]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dnstls-openssl.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
resolve: clear error queue before calling SSL_*()
[thirdparty/systemd.git] / src / resolve / resolved-dnstls-openssl.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
4 #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
5 #endif
6
7 #include "resolved-dnstls.h"
8 #include "resolved-dns-stream.h"
9
10 #include <openssl/bio.h>
11 #include <openssl/err.h>
12
13 DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
14 DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
15
16 static int dnstls_flush_write_buffer(DnsStream *stream) {
17 ssize_t ss;
18
19 assert(stream);
20 assert(stream->encrypted);
21
22 if (stream->dnstls_data.write_buffer->length > 0) {
23 assert(stream->dnstls_data.write_buffer->data);
24
25 struct iovec iov[1];
26 iov[0].iov_base = stream->dnstls_data.write_buffer->data;
27 iov[0].iov_len = stream->dnstls_data.write_buffer->length;
28 ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
29 if (ss < 0) {
30 if (ss == -EAGAIN)
31 stream->dnstls_events |= EPOLLOUT;
32
33 return ss;
34 } else {
35 stream->dnstls_data.write_buffer->length -= ss;
36 stream->dnstls_data.write_buffer->data += ss;
37
38 if (stream->dnstls_data.write_buffer->length > 0) {
39 stream->dnstls_events |= EPOLLOUT;
40 return -EAGAIN;
41 }
42 }
43 }
44
45 return 0;
46 }
47
48 int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
49 _cleanup_(SSL_freep) SSL *s = NULL;
50 _cleanup_(BIO_freep) BIO *rb = NULL;
51 _cleanup_(BIO_freep) BIO *wb = NULL;
52 int r;
53 int error;
54
55 assert(stream);
56 assert(server);
57
58 rb = BIO_new_socket(stream->fd, 0);
59 if (!rb)
60 return -ENOMEM;
61
62 wb = BIO_new(BIO_s_mem());
63 if (!wb)
64 return -ENOMEM;
65
66 BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
67
68 s = SSL_new(server->dnstls_data.ctx);
69 if (!s)
70 return -ENOMEM;
71
72 SSL_set_connect_state(s);
73 SSL_set_session(s, server->dnstls_data.session);
74 SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
75
76 ERR_clear_error();
77 stream->dnstls_data.handshake = SSL_do_handshake(s);
78 if (stream->dnstls_data.handshake <= 0) {
79 error = SSL_get_error(s, stream->dnstls_data.handshake);
80 if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
81 char errbuf[256];
82
83 ERR_error_string_n(error, errbuf, sizeof(errbuf));
84 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
85 return -ECONNREFUSED;
86 }
87 }
88
89 stream->encrypted = true;
90
91 r = dnstls_flush_write_buffer(stream);
92 if (r < 0 && r != -EAGAIN)
93 return r;
94
95 stream->dnstls_data.ssl = TAKE_PTR(s);
96
97 return 0;
98 }
99
100 void dnstls_stream_free(DnsStream *stream) {
101 assert(stream);
102 assert(stream->encrypted);
103
104 if (stream->dnstls_data.ssl)
105 SSL_free(stream->dnstls_data.ssl);
106 }
107
108 int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
109 int r;
110 int error;
111
112 assert(stream);
113 assert(stream->encrypted);
114 assert(stream->dnstls_data.ssl);
115
116 /* Flush write buffer when requested by OpenSSL ss*/
117 if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
118 r = dnstls_flush_write_buffer(stream);
119 if (r < 0)
120 return r;
121 }
122
123 if (stream->dnstls_data.shutdown) {
124 ERR_clear_error();
125 r = SSL_shutdown(stream->dnstls_data.ssl);
126 if (r <= 0) {
127 error = SSL_get_error(stream->dnstls_data.ssl, r);
128 if (r == 0 || IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
129 if (r < 0)
130 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
131
132 r = dnstls_flush_write_buffer(stream);
133 if (r < 0)
134 return r;
135
136 return -EAGAIN;
137 } else {
138 char errbuf[256];
139
140 ERR_error_string_n(error, errbuf, sizeof(errbuf));
141 log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
142 }
143 }
144
145 r = dnstls_flush_write_buffer(stream);
146 if (r < 0)
147 return r;
148
149 stream->dnstls_events = 0;
150 stream->dnstls_data.shutdown = false;
151 dns_stream_unref(stream);
152 return DNSTLS_STREAM_CLOSED;
153 } else if (stream->dnstls_data.handshake <= 0) {
154 ERR_clear_error();
155 stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
156 if (stream->dnstls_data.handshake <= 0) {
157 error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
158 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
159 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
160 r = dnstls_flush_write_buffer(stream);
161 if (r < 0)
162 return r;
163
164 return -EAGAIN;
165 } else {
166 char errbuf[256];
167
168 ERR_error_string_n(error, errbuf, sizeof(errbuf));
169 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
170 return -ECONNREFUSED;
171 }
172 }
173
174 stream->dnstls_events = 0;
175 r = dnstls_flush_write_buffer(stream);
176 if (r < 0)
177 return r;
178 }
179
180 return 0;
181 }
182
183 int dnstls_stream_shutdown(DnsStream *stream, int error) {
184 int r;
185 int ssl_error;
186 SSL_SESSION *s;
187
188 assert(stream);
189 assert(stream->encrypted);
190 assert(stream->dnstls_data.ssl);
191
192 if (stream->server) {
193 s = SSL_get1_session(stream->dnstls_data.ssl);
194 if (s) {
195 if (stream->server->dnstls_data.session)
196 SSL_SESSION_free(stream->server->dnstls_data.session);
197
198 stream->server->dnstls_data.session = s;
199 }
200 }
201
202 if (error == ETIMEDOUT) {
203 ERR_clear_error();
204 r = SSL_shutdown(stream->dnstls_data.ssl);
205 if (r == 0) {
206 if (!stream->dnstls_data.shutdown) {
207 stream->dnstls_data.shutdown = true;
208 dns_stream_ref(stream);
209 }
210
211 r = dnstls_flush_write_buffer(stream);
212 if (r < 0)
213 return r;
214
215 return -EAGAIN;
216 } else if (r < 0) {
217 ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
218 if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
219 stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
220 r = dnstls_flush_write_buffer(stream);
221 if (r < 0 && r != -EAGAIN)
222 return r;
223
224 if (!stream->dnstls_data.shutdown) {
225 stream->dnstls_data.shutdown = true;
226 dns_stream_ref(stream);
227 }
228 return -EAGAIN;
229 } else {
230 char errbuf[256];
231
232 ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
233 log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
234 }
235 }
236
237 stream->dnstls_events = 0;
238 r = dnstls_flush_write_buffer(stream);
239 if (r < 0)
240 return r;
241 }
242
243 return 0;
244 }
245
246 ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
247 int r;
248 int error;
249 ssize_t ss;
250
251 assert(stream);
252 assert(stream->encrypted);
253 assert(stream->dnstls_data.ssl);
254 assert(buf);
255
256 ERR_clear_error();
257 ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
258 if (r <= 0) {
259 error = SSL_get_error(stream->dnstls_data.ssl, ss);
260 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
261 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
262 r = dnstls_flush_write_buffer(stream);
263 if (r < 0)
264 return r;
265
266 ss = -EAGAIN;
267 } else {
268 char errbuf[256];
269
270 ERR_error_string_n(error, errbuf, sizeof(errbuf));
271 log_debug("Failed to invoke SSL_read: %s", errbuf);
272 ss = -EPIPE;
273 }
274 }
275
276 stream->dnstls_events = 0;
277 r = dnstls_flush_write_buffer(stream);
278 if (r < 0)
279 return r;
280
281 return ss;
282 }
283
284 ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
285 int r;
286 int error;
287 ssize_t ss;
288
289 assert(stream);
290 assert(stream->encrypted);
291 assert(stream->dnstls_data.ssl);
292 assert(buf);
293
294 ERR_clear_error();
295 ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
296 if (r <= 0) {
297 error = SSL_get_error(stream->dnstls_data.ssl, ss);
298 if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
299 stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
300
301 /* flush write buffer in cache of renegotiation */
302 r = dnstls_flush_write_buffer(stream);
303 if (r < 0)
304 return r;
305
306 ss = -EAGAIN;
307 } else {
308 char errbuf[256];
309
310 ERR_error_string_n(error, errbuf, sizeof(errbuf));
311 log_debug("Failed to invoke SSL_read: %s", errbuf);
312 ss = -EPIPE;
313 }
314 }
315
316 stream->dnstls_events = 0;
317
318 /* flush write buffer in cache of renegotiation */
319 r = dnstls_flush_write_buffer(stream);
320 if (r < 0)
321 return r;
322
323 return ss;
324 }
325
326 void dnstls_server_init(DnsServer *server) {
327 assert(server);
328
329 server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
330 if (server->dnstls_data.ctx) {
331 SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
332 SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
333 }
334 }
335
336 void dnstls_server_free(DnsServer *server) {
337 assert(server);
338
339 if (server->dnstls_data.ctx)
340 SSL_CTX_free(server->dnstls_data.ctx);
341
342 if (server->dnstls_data.session)
343 SSL_SESSION_free(server->dnstls_data.session);
344 }
Unnamed repository; edit this file 'description' to name the repository.