1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
4 #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
7 #include "resolved-dnstls.h"
8 #include "resolved-dns-stream.h"
10 #include <openssl/bio.h>
11 #include <openssl/err.h>
13 DEFINE_TRIVIAL_CLEANUP_FUNC(SSL
*, SSL_free
);
14 DEFINE_TRIVIAL_CLEANUP_FUNC(BIO
*, BIO_free
);
16 static int dnstls_flush_write_buffer(DnsStream
*stream
) {
20 assert(stream
->encrypted
);
22 if (stream
->dnstls_data
.write_buffer
->length
> 0) {
23 assert(stream
->dnstls_data
.write_buffer
->data
);
26 iov
[0].iov_base
= stream
->dnstls_data
.write_buffer
->data
;
27 iov
[0].iov_len
= stream
->dnstls_data
.write_buffer
->length
;
28 ss
= dns_stream_writev(stream
, iov
, 1, DNS_STREAM_WRITE_TLS_DATA
);
31 stream
->dnstls_events
|= EPOLLOUT
;
35 stream
->dnstls_data
.write_buffer
->length
-= ss
;
36 stream
->dnstls_data
.write_buffer
->data
+= ss
;
38 if (stream
->dnstls_data
.write_buffer
->length
> 0) {
39 stream
->dnstls_events
|= EPOLLOUT
;
48 int dnstls_stream_connect_tls(DnsStream
*stream
, DnsServer
*server
) {
49 _cleanup_(SSL_freep
) SSL
*s
= NULL
;
50 _cleanup_(BIO_freep
) BIO
*rb
= NULL
;
51 _cleanup_(BIO_freep
) BIO
*wb
= NULL
;
58 rb
= BIO_new_socket(stream
->fd
, 0);
62 wb
= BIO_new(BIO_s_mem());
66 BIO_get_mem_ptr(wb
, &stream
->dnstls_data
.write_buffer
);
68 s
= SSL_new(server
->dnstls_data
.ctx
);
72 SSL_set_connect_state(s
);
73 SSL_set_session(s
, server
->dnstls_data
.session
);
74 SSL_set_bio(s
, TAKE_PTR(rb
), TAKE_PTR(wb
));
77 stream
->dnstls_data
.handshake
= SSL_do_handshake(s
);
78 if (stream
->dnstls_data
.handshake
<= 0) {
79 error
= SSL_get_error(s
, stream
->dnstls_data
.handshake
);
80 if (!IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
83 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
84 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf
);
89 stream
->encrypted
= true;
91 r
= dnstls_flush_write_buffer(stream
);
92 if (r
< 0 && r
!= -EAGAIN
)
95 stream
->dnstls_data
.ssl
= TAKE_PTR(s
);
100 void dnstls_stream_free(DnsStream
*stream
) {
102 assert(stream
->encrypted
);
104 if (stream
->dnstls_data
.ssl
)
105 SSL_free(stream
->dnstls_data
.ssl
);
108 int dnstls_stream_on_io(DnsStream
*stream
, uint32_t revents
) {
113 assert(stream
->encrypted
);
114 assert(stream
->dnstls_data
.ssl
);
116 /* Flush write buffer when requested by OpenSSL ss*/
117 if ((revents
& EPOLLOUT
) && (stream
->dnstls_events
& EPOLLOUT
)) {
118 r
= dnstls_flush_write_buffer(stream
);
123 if (stream
->dnstls_data
.shutdown
) {
125 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
127 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
128 if (r
== 0 || IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
130 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
132 r
= dnstls_flush_write_buffer(stream
);
140 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
141 log_debug("Failed to invoke SSL_shutdown: %s", errbuf
);
145 r
= dnstls_flush_write_buffer(stream
);
149 stream
->dnstls_events
= 0;
150 stream
->dnstls_data
.shutdown
= false;
151 dns_stream_unref(stream
);
152 return DNSTLS_STREAM_CLOSED
;
153 } else if (stream
->dnstls_data
.handshake
<= 0) {
155 stream
->dnstls_data
.handshake
= SSL_do_handshake(stream
->dnstls_data
.ssl
);
156 if (stream
->dnstls_data
.handshake
<= 0) {
157 error
= SSL_get_error(stream
->dnstls_data
.ssl
, stream
->dnstls_data
.handshake
);
158 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
159 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
160 r
= dnstls_flush_write_buffer(stream
);
168 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
169 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf
);
170 return -ECONNREFUSED
;
174 stream
->dnstls_events
= 0;
175 r
= dnstls_flush_write_buffer(stream
);
183 int dnstls_stream_shutdown(DnsStream
*stream
, int error
) {
189 assert(stream
->encrypted
);
190 assert(stream
->dnstls_data
.ssl
);
192 if (stream
->server
) {
193 s
= SSL_get1_session(stream
->dnstls_data
.ssl
);
195 if (stream
->server
->dnstls_data
.session
)
196 SSL_SESSION_free(stream
->server
->dnstls_data
.session
);
198 stream
->server
->dnstls_data
.session
= s
;
202 if (error
== ETIMEDOUT
) {
204 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
206 if (!stream
->dnstls_data
.shutdown
) {
207 stream
->dnstls_data
.shutdown
= true;
208 dns_stream_ref(stream
);
211 r
= dnstls_flush_write_buffer(stream
);
217 ssl_error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
218 if (IN_SET(ssl_error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
219 stream
->dnstls_events
= ssl_error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
220 r
= dnstls_flush_write_buffer(stream
);
221 if (r
< 0 && r
!= -EAGAIN
)
224 if (!stream
->dnstls_data
.shutdown
) {
225 stream
->dnstls_data
.shutdown
= true;
226 dns_stream_ref(stream
);
232 ERR_error_string_n(ssl_error
, errbuf
, sizeof(errbuf
));
233 log_debug("Failed to invoke SSL_shutdown: %s", errbuf
);
237 stream
->dnstls_events
= 0;
238 r
= dnstls_flush_write_buffer(stream
);
246 ssize_t
dnstls_stream_write(DnsStream
*stream
, const char *buf
, size_t count
) {
252 assert(stream
->encrypted
);
253 assert(stream
->dnstls_data
.ssl
);
257 ss
= r
= SSL_write(stream
->dnstls_data
.ssl
, buf
, count
);
259 error
= SSL_get_error(stream
->dnstls_data
.ssl
, ss
);
260 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
261 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
262 r
= dnstls_flush_write_buffer(stream
);
270 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
271 log_debug("Failed to invoke SSL_read: %s", errbuf
);
276 stream
->dnstls_events
= 0;
277 r
= dnstls_flush_write_buffer(stream
);
284 ssize_t
dnstls_stream_read(DnsStream
*stream
, void *buf
, size_t count
) {
290 assert(stream
->encrypted
);
291 assert(stream
->dnstls_data
.ssl
);
295 ss
= r
= SSL_read(stream
->dnstls_data
.ssl
, buf
, count
);
297 error
= SSL_get_error(stream
->dnstls_data
.ssl
, ss
);
298 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
299 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
301 /* flush write buffer in cache of renegotiation */
302 r
= dnstls_flush_write_buffer(stream
);
310 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
311 log_debug("Failed to invoke SSL_read: %s", errbuf
);
316 stream
->dnstls_events
= 0;
318 /* flush write buffer in cache of renegotiation */
319 r
= dnstls_flush_write_buffer(stream
);
326 void dnstls_server_init(DnsServer
*server
) {
329 server
->dnstls_data
.ctx
= SSL_CTX_new(TLS_client_method());
330 if (server
->dnstls_data
.ctx
) {
331 SSL_CTX_set_min_proto_version(server
->dnstls_data
.ctx
, TLS1_2_VERSION
);
332 SSL_CTX_set_options(server
->dnstls_data
.ctx
, SSL_OP_NO_COMPRESSION
);
336 void dnstls_server_free(DnsServer
*server
) {
339 if (server
->dnstls_data
.ctx
)
340 SSL_CTX_free(server
->dnstls_data
.ctx
);
342 if (server
->dnstls_data
.session
)
343 SSL_SESSION_free(server
->dnstls_data
.session
);