1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
4 #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
7 #include <openssl/bio.h>
8 #include <openssl/err.h>
10 #include "resolved-dns-stream.h"
11 #include "resolved-dnstls.h"
15 DEFINE_TRIVIAL_CLEANUP_FUNC(SSL
*, SSL_free
);
16 DEFINE_TRIVIAL_CLEANUP_FUNC(BIO
*, BIO_free
);
18 static int dnstls_flush_write_buffer(DnsStream
*stream
) {
22 assert(stream
->encrypted
);
24 if (stream
->dnstls_data
.write_buffer
->length
> 0) {
25 assert(stream
->dnstls_data
.write_buffer
->data
);
28 iov
[0] = IOVEC_MAKE(stream
->dnstls_data
.write_buffer
->data
,
29 stream
->dnstls_data
.write_buffer
->length
);
30 ss
= dns_stream_writev(stream
, iov
, 1, DNS_STREAM_WRITE_TLS_DATA
);
33 stream
->dnstls_events
|= EPOLLOUT
;
37 stream
->dnstls_data
.write_buffer
->length
-= ss
;
38 stream
->dnstls_data
.write_buffer
->data
+= ss
;
40 if (stream
->dnstls_data
.write_buffer
->length
> 0) {
41 stream
->dnstls_events
|= EPOLLOUT
;
50 int dnstls_stream_connect_tls(DnsStream
*stream
, DnsServer
*server
) {
51 _cleanup_(BIO_freep
) BIO
*rb
= NULL
, *wb
= NULL
;
52 _cleanup_(SSL_freep
) SSL
*s
= NULL
;
58 rb
= BIO_new_socket(stream
->fd
, 0);
62 wb
= BIO_new(BIO_s_mem());
66 BIO_get_mem_ptr(wb
, &stream
->dnstls_data
.write_buffer
);
68 s
= SSL_new(server
->dnstls_data
.ctx
);
72 SSL_set_connect_state(s
);
73 SSL_set_session(s
, server
->dnstls_data
.session
);
74 SSL_set_bio(s
, TAKE_PTR(rb
), TAKE_PTR(wb
));
77 stream
->dnstls_data
.handshake
= SSL_do_handshake(s
);
78 if (stream
->dnstls_data
.handshake
<= 0) {
79 error
= SSL_get_error(s
, stream
->dnstls_data
.handshake
);
80 if (!IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
83 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
84 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf
);
89 stream
->encrypted
= true;
91 r
= dnstls_flush_write_buffer(stream
);
92 if (r
< 0 && r
!= -EAGAIN
)
95 stream
->dnstls_data
.ssl
= TAKE_PTR(s
);
100 void dnstls_stream_free(DnsStream
*stream
) {
102 assert(stream
->encrypted
);
104 if (stream
->dnstls_data
.ssl
)
105 SSL_free(stream
->dnstls_data
.ssl
);
108 int dnstls_stream_on_io(DnsStream
*stream
, uint32_t revents
) {
112 assert(stream
->encrypted
);
113 assert(stream
->dnstls_data
.ssl
);
115 /* Flush write buffer when requested by OpenSSL */
116 if ((revents
& EPOLLOUT
) && (stream
->dnstls_events
& EPOLLOUT
)) {
117 r
= dnstls_flush_write_buffer(stream
);
122 if (stream
->dnstls_data
.shutdown
) {
124 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
126 stream
->dnstls_events
= 0;
128 r
= dnstls_flush_write_buffer(stream
);
134 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
135 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
136 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
138 r
= dnstls_flush_write_buffer(stream
);
143 } else if (error
== SSL_ERROR_SYSCALL
) {
145 log_debug_errno(errno
, "Failed to invoke SSL_shutdown, ignoring: %m");
149 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
150 log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf
);
154 stream
->dnstls_events
= 0;
155 stream
->dnstls_data
.shutdown
= false;
157 r
= dnstls_flush_write_buffer(stream
);
161 dns_stream_unref(stream
);
162 return DNSTLS_STREAM_CLOSED
;
163 } else if (stream
->dnstls_data
.handshake
<= 0) {
165 stream
->dnstls_data
.handshake
= SSL_do_handshake(stream
->dnstls_data
.ssl
);
166 if (stream
->dnstls_data
.handshake
<= 0) {
167 error
= SSL_get_error(stream
->dnstls_data
.ssl
, stream
->dnstls_data
.handshake
);
168 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
169 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
170 r
= dnstls_flush_write_buffer(stream
);
178 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
179 return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED
),
180 "Failed to invoke SSL_do_handshake: %s",
185 stream
->dnstls_events
= 0;
186 r
= dnstls_flush_write_buffer(stream
);
194 int dnstls_stream_shutdown(DnsStream
*stream
, int error
) {
199 assert(stream
->encrypted
);
200 assert(stream
->dnstls_data
.ssl
);
202 if (stream
->server
) {
203 s
= SSL_get1_session(stream
->dnstls_data
.ssl
);
205 if (stream
->server
->dnstls_data
.session
)
206 SSL_SESSION_free(stream
->server
->dnstls_data
.session
);
208 stream
->server
->dnstls_data
.session
= s
;
212 if (error
== ETIMEDOUT
) {
214 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
216 if (!stream
->dnstls_data
.shutdown
) {
217 stream
->dnstls_data
.shutdown
= true;
218 dns_stream_ref(stream
);
221 stream
->dnstls_events
= 0;
223 r
= dnstls_flush_write_buffer(stream
);
229 ssl_error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
230 if (IN_SET(ssl_error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
231 stream
->dnstls_events
= ssl_error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
232 r
= dnstls_flush_write_buffer(stream
);
233 if (r
< 0 && r
!= -EAGAIN
)
236 if (!stream
->dnstls_data
.shutdown
) {
237 stream
->dnstls_data
.shutdown
= true;
238 dns_stream_ref(stream
);
241 } else if (ssl_error
== SSL_ERROR_SYSCALL
) {
243 log_debug_errno(errno
, "Failed to invoke SSL_shutdown, ignoring: %m");
247 ERR_error_string_n(ssl_error
, errbuf
, sizeof(errbuf
));
248 log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf
);
252 stream
->dnstls_events
= 0;
253 r
= dnstls_flush_write_buffer(stream
);
261 ssize_t
dnstls_stream_write(DnsStream
*stream
, const char *buf
, size_t count
) {
266 assert(stream
->encrypted
);
267 assert(stream
->dnstls_data
.ssl
);
271 ss
= r
= SSL_write(stream
->dnstls_data
.ssl
, buf
, count
);
273 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
274 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
275 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
277 } else if (error
== SSL_ERROR_ZERO_RETURN
) {
278 stream
->dnstls_events
= 0;
283 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
284 log_debug("Failed to invoke SSL_write: %s", errbuf
);
285 stream
->dnstls_events
= 0;
289 stream
->dnstls_events
= 0;
291 r
= dnstls_flush_write_buffer(stream
);
298 ssize_t
dnstls_stream_read(DnsStream
*stream
, void *buf
, size_t count
) {
303 assert(stream
->encrypted
);
304 assert(stream
->dnstls_data
.ssl
);
308 ss
= r
= SSL_read(stream
->dnstls_data
.ssl
, buf
, count
);
310 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
311 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
312 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
314 } else if (error
== SSL_ERROR_ZERO_RETURN
) {
315 stream
->dnstls_events
= 0;
320 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
321 log_debug("Failed to invoke SSL_read: %s", errbuf
);
322 stream
->dnstls_events
= 0;
326 stream
->dnstls_events
= 0;
328 /* flush write buffer in cache of renegotiation */
329 r
= dnstls_flush_write_buffer(stream
);
336 void dnstls_server_init(DnsServer
*server
) {
339 server
->dnstls_data
.ctx
= SSL_CTX_new(TLS_client_method());
340 if (server
->dnstls_data
.ctx
) {
341 SSL_CTX_set_min_proto_version(server
->dnstls_data
.ctx
, TLS1_2_VERSION
);
342 SSL_CTX_set_options(server
->dnstls_data
.ctx
, SSL_OP_NO_COMPRESSION
);
346 void dnstls_server_free(DnsServer
*server
) {
349 if (server
->dnstls_data
.ctx
)
350 SSL_CTX_free(server
->dnstls_data
.ctx
);
352 if (server
->dnstls_data
.session
)
353 SSL_SESSION_free(server
->dnstls_data
.session
);