1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
4 #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
7 #include "resolved-dnstls.h"
8 #include "resolved-dns-stream.h"
10 #include <openssl/bio.h>
11 #include <openssl/err.h>
13 DEFINE_TRIVIAL_CLEANUP_FUNC(SSL
*, SSL_free
);
14 DEFINE_TRIVIAL_CLEANUP_FUNC(BIO
*, BIO_free
);
16 static int dnstls_flush_write_buffer(DnsStream
*stream
) {
20 assert(stream
->encrypted
);
22 if (stream
->dnstls_data
.write_buffer
->length
> 0) {
23 assert(stream
->dnstls_data
.write_buffer
->data
);
26 iov
[0].iov_base
= stream
->dnstls_data
.write_buffer
->data
;
27 iov
[0].iov_len
= stream
->dnstls_data
.write_buffer
->length
;
28 ss
= dns_stream_writev(stream
, iov
, 1, DNS_STREAM_WRITE_TLS_DATA
);
31 stream
->dnstls_events
|= EPOLLOUT
;
35 stream
->dnstls_data
.write_buffer
->length
-= ss
;
36 stream
->dnstls_data
.write_buffer
->data
+= ss
;
38 if (stream
->dnstls_data
.write_buffer
->length
> 0) {
39 stream
->dnstls_events
|= EPOLLOUT
;
48 int dnstls_stream_connect_tls(DnsStream
*stream
, DnsServer
*server
) {
49 _cleanup_(SSL_freep
) SSL
*s
= NULL
;
50 _cleanup_(BIO_freep
) BIO
*rb
= NULL
;
51 _cleanup_(BIO_freep
) BIO
*wb
= NULL
;
58 rb
= BIO_new_socket(stream
->fd
, 0);
62 wb
= BIO_new(BIO_s_mem());
66 BIO_get_mem_ptr(wb
, &stream
->dnstls_data
.write_buffer
);
68 s
= SSL_new(server
->dnstls_data
.ctx
);
72 SSL_set_connect_state(s
);
73 SSL_set_session(s
, server
->dnstls_data
.session
);
74 SSL_set_bio(s
, TAKE_PTR(rb
), TAKE_PTR(wb
));
76 stream
->dnstls_data
.handshake
= SSL_do_handshake(s
);
77 if (stream
->dnstls_data
.handshake
<= 0) {
78 error
= SSL_get_error(s
, stream
->dnstls_data
.handshake
);
79 if (!IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
82 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
83 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf
);
88 stream
->encrypted
= true;
90 r
= dnstls_flush_write_buffer(stream
);
91 if (r
< 0 && r
!= -EAGAIN
)
94 stream
->dnstls_data
.ssl
= TAKE_PTR(s
);
99 void dnstls_stream_free(DnsStream
*stream
) {
101 assert(stream
->encrypted
);
103 if (stream
->dnstls_data
.ssl
)
104 SSL_free(stream
->dnstls_data
.ssl
);
107 int dnstls_stream_on_io(DnsStream
*stream
, uint32_t revents
) {
112 assert(stream
->encrypted
);
113 assert(stream
->dnstls_data
.ssl
);
115 /* Flush write buffer when requested by OpenSSL ss*/
116 if ((revents
& EPOLLOUT
) && (stream
->dnstls_events
& EPOLLOUT
)) {
117 r
= dnstls_flush_write_buffer(stream
);
122 if (stream
->dnstls_data
.shutdown
) {
123 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
125 error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
126 if (r
== 0 || IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
128 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
130 r
= dnstls_flush_write_buffer(stream
);
138 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
139 log_debug("Failed to invoke SSL_shutdown: %s", errbuf
);
143 r
= dnstls_flush_write_buffer(stream
);
147 stream
->dnstls_events
= 0;
148 stream
->dnstls_data
.shutdown
= false;
149 dns_stream_unref(stream
);
150 return DNSTLS_STREAM_CLOSED
;
151 } else if (stream
->dnstls_data
.handshake
<= 0) {
152 stream
->dnstls_data
.handshake
= SSL_do_handshake(stream
->dnstls_data
.ssl
);
153 if (stream
->dnstls_data
.handshake
<= 0) {
154 error
= SSL_get_error(stream
->dnstls_data
.ssl
, stream
->dnstls_data
.handshake
);
155 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
156 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
157 r
= dnstls_flush_write_buffer(stream
);
165 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
166 log_debug("Failed to invoke SSL_do_handshake: %s", errbuf
);
167 return -ECONNREFUSED
;
171 stream
->dnstls_events
= 0;
172 r
= dnstls_flush_write_buffer(stream
);
180 int dnstls_stream_shutdown(DnsStream
*stream
, int error
) {
186 assert(stream
->encrypted
);
187 assert(stream
->dnstls_data
.ssl
);
189 if (stream
->server
) {
190 s
= SSL_get1_session(stream
->dnstls_data
.ssl
);
192 if (stream
->server
->dnstls_data
.session
)
193 SSL_SESSION_free(stream
->server
->dnstls_data
.session
);
195 stream
->server
->dnstls_data
.session
= s
;
199 if (error
== ETIMEDOUT
) {
200 r
= SSL_shutdown(stream
->dnstls_data
.ssl
);
202 if (!stream
->dnstls_data
.shutdown
) {
203 stream
->dnstls_data
.shutdown
= true;
204 dns_stream_ref(stream
);
207 r
= dnstls_flush_write_buffer(stream
);
213 ssl_error
= SSL_get_error(stream
->dnstls_data
.ssl
, r
);
214 if (IN_SET(ssl_error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
215 stream
->dnstls_events
= ssl_error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
216 r
= dnstls_flush_write_buffer(stream
);
217 if (r
< 0 && r
!= -EAGAIN
)
220 if (!stream
->dnstls_data
.shutdown
) {
221 stream
->dnstls_data
.shutdown
= true;
222 dns_stream_ref(stream
);
228 ERR_error_string_n(ssl_error
, errbuf
, sizeof(errbuf
));
229 log_debug("Failed to invoke SSL_shutdown: %s", errbuf
);
233 stream
->dnstls_events
= 0;
234 r
= dnstls_flush_write_buffer(stream
);
242 ssize_t
dnstls_stream_write(DnsStream
*stream
, const char *buf
, size_t count
) {
248 assert(stream
->encrypted
);
249 assert(stream
->dnstls_data
.ssl
);
252 ss
= r
= SSL_write(stream
->dnstls_data
.ssl
, buf
, count
);
254 error
= SSL_get_error(stream
->dnstls_data
.ssl
, ss
);
255 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
256 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
257 r
= dnstls_flush_write_buffer(stream
);
265 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
266 log_debug("Failed to invoke SSL_read: %s", errbuf
);
271 stream
->dnstls_events
= 0;
272 r
= dnstls_flush_write_buffer(stream
);
279 ssize_t
dnstls_stream_read(DnsStream
*stream
, void *buf
, size_t count
) {
285 assert(stream
->encrypted
);
286 assert(stream
->dnstls_data
.ssl
);
289 ss
= r
= SSL_read(stream
->dnstls_data
.ssl
, buf
, count
);
291 error
= SSL_get_error(stream
->dnstls_data
.ssl
, ss
);
292 if (IN_SET(error
, SSL_ERROR_WANT_READ
, SSL_ERROR_WANT_WRITE
)) {
293 stream
->dnstls_events
= error
== SSL_ERROR_WANT_READ
? EPOLLIN
: EPOLLOUT
;
295 /* flush write buffer in cache of renegotiation */
296 r
= dnstls_flush_write_buffer(stream
);
304 ERR_error_string_n(error
, errbuf
, sizeof(errbuf
));
305 log_debug("Failed to invoke SSL_read: %s", errbuf
);
310 stream
->dnstls_events
= 0;
312 /* flush write buffer in cache of renegotiation */
313 r
= dnstls_flush_write_buffer(stream
);
320 void dnstls_server_init(DnsServer
*server
) {
323 server
->dnstls_data
.ctx
= SSL_CTX_new(TLS_client_method());
324 if (server
->dnstls_data
.ctx
) {
325 SSL_CTX_set_min_proto_version(server
->dnstls_data
.ctx
, TLS1_2_VERSION
);
326 SSL_CTX_set_options(server
->dnstls_data
.ctx
, SSL_OP_NO_COMPRESSION
);
330 void dnstls_server_free(DnsServer
*server
) {
333 if (server
->dnstls_data
.ctx
)
334 SSL_CTX_free(server
->dnstls_data
.ctx
);
336 if (server
->dnstls_data
.session
)
337 SSL_SESSION_free(server
->dnstls_data
.session
);