#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
#endif
-#include "resolved-dnstls.h"
-#include "resolved-dns-stream.h"
-
#include <openssl/bio.h>
#include <openssl/err.h>
+#include "resolved-dns-stream.h"
+#include "resolved-dnstls.h"
+
DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
assert(stream->dnstls_data.write_buffer->data);
struct iovec iov[1];
- iov[0].iov_base = stream->dnstls_data.write_buffer->data;
- iov[0].iov_len = stream->dnstls_data.write_buffer->length;
+ iov[0] = IOVEC_MAKE(stream->dnstls_data.write_buffer->data,
+ stream->dnstls_data.write_buffer->length);
ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
if (ss < 0) {
if (ss == -EAGAIN)
}
int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+ _cleanup_(BIO_freep) BIO *rb = NULL, *wb = NULL;
_cleanup_(SSL_freep) SSL *s = NULL;
- _cleanup_(BIO_freep) BIO *rb = NULL;
- _cleanup_(BIO_freep) BIO *wb = NULL;
- int r;
- int error;
+ int error, r;
assert(stream);
assert(server);
SSL_set_session(s, server->dnstls_data.session);
SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
+ ERR_clear_error();
stream->dnstls_data.handshake = SSL_do_handshake(s);
if (stream->dnstls_data.handshake <= 0) {
error = SSL_get_error(s, stream->dnstls_data.handshake);
}
int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
- int r;
- int error;
+ int error, r;
assert(stream);
assert(stream->encrypted);
assert(stream->dnstls_data.ssl);
- /* Flush write buffer when requested by OpenSSL ss*/
+ /* Flush write buffer when requested by OpenSSL */
if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
r = dnstls_flush_write_buffer(stream);
if (r < 0)
}
if (stream->dnstls_data.shutdown) {
+ ERR_clear_error();
r = SSL_shutdown(stream->dnstls_data.ssl);
- if (r <= 0) {
+ if (r == 0) {
+ stream->dnstls_events = 0;
+
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
+ return -EAGAIN;
+ } else if (r < 0) {
error = SSL_get_error(stream->dnstls_data.ssl, r);
- if (r == 0 || IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
- if (r < 0)
- stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+ if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
+ stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
r = dnstls_flush_write_buffer(stream);
if (r < 0)
return r;
return -EAGAIN;
+ } else if (error == SSL_ERROR_SYSCALL) {
+ if (errno > 0)
+ log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
} else {
char errbuf[256];
ERR_error_string_n(error, errbuf, sizeof(errbuf));
- log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
+ log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
}
}
+ stream->dnstls_events = 0;
+ stream->dnstls_data.shutdown = false;
+
r = dnstls_flush_write_buffer(stream);
if (r < 0)
return r;
- stream->dnstls_events = 0;
- stream->dnstls_data.shutdown = false;
dns_stream_unref(stream);
return DNSTLS_STREAM_CLOSED;
} else if (stream->dnstls_data.handshake <= 0) {
+ ERR_clear_error();
stream->dnstls_data.handshake = SSL_do_handshake(stream->dnstls_data.ssl);
if (stream->dnstls_data.handshake <= 0) {
error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
char errbuf[256];
ERR_error_string_n(error, errbuf, sizeof(errbuf));
- log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
- return -ECONNREFUSED;
+ return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED),
+ "Failed to invoke SSL_do_handshake: %s",
+ errbuf);
}
}
}
int dnstls_stream_shutdown(DnsStream *stream, int error) {
- int r;
- int ssl_error;
+ int ssl_error, r;
SSL_SESSION *s;
assert(stream);
}
if (error == ETIMEDOUT) {
+ ERR_clear_error();
r = SSL_shutdown(stream->dnstls_data.ssl);
if (r == 0) {
if (!stream->dnstls_data.shutdown) {
dns_stream_ref(stream);
}
+ stream->dnstls_events = 0;
+
r = dnstls_flush_write_buffer(stream);
if (r < 0)
return r;
dns_stream_ref(stream);
}
return -EAGAIN;
+ } else if (ssl_error == SSL_ERROR_SYSCALL) {
+ if (errno > 0)
+ log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m");
} else {
char errbuf[256];
ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf));
- log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
+ log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf);
}
}
}
ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
- int r;
- int error;
+ int error, r;
ssize_t ss;
assert(stream);
assert(stream->dnstls_data.ssl);
assert(buf);
+ ERR_clear_error();
ss = r = SSL_write(stream->dnstls_data.ssl, buf, count);
if (r <= 0) {
- error = SSL_get_error(stream->dnstls_data.ssl, ss);
+ error = SSL_get_error(stream->dnstls_data.ssl, r);
if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
- r = dnstls_flush_write_buffer(stream);
- if (r < 0)
- return r;
-
ss = -EAGAIN;
+ } else if (error == SSL_ERROR_ZERO_RETURN) {
+ stream->dnstls_events = 0;
+ ss = 0;
} else {
char errbuf[256];
ERR_error_string_n(error, errbuf, sizeof(errbuf));
- log_debug("Failed to invoke SSL_read: %s", errbuf);
+ log_debug("Failed to invoke SSL_write: %s", errbuf);
+ stream->dnstls_events = 0;
ss = -EPIPE;
}
- }
+ } else
+ stream->dnstls_events = 0;
- stream->dnstls_events = 0;
r = dnstls_flush_write_buffer(stream);
if (r < 0)
return r;
}
ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
- int r;
- int error;
+ int error, r;
ssize_t ss;
assert(stream);
assert(stream->dnstls_data.ssl);
assert(buf);
+ ERR_clear_error();
ss = r = SSL_read(stream->dnstls_data.ssl, buf, count);
if (r <= 0) {
- error = SSL_get_error(stream->dnstls_data.ssl, ss);
+ error = SSL_get_error(stream->dnstls_data.ssl, r);
if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
-
- /* flush write buffer in cache of renegotiation */
- r = dnstls_flush_write_buffer(stream);
- if (r < 0)
- return r;
-
ss = -EAGAIN;
+ } else if (error == SSL_ERROR_ZERO_RETURN) {
+ stream->dnstls_events = 0;
+ ss = 0;
} else {
char errbuf[256];
ERR_error_string_n(error, errbuf, sizeof(errbuf));
log_debug("Failed to invoke SSL_read: %s", errbuf);
+ stream->dnstls_events = 0;
ss = -EPIPE;
}
- }
-
- stream->dnstls_events = 0;
+ } else
+ stream->dnstls_events = 0;
/* flush write buffer in cache of renegotiation */
r = dnstls_flush_write_buffer(stream);