DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
+static int dnstls_flush_write_buffer(DnsStream *stream) {
+ ssize_t ss;
+
+ assert(stream);
+ assert(stream->encrypted);
+
+ if (stream->dnstls_data.write_buffer->length > 0) {
+ assert(stream->dnstls_data.write_buffer->data);
+
+ struct iovec iov[1];
+ iov[0].iov_base = stream->dnstls_data.write_buffer->data;
+ iov[0].iov_len = stream->dnstls_data.write_buffer->length;
+ ss = dns_stream_writev(stream, iov, 1, DNS_STREAM_WRITE_TLS_DATA);
+ if (ss < 0) {
+ if (ss == -EAGAIN)
+ stream->dnstls_events |= EPOLLOUT;
+
+ return ss;
+ } else {
+ stream->dnstls_data.write_buffer->length -= ss;
+ stream->dnstls_data.write_buffer->data += ss;
+
+ if (stream->dnstls_data.write_buffer->length > 0) {
+ stream->dnstls_events |= EPOLLOUT;
+ return -EAGAIN;
+ }
+ }
+ }
+
+ return 0;
+}
+
int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
_cleanup_(SSL_freep) SSL *s = NULL;
- _cleanup_(BIO_freep) BIO *b = NULL;
+ _cleanup_(BIO_freep) BIO *rb = NULL;
+ _cleanup_(BIO_freep) BIO *wb = NULL;
+ int r;
+ int error;
assert(stream);
assert(server);
- b = BIO_new_socket(stream->fd, 0);
- if (!b)
+ rb = BIO_new_socket(stream->fd, 0);
+ if (!rb)
+ return -ENOMEM;
+
+ wb = BIO_new(BIO_s_mem());
+ if (!wb)
return -ENOMEM;
+ BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
+
s = SSL_new(server->dnstls_data.ctx);
if (!s)
return -ENOMEM;
SSL_set_connect_state(s);
- SSL_set_bio(s, b, b);
- b = NULL;
+ SSL_set_session(s, server->dnstls_data.session);
+ SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
+
+ stream->dnstls_data.handshake = SSL_do_handshake(s);
+ if (stream->dnstls_data.handshake <= 0) {
+ error = SSL_get_error(s, stream->dnstls_data.handshake);
+ if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
+ char errbuf[256];
- /* DNS-over-TLS using OpenSSL doesn't support TCP Fast Open yet */
- connect(stream->fd, &stream->tfo_address.sa, stream->tfo_salen);
- stream->tfo_salen = 0;
+ ERR_error_string_n(error, errbuf, sizeof(errbuf));
+ log_debug("Failed to invoke SSL_do_handshake: %s", errbuf);
+ return -ECONNREFUSED;
+ }
+ }
stream->encrypted = true;
- stream->dnstls_events = EPOLLOUT;
+
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0 && r != -EAGAIN)
+ return r;
+
stream->dnstls_data.ssl = TAKE_PTR(s);
return 0;
SSL_free(stream->dnstls_data.ssl);
}
-int dnstls_stream_on_io(DnsStream *stream) {
+int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
int r;
int error;
assert(stream->encrypted);
assert(stream->dnstls_data.ssl);
+ /* Flush write buffer when requested by OpenSSL ss*/
+ if ((revents & EPOLLOUT) && (stream->dnstls_events & EPOLLOUT)) {
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+ }
+
if (stream->dnstls_data.shutdown) {
r = SSL_shutdown(stream->dnstls_data.ssl);
- if (r == 0)
- return -EAGAIN;
- else if (r < 0) {
+ if (r <= 0) {
error = SSL_get_error(stream->dnstls_data.ssl, r);
- if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
- stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+ if (r == 0 || IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
+ if (r < 0)
+ stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
return -EAGAIN;
} else {
char errbuf[256];
}
}
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
stream->dnstls_events = 0;
stream->dnstls_data.shutdown = false;
dns_stream_unref(stream);
error = SSL_get_error(stream->dnstls_data.ssl, stream->dnstls_data.handshake);
if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
return -EAGAIN;
} else {
char errbuf[256];
}
stream->dnstls_events = 0;
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
}
return 0;
assert(stream->encrypted);
assert(stream->dnstls_data.ssl);
+ if (stream->server) {
+ s = SSL_get1_session(stream->dnstls_data.ssl);
+ if (s) {
+ if (stream->server->dnstls_data.session)
+ SSL_SESSION_free(stream->server->dnstls_data.session);
+
+ stream->server->dnstls_data.session = s;
+ }
+ }
+
if (error == ETIMEDOUT) {
r = SSL_shutdown(stream->dnstls_data.ssl);
if (r == 0) {
stream->dnstls_data.shutdown = true;
dns_stream_ref(stream);
}
+
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
return -EAGAIN;
} else if (r < 0) {
ssl_error = SSL_get_error(stream->dnstls_data.ssl, r);
if (IN_SET(ssl_error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
stream->dnstls_events = ssl_error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0 && r != -EAGAIN)
+ return r;
+
if (!stream->dnstls_data.shutdown) {
stream->dnstls_data.shutdown = true;
dns_stream_ref(stream);
log_debug("Failed to invoke SSL_shutdown: %s", errbuf);
}
}
+
+ stream->dnstls_events = 0;
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
}
return 0;
error = SSL_get_error(stream->dnstls_data.ssl, ss);
if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
ss = -EAGAIN;
} else {
char errbuf[256];
}
stream->dnstls_events = 0;
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
return ss;
}
error = SSL_get_error(stream->dnstls_data.ssl, ss);
if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
stream->dnstls_events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+
+ /* flush write buffer in cache of renegotiation */
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
ss = -EAGAIN;
} else {
char errbuf[256];
}
stream->dnstls_events = 0;
+
+ /* flush write buffer in cache of renegotiation */
+ r = dnstls_flush_write_buffer(stream);
+ if (r < 0)
+ return r;
+
return ss;
}
if (server->dnstls_data.ctx)
SSL_CTX_free(server->dnstls_data.ctx);
+
+ if (server->dnstls_data.session)
+ SSL_SESSION_free(server->dnstls_data.session);
}