meson: make DNS-over-TLS support optional
authorYu Watanabe <watanabe.yu+github@gmail.com>
Wed, 20 Jun 2018 16:29:49 +0000 (01:29 +0900)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 20 Jun 2018 20:28:01 +0000 (22:28 +0200)
This adds a 'dns-over-tls' option to meson. If it is set to 'false',
systemd-resolved is not linked with libgnutls.

meson.build
meson_options.txt
src/resolve/meson.build
src/resolve/resolved-conf.c
src/resolve/resolved-dns-server.c
src/resolve/resolved-dns-server.h
src/resolve/resolved-dns-stream.c
src/resolve/resolved-dns-stream.h
src/resolve/resolved-dns-transaction.c
src/resolve/resolved-link.c

index a97168961df64aac79823349fd5f98a3778685a2..e1d5b73566bdff6dda3533391063ba8a3978a758 100644 (file)
@@ -1135,12 +1135,23 @@ conf.set('DEFAULT_DNSSEC_MODE',
          'DNSSEC_' + default_dnssec.underscorify().to_upper())
 substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
 
+dns_over_tls = get_option('dns-over-tls')
+if dns_over_tls != 'false'
+        have = conf.get('HAVE_GNUTLS') == 1
+        if dns_over_tls == 'true' and not have
+                error('DNS-over-TLS support was requested, but dependencies are not available')
+        endif
+else
+        have = false
+endif
+conf.set10('ENABLE_DNS_OVER_TLS', have)
+
 default_dns_over_tls = get_option('default-dns-over-tls')
 if fuzzer_build
         default_dns_over_tls = 'no'
 endif
-if default_dns_over_tls != 'no' and conf.get('HAVE_GNUTLS') == 0
-        message('default-dns-over-tls cannot be set to strict or opportunistic when gnutls is disabled. Setting default-dns-over-tls to no.')
+if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0
+        message('default-dns-over-tls cannot be set to opportunistic when DNS-over-TLS support is disabled. Setting default-dns-over-tls to no.')
         default_dns_over_tls = 'no'
 endif
 conf.set('DEFAULT_DNS_OVER_TLS_MODE',
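Review bot: An explicit `-Ddns-over-tls=false` combined with `-Ddefault-dns-over-tls=opportunistic` is silently downgraded to `no` by the new `if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0` branch, and its `message()` call is easy to miss in configure output. Since this decides whether the shipped resolver ever attempts TLS, two contradictory explicit requests deserve more than an informational line: emit `warning(...)` there if the project's minimum meson version provides it, or, when `dns_over_tls == 'false'` was given explicitly rather than resolved from 'auto', fail with `error('default-dns-over-tls=opportunistic requires dns-over-tls support')`. The 'auto' case, where gnutls simply was not found, can keep the quiet fallback.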
@@ -1594,11 +1605,7 @@ if conf.get('ENABLE_RESOLVE') == 1
                    link_with : [libshared,
                                 libbasic_gcrypt,
                                 libsystemd_resolve_core],
-                   dependencies : [threads,
-                                   libgnutls,
-                                   libgpg_error,
-                                   libm,
-                                   libidn],
+                   dependencies : systemd_resolved_dependencies,
                    install_rpath : rootlibexecdir,
                    install : true,
                    install_dir : rootlibexecdir)
@@ -2950,6 +2957,7 @@ foreach tuple : [
         ['localed'],
         ['networkd'],
         ['resolve'],
+        ['DNS-over-TLS'],
         ['coredump'],
         ['polkit'],
         ['legacy pkla',      install_polkit_pkla],
index 58ee0daad6c7ee50459347bd8dd5f7159505574a..16c1f2b2fa2722713231b1d5020d0f0c69f85672 100644 (file)
@@ -195,6 +195,8 @@ option('default-dns-over-tls', type : 'combo',
        description : 'default DNS-over-TLS mode',
        choices : ['opportunistic', 'no'],
        value : 'no')
+option('dns-over-tls', type : 'combo', choices : ['auto', 'true', 'false'],
+       description : 'DNS-over-TLS support')
 option('dns-servers', type : 'string',
        description : 'space-separated list of default DNS servers',
        value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844')
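Review bot: The new `dns-over-tls` option has no `value :` line, so its default is presumably whatever meson picks for a combo with no value (the first choice, 'auto'), which a reader of meson_options.txt cannot see, while the neighbouring `default-dns-over-tls` option states `value : 'no'` explicitly. State the default and name the dependency the option toggles: `option('dns-over-tls', type : 'combo', choices : ['auto', 'true', 'false'],` followed by `value : 'auto', description : 'DNS-over-TLS support (requires gnutls)')`.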
index 759d1395d4d70b5186ca7cf117deef21ac15dbea..15f3835d5570526b13c7fb5efdf357bcf081889d 100644 (file)
@@ -139,6 +139,11 @@ libsystemd_resolve_core = static_library(
 
 systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c]
 
+systemd_resolved_dependencies = [threads, libgpg_error, libm, libidn]
+if conf.get('ENABLE_DNS_OVER_TLS') == 1
+        systemd_resolved_dependencies += [libgnutls]
+endif
+
 if conf.get('ENABLE_RESOLVE') == 1
         install_data('org.freedesktop.resolve1.conf',
                      install_dir : dbuspolicydir)
index 8d01056def4e0f201599606e953a167d97829ba7..79e388f8a2d7cefec1f6bbb62d9c81d8fa9ffaa7 100644 (file)
@@ -392,9 +392,9 @@ int manager_parse_config_file(Manager *m) {
         }
 #endif
 
-#if ! HAVE_GNUTLS
+#if ! ENABLE_DNS_OVER_TLS
         if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
-                log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support.");
+                log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
                 m->dns_over_tls_mode = DNS_OVER_TLS_NO;
         }
 #endif
index 1413f3d147db14acd4f0f28eba0ee47084db3522..5476ca2dbd5d3b52a9b9e90f9cca6b102d84cc6a 100644 (file)
@@ -80,7 +80,7 @@ int dns_server_new(
 
         s->linked = true;
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         /* Do not verify cerificate */
         gnutls_certificate_allocate_credentials(&s->tls_cert_cred);
 #endif
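Review bot: The return value of `gnutls_certificate_allocate_credentials(&s->tls_cert_cred)` inside the renamed `#if ENABLE_DNS_OVER_TLS` block is still discarded, so an allocation failure leaves `s->tls_cert_cred` unset while the server object is otherwise reported as created; whatever later attaches that credential to a session (outside this hunk) would then operate on an invalid handle. Check it as one line, `if (gnutls_certificate_allocate_credentials(&s->tls_cert_cred) < 0) return -ENOMEM;`, unwinding the way the function's other failure paths presumably do. While touching this block, the comment `/* Do not verify cerificate */` could be made both correct and explicit about the property it documents, e.g. `/* Certificates are deliberately not verified: this is opportunistic TLS, the peer is not authenticated. */`, since unauthenticated credentials are the security-relevant fact of this code. dns_server_new's body starts and ends outside the hunk.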
@@ -121,7 +121,7 @@ DnsServer* dns_server_unref(DnsServer *s)  {
 
         dns_stream_unref(s->stream);
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         if (s->tls_cert_cred)
                 gnutls_certificate_free_credentials(s->tls_cert_cred);
 
index 027559e3d4b34dc58390d024feaedcb1f4d0df6a..dffc4217d11ac4fe57421aca9ee84063d05d173b 100644 (file)
@@ -3,7 +3,7 @@
 
 #include "in-addr-util.h"
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
 #include <gnutls/gnutls.h>
 #endif
 
@@ -56,7 +56,7 @@ struct DnsServer {
         char *server_string;
         DnsStream *stream;
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         gnutls_certificate_credentials_t tls_cert_cred;
         gnutls_datum_t tls_session_data;
 #endif
index d133efa751e43d0e9267b06a743a3d191ef0dcd3..066daef96e8a9603851c4fb1648ad88d8e5dbeea 100644 (file)
@@ -44,7 +44,7 @@ static int dns_stream_update_io(DnsStream *s) {
 static int dns_stream_complete(DnsStream *s, int error) {
         assert(s);
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) {
                 int r;
 
@@ -197,7 +197,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i
         assert(s);
         assert(iov);
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         if (s->tls_session && !(flags & WRITE_TLS_DATA)) {
                 ssize_t ss;
                 size_t i;
@@ -257,7 +257,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i
 static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
         ssize_t ss;
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         if (s->tls_session) {
                 ss = gnutls_record_recv(s->tls_session, buf, count);
                 if (ss < 0) {
@@ -290,7 +290,7 @@ static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
         return ss;
 }
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
 static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) {
         int r;
 
@@ -320,7 +320,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
 
         assert(s);
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         if (s->tls_bye) {
                 assert(s->tls_session);
 
@@ -505,7 +505,7 @@ DnsStream *dns_stream_unref(DnsStream *s) {
                 s->manager->n_dns_streams--;
         }
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         if (s->tls_session)
                 gnutls_deinit(s->tls_session);
 #endif
@@ -586,7 +586,7 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, co
         return 0;
 }
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
 int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) {
         gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s);
         gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev);
index d194fb5a9d3cd55f99aa506c741f7d476c9b27e5..9a0da226d834e641631bd5960589236f90f16bc6 100644 (file)
@@ -9,7 +9,7 @@ typedef struct DnsStream DnsStream;
 #include "resolved-dns-transaction.h"
 #include "resolved-manager.h"
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
 #include <gnutls/gnutls.h>
 #endif
 
@@ -39,7 +39,7 @@ struct DnsStream {
         union sockaddr_union tfo_address;
         socklen_t tfo_salen;
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         gnutls_session_t tls_session;
         int tls_handshake;
         bool tls_bye;
@@ -68,7 +68,7 @@ struct DnsStream {
 };
 
 int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
 int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session);
 #endif
 DnsStream *dns_stream_unref(DnsStream *s);
index 385bb4fe2ea907ce21db99abf98932eb1ba5d1db..c60b8215a6ff01eeac1b92124b2b0ea3ac0c9f77 100644 (file)
@@ -13,7 +13,7 @@
 #include "resolved-llmnr.h"
 #include "string-table.h"
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
 #include <gnutls/socket.h>
 #endif
 
@@ -504,7 +504,7 @@ static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) {
 }
 
 static int on_stream_connection(DnsStream *s) {
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         /* Store TLS Ticket for faster succesive TLS handshakes */
         if (s->tls_session && s->server) {
                 if (s->server->tls_session_data.data)
@@ -577,7 +577,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
         _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
         union sockaddr_union sa;
         int r;
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
         gnutls_session_t gs;
 #endif
 
@@ -651,7 +651,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
                         s->server = dns_server_ref(t->server);
                 }
 
-#if HAVE_GNUTLS
+#if ENABLE_DNS_OVER_TLS
                 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
                         r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
                         if (r < 0)
index 30fd542be1f7ee07a2c530e3a8638ef4d3524675..ff2be12415b55fd12ab1ecbe5d0eb5aa35a4af6f 100644 (file)
@@ -353,9 +353,9 @@ void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) {
 
         assert(l);
 
-#if ! HAVE_GNUTLS
+#if ! ENABLE_DNS_OVER_TLS
         if (mode != DNS_OVER_TLS_NO)
-                log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support.");
+                log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
         return;
 #endif