This is a first step towards supporting alternative TLS implementations for DNS-over-TLS.
Co-authored-by: Filipe Brandenburger <filbranden@google.com>
resolved-dns-stub.c
resolved-etc-hosts.h
resolved-etc-hosts.c
+ resolved-dnstls.h
'''.split())
resolvectl_sources = files('''
systemd_resolved_dependencies = [threads, libgpg_error, libm, libidn]
if conf.get('ENABLE_DNS_OVER_TLS') == 1
+ systemd_resolved_sources += [files(['resolved-dnstls-gnutls.c', 'resolved-dnstls-gnutls.h'])]
systemd_resolved_dependencies += [libgnutls]
endif
s->linked = true;
#if ENABLE_DNS_OVER_TLS
- /* Do not verify cerificate */
- gnutls_certificate_allocate_credentials(&s->tls_cert_cred);
+ dnstls_server_init(s);
#endif
/* A new DNS server that isn't fallback is added and the one
dns_stream_unref(s->stream);
#if ENABLE_DNS_OVER_TLS
- if (s->tls_cert_cred)
- gnutls_certificate_free_credentials(s->tls_cert_cred);
-
- if (s->tls_session_data.data)
- gnutls_free(s->tls_session_data.data);
+ dnstls_server_free(s);
#endif
free(s->server_string);
#include "in-addr-util.h"
-#if ENABLE_DNS_OVER_TLS
-#include <gnutls/gnutls.h>
-#endif
-
typedef struct DnsServer DnsServer;
typedef enum DnsServerType {
#include "resolved-link.h"
#include "resolved-manager.h"
+#if ENABLE_DNS_OVER_TLS
+#include "resolved-dnstls.h"
+#endif
struct DnsServer {
Manager *manager;
DnsStream *stream;
#if ENABLE_DNS_OVER_TLS
- gnutls_certificate_credentials_t tls_cert_cred;
- gnutls_datum_t tls_session_data;
+ DnsTlsServerData dnstls_data;
#endif
DnsServerFeatureLevel verified_feature_level;
#define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC)
#define DNS_STREAMS_MAX 128
-#define WRITE_TLS_DATA 1
-
static void dns_stream_stop(DnsStream *s) {
assert(s);
assert(s);
#if ENABLE_DNS_OVER_TLS
- if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) {
+ if (s->encrypted) {
int r;
- r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR);
- if (r == GNUTLS_E_AGAIN && !s->tls_bye) {
- dns_stream_ref(s); /* keep reference for closing TLS session */
- s->tls_bye = true;
- } else
+ r = dnstls_stream_shutdown(s, error);
+ if (r != -EAGAIN)
dns_stream_stop(s);
} else
#endif
return 0;
}
-static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) {
+ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) {
ssize_t r;
assert(s);
assert(iov);
#if ENABLE_DNS_OVER_TLS
- if (s->tls_session && !(flags & WRITE_TLS_DATA)) {
+ if (s->encrypted && !(flags & DNS_STREAM_WRITE_TLS_DATA)) {
ssize_t ss;
size_t i;
r = 0;
for (i = 0; i < iovcnt; i++) {
- ss = gnutls_record_send(s->tls_session, iov[i].iov_base, iov[i].iov_len);
- if (ss < 0) {
- switch(ss) {
-
- case GNUTLS_E_INTERRUPTED:
- return -EINTR;
- case GNUTLS_E_AGAIN:
- return -EAGAIN;
- default:
- log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss));
- return -EIO;
- }
- }
+ ss = dnstls_stream_write(s, iov[i].iov_base, iov[i].iov_len);
+ if (ss < 0)
+ return ss;
r += ss;
if (ss != (ssize_t) iov[i].iov_len)
ssize_t ss;
#if ENABLE_DNS_OVER_TLS
- if (s->tls_session) {
- ss = gnutls_record_recv(s->tls_session, buf, count);
- if (ss < 0) {
- switch(ss) {
-
- case GNUTLS_E_INTERRUPTED:
- return -EINTR;
- case GNUTLS_E_AGAIN:
- return -EAGAIN;
- default:
- log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss));
- return -EIO;
- }
- } else if (s->on_connection) {
- int r;
-
- r = s->on_connection(s);
- s->on_connection = NULL; /* only call once */
- if (r < 0)
- return r;
- }
- } else
+ if (s->encrypted)
+ ss = dnstls_stream_read(s, buf, count);
+ else
#endif
{
ss = read(s->fd, buf, count);
return ss;
}
-#if ENABLE_DNS_OVER_TLS
-static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) {
- int r;
-
- assert(p);
-
- r = dns_stream_writev((DnsStream*) p, (struct iovec*) iov, iovcnt, WRITE_TLS_DATA);
- if (r < 0) {
- errno = -r;
- return -1;
- }
-
- return r;
-}
-#endif
-
static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) {
DnsStream *s = userdata;
assert(s);
#if ENABLE_DNS_OVER_TLS
- if (s->tls_bye) {
- assert(s->tls_session);
-
- r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR);
- if (r != GNUTLS_E_AGAIN) {
- s->tls_bye = false;
- dns_stream_unref(s);
- }
-
- return 0;
- }
-
- if (s->tls_handshake < 0) {
- assert(s->tls_session);
-
- s->tls_handshake = gnutls_handshake(s->tls_session);
- if (s->tls_handshake >= 0) {
- if (s->on_connection && !(gnutls_session_get_flags(s->tls_session) & GNUTLS_SFLAGS_FALSE_START)) {
- r = s->on_connection(s);
- s->on_connection = NULL; /* only call once */
- if (r < 0)
- return r;
- }
- } else {
- if (gnutls_error_is_fatal(s->tls_handshake))
- return dns_stream_complete(s, ECONNREFUSED);
- else
- return 0;
- }
+ if (s->encrypted) {
+ r = dnstls_stream_on_io(s);
+ if (r == DNSTLS_STREAM_CLOSED || r == -EAGAIN)
+ return 0;
+ else if (r < 0)
+ return dns_stream_complete(s, -r);
}
#endif
}
#if ENABLE_DNS_OVER_TLS
- if (s->tls_session)
- gnutls_deinit(s->tls_session);
+ if (s->encrypted)
+ dnstls_stream_free(s);
#endif
ORDERED_SET_FOREACH(p, s->write_queue, i)
return 0;
}
-#if ENABLE_DNS_OVER_TLS
-int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) {
- gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s);
- gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev);
-
- s->encrypted = true;
- s->tls_session = tls_session;
- s->tls_handshake = gnutls_handshake(tls_session);
- if (s->tls_handshake < 0 && gnutls_error_is_fatal(s->tls_handshake))
- return -ECONNREFUSED;
-
- return 0;
-}
-#endif
-
int dns_stream_write_packet(DnsStream *s, DnsPacket *p) {
int r;
#include "resolved-dns-packet.h"
#include "resolved-dns-transaction.h"
#include "resolved-manager.h"
-
#if ENABLE_DNS_OVER_TLS
-#include <gnutls/gnutls.h>
+#include "resolved-dnstls.h"
#endif
+#define DNS_STREAM_WRITE_TLS_DATA 1
+
/* Streams are used by three subsystems:
*
* 1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP
socklen_t tfo_salen;
#if ENABLE_DNS_OVER_TLS
- gnutls_session_t tls_session;
- int tls_handshake;
- bool tls_bye;
+ DnsTlsStreamData dnstls_data;
#endif
sd_event_source *io_event_source;
int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
#if ENABLE_DNS_OVER_TLS
-int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session);
+int dns_stream_connect_tls(DnsStream *s, void *tls_session);
#endif
DnsStream *dns_stream_unref(DnsStream *s);
DnsStream *dns_stream_ref(DnsStream *s);
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_unref);
int dns_stream_write_packet(DnsStream *s, DnsPacket *p);
+ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags);
static inline bool DNS_STREAM_QUEUED(DnsStream *s) {
assert(s);
#include "resolved-dns-cache.h"
#include "resolved-dns-transaction.h"
#include "resolved-llmnr.h"
-#include "string-table.h"
-
#if ENABLE_DNS_OVER_TLS
-#include <gnutls/socket.h>
+#include "resolved-dnstls.h"
#endif
+#include "string-table.h"
#define TRANSACTIONS_MAX 4096
#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
return 0;
}
-static int on_stream_connection(DnsStream *s) {
-#if ENABLE_DNS_OVER_TLS
- /* Store TLS Ticket for faster succesive TLS handshakes */
- if (s->tls_session && s->server) {
- if (s->server->tls_session_data.data)
- gnutls_free(s->server->tls_session_data.data);
-
- gnutls_session_get_data2(s->tls_session, &s->server->tls_session_data);
- }
-#endif
-
- return 0;
-}
-
static int on_stream_complete(DnsStream *s, int error) {
_cleanup_(dns_stream_unrefp) DnsStream *p = NULL;
DnsTransaction *t, *n;
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
union sockaddr_union sa;
int r;
-#if ENABLE_DNS_OVER_TLS
- gnutls_session_t gs;
-#endif
assert(t);
#if ENABLE_DNS_OVER_TLS
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
assert(t->server);
-
- r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
- if (r < 0)
- return r;
-
- /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
- r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL);
- if (r < 0)
- return r;
-
- r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, t->server->tls_cert_cred);
- if (r < 0)
- return r;
-
- if (t->server->tls_session_data.size > 0)
- gnutls_session_set_data(gs, t->server->tls_session_data.data, t->server->tls_session_data.size);
-
- gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
-
- r = dns_stream_connect_tls(s, gs);
+ r = dnstls_stream_connect_tls(s, t->server);
if (r < 0)
return r;
}
#endif
- s->on_connection = on_stream_connection;
s->complete = on_stream_complete;
s->on_packet = dns_stream_on_packet;
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#if !ENABLE_DNS_OVER_TLS || !HAVE_GNUTLS
+#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
+#endif
+
+#include "resolved-dnstls.h"
+#include "resolved-dns-stream.h"
+
+#include <gnutls/socket.h>
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit);
+
+static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
+ int r;
+
+ assert(p);
+
+ r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA);
+ if (r < 0) {
+ errno = -r;
+ return -1;
+ }
+
+ return r;
+}
+
+int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
+ _cleanup_(gnutls_deinitp) gnutls_session_t gs;
+ int r;
+
+ assert(stream);
+ assert(server);
+
+ r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
+ if (r < 0)
+ return r;
+
+ /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
+ r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL);
+ if (r < 0)
+ return r;
+
+ r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, server->dnstls_data.cert_cred);
+ if (r < 0)
+ return r;
+
+ if (server->dnstls_data.session_data.size > 0) {
+ gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size);
+
+ // Clear old session ticket
+ gnutls_free(server->dnstls_data.session_data.data);
+ server->dnstls_data.session_data.data = NULL;
+ server->dnstls_data.session_data.size = 0;
+ }
+
+ gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
+
+ gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
+ gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev);
+
+ stream->encrypted = true;
+ stream->dnstls_data.handshake = gnutls_handshake(gs);
+ if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake))
+ return -ECONNREFUSED;
+
+ stream->dnstls_data.session = TAKE_PTR(gs);
+
+ return 0;
+}
+
+void dnstls_stream_free(DnsStream *stream) {
+ assert(stream);
+ assert(stream->encrypted);
+
+ if (stream->dnstls_data.session)
+ gnutls_deinit(stream->dnstls_data.session);
+}
+
+int dnstls_stream_on_io(DnsStream *stream) {
+ int r;
+
+ assert(stream);
+ assert(stream->encrypted);
+ assert(stream->dnstls_data.session);
+
+ if (stream->dnstls_data.shutdown) {
+ r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
+ if (r == GNUTLS_E_AGAIN)
+ return -EAGAIN;
+ else if (r < 0)
+ log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
+
+ stream->dnstls_data.shutdown = false;
+ dns_stream_unref(stream);
+ return DNSTLS_STREAM_CLOSED;
+ } else if (stream->dnstls_data.handshake < 0) {
+ stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session);
+ if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN)
+ return -EAGAIN;
+ else if (stream->dnstls_data.handshake < 0) {
+ log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake));
+ if (gnutls_error_is_fatal(stream->dnstls_data.handshake))
+ return -ECONNREFUSED;
+ }
+ }
+
+ return 0;
+}
+
+int dnstls_stream_shutdown(DnsStream *stream, int error) {
+ int r;
+
+ assert(stream);
+ assert(stream->encrypted);
+ assert(stream->dnstls_data.session);
+
+ /* Store TLS Ticket for faster succesive TLS handshakes */
+ if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS)
+ gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data);
+
+ if (IN_SET(error, ETIMEDOUT, 0)) {
+ r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
+ if (r == GNUTLS_E_AGAIN) {
+ if (!stream->dnstls_data.shutdown) {
+ stream->dnstls_data.shutdown = true;
+ dns_stream_ref(stream);
+ return -EAGAIN;
+ }
+ } else if (r < 0)
+ log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
+ }
+
+ return 0;
+}
+
+ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) {
+ ssize_t ss;
+
+ assert(stream);
+ assert(stream->encrypted);
+ assert(stream->dnstls_data.session);
+ assert(buf);
+
+ ss = gnutls_record_send(stream->dnstls_data.session, buf, count);
+ if (ss < 0)
+ switch(ss) {
+ case GNUTLS_E_INTERRUPTED:
+ return -EINTR;
+ case GNUTLS_E_AGAIN:
+ return -EAGAIN;
+ default:
+ log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss));
+ return -EPIPE;
+ }
+
+ return ss;
+}
+
+ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
+ ssize_t ss;
+
+ assert(stream);
+ assert(stream->encrypted);
+ assert(stream->dnstls_data.session);
+ assert(buf);
+
+ ss = gnutls_record_recv(stream->dnstls_data.session, buf, count);
+ if (ss < 0)
+ switch(ss) {
+ case GNUTLS_E_INTERRUPTED:
+ return -EINTR;
+ case GNUTLS_E_AGAIN:
+ return -EAGAIN;
+ default:
+ log_debug("Failed to invoke gnutls_record_recv: %s", gnutls_strerror(ss));
+ return -EPIPE;
+ }
+
+ return ss;
+}
+
+void dnstls_server_init(DnsServer *server) {
+ assert(server);
+
+ /* Do not verify cerificate */
+ gnutls_certificate_allocate_credentials(&server->dnstls_data.cert_cred);
+}
+
+void dnstls_server_free(DnsServer *server) {
+ assert(server);
+
+ if (server->dnstls_data.cert_cred)
+ gnutls_certificate_free_credentials(server->dnstls_data.cert_cred);
+
+ if (server->dnstls_data.session_data.data)
+ gnutls_free(server->dnstls_data.session_data.data);
+}
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#if !ENABLE_DNS_OVER_TLS || !HAVE_GNUTLS
+#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
+#endif
+
+#include <stdbool.h>
+
+#include <gnutls/gnutls.h>
+
+struct DnsTlsServerData {
+ gnutls_certificate_credentials_t cert_cred;
+ gnutls_datum_t session_data;
+};
+
+struct DnsTlsStreamData {
+ gnutls_session_t session;
+ int handshake;
+ bool shutdown;
+};
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#if !ENABLE_DNS_OVER_TLS
+#error This source file requires DNS-over-TLS to be enabled
+#endif
+
+typedef struct DnsTlsServerData DnsTlsServerData;
+typedef struct DnsTlsStreamData DnsTlsStreamData;
+
+#if HAVE_GNUTLS
+#include "resolved-dnstls-gnutls.h"
+#endif
+
+#include "resolved-dns-stream.h"
+#include "resolved-dns-transaction.h"
+
+#define DNSTLS_STREAM_CLOSED 1
+
+int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server);
+void dnstls_stream_free(DnsStream *stream);
+int dnstls_stream_on_io(DnsStream *stream);
+int dnstls_stream_shutdown(DnsStream *stream, int error);
+ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count);
+ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count);
+
+void dnstls_server_init(DnsServer *server);
+void dnstls_server_free(DnsServer *server);
projects / thirdparty / systemd.git / commitdiff
