From: Yu Watanabe Date: Tue, 1 Apr 2025 16:45:51 +0000 (+0900) Subject: resolve: always use openssl as backend of DNS-over-TLS X-Git-Tag: v258-rc1~779^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b1c3f57e76e9bb63a2f48d32d1ab955ceaef7140;p=thirdparty%2Fsystemd.git resolve: always use openssl as backend of DNS-over-TLS This drops support for dns-over-tls=gnutls meson option. --- diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh index 113af704a80..25ffe415fae 100755 --- a/.github/workflows/build_test.sh +++ b/.github/workflows/build_test.sh @@ -10,7 +10,7 @@ fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; } success() { echo >&2 -e "\033[32;1m$1\033[0m"; } ARGS=( - "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled" + "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Dtpm=true -Dtpm2=enabled" "--optimization=s -Dutmp=false" "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl" "--optimization=3 -Db_lto=true -Ddns-over-tls=false" diff --git a/README b/README index 53fa8c0bf7e..8d7dad329ac 100644 --- a/README +++ b/README @@ -240,8 +240,7 @@ REQUIREMENTS: libcurl >= 7.32.0 (optional) libidn2 or libidn (optional) gnutls >= 3.1.4 (optional) - >= 3.6.0 is required to support DNS-over-TLS with gnutls - openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl) + openssl >= 1.1.0 (optional, required to support DNS-over-TLS) p11-kit >= 0.23.3 (optional) libfido2 (optional) tpm2-tss (optional) diff --git a/TODO b/TODO index e4597084ea4..2d1fb9e63f7 100644 --- a/TODO +++ b/TODO @@ -1807,7 +1807,6 @@ Features: with matches, then activate app through that passing socket over * unify on openssl: - - kill gnutls support in resolved - figure out what to do about libmicrohttpd, which has a hard dependency on gnutls - port fsprg over to a dlopen lib, then switch it to openssl diff --git a/meson.build b/meson.build index 43858480a6b..dfa40938891 100644 --- a/meson.build +++ b/meson.build @@ -1488,37 +1488,17 @@ conf.set10('HAVE_OPENSSL_OR_GCRYPT', lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? [libopenssl] : [libgcrypt, libgpg_error] dns_over_tls = get_option('dns-over-tls') -if dns_over_tls != 'false' - if dns_over_tls == 'gnutls' and conf.get('PREFER_OPENSSL') == 1 - error('Sorry, -Ddns-over-tls=gnutls is not supported when openssl is used as the cryptolib') - endif - - if dns_over_tls == 'gnutls' - have_openssl = false - else - have_openssl = conf.get('HAVE_OPENSSL') == 1 - if dns_over_tls == 'openssl' and not have_openssl - error('DNS-over-TLS support was requested with openssl, but dependencies are not available') - endif - endif - if dns_over_tls == 'openssl' or have_openssl - have_gnutls = false - else - have_gnutls = conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0') - if dns_over_tls != 'auto' and not have_gnutls - str = dns_over_tls == 'gnutls' ? ' with gnutls' : '' - error('DNS-over-TLS support was requested@0@, but dependencies are not available'.format(str)) - endif - endif - have = have_gnutls or have_openssl -else +have_openssl = conf.get('HAVE_OPENSSL') == 1 +if dns_over_tls == 'false' have = false - have_gnutls = false - have_openssl = false +elif dns_over_tls == 'auto' + have = have_openssl +elif have_openssl + have = true +else + error('DNS-over-TLS support was requested, but OpenSSL support is disabled.') endif conf.set10('ENABLE_DNS_OVER_TLS', have) -conf.set10('DNS_OVER_TLS_USE_GNUTLS', have_gnutls) -conf.set10('DNS_OVER_TLS_USE_OPENSSL', have_openssl) default_dns_over_tls = get_option('default-dns-over-tls') if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0 @@ -3080,6 +3060,7 @@ foreach tuple : [ # optional features ['dmi'], + ['DNS-over-TLS'], ['idn'], ['polkit'], ['legacy-pkla', install_polkit_pkla], @@ -3152,14 +3133,6 @@ else missing += 'cryptolib' endif -if conf.get('DNS_OVER_TLS_USE_GNUTLS') == 1 - found += 'DNS-over-TLS(gnutls)' -elif conf.get('DNS_OVER_TLS_USE_OPENSSL') == 1 - found += 'DNS-over-TLS(openssl)' -else - missing += 'DNS-over-TLS' -endif - summary({ 'enabled' : ', '.join(found), 'disabled' : ', '.join(missing)}, diff --git a/meson_options.txt b/meson_options.txt index 1e752eeb9ef..9b1685536bc 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -363,7 +363,7 @@ option('default-llmnr', type : 'combo', choices : ['yes', 'resolve', 'no'], description : 'default LLMNR mode', value : 'yes') -option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'], +option('dns-over-tls', type : 'combo', choices : ['auto', 'openssl', 'true', 'false'], description : 'DNS-over-TLS support') option('dns-servers', type : 'string', description : 'space-separated list of default DNS servers', diff --git a/src/resolve/meson.build b/src/resolve/meson.build index 7e388f835bc..a64cfee2b7e 100644 --- a/src/resolve/meson.build +++ b/src/resolve/meson.build @@ -102,19 +102,10 @@ systemd_resolved_sources += custom_target( systemd_resolved_dependencies = [threads, libm] + [lib_openssl_or_gcrypt] if conf.get('ENABLE_DNS_OVER_TLS') == 1 - if conf.get('DNS_OVER_TLS_USE_GNUTLS') == 1 - systemd_resolved_sources += files( - 'resolved-dnstls-gnutls.c', - ) - systemd_resolved_dependencies += libgnutls - elif conf.get('DNS_OVER_TLS_USE_OPENSSL') == 1 - systemd_resolved_sources += files( - 'resolved-dnstls-openssl.c', - ) - systemd_resolved_dependencies += libopenssl - else - error('unknown dependency for supporting DNS-over-TLS') - endif + systemd_resolved_sources += files( + 'resolved-dnstls-openssl.c', + ) + systemd_resolved_dependencies += libopenssl endif link_with = [ diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c deleted file mode 100644 index 321595f295e..00000000000 --- a/src/resolve/resolved-dnstls-gnutls.c +++ /dev/null @@ -1,255 +0,0 @@ -/* SPDX-License-Identifier: LGPL-2.1-or-later */ - -#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS -#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available. -#endif - -#include - -#include "iovec-util.h" -#include "resolved-dns-stream.h" -#include "resolved-dnstls.h" -#include "resolved-manager.h" - -#define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" -DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gnutls_session_t, gnutls_deinit, NULL); - -static ssize_t dnstls_stream_vec_push(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) { - int r; - - assert(p); - - r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA); - if (r < 0) { - errno = -r; - return -1; - } - - return r; -} - -int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { - _cleanup_(gnutls_deinitp) gnutls_session_t gs = NULL; - int r; - - assert(stream); - assert(server); - - r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); - if (r < 0) - return r; - - /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */ - r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL); - if (r < 0) - return r; - - r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred); - if (r < 0) - return r; - - if (server->dnstls_data.session_data.size > 0) { - gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size); - - // Clear old session ticket - gnutls_free(server->dnstls_data.session_data.data); - server->dnstls_data.session_data.data = NULL; - server->dnstls_data.session_data.size = 0; - } - - if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) { - if (server->server_name) - gnutls_session_set_verify_cert(gs, server->server_name, 0); - else { - stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS; - if (server->family == AF_INET) { - stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr; - stream->dnstls_data.validation.size = 4; - } else { - stream->dnstls_data.validation.data = server->address.in6.s6_addr; - stream->dnstls_data.validation.size = 16; - } - gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0); - } - } - - if (server->server_name) { - r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name)); - if (r < 0) - return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r)); - } - - gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); - - gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream); - gnutls_transport_set_vec_push_function(gs, &dnstls_stream_vec_push); - - stream->encrypted = true; - stream->dnstls_data.handshake = gnutls_handshake(gs); - if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake)) - return -ECONNREFUSED; - - stream->dnstls_data.session = TAKE_PTR(gs); - - return 0; -} - -void dnstls_stream_free(DnsStream *stream) { - assert(stream); - assert(stream->encrypted); - - if (stream->dnstls_data.session) - gnutls_deinit(stream->dnstls_data.session); -} - -int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { - int r; - - assert(stream); - assert(stream->encrypted); - assert(stream->dnstls_data.session); - - if (stream->dnstls_data.shutdown) { - r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); - if (r == GNUTLS_E_AGAIN) { - stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; - return -EAGAIN; - } else if (r < 0) - log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); - - stream->dnstls_events = 0; - stream->dnstls_data.shutdown = false; - dns_stream_unref(stream); - return DNSTLS_STREAM_CLOSED; - } else if (stream->dnstls_data.handshake < 0) { - stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session); - if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) { - stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN; - return -EAGAIN; - } else if (stream->dnstls_data.handshake < 0) { - log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake)); - if (gnutls_error_is_fatal(stream->dnstls_data.handshake)) - return -ECONNREFUSED; - } - - stream->dnstls_events = 0; - } - - return 0; -} - -int dnstls_stream_shutdown(DnsStream *stream, int error) { - int r; - - assert(stream); - assert(stream->encrypted); - assert(stream->dnstls_data.session); - - /* Store TLS Ticket for faster successive TLS handshakes */ - if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS) - gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data); - - if (IN_SET(error, ETIMEDOUT, 0)) { - r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); - if (r == GNUTLS_E_AGAIN) { - if (!stream->dnstls_data.shutdown) { - stream->dnstls_data.shutdown = true; - dns_stream_ref(stream); - return -EAGAIN; - } - } else if (r < 0) - log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); - } - - return 0; -} - -ssize_t dnstls_stream_writev(DnsStream *stream, const struct iovec *iov, size_t iovcnt) { - ssize_t ss; - - assert(stream); - assert(stream->encrypted); - assert(stream->dnstls_data.session); - assert(iov); - assert(iovec_total_size(iov, iovcnt) > 0); - - gnutls_record_cork(stream->dnstls_data.session); - - for (size_t i = 0; i < iovcnt; i++) { - ss = gnutls_record_send( - stream->dnstls_data.session, - iov[i].iov_base, iov[i].iov_len); - if (ss < 0) - break; - } - - ss = gnutls_record_uncork(stream->dnstls_data.session, 0); - if (ss < 0) - switch (ss) { - case GNUTLS_E_INTERRUPTED: - return -EINTR; - case GNUTLS_E_AGAIN: - return -EAGAIN; - default: - return log_debug_errno(SYNTHETIC_ERRNO(EPIPE), - "Failed to invoke gnutls_record_send: %s", - gnutls_strerror(ss)); - } - - return ss; -} - -ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { - ssize_t ss; - - assert(stream); - assert(stream->encrypted); - assert(stream->dnstls_data.session); - assert(buf); - - ss = gnutls_record_recv(stream->dnstls_data.session, buf, count); - if (ss < 0) - switch (ss) { - case GNUTLS_E_INTERRUPTED: - return -EINTR; - case GNUTLS_E_AGAIN: - return -EAGAIN; - default: - return log_debug_errno(SYNTHETIC_ERRNO(EPIPE), - "Failed to invoke gnutls_record_recv: %s", - gnutls_strerror(ss)); - } - - return ss; -} - -void dnstls_server_free(DnsServer *server) { - assert(server); - - if (server->dnstls_data.session_data.data) - gnutls_free(server->dnstls_data.session_data.data); -} - -int dnstls_manager_init(Manager *manager) { - int r; - assert(manager); - - r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred); - if (r < 0) - return log_warning_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), - "Failed to allocate SSL credentials: %s", - gnutls_strerror(r)); - - r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred); - if (r < 0) - log_warning("Failed to load system trust store: %s", gnutls_strerror(r)); - - return 0; -} - -void dnstls_manager_free(Manager *manager) { - assert(manager); - - if (manager->dnstls_data.cert_cred) - gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred); -} diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h deleted file mode 100644 index dc1255fbb97..00000000000 --- a/src/resolve/resolved-dnstls-gnutls.h +++ /dev/null @@ -1,24 +0,0 @@ -/* SPDX-License-Identifier: LGPL-2.1-or-later */ -#pragma once - -#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS -#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available. -#endif - -#include -#include - -struct DnsTlsManagerData { - gnutls_certificate_credentials_t cert_cred; -}; - -struct DnsTlsServerData { - gnutls_datum_t session_data; -}; - -struct DnsTlsStreamData { - gnutls_session_t session; - gnutls_typed_vdata_st validation; - int handshake; - bool shutdown; -}; diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c index d814c174ea2..5b259fa1b68 100644 --- a/src/resolve/resolved-dnstls-openssl.c +++ b/src/resolve/resolved-dnstls-openssl.c @@ -1,6 +1,6 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ -#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL +#if !ENABLE_DNS_OVER_TLS || !HAVE_OPENSSL #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available. #endif diff --git a/src/resolve/resolved-dnstls-openssl.h b/src/resolve/resolved-dnstls-openssl.h index a73b77bb581..e94f540c674 100644 --- a/src/resolve/resolved-dnstls-openssl.h +++ b/src/resolve/resolved-dnstls-openssl.h @@ -1,7 +1,7 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ #pragma once -#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL +#if !ENABLE_DNS_OVER_TLS || !HAVE_OPENSSL #error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available. #endif diff --git a/src/resolve/resolved-dnstls.h b/src/resolve/resolved-dnstls.h index cda97e0b126..62b471ca2b7 100644 --- a/src/resolve/resolved-dnstls.h +++ b/src/resolve/resolved-dnstls.h @@ -6,6 +6,8 @@ #include #include +#include "resolved-dnstls-openssl.h" + typedef struct DnsServer DnsServer; typedef struct DnsStream DnsStream; typedef struct DnsTlsManagerData DnsTlsManagerData; @@ -13,14 +15,6 @@ typedef struct DnsTlsServerData DnsTlsServerData; typedef struct DnsTlsStreamData DnsTlsStreamData; typedef struct Manager Manager; -#if DNS_OVER_TLS_USE_GNUTLS -#include "resolved-dnstls-gnutls.h" -#elif DNS_OVER_TLS_USE_OPENSSL -#include "resolved-dnstls-openssl.h" -#else -#error Unknown dependency for supporting DNS-over-TLS -#endif - #define DNSTLS_STREAM_CLOSED 1 int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server);