diff options
| -rw-r--r-- | src/resolve/meson.build | 2 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-server.c | 9 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-server.h | 10 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-stream.c | 126 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-stream.h | 12 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-transaction.c | 44 | ||||
| -rw-r--r-- | src/resolve/resolved-dnstls-gnutls.c | 198 | ||||
| -rw-r--r-- | src/resolve/resolved-dnstls-gnutls.h | 21 | ||||
| -rw-r--r-- | src/resolve/resolved-dnstls.h | 28 |
9 files changed, 283 insertions, 167 deletions
diff --git a/src/resolve/meson.build b/src/resolve/meson.build index 15f3835d55..5955875f59 100644 --- a/src/resolve/meson.build +++ b/src/resolve/meson.build @@ -63,6 +63,7 @@ systemd_resolved_sources = files(''' resolved-dns-stub.c resolved-etc-hosts.h resolved-etc-hosts.c + resolved-dnstls.h '''.split()) resolvectl_sources = files(''' @@ -141,6 +142,7 @@ systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c] systemd_resolved_dependencies = [threads, libgpg_error, libm, libidn] if conf.get('ENABLE_DNS_OVER_TLS') == 1 + systemd_resolved_sources += [files(['resolved-dnstls-gnutls.c', 'resolved-dnstls-gnutls.h'])] systemd_resolved_dependencies += [libgnutls] endif diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index 6645db467c..eff3dbb275 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -81,8 +81,7 @@ int dns_server_new( s->linked = true; #if ENABLE_DNS_OVER_TLS - /* Do not verify cerificate */ - gnutls_certificate_allocate_credentials(&s->tls_cert_cred); + dnstls_server_init(s); #endif /* A new DNS server that isn't fallback is added and the one @@ -122,11 +121,7 @@ DnsServer* dns_server_unref(DnsServer *s) { dns_stream_unref(s->stream); #if ENABLE_DNS_OVER_TLS - if (s->tls_cert_cred) - gnutls_certificate_free_credentials(s->tls_cert_cred); - - if (s->tls_session_data.data) - gnutls_free(s->tls_session_data.data); + dnstls_server_free(s); #endif free(s->server_string); diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h index 53d45a6361..fda1251049 100644 --- a/src/resolve/resolved-dns-server.h +++ b/src/resolve/resolved-dns-server.h @@ -3,10 +3,6 @@ #include "in-addr-util.h" -#if ENABLE_DNS_OVER_TLS -#include <gnutls/gnutls.h> -#endif - typedef struct DnsServer DnsServer; typedef enum DnsServerType { @@ -41,6 +37,9 @@ int dns_server_feature_level_from_string(const char *s) _pure_; #include "resolved-link.h" #include "resolved-manager.h" +#if ENABLE_DNS_OVER_TLS +#include "resolved-dnstls.h" +#endif struct DnsServer { Manager *manager; @@ -58,8 +57,7 @@ struct DnsServer { DnsStream *stream; #if ENABLE_DNS_OVER_TLS - gnutls_certificate_credentials_t tls_cert_cred; - gnutls_datum_t tls_session_data; + DnsTlsServerData dnstls_data; #endif DnsServerFeatureLevel verified_feature_level; diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index 066daef96e..ee392efb9d 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -11,8 +11,6 @@ #define DNS_STREAM_TIMEOUT_USEC (10 * USEC_PER_SEC) #define DNS_STREAMS_MAX 128 -#define WRITE_TLS_DATA 1 - static void dns_stream_stop(DnsStream *s) { assert(s); @@ -45,14 +43,11 @@ static int dns_stream_complete(DnsStream *s, int error) { assert(s); #if ENABLE_DNS_OVER_TLS - if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) { + if (s->encrypted) { int r; - r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR); - if (r == GNUTLS_E_AGAIN && !s->tls_bye) { - dns_stream_ref(s); /* keep reference for closing TLS session */ - s->tls_bye = true; - } else + r = dnstls_stream_shutdown(s, error); + if (r != -EAGAIN) dns_stream_stop(s); } else #endif @@ -191,32 +186,22 @@ static int dns_stream_identify(DnsStream *s) { return 0; } -static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) { +ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) { ssize_t r; assert(s); assert(iov); #if ENABLE_DNS_OVER_TLS - if (s->tls_session && !(flags & WRITE_TLS_DATA)) { + if (s->encrypted && !(flags & DNS_STREAM_WRITE_TLS_DATA)) { ssize_t ss; size_t i; r = 0; for (i = 0; i < iovcnt; i++) { - ss = gnutls_record_send(s->tls_session, iov[i].iov_base, iov[i].iov_len); - if (ss < 0) { - switch(ss) { - - case GNUTLS_E_INTERRUPTED: - return -EINTR; - case GNUTLS_E_AGAIN: - return -EAGAIN; - default: - log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss)); - return -EIO; - } - } + ss = dnstls_stream_write(s, iov[i].iov_base, iov[i].iov_len); + if (ss < 0) + return ss; r += ss; if (ss != (ssize_t) iov[i].iov_len) @@ -258,28 +243,9 @@ static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) { ssize_t ss; #if ENABLE_DNS_OVER_TLS - if (s->tls_session) { - ss = gnutls_record_recv(s->tls_session, buf, count); - if (ss < 0) { - switch(ss) { - - case GNUTLS_E_INTERRUPTED: - return -EINTR; - case GNUTLS_E_AGAIN: - return -EAGAIN; - default: - log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss)); - return -EIO; - } - } else if (s->on_connection) { - int r; - - r = s->on_connection(s); - s->on_connection = NULL; /* only call once */ - if (r < 0) - return r; - } - } else + if (s->encrypted) + ss = dnstls_stream_read(s, buf, count); + else #endif { ss = read(s->fd, buf, count); @@ -290,22 +256,6 @@ static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) { return ss; } -#if ENABLE_DNS_OVER_TLS -static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) { - int r; - - assert(p); - - r = dns_stream_writev((DnsStream*) p, (struct iovec*) iov, iovcnt, WRITE_TLS_DATA); - if (r < 0) { - errno = -r; - return -1; - } - - return r; -} -#endif - static int on_stream_timeout(sd_event_source *es, usec_t usec, void *userdata) { DnsStream *s = userdata; @@ -321,36 +271,13 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use assert(s); #if ENABLE_DNS_OVER_TLS - if (s->tls_bye) { - assert(s->tls_session); - - r = gnutls_bye(s->tls_session, GNUTLS_SHUT_RDWR); - if (r != GNUTLS_E_AGAIN) { - s->tls_bye = false; - dns_stream_unref(s); - } - - return 0; - } - - if (s->tls_handshake < 0) { - assert(s->tls_session); - - s->tls_handshake = gnutls_handshake(s->tls_session); - if (s->tls_handshake >= 0) { - if (s->on_connection && !(gnutls_session_get_flags(s->tls_session) & GNUTLS_SFLAGS_FALSE_START)) { - r = s->on_connection(s); - s->on_connection = NULL; /* only call once */ - if (r < 0) - return r; - } - } else { - if (gnutls_error_is_fatal(s->tls_handshake)) - return dns_stream_complete(s, ECONNREFUSED); - else - return 0; - } + if (s->encrypted) { + r = dnstls_stream_on_io(s); + if (r == DNSTLS_STREAM_CLOSED || r == -EAGAIN) + return 0; + else if (r < 0) + return dns_stream_complete(s, -r); } #endif @@ -506,8 +433,8 @@ DnsStream *dns_stream_unref(DnsStream *s) { } #if ENABLE_DNS_OVER_TLS - if (s->tls_session) - gnutls_deinit(s->tls_session); + if (s->encrypted) + dnstls_stream_free(s); #endif ORDERED_SET_FOREACH(p, s->write_queue, i) @@ -586,21 +513,6 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, co return 0; } -#if ENABLE_DNS_OVER_TLS -int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) { - gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s); - gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev); - - s->encrypted = true; - s->tls_session = tls_session; - s->tls_handshake = gnutls_handshake(tls_session); - if (s->tls_handshake < 0 && gnutls_error_is_fatal(s->tls_handshake)) - return -ECONNREFUSED; - - return 0; -} -#endif - int dns_stream_write_packet(DnsStream *s, DnsPacket *p) { int r; diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h index 9a0da226d8..d64dc3b1d4 100644 --- a/src/resolve/resolved-dns-stream.h +++ b/src/resolve/resolved-dns-stream.h @@ -8,11 +8,12 @@ typedef struct DnsStream DnsStream; #include "resolved-dns-packet.h" #include "resolved-dns-transaction.h" #include "resolved-manager.h" - #if ENABLE_DNS_OVER_TLS -#include <gnutls/gnutls.h> +#include "resolved-dnstls.h" #endif +#define DNS_STREAM_WRITE_TLS_DATA 1 + /* Streams are used by three subsystems: * * 1. The normal transaction logic when doing a DNS or LLMNR lookup via TCP @@ -40,9 +41,7 @@ struct DnsStream { socklen_t tfo_salen; #if ENABLE_DNS_OVER_TLS - gnutls_session_t tls_session; - int tls_handshake; - bool tls_bye; + DnsTlsStreamData dnstls_data; #endif sd_event_source *io_event_source; @@ -69,7 +68,7 @@ struct DnsStream { int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address); #if ENABLE_DNS_OVER_TLS -int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session); +int dns_stream_connect_tls(DnsStream *s, void *tls_session); #endif DnsStream *dns_stream_unref(DnsStream *s); DnsStream *dns_stream_ref(DnsStream *s); @@ -77,6 +76,7 @@ DnsStream *dns_stream_ref(DnsStream *s); DEFINE_TRIVIAL_CLEANUP_FUNC(DnsStream*, dns_stream_unref); int dns_stream_write_packet(DnsStream *s, DnsPacket *p); +ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags); static inline bool DNS_STREAM_QUEUED(DnsStream *s) { assert(s); diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 89d311811a..db30997d04 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -11,11 +11,10 @@ #include "resolved-dns-cache.h" #include "resolved-dns-transaction.h" #include "resolved-llmnr.h" -#include "string-table.h" - #if ENABLE_DNS_OVER_TLS -#include <gnutls/socket.h> +#include "resolved-dnstls.h" #endif +#include "string-table.h" #define TRANSACTIONS_MAX 4096 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC) @@ -503,20 +502,6 @@ static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) { return 0; } -static int on_stream_connection(DnsStream *s) { -#if ENABLE_DNS_OVER_TLS - /* Store TLS Ticket for faster succesive TLS handshakes */ - if (s->tls_session && s->server) { - if (s->server->tls_session_data.data) - gnutls_free(s->server->tls_session_data.data); - - gnutls_session_get_data2(s->tls_session, &s->server->tls_session_data); - } -#endif - - return 0; -} - static int on_stream_complete(DnsStream *s, int error) { _cleanup_(dns_stream_unrefp) DnsStream *p = NULL; DnsTransaction *t, *n; @@ -578,9 +563,6 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { _cleanup_(dns_stream_unrefp) DnsStream *s = NULL; union sockaddr_union sa; int r; -#if ENABLE_DNS_OVER_TLS - gnutls_session_t gs; -#endif assert(t); @@ -655,32 +637,12 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { #if ENABLE_DNS_OVER_TLS if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) { assert(t->server); - - r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); - if (r < 0) - return r; - - /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */ - r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL); - if (r < 0) - return r; - - r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, t->server->tls_cert_cred); - if (r < 0) - return r; - - if (t->server->tls_session_data.size > 0) - gnutls_session_set_data(gs, t->server->tls_session_data.data, t->server->tls_session_data.size); - - gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); - - r = dns_stream_connect_tls(s, gs); + r = dnstls_stream_connect_tls(s, t->server); if (r < 0) return r; } #endif - s->on_connection = on_stream_connection; s->complete = on_stream_complete; s->on_packet = dns_stream_on_packet; diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c new file mode 100644 index 0000000000..9c348cef67 --- /dev/null +++ b/src/resolve/resolved-dnstls-gnutls.c @@ -0,0 +1,198 @@ +/* SPDX-License-Identifier: LGPL-2.1+ */ + +#if !ENABLE_DNS_OVER_TLS || !HAVE_GNUTLS +#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available. +#endif + +#include "resolved-dnstls.h" +#include "resolved-dns-stream.h" + +#include <gnutls/socket.h> + +DEFINE_TRIVIAL_CLEANUP_FUNC(gnutls_session_t, gnutls_deinit); + +static ssize_t dnstls_stream_writev(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) { + int r; + + assert(p); + + r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA); + if (r < 0) { + errno = -r; + return -1; + } + + return r; +} + +int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { + _cleanup_(gnutls_deinitp) gnutls_session_t gs; + int r; + + assert(stream); + assert(server); + + r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); + if (r < 0) + return r; + + /* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */ + r = gnutls_priority_set_direct(gs, "NORMAL:-VERS-ALL:+VERS-TLS1.2", NULL); + if (r < 0) + return r; + + r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, server->dnstls_data.cert_cred); + if (r < 0) + return r; + + if (server->dnstls_data.session_data.size > 0) { + gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size); + + // Clear old session ticket + gnutls_free(server->dnstls_data.session_data.data); + server->dnstls_data.session_data.data = NULL; + server->dnstls_data.session_data.size = 0; + } + + gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); + + gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream); + gnutls_transport_set_vec_push_function(gs, &dnstls_stream_writev); + + stream->encrypted = true; + stream->dnstls_data.handshake = gnutls_handshake(gs); + if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake)) + return -ECONNREFUSED; + + stream->dnstls_data.session = TAKE_PTR(gs); + + return 0; +} + +void dnstls_stream_free(DnsStream *stream) { + assert(stream); + assert(stream->encrypted); + + if (stream->dnstls_data.session) + gnutls_deinit(stream->dnstls_data.session); +} + +int dnstls_stream_on_io(DnsStream *stream) { + int r; + + assert(stream); + assert(stream->encrypted); + assert(stream->dnstls_data.session); + + if (stream->dnstls_data.shutdown) { + r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); + if (r == GNUTLS_E_AGAIN) + return -EAGAIN; + else if (r < 0) + log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); + + stream->dnstls_data.shutdown = false; + dns_stream_unref(stream); + return DNSTLS_STREAM_CLOSED; + } else if (stream->dnstls_data.handshake < 0) { + stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session); + if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) + return -EAGAIN; + else if (stream->dnstls_data.handshake < 0) { + log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake)); + if (gnutls_error_is_fatal(stream->dnstls_data.handshake)) + return -ECONNREFUSED; + } + } + + return 0; +} + +int dnstls_stream_shutdown(DnsStream *stream, int error) { + int r; + + assert(stream); + assert(stream->encrypted); + assert(stream->dnstls_data.session); + + /* Store TLS Ticket for faster succesive TLS handshakes */ + if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS) + gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data); + + if (IN_SET(error, ETIMEDOUT, 0)) { + r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR); + if (r == GNUTLS_E_AGAIN) { + if (!stream->dnstls_data.shutdown) { + stream->dnstls_data.shutdown = true; + dns_stream_ref(stream); + return -EAGAIN; + } + } else if (r < 0) + log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r)); + } + + return 0; +} + +ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count) { + ssize_t ss; + + assert(stream); + assert(stream->encrypted); + assert(stream->dnstls_data.session); + assert(buf); + + ss = gnutls_record_send(stream->dnstls_data.session, buf, count); + if (ss < 0) + switch(ss) { + case GNUTLS_E_INTERRUPTED: + return -EINTR; + case GNUTLS_E_AGAIN: + return -EAGAIN; + default: + log_debug("Failed to invoke gnutls_record_send: %s", gnutls_strerror(ss)); + return -EPIPE; + } + + return ss; +} + +ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { + ssize_t ss; + + assert(stream); + assert(stream->encrypted); + assert(stream->dnstls_data.session); + assert(buf); + + ss = gnutls_record_recv(stream->dnstls_data.session, buf, count); + if (ss < 0) + switch(ss) { + case GNUTLS_E_INTERRUPTED: + return -EINTR; + case GNUTLS_E_AGAIN: + return -EAGAIN; + default: + log_debug("Failed to invoke gnutls_record_recv: %s", gnutls_strerror(ss)); + return -EPIPE; + } + + return ss; +} + +void dnstls_server_init(DnsServer *server) { + assert(server); + + /* Do not verify cerificate */ + gnutls_certificate_allocate_credentials(&server->dnstls_data.cert_cred); +} + +void dnstls_server_free(DnsServer *server) { + assert(server); + + if (server->dnstls_data.cert_cred) + gnutls_certificate_free_credentials(server->dnstls_data.cert_cred); + + if (server->dnstls_data.session_data.data) + gnutls_free(server->dnstls_data.session_data.data); +} diff --git a/src/resolve/resolved-dnstls-gnutls.h b/src/resolve/resolved-dnstls-gnutls.h new file mode 100644 index 0000000000..8309f8d121 --- /dev/null +++ b/src/resolve/resolved-dnstls-gnutls.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: LGPL-2.1+ */ +#pragma once + +#if !ENABLE_DNS_OVER_TLS || !HAVE_GNUTLS +#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available. +#endif + +#include <stdbool.h> + +#include <gnutls/gnutls.h> + +struct DnsTlsServerData { + gnutls_certificate_credentials_t cert_cred; + gnutls_datum_t session_data; +}; + +struct DnsTlsStreamData { + gnutls_session_t session; + int handshake; + bool shutdown; +}; diff --git a/src/resolve/resolved-dnstls.h b/src/resolve/resolved-dnstls.h new file mode 100644 index 0000000000..32befc6414 --- /dev/null +++ b/src/resolve/resolved-dnstls.h @@ -0,0 +1,28 @@ +/* SPDX-License-Identifier: LGPL-2.1+ */ +#pragma once + +#if !ENABLE_DNS_OVER_TLS +#error This source file requires DNS-over-TLS to be enabled +#endif + +typedef struct DnsTlsServerData DnsTlsServerData; +typedef struct DnsTlsStreamData DnsTlsStreamData; + +#if HAVE_GNUTLS +#include "resolved-dnstls-gnutls.h" +#endif + +#include "resolved-dns-stream.h" +#include "resolved-dns-transaction.h" + +#define DNSTLS_STREAM_CLOSED 1 + +int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server); +void dnstls_stream_free(DnsStream *stream); +int dnstls_stream_on_io(DnsStream *stream); +int dnstls_stream_shutdown(DnsStream *stream, int error); +ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t count); +ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count); + +void dnstls_server_init(DnsServer *server); +void dnstls_server_free(DnsServer *server); |