morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

resolve: always use openssl as backend of DNS-over-TLS

Browse Source 
This drops support for dns-over-tls=gnutls meson option.
This commit is contained in:
Yu Watanabe
2025-04-02 01:45:51 +09:00
parent a68457e0f3
commit b1c3f57e76
11 changed files with 20 additions and 343 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/build_test.sh vendored
View File

@@ -10,7 +10,7 @@ fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; }
success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
ARGS=(
"--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Ddns-over-tls=gnutls -Dtpm=true -Dtpm2=enabled"
"--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Dtpm=true -Dtpm2=enabled"
"--optimization=s -Dutmp=false"
"--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
"--optimization=3 -Db_lto=true -Ddns-over-tls=false"

3
README
View File

@@ -240,8 +240,7 @@ REQUIREMENTS:
libcurl >= 7.32.0 (optional)
libidn2 or libidn (optional)
gnutls >= 3.1.4 (optional)
>= 3.6.0 is required to support DNS-over-TLS with gnutls
openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
openssl >= 1.1.0 (optional, required to support DNS-over-TLS)
p11-kit >= 0.23.3 (optional)
libfido2 (optional)
tpm2-tss (optional)

1
TODO
View File

@@ -1807,7 +1807,6 @@ Features:
with matches, then activate app through that passing socket over
* unify on openssl:
- kill gnutls support in resolved
- figure out what to do about libmicrohttpd, which has a hard dependency on
gnutls
- port fsprg over to a dlopen lib, then switch it to openssl

45
meson.build
View File

@@ -1488,37 +1488,17 @@ conf.set10('HAVE_OPENSSL_OR_GCRYPT',
lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? [libopenssl] : [libgcrypt, libgpg_error]
dns_over_tls = get_option('dns-over-tls')
if dns_over_tls != 'false'
if dns_over_tls == 'gnutls' and conf.get('PREFER_OPENSSL') == 1
error('Sorry, -Ddns-over-tls=gnutls is not supported when openssl is used as the cryptolib')
endif
if dns_over_tls == 'gnutls'
have_openssl = false
else
have_openssl = conf.get('HAVE_OPENSSL') == 1
if dns_over_tls == 'openssl' and not have_openssl
error('DNS-over-TLS support was requested with openssl, but dependencies are not available')
endif
endif
if dns_over_tls == 'openssl' or have_openssl
have_gnutls = false
else
have_gnutls = conf.get('HAVE_GNUTLS') == 1 and libgnutls.version().version_compare('>= 3.6.0')
if dns_over_tls != 'auto' and not have_gnutls
str = dns_over_tls == 'gnutls' ? ' with gnutls' : ''
error('DNS-over-TLS support was requested@0@, but dependencies are not available'.format(str))
endif
endif
have = have_gnutls or have_openssl
else
have_openssl = conf.get('HAVE_OPENSSL') == 1
if dns_over_tls == 'false'
have = false
have_gnutls = false
have_openssl = false
elif dns_over_tls == 'auto'
have = have_openssl
elif have_openssl
have = true
else
error('DNS-over-TLS support was requested, but OpenSSL support is disabled.')
endif
conf.set10('ENABLE_DNS_OVER_TLS', have)
conf.set10('DNS_OVER_TLS_USE_GNUTLS', have_gnutls)
conf.set10('DNS_OVER_TLS_USE_OPENSSL', have_openssl)
default_dns_over_tls = get_option('default-dns-over-tls')
if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0
@@ -3080,6 +3060,7 @@ foreach tuple : [
# optional features
['dmi'],
['DNS-over-TLS'],
['idn'],
['polkit'],
['legacy-pkla', install_polkit_pkla],
@@ -3152,14 +3133,6 @@ else
missing += 'cryptolib'
endif
if conf.get('DNS_OVER_TLS_USE_GNUTLS') == 1
found += 'DNS-over-TLS(gnutls)'
elif conf.get('DNS_OVER_TLS_USE_OPENSSL') == 1
found += 'DNS-over-TLS(openssl)'
else
missing += 'DNS-over-TLS'
endif
summary({
'enabled' : ', '.join(found),
'disabled' : ', '.join(missing)},

2
meson_options.txt
View File

@@ -363,7 +363,7 @@ option('default-llmnr', type : 'combo',
choices : ['yes', 'resolve', 'no'],
description : 'default LLMNR mode',
value : 'yes')
option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'],
option('dns-over-tls', type : 'combo', choices : ['auto', 'openssl', 'true', 'false'],
description : 'DNS-over-TLS support')
option('dns-servers', type : 'string',
description : 'space-separated list of default DNS servers',

17
src/resolve/meson.build
View File

@@ -102,19 +102,10 @@ systemd_resolved_sources += custom_target(
systemd_resolved_dependencies = [threads, libm] + [lib_openssl_or_gcrypt]
if conf.get('ENABLE_DNS_OVER_TLS') == 1
if conf.get('DNS_OVER_TLS_USE_GNUTLS') == 1
systemd_resolved_sources += files(
'resolved-dnstls-gnutls.c',
)
systemd_resolved_dependencies += libgnutls
elif conf.get('DNS_OVER_TLS_USE_OPENSSL') == 1
systemd_resolved_sources += files(
'resolved-dnstls-openssl.c',
)
systemd_resolved_dependencies += libopenssl
else
error('unknown dependency for supporting DNS-over-TLS')
endif
systemd_resolved_sources += files(
'resolved-dnstls-openssl.c',
)
systemd_resolved_dependencies += libopenssl
endif
link_with = [

255
src/resolve/resolved-dnstls-gnutls.c
View File

@@ -1,255 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS
#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
#endif
#include <gnutls/socket.h>
#include "iovec-util.h"
#include "resolved-dns-stream.h"
#include "resolved-dnstls.h"
#include "resolved-manager.h"
#define TLS_PROTOCOL_PRIORITY "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2"
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gnutls_session_t, gnutls_deinit, NULL);
static ssize_t dnstls_stream_vec_push(gnutls_transport_ptr_t p, const giovec_t *iov, int iovcnt) {
int r;
assert(p);
r = dns_stream_writev((DnsStream*) p, (const struct iovec*) iov, iovcnt, DNS_STREAM_WRITE_TLS_DATA);
if (r < 0) {
errno = -r;
return -1;
}
return r;
}
int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
_cleanup_(gnutls_deinitp) gnutls_session_t gs = NULL;
int r;
assert(stream);
assert(server);
r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
if (r < 0)
return r;
/* As DNS-over-TLS is a recent protocol, older TLS versions can be disabled */
r = gnutls_priority_set_direct(gs, TLS_PROTOCOL_PRIORITY, NULL);
if (r < 0)
return r;
r = gnutls_credentials_set(gs, GNUTLS_CRD_CERTIFICATE, stream->manager->dnstls_data.cert_cred);
if (r < 0)
return r;
if (server->dnstls_data.session_data.size > 0) {
gnutls_session_set_data(gs, server->dnstls_data.session_data.data, server->dnstls_data.session_data.size);
// Clear old session ticket
gnutls_free(server->dnstls_data.session_data.data);
server->dnstls_data.session_data.data = NULL;
server->dnstls_data.session_data.size = 0;
}
if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
if (server->server_name)
gnutls_session_set_verify_cert(gs, server->server_name, 0);
else {
stream->dnstls_data.validation.type = GNUTLS_DT_IP_ADDRESS;
if (server->family == AF_INET) {
stream->dnstls_data.validation.data = (unsigned char*) &server->address.in.s_addr;
stream->dnstls_data.validation.size = 4;
} else {
stream->dnstls_data.validation.data = server->address.in6.s6_addr;
stream->dnstls_data.validation.size = 16;
}
gnutls_session_set_verify_cert2(gs, &stream->dnstls_data.validation, 1, 0);
}
}
if (server->server_name) {
r = gnutls_server_name_set(gs, GNUTLS_NAME_DNS, server->server_name, strlen(server->server_name));
if (r < 0)
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", gnutls_strerror(r));
}
gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
gnutls_transport_set_vec_push_function(gs, &dnstls_stream_vec_push);
stream->encrypted = true;
stream->dnstls_data.handshake = gnutls_handshake(gs);
if (stream->dnstls_data.handshake < 0 && gnutls_error_is_fatal(stream->dnstls_data.handshake))
return -ECONNREFUSED;
stream->dnstls_data.session = TAKE_PTR(gs);
return 0;
}
void dnstls_stream_free(DnsStream *stream) {
assert(stream);
assert(stream->encrypted);
if (stream->dnstls_data.session)
gnutls_deinit(stream->dnstls_data.session);
}
int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) {
int r;
assert(stream);
assert(stream->encrypted);
assert(stream->dnstls_data.session);
if (stream->dnstls_data.shutdown) {
r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
if (r == GNUTLS_E_AGAIN) {
stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
return -EAGAIN;
} else if (r < 0)
log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
stream->dnstls_events = 0;
stream->dnstls_data.shutdown = false;
dns_stream_unref(stream);
return DNSTLS_STREAM_CLOSED;
} else if (stream->dnstls_data.handshake < 0) {
stream->dnstls_data.handshake = gnutls_handshake(stream->dnstls_data.session);
if (stream->dnstls_data.handshake == GNUTLS_E_AGAIN) {
stream->dnstls_events = gnutls_record_get_direction(stream->dnstls_data.session) == 1 ? EPOLLOUT : EPOLLIN;
return -EAGAIN;
} else if (stream->dnstls_data.handshake < 0) {
log_debug("Failed to invoke gnutls_handshake: %s", gnutls_strerror(stream->dnstls_data.handshake));
if (gnutls_error_is_fatal(stream->dnstls_data.handshake))
return -ECONNREFUSED;
}
stream->dnstls_events = 0;
}
return 0;
}
int dnstls_stream_shutdown(DnsStream *stream, int error) {
int r;
assert(stream);
assert(stream->encrypted);
assert(stream->dnstls_data.session);
/* Store TLS Ticket for faster successive TLS handshakes */
if (stream->server && stream->server->dnstls_data.session_data.size == 0 && stream->dnstls_data.handshake == GNUTLS_E_SUCCESS)
gnutls_session_get_data2(stream->dnstls_data.session, &stream->server->dnstls_data.session_data);
if (IN_SET(error, ETIMEDOUT, 0)) {
r = gnutls_bye(stream->dnstls_data.session, GNUTLS_SHUT_RDWR);
if (r == GNUTLS_E_AGAIN) {
if (!stream->dnstls_data.shutdown) {
stream->dnstls_data.shutdown = true;
dns_stream_ref(stream);
return -EAGAIN;
}
} else if (r < 0)
log_debug("Failed to invoke gnutls_bye: %s", gnutls_strerror(r));
}
return 0;
}
ssize_t dnstls_stream_writev(DnsStream *stream, const struct iovec *iov, size_t iovcnt) {
ssize_t ss;
assert(stream);
assert(stream->encrypted);
assert(stream->dnstls_data.session);
assert(iov);
assert(iovec_total_size(iov, iovcnt) > 0);
gnutls_record_cork(stream->dnstls_data.session);
for (size_t i = 0; i < iovcnt; i++) {
ss = gnutls_record_send(
stream->dnstls_data.session,
iov[i].iov_base, iov[i].iov_len);
if (ss < 0)
break;
}
ss = gnutls_record_uncork(stream->dnstls_data.session, 0);
if (ss < 0)
switch (ss) {
case GNUTLS_E_INTERRUPTED:
return -EINTR;
case GNUTLS_E_AGAIN:
return -EAGAIN;
default:
return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
"Failed to invoke gnutls_record_send: %s",
gnutls_strerror(ss));
}
return ss;
}
ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
ssize_t ss;
assert(stream);
assert(stream->encrypted);
assert(stream->dnstls_data.session);
assert(buf);
ss = gnutls_record_recv(stream->dnstls_data.session, buf, count);
if (ss < 0)
switch (ss) {
case GNUTLS_E_INTERRUPTED:
return -EINTR;
case GNUTLS_E_AGAIN:
return -EAGAIN;
default:
return log_debug_errno(SYNTHETIC_ERRNO(EPIPE),
"Failed to invoke gnutls_record_recv: %s",
gnutls_strerror(ss));
}
return ss;
}
void dnstls_server_free(DnsServer *server) {
assert(server);
if (server->dnstls_data.session_data.data)
gnutls_free(server->dnstls_data.session_data.data);
}
int dnstls_manager_init(Manager *manager) {
int r;
assert(manager);
r = gnutls_certificate_allocate_credentials(&manager->dnstls_data.cert_cred);
if (r < 0)
return log_warning_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to allocate SSL credentials: %s",
gnutls_strerror(r));
r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
if (r < 0)
log_warning("Failed to load system trust store: %s", gnutls_strerror(r));
return 0;
}
void dnstls_manager_free(Manager *manager) {
assert(manager);
if (manager->dnstls_data.cert_cred)
gnutls_certificate_free_credentials(manager->dnstls_data.cert_cred);
}

24
src/resolve/resolved-dnstls-gnutls.h
View File

@@ -1,24 +0,0 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_GNUTLS
#error This source file requires DNS-over-TLS to be enabled and GnuTLS to be available.
#endif
#include <gnutls/gnutls.h>
#include <stdbool.h>
struct DnsTlsManagerData {
gnutls_certificate_credentials_t cert_cred;
};
struct DnsTlsServerData {
gnutls_datum_t session_data;
};
struct DnsTlsStreamData {
gnutls_session_t session;
gnutls_typed_vdata_st validation;
int handshake;
bool shutdown;
};

2
src/resolve/resolved-dnstls-openssl.c
View File

@@ -1,6 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
#if !ENABLE_DNS_OVER_TLS || !HAVE_OPENSSL
#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
#endif

2
src/resolve/resolved-dnstls-openssl.h
View File

@@ -1,7 +1,7 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#if !ENABLE_DNS_OVER_TLS || !DNS_OVER_TLS_USE_OPENSSL
#if !ENABLE_DNS_OVER_TLS || !HAVE_OPENSSL
#error This source file requires DNS-over-TLS to be enabled and OpenSSL to be available.
#endif

10
src/resolve/resolved-dnstls.h
View File

@@ -6,6 +6,8 @@
#include <stdint.h>
#include <sys/uio.h>
#include "resolved-dnstls-openssl.h"
typedef struct DnsServer DnsServer;
typedef struct DnsStream DnsStream;
typedef struct DnsTlsManagerData DnsTlsManagerData;
@@ -13,14 +15,6 @@ typedef struct DnsTlsServerData DnsTlsServerData;
typedef struct DnsTlsStreamData DnsTlsStreamData;
typedef struct Manager Manager;
#if DNS_OVER_TLS_USE_GNUTLS
#include "resolved-dnstls-gnutls.h"
#elif DNS_OVER_TLS_USE_OPENSSL
#include "resolved-dnstls-openssl.h"
#else
#error Unknown dependency for supporting DNS-over-TLS
#endif
#define DNSTLS_STREAM_CLOSED 1
int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server);