authorIwan Timmer <irtimmer@gmail.com>2019-06-15 22:54:41 +0200
committerIwan Timmer <irtimmer@gmail.com>2019-06-18 19:16:36 +0200
commite22c5b20641e3ce6cd029cb40e3f4ed1330493bf (patch)
tree839b5da65aa36eb55a9d8921c91c276db072c907 /src/resolve/resolved-dnstls-openssl.c
parent1faba68fd76ca0df5ac8b51320488aea11db2f20 (diff)
downloadsystemd-e22c5b20641e3ce6cd029cb40e3f4ed1330493bf.tar.gz
resolved: move TLS data shared by all servers to manager
Instead of having a context and/or trusted CA list per server, this is now moved to the manager. This ensures future TLS configuration options are global instead of per server.
Diffstat (limited to 'src/resolve/resolved-dnstls-openssl.c')
-rw-r--r--src/resolve/resolved-dnstls-openssl.c34
1 files changed, 21 insertions, 13 deletions
diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
index 1a21b9224b..6b2e1b218f 100644
--- a/src/resolve/resolved-dnstls-openssl.c
+++ b/src/resolve/resolved-dnstls-openssl.c
@@ -54,6 +54,7 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
int error, r;
assert(stream);
+ assert(stream->manager);
assert(server);
rb = BIO_new_socket(stream->fd, 0);
@@ -67,7 +68,7 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
BIO_get_mem_ptr(wb, &stream->dnstls_data.write_buffer);
stream->dnstls_data.buffer_offset = 0;
- s = SSL_new(server->dnstls_data.ctx);
+ s = SSL_new(stream->manager->dnstls_data.ctx);
if (!s)
return -ENOMEM;
@@ -336,22 +337,29 @@ ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) {
return ss;
}
-void dnstls_server_init(DnsServer *server) {
+void dnstls_server_free(DnsServer *server) {
assert(server);
- server->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
- if (server->dnstls_data.ctx) {
- SSL_CTX_set_min_proto_version(server->dnstls_data.ctx, TLS1_2_VERSION);
- SSL_CTX_set_options(server->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
- }
+ if (server->dnstls_data.session)
+ SSL_SESSION_free(server->dnstls_data.session);
}
-void dnstls_server_free(DnsServer *server) {
- assert(server);
+void dnstls_manager_init(Manager *manager) {
+ int r;
+ assert(manager);
- if (server->dnstls_data.ctx)
- SSL_CTX_free(server->dnstls_data.ctx);
+ ERR_load_crypto_strings();
+ SSL_load_error_strings();
+ manager->dnstls_data.ctx = SSL_CTX_new(TLS_client_method());
+ if (manager->dnstls_data.ctx) {
+ SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION);
+ SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
+ }
+}
- if (server->dnstls_data.session)
- SSL_SESSION_free(server->dnstls_data.session);
+void dnstls_manager_free(Manager *manager) {
+ assert(manager);
+
+ if (manager->dnstls_data.ctx)
+ SSL_CTX_free(manager->dnstls_data.ctx);
}
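Review bot: `int r;` in dnstls_manager_init() is declared but never used, which draws an unused-variable warning and hints at the real gap: a failed SSL_CTX_new() is swallowed, the manager is left with a NULL ctx, and the failure only surfaces later as -ENOMEM from SSL_new() in dnstls_stream_connect_tls(). Either drop `r` or have the function report the failure, e.g. `int dnstls_manager_init(Manager *manager)` returning `-ENOMEM` when `manager->dnstls_data.ctx` is NULL (the declaration and caller are outside this diff and would need the same change). ERR_load_crypto_strings() and SSL_load_error_strings() are deprecated no-ops on OpenSSL 1.1.0 and later, which this file already requires through TLS_client_method() and SSL_CTX_set_min_proto_version(), so they can go. In dnstls_manager_free(), SSL_CTX_free(NULL) is a no-op, so the `if (manager->dnstls_data.ctx)` guard is redundant, and setting `manager->dnstls_data.ctx = NULL;` after the free would make a later double free harmless.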