summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dnstls-openssl.c
Commit message (Collapse)AuthorAgeFilesLines
* resolved: Fix OpenSSL error messagesBenjamin Fogle2022-11-221-39/+26
|
* resolved: Read as much as possible per stream EPOLLIN eventJoan Bruguera2022-02-011-9/+9
| | | | | | | | | | | | | | | | | | In commit 2aaf6bb6e99b0f2bd73e0c49bef9e11a2844bf1a, an issue was fixed where systemd-resolved could get stuck for multiple seconds waiting for incoming data, since GnuTLS/OpenSSL can buffer a TLS record, so data could be available, but no EPOLLIN event would be generated. To fix this, a somewhat elaborate logic consisting on asking the TLS library whether it had buffered data, then "faking" an EPOLLIN event was implemented. However, there is a much simpler solution: Always read as much data as available (i.e. until we get an event like EAGAIN when trying to read) from the stream when we get an EPOLLIN event, instead of at most a single packet per event. This approach does not require asking the TLS library whether it has buffered data, and the logic is exactly the same for both the TCP and TLS case. test-resolved-stream is fixed to avoid a latent double free bug.
* resolved: Avoid multiple SSL writes per DoT packetJoan Bruguera2022-02-011-6/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the DoT case, dns_stream_writev decomposed an iovec into multiple dnstls_stream_write calls, which resulted in multiple SSL writes and multiple TLS records. This can be checked from a network capture, e.g. using socat: socat -v -x openssl-listen:853,reuseaddr,fork,cert=my.cert,key=my.key,verify=0 openssl:8.8.8.8:853 Instead, propagate the iovec as-is into the DoT handling code. For GnuTLS, the library provides support for buffering ('corking') a record. OpenSSL has no such facility, so we join the iovec into a single buffer then call SSL_write. socat capture of `resolvectl -4 query --cache=no example.com` before the commit: > 2022/01/30 13:35:52.194200 length=2 from=0 to=1 00 28 .( -- > 2022/01/30 13:35:52.194253 length=40 from=2 to=41 1e b2 01 00 00 01 00 00 00 00 00 01 07 65 78 61 .............exa 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 00 29 mple.com.......) ff e4 00 00 00 00 00 00 ........ -- < 2022/01/30 13:35:52.232798 length=58 from=0 to=57 00 38 1e b2 81 80 00 01 00 01 00 00 00 01 07 65 .8.............e 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 xample.com...... 0c 00 01 00 01 00 00 53 6f 00 04 5d b8 d8 22 00 .......So..]..". 00 29 02 00 00 00 00 00 00 00 .)........ socat capture of `resolvectl -4 query --cache=no example.com` after the commit: > 2022/01/30 13:34:47.598099 length=42 from=504 to=545 00 28 37 86 01 00 00 01 00 00 00 00 00 01 07 65 .(7............e 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 00 xample.com...... 00 29 ff e4 00 00 00 00 00 00 .)........ -- < 2022/01/30 13:34:47.613203 length=58 from=756 to=813 00 38 37 86 81 80 00 01 00 01 00 00 00 01 07 65 .87............e 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01 c0 xample.com...... 0c 00 01 00 01 00 00 52 5e 00 04 5d b8 d8 22 00 .......R^..]..". 00 29 02 00 00 00 00 00 00 00 .)........
* resolved: Fix DoT timeout on multiple answer recordsJoan Bruguera2022-01-271-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | When sending multiple DNS questions to a DNS-over-TLS server (e.g. a question for A and AAAA records, as is typical) on the same session, the server may answer to each question in a separate TLS record, but it may also aggregate multiple answers in a single TLS record. (Some servers do this very often (e.g. Cloudflare 1.0.0.1), some do it sometimes (e.g. Google 8.8.8.8) and some seem to never do it (e.g. Quad9 9.9.9.10)). Both cases should be handled equivalently, as the byte stream is the same, but when multiple answers came in a single TLS record, usually the first answer was processed, but the second answer was entirely ignored, which caused a 10s delay until the resolution timed out and the missing question was retried. This can be reproduced by configuring one of the offending server and running `resolvectl query google.com --cache=no` a few times. To be notified of incoming data, systemd-resolved listens to `EPOLLIN` events on the underlying socket. However, when DNS-over-TLS is used, the TLS library (OpenSSL or GnuTLS) may read and buffer the entire TLS record when reading the first answer, so usually no further `EPOLLIN` events will be generated, and the second answer will never be processed. To avoid this, if there's buffered TLS data, generate a "fake" EPOLLIN event. This is hacky, but it makes this case transparent to the rest of the IO code.
* dissect-image: optionally, validate dm-verity signatures in userspaceLennart Poettering2021-09-281-3/+1
| | | | | | | | | | | | | | | | | | | Getting certificates for dm-verity roothash signing into the trusted kernel keychain is a royal PITA (means recompiling or rebooting with shim), hence let's add a minimal userspace PKCS7 validation as well. The mechanism is really simple and compatible with the verification the kernel does. The only difference is that the certificates are searched in /etc/verity.d/*.crt (and similar dirs in /usr/lib/, …). We'll first try validation by passing the PKCS#7 data to the kernel, but if that doesn't work we'll see if one of the certificates found that way works and then attempt to attach the image without passing the PKCS#7 data to the kernel. This makes it very easy to have fully validated GPT disk images. For example, just copy the 'mkosi.secure-boot.crt' file you have in your mkosi build dir to /etc/verity.d/ and things should just work.
* resolve: Fix build for cleanup function (SSL_free + BIO_free)Benjamin Robin2021-02-161-2/+2
| | | | Follow-up of #18616
* license: LGPL-2.1+ -> LGPL-2.1-or-laterYu Watanabe2020-11-091-1/+1
|
* resolved: Fix build error due to missing include.Daan De Meyer2020-05-071-0/+1
|
* systemd-resolved: use hostname for certificate validation in DoTJörg Thalheim2020-03-071-4/+11
| | | | | | | Widely accepted certificates for IP addresses are expensive and only affordable for larger organizations. Therefore if the user provides the hostname in the DNS= option, we should use it instead of the IP address.
* resolve: error handling improvementsYu Watanabe2020-03-011-9/+18
|
* Implement SNI when using DNS-over-TLSGuilhem Lettron2019-12-041-0/+11
| | | | | | | | | Some DNS providers need SNI to identify client. This can be used by adding #name to a DNS. Example: [Resolve] DNS=192.168.1.1#example.com
* resolved: add strict mode for DNS-over-TLSIwan Timmer2019-06-191-0/+14
| | | | Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755
* resolved: add missing error code check when initializing DNS-over-TLSIwan Timmer2019-06-181-5/+9
|
* resolved: move TLS data shared by all servers to managerIwan Timmer2019-06-181-13/+21
| | | | Instead of having a context and/or trusted CA list per server this is now moved to the server. Ensures future TLS configuration options are global instead of per server.
* resolved: make no changes to OpenSSL BUF_MEM structIwan Timmer2019-06-151-9/+13
| | | | Fix crash when using OpenSSL 1.1.1c Fixes: #12763
* Revert "resolved: Fix incorrect use of OpenSSL BUF_MEM"Iwan Timmer2019-06-151-4/+1
| | | | | | | | This reverts commit 18bddeaaf225d5becfc10cd2c6a1d037c90574a2. Revert this because it does not take the OpenSSL internal read pointer into considoration. Resulting in padding in packetdata and therefore broken SSL connections.
* resolved: Fix incorrect use of OpenSSL BUF_MEMTomas Mraz2019-06-121-1/+4
| | | | Fixes: #12763
* resolved: sort headers againLennart Poettering2018-12-021-2/+1
|
* resolved: add missed io-util.h header to resolved-dnstls-openssl.cAleksei Timofeyev2018-12-011-0/+2
| | | | Regression after commit 5cfa2c3dc09ffed1
* tree-wide: use IOVEC_MAKE() at many placesLennart Poettering2018-11-271-2/+2
|
* coccinelle: make use of SYNTHETIC_ERRNOZbigniew Jędrzejewski-Szmek2018-11-221-2/+3
| | | | | | | | | | | Ideally, coccinelle would strip unnecessary braces too. But I do not see any option in coccinelle for this, so instead, I edited the patch text using search&replace to remove the braces. Unfortunately this is not fully automatic, in particular it didn't deal well with if-else-if-else blocks and ifdefs, so there is an increased likelikehood be some bugs in such spots. I also removed part of the patch that coccinelle generated for udev, where we returns -1 for failure. This should be fixed independently.
* resolve: sort headersYu Watanabe2018-08-061-3/+3
|
* resolve: openssl: make dnstls_stream_{write,read}() may return zeroYu Watanabe2018-08-031-17/+14
|
* resolve: fix error handling of SSL_shutdown()Yu Watanabe2018-08-031-8/+24
|
* resolve: fix typo and coding style cleanupsYu Watanabe2018-08-031-14/+8
|
* resolve: clear error queue before calling SSL_*()Yu Watanabe2018-08-031-0/+6
|
* resolved: TCP Fast Open and TLS Session Tickets for OpenSSLIwan Timmer2018-07-271-15/+137
| | | To decreae latency this add support for TFO and TLS Session Tickets. As OpenSSL wouldn't let you easily set a different function all written data is temporarily cached and therefore needs to be flushed after each SSL function which can write data.
* resolved: basic OpenSSL support for DNS-over-TLSIwan Timmer2018-07-271-0/+216
This provides basic OpenSSL support without optimizations like TCP Fast Open and TLS Session Tickets. Notice only a single SSL library can be enabled at a time and therefore journald functions provided by GnuTLS will be disabled when using OpenSSL. Fixes #9531
View Lorry Controller Status