authorIwan Timmer <irtimmer@gmail.com>2019-02-18 20:41:46 +0100
committerIwan Timmer <iwan.timmer@northwave.nl>2019-06-19 13:10:44 +0200
commit4310bfc20b84127e19bed68701caa3820c844682 (patch)
treeebe8291982d7903be331b1ef1136ebd58aef08e7 /src/resolve
parentaedf00a2bd39d70306d76a15fa535123d6d277fd (diff)
resolved: add strict mode for DNS-over-TLS
Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-conf.c2
-rw-r--r--src/resolve/resolved-dns-server.c2
-rw-r--r--src/resolve/resolved-dnstls-gnutls.c7
-rw-r--r--src/resolve/resolved-dnstls-openssl.c14
-rw-r--r--src/resolve/resolved-link.c2
5 files changed, 24 insertions, 3 deletions
diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c
index 79e388f8a2..7b2938fea3 100644
--- a/src/resolve/resolved-conf.c
+++ b/src/resolve/resolved-conf.c
@@ -394,7 +394,7 @@ int manager_parse_config_file(Manager *m) {
#if ! ENABLE_DNS_OVER_TLS
if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
- log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
+ log_warning("DNS-over-TLS option cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
m->dns_over_tls_mode = DNS_OVER_TLS_NO;
}
#endif
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 0033de73b4..78e5953b30 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -419,7 +419,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again...");
s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP;
} else if (s->n_failed_tls > 0 &&
- DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level)) {
+ DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) && dns_server_get_dns_over_tls_mode(s) != DNS_OVER_TLS_YES) {
/* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP
* if we don't require DNS-over-TLS */
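Review bot: The clause appended to the `} else if` line, `&& dns_server_get_dns_over_tls_mode(s) != DNS_OVER_TLS_YES`, makes that line far longer than anything else in the hunk; put the new clause on its own continuation line aligned under `DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level)` so the three conditions read as a list. With the mode set to YES a server whose TLS attempts keep failing now skips this downgrade and stays at the TLS feature level, which is the fail-closed result the comment describes; dns_server_possible_feature_level continues past the hunk, so it is worth confirming that no later branch in the function downgrades below TLS for that case. The updated comment could also say so explicitly, e.g. `* if we don't require DNS-over-TLS (strict mode keeps the TLS level and keeps failing). */`.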
diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c
index d824d6ca5a..6eef6117a3 100644
--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -54,6 +54,9 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
server->dnstls_data.session_data.size = 0;
}
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
+ gnutls_session_set_verify_cert(gs, NULL, 0);
+
gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
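Review bot: `gnutls_session_set_verify_cert(gs, NULL, 0)` on the added line enables chain verification against the trust store only; with a NULL hostname GnuTLS performs no identity check, so on this backend strict mode accepts any certificate issued by a trusted CA, whereas the OpenSSL hunk in the same commit pins the server address with `X509_VERIFY_PARAM_set1_ip`. The two backends should enforce the same check — for example by installing a verify callback via `gnutls_session_set_verify_function` that runs the chain verification and then matches the peer certificate against `server->address` with `gnutls_x509_crt_check_ip`, or by passing the textual address as the hostname argument if this GnuTLS version matches IP literals there (to be confirmed against the GnuTLS docs). Separately, this line and the OpenSSL counterpart both read `server->manager->dns_over_tls_mode`, while the downgrade check in resolved-dns-server.c uses `dns_server_get_dns_over_tls_mode(s)`; if that accessor also honours the per-link mode that resolved-link.c's link_set_dns_over_tls_mode stores, a link configured strict would be protected from downgrade but never get verification enabled here, so `dns_server_get_dns_over_tls_mode(server) == DNS_OVER_TLS_YES` looks like the condition both backends want. dnstls_stream_connect_tls starts and ends outside the hunk.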
@@ -202,6 +205,10 @@ int dnstls_manager_init(Manager *manager) {
if (r < 0)
return -ENOMEM;
+ r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
+ if (r < 0)
+ log_warning("Failed to load system trust store: %s", gnutls_strerror(r));
+
return 0;
}
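Review bot: `gnutls_certificate_set_x509_system_trust` returns the number of certificates loaded, so the added `if (r < 0)` reports a load error but stays silent when the store is readable yet empty (r == 0); in strict mode that leaves every handshake failing verification with nothing in the log pointing at the cause. Consider `else if (r == 0) log_warning("System trust store is empty, strict DNS-over-TLS cannot verify any server.");` after the existing warning. It may also be worth deciding whether a negative result should be fatal for dnstls_manager_init when the configured mode is YES rather than a warning, since the manager cannot then do what it was configured to do; the current behaviour is at least fail-closed because the later verification will reject every server.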
diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c
index 22d579a7f7..85e202ff74 100644
--- a/src/resolve/resolved-dnstls-openssl.c
+++ b/src/resolve/resolved-dnstls-openssl.c
@@ -76,6 +76,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
SSL_set_session(s, server->dnstls_data.session);
SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb));
+ if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) {
+ X509_VERIFY_PARAM *v;
+ const unsigned char *ip;
+
+ SSL_set_verify(s, SSL_VERIFY_PEER, NULL);
+ v = SSL_get0_param(s);
+ ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr;
+ if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family)))
+ return -ECONNREFUSED;
+ }
+
ERR_clear_error();
stream->dnstls_data.handshake = SSL_do_handshake(s);
if (stream->dnstls_data.handshake <= 0) {
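Review bot: The `return -ECONNREFUSED` after `X509_VERIFY_PARAM_set1_ip` turns a local OpenSSL failure into a "connection refused" error with no trace of what went wrong; the rest of this function logs OpenSSL errors, so add `log_debug("Failed to set verification IP address: %s", ERR_error_string(ERR_get_error(), NULL));` before the return, and consider an errno that does not suggest the server acted (`-EIO` or `-ENOMEM` depending on how callers treat it). The SSL object `s` is created above the hunk, so if it is not held by a cleanup attribute this new early return also leaks it and the BIOs just handed over by `SSL_set_bio` — please confirm. On the positive side, `SSL_VERIFY_PEER` combined with `set1_ip` gives an address-pinned identity check, which is stronger than what the GnuTLS hunk in this commit does. dnstls_stream_connect_tls starts and ends outside the hunk.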
@@ -357,6 +368,9 @@ int dnstls_manager_init(Manager *manager) {
SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION);
SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION);
+ r = SSL_CTX_set_default_verify_paths(manager->dnstls_data.ctx);
+ if (r < 0)
+ log_warning("Failed to load system trust store: %s", ERR_error_string(ERR_get_error(), NULL));
return 0;
}
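Review bot: `SSL_CTX_set_default_verify_paths` returns 1 on success and 0 on failure, never a negative value, so the added `if (r < 0)` is dead code and a missing or unreadable trust store is never reported; change it to `if (r == 0)` (the GnuTLS backend's `r < 0` test is correct because that API returns a negative error code). A blank line between the new `log_warning` and `return 0;` would match the spacing used elsewhere in this hunk. As with the GnuTLS side, it is worth deciding whether this should be fatal when the configured mode is YES, since strict mode cannot verify anything without a trust store.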
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index dd8b5a574b..96ebb4d23d 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -384,7 +384,7 @@ void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) {
#if ! ENABLE_DNS_OVER_TLS
if (mode != DNS_OVER_TLS_NO)
- log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
+ log_warning("DNS-over-TLS option for the link cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
return;
#endif