From 56ddbf1009a16e2c2b063f3c3d41e1416b0fc17a Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Thu, 21 Jun 2018 01:29:49 +0900 Subject: [PATCH] meson: make DNS-over-TLS support optional This adds dns-over-tls option to meson. If set to 'false', systemd-resolved is not linked with libgnutls. --- meson.build | 22 +++++++++++++++------- meson_options.txt | 2 ++ src/resolve/meson.build | 5 +++++ src/resolve/resolved-conf.c | 4 ++-- src/resolve/resolved-dns-server.c | 4 ++-- src/resolve/resolved-dns-server.h | 4 ++-- src/resolve/resolved-dns-stream.c | 14 +++++++------- src/resolve/resolved-dns-stream.h | 6 +++--- src/resolve/resolved-dns-transaction.c | 8 ++++---- src/resolve/resolved-link.c | 4 ++-- 10 files changed, 44 insertions(+), 29 deletions(-) diff --git a/meson.build b/meson.build index a97168961d..e1d5b73566 100644 --- a/meson.build +++ b/meson.build @@ -1135,12 +1135,23 @@ conf.set('DEFAULT_DNSSEC_MODE', 'DNSSEC_' + default_dnssec.underscorify().to_upper()) substs.set('DEFAULT_DNSSEC_MODE', default_dnssec) +dns_over_tls = get_option('dns-over-tls') +if dns_over_tls != 'false' + have = conf.get('HAVE_GNUTLS') == 1 + if dns_over_tls == 'true' and not have + error('DNS-over-TLS support was requested, but dependencies are not available') + endif +else + have = false +endif +conf.set10('ENABLE_DNS_OVER_TLS', have) + default_dns_over_tls = get_option('default-dns-over-tls') if fuzzer_build default_dns_over_tls = 'no' endif -if default_dns_over_tls != 'no' and conf.get('HAVE_GNUTLS') == 0 - message('default-dns-over-tls cannot be set to strict or opportunistic when gnutls is disabled. Setting default-dns-over-tls to no.') +if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0 + message('default-dns-over-tls cannot be set to opportunistic when DNS-over-TLS support is disabled. Setting default-dns-over-tls to no.') default_dns_over_tls = 'no' endif conf.set('DEFAULT_DNS_OVER_TLS_MODE', @@ -1594,11 +1605,7 @@ if conf.get('ENABLE_RESOLVE') == 1 link_with : [libshared, libbasic_gcrypt, libsystemd_resolve_core], - dependencies : [threads, - libgnutls, - libgpg_error, - libm, - libidn], + dependencies : systemd_resolved_dependencies, install_rpath : rootlibexecdir, install : true, install_dir : rootlibexecdir) @@ -2950,6 +2957,7 @@ foreach tuple : [ ['localed'], ['networkd'], ['resolve'], + ['DNS-over-TLS'], ['coredump'], ['polkit'], ['legacy pkla', install_polkit_pkla], diff --git a/meson_options.txt b/meson_options.txt index 58ee0daad6..16c1f2b2fa 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -195,6 +195,8 @@ option('default-dns-over-tls', type : 'combo', description : 'default DNS-over-TLS mode', choices : ['opportunistic', 'no'], value : 'no') +option('dns-over-tls', type : 'combo', choices : ['auto', 'true', 'false'], + description : 'DNS-over-TLS support') option('dns-servers', type : 'string', description : 'space-separated list of default DNS servers', value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844') diff --git a/src/resolve/meson.build b/src/resolve/meson.build index 759d1395d4..15f3835d55 100644 --- a/src/resolve/meson.build +++ b/src/resolve/meson.build @@ -139,6 +139,11 @@ libsystemd_resolve_core = static_library( systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c] +systemd_resolved_dependencies = [threads, libgpg_error, libm, libidn] +if conf.get('ENABLE_DNS_OVER_TLS') == 1 + systemd_resolved_dependencies += [libgnutls] +endif + if conf.get('ENABLE_RESOLVE') == 1 install_data('org.freedesktop.resolve1.conf', install_dir : dbuspolicydir) diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c index 8d01056def..79e388f8a2 100644 --- a/src/resolve/resolved-conf.c +++ b/src/resolve/resolved-conf.c @@ -392,9 +392,9 @@ int manager_parse_config_file(Manager *m) { } #endif -#if ! HAVE_GNUTLS +#if ! ENABLE_DNS_OVER_TLS if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) { - log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support."); + log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support."); m->dns_over_tls_mode = DNS_OVER_TLS_NO; } #endif diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index 1413f3d147..5476ca2dbd 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -80,7 +80,7 @@ int dns_server_new( s->linked = true; -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS /* Do not verify cerificate */ gnutls_certificate_allocate_credentials(&s->tls_cert_cred); #endif @@ -121,7 +121,7 @@ DnsServer* dns_server_unref(DnsServer *s) { dns_stream_unref(s->stream); -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS if (s->tls_cert_cred) gnutls_certificate_free_credentials(s->tls_cert_cred); diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h index 027559e3d4..dffc4217d1 100644 --- a/src/resolve/resolved-dns-server.h +++ b/src/resolve/resolved-dns-server.h @@ -3,7 +3,7 @@ #include "in-addr-util.h" -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS #include #endif @@ -56,7 +56,7 @@ struct DnsServer { char *server_string; DnsStream *stream; -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS gnutls_certificate_credentials_t tls_cert_cred; gnutls_datum_t tls_session_data; #endif diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index d133efa751..066daef96e 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -44,7 +44,7 @@ static int dns_stream_update_io(DnsStream *s) { static int dns_stream_complete(DnsStream *s, int error) { assert(s); -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) { int r; @@ -197,7 +197,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i assert(s); assert(iov); -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS if (s->tls_session && !(flags & WRITE_TLS_DATA)) { ssize_t ss; size_t i; @@ -257,7 +257,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) { ssize_t ss; -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS if (s->tls_session) { ss = gnutls_record_recv(s->tls_session, buf, count); if (ss < 0) { @@ -290,7 +290,7 @@ static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) { return ss; } -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) { int r; @@ -320,7 +320,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use assert(s); -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS if (s->tls_bye) { assert(s->tls_session); @@ -505,7 +505,7 @@ DnsStream *dns_stream_unref(DnsStream *s) { s->manager->n_dns_streams--; } -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS if (s->tls_session) gnutls_deinit(s->tls_session); #endif @@ -586,7 +586,7 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, co return 0; } -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) { gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s); gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev); diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h index d194fb5a9d..9a0da226d8 100644 --- a/src/resolve/resolved-dns-stream.h +++ b/src/resolve/resolved-dns-stream.h @@ -9,7 +9,7 @@ typedef struct DnsStream DnsStream; #include "resolved-dns-transaction.h" #include "resolved-manager.h" -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS #include #endif @@ -39,7 +39,7 @@ struct DnsStream { union sockaddr_union tfo_address; socklen_t tfo_salen; -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS gnutls_session_t tls_session; int tls_handshake; bool tls_bye; @@ -68,7 +68,7 @@ struct DnsStream { }; int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address); -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session); #endif DnsStream *dns_stream_unref(DnsStream *s); diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 385bb4fe2e..c60b8215a6 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -13,7 +13,7 @@ #include "resolved-llmnr.h" #include "string-table.h" -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS #include #endif @@ -504,7 +504,7 @@ static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) { } static int on_stream_connection(DnsStream *s) { -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS /* Store TLS Ticket for faster succesive TLS handshakes */ if (s->tls_session && s->server) { if (s->server->tls_session_data.data) @@ -577,7 +577,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { _cleanup_(dns_stream_unrefp) DnsStream *s = NULL; union sockaddr_union sa; int r; -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS gnutls_session_t gs; #endif @@ -651,7 +651,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { s->server = dns_server_ref(t->server); } -#if HAVE_GNUTLS +#if ENABLE_DNS_OVER_TLS if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) { r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); if (r < 0) diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c index 30fd542be1..ff2be12415 100644 --- a/src/resolve/resolved-link.c +++ b/src/resolve/resolved-link.c @@ -353,9 +353,9 @@ void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) { assert(l); -#if ! HAVE_GNUTLS +#if ! ENABLE_DNS_OVER_TLS if (mode != DNS_OVER_TLS_NO) - log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support."); + log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support."); return; #endif