picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

meson: make DNS-over-TLS support optional 

This adds dns-over-tls option to meson. If set to 'false',
systemd-resolved is not linked with libgnutls.
This commit is contained in:
Yu Watanabe 2018-06-21 01:29:49 +09:00 committed by Zbigniew Jędrzejewski-Szmek
parent 4e6acc912d
commit 56ddbf1009
10 changed files with 44 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
meson.build
View File

@ -1135,12 +1135,23 @@ conf.set('DEFAULT_DNSSEC_MODE',
'DNSSEC_' + default_dnssec.underscorify().to_upper()) 'DNSSEC_' + default_dnssec.underscorify().to_upper())
substs.set('DEFAULT_DNSSEC_MODE', default_dnssec) substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
dns_over_tls = get_option('dns-over-tls')
if dns_over_tls != 'false'
have = conf.get('HAVE_GNUTLS') == 1
if dns_over_tls == 'true' and not have
error('DNS-over-TLS support was requested, but dependencies are not available')
endif
else
have = false
endif
conf.set10('ENABLE_DNS_OVER_TLS', have)
default_dns_over_tls = get_option('default-dns-over-tls') default_dns_over_tls = get_option('default-dns-over-tls')
if fuzzer_build if fuzzer_build
default_dns_over_tls = 'no' default_dns_over_tls = 'no'
endif endif
if default_dns_over_tls != 'no' and conf.get('HAVE_GNUTLS') == 0 if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0
message('default-dns-over-tls cannot be set to strict or opportunistic when gnutls is disabled. Setting default-dns-over-tls to no.') message('default-dns-over-tls cannot be set to opportunistic when DNS-over-TLS support is disabled. Setting default-dns-over-tls to no.')
default_dns_over_tls = 'no' default_dns_over_tls = 'no'
endif endif
conf.set('DEFAULT_DNS_OVER_TLS_MODE', conf.set('DEFAULT_DNS_OVER_TLS_MODE',
@ -1594,11 +1605,7 @@ if conf.get('ENABLE_RESOLVE') == 1
link_with : [libshared, link_with : [libshared,
libbasic_gcrypt, libbasic_gcrypt,
libsystemd_resolve_core], libsystemd_resolve_core],
dependencies : [threads, dependencies : systemd_resolved_dependencies,
libgnutls,
libgpg_error,
libm,
libidn],
install_rpath : rootlibexecdir, install_rpath : rootlibexecdir,
install : true, install : true,
install_dir : rootlibexecdir) install_dir : rootlibexecdir)
@ -2950,6 +2957,7 @@ foreach tuple : [
['localed'], ['localed'],
['networkd'], ['networkd'],
['resolve'], ['resolve'],
['DNS-over-TLS'],
['coredump'], ['coredump'],
['polkit'], ['polkit'],
['legacy pkla', install_polkit_pkla], ['legacy pkla', install_polkit_pkla],

2
meson_options.txt
View File

@ -195,6 +195,8 @@ option('default-dns-over-tls', type : 'combo',
description : 'default DNS-over-TLS mode', description : 'default DNS-over-TLS mode',
choices : ['opportunistic', 'no'], choices : ['opportunistic', 'no'],
value : 'no') value : 'no')
option('dns-over-tls', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'DNS-over-TLS support')
option('dns-servers', type : 'string', option('dns-servers', type : 'string',
description : 'space-separated list of default DNS servers', description : 'space-separated list of default DNS servers',
value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844') value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844')

5
src/resolve/meson.build
View File

@ -139,6 +139,11 @@ libsystemd_resolve_core = static_library(
systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c] systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c]
systemd_resolved_dependencies = [threads, libgpg_error, libm, libidn]
if conf.get('ENABLE_DNS_OVER_TLS') == 1
systemd_resolved_dependencies += [libgnutls]
endif
if conf.get('ENABLE_RESOLVE') == 1 if conf.get('ENABLE_RESOLVE') == 1
install_data('org.freedesktop.resolve1.conf', install_data('org.freedesktop.resolve1.conf',
install_dir : dbuspolicydir) install_dir : dbuspolicydir)

4
src/resolve/resolved-conf.c
View File

@ -392,9 +392,9 @@ int manager_parse_config_file(Manager *m) {
} }
#endif #endif
#if ! HAVE_GNUTLS #if ! ENABLE_DNS_OVER_TLS
if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) { if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support."); log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
m->dns_over_tls_mode = DNS_OVER_TLS_NO; m->dns_over_tls_mode = DNS_OVER_TLS_NO;
} }
#endif #endif

4
src/resolve/resolved-dns-server.c
View File

@ -80,7 +80,7 @@ int dns_server_new(
s->linked = true; s->linked = true;
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
/* Do not verify cerificate */ /* Do not verify cerificate */
gnutls_certificate_allocate_credentials(&s->tls_cert_cred); gnutls_certificate_allocate_credentials(&s->tls_cert_cred);
#endif #endif
@ -121,7 +121,7 @@ DnsServer* dns_server_unref(DnsServer *s) {
dns_stream_unref(s->stream); dns_stream_unref(s->stream);
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
if (s->tls_cert_cred) if (s->tls_cert_cred)
gnutls_certificate_free_credentials(s->tls_cert_cred); gnutls_certificate_free_credentials(s->tls_cert_cred);

4
src/resolve/resolved-dns-server.h
View File

@ -3,7 +3,7 @@
#include "in-addr-util.h" #include "in-addr-util.h"
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
#endif #endif
@ -56,7 +56,7 @@ struct DnsServer {
char *server_string; char *server_string;
DnsStream *stream; DnsStream *stream;
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
gnutls_certificate_credentials_t tls_cert_cred; gnutls_certificate_credentials_t tls_cert_cred;
gnutls_datum_t tls_session_data; gnutls_datum_t tls_session_data;
#endif #endif

14
src/resolve/resolved-dns-stream.c
View File

@ -44,7 +44,7 @@ static int dns_stream_update_io(DnsStream *s) {
static int dns_stream_complete(DnsStream *s, int error) { static int dns_stream_complete(DnsStream *s, int error) {
assert(s); assert(s);
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) { if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) {
int r; int r;
@ -197,7 +197,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i
assert(s); assert(s);
assert(iov); assert(iov);
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
if (s->tls_session && !(flags & WRITE_TLS_DATA)) { if (s->tls_session && !(flags & WRITE_TLS_DATA)) {
ssize_t ss; ssize_t ss;
size_t i; size_t i;
@ -257,7 +257,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i
static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) { static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
ssize_t ss; ssize_t ss;
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
if (s->tls_session) { if (s->tls_session) {
ss = gnutls_record_recv(s->tls_session, buf, count); ss = gnutls_record_recv(s->tls_session, buf, count);
if (ss < 0) { if (ss < 0) {
@ -290,7 +290,7 @@ static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
return ss; return ss;
} }
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) { static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) {
int r; int r;
@ -320,7 +320,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
assert(s); assert(s);
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
if (s->tls_bye) { if (s->tls_bye) {
assert(s->tls_session); assert(s->tls_session);
@ -505,7 +505,7 @@ DnsStream *dns_stream_unref(DnsStream *s) {
s->manager->n_dns_streams--; s->manager->n_dns_streams--;
} }
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
if (s->tls_session) if (s->tls_session)
gnutls_deinit(s->tls_session); gnutls_deinit(s->tls_session);
#endif #endif
@ -586,7 +586,7 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, co
return 0; return 0;
} }
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) { int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) {
gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s); gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s);
gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev); gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev);

6
src/resolve/resolved-dns-stream.h
View File

@ -9,7 +9,7 @@ typedef struct DnsStream DnsStream;
#include "resolved-dns-transaction.h" #include "resolved-dns-transaction.h"
#include "resolved-manager.h" #include "resolved-manager.h"
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
#endif #endif
@ -39,7 +39,7 @@ struct DnsStream {
union sockaddr_union tfo_address; union sockaddr_union tfo_address;
socklen_t tfo_salen; socklen_t tfo_salen;
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
gnutls_session_t tls_session; gnutls_session_t tls_session;
int tls_handshake; int tls_handshake;
bool tls_bye; bool tls_bye;
@ -68,7 +68,7 @@ struct DnsStream {
}; };
int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address); int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session); int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session);
#endif #endif
DnsStream *dns_stream_unref(DnsStream *s); DnsStream *dns_stream_unref(DnsStream *s);

8
src/resolve/resolved-dns-transaction.c
View File

@ -13,7 +13,7 @@
#include "resolved-llmnr.h" #include "resolved-llmnr.h"
#include "string-table.h" #include "string-table.h"
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
#include <gnutls/socket.h> #include <gnutls/socket.h>
#endif #endif
@ -504,7 +504,7 @@ static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) {
} }
static int on_stream_connection(DnsStream *s) { static int on_stream_connection(DnsStream *s) {
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
/* Store TLS Ticket for faster succesive TLS handshakes */ /* Store TLS Ticket for faster succesive TLS handshakes */
if (s->tls_session && s->server) { if (s->tls_session && s->server) {
if (s->server->tls_session_data.data) if (s->server->tls_session_data.data)
@ -577,7 +577,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL; _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
union sockaddr_union sa; union sockaddr_union sa;
int r; int r;
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
gnutls_session_t gs; gnutls_session_t gs;
#endif #endif
@ -651,7 +651,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
s->server = dns_server_ref(t->server); s->server = dns_server_ref(t->server);
} }
#if HAVE_GNUTLS #if ENABLE_DNS_OVER_TLS
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) { if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
if (r < 0) if (r < 0)

4
src/resolve/resolved-link.c
View File

@ -353,9 +353,9 @@ void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) {
assert(l); assert(l);
#if ! HAVE_GNUTLS #if ! ENABLE_DNS_OVER_TLS
if (mode != DNS_OVER_TLS_NO) if (mode != DNS_OVER_TLS_NO)
log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support."); log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
return; return;
#endif #endif