meson: make DNS-over-TLS support optional
This adds dns-over-tls option to meson. If set to 'false', systemd-resolved is not linked with libgnutls.
This commit is contained in:
parent
4e6acc912d
commit
56ddbf1009
22
meson.build
22
meson.build
|
@ -1135,12 +1135,23 @@ conf.set('DEFAULT_DNSSEC_MODE',
|
||||||
'DNSSEC_' + default_dnssec.underscorify().to_upper())
|
'DNSSEC_' + default_dnssec.underscorify().to_upper())
|
||||||
substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
|
substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
|
||||||
|
|
||||||
|
dns_over_tls = get_option('dns-over-tls')
|
||||||
|
if dns_over_tls != 'false'
|
||||||
|
have = conf.get('HAVE_GNUTLS') == 1
|
||||||
|
if dns_over_tls == 'true' and not have
|
||||||
|
error('DNS-over-TLS support was requested, but dependencies are not available')
|
||||||
|
endif
|
||||||
|
else
|
||||||
|
have = false
|
||||||
|
endif
|
||||||
|
conf.set10('ENABLE_DNS_OVER_TLS', have)
|
||||||
|
|
||||||
default_dns_over_tls = get_option('default-dns-over-tls')
|
default_dns_over_tls = get_option('default-dns-over-tls')
|
||||||
if fuzzer_build
|
if fuzzer_build
|
||||||
default_dns_over_tls = 'no'
|
default_dns_over_tls = 'no'
|
||||||
endif
|
endif
|
||||||
if default_dns_over_tls != 'no' and conf.get('HAVE_GNUTLS') == 0
|
if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0
|
||||||
message('default-dns-over-tls cannot be set to strict or opportunistic when gnutls is disabled. Setting default-dns-over-tls to no.')
|
message('default-dns-over-tls cannot be set to opportunistic when DNS-over-TLS support is disabled. Setting default-dns-over-tls to no.')
|
||||||
default_dns_over_tls = 'no'
|
default_dns_over_tls = 'no'
|
||||||
endif
|
endif
|
||||||
conf.set('DEFAULT_DNS_OVER_TLS_MODE',
|
conf.set('DEFAULT_DNS_OVER_TLS_MODE',
|
||||||
|
@ -1594,11 +1605,7 @@ if conf.get('ENABLE_RESOLVE') == 1
|
||||||
link_with : [libshared,
|
link_with : [libshared,
|
||||||
libbasic_gcrypt,
|
libbasic_gcrypt,
|
||||||
libsystemd_resolve_core],
|
libsystemd_resolve_core],
|
||||||
dependencies : [threads,
|
dependencies : systemd_resolved_dependencies,
|
||||||
libgnutls,
|
|
||||||
libgpg_error,
|
|
||||||
libm,
|
|
||||||
libidn],
|
|
||||||
install_rpath : rootlibexecdir,
|
install_rpath : rootlibexecdir,
|
||||||
install : true,
|
install : true,
|
||||||
install_dir : rootlibexecdir)
|
install_dir : rootlibexecdir)
|
||||||
|
@ -2950,6 +2957,7 @@ foreach tuple : [
|
||||||
['localed'],
|
['localed'],
|
||||||
['networkd'],
|
['networkd'],
|
||||||
['resolve'],
|
['resolve'],
|
||||||
|
['DNS-over-TLS'],
|
||||||
['coredump'],
|
['coredump'],
|
||||||
['polkit'],
|
['polkit'],
|
||||||
['legacy pkla', install_polkit_pkla],
|
['legacy pkla', install_polkit_pkla],
|
||||||
|
|
|
@ -195,6 +195,8 @@ option('default-dns-over-tls', type : 'combo',
|
||||||
description : 'default DNS-over-TLS mode',
|
description : 'default DNS-over-TLS mode',
|
||||||
choices : ['opportunistic', 'no'],
|
choices : ['opportunistic', 'no'],
|
||||||
value : 'no')
|
value : 'no')
|
||||||
|
option('dns-over-tls', type : 'combo', choices : ['auto', 'true', 'false'],
|
||||||
|
description : 'DNS-over-TLS support')
|
||||||
option('dns-servers', type : 'string',
|
option('dns-servers', type : 'string',
|
||||||
description : 'space-separated list of default DNS servers',
|
description : 'space-separated list of default DNS servers',
|
||||||
value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844')
|
value : '8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844')
|
||||||
|
|
|
@ -139,6 +139,11 @@ libsystemd_resolve_core = static_library(
|
||||||
|
|
||||||
systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c]
|
systemd_resolved_sources += [resolved_gperf_c, resolved_dnssd_gperf_c]
|
||||||
|
|
||||||
|
systemd_resolved_dependencies = [threads, libgpg_error, libm, libidn]
|
||||||
|
if conf.get('ENABLE_DNS_OVER_TLS') == 1
|
||||||
|
systemd_resolved_dependencies += [libgnutls]
|
||||||
|
endif
|
||||||
|
|
||||||
if conf.get('ENABLE_RESOLVE') == 1
|
if conf.get('ENABLE_RESOLVE') == 1
|
||||||
install_data('org.freedesktop.resolve1.conf',
|
install_data('org.freedesktop.resolve1.conf',
|
||||||
install_dir : dbuspolicydir)
|
install_dir : dbuspolicydir)
|
||||||
|
|
|
@ -392,9 +392,9 @@ int manager_parse_config_file(Manager *m) {
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if ! HAVE_GNUTLS
|
#if ! ENABLE_DNS_OVER_TLS
|
||||||
if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
|
if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
|
||||||
log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support.");
|
log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
|
||||||
m->dns_over_tls_mode = DNS_OVER_TLS_NO;
|
m->dns_over_tls_mode = DNS_OVER_TLS_NO;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -80,7 +80,7 @@ int dns_server_new(
|
||||||
|
|
||||||
s->linked = true;
|
s->linked = true;
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
/* Do not verify cerificate */
|
/* Do not verify cerificate */
|
||||||
gnutls_certificate_allocate_credentials(&s->tls_cert_cred);
|
gnutls_certificate_allocate_credentials(&s->tls_cert_cred);
|
||||||
#endif
|
#endif
|
||||||
|
@ -121,7 +121,7 @@ DnsServer* dns_server_unref(DnsServer *s) {
|
||||||
|
|
||||||
dns_stream_unref(s->stream);
|
dns_stream_unref(s->stream);
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
if (s->tls_cert_cred)
|
if (s->tls_cert_cred)
|
||||||
gnutls_certificate_free_credentials(s->tls_cert_cred);
|
gnutls_certificate_free_credentials(s->tls_cert_cred);
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
|
|
||||||
#include "in-addr-util.h"
|
#include "in-addr-util.h"
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
#include <gnutls/gnutls.h>
|
#include <gnutls/gnutls.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ struct DnsServer {
|
||||||
char *server_string;
|
char *server_string;
|
||||||
DnsStream *stream;
|
DnsStream *stream;
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
gnutls_certificate_credentials_t tls_cert_cred;
|
gnutls_certificate_credentials_t tls_cert_cred;
|
||||||
gnutls_datum_t tls_session_data;
|
gnutls_datum_t tls_session_data;
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -44,7 +44,7 @@ static int dns_stream_update_io(DnsStream *s) {
|
||||||
static int dns_stream_complete(DnsStream *s, int error) {
|
static int dns_stream_complete(DnsStream *s, int error) {
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) {
|
if (s->tls_session && IN_SET(error, ETIMEDOUT, 0)) {
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
@ -197,7 +197,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i
|
||||||
assert(s);
|
assert(s);
|
||||||
assert(iov);
|
assert(iov);
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
if (s->tls_session && !(flags & WRITE_TLS_DATA)) {
|
if (s->tls_session && !(flags & WRITE_TLS_DATA)) {
|
||||||
ssize_t ss;
|
ssize_t ss;
|
||||||
size_t i;
|
size_t i;
|
||||||
|
@ -257,7 +257,7 @@ static ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t i
|
||||||
static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
|
static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
|
||||||
ssize_t ss;
|
ssize_t ss;
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
if (s->tls_session) {
|
if (s->tls_session) {
|
||||||
ss = gnutls_record_recv(s->tls_session, buf, count);
|
ss = gnutls_record_recv(s->tls_session, buf, count);
|
||||||
if (ss < 0) {
|
if (ss < 0) {
|
||||||
|
@ -290,7 +290,7 @@ static ssize_t dns_stream_read(DnsStream *s, void *buf, size_t count) {
|
||||||
return ss;
|
return ss;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) {
|
static ssize_t dns_stream_tls_writev(gnutls_transport_ptr_t p, const giovec_t * iov, int iovcnt) {
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
@ -320,7 +320,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
|
||||||
|
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
if (s->tls_bye) {
|
if (s->tls_bye) {
|
||||||
assert(s->tls_session);
|
assert(s->tls_session);
|
||||||
|
|
||||||
|
@ -505,7 +505,7 @@ DnsStream *dns_stream_unref(DnsStream *s) {
|
||||||
s->manager->n_dns_streams--;
|
s->manager->n_dns_streams--;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
if (s->tls_session)
|
if (s->tls_session)
|
||||||
gnutls_deinit(s->tls_session);
|
gnutls_deinit(s->tls_session);
|
||||||
#endif
|
#endif
|
||||||
|
@ -586,7 +586,7 @@ int dns_stream_new(Manager *m, DnsStream **ret, DnsProtocol protocol, int fd, co
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) {
|
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session) {
|
||||||
gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s);
|
gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr_t) (long) s->fd, s);
|
||||||
gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev);
|
gnutls_transport_set_vec_push_function(tls_session, &dns_stream_tls_writev);
|
||||||
|
|
|
@ -9,7 +9,7 @@ typedef struct DnsStream DnsStream;
|
||||||
#include "resolved-dns-transaction.h"
|
#include "resolved-dns-transaction.h"
|
||||||
#include "resolved-manager.h"
|
#include "resolved-manager.h"
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
#include <gnutls/gnutls.h>
|
#include <gnutls/gnutls.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -39,7 +39,7 @@ struct DnsStream {
|
||||||
union sockaddr_union tfo_address;
|
union sockaddr_union tfo_address;
|
||||||
socklen_t tfo_salen;
|
socklen_t tfo_salen;
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
gnutls_session_t tls_session;
|
gnutls_session_t tls_session;
|
||||||
int tls_handshake;
|
int tls_handshake;
|
||||||
bool tls_bye;
|
bool tls_bye;
|
||||||
|
@ -68,7 +68,7 @@ struct DnsStream {
|
||||||
};
|
};
|
||||||
|
|
||||||
int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
|
int dns_stream_new(Manager *m, DnsStream **s, DnsProtocol protocol, int fd, const union sockaddr_union *tfo_address);
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session);
|
int dns_stream_connect_tls(DnsStream *s, gnutls_session_t tls_session);
|
||||||
#endif
|
#endif
|
||||||
DnsStream *dns_stream_unref(DnsStream *s);
|
DnsStream *dns_stream_unref(DnsStream *s);
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
#include "resolved-llmnr.h"
|
#include "resolved-llmnr.h"
|
||||||
#include "string-table.h"
|
#include "string-table.h"
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
#include <gnutls/socket.h>
|
#include <gnutls/socket.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -504,7 +504,7 @@ static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsPacket *p) {
|
||||||
}
|
}
|
||||||
|
|
||||||
static int on_stream_connection(DnsStream *s) {
|
static int on_stream_connection(DnsStream *s) {
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
/* Store TLS Ticket for faster succesive TLS handshakes */
|
/* Store TLS Ticket for faster succesive TLS handshakes */
|
||||||
if (s->tls_session && s->server) {
|
if (s->tls_session && s->server) {
|
||||||
if (s->server->tls_session_data.data)
|
if (s->server->tls_session_data.data)
|
||||||
|
@ -577,7 +577,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
|
||||||
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
|
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
|
||||||
union sockaddr_union sa;
|
union sockaddr_union sa;
|
||||||
int r;
|
int r;
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
gnutls_session_t gs;
|
gnutls_session_t gs;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -651,7 +651,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
|
||||||
s->server = dns_server_ref(t->server);
|
s->server = dns_server_ref(t->server);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if HAVE_GNUTLS
|
#if ENABLE_DNS_OVER_TLS
|
||||||
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
|
if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
|
||||||
r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
|
r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|
|
@ -353,9 +353,9 @@ void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) {
|
||||||
|
|
||||||
assert(l);
|
assert(l);
|
||||||
|
|
||||||
#if ! HAVE_GNUTLS
|
#if ! ENABLE_DNS_OVER_TLS
|
||||||
if (mode != DNS_OVER_TLS_NO)
|
if (mode != DNS_OVER_TLS_NO)
|
||||||
log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without gnutls support. Turning off DNS-over-TLS support.");
|
log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
|
||||||
return;
|
return;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue