From 4310bfc20b84127e19bed68701caa3820c844682 Mon Sep 17 00:00:00 2001 From: Iwan Timmer Date: Mon, 18 Feb 2019 20:41:46 +0100 Subject: [PATCH] resolved: add strict mode for DNS-over-TLS Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755 --- man/resolved.conf.xml | 7 +++++-- man/systemd.network.xml | 11 +++++++---- meson.build | 2 +- meson_options.txt | 2 +- shell-completion/bash/resolvectl | 2 +- shell-completion/bash/systemd-resolve | 2 +- src/resolve/resolved-conf.c | 2 +- src/resolve/resolved-dns-server.c | 2 +- src/resolve/resolved-dnstls-gnutls.c | 7 +++++++ src/resolve/resolved-dnstls-openssl.c | 14 ++++++++++++++ src/resolve/resolved-link.c | 2 +- src/shared/resolve-util.c | 3 ++- src/shared/resolve-util.h | 3 +++ src/systemd/sd-network.h | 2 +- 14 files changed, 46 insertions(+), 15 deletions(-) diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index c8ab6942c14..a647a4ace77 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -193,8 +193,11 @@ DNSOverTLS= - Takes false or - opportunistic. When set to opportunistic + Takes a boolean argument or opportunistic. + If true all connections to the server will be encrypted. Note that + this mode requires a DNS server that supports DNS-over-TLS and has + a valid certificate for it's IP. If the DNS server does not support + DNS-over-TLS all DNS requests will fail. When set to opportunistic DNS request are attempted to send encrypted with DNS-over-TLS. If the DNS server does not support TLS, DNS-over-TLS is disabled. Note that this mode makes DNS-over-TLS vulnerable to "downgrade" diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d832e68d71c..bad673b44e1 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -395,12 +395,15 @@ DNSOverTLS= - Takes false or - opportunistic. When set to opportunistic, enables + Takes a boolean or opportunistic. + When true, enables DNS-over-TLS - support on the link. This option defines a - per-interface setting for + support on the link. + When set to opportunistic, compatibility with + non-DNS-over-TLS servers is increased, by automatically + turning off DNS-over-TLS servers in this case. + This option defines a per-interface setting for resolved.conf5's global DNSOverTLS= option. Defaults to false. This setting is read by diff --git a/meson.build b/meson.build index 19c005141fb..0a9b3d5b857 100644 --- a/meson.build +++ b/meson.build @@ -1221,7 +1221,7 @@ if skip_deps default_dns_over_tls = 'no' endif if default_dns_over_tls != 'no' and conf.get('ENABLE_DNS_OVER_TLS') == 0 - message('default-dns-over-tls cannot be set to opportunistic when DNS-over-TLS support is disabled. Setting default-dns-over-tls to no.') + message('default-dns-over-tls cannot be enabled or set to opportunistic when DNS-over-TLS support is disabled. Setting default-dns-over-tls to no.') default_dns_over_tls = 'no' endif conf.set('DEFAULT_DNS_OVER_TLS_MODE', diff --git a/meson_options.txt b/meson_options.txt index 494a8de43c4..b96e49d8257 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -206,7 +206,7 @@ option('default-dnssec', type : 'combo', value : 'allow-downgrade') option('default-dns-over-tls', type : 'combo', description : 'default DNS-over-TLS mode', - choices : ['opportunistic', 'no'], + choices : ['yes', 'opportunistic', 'no'], value : 'no') option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'], description : 'DNS-over-TLS support') diff --git a/shell-completion/bash/resolvectl b/shell-completion/bash/resolvectl index 161ac4d3c57..d4ac3390381 100644 --- a/shell-completion/bash/resolvectl +++ b/shell-completion/bash/resolvectl @@ -53,7 +53,7 @@ _resolvectl() { [FAMILY]='tcp udp sctp' [RESOLVE]='yes no resolve' [DNSSEC]='yes no allow-downgrade' - [DNSOVERTLS]='no opportunistic' + [DNSOVERTLS]='yes no opportunistic' ) local interfaces=$( __get_interfaces ) diff --git a/shell-completion/bash/systemd-resolve b/shell-completion/bash/systemd-resolve index 84747b7462f..66f0ae04a0a 100644 --- a/shell-completion/bash/systemd-resolve +++ b/shell-completion/bash/systemd-resolve @@ -64,7 +64,7 @@ _systemd-resolve() { comps="yes no allow-downgrade" ;; --set-dnsovertls) - comps="no opportunistic" + comps="yes no opportunistic" ;; esac COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c index 79e388f8a2d..7b2938fea3f 100644 --- a/src/resolve/resolved-conf.c +++ b/src/resolve/resolved-conf.c @@ -394,7 +394,7 @@ int manager_parse_config_file(Manager *m) { #if ! ENABLE_DNS_OVER_TLS if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) { - log_warning("DNS-over-TLS option cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support."); + log_warning("DNS-over-TLS option cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support."); m->dns_over_tls_mode = DNS_OVER_TLS_NO; } #endif diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index 0033de73b4f..78e5953b300 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -419,7 +419,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { log_debug("Reached maximum number of failed TCP connection attempts, trying UDP again..."); s->possible_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP; } else if (s->n_failed_tls > 0 && - DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level)) { + DNS_SERVER_FEATURE_LEVEL_IS_TLS(s->possible_feature_level) && dns_server_get_dns_over_tls_mode(s) != DNS_OVER_TLS_YES) { /* We tried to connect using DNS-over-TLS, and it didn't work. Downgrade to plaintext UDP * if we don't require DNS-over-TLS */ diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c index d824d6ca5ac..6eef6117a3a 100644 --- a/src/resolve/resolved-dnstls-gnutls.c +++ b/src/resolve/resolved-dnstls-gnutls.c @@ -54,6 +54,9 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { server->dnstls_data.session_data.size = 0; } + if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) + gnutls_session_set_verify_cert(gs, NULL, 0); + gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream); @@ -202,6 +205,10 @@ int dnstls_manager_init(Manager *manager) { if (r < 0) return -ENOMEM; + r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred); + if (r < 0) + log_warning("Failed to load system trust store: %s", gnutls_strerror(r)); + return 0; } diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c index 22d579a7f77..85e202ff741 100644 --- a/src/resolve/resolved-dnstls-openssl.c +++ b/src/resolve/resolved-dnstls-openssl.c @@ -76,6 +76,17 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { SSL_set_session(s, server->dnstls_data.session); SSL_set_bio(s, TAKE_PTR(rb), TAKE_PTR(wb)); + if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES) { + X509_VERIFY_PARAM *v; + const unsigned char *ip; + + SSL_set_verify(s, SSL_VERIFY_PEER, NULL); + v = SSL_get0_param(s); + ip = server->family == AF_INET ? (const unsigned char*) &server->address.in.s_addr : server->address.in6.s6_addr; + if (!X509_VERIFY_PARAM_set1_ip(v, ip, FAMILY_ADDRESS_SIZE(server->family))) + return -ECONNREFUSED; + } + ERR_clear_error(); stream->dnstls_data.handshake = SSL_do_handshake(s); if (stream->dnstls_data.handshake <= 0) { @@ -357,6 +368,9 @@ int dnstls_manager_init(Manager *manager) { SSL_CTX_set_min_proto_version(manager->dnstls_data.ctx, TLS1_2_VERSION); SSL_CTX_set_options(manager->dnstls_data.ctx, SSL_OP_NO_COMPRESSION); + r = SSL_CTX_set_default_verify_paths(manager->dnstls_data.ctx); + if (r < 0) + log_warning("Failed to load system trust store: %s", ERR_error_string(ERR_get_error(), NULL)); return 0; } diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c index dd8b5a574b0..96ebb4d23d3 100644 --- a/src/resolve/resolved-link.c +++ b/src/resolve/resolved-link.c @@ -384,7 +384,7 @@ void link_set_dns_over_tls_mode(Link *l, DnsOverTlsMode mode) { #if ! ENABLE_DNS_OVER_TLS if (mode != DNS_OVER_TLS_NO) - log_warning("DNS-over-TLS option for the link cannot be set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support."); + log_warning("DNS-over-TLS option for the link cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support."); return; #endif diff --git a/src/shared/resolve-util.c b/src/shared/resolve-util.c index a5d4a14344f..b433cd24bca 100644 --- a/src/shared/resolve-util.c +++ b/src/shared/resolve-util.c @@ -25,5 +25,6 @@ DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dnssec_mode, DnssecMode, DNSSEC_YES); static const char* const dns_over_tls_mode_table[_DNS_OVER_TLS_MODE_MAX] = { [DNS_OVER_TLS_NO] = "no", [DNS_OVER_TLS_OPPORTUNISTIC] = "opportunistic", + [DNS_OVER_TLS_YES] = "yes", }; -DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dns_over_tls_mode, DnsOverTlsMode, _DNS_OVER_TLS_MODE_INVALID); +DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dns_over_tls_mode, DnsOverTlsMode, DNS_OVER_TLS_YES); diff --git a/src/shared/resolve-util.h b/src/shared/resolve-util.h index 5883342e653..6ce25084660 100644 --- a/src/shared/resolve-util.h +++ b/src/shared/resolve-util.h @@ -42,6 +42,9 @@ enum DnsOverTlsMode { * fallback to using an unencrypted connection */ DNS_OVER_TLS_OPPORTUNISTIC, + /* Enforce DNS-over-TLS and require valid server certificates */ + DNS_OVER_TLS_YES, + _DNS_OVER_TLS_MODE_MAX, _DNS_OVER_TLS_MODE_INVALID = -1 }; diff --git a/src/systemd/sd-network.h b/src/systemd/sd-network.h index 166c30185a1..9ab4426b8b7 100644 --- a/src/systemd/sd-network.h +++ b/src/systemd/sd-network.h @@ -127,7 +127,7 @@ int sd_network_link_get_mdns(int ifindex, char **mdns); /* Indicates whether or not DNS-over-TLS should be enabled for the * link. - * Possible levels of support: strict, no, opportunistic + * Possible levels of support: yes, no, opportunistic * Possible return codes: * -ENODATA: networkd is not aware of the link */