path: root/util/net_help.c
authorDag-Erling Smørgrav <des@FreeBSD.org>2018-05-12 11:55:17 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2018-05-12 11:55:17 +0000
commita6c5280ea59f940be13fd6eb0f94ab8360d3d6c9 (patch)
treecbe088761a83cf2025bbdf36e1574f38c3e988f5 /util/net_help.c
parent8c2647a7dc721c8e5349bd194b8e8e178412057e (diff)
downloadsrc-test2-a6c5280ea59f940be13fd6eb0f94ab8360d3d6c9.tar.gz
src-test2-a6c5280ea59f940be13fd6eb0f94ab8360d3d6c9.zip
Vendor import of Unbound 1.6.6.vendor/unbound/1.6.6
Notes
Notes: svn path=/vendor/unbound/dist/; revision=333541 svn path=/vendor/unbound/1.6.6/; revision=333542; tag=vendor/unbound/1.6.6
Diffstat (limited to 'util/net_help.c')
-rw-r--r--util/net_help.c111
1 files changed, 84 insertions, 27 deletions
diff --git a/util/net_help.c b/util/net_help.c
index 6c0d68e312b8..ce136a337cff 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -114,8 +114,9 @@ fd_set_block(int s)
#elif defined(HAVE_IOCTLSOCKET)
unsigned long off = 0;
if(ioctlsocket(s, FIONBIO, &off) != 0) {
- log_err("can't ioctlsocket FIONBIO off: %s",
- wsa_strerror(WSAGetLastError()));
+ if(WSAGetLastError() != WSAEINVAL || verbosity >= 4)
+ log_err("can't ioctlsocket FIONBIO off: %s",
+ wsa_strerror(WSAGetLastError()));
}
#endif
return 1;
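Review bot: The new condition drops a WSAEINVAL result from ioctlsocket(FIONBIO) silently below verbosity 4 without saying why that particular error is expected here, and it calls WSAGetLastError() twice for one failure. Read the code once and state the exception: `int err = WSAGetLastError(); /* WSAEINVAL: presumably the socket is already closed or is not a socket - expected during teardown, confirm */` followed by `if(err != WSAEINVAL || verbosity >= 4) log_err("can't ioctlsocket FIONBIO off: %s", wsa_strerror(err));`. fd_set_block still returns 1 after the failure on every path, which is pre-existing behaviour; its signature and the other platform branches are outside this hunk.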
@@ -610,45 +611,66 @@ log_crypto_err(const char* str)
#endif /* HAVE_SSL */
}
-void* listen_sslctx_create(char* key, char* pem, char* verifypem)
+int
+listen_sslctx_setup(void* ctxt)
{
#ifdef HAVE_SSL
- SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
- if(!ctx) {
- log_crypto_err("could not SSL_CTX_new");
- return NULL;
- }
+ SSL_CTX* ctx = (SSL_CTX*)ctxt;
/* no SSLv2, SSLv3 because has defects */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
!= SSL_OP_NO_SSLv2){
log_crypto_err("could not set SSL_OP_NO_SSLv2");
- SSL_CTX_free(ctx);
- return NULL;
+ return 0;
}
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3){
log_crypto_err("could not set SSL_OP_NO_SSLv3");
- SSL_CTX_free(ctx);
- return NULL;
+ return 0;
}
- if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
- log_err("error for cert file: %s", pem);
- log_crypto_err("error in SSL_CTX use_certificate_chain_file");
- SSL_CTX_free(ctx);
- return NULL;
+#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
+ /* if we have tls 1.1 disable 1.0 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
+ != SSL_OP_NO_TLSv1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1");
+ return 0;
}
- if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
- log_err("error for private key file: %s", key);
- log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
- SSL_CTX_free(ctx);
- return NULL;
+#endif
+#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
+ /* if we have tls 1.2 disable 1.1 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
+ != SSL_OP_NO_TLSv1_1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
+ return 0;
}
- if(!SSL_CTX_check_private_key(ctx)) {
- log_err("error for key file: %s", key);
- log_crypto_err("Error in SSL_CTX check_private_key");
- SSL_CTX_free(ctx);
- return NULL;
+#endif
+#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
+ /* if we have sha256, set the cipher list to have no known vulns */
+ if(!SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
+ log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+#endif
+
+ if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
+ SSL_OP_CIPHER_SERVER_PREFERENCE) !=
+ SSL_OP_CIPHER_SERVER_PREFERENCE) {
+ log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
+ return 0;
}
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ SSL_CTX_set_security_level(ctx, 0);
+#endif
+#else
+ (void)ctxt;
+#endif /* HAVE_SSL */
+ return 1;
+}
+
+void
+listen_sslctx_setup_2(void* ctxt)
+{
+#ifdef HAVE_SSL
+ SSL_CTX* ctx = (SSL_CTX*)ctxt;
+ (void)ctx;
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
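Review bot: `SSL_CTX_set_security_level(ctx, 0)` at the end of listen_sslctx_setup removes OpenSSL's minimum-strength floor for the whole listening context (key sizes, signature digests and DH parameters are no longer rejected by the library), and the hunk gives no reason; since listen_sslctx_create loads the server certificate and key after calling this function, those are checked under level 0 as well. If this is needed to keep existing short keys working, say so and consider a higher level: `/* security level 0: no OpenSSL strength floor; only needed for legacy keys - TODO confirm and raise to 1 or 2 */`. Separately, a failed SSL_CTX_set_cipher_list is only logged and the context continues with OpenSSL's default list, while every other failure in this function returns 0; `log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); return 0;` would make it consistent. The restricted list is also applied only when SHA256_DIGEST_LENGTH and USE_ECDSA are defined, so other builds keep the default list with no comment saying that is intended.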
@@ -666,7 +688,42 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
}
}
#endif
+#else
+ (void)ctxt;
+#endif /* HAVE_SSL */
+}
+void* listen_sslctx_create(char* key, char* pem, char* verifypem)
+{
+#ifdef HAVE_SSL
+ SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
+ if(!ctx) {
+ log_crypto_err("could not SSL_CTX_new");
+ return NULL;
+ }
+ if(!listen_sslctx_setup(ctx)) {
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
+ log_err("error for cert file: %s", pem);
+ log_crypto_err("error in SSL_CTX use_certificate_chain_file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
+ log_err("error for private key file: %s", key);
+ log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_check_private_key(ctx)) {
+ log_err("error for key file: %s", key);
+ log_crypto_err("Error in SSL_CTX check_private_key");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ listen_sslctx_setup_2(ctx);
if(verifypem && verifypem[0]) {
if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
log_crypto_err("Error in SSL_CTX verify locations");
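Review bot: `listen_sslctx_setup_2(ctx)` is void, so a failure to enable ECDHE inside it is only logged and listen_sslctx_create still returns the context; when the ECDHE-only cipher list from listen_sslctx_setup is in effect (the SHA256/USE_ECDSA build), such a context has no usable cipher suite and the problem surfaces at handshake time rather than at startup. Having listen_sslctx_setup_2 return int like listen_sslctx_setup and checking it here, `if(!listen_sslctx_setup_2(ctx)) { SSL_CTX_free(ctx); return NULL; }`, would fail early; whether the ecdh_auto/tmp_ecdh calls can actually fail on the OpenSSL versions targeted I cannot tell from here. The function also carries no header comment in this file; `/** create SSL_CTX for a listening socket. key and pem are the PEM private key and certificate chain files; verifypem, when non-NULL and non-empty, is loaded with SSL_CTX_load_verify_locations. returns NULL on error. */` would cover what the code shows, unless the header already documents it. listen_sslctx_create continues past the end of this hunk.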