From a6c5280ea59f940be13fd6eb0f94ab8360d3d6c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?=
Date: Sat, 12 May 2018 11:55:17 +0000
Subject: Vendor import of Unbound 1.6.6.

---
 util/net_help.c | 111 ++++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 84 insertions(+), 27 deletions(-)

(limited to 'util/net_help.c')

diff --git a/util/net_help.c b/util/net_help.c
index 6c0d68e312b8..ce136a337cff 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -114,8 +114,9 @@ fd_set_block(int s)
 #elif defined(HAVE_IOCTLSOCKET)
 unsigned long off = 0;
 if(ioctlsocket(s, FIONBIO, &off) != 0) {
- log_err("can't ioctlsocket FIONBIO off: %s",
- wsa_strerror(WSAGetLastError()));
+ if(WSAGetLastError() != WSAEINVAL || verbosity >= 4)
+ log_err("can't ioctlsocket FIONBIO off: %s",
+ wsa_strerror(WSAGetLastError()));
 }
 #endif
 return 1;
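Review bot: The new condition silences the WSAEINVAL case without saying why that error is benign, and because fd_set_block still returns 1 after a failed ioctlsocket() (the `return 1;` at the end of the hunk), a socket that stays non-blocking is now invisible at verbosity below 4. A comment above the new `if` would record the intent, e.g. `/* WSAEINVAL is expected here (TODO: state why) and is only reported at verbosity >= 4 */`; I am inferring the reason from the code, so the actual one should be written down. The success return on a failed ioctlsocket() is pre-existing and not introduced by this hunk.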
@@ -610,45 +611,66 @@ log_crypto_err(const char* str)
 #endif /* HAVE_SSL */
 }
 
-void* listen_sslctx_create(char* key, char* pem, char* verifypem)
+int
+listen_sslctx_setup(void* ctxt)
 {
 #ifdef HAVE_SSL
- SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
- if(!ctx) {
- log_crypto_err("could not SSL_CTX_new");
- return NULL;
- }
+ SSL_CTX* ctx = (SSL_CTX*)ctxt;
 /* no SSLv2, SSLv3 because has defects */
 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
 != SSL_OP_NO_SSLv2){
 log_crypto_err("could not set SSL_OP_NO_SSLv2");
- SSL_CTX_free(ctx);
- return NULL;
+ return 0;
 }
 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
 != SSL_OP_NO_SSLv3){
 log_crypto_err("could not set SSL_OP_NO_SSLv3");
- SSL_CTX_free(ctx);
- return NULL;
+ return 0;
 }
- if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
- log_err("error for cert file: %s", pem);
- log_crypto_err("error in SSL_CTX use_certificate_chain_file");
- SSL_CTX_free(ctx);
- return NULL;
+#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
+ /* if we have tls 1.1 disable 1.0 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
+ != SSL_OP_NO_TLSv1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1");
+ return 0;
 }
- if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
- log_err("error for private key file: %s", key);
- log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
- SSL_CTX_free(ctx);
- return NULL;
+#endif
+#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
+ /* if we have tls 1.2 disable 1.1 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
+ != SSL_OP_NO_TLSv1_1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
+ return 0;
 }
- if(!SSL_CTX_check_private_key(ctx)) {
- log_err("error for key file: %s", key);
- log_crypto_err("Error in SSL_CTX check_private_key");
- SSL_CTX_free(ctx);
- return NULL;
+#endif
+#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
+ /* if we have sha256, set the cipher list to have no known vulns */
+ if(!SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
+ log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
+#endif
+
+ if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
+ SSL_OP_CIPHER_SERVER_PREFERENCE) !=
+ SSL_OP_CIPHER_SERVER_PREFERENCE) {
+ log_crypto_err("could not set SSL_OP_CIPHER_SERVER_PREFERENCE");
+ return 0;
 }
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ SSL_CTX_set_security_level(ctx, 0);
+#endif
+#else
+ (void)ctxt;
+#endif /* HAVE_SSL */
+ return 1;
+}
+
+void
+listen_sslctx_setup_2(void* ctxt)
+{
+#ifdef HAVE_SSL
+ SSL_CTX* ctx = (SSL_CTX*)ctxt;
+ (void)ctx;
 #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
 if(!SSL_CTX_set_ecdh_auto(ctx,1)) {
 log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
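Review bot: `SSL_CTX_set_security_level(ctx, 0);` at the end of listen_sslctx_setup lowers OpenSSL's security level to 0 unconditionally and without a comment, and per OpenSSL's documentation level 0 permits everything, i.e. no minimum key size or signature-digest strength is enforced. That undoes part of what the same function just did (disabling SSLv2/3 and TLS 1.0/1.1, pinning an AEAD-only ECDHE cipher list), and the downgrade is worse when the cipher list is not compiled in (`SHA256_DIGEST_LENGTH`/`USE_ECDSA` undefined) or `SSL_CTX_set_cipher_list` fails, since that failure is only logged and the function still returns 1 with OpenSSL's default cipher list at level 0. I would drop the call and keep the library or distribution default, or, if some deployments genuinely need it, state the reason in a comment next to it and make the cipher-list failure fatal: `log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); return 0;`. listen_sslctx_setup_2 continues past the end of the hunk.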
@@ -666,7 +688,42 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 }
 }
 #endif
+#else
+ (void)ctxt;
+#endif /* HAVE_SSL */
+}
 
+void* listen_sslctx_create(char* key, char* pem, char* verifypem)
+{
+#ifdef HAVE_SSL
+ SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
+ if(!ctx) {
+ log_crypto_err("could not SSL_CTX_new");
+ return NULL;
+ }
+ if(!listen_sslctx_setup(ctx)) {
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
+ log_err("error for cert file: %s", pem);
+ log_crypto_err("error in SSL_CTX use_certificate_chain_file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
+ log_err("error for private key file: %s", key);
+ log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_CTX_check_private_key(ctx)) {
+ log_err("error for key file: %s", key);
+ log_crypto_err("Error in SSL_CTX check_private_key");
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ listen_sslctx_setup_2(ctx);
 if(verifypem && verifypem[0]) {
 if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) {
 log_crypto_err("Error in SSL_CTX verify locations");
-- cgit v1.2.3
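Review bot: `listen_sslctx_setup_2(ctx);` is the one setup step in the rebuilt listen_sslctx_create whose failure is not fatal: a failing listen_sslctx_setup frees the context and returns NULL, but listen_sslctx_setup_2 is void and, from the previous hunk, only logs "not enabling ECDHE". Given that listen_sslctx_setup installs an ECDHE-only cipher list, a context with no usable ECDH configuration presumably cannot complete a handshake (confirm against the OpenSSL version in use), so such a failure would surface at connection time instead of at startup. At minimum record the intent at the call site, `/* ECDHE setup failure is logged but not fatal; see listen_sslctx_setup_2 */`, or have listen_sslctx_setup_2 return an int and handle it like the other steps. `SSLv23_server_method()` is also the pre-1.1.0 spelling; `TLS_server_method()` is the current name where available. listen_sslctx_create continues past the end of the hunk.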