From 8ae9f26bce3aa776cf0ead81e4eeca8a1fa65ea6 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Wed, 23 Jan 2019 08:37:00 +0000
Subject: [PATCH] - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites options for unbound.conf.
git-svn-id: file:///svn/unbound/trunk@5054 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/unbound.c | 13 +++++++++++++
 doc/Changelog | 4 ++++
 doc/example.conf.in | 5 +++++
 util/config_file.c | 4 ++++
 util/config_file.h | 4 ++++
 util/configlexer.lex | 2 ++
 util/configparser.y | 18 ++++++++++++++++--
 7 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/daemon/unbound.c b/daemon/unbound.c
index 020e45303..d5a591e0b 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -67,6 +67,7 @@
 #ifdef HAVE_GRP_H
 #include
 #endif
+#include
 #ifndef S_SPLINT_S /* splint chokes on this system header file */
@@ -430,6 +431,18 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 if(!(daemon->listen_sslctx = listen_sslctx_create( cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) fatal_exit("could not set up listen SSL_CTX");
+ if(cfg->tls_ciphers && cfg->tls_ciphers[0]) {
+ if (!SSL_CTX_set_cipher_list(daemon->listen_sslctx, cfg->tls_ciphers)) {
+ fatal_exit("faild to set tls-cipher %s",cfg->tls_ciphers);
+ }
+ }
+#if OPENSSL_VERSION_NUMBER >= 0x1010101
+ if(cfg->tls_ciphersuites && cfg->tls_ciphersuites[0]) {
+ if (!SSL_CTX_set_ciphersuites(daemon->listen_sslctx, cfg->tls_ciphersuites)) {
+ fatal_exit("faild to set tls-ciphersuites %s",cfg->tls_ciphersuites);
+ }
+ }
+#endif
 }
 if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, cfg->tls_cert_bundle, cfg->tls_win_cert)))
diff --git a/doc/Changelog b/doc/Changelog
index 70f8dd59e..d07861035 100644
--- a/doc/Changelog
+++ b/doc/Changelog
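Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x1010101` does not select OpenSSL 1.1.1: the macro is laid out as 0xMNNFFPPSL, so 1.1.1 is `0x10101000L` and `0x1010101` is below even 1.0.0, which makes the guard true for every OpenSSL release (and for LibreSSL, whose macro is 0x20000000L), so the `SSL_CTX_set_ciphersuites()` call will fail to compile on 1.0.2 and on LibreSSL builds where that function does not exist. Use a configure-detected feature macro if the build has one, `#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES`, or at minimum the correct constant, `#if OPENSSL_VERSION_NUMBER >= 0x10101000L`. The two fatal_exit messages are misspelled and the first names an option that does not exist; they should read `fatal_exit("failed to set tls-ciphers %s", cfg->tls_ciphers);` and `fatal_exit("failed to set tls-ciphersuites %s", cfg->tls_ciphersuites);`. Note also that both lists are installed only on `daemon->listen_sslctx`; `connect_sslctx`, created two lines below, keeps the library defaults, so these options harden the DNS-over-TLS service side only and the documentation should say so. perform_setup continues outside the hunk.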
@@ -1,3 +1,7 @@
+23 January 2018: Wouter
+ - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
+ options for unbound.conf.
+
 22 January 2018: Wouter
 - Fix space calculation for tcp req buffer size.
 - Doc for stream-wait-size and unit test.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 2ec538956..ca4070917 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -715,6 +715,11 @@ server:
 # tls-service-pem: "path/to/publiccertfile.pem"
 # tls-port: 853
+ # cipher setting for TLSv1.2
+ # tls-chiphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+ # cipher setting for TLSv1.3
+ # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+
 # request upstream over TLS (with plain DNS inside the TLS stream).
 # Default is no. Can be turned on and off with unbound-control.
 # tls-upstream: no
diff --git a/util/config_file.c b/util/config_file.c
index 954517341..e49bc8f00 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -487,6 +487,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_STRLIST("additional-tls-port:", tls_additional_port)
 else S_STRLIST("tls-additional-ports:", tls_additional_port)
 else S_STRLIST("tls-additional-port:", tls_additional_port)
+ else S_STR("tls_ciphers:", tls_ciphers)
+ else S_STR("tls_ciphersuites:", tls_ciphersuites)
 else S_YNO("interface-automatic:", if_automatic)
 else S_YNO("use-systemd:", use_systemd)
 else S_YNO("do-daemonize:", do_daemonize)
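Review bot: The option name in the new example line is misspelled, `# tls-chiphers:` where the lexer keyword added in this patch is `tls-ciphers:`; a user who uncomments the line as written gets a parse error instead of the intended cipher list, so change it to `# tls-ciphers: "..."`. The TLSv1.2 sample list also ends with four CBC-mode suites (`DHE-RSA-AES256-SHA256`, `DHE-RSA-AES128-SHA256`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-RSA-AES128-SHA256`) that current hardening guidance drops in favour of AEAD-only suites; trimming the example to the GCM entries would make a verbatim copy a conservative configuration. Judging from the daemon/unbound.c hunk in this patch, the lists are applied to the TLS service (listen) context only, and a comment saying so, e.g. `# applies to the DNS-over-TLS service side (tls-port), not to tls-upstream`, would save operators from assuming upstream connections are covered.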
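Review bot: The two new S_STR entries spell the option with underscores, `"tls_ciphers:"` and `"tls_ciphersuites:"`, while the lexer keyword in configlexer.lex and the config_get_option entries in this same patch use hyphens; as written, `unbound-control set_option tls-ciphers: ...` is rejected, only the underscore spelling is accepted, and getter and setter disagree on the name. Change them to `else S_STR("tls-ciphers:", tls_ciphers)` and `else S_STR("tls-ciphersuites:", tls_ciphersuites)`. Since config_set_option is reachable at runtime, it is also worth a comment that a value set here is not re-applied to the already-created SSL_CTX — in this patch the lists are installed only in perform_setup — so it takes effect on the next restart or reload, if that is the intended behaviour. config_set_option continues outside the hunk.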
@@ -924,6 +926,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
 else O_YNO(opt, "tls-win-cert", tls_win_cert)
 else O_LST(opt, "tls-additional-port", tls_additional_port)
+ else O_STR(opt, "tls-ciphers", tls_ciphers)
+ else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
 else O_YNO(opt, "use-systemd", use_systemd)
 else O_YNO(opt, "do-daemonize", do_daemonize)
 else O_STR(opt, "chroot", chrootdir)
diff --git a/util/config_file.h b/util/config_file.h
index 0f50c0e71..3a8efce8d 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -120,6 +120,10 @@ struct config_file {
 int tls_win_cert;
 /** additional tls ports */
 struct config_strlist* tls_additional_port;
+ /** TLS chiper **/
+ char* tls_ciphers;
+ /** TLS chipersuites (TLSv1.3) **/
+ char* tls_ciphersuites;
 /** outgoing port range number of ports (per thread) */
 int outgoing_num_ports;
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 60373e515..beec31396 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -245,6 +245,8 @@ additional-ssl-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 additional-tls-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 tls-additional-ports{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 tls-additional-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
+tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) }
+tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) }
 use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) }
 do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON} { YDVAR(1, VAR_INTERFACE) }
diff --git a/util/configparser.y b/util/configparser.y
index c96700577..440e9afec 100644
--- a/util/configparser.y
+++ b/util/configparser.y
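Review bot: The two new `char*` fields in struct config_file are heap-owned strings — the configparser.y hunk assigns the lexer's STRING_ARG to them and frees the previous value — but nothing in this patch frees them on config teardown; the diffstat shows only the set/get entries in config_file.c, so unless the destructor already does it somewhere the diff does not show, every reload leaks both strings. Add `free(cfg->tls_ciphers); free(cfg->tls_ciphersuites);` next to where tls_additional_port is released. The doc comments also carry typos ("chiper") and should state the format and the NULL default: `/** cipher list for the TLS service, TLSv1.2 and below (SSL_CTX_set_cipher_list syntax), NULL for library default */` and `/** TLSv1.3 ciphersuites for the TLS service (SSL_CTX_set_ciphersuites syntax), NULL for library default */`. struct config_file begins and ends outside the hunk.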
@@ -165,7 +165,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
 %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
 %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
-%token VAR_STREAM_WAIT_SIZE
+%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar
 ;
@@ -265,7 +265,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 server_fast_server_permil | server_fast_server_num | server_tls_win_cert |
 server_tcp_connection_limit | server_log_servfail | server_deny_any |
 server_unknown_server_time_limit | server_log_tag_queryreply |
- server_stream_wait_size
+ server_stream_wait_size | server_tls_ciphers | server_tls_ciphersuites
 ;
 stubstart: VAR_STUB_ZONE
 {
@@ -820,6 +820,20 @@ server_tls_additional_port: VAR_TLS_ADDITIONAL_PORT STRING_ARG
 yyerror("out of memory");
 }
 ;
+server_tls_ciphers: VAR_TLS_CIPHERS STRING_ARG
+ {
+ OUTYY(("P(server_tls_ciphers:%s)\n", $2));
+ free(cfg_parser->cfg->tls_ciphers);
+ cfg_parser->cfg->tls_ciphers = $2;
+ }
+ ;
+server_tls_ciphersuites: VAR_TLS_CIPHERSUITES STRING_ARG
+ {
+ OUTYY(("P(server_tls_ciphersuites:%s)\n", $2));
+ free(cfg_parser->cfg->tls_ciphersuites);
+ cfg_parser->cfg->tls_ciphersuites = $2;
+ }
+ ;
 server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
 {
 OUTYY(("P(server_use_systemd:%s)\n", $2));
--
2.47.3
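Review bot: The two new actions store the cipher strings without any validation, so a malformed list is only detected when perform_setup in daemon/unbound.c calls SSL_CTX_set_cipher_list or SSL_CTX_set_ciphersuites at daemon start and dies with fatal_exit; if unbound-checkconf does not run that setup path (I cannot see it in this diff), a typo in tls-ciphers takes the resolver down on the next restart rather than being reported beforehand. Consider validating the string either here or in checkconf by applying it to a throwaway SSL_CTX, and add a comment on each action noting where the value is actually consumed, e.g. `/* validated only when installed on the listen SSL_CTX in perform_setup */`.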