- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 23 Jan 2019 08:37:00 +0000 (08:37 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 23 Jan 2019 08:37:00 +0000 (08:37 +0000)
  options for unbound.conf.

git-svn-id: file:///svn/unbound/trunk@5054 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/unbound.c
doc/Changelog
doc/example.conf.in
util/config_file.c
util/config_file.h
util/configlexer.lex
util/configparser.y

index 020e453034ad59a79438634a39eea6e818a08e0d..d5a591e0b11ecc9bd58c2265dc640c7dbb7c701d 100644 (file)
@@ -67,6 +67,7 @@
 #ifdef HAVE_GRP_H
 #include <grp.h>
 #endif
+#include <openssl/ssl.h>
 
 #ifndef S_SPLINT_S
 /* splint chokes on this system header file */
@@ -430,6 +431,18 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
                if(!(daemon->listen_sslctx = listen_sslctx_create(
                        cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))
                        fatal_exit("could not set up listen SSL_CTX");
+               if(cfg->tls_ciphers && cfg->tls_ciphers[0]) {
+                       if (!SSL_CTX_set_cipher_list(daemon->listen_sslctx, cfg->tls_ciphers)) {
+                               fatal_exit("faild to set tls-cipher %s",cfg->tls_ciphers);
+                       }
+               }
+#if OPENSSL_VERSION_NUMBER >= 0x1010101
+               if(cfg->tls_ciphersuites && cfg->tls_ciphersuites[0]) {
+                       if (!SSL_CTX_set_ciphersuites(daemon->listen_sslctx, cfg->tls_ciphersuites)) {
+                               fatal_exit("faild to set tls-ciphersuites %s",cfg->tls_ciphersuites);
+                       }
+               }
+#endif
        }
        if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL,
                cfg->tls_cert_bundle, cfg->tls_win_cert)))
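Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x1010101` around the SSL_CTX_set_ciphersuites block does not select OpenSSL 1.1.1: the macro is laid out as 0xMNNFFPPS, so 1.1.1 is `0x10101000L` and the literal used here is exceeded by every 1.x release, which means the block is compiled against 1.0.2/1.1.0 (and LibreSSL, which defines a 2.x number) where SSL_CTX_set_ciphersuites may not exist. Change it to `#if OPENSSL_VERSION_NUMBER >= 0x10101000L`, or better gate it on a configure-time check for the function so non-OpenSSL libraries are covered too. The two fatal_exit messages read `faild to set tls-cipher %s` and `faild to set tls-ciphersuites %s`; spelling them `failed to set tls-ciphers %s` and `failed to set tls-ciphersuites %s` makes them match the option names a user will search for. Only listen_sslctx receives the configured lists while connect_sslctx created on the following lines keeps the library default, which may be intended but deserves a sentence in the option documentation. perform_setup continues outside the hunk.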
index 70f8dd59e63ff7527abcbf58b8f2ac4f9c74964b..d078610353798cd05b86e8af95a9321a12c9848c 100644 (file)
@@ -1,3 +1,7 @@
+23 January 2018: Wouter
+       - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
+         options for unbound.conf.
+
 22 January 2018: Wouter
        - Fix space calculation for tcp req buffer size.
        - Doc for stream-wait-size and unit test.
index 2ec53895636e068f692c34060b70167a52e42862..ca4070917c81e29d5380b9cc22ecf896cd918947 100644 (file)
@@ -715,6 +715,11 @@ server:
        # tls-service-pem: "path/to/publiccertfile.pem"
        # tls-port: 853
 
+       # cipher setting for TLSv1.2
+       # tls-chiphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+       # cipher setting for TLSv1.3 
+       # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+
        # request upstream over TLS (with plain DNS inside the TLS stream).
        # Default is no.  Can be turned on and off with unbound-control.
        # tls-upstream: no
index 9545173412747fe65882a9dddecec6b5db7f201d..e49bc8f00209411003c700828c085d22e88fd281 100644 (file)
@@ -487,6 +487,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
        else S_STRLIST("additional-tls-port:", tls_additional_port)
        else S_STRLIST("tls-additional-ports:", tls_additional_port)
        else S_STRLIST("tls-additional-port:", tls_additional_port)
+       else S_STR("tls_ciphers:", tls_ciphers)
+       else S_STR("tls_ciphersuites:", tls_ciphersuites)
        else S_YNO("interface-automatic:", if_automatic)
        else S_YNO("use-systemd:", use_systemd)
        else S_YNO("do-daemonize:", do_daemonize)
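Review bot: The two new S_STR keys are spelled `tls_ciphers:` and `tls_ciphersuites:` with underscores, while every neighbouring key in config_set_option, the lexer rules (`tls-ciphers{COLON}`, `tls-ciphersuites{COLON}`) and the O_STR entries added to config_get_option in the next hunk use hyphens, so a runtime set_option for `tls-ciphers:` (presumably routed through this function) would not match and get_option would report a name set_option refuses. Change them to `else S_STR("tls-ciphers:", tls_ciphers)` and `else S_STR("tls-ciphersuites:", tls_ciphersuites)`. config_set_option starts before and continues after the hunk.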
@@ -924,6 +926,8 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
        else O_YNO(opt, "tls-win-cert", tls_win_cert)
        else O_LST(opt, "tls-additional-port", tls_additional_port)
+       else O_STR(opt, "tls-ciphers", tls_ciphers)
+       else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
        else O_YNO(opt, "use-systemd", use_systemd)
        else O_YNO(opt, "do-daemonize", do_daemonize)
        else O_STR(opt, "chroot", chrootdir)
index 0f50c0e7144c6a348f1da70e6f3e493d6aa84c81..3a8efce8d01d8cb0de0e7cbd9a34a0f22220ab9f 100644 (file)
@@ -120,6 +120,10 @@ struct config_file {
        int tls_win_cert;
        /** additional tls ports */
        struct config_strlist* tls_additional_port;
+       /** TLS chiper **/
+       char* tls_ciphers;
+       /** TLS chipersuites (TLSv1.3) **/
+       char* tls_ciphersuites;
 
        /** outgoing port range number of ports (per thread) */
        int outgoing_num_ports;
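Review bot: The two new `char*` members are added to struct config_file, but no hunk in this commit touches config_create or config_delete in util/config_file.c, so unless the struct is zero-filled on allocation the fields start uninitialised, and the strings the parser rules assign to them are apparently never released when the config is freed; a `free(cfg->tls_ciphers); free(cfg->tls_ciphersuites);` pair in config_delete (and an explicit NULL in config_create next to the other tls fields, if that is the local style) closes the gap. The doc comments `/** TLS chiper **/` and `/** TLS chipersuites (TLSv1.3) **/` misspell cipher and close with `**/` where the surrounding header uses `*/`; suggested text is `/** cipher list for TLSv1.2 (tls-ciphers), or NULL for the library default */` and `/** ciphersuites for TLSv1.3 (tls-ciphersuites), or NULL for the library default */`. struct config_file begins before the hunk and continues past it.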
index 60373e5150f804e158b6bbd6e9a3c03d8487393e..beec313964f63f7bf46f238fb0966070237c4e75 100644 (file)
@@ -245,6 +245,8 @@ additional-ssl-port{COLON}  { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 additional-tls-port{COLON}     { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 tls-additional-ports{COLON}    { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 tls-additional-port{COLON}     { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
+tls-ciphers{COLON}             { YDVAR(1, VAR_TLS_CIPHERS) }
+tls-ciphersuites{COLON}                { YDVAR(1, VAR_TLS_CIPHERSUITES) }
 use-systemd{COLON}             { YDVAR(1, VAR_USE_SYSTEMD) }
 do-daemonize{COLON}            { YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON}               { YDVAR(1, VAR_INTERFACE) }
index c96700577986051658a8d20f83aa02b50adfd8cb..440e9afecf0a94d85a8cefb941990acbbd922bd6 100644 (file)
@@ -165,7 +165,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
 %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
 %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
-%token VAR_STREAM_WAIT_SIZE
+%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -265,7 +265,7 @@ content_server: server_num_threads | server_verbosity | server_port |
        server_fast_server_permil | server_fast_server_num  | server_tls_win_cert |
        server_tcp_connection_limit | server_log_servfail | server_deny_any |
        server_unknown_server_time_limit | server_log_tag_queryreply |
-       server_stream_wait_size
+       server_stream_wait_size | server_tls_ciphers | server_tls_ciphersuites
        ;
 stubstart: VAR_STUB_ZONE
        {
@@ -820,6 +820,20 @@ server_tls_additional_port: VAR_TLS_ADDITIONAL_PORT STRING_ARG
                        yyerror("out of memory");
        }
        ;
+server_tls_ciphers: VAR_TLS_CIPHERS STRING_ARG
+       {
+               OUTYY(("P(server_tls_ciphers:%s)\n", $2));
+               free(cfg_parser->cfg->tls_ciphers);
+               cfg_parser->cfg->tls_ciphers = $2;
+       }
+       ;
+server_tls_ciphersuites: VAR_TLS_CIPHERSUITES STRING_ARG
+       {
+               OUTYY(("P(server_tls_ciphersuites:%s)\n", $2));
+               free(cfg_parser->cfg->tls_ciphersuites);
+               cfg_parser->cfg->tls_ciphersuites = $2;
+       }
+       ;
 server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
        {
                OUTYY(("P(server_use_systemd:%s)\n", $2));