From: Wouter Wijngaards Date: Thu, 29 Jun 2017 11:45:43 +0000 (+0000) Subject: - enhancement for hardened-tls for DNS over TLS. Removed duplicated X-Git-Tag: release-1.6.6rc1~76 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08a3461810709ab83102427d341cd253afd56926;p=thirdparty%2Funbound.git - enhancement for hardened-tls for DNS over TLS. Removed duplicated security settings. git-svn-id: file:///svn/unbound/trunk@4255 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/daemon/remote.c b/daemon/remote.c index fbfe1a1b7..74c668eec 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -229,42 +229,10 @@ daemon_remote_create(struct config_file* cfg) free(rc); return NULL; } - /* no SSLv2, SSLv3 because has defects */ - if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) - != SSL_OP_NO_SSLv2){ - log_crypto_err("could not set SSL_OP_NO_SSLv2"); + if(!listen_sslctx_setup(rc->ctx)) { daemon_remote_delete(rc); return NULL; } - if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) - != SSL_OP_NO_SSLv3){ - log_crypto_err("could not set SSL_OP_NO_SSLv3"); - daemon_remote_delete(rc); - return NULL; - } -#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1) - /* if we have tls 1.1 disable 1.0 */ - if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) - != SSL_OP_NO_TLSv1){ - log_crypto_err("could not set SSL_OP_NO_TLSv1"); - daemon_remote_delete(rc); - return NULL; - } -#endif -#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2) - /* if we have tls 1.2 disable 1.1 */ - if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) - != SSL_OP_NO_TLSv1_1){ - log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); - daemon_remote_delete(rc); - return NULL; - } -#endif -#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) - /* if we have sha256, set the cipher list to have no known vulns */ - if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) - log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); -#endif if (cfg->remote_control_use_cert == 0) { /* No certificates are requested */ @@ -314,23 +282,7 @@ daemon_remote_create(struct config_file* cfg) log_crypto_err("Error in SSL_CTX check_private_key"); goto setup_error; } -#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO - if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) { - log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); - } -#elif defined(USE_ECDSA) - if(1) { - EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1); - if (!ecdh) { - log_crypto_err("could not find p256, not enabling ECDHE"); - } else { - if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) { - log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE"); - } - EC_KEY_free (ecdh); - } - } -#endif + listen_sslctx_setup_2(rc->ctx); if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) { log_crypto_err("Error setting up SSL_CTX verify locations"); setup_error: diff --git a/doc/Changelog b/doc/Changelog index d7f601ec2..4c167852e 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,8 @@ 29 June 2017: Wouter - Fix python example0 return module wait instead of error for pass. - iana portlist update + - enhancement for hardened-tls for DNS over TLS. Removed duplicated + security settings. 27 June 2017: Wouter - Tag 1.6.4 is created with the 1.6.4rc2 contents. diff --git a/util/net_help.c b/util/net_help.c index 6c0d68e31..9d532852b 100644 --- a/util/net_help.c +++ b/util/net_help.c @@ -610,45 +610,56 @@ log_crypto_err(const char* str) #endif /* HAVE_SSL */ } -void* listen_sslctx_create(char* key, char* pem, char* verifypem) +int +listen_sslctx_setup(void* ctxt) { -#ifdef HAVE_SSL - SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); - if(!ctx) { - log_crypto_err("could not SSL_CTX_new"); - return NULL; - } + SSL_CTX* ctx = (SSL_CTX*)ctxt; /* no SSLv2, SSLv3 because has defects */ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) != SSL_OP_NO_SSLv2){ log_crypto_err("could not set SSL_OP_NO_SSLv2"); - SSL_CTX_free(ctx); - return NULL; + return 0; } if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) != SSL_OP_NO_SSLv3){ log_crypto_err("could not set SSL_OP_NO_SSLv3"); - SSL_CTX_free(ctx); - return NULL; - } - if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { - log_err("error for cert file: %s", pem); - log_crypto_err("error in SSL_CTX use_certificate_chain_file"); - SSL_CTX_free(ctx); - return NULL; + return 0; } - if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { - log_err("error for private key file: %s", key); - log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); - SSL_CTX_free(ctx); - return NULL; +#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1) + /* if we have tls 1.1 disable 1.0 */ + if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1) + != SSL_OP_NO_TLSv1){ + log_crypto_err("could not set SSL_OP_NO_TLSv1"); + return 0; } - if(!SSL_CTX_check_private_key(ctx)) { - log_err("error for key file: %s", key); - log_crypto_err("Error in SSL_CTX check_private_key"); - SSL_CTX_free(ctx); - return NULL; +#endif +#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2) + /* if we have tls 1.2 disable 1.1 */ + if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1) + != SSL_OP_NO_TLSv1_1){ + log_crypto_err("could not set SSL_OP_NO_TLSv1_1"); + return 0; } +#endif +#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) + /* if we have sha256, set the cipher list to have no known vulns */ + if(!SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) + log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); +#endif + + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL + SSL_CTX_set_security_level(ctx, 0); +#endif + return 1; +} + +void +listen_sslctx_setup_2(void* ctxt) +{ + SSL_CTX* ctx = (SSL_CTX*)ctxt; + (void)ctx; #if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO if(!SSL_CTX_set_ecdh_auto(ctx,1)) { log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE"); @@ -666,7 +677,39 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem) } } #endif +} +void* listen_sslctx_create(char* key, char* pem, char* verifypem) +{ +#ifdef HAVE_SSL + SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); + if(!ctx) { + log_crypto_err("could not SSL_CTX_new"); + return NULL; + } + if(!listen_sslctx_setup(ctx)) { + SSL_CTX_free(ctx); + return NULL; + } + if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { + log_err("error for cert file: %s", pem); + log_crypto_err("error in SSL_CTX use_certificate_chain_file"); + SSL_CTX_free(ctx); + return NULL; + } + if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { + log_err("error for private key file: %s", key); + log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); + SSL_CTX_free(ctx); + return NULL; + } + if(!SSL_CTX_check_private_key(ctx)) { + log_err("error for key file: %s", key); + log_crypto_err("Error in SSL_CTX check_private_key"); + SSL_CTX_free(ctx); + return NULL; + } + listen_sslctx_setup_2(ctx); if(verifypem && verifypem[0]) { if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { log_crypto_err("Error in SSL_CTX verify locations"); diff --git a/util/net_help.h b/util/net_help.h index 54f4c9c0e..f0236e533 100644 --- a/util/net_help.h +++ b/util/net_help.h @@ -345,6 +345,19 @@ void sock_list_merge(struct sock_list** list, struct regional* region, */ void log_crypto_err(const char* str); +/** + * Set SSL_OP_NOxxx options on SSL context to disable bad crypto + * @param ctxt: SSL_CTX* + * @return false on failure. + */ +int listen_sslctx_setup(void* ctxt); + +/** + * Further setup of listening SSL context, after keys loaded. + * @param ctxt: SSL_CTX* + */ +void listen_sslctx_setup_2(void* ctxt); + /** * create SSL listen context * @param key: private key file.