From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 6 Feb 2020 12:57:02 +0000 (-0500)
Subject: Use OpenSSL context options
X-Git-Tag: 1.8.0-rc.1~75^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F61%2Fhead;p=thirdparty%2Fldns.git

Use OpenSSL context options
---

diff --git a/dane.c b/dane.c
index 30dc1f70..41a8b8ad 100644
--- a/dane.c
+++ b/dane.c
@@ -1,7 +1,7 @@
 /*
  * Verify or create TLS authentication with DANE (RFC6698)
  *
- * (c) NLnetLabs 2012
+ * (c) NLnetLabs 2012-2020
  *
  * See the file LICENSE for the license.
  *
@@ -29,6 +29,63 @@
 #include <openssl/x509v3.h>
 #endif
 
+/* OpenSSL context options. At the moment, disable SSLv2, SSLv3
+ * and Compression, if available. TLSv1.0 is allowed at the moment.
+ * TLSv1.1 is the first to provide elliptic curves, so it is usually
+ * allowed in a TLS stack. TLSv1.2 is the first to provide authenc
+ * modes of operation, like GCM. The defines below are a moving
+ * target based on OpenSSL library version. Grep is useful to find
+ * the defines: grep -IR SSL_OP_NO_ /usr/include/openssl.
+ */
+#ifdef HAVE_SSL
+# ifdef SSL_OP_NO_SSLv2
+	const long NoOpenSSLv2 = SSL_OP_NO_SSLv2;
+# else
+	const long NoOpenSSLv2 = 0L;
+# endif
+# ifdef SSL_OP_NO_SSLv3
+	const long NoOpenSSLv3 = SSL_OP_NO_SSLv3;
+# else
+	const long NoOpenSSLv3 = 0L;
+# endif
+# ifdef SSL_OP_NO_TLSv1
+	const long NoOpenTLSv1 = SSL_OP_NO_TLSv1;
+# else
+	const long NoOpenTLSv1 = 0L;
+# endif
+# ifdef SSL_OP_NO_DTLSv1
+	const long NoOpenDTLSv1 = SSL_OP_NO_DTLSv1;
+# else
+	const long NoOpenDTLSv1 = 0L;
+# endif
+# ifdef SSL_OP_NO_COMPRESSION
+	const long NoOpenSSLCompression = SSL_OP_NO_COMPRESSION;
+# else
+	const long NoOpenSSLCompression = 0L;
+# endif
+#endif
+
+#ifdef USE_DANE_VERIFY
+static SSL_CTX*
+ldns_dane_new_ssl_context(void)
+{
+	SSL_CTX* ssl_ctx;
+
+	ssl_ctx = SSL_CTX_new(TLS_client_method());
+	if (ssl_ctx != NULL)
+	{
+		/* ldns allows TLS and DTLS v1.0 at the moment. Some may disagree.
+		 * Sometime in the future they may be disabled, too. Maybe
+		 * --disable-tlsv1 and --disable-dtlsv1 should be configure options.
+		 */
+		long flags = NoOpenSSLv2 | NoOpenSSLv3 | NoOpenSSLCompression;
+		SSL_CTX_set_options(ssl_ctx, flags);
+	}
+
+	return ssl_ctx;
+}
+#endif
+
 ldns_status
 ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name,
 		uint16_t port, ldns_dane_transport transport)
@@ -641,7 +698,7 @@ ldns_dane_verify_rr(const ldns_rr* tlsa_rr,
 	 * verification.  We use these undocumented means with the ldns
 	 * dane function prototypes which did only offline dane verification.
 	 */
-	if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
+	if (!(ssl_ctx = ldns_dane_new_ssl_context()))
 		s = LDNS_STATUS_MEM_ERR;
 
 	else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)
@@ -841,7 +898,7 @@ ldns_dane_verify(const ldns_rr_list* tlsas,
 	 * verification.  We use these undocumented means with the ldns
 	 * dane function prototypes which did only offline dane verification.
 	 */
-	if (!(ssl_ctx = SSL_CTX_new(TLS_client_method())))
+	if (!(ssl_ctx = ldns_dane_new_ssl_context()))
 		s = LDNS_STATUS_MEM_ERR;
 
 	else if (SSL_CTX_dane_enable(ssl_ctx) <= 0)