From 7fe3bd6a1fb5f346b99ab33ea88bc2841628429f Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 20 Dec 2017 13:13:02 +0100
Subject: [PATCH] getdns_context_set_ciphers_list()

---
 ChangeLog                    |  2 ++
 src/const-info.c             |  2 ++
 src/context.c                | 49 +++++++++++++++++++++++++++++++-----
 src/context.h                |  1 +
 src/getdns/getdns_extra.h.in | 25 ++++++++++++++++++
 src/libgetdns.symbols        |  2 ++
 6 files changed, 75 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 05c1d9c3..503db698 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 * 2017-12-??: Version 1.3.0
+  * Specify available cipher suites for authenticated TLS upstreams
+    with getdns_context_set_ciphers_list()
   * PR #366: Add support for TLS 1.3 and Chacha20-Poly1305
     Thanks Pascal Ernster
   * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the
diff --git a/src/const-info.c b/src/const-info.c
index 41d1c091..1cd30020 100644
--- a/src/const-info.c
+++ b/src/const-info.c
@@ -91,6 +91,7 @@ static struct const_info consts_info[] = {
 	{     630, "GETDNS_CONTEXT_CODE_HOSTS", GETDNS_CONTEXT_CODE_HOSTS_TEXT },
 	{     631, "GETDNS_CONTEXT_CODE_CAPATH", GETDNS_CONTEXT_CODE_CAPATH_TEXT },
 	{     632, "GETDNS_CONTEXT_CODE_CAFILE", GETDNS_CONTEXT_CODE_CAFILE_TEXT },
+	{     633, "GETDNS_CONTEXT_CODE_CIPHER_LIST", GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
 	{     702, "GETDNS_CALLBACK_TIMEOUT", GETDNS_CALLBACK_TIMEOUT_TEXT },
@@ -163,6 +164,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_APPEND_NAME", 607 },
 	{ "GETDNS_CONTEXT_CODE_CAFILE", 632 },
 	{ "GETDNS_CONTEXT_CODE_CAPATH", 631 },
+	{ "GETDNS_CONTEXT_CODE_CIPHER_LIST", 633 },
 	{ "GETDNS_CONTEXT_CODE_DNSSEC_ALLOWED_SKEW", 614 },
 	{ "GETDNS_CONTEXT_CODE_DNSSEC_TRUST_ANCHORS", 609 },
 	{ "GETDNS_CONTEXT_CODE_DNS_ROOT_SERVERS", 604 },
diff --git a/src/context.c b/src/context.c
index 7f7d393a..90a35beb 100644
--- a/src/context.c
+++ b/src/context.c
@@ -1377,11 +1377,11 @@ static void _getdns_check_expired_pending_netreqs_cb(void *arg)
 	_getdns_check_expired_pending_netreqs((getdns_context *)arg, &now_ms);
 }
 
-static const char *_getdns_default_trust_anchors_url =
+static char const * const _getdns_default_trust_anchors_url =
     "http://data.iana.org/root-anchors/root-anchors.xml";
 
 /* The ICANN CA fetched at 24 Sep 2010.  Valid to 2028 */
-static const char *_getdns_default_trust_anchors_verify_CA =
+static char const * const _getdns_default_trust_anchors_verify_CA =
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
 "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
@@ -1404,9 +1404,12 @@ static const char *_getdns_default_trust_anchors_verify_CA =
 "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
 "-----END CERTIFICATE-----\n";
 
-static const char *_getdns_default_trust_anchors_verify_email =
+static char const * const _getdns_default_trust_anchors_verify_email =
     "dnssec@iana.org";
 
+static char const * const _getdns_default_cipher_list = 
+	"TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
+	"TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
 
 /*
  * getdns_context_create
@@ -1515,6 +1518,7 @@ getdns_context_create_with_extended_memory_functions(
 	result->appdata_dir = NULL;
 	result->CApath = NULL;
 	result->CAfile = NULL;
+	result->cipher_list = NULL;
 
 	(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
 
@@ -1783,7 +1787,8 @@ getdns_context_destroy(struct getdns_context *context)
 		GETDNS_FREE(context->mf, context->CApath);
 	if (context->CAfile)
 		GETDNS_FREE(context->mf, context->CAfile);
-
+	if (context->cipher_list)
+		GETDNS_FREE(context->mf, context->cipher_list);
 
 #ifdef USE_WINSOCK
 	WSACleanup();
@@ -3574,8 +3579,9 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 #  endif
 			/* Be strict and only use the cipher suites recommended in RFC7525
 			   Unless we later fallback to opportunistic. */
-			const char* const PREFERRED_CIPHERS = "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20";
-			if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS))
+			if (!SSL_CTX_set_cipher_list(context->tls_ctx,
+			    context->cipher_list ? context->cipher_list
+			                         : _getdns_default_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
 			/* For strict authentication, we must have local root certs available
 		       Set up is done only when the tls_ctx is created (per getdns_context)*/
@@ -3891,6 +3897,8 @@ _get_context_settings(getdns_context* context)
 		(void) getdns_dict_util_set_string(result, "CApath", str_value);
 	if (!getdns_context_get_CAfile(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "CAfile", str_value);
+	if (!getdns_context_get_cipher_list(context, &str_value) && str_value)
+		(void) getdns_dict_util_set_string(result, "cipher_list", str_value);
 
 	/* Default settings for extensions */
 	(void)getdns_dict_set_int(
@@ -4683,6 +4691,7 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(hosts)
 	CONTEXT_SETTING_STRING(CApath)
 	CONTEXT_SETTING_STRING(CAfile)
+	CONTEXT_SETTING_STRING(cipher_list)
 
 	/**************************************/
 	/****                              ****/
@@ -5233,4 +5242,32 @@ getdns_context_get_CAfile(getdns_context *context, const char **CAfile)
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_set_cipher_list(getdns_context *context, const char *cipher_list)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	if (context->cipher_list)
+		GETDNS_FREE(context->mf, context->cipher_list);
+	context->cipher_list = cipher_list
+	                     ? _getdns_strdup(&context->mf, cipher_list)
+	                     : NULL;
+
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_CIPHER_LIST);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list)
+{
+	if (!context || !cipher_list)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+
+	*cipher_list = context->cipher_list
+	             ? context->cipher_list
+	             : _getdns_default_cipher_list;
+	return GETDNS_RETURN_GOOD;
+}
+
+
 /* context.c */
diff --git a/src/context.h b/src/context.h
index 12c29356..fe1ba18c 100644
--- a/src/context.h
+++ b/src/context.h
@@ -345,6 +345,7 @@ struct getdns_context {
 
 	char                 *CApath;
 	char                 *CAfile;
+	char                 *cipher_list;
 
 	getdns_upstreams     *upstreams;
 	uint16_t             limit_outstanding_queries;
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 1c88813b..9f949f72 100644
--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@@ -98,6 +98,8 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_CAPATH_TEXT "Change related to getdns_context_set_CApath"
 #define GETDNS_CONTEXT_CODE_CAFILE 632
 #define GETDNS_CONTEXT_CODE_CAFILE_TEXT "Change related to getdns_context_set_CAfile"
+#define GETDNS_CONTEXT_CODE_CIPHER_LIST 633
+#define GETDNS_CONTEXT_CODE_CIPHER_LIST_TEXT "Change related to getdns_context_set_cipher_list"
 
 /** @}
   */
@@ -739,6 +741,17 @@ getdns_context_set_CApath(getdns_context *context, const char *CApath);
 getdns_return_t
 getdns_context_set_CAfile(getdns_context *context, const char *CAfile);
 
+/**
+ * Sets the list of available ciphers for authenticated TLS upstreams.
+ * @see getdns_context_get_cipher_list
+ * @param[in] context      The context to configure
+ * @param[in] cipher_list  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_set_cipher_list(getdns_context *context, const char *CAfile);
+
 /**
  * Get the current resolution type setting from this context.
  * @see getdns_context_set_resolution_type
@@ -1246,6 +1259,18 @@ getdns_context_get_CApath(getdns_context *context, const char **CApath);
 getdns_return_t
 getdns_context_get_CAfile(getdns_context *context, const char **CAfile);
 
+/**
+ * Get the list of available ciphers for authenticated TLS upstreams.
+ * @see getdns_context_set_cipher_list
+ * @param[in]  context      The context configure
+ * @param[out] cipher_list  The cipher list
+ * @return GETDNS_RETURN_GOOD when successful
+ * @return GETDNS_RETURN_INVALID_PARAMETER when context was NULL.
+ */
+getdns_return_t
+getdns_context_get_cipher_list(getdns_context *context, const char **cipher_list);
+
+
 /** @}
  */
 
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index 1dadfa45..35d2761f 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
@@ -11,6 +11,7 @@ getdns_context_get_CAfile
 getdns_context_get_CApath
 getdns_context_get_api_information
 getdns_context_get_append_name
+getdns_context_get_cipher_list
 getdns_context_get_dns_root_servers
 getdns_context_get_dns_transport
 getdns_context_get_dns_transport_list
@@ -48,6 +49,7 @@ getdns_context_set_CAfile
 getdns_context_set_CApath
 getdns_context_set_appdata_dir
 getdns_context_set_append_name
+getdns_context_set_cipher_list
 getdns_context_set_context_update_callback
 getdns_context_set_dns_root_servers
 getdns_context_set_dns_transport