Fix nsd and unbound's error checking with SSL_CTX_set_options().

LibreSSL, BoringSSL and OpenSSL have all been redefining SSL_OP_* flags to
be 0 when support is removed.  This breaks the error checking that nsd and
unbound were doing.  It should check against the flag value itself to allow
for 0.

input deraadt@, jsing@
tweak + ok miod@, guenther@

diff --git a/usr.sbin/nsd/nsd-control.c b/usr.sbin/nsd/nsd-control.c
index 3b6e652..3b7a2c6 100644 (file)
--- a/usr.sbin/nsd/nsd-control.c
+++ b/usr.sbin/nsd/nsd-control.c
@@ -125,9 +125,11 @@ setup_ctx(nsd_options_t* cfg)
         ctx = SSL_CTX_new(SSLv23_client_method());
        if(!ctx)
                ssl_err("could not allocate SSL_CTX pointer");
-        if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
+        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+               != SSL_OP_NO_SSLv2)
                ssl_err("could not set SSL_OP_NO_SSLv2");
-        if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+               != SSL_OP_NO_SSLv3)
                ssl_err("could not set SSL_OP_NO_SSLv3");
        if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
                !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)

diff --git a/usr.sbin/nsd/remote.c b/usr.sbin/nsd/remote.c
index fa1528f..e3322c6 100644 (file)
--- a/usr.sbin/nsd/remote.c
+++ b/usr.sbin/nsd/remote.c
@@ -263,12 +263,14 @@ daemon_remote_create(nsd_options_t* cfg)
                return NULL;
        }
        /* no SSLv2, SSLv3 because has defects */
-       if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+       if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+               != SSL_OP_NO_SSLv2){
                log_crypto_err("could not set SSL_OP_NO_SSLv2");
                daemon_remote_delete(rc);
                return NULL;
        }
-       if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+       if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+               != SSL_OP_NO_SSLv3){
                log_crypto_err("could not set SSL_OP_NO_SSLv3");
                daemon_remote_delete(rc);
                return NULL;

diff --git a/usr.sbin/unbound/daemon/remote.c b/usr.sbin/unbound/daemon/remote.c
index 93d0eda..198909d 100644 (file)
--- a/usr.sbin/unbound/daemon/remote.c
+++ b/usr.sbin/unbound/daemon/remote.c
@@ -208,12 +208,14 @@ daemon_remote_create(struct config_file* cfg)
                return NULL;
        }
        /* no SSLv2, SSLv3 because has defects */
-       if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+       if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+               != SSL_OP_NO_SSLv2){
                log_crypto_err("could not set SSL_OP_NO_SSLv2");
                daemon_remote_delete(rc);
                return NULL;
        }
-       if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+       if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+               != SSL_OP_NO_SSLv3){
                log_crypto_err("could not set SSL_OP_NO_SSLv3");
                daemon_remote_delete(rc);
                return NULL;

diff --git a/usr.sbin/unbound/smallapp/unbound-control.c b/usr.sbin/unbound/smallapp/unbound-control.c
index d4b147d..b4af4d7 100644 (file)
--- a/usr.sbin/unbound/smallapp/unbound-control.c
+++ b/usr.sbin/unbound/smallapp/unbound-control.c
@@ -156,10 +156,12 @@ setup_ctx(struct config_file* cfg)
         ctx = SSL_CTX_new(SSLv23_client_method());
        if(!ctx)
                ssl_err("could not allocate SSL_CTX pointer");
-        if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
+        if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+               != SSL_OP_NO_SSLv2)
                ssl_err("could not set SSL_OP_NO_SSLv2");
         if(cfg->remote_control_use_cert) {
-               if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+               if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+                       != SSL_OP_NO_SSLv3)
                        ssl_err("could not set SSL_OP_NO_SSLv3");
                if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
                    !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)

diff --git a/usr.sbin/unbound/util/net_help.c b/usr.sbin/unbound/util/net_help.c
index 8b39af6..b3d1040 100644 (file)
--- a/usr.sbin/unbound/util/net_help.c
+++ b/usr.sbin/unbound/util/net_help.c
@@ -619,12 +619,14 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
                return NULL;
        }
        /* no SSLv2, SSLv3 because has defects */
-       if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+               != SSL_OP_NO_SSLv2){
                log_crypto_err("could not set SSL_OP_NO_SSLv2");
                SSL_CTX_free(ctx);
                return NULL;
        }
-       if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+               != SSL_OP_NO_SSLv3){
                log_crypto_err("could not set SSL_OP_NO_SSLv3");
                SSL_CTX_free(ctx);
                return NULL;
@@ -673,12 +675,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
                log_crypto_err("could not allocate SSL_CTX pointer");
                return NULL;
        }
-       if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) {
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
+               != SSL_OP_NO_SSLv2) {
                log_crypto_err("could not set SSL_OP_NO_SSLv2");
                SSL_CTX_free(ctx);
                return NULL;
        }
-       if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+               != SSL_OP_NO_SSLv3) {
                log_crypto_err("could not set SSL_OP_NO_SSLv3");
                SSL_CTX_free(ctx);
                return NULL;