vsftpd/SOURCES/0022-Introduce-support-for-...

From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 10:49:22 +0100
Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites.

---
 parseconf.c   |  1 +
 ssl.c         | 37 ++++++++++++++++++++++++++++++++++++-
 tunables.c    |  4 +++-
 tunables.h    |  1 +
 vsftpd.conf.5 |  8 ++++++++
 5 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/parseconf.c b/parseconf.c
index 38e3182..a2c715b 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -177,6 +177,7 @@ parseconf_str_array[] =
   { "rsa_cert_file", &tunable_rsa_cert_file },
   { "dsa_cert_file", &tunable_dsa_cert_file },
   { "dh_param_file", &tunable_dh_param_file },
+  { "ecdh_param_file", &tunable_ecdh_param_file },
   { "ssl_ciphers", &tunable_ssl_ciphers },
   { "rsa_private_key_file", &tunable_rsa_private_key_file },
   { "dsa_private_key_file", &tunable_dsa_private_key_file },
diff --git a/ssl.c b/ssl.c
index 22b69b3..96bf8ad 100644
--- a/ssl.c
+++ b/ssl.c
@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
     {
       die("SSL: could not allocate SSL context");
     }
-    options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
+    options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
     if (!tunable_sslv2)
     {
       options |= SSL_OP_NO_SSLv2;
@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
     
     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 
+    if (tunable_ecdh_param_file)
+    {
+      BIO *bio;
+      int nid;
+      EC_GROUP *ecparams = NULL;
+      EC_KEY *eckey;
+
+      if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
+        die("SSL: cannot load custom ec params");
+      else
+      {
+        ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
+        BIO_free(bio);
+
+        if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) &&
+            (eckey = EC_KEY_new_by_curve_name(nid)))
+        {
+          if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
+            die("SSL: setting custom EC params failed");
+	}
+	else
+        {
+          die("SSL: getting ec group or key failed");
+	}
+      }
+    }
+    else
+    {
+#if defined(SSL_CTX_set_ecdh_auto)
+      SSL_CTX_set_ecdh_auto(p_ctx, 1);
+#else
+      SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#endif
+    }
+
     p_sess->p_ssl_ctx = p_ctx;
     ssl_inited = 1;
   }
diff --git a/tunables.c b/tunables.c
index 1ea7227..93f85b1 100644
--- a/tunables.c
+++ b/tunables.c
@@ -141,6 +141,7 @@ const char* tunable_email_password_file;
 const char* tunable_rsa_cert_file;
 const char* tunable_dsa_cert_file;
 const char* tunable_dh_param_file;
+const char* tunable_ecdh_param_file;
 const char* tunable_ssl_ciphers;
 const char* tunable_rsa_private_key_file;
 const char* tunable_dsa_private_key_file;
@@ -290,7 +291,8 @@ tunables_load_defaults()
                       &tunable_rsa_cert_file);
   install_str_setting(0, &tunable_dsa_cert_file);
   install_str_setting(0, &tunable_dh_param_file);
-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",
+  install_str_setting(0, &tunable_ecdh_param_file);
+  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
                       &tunable_ssl_ciphers);
   install_str_setting(0, &tunable_rsa_private_key_file);
   install_str_setting(0, &tunable_dsa_private_key_file);
diff --git a/tunables.h b/tunables.h
index 3995472..3e2d40c 100644
--- a/tunables.h
+++ b/tunables.h
@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file;
 extern const char* tunable_rsa_cert_file;
 extern const char* tunable_dsa_cert_file;
 extern const char* tunable_dh_param_file;
+extern const char* tunable_ecdh_param_file;
 extern const char* tunable_ssl_ciphers;
 extern const char* tunable_rsa_private_key_file;
 extern const char* tunable_dsa_private_key_file;
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index ff94eca..e242873 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL.
 
 Default: (none - use built in parameters appropriate for certificate key size)
 .TP
+.B ecdh_param_file
+This option specifies the location of custom parameters for ephemeral
+Elliptic Curve Diffie-Hellman (ECDH) key exchange.
+
+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and
+automatically selected curve based on client preferences with OpenSSL 1.0.2
+and later)
+.TP
 .B email_password_file
 This option can be used to provide an alternate file for usage by the
 .BR secure_email_list_enable
-- 
2.14.4
import vsftpd-3.0.3-28.el8 2019-05-07 10:38:32 +00:00			`From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001`
			`From: Martin Sehnoutka <msehnout@redhat.com>`
			`Date: Thu, 17 Nov 2016 10:49:22 +0100`
			`Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites.`

			`---`
			`parseconf.c \| 1 +`
			`ssl.c \| 37 ++++++++++++++++++++++++++++++++++++-`
			`tunables.c \| 4 +++-`
			`tunables.h \| 1 +`
			`vsftpd.conf.5 \| 8 ++++++++`
			`5 files changed, 49 insertions(+), 2 deletions(-)`

			`diff --git a/parseconf.c b/parseconf.c`
			`index 38e3182..a2c715b 100644`
			`--- a/parseconf.c`
			`+++ b/parseconf.c`
			`@@ -177,6 +177,7 @@ parseconf_str_array[] =`
			`{ "rsa_cert_file", &tunable_rsa_cert_file },`
			`{ "dsa_cert_file", &tunable_dsa_cert_file },`
			`{ "dh_param_file", &tunable_dh_param_file },`
			`+ { "ecdh_param_file", &tunable_ecdh_param_file },`
			`{ "ssl_ciphers", &tunable_ssl_ciphers },`
			`{ "rsa_private_key_file", &tunable_rsa_private_key_file },`
			`{ "dsa_private_key_file", &tunable_dsa_private_key_file },`
			`diff --git a/ssl.c b/ssl.c`
			`index 22b69b3..96bf8ad 100644`
			`--- a/ssl.c`
			`+++ b/ssl.c`
			`@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)`
			`{`
			`die("SSL: could not allocate SSL context");`
			`}`
			`- options = SSL_OP_ALL \| SSL_OP_SINGLE_DH_USE;`
			`+ options = SSL_OP_ALL \| SSL_OP_SINGLE_DH_USE \| SSL_OP_SINGLE_ECDH_USE;`
			`if (!tunable_sslv2)`
			`{`
			`options \|= SSL_OP_NO_SSLv2;`
			`@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)`

			`SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);`

			`+ if (tunable_ecdh_param_file)`
			`+ {`
			`+ BIO *bio;`
			`+ int nid;`
			`+ EC_GROUP *ecparams = NULL;`
			`+ EC_KEY *eckey;`
			`+`
			`+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)`
			`+ die("SSL: cannot load custom ec params");`
			`+ else`
			`+ {`
			`+ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);`
			`+ BIO_free(bio);`
			`+`
			`+ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) &&`
			`+ (eckey = EC_KEY_new_by_curve_name(nid)))`
			`+ {`
			`+ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))`
			`+ die("SSL: setting custom EC params failed");`
			`+ }`
			`+ else`
			`+ {`
			`+ die("SSL: getting ec group or key failed");`
			`+ }`
			`+ }`
			`+ }`
			`+ else`
			`+ {`
			`+#if defined(SSL_CTX_set_ecdh_auto)`
			`+ SSL_CTX_set_ecdh_auto(p_ctx, 1);`
			`+#else`
			`+ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));`
			`+#endif`
			`+ }`
			`+`
			`p_sess->p_ssl_ctx = p_ctx;`
			`ssl_inited = 1;`
			`}`
			`diff --git a/tunables.c b/tunables.c`
			`index 1ea7227..93f85b1 100644`
			`--- a/tunables.c`
			`+++ b/tunables.c`
			`@@ -141,6 +141,7 @@ const char* tunable_email_password_file;`
			`const char* tunable_rsa_cert_file;`
			`const char* tunable_dsa_cert_file;`
			`const char* tunable_dh_param_file;`
			`+const char* tunable_ecdh_param_file;`
			`const char* tunable_ssl_ciphers;`
			`const char* tunable_rsa_private_key_file;`
			`const char* tunable_dsa_private_key_file;`
			`@@ -290,7 +291,8 @@ tunables_load_defaults()`
			`&tunable_rsa_cert_file);`
			`install_str_setting(0, &tunable_dsa_cert_file);`
			`install_str_setting(0, &tunable_dh_param_file);`
			`- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",`
			`+ install_str_setting(0, &tunable_ecdh_param_file);`
			`+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",`
			`&tunable_ssl_ciphers);`
			`install_str_setting(0, &tunable_rsa_private_key_file);`
			`install_str_setting(0, &tunable_dsa_private_key_file);`
			`diff --git a/tunables.h b/tunables.h`
			`index 3995472..3e2d40c 100644`
			`--- a/tunables.h`
			`+++ b/tunables.h`
			`@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file;`
			`extern const char* tunable_rsa_cert_file;`
			`extern const char* tunable_dsa_cert_file;`
			`extern const char* tunable_dh_param_file;`
			`+extern const char* tunable_ecdh_param_file;`
			`extern const char* tunable_ssl_ciphers;`
			`extern const char* tunable_rsa_private_key_file;`
			`extern const char* tunable_dsa_private_key_file;`
			`diff --git a/vsftpd.conf.5 b/vsftpd.conf.5`
			`index ff94eca..e242873 100644`
			`--- a/vsftpd.conf.5`
			`+++ b/vsftpd.conf.5`
			`@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL.`

			`Default: (none - use built in parameters appropriate for certificate key size)`
			`.TP`
			`+.B ecdh_param_file`
			`+This option specifies the location of custom parameters for ephemeral`
			`+Elliptic Curve Diffie-Hellman (ECDH) key exchange.`
			`+`
			`+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and`
			`+automatically selected curve based on client preferences with OpenSSL 1.0.2`
			`+and later)`
			`+.TP`
			`.B email_password_file`
			`This option can be used to provide an alternate file for usage by the`
			`.BR secure_email_list_enable`
			`--`
			`2.14.4`