Blame SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch

90e381
From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001
90e381
From: Martin Sehnoutka <msehnout@redhat.com>
90e381
Date: Thu, 17 Nov 2016 10:49:22 +0100
90e381
Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites.
90e381
90e381
---
90e381
 parseconf.c   |  1 +
90e381
 ssl.c         | 37 ++++++++++++++++++++++++++++++++++++-
90e381
 tunables.c    |  4 +++-
90e381
 tunables.h    |  1 +
90e381
 vsftpd.conf.5 |  8 ++++++++
90e381
 5 files changed, 49 insertions(+), 2 deletions(-)
90e381
90e381
diff --git a/parseconf.c b/parseconf.c
90e381
index 38e3182..a2c715b 100644
90e381
--- a/parseconf.c
90e381
+++ b/parseconf.c
90e381
@@ -177,6 +177,7 @@ parseconf_str_array[] =
90e381
   { "rsa_cert_file", &tunable_rsa_cert_file },
90e381
   { "dsa_cert_file", &tunable_dsa_cert_file },
90e381
   { "dh_param_file", &tunable_dh_param_file },
90e381
+  { "ecdh_param_file", &tunable_ecdh_param_file },
90e381
   { "ssl_ciphers", &tunable_ssl_ciphers },
90e381
   { "rsa_private_key_file", &tunable_rsa_private_key_file },
90e381
   { "dsa_private_key_file", &tunable_dsa_private_key_file },
90e381
diff --git a/ssl.c b/ssl.c
90e381
index 22b69b3..96bf8ad 100644
90e381
--- a/ssl.c
90e381
+++ b/ssl.c
90e381
@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
90e381
     {
90e381
       die("SSL: could not allocate SSL context");
90e381
     }
90e381
-    options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
90e381
+    options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
90e381
     if (!tunable_sslv2)
90e381
     {
90e381
       options |= SSL_OP_NO_SSLv2;
9b0ebb
@@ -244,6 +244,33 @@
9b0ebb
 
9b0ebb
     SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
90e381
 
90e381
+    if (tunable_ecdh_param_file)
90e381
+    {
90e381
+      BIO *bio;
9b0ebb
+      EVP_PKEY *ec_params = NULL;
90e381
+
90e381
+      if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
90e381
+        die("SSL: cannot load custom ec params");
90e381
+      else
90e381
+      {
9b0ebb
+        ec_params = PEM_read_bio_Parameters(bio, NULL);
90e381
+        BIO_free(bio);
90e381
+
9b0ebb
+        if (ec_params != NULL)
90e381
+        {
9b0ebb
+          if (!SSL_CTX_set1_groups_list(p_ctx, ec_params))
90e381
+            die("SSL: setting custom EC params failed");
9b0ebb
+	       }
9b0ebb
+	        else
90e381
+        {
90e381
+          die("SSL: getting ec group or key failed");
9b0ebb
+	       }
90e381
+      }
90e381
+    }
90e381
+    else
90e381
+    {
9b0ebb
+      SSL_CTX_set1_groups_list(p_ctx, "P-256");
90e381
+    }
9b0ebb
     /* Set up ALPN to check for FTP protocol intention of client. */
9b0ebb
     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
9b0ebb
     /* Set up SNI callback for an optional hostname check. */
90e381
diff --git a/tunables.c b/tunables.c
90e381
index 1ea7227..93f85b1 100644
90e381
--- a/tunables.c
90e381
+++ b/tunables.c
90e381
@@ -141,6 +141,7 @@ const char* tunable_email_password_file;
90e381
 const char* tunable_rsa_cert_file;
90e381
 const char* tunable_dsa_cert_file;
90e381
 const char* tunable_dh_param_file;
90e381
+const char* tunable_ecdh_param_file;
90e381
 const char* tunable_ssl_ciphers;
90e381
 const char* tunable_rsa_private_key_file;
90e381
 const char* tunable_dsa_private_key_file;
90e381
@@ -290,7 +291,8 @@ tunables_load_defaults()
90e381
                       &tunable_rsa_cert_file);
90e381
   install_str_setting(0, &tunable_dsa_cert_file);
90e381
   install_str_setting(0, &tunable_dh_param_file);
90e381
-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",
90e381
+  install_str_setting(0, &tunable_ecdh_param_file);
90e381
+  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
90e381
                       &tunable_ssl_ciphers);
90e381
   install_str_setting(0, &tunable_rsa_private_key_file);
90e381
   install_str_setting(0, &tunable_dsa_private_key_file);
90e381
diff --git a/tunables.h b/tunables.h
90e381
index 3995472..3e2d40c 100644
90e381
--- a/tunables.h
90e381
+++ b/tunables.h
90e381
@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file;
90e381
 extern const char* tunable_rsa_cert_file;
90e381
 extern const char* tunable_dsa_cert_file;
90e381
 extern const char* tunable_dh_param_file;
90e381
+extern const char* tunable_ecdh_param_file;
90e381
 extern const char* tunable_ssl_ciphers;
90e381
 extern const char* tunable_rsa_private_key_file;
90e381
 extern const char* tunable_dsa_private_key_file;
90e381
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
90e381
index ff94eca..e242873 100644
90e381
--- a/vsftpd.conf.5
90e381
+++ b/vsftpd.conf.5
90e381
@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL.
90e381
 
90e381
 Default: (none - use built in parameters appropriate for certificate key size)
90e381
 .TP
90e381
+.B ecdh_param_file
90e381
+This option specifies the location of custom parameters for ephemeral
90e381
+Elliptic Curve Diffie-Hellman (ECDH) key exchange.
90e381
+
90e381
+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and
90e381
+automatically selected curve based on client preferences with OpenSSL 1.0.2
90e381
+and later)
90e381
+.TP
90e381
 .B email_password_file
90e381
 This option can be used to provide an alternate file for usage by the
90e381
 .BR secure_email_list_enable
90e381
-- 
90e381
2.14.4
90e381