|
 |
f22e83 |
From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001
|
|
|
f22e83 |
From: Martin Sehnoutka <msehnout@redhat.com>
|
|
|
f22e83 |
Date: Thu, 17 Nov 2016 10:49:22 +0100
|
|
|
f22e83 |
Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites.
|
|
|
f22e83 |
|
|
|
f22e83 |
---
|
|
|
f22e83 |
parseconf.c | 1 +
|
|
|
f22e83 |
ssl.c | 37 ++++++++++++++++++++++++++++++++++++-
|
|
|
f22e83 |
tunables.c | 4 +++-
|
|
|
f22e83 |
tunables.h | 1 +
|
|
|
f22e83 |
vsftpd.conf.5 | 8 ++++++++
|
|
|
f22e83 |
5 files changed, 49 insertions(+), 2 deletions(-)
|
|
|
f22e83 |
|
|
|
f22e83 |
diff --git a/parseconf.c b/parseconf.c
|
|
|
f22e83 |
index 38e3182..a2c715b 100644
|
|
|
f22e83 |
--- a/parseconf.c
|
|
|
f22e83 |
+++ b/parseconf.c
|
|
|
f22e83 |
@@ -177,6 +177,7 @@ parseconf_str_array[] =
|
|
|
f22e83 |
{ "rsa_cert_file", &tunable_rsa_cert_file },
|
|
|
f22e83 |
{ "dsa_cert_file", &tunable_dsa_cert_file },
|
|
|
f22e83 |
{ "dh_param_file", &tunable_dh_param_file },
|
|
|
f22e83 |
+ { "ecdh_param_file", &tunable_ecdh_param_file },
|
|
|
f22e83 |
{ "ssl_ciphers", &tunable_ssl_ciphers },
|
|
|
f22e83 |
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
|
|
|
f22e83 |
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
|
|
|
f22e83 |
diff --git a/ssl.c b/ssl.c
|
|
|
f22e83 |
index 22b69b3..96bf8ad 100644
|
|
|
f22e83 |
--- a/ssl.c
|
|
|
f22e83 |
+++ b/ssl.c
|
|
|
f22e83 |
@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
|
|
|
f22e83 |
{
|
|
|
f22e83 |
die("SSL: could not allocate SSL context");
|
|
|
f22e83 |
}
|
|
|
f22e83 |
- options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
|
|
|
f22e83 |
+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
|
|
|
f22e83 |
if (!tunable_sslv2)
|
|
|
f22e83 |
{
|
|
|
f22e83 |
options |= SSL_OP_NO_SSLv2;
|
|
|
d41830 |
@@ -244,6 +244,33 @@
|
|
|
d41830 |
|
|
|
d41830 |
SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
|
|
|
f22e83 |
|
|
|
f22e83 |
+ if (tunable_ecdh_param_file)
|
|
|
f22e83 |
+ {
|
|
|
f22e83 |
+ BIO *bio;
|
|
|
d41830 |
+ EVP_PKEY *ec_params = NULL;
|
|
|
f22e83 |
+
|
|
|
f22e83 |
+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
|
|
|
f22e83 |
+ die("SSL: cannot load custom ec params");
|
|
|
f22e83 |
+ else
|
|
|
f22e83 |
+ {
|
|
|
d41830 |
+ ec_params = PEM_read_bio_Parameters(bio, NULL);
|
|
|
f22e83 |
+ BIO_free(bio);
|
|
|
f22e83 |
+
|
|
|
d41830 |
+ if (ec_params != NULL)
|
|
|
f22e83 |
+ {
|
|
|
d41830 |
+ if (!SSL_CTX_set1_groups_list(p_ctx, ec_params))
|
|
|
f22e83 |
+ die("SSL: setting custom EC params failed");
|
|
|
d41830 |
+ }
|
|
|
d41830 |
+ else
|
|
|
f22e83 |
+ {
|
|
|
f22e83 |
+ die("SSL: getting ec group or key failed");
|
|
|
d41830 |
+ }
|
|
|
f22e83 |
+ }
|
|
|
f22e83 |
+ }
|
|
|
f22e83 |
+ else
|
|
|
f22e83 |
+ {
|
|
|
d41830 |
+ SSL_CTX_set1_groups_list(p_ctx, "P-256");
|
|
|
f22e83 |
+ }
|
|
|
d41830 |
/* Set up ALPN to check for FTP protocol intention of client. */
|
|
|
d41830 |
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
|
|
|
d41830 |
/* Set up SNI callback for an optional hostname check. */
|
|
|
f22e83 |
diff --git a/tunables.c b/tunables.c
|
|
|
f22e83 |
index 1ea7227..93f85b1 100644
|
|
|
f22e83 |
--- a/tunables.c
|
|
|
f22e83 |
+++ b/tunables.c
|
|
|
f22e83 |
@@ -141,6 +141,7 @@ const char* tunable_email_password_file;
|
|
|
f22e83 |
const char* tunable_rsa_cert_file;
|
|
|
f22e83 |
const char* tunable_dsa_cert_file;
|
|
|
f22e83 |
const char* tunable_dh_param_file;
|
|
|
f22e83 |
+const char* tunable_ecdh_param_file;
|
|
|
f22e83 |
const char* tunable_ssl_ciphers;
|
|
|
f22e83 |
const char* tunable_rsa_private_key_file;
|
|
|
f22e83 |
const char* tunable_dsa_private_key_file;
|
|
|
f22e83 |
@@ -290,7 +291,8 @@ tunables_load_defaults()
|
|
|
f22e83 |
&tunable_rsa_cert_file);
|
|
|
f22e83 |
install_str_setting(0, &tunable_dsa_cert_file);
|
|
|
f22e83 |
install_str_setting(0, &tunable_dh_param_file);
|
|
|
f22e83 |
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",
|
|
|
f22e83 |
+ install_str_setting(0, &tunable_ecdh_param_file);
|
|
|
f22e83 |
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
|
|
|
f22e83 |
&tunable_ssl_ciphers);
|
|
|
f22e83 |
install_str_setting(0, &tunable_rsa_private_key_file);
|
|
|
f22e83 |
install_str_setting(0, &tunable_dsa_private_key_file);
|
|
|
f22e83 |
diff --git a/tunables.h b/tunables.h
|
|
|
f22e83 |
index 3995472..3e2d40c 100644
|
|
|
f22e83 |
--- a/tunables.h
|
|
|
f22e83 |
+++ b/tunables.h
|
|
|
f22e83 |
@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file;
|
|
|
f22e83 |
extern const char* tunable_rsa_cert_file;
|
|
|
f22e83 |
extern const char* tunable_dsa_cert_file;
|
|
|
f22e83 |
extern const char* tunable_dh_param_file;
|
|
|
f22e83 |
+extern const char* tunable_ecdh_param_file;
|
|
|
f22e83 |
extern const char* tunable_ssl_ciphers;
|
|
|
f22e83 |
extern const char* tunable_rsa_private_key_file;
|
|
|
f22e83 |
extern const char* tunable_dsa_private_key_file;
|
|
|
f22e83 |
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
|
|
f22e83 |
index ff94eca..e242873 100644
|
|
|
f22e83 |
--- a/vsftpd.conf.5
|
|
|
f22e83 |
+++ b/vsftpd.conf.5
|
|
|
f22e83 |
@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL.
|
|
|
f22e83 |
|
|
|
f22e83 |
Default: (none - use built in parameters appropriate for certificate key size)
|
|
|
f22e83 |
.TP
|
|
|
f22e83 |
+.B ecdh_param_file
|
|
|
f22e83 |
+This option specifies the location of custom parameters for ephemeral
|
|
|
f22e83 |
+Elliptic Curve Diffie-Hellman (ECDH) key exchange.
|
|
|
f22e83 |
+
|
|
|
f22e83 |
+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and
|
|
|
f22e83 |
+automatically selected curve based on client preferences with OpenSSL 1.0.2
|
|
|
f22e83 |
+and later)
|
|
|
f22e83 |
+.TP
|
|
|
f22e83 |
.B email_password_file
|
|
|
f22e83 |
This option can be used to provide an alternate file for usage by the
|
|
|
f22e83 |
.BR secure_email_list_enable
|
|
|
f22e83 |
--
|
|
|
f22e83 |
2.14.4
|
|
|
f22e83 |
|