Tree - rpms/vsftpd - CentOS Git server

rpms / vsftpd

Blame SOURCES/vsftpd-3.0.2-dh.patch

Blob History Raw

		249a1e	`diff -up vsftpd-3.0.2/parseconf.c.dh vsftpd-3.0.2/parseconf.c`
		249a1e	`--- vsftpd-3.0.2/parseconf.c.dh 2014-06-04 10:24:57.512748573 +0200`
		249a1e	`+++ vsftpd-3.0.2/parseconf.c 2014-06-04 10:24:57.532748566 +0200`
		249a1e	`@@ -175,6 +175,7 @@ parseconf_str_array[] =`
		249a1e	`{ "email_password_file", &tunable_email_password_file },`
		249a1e	`{ "rsa_cert_file", &tunable_rsa_cert_file },`
		249a1e	`{ "dsa_cert_file", &tunable_dsa_cert_file },`
		249a1e	`+ { "dh_param_file", &tunable_dh_param_file },`
		249a1e	`{ "ssl_ciphers", &tunable_ssl_ciphers },`
		249a1e	`{ "rsa_private_key_file", &tunable_rsa_private_key_file },`
		249a1e	`{ "dsa_private_key_file", &tunable_dsa_private_key_file },`
		249a1e	`diff -up vsftpd-3.0.2/ssl.c.dh vsftpd-3.0.2/ssl.c`
		249a1e	`--- vsftpd-3.0.2/ssl.c.dh 2012-04-03 02:23:42.000000000 +0200`
		249a1e	`+++ vsftpd-3.0.2/ssl.c 2014-06-04 10:24:57.533748565 +0200`
		249a1e	`@@ -28,6 +28,8 @@`
		249a1e	`#include <openssl/err.h>`
		249a1e	`#include <openssl/rand.h>`
		249a1e	`#include <openssl/bio.h>`
		249a1e	`+#include <openssl/dh.h>`
		249a1e	`+#include <openssl/bn.h>`
		249a1e	`#include <errno.h>`
		249a1e	`#include <limits.h>`
		249a1e
		249a1e	`@@ -38,6 +40,7 @@ static void setup_bio_callbacks();`
		249a1e	`static long bio_callback(`
		249a1e	`BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);`
		249a1e	`static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);`
		249a1e	`+static DH ssl_tmp_dh_callback(SSL ssl, int is_export, int keylength);`
		249a1e	`static int ssl_cert_digest(`
		249a1e	`SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);`
		249a1e	`static void maybe_log_shutdown_state(struct vsf_session* p_sess);`
		249a1e	`@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_se`
		249a1e	`static int ssl_inited;`
		249a1e	`static struct mystr debug_str;`
		249a1e
		249a1e	`+`
		249a1e	`+// Grab prime number from OpenSSL; <openssl/bn.h>`
		249a1e	`+// (get_rfc*) for all available primes.`
		249a1e	`+// wraps selection of comparable algorithm strength`
		249a1e	`+#if !defined(match_dh_bits)`
		249a1e	`+ #define match_dh_bits(keylen) \`
		249a1e	`+ keylen >= 8191 ? 8192 : \`
		249a1e	`+ keylen >= 6143 ? 6144 : \`
		249a1e	`+ keylen >= 4095 ? 4096 : \`
		249a1e	`+ keylen >= 3071 ? 3072 : \`
		249a1e	`+ keylen >= 2047 ? 2048 : \`
		249a1e	`+ keylen >= 1535 ? 1536 : \`
		249a1e	`+ keylen >= 1023 ? 1024 : 768`
		249a1e	`+#endif`
		249a1e	`+`
		249a1e	`+#if !defined(DH_get_prime)`
		249a1e	`+ BIGNUM *`
		249a1e	`+ DH_get_prime(int bits)`
		249a1e	`+ {`
		249a1e	`+ switch (bits) {`
		249a1e	`+ case 768: return get_rfc2409_prime_768(NULL);`
		249a1e	`+ case 1024: return get_rfc2409_prime_1024(NULL);`
		249a1e	`+ case 1536: return get_rfc3526_prime_1536(NULL);`
		249a1e	`+ case 2048: return get_rfc3526_prime_2048(NULL);`
		249a1e	`+ case 3072: return get_rfc3526_prime_3072(NULL);`
		249a1e	`+ case 4096: return get_rfc3526_prime_4096(NULL);`
		249a1e	`+ case 6144: return get_rfc3526_prime_6144(NULL);`
		249a1e	`+ case 8192: return get_rfc3526_prime_8192(NULL);`
		249a1e	`+ // shouldn't happen when used match_dh_bits; strict compiler`
		249a1e	`+ default: return NULL;`
		249a1e	`+ }`
		249a1e	`+}`
		249a1e	`+#endif`
		249a1e	`+`
		249a1e	`+#if !defined(DH_get_dh)`
		249a1e	`+ // Grab DH parameters`
		249a1e	`+ DH *`
		249a1e	`+ DH_get_dh(int size)`
		249a1e	`+ {`
		249a1e	`+ DH *dh = DH_new();`
		249a1e	`+ if (!dh) {`
		249a1e	`+ return NULL;`
		249a1e	`+ }`
		249a1e	`+ dh->p = DH_get_prime(match_dh_bits(size));`
		249a1e	`+ BN_dec2bn(&dh->g, "2");`
		249a1e	`+ if (!dh->p \|\| !dh->g)`
		249a1e	`+ {`
		249a1e	`+ DH_free(dh);`
		249a1e	`+ return NULL;`
		249a1e	`+ }`
		249a1e	`+ return dh;`
		249a1e	`+ }`
		249a1e	`+#endif`
		249a1e	`+`
		249a1e	`void`
		249a1e	`ssl_init(struct vsf_session* p_sess)`
		249a1e	`{`
		249a1e	`@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)`
		249a1e	`{`
		249a1e	`die("SSL: could not allocate SSL context");`
		249a1e	`}`
		249a1e	`- options = SSL_OP_ALL;`
		249a1e	`+ options = SSL_OP_ALL \| SSL_OP_SINGLE_DH_USE;`
		249a1e	`if (!tunable_sslv2)`
		249a1e	`{`
		249a1e	`options \|= SSL_OP_NO_SSLv2;`
		249a1e	`@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess)`
		249a1e	`die("SSL: cannot load DSA private key");`
		249a1e	`}`
		249a1e	`}`
		249a1e	`+ if (tunable_dh_param_file)`
		249a1e	`+ {`
		249a1e	`+ BIO *bio;`
		249a1e	`+ DH *dhparams = NULL;`
		249a1e	`+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)`
		249a1e	`+ {`
		249a1e	`+ die("SSL: cannot load custom DH params");`
		249a1e	`+ }`
		249a1e	`+ else`
		249a1e	`+ {`
		249a1e	`+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);`
		249a1e	`+ BIO_free(bio);`
		249a1e	`+`
		249a1e	`+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams))`
		249a1e	`+ {`
		249a1e	`+ die("SSL: setting custom DH params failed");`
		249a1e	`+ }`
		249a1e	`+ }`
		249a1e	`+ }`
		249a1e	`if (tunable_ssl_ciphers &&`
		249a1e	`SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)`
		249a1e	`{`
		249a1e	`@@ -156,6 +232,9 @@ ssl_init(struct vsf_session* p_sess)`
		249a1e	`/* Ensure cached session doesn't expire */`
		249a1e	`SSL_CTX_set_timeout(p_ctx, INT_MAX);`
		249a1e	`}`
		249a1e	`+`
		249a1e	`+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);`
		249a1e	`+`
		249a1e	`p_sess->p_ssl_ctx = p_ctx;`
		249a1e	`ssl_inited = 1;`
		249a1e	`}`
		249a1e	`@@ -675,6 +754,18 @@ ssl_verify_callback(int verify_ok, X509_`
		249a1e	`return 1;`
		249a1e	`}`
		249a1e
		249a1e	`+#define UNUSED(x) ( (void)(x) )`
		249a1e	`+`
		249a1e	`+static DH *`
		249a1e	`+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)`
		249a1e	`+{`
		249a1e	`+ // strict compiler bypassing`
		249a1e	`+ UNUSED(ssl);`
		249a1e	`+ UNUSED(is_export);`
		249a1e	`+`
		249a1e	`+ return DH_get_dh(keylength);`
		249a1e	`+}`
		249a1e	`+`
		249a1e	`void`
		249a1e	`ssl_add_entropy(struct vsf_session* p_sess)`
		249a1e	`{`
		249a1e	`diff -up vsftpd-3.0.2/tunables.c.dh vsftpd-3.0.2/tunables.c`
		249a1e	`--- vsftpd-3.0.2/tunables.c.dh 2014-06-04 10:24:57.530748566 +0200`
		249a1e	`+++ vsftpd-3.0.2/tunables.c 2014-06-04 10:24:57.533748565 +0200`
		249a1e	`@@ -139,6 +139,7 @@ const char* tunable_user_sub_token;`
		249a1e	`const char* tunable_email_password_file;`
		249a1e	`const char* tunable_rsa_cert_file;`
		249a1e	`const char* tunable_dsa_cert_file;`
		249a1e	`+const char* tunable_dh_param_file;`
		249a1e	`const char* tunable_ssl_ciphers;`
		249a1e	`const char* tunable_rsa_private_key_file;`
		249a1e	`const char* tunable_dsa_private_key_file;`
		249a1e	`@@ -286,7 +287,9 @@ tunables_load_defaults()`
		249a1e	`install_str_setting("/usr/share/ssl/certs/vsftpd.pem",`
		249a1e	`&tunable_rsa_cert_file);`
		249a1e	`install_str_setting(0, &tunable_dsa_cert_file);`
		249a1e	`- install_str_setting("AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers);`
		249a1e	`+ install_str_setting(0, &tunable_dh_param_file);`
		249a1e	`+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",`
		249a1e	`+ &tunable_ssl_ciphers);`
		249a1e	`install_str_setting(0, &tunable_rsa_private_key_file);`
		249a1e	`install_str_setting(0, &tunable_dsa_private_key_file);`
		249a1e	`install_str_setting(0, &tunable_ca_certs_file);`
		249a1e	`diff -up vsftpd-3.0.2/tunables.h.dh vsftpd-3.0.2/tunables.h`
		249a1e	`--- vsftpd-3.0.2/tunables.h.dh 2014-06-04 10:24:57.511748573 +0200`
		249a1e	`+++ vsftpd-3.0.2/tunables.h 2014-06-04 10:24:57.533748565 +0200`
		249a1e	`@@ -141,6 +141,7 @@ extern const char* tunable_user_sub_toke`
		249a1e	`extern const char* tunable_email_password_file;`
		249a1e	`extern const char* tunable_rsa_cert_file;`
		249a1e	`extern const char* tunable_dsa_cert_file;`
		249a1e	`+extern const char* tunable_dh_param_file;`
		249a1e	`extern const char* tunable_ssl_ciphers;`
		249a1e	`extern const char* tunable_rsa_private_key_file;`
		249a1e	`extern const char* tunable_dsa_private_key_file;`
		249a1e	`diff -up vsftpd-3.0.2/vsftpd.conf.5.dh vsftpd-3.0.2/vsftpd.conf.5`
		249a1e	`--- vsftpd-3.0.2/vsftpd.conf.5.dh 2014-06-04 10:24:57.523748569 +0200`
		249a1e	`+++ vsftpd-3.0.2/vsftpd.conf.5 2014-06-04 10:24:57.533748565 +0200`
		249a1e	`@@ -884,6 +884,12 @@ to be in the same file as the certificat`
		249a1e
		249a1e	`Default: (none)`
		249a1e	`.TP`
		249a1e	`+.B dh_param_file`
		249a1e	`+This option specifies the location of the custom parameters used for`
		249a1e	`+ephemeral Diffie-Hellman key exchange in SSL.`
		249a1e	`+`
		249a1e	`+Default: (none - use built in parameters appropriate for certificate key size)`
		249a1e	`+.TP`
		249a1e	`.B email_password_file`
		249a1e	`This option can be used to provide an alternate file for usage by the`
		249a1e	`.BR secure_email_list_enable`

rpms / vsftpd

Source Code

Blame SOURCES/vsftpd-3.0.2-dh.patch