diff -up vsftpd-3.0.2/parseconf.c.dh vsftpd-3.0.2/parseconf.c
--- vsftpd-3.0.2/parseconf.c.dh 2014-06-04 10:24:57.512748573 +0200
+++ vsftpd-3.0.2/parseconf.c 2014-06-04 10:24:57.532748566 +0200
@@ -175,6 +175,7 @@ parseconf_str_array[] =
{ "email_password_file", &tunable_email_password_file },
{ "rsa_cert_file", &tunable_rsa_cert_file },
{ "dsa_cert_file", &tunable_dsa_cert_file },
+ { "dh_param_file", &tunable_dh_param_file },
{ "ssl_ciphers", &tunable_ssl_ciphers },
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
diff -up vsftpd-3.0.2/ssl.c.dh vsftpd-3.0.2/ssl.c
--- vsftpd-3.0.2/ssl.c.dh 2012-04-03 02:23:42.000000000 +0200
+++ vsftpd-3.0.2/ssl.c 2014-06-04 10:24:57.533748565 +0200
@@ -28,6 +28,8 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
+#include <openssl/dh.h>
+#include <openssl/bn.h>
#include <errno.h>
#include <limits.h>
@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
static long bio_callback(
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
static int ssl_cert_digest(
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_se
static int ssl_inited;
static struct mystr debug_str;
+
+// Grab prime number from OpenSSL; <openssl/bn.h>
+// (get_rfc*) for all available primes.
+// wraps selection of comparable algorithm strength
+#if !defined(match_dh_bits)
+ #define match_dh_bits(keylen) \
+ keylen >= 8191 ? 8192 : \
+ keylen >= 6143 ? 6144 : \
+ keylen >= 4095 ? 4096 : \
+ keylen >= 3071 ? 3072 : \
+ keylen >= 2047 ? 2048 : \
+ keylen >= 1535 ? 1536 : \
+ keylen >= 1023 ? 1024 : 768
+#endif
+
+#if !defined(DH_get_prime)
+ BIGNUM *
+ DH_get_prime(int bits)
+ {
+ switch (bits) {
+ case 768: return get_rfc2409_prime_768(NULL);
+ case 1024: return get_rfc2409_prime_1024(NULL);
+ case 1536: return get_rfc3526_prime_1536(NULL);
+ case 2048: return get_rfc3526_prime_2048(NULL);
+ case 3072: return get_rfc3526_prime_3072(NULL);
+ case 4096: return get_rfc3526_prime_4096(NULL);
+ case 6144: return get_rfc3526_prime_6144(NULL);
+ case 8192: return get_rfc3526_prime_8192(NULL);
+ // shouldn't happen when used match_dh_bits; strict compiler
+ default: return NULL;
+ }
+}
+#endif
+
+#if !defined(DH_get_dh)
+ // Grab DH parameters
+ DH *
+ DH_get_dh(int size)
+ {
+ DH *dh = DH_new();
+ if (!dh) {
+ return NULL;
+ }
+ dh->p = DH_get_prime(match_dh_bits(size));
+ BN_dec2bn(&dh->g, "2");
+ if (!dh->p || !dh->g)
+ {
+ DH_free(dh);
+ return NULL;
+ }
+ return dh;
+ }
+#endif
+
void
ssl_init(struct vsf_session* p_sess)
{
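Review bot: The lower arms of `match_dh_bits` fall through to the 1024-bit and 768-bit RFC 2409 groups, which are too small for ephemeral DH today, and the `keylength` OpenSSL passes to a tmp-DH callback is, as far as I know, the export/non-export hint (512 or 1024) rather than the certificate key size, so these are probably the groups used whenever `dh_param_file` is unset. Consider flooring the choice at 2048 bits by ending the chain with `keylen >= 3071 ? 3072 : 2048`, after checking that the clients you need to support accept a 2048-bit group. The macro's expansion and its `keylen` argument are also unparenthesized, and `#if !defined(DH_get_prime)` / `#if !defined(DH_get_dh)` test for macros, so they never guard these function definitions; declaring both helpers `static` under a vsftpd-specific name would avoid clashing with OpenSSL's `DH_` namespace.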
@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
{
die("SSL: could not allocate SSL context");
}
- options = SSL_OP_ALL;
+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
if (!tunable_sslv2)
{
options |= SSL_OP_NO_SSLv2;
@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess)
die("SSL: cannot load DSA private key");
}
}
+ if (tunable_dh_param_file)
+ {
+ BIO *bio;
+ DH *dhparams = NULL;
+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
+ {
+ die("SSL: cannot load custom DH params");
+ }
+ else
+ {
+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+
+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams))
+ {
+ die("SSL: setting custom DH params failed");
+ }
+ }
+ }
if (tunable_ssl_ciphers &&
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
{
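Review bot: The result of `PEM_read_bio_DHparams` is passed to `SSL_CTX_set_tmp_dh` without a NULL check, so a `dh_param_file` that exists but does not contain valid PEM DH parameters hands OpenSSL a null pointer instead of failing cleanly. Add `if (dhparams == NULL) { die("SSL: cannot parse custom DH params"); }` right after `BIO_free(bio);`. `SSL_CTX_set_tmp_dh` keeps its own copy of the parameters as far as I know, so a `DH_free(dhparams);` after the call would release the loaded structure. It may also be worth rejecting files whose modulus is shorter than 2048 bits, since nothing here checks the size of what the administrator supplied. The enclosing `ssl_init` starts and ends outside this hunk.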
@@ -156,6 +232,9 @@ ssl_init(struct vsf_session* p_sess)
/* Ensure cached session doesn't expire */
SSL_CTX_set_timeout(p_ctx, INT_MAX);
}
+
+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+
p_sess->p_ssl_ctx = p_ctx;
ssl_inited = 1;
}
@@ -675,6 +754,18 @@ ssl_verify_callback(int verify_ok, X509_
return 1;
}
+#define UNUSED(x) ( (void)(x) )
+
+static DH *
+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
+{
+ // strict compiler bypassing
+ UNUSED(ssl);
+ UNUSED(is_export);
+
+ return DH_get_dh(keylength);
+}
+
void
ssl_add_entropy(struct vsf_session* p_sess)
{
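Review bot: `ssl_tmp_dh_callback` builds a new `DH` through `DH_get_dh` on every invocation and nothing in the patch frees it; OpenSSL, as far as I recall, duplicates the structure returned by a tmp-DH callback rather than taking ownership, so each DHE handshake in a process would leak one `DH` and its BIGNUMs. Caching the parameters in a function-local `static DH *` per selected size and returning the cached pointer avoids the repeated allocation. The two `//` comments here and in the earlier ssl.c hunk also differ from the `/* ... */` style visible elsewhere in the file.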
diff -up vsftpd-3.0.2/tunables.c.dh vsftpd-3.0.2/tunables.c
--- vsftpd-3.0.2/tunables.c.dh 2014-06-04 10:24:57.530748566 +0200
+++ vsftpd-3.0.2/tunables.c 2014-06-04 10:24:57.533748565 +0200
@@ -139,6 +139,7 @@ const char* tunable_user_sub_token;
const char* tunable_email_password_file;
const char* tunable_rsa_cert_file;
const char* tunable_dsa_cert_file;
+const char* tunable_dh_param_file;
const char* tunable_ssl_ciphers;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
@@ -286,7 +287,9 @@ tunables_load_defaults()
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_dh_param_file);
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",
+ &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
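Review bot: `DHE-RSA-AES256-SHA` is appended at the end of the default `ssl_ciphers` string, behind `AES128-SHA` and `DES-CBC3-SHA`, so the forward-secret suite is negotiated only when the peer's preference order puts it first, unless server cipher preference is enabled somewhere outside this diff. If the goal is to offer forward secrecy by default, list the DHE suite first: `install_str_setting("DHE-RSA-AES256-SHA:AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers);`. The vsftpd.conf.5 hunk in this patch documents `dh_param_file` but does not touch the documented `ssl_ciphers` default, which presumably still names the old value. `tunables_load_defaults` starts and ends outside this hunk.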
diff -up vsftpd-3.0.2/tunables.h.dh vsftpd-3.0.2/tunables.h
--- vsftpd-3.0.2/tunables.h.dh 2014-06-04 10:24:57.511748573 +0200
+++ vsftpd-3.0.2/tunables.h 2014-06-04 10:24:57.533748565 +0200
@@ -141,6 +141,7 @@ extern const char* tunable_user_sub_toke
extern const char* tunable_email_password_file;
extern const char* tunable_rsa_cert_file;
extern const char* tunable_dsa_cert_file;
+extern const char* tunable_dh_param_file;
extern const char* tunable_ssl_ciphers;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
diff -up vsftpd-3.0.2/vsftpd.conf.5.dh vsftpd-3.0.2/vsftpd.conf.5
--- vsftpd-3.0.2/vsftpd.conf.5.dh 2014-06-04 10:24:57.523748569 +0200
+++ vsftpd-3.0.2/vsftpd.conf.5 2014-06-04 10:24:57.533748565 +0200
@@ -884,6 +884,12 @@ to be in the same file as the certificat
Default: (none)
.TP
+.B dh_param_file
+This option specifies the location of the custom parameters used for
+ephemeral Diffie-Hellman key exchange in SSL.
+
+Default: (none - use built in parameters appropriate for certificate key size)
+.TP
.B email_password_file
This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable