Blame SOURCES/vsftpd-3.0.2-ecdh.patch

249a1e
diff -up vsftpd-3.0.2/parseconf.c.ecdh vsftpd-3.0.2/parseconf.c
249a1e
--- vsftpd-3.0.2/parseconf.c.ecdh	2014-06-04 10:25:36.786735755 +0200
249a1e
+++ vsftpd-3.0.2/parseconf.c	2014-06-04 10:25:36.812735747 +0200
249a1e
@@ -176,6 +176,7 @@ parseconf_str_array[] =
249a1e
   { "rsa_cert_file", &tunable_rsa_cert_file },
249a1e
   { "dsa_cert_file", &tunable_dsa_cert_file },
249a1e
   { "dh_param_file", &tunable_dh_param_file },
249a1e
+  { "ecdh_param_file", &tunable_ecdh_param_file },
249a1e
   { "ssl_ciphers", &tunable_ssl_ciphers },
249a1e
   { "rsa_private_key_file", &tunable_rsa_private_key_file },
249a1e
   { "dsa_private_key_file", &tunable_dsa_private_key_file },
249a1e
diff -up vsftpd-3.0.2/ssl.c.ecdh vsftpd-3.0.2/ssl.c
249a1e
--- vsftpd-3.0.2/ssl.c.ecdh	2014-06-04 10:25:36.786735755 +0200
249a1e
+++ vsftpd-3.0.2/ssl.c	2014-06-04 10:25:36.812735747 +0200
249a1e
@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
249a1e
     {
249a1e
       die("SSL: could not allocate SSL context");
249a1e
     }
249a1e
-    options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
249a1e
+    options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
249a1e
     if (!tunable_sslv2)
249a1e
     {
249a1e
       options |= SSL_OP_NO_SSLv2;
249a1e
@@ -235,6 +235,41 @@ ssl_init(struct vsf_session* p_sess)
249a1e
     
249a1e
     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
249a1e
 
249a1e
+    if (tunable_ecdh_param_file)
249a1e
+    {
249a1e
+      BIO *bio;
249a1e
+      int nid;
249a1e
+      EC_GROUP *ecparams = NULL;
249a1e
+      EC_KEY *eckey;
249a1e
+
249a1e
+      if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
249a1e
+        die("SSL: cannot load custom ec params");
249a1e
+      else
249a1e
+      {
249a1e
+        ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
249a1e
+        BIO_free(bio);
249a1e
+
249a1e
+        if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) &&
249a1e
+            (eckey = EC_KEY_new_by_curve_name(nid)))
249a1e
+        {
249a1e
+          if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
249a1e
+            die("SSL: setting custom EC params failed");
249a1e
+	}
249a1e
+	else
249a1e
+        {
249a1e
+          die("SSL: getting ec group or key failed");
249a1e
+	}
249a1e
+      }
249a1e
+    }
249a1e
+    else
249a1e
+    {
249a1e
+#if defined(SSL_CTX_set_ecdh_auto)
249a1e
+      SSL_CTX_set_ecdh_auto(p_ctx, 1);
249a1e
+#else
249a1e
+      SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
249a1e
+#endif
249a1e
+    }
249a1e
+
249a1e
     p_sess->p_ssl_ctx = p_ctx;
249a1e
     ssl_inited = 1;
249a1e
   }
249a1e
diff -up vsftpd-3.0.2/tunables.c.ecdh vsftpd-3.0.2/tunables.c
249a1e
--- vsftpd-3.0.2/tunables.c.ecdh	2014-06-04 10:25:36.787735755 +0200
249a1e
+++ vsftpd-3.0.2/tunables.c	2014-06-04 10:25:36.813735747 +0200
249a1e
@@ -140,6 +140,7 @@ const char* tunable_email_password_file;
249a1e
 const char* tunable_rsa_cert_file;
249a1e
 const char* tunable_dsa_cert_file;
249a1e
 const char* tunable_dh_param_file;
249a1e
+const char* tunable_ecdh_param_file;
249a1e
 const char* tunable_ssl_ciphers;
249a1e
 const char* tunable_rsa_private_key_file;
249a1e
 const char* tunable_dsa_private_key_file;
249a1e
@@ -288,7 +289,8 @@ tunables_load_defaults()
249a1e
                       &tunable_rsa_cert_file);
249a1e
   install_str_setting(0, &tunable_dsa_cert_file);
249a1e
   install_str_setting(0, &tunable_dh_param_file);
249a1e
-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",
249a1e
+  install_str_setting(0, &tunable_ecdh_param_file);
249a1e
+  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
249a1e
                       &tunable_ssl_ciphers);
249a1e
   install_str_setting(0, &tunable_rsa_private_key_file);
249a1e
   install_str_setting(0, &tunable_dsa_private_key_file);
249a1e
diff -up vsftpd-3.0.2/tunables.h.ecdh vsftpd-3.0.2/tunables.h
249a1e
--- vsftpd-3.0.2/tunables.h.ecdh	2014-06-04 10:25:36.787735755 +0200
249a1e
+++ vsftpd-3.0.2/tunables.h	2014-06-04 10:25:36.813735747 +0200
249a1e
@@ -142,6 +142,7 @@ extern const char* tunable_email_passwor
249a1e
 extern const char* tunable_rsa_cert_file;
249a1e
 extern const char* tunable_dsa_cert_file;
249a1e
 extern const char* tunable_dh_param_file;
249a1e
+extern const char* tunable_ecdh_param_file;
249a1e
 extern const char* tunable_ssl_ciphers;
249a1e
 extern const char* tunable_rsa_private_key_file;
249a1e
 extern const char* tunable_dsa_private_key_file;
249a1e
diff -up vsftpd-3.0.2/vsftpd.conf.5.ecdh vsftpd-3.0.2/vsftpd.conf.5
249a1e
--- vsftpd-3.0.2/vsftpd.conf.5.ecdh	2014-06-04 10:25:36.787735755 +0200
249a1e
+++ vsftpd-3.0.2/vsftpd.conf.5	2014-06-04 10:25:36.813735747 +0200
249a1e
@@ -890,6 +890,14 @@ ephemeral Diffie-Hellman key exchange in
249a1e
 
249a1e
 Default: (none - use built in parameters appropriate for certificate key size)
249a1e
 .TP
249a1e
+.B ecdh_param_file
249a1e
+This option specifies the location of custom parameters for ephemeral
249a1e
+Elliptic Curve Diffie-Hellman (ECDH) key exchange.
249a1e
+
249a1e
+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and
249a1e
+automatically selected curve based on client preferences with OpenSSL 1.0.2
249a1e
+and later)
249a1e
+.TP
249a1e
 .B email_password_file
249a1e
 This option can be used to provide an alternate file for usage by the
249a1e
 .BR secure_email_list_enable