rpms / proftpd

Clone
Source Code
GIT

Files

el4 el5 el6 epel7 epel8 epel8-playground epel9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main rawhide
  1.   el5
  2.   proftpd-mod_tls-bug4230.patch
Blob Blame History Raw 
--- contrib/mod_tls.c
+++ contrib/mod_tls.c
@@ -387,6 +387,13 @@ static int tls_required_on_ctrl = 0;
 static int tls_required_on_data = 0;
 static unsigned char *tls_authenticated = NULL;
 
+/* Define the minimum DH group length we allow (unless the AllowWeakDH
+ * TLSOption is used).  Ideally this would be 2048, per https://weakdh.org,
+ * but for compatibility with older Java versions, which only support up to
+ * 1024, we'll use 1024.  For now.
+ */
+#define TLS_DH_MIN_LEN				1024
+
 /* mod_tls session flags */
 #define	TLS_SESS_ON_CTRL			0x0001
 #define TLS_SESS_ON_DATA			0x0002
@@ -411,6 +418,7 @@ static unsigned char *tls_authenticated
 #define TLS_OPT_NO_SESSION_REUSE_REQUIRED		0x0100
 #define TLS_OPT_USE_IMPLICIT_SSL			0x0200
 #define TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS		0x0400
+#define TLS_OPT_ALLOW_WEAK_DH				0x1000
 
 /* mod_tls cleanup flags */
 #define TLS_CLEANUP_FL_SESS_INIT	0x0001
@@ -512,6 +520,8 @@ static ctrls_acttab_t tls_acttab[];
 
 static int tls_need_init_handshake = TRUE;
 
+static const char *trace_channel = "tls";
+
 static void tls_diags_cb(const SSL *ssl, int where, int ret) {
   const char *str = "(unknown)";
   int w;
@@ -1951,26 +1961,141 @@ static int tls_ctrl_renegotiate_cb(CALLB
 }
 #endif
 
-static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) {
+static DH *tls_dh_cb(SSL *ssl, int is_export, int keylen) {
   DH *dh = NULL;
+  EVP_PKEY *pkey;
+  int pkeylen = 0, use_pkeylen = FALSE;
+
+  /* OpenSSL will only ever call us (currently) with a keylen of 512 or 1024;
+   * see the SSL_EXPORT_PKEYLENGTH macro in ssl_locl.h.  Sigh.
+   *
+   * Thus we adjust the DH parameter length according to the size of the
+   * RSA/DSA private key used for the current connection.
+   *
+   * NOTE: This MAY cause interoperability issues with some clients, notably
+   * Java 7 (and earlier) clients, since Java 7 and earlier supports
+   * Diffie-Hellman only up to 1024 bits.  More sighs.  To deal with these
+   * clients, then, you need to configure a certificate/key of 1024 bits.
+   */
+  pkey = SSL_get_privatekey(ssl);
+  if (pkey != NULL) {
+    if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA ||
+        EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) {
+      pkeylen = EVP_PKEY_bits(pkey);
+
+      if (pkeylen < TLS_DH_MIN_LEN) {
+        if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) {
+          pr_trace_msg(trace_channel, 11,
+            "certificate private key length %d less than %d bits, using %d "
+            "(see AllowWeakDH TLSOption)", pkeylen, TLS_DH_MIN_LEN,
+            TLS_DH_MIN_LEN);
+          pkeylen = TLS_DH_MIN_LEN;
+        }
+      }
+
+      if (pkeylen != keylen) {
+        pr_trace_msg(trace_channel, 13,
+          "adjusted DH parameter length from %d to %d bits", keylen, pkeylen);
+        use_pkeylen = TRUE;
+      }
+    }
+  }
 
   if (tls_tmp_dhs != NULL &&
       tls_tmp_dhs->nelts > 0) {
     register unsigned int i;
-    DH **dhs;
+    DH *best_dh = NULL, **dhs;
+    int best_dhlen = 0;
 
     dhs = tls_tmp_dhs->elts;
+
+    /* Search the configured list of DH parameters twice: once for any sizes
+     * matching the actual requested size (usually 1024), and once for any
+     * matching the certificate private key size (pkeylen).
+     *
+     * This behavior allows site admins to configure a TLSDHParamFile that
+     * contains 1024-bit parameters, for e.g. Java 7 (and earlier) clients.
+     */
+
+    /* Note: the keylen argument is in BITS, but DH_size() returns the number
+     * of BYTES.
+     */
     for (i = 0; i < tls_tmp_dhs->nelts; i++) {
-      /* Note: the keylength argument is in BITS, but DH_size() returns
-       * the number of BYTES.
+      int dhlen;
+
+      dhlen = DH_size(dhs[i]) * 8;
+      if (dhlen == keylen) {
+        pr_trace_msg(trace_channel, 11,
+          "found matching DH parameter for key length %d", keylen);
+        return dhs[i];
+      }
+
+      /* Try to find the next "best" DH to use, where "best" means
+       * the smallest DH that is larger than the necessary keylen.
        */
-      if (DH_size(dhs[i]) == (keylength / 8)) {
+      if (dhlen > keylen) {
+        if (best_dh != NULL) {
+          if (dhlen < best_dhlen) {
+            best_dh = dhs[i];
+            best_dhlen = dhlen;
+          }
+
+        } else {
+          best_dh = dhs[i];
+          best_dhlen = dhlen;
+        }
+      }
+    }
+
+    for (i = 0; i < tls_tmp_dhs->nelts; i++) {
+      int dhlen;
+
+      dhlen = DH_size(dhs[i]) * 8;
+      if (dhlen == pkeylen) {
+        pr_trace_msg(trace_channel, 11,
+          "found matching DH parameter for certificate private key length %d",
+          pkeylen);
         return dhs[i];
       }
+
+      if (dhlen > pkeylen) {
+        if (best_dh != NULL) {
+          if (dhlen < best_dhlen) {
+            best_dh = dhs[i];
+            best_dhlen = dhlen;
+          }
+
+        } else {
+          best_dh = dhs[i];
+          best_dhlen = dhlen;
+        }
+      }
+    }
+
+    if (best_dh != NULL) {
+      pr_trace_msg(trace_channel, 11,
+        "using best DH parameter for key length %d (length %d)", keylen,
+        best_dhlen);
+      return best_dh;
+    }
+  }
+
+  /* Still no DH parameters found?  Use the built-in ones. */
+
+  if (keylen < TLS_DH_MIN_LEN) {
+    if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) {
+      pr_trace_msg(trace_channel, 11,
+        "requested key length %d less than %d bits, using %d "
+        "(see AllowWeakDH TLSOption)", keylen, TLS_DH_MIN_LEN, TLS_DH_MIN_LEN);
+      keylen = TLS_DH_MIN_LEN;
     }
   }
 
-  switch (keylength) {
+  if (use_pkeylen) {
+    keylen = pkeylen;
+  }
+
+  switch (keylen) {
     case 512:
       dh = get_dh512();
       break;
@@ -1979,25 +2104,27 @@ static DH *tls_dh_cb(SSL *ssl, int is_ex
       dh = get_dh768();
       break;
 
-     case 1024:
-       dh = get_dh1024();
-       break;
-
-     case 1536:
-       dh = get_dh1536();
-       break;
-
-     case 2048:
-       dh = get_dh2048();
-       break;
-
-     default:
-       tls_log("unsupported DH key length %d requested, returning 1024 bits",
-         keylength);
-       dh = get_dh1024();
-       break;
+    case 1024:
+      dh = get_dh1024();
+      break;
+
+    case 1536:
+      dh = get_dh1536();
+      break;
+
+    case 2048:
+      dh = get_dh2048();
+      break;
+
+    default:
+      tls_log("unsupported DH key length %d requested, returning 1024 bits",
+        keylen);
+      dh = get_dh1024();
+      break;
   }
 
+  pr_trace_msg(trace_channel, 11, "using builtin DH for %d bits", keylen);
+
   /* Add this DH to the list, so that it can be freed properly later. */
   if (tls_tmp_dhs == NULL) {
     tls_tmp_dhs = make_array(session.pool, 1, sizeof(DH *));
@@ -6310,6 +6437,9 @@ MODRET set_tlsoptions(cmd_rec *cmd) {
                strcmp(cmd->argv[i], "AllowClientRenegotiations") == 0) {
       opts |= TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS;
 
+    } else if (strcmp(cmd->argv[i], "AllowWeakDH") == 0) {
+      opts |= TLS_OPT_ALLOW_WEAK_DH;
+
     } else if (strcmp(cmd->argv[i], "EnableDiags") == 0) {
       opts |= TLS_OPT_ENABLE_DIAGS;
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.