import-layers/meta-openembedded/meta-networking/recipes-daemons/proftpd/files/CVE-2016-3125.patch - openbmc/openbmc - Gitiles

 From 7a8f683cedf9b0d1024a80362693c9f8b93a0f2b Mon Sep 17 00:00:00 2001
 From: TJ Saunders <tj@castaglia.org>
 Date: Thu, 10 Mar 2016 15:07:58 -0800
 Subject: [PATCH] Backport of fix for Bug#4230 to 1.3.5 branch.

 Upstream-Status: Backport
 CVE: CVE-2016-3125

 Author: TJ Saunders <tj@castaglia.org>
 Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
 ---
  contrib/mod_tls.c | 167 +++++++++++++++++++++++++++++++++++++++++++++++-------
  1 file changed, 147 insertions(+), 20 deletions(-)

 diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
 index df92658..5883cc7 100644
 --- a/contrib/mod_tls.c
 +++ b/contrib/mod_tls.c
 @@ -411,6 +411,13 @@ static int tls_required_on_ctrl = 0;
  static int tls_required_on_data = 0;
  static unsigned char *tls_authenticated = NULL;

 +/* Define the minimum DH group length we allow (unless the AllowWeakDH
 + * TLSOption is used).  Ideally this would be 2048, per https://weakdh.org,
 + * but for compatibility with older Java versions, which only support up to
 + * 1024, we'll use 1024.  For now.
 + */
 +#define TLS_DH_MIN_LEN				1024
 +
  /* mod_tls session flags */
  #define	TLS_SESS_ON_CTRL			0x0001
  #define TLS_SESS_ON_DATA			0x0002
 @@ -438,6 +445,7 @@ static unsigned char *tls_authenticated = NULL;
  #define TLS_OPT_USE_IMPLICIT_SSL			0x0200
  #define TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS		0x0400
  #define TLS_OPT_VERIFY_CERT_CN				0x0800
 +#define TLS_OPT_ALLOW_WEAK_DH				0x1000

  /* mod_tls SSCN modes */
  #define TLS_SSCN_MODE_SERVER				0
 @@ -2417,24 +2425,139 @@ static int tls_ctrl_renegotiate_cb(CALLBACK_FRAME) {

  static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) {
    DH *dh = NULL;
 +  EVP_PKEY *pkey;
 +  int pkeylen = 0, use_pkeylen = FALSE;
 +
 +  /* OpenSSL will only ever call us (currently) with a keylen of 512 or 1024;
 +   * see the SSL_EXPORT_PKEYLENGTH macro in ssl_locl.h.  Sigh.
 +   *
 +   * Thus we adjust the DH parameter length according to the size of the
 +   * RSA/DSA private key used for the current connection.
 +   *
 +   * NOTE: This MAY cause interoperability issues with some clients, notably
 +   * Java 7 (and earlier) clients, since Java 7 and earlier supports
 +   * Diffie-Hellman only up to 1024 bits.  More sighs.  To deal with these
 +   * clients, then, you need to configure a certificate/key of 1024 bits.
 +   */
 +  pkey = SSL_get_privatekey(ssl);
 +  if (pkey != NULL) {
 +    if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA ||
 +        EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) {
 +      pkeylen = EVP_PKEY_bits(pkey);
 +
 +      if (pkeylen < TLS_DH_MIN_LEN) {
 +        if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) {
 +          pr_trace_msg(trace_channel, 11,
 +            "certificate private key length %d less than %d bits, using %d "
 +            "(see AllowWeakDH TLSOption)", pkeylen, TLS_DH_MIN_LEN,
 +            TLS_DH_MIN_LEN);
 +          pkeylen = TLS_DH_MIN_LEN;
 +        }
 +      }
 +
 +      if (pkeylen != keylen) {
 +        pr_trace_msg(trace_channel, 13,
 +          "adjusted DH parameter length from %d to %d bits", keylen, pkeylen);
 +        use_pkeylen = TRUE;
 +      }
 +    }
 +  }

    if (tls_tmp_dhs != NULL &&
        tls_tmp_dhs->nelts > 0) {
      register unsigned int i;
 -    DH **dhs;
 +    DH *best_dh = NULL, **dhs;
 +    int best_dhlen = 0;

      dhs = tls_tmp_dhs->elts;
 +
 +    /* Search the configured list of DH parameters twice: once for any sizes
 +     * matching the actual requested size (usually 1024), and once for any
 +     * matching the certificate private key size (pkeylen).
 +     *
 +     * This behavior allows site admins to configure a TLSDHParamFile that
 +     * contains 1024-bit parameters, for e.g. Java 7 (and earlier) clients.
 +     */
 +
 +    /* Note: the keylen argument is in BITS, but DH_size() returns the number
 +     * of BYTES.
 +     */
      for (i = 0; i < tls_tmp_dhs->nelts; i++) {
 -      /* Note: the keylength argument is in BITS, but DH_size() returns
 -       * the number of BYTES.
 +      int dhlen;
 +
 +      dhlen = DH_size(dhs[i]) * 8;
 +      if (dhlen == keylen) {
 +        pr_trace_msg(trace_channel, 11,
 +          "found matching DH parameter for key length %d", keylen);
 +        return dhs[i];
 +      }
 +
 +      /* Try to find the next "best" DH to use, where "best" means
 +       * the smallest DH that is larger than the necessary keylen.
         */
 -      if (DH_size(dhs[i]) == (keylength / 8)) {
 +      if (dhlen > keylen) {
 +        if (best_dh != NULL) {
 +          if (dhlen < best_dhlen) {
 +            best_dh = dhs[i];
 +            best_dhlen = dhlen;
 +          }
 +
 +        } else {
 +          best_dh = dhs[i];
 +          best_dhlen = dhlen;
 +        }
 +      }
 +    }
 +
 +    for (i = 0; i < tls_tmp_dhs->nelts; i++) {
 +      int dhlen;
 +
 +      dhlen = DH_size(dhs[i]) * 8;
 +      if (dhlen == pkeylen) {
 +        pr_trace_msg(trace_channel, 11,
 +          "found matching DH parameter for certificate private key length %d",
 +          pkeylen);
          return dhs[i];
        }
 +
 +      if (dhlen > pkeylen) {
 +        if (best_dh != NULL) {
 +          if (dhlen < best_dhlen) {
 +            best_dh = dhs[i];
 +            best_dhlen = dhlen;
 +          }
 +
 +        } else {
 +          best_dh = dhs[i];
 +          best_dhlen = dhlen;
 +        }
 +      }
 +    }
 +
 +    if (best_dh != NULL) {
 +      pr_trace_msg(trace_channel, 11,
 +        "using best DH parameter for key length %d (length %d)", keylen,
 +        best_dhlen);
 +      return best_dh;
      }
    }

 -  switch (keylength) {
 +  /* Still no DH parameters found?  Use the built-in ones. */
 +
 +  if (keylen < TLS_DH_MIN_LEN) {
 +    if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) {
 +      pr_trace_msg(trace_channel, 11,
 +        "requested key length %d less than %d bits, using %d "
 +        "(see AllowWeakDH TLSOption)", keylen, TLS_DH_MIN_LEN, TLS_DH_MIN_LEN);
 +      keylen = TLS_DH_MIN_LEN;
 +    }
 +  }
 +
 +  if (use_pkeylen) {
 +    keylen = pkeylen;
 +  }
 +
 +  switch (keylen) {
      case 512:
        dh = get_dh512();
        break;
 @@ -2443,32 +2566,33 @@ static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) {
        dh = get_dh768();
        break;

 -     case 1024:
 -       dh = get_dh1024();
 -       break;
 +    case 1024:
 +      dh = get_dh1024();
 +      break;

 -     case 1536:
 -       dh = get_dh1536();
 -       break;
 +    case 1536:
 +      dh = get_dh1536();
 +      break;

 -     case 2048:
 -       dh = get_dh2048();
 -       break;
 +    case 2048:
 +      dh = get_dh2048();
 +      break;

 -     default:
 -       tls_log("unsupported DH key length %d requested, returning 1024 bits",
 -         keylength);
 -       dh = get_dh1024();
 -       break;
 +    default:
 +      tls_log("unsupported DH key length %d requested, returning 1024 bits",
 +        keylen);
 +      dh = get_dh1024();
 +      break;
    }

 +  pr_trace_msg(trace_channel, 11, "using builtin DH for %d bits", keylen);
 +
    /* Add this DH to the list, so that it can be freed properly later. */
    if (tls_tmp_dhs == NULL) {
      tls_tmp_dhs = make_array(session.pool, 1, sizeof(DH *));
    }

    *((DH **) push_array(tls_tmp_dhs)) = dh;
 -
    return dh;
  }

 @@ -8445,6 +8569,9 @@ MODRET set_tlsoptions(cmd_rec *cmd) {
                 strcmp(cmd->argv[i], "AllowClientRenegotiations") == 0) {
        opts |= TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS;

 +    } else if (strcmp(cmd->argv[i], "AllowWeakDH") == 0) {
 +      opts |= TLS_OPT_ALLOW_WEAK_DH;
 +
      } else if (strcmp(cmd->argv[i], "EnableDiags") == 0) {
        opts |= TLS_OPT_ENABLE_DIAGS;

 --
 2.7.4
	From 7a8f683cedf9b0d1024a80362693c9f8b93a0f2b Mon Sep 17 00:00:00 2001
	From: TJ Saunders <tj@castaglia.org>
	Date: Thu, 10 Mar 2016 15:07:58 -0800
	Subject: [PATCH] Backport of fix for Bug#4230 to 1.3.5 branch.

	Upstream-Status: Backport
	CVE: CVE-2016-3125

	Author: TJ Saunders <tj@castaglia.org>
	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
	---
	contrib/mod_tls.c \| 167 +++++++++++++++++++++++++++++++++++++++++++++++-------
	1 file changed, 147 insertions(+), 20 deletions(-)

	diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
	index df92658..5883cc7 100644
	--- a/contrib/mod_tls.c
	+++ b/contrib/mod_tls.c
	@@ -411,6 +411,13 @@ static int tls_required_on_ctrl = 0;
	static int tls_required_on_data = 0;
	static unsigned char *tls_authenticated = NULL;

	+/* Define the minimum DH group length we allow (unless the AllowWeakDH
	+ * TLSOption is used). Ideally this would be 2048, per https://weakdh.org,
	+ * but for compatibility with older Java versions, which only support up to
	+ * 1024, we'll use 1024. For now.
	+ */
	+#define TLS_DH_MIN_LEN 1024
	+
	/* mod_tls session flags */
	#define TLS_SESS_ON_CTRL 0x0001
	#define TLS_SESS_ON_DATA 0x0002
	@@ -438,6 +445,7 @@ static unsigned char *tls_authenticated = NULL;
	#define TLS_OPT_USE_IMPLICIT_SSL 0x0200
	#define TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS 0x0400
	#define TLS_OPT_VERIFY_CERT_CN 0x0800
	+#define TLS_OPT_ALLOW_WEAK_DH 0x1000

	/* mod_tls SSCN modes */
	#define TLS_SSCN_MODE_SERVER 0
	@@ -2417,24 +2425,139 @@ static int tls_ctrl_renegotiate_cb(CALLBACK_FRAME) {

	static DH tls_dh_cb(SSL ssl, int is_export, int keylength) {
	DH *dh = NULL;
	+ EVP_PKEY *pkey;
	+ int pkeylen = 0, use_pkeylen = FALSE;
	+
	+ /* OpenSSL will only ever call us (currently) with a keylen of 512 or 1024;
	+ * see the SSL_EXPORT_PKEYLENGTH macro in ssl_locl.h. Sigh.
	+ *
	+ * Thus we adjust the DH parameter length according to the size of the
	+ * RSA/DSA private key used for the current connection.
	+ *
	+ * NOTE: This MAY cause interoperability issues with some clients, notably
	+ * Java 7 (and earlier) clients, since Java 7 and earlier supports
	+ * Diffie-Hellman only up to 1024 bits. More sighs. To deal with these
	+ * clients, then, you need to configure a certificate/key of 1024 bits.
	+ */
	+ pkey = SSL_get_privatekey(ssl);
	+ if (pkey != NULL) {
	+ if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA \|\|
	+ EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) {
	+ pkeylen = EVP_PKEY_bits(pkey);
	+
	+ if (pkeylen < TLS_DH_MIN_LEN) {
	+ if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) {
	+ pr_trace_msg(trace_channel, 11,
	+ "certificate private key length %d less than %d bits, using %d "
	+ "(see AllowWeakDH TLSOption)", pkeylen, TLS_DH_MIN_LEN,
	+ TLS_DH_MIN_LEN);
	+ pkeylen = TLS_DH_MIN_LEN;
	+ }
	+ }
	+
	+ if (pkeylen != keylen) {
	+ pr_trace_msg(trace_channel, 13,
	+ "adjusted DH parameter length from %d to %d bits", keylen, pkeylen);
	+ use_pkeylen = TRUE;
	+ }
	+ }
	+ }

	if (tls_tmp_dhs != NULL &&
	tls_tmp_dhs->nelts > 0) {
	register unsigned int i;
	- DH **dhs;
	+ DH best_dh = NULL, *dhs;
	+ int best_dhlen = 0;

	dhs = tls_tmp_dhs->elts;
	+
	+ /* Search the configured list of DH parameters twice: once for any sizes
	+ * matching the actual requested size (usually 1024), and once for any
	+ * matching the certificate private key size (pkeylen).
	+ *
	+ * This behavior allows site admins to configure a TLSDHParamFile that
	+ * contains 1024-bit parameters, for e.g. Java 7 (and earlier) clients.
	+ */
	+
	+ /* Note: the keylen argument is in BITS, but DH_size() returns the number
	+ * of BYTES.
	+ */
	for (i = 0; i < tls_tmp_dhs->nelts; i++) {
	- /* Note: the keylength argument is in BITS, but DH_size() returns
	- * the number of BYTES.
	+ int dhlen;
	+
	+ dhlen = DH_size(dhs[i]) * 8;
	+ if (dhlen == keylen) {
	+ pr_trace_msg(trace_channel, 11,
	+ "found matching DH parameter for key length %d", keylen);
	+ return dhs[i];
	+ }
	+
	+ /* Try to find the next "best" DH to use, where "best" means
	+ * the smallest DH that is larger than the necessary keylen.
	*/
	- if (DH_size(dhs[i]) == (keylength / 8)) {
	+ if (dhlen > keylen) {
	+ if (best_dh != NULL) {
	+ if (dhlen < best_dhlen) {
	+ best_dh = dhs[i];
	+ best_dhlen = dhlen;
	+ }
	+
	+ } else {
	+ best_dh = dhs[i];
	+ best_dhlen = dhlen;
	+ }
	+ }
	+ }
	+
	+ for (i = 0; i < tls_tmp_dhs->nelts; i++) {
	+ int dhlen;
	+
	+ dhlen = DH_size(dhs[i]) * 8;
	+ if (dhlen == pkeylen) {
	+ pr_trace_msg(trace_channel, 11,
	+ "found matching DH parameter for certificate private key length %d",
	+ pkeylen);
	return dhs[i];
	}
	+
	+ if (dhlen > pkeylen) {
	+ if (best_dh != NULL) {
	+ if (dhlen < best_dhlen) {
	+ best_dh = dhs[i];
	+ best_dhlen = dhlen;
	+ }
	+
	+ } else {
	+ best_dh = dhs[i];
	+ best_dhlen = dhlen;
	+ }
	+ }
	+ }
	+
	+ if (best_dh != NULL) {
	+ pr_trace_msg(trace_channel, 11,
	+ "using best DH parameter for key length %d (length %d)", keylen,
	+ best_dhlen);
	+ return best_dh;
	}
	}

	- switch (keylength) {
	+ /* Still no DH parameters found? Use the built-in ones. */
	+
	+ if (keylen < TLS_DH_MIN_LEN) {
	+ if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) {
	+ pr_trace_msg(trace_channel, 11,
	+ "requested key length %d less than %d bits, using %d "
	+ "(see AllowWeakDH TLSOption)", keylen, TLS_DH_MIN_LEN, TLS_DH_MIN_LEN);
	+ keylen = TLS_DH_MIN_LEN;
	+ }
	+ }
	+
	+ if (use_pkeylen) {
	+ keylen = pkeylen;
	+ }
	+
	+ switch (keylen) {
	case 512:
	dh = get_dh512();
	break;
	@@ -2443,32 +2566,33 @@ static DH tls_dh_cb(SSL ssl, int is_export, int keylength) {
	dh = get_dh768();
	break;

	- case 1024:
	- dh = get_dh1024();
	- break;
	+ case 1024:
	+ dh = get_dh1024();
	+ break;

	- case 1536:
	- dh = get_dh1536();
	- break;
	+ case 1536:
	+ dh = get_dh1536();
	+ break;

	- case 2048:
	- dh = get_dh2048();
	- break;
	+ case 2048:
	+ dh = get_dh2048();
	+ break;

	- default:
	- tls_log("unsupported DH key length %d requested, returning 1024 bits",
	- keylength);
	- dh = get_dh1024();
	- break;
	+ default:
	+ tls_log("unsupported DH key length %d requested, returning 1024 bits",
	+ keylen);
	+ dh = get_dh1024();
	+ break;
	}

	+ pr_trace_msg(trace_channel, 11, "using builtin DH for %d bits", keylen);
	+
	/* Add this DH to the list, so that it can be freed properly later. */
	if (tls_tmp_dhs == NULL) {
	tls_tmp_dhs = make_array(session.pool, 1, sizeof(DH *));
	}

	((DH *) push_array(tls_tmp_dhs)) = dh;
	-
	return dh;
	}

	@@ -8445,6 +8569,9 @@ MODRET set_tlsoptions(cmd_rec *cmd) {
	strcmp(cmd->argv[i], "AllowClientRenegotiations") == 0) {
	opts \|= TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS;

	+ } else if (strcmp(cmd->argv[i], "AllowWeakDH") == 0) {
	+ opts \|= TLS_OPT_ALLOW_WEAK_DH;
	+
	} else if (strcmp(cmd->argv[i], "EnableDiags") == 0) {
	opts \|= TLS_OPT_ENABLE_DIAGS;

	--
	2.7.4