Merge pull request #1535 from proftpd/tls-auth-after-login-issue1533-…

…backport Issue #1533: Ensure that FTPS clients cannot request a TLS session if…
proftpd · Oct 2, 2022 · 0d7dbd5 · 0d7dbd5
2 parents b0bb8fc + d90f9ed
commit 0d7dbd5
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/NEWS b/NEWS
@@ -15,6 +15,11 @@
   where `N' is the issue number.
 -----------------------------------------------------------------------------
 
+1.3.7f
+--------------------------------
+- Issue 1533 - mod_tls module unexpectedly allows TLS handshake after
+  authentication in some configurations.
+
 1.3.7e - Released 23-Jul-2022
 --------------------------------
 - Issue 1448 - Ensure that mod_sftp algorithms work properly with OpenSSL 3.x.

diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
@@ -2,7 +2,7 @@
  * mod_tls - An RFC2228 SSL/TLS module for ProFTPD
  *
  * Copyright (c) 2000-2002 Peter 'Luna' Runestig <peter@runestig.com>
- * Copyright (c) 2002-2021 TJ Saunders <tj@castaglia.org>
+ * Copyright (c) 2002-2022 TJ Saunders <tj@castaglia.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without modifi-
@@ -12590,8 +12590,9 @@ MODRET tls_any(cmd_rec *cmd) {
 MODRET tls_auth(cmd_rec *cmd) {
   register unsigned int i = 0;
   char *mode;
+  unsigned char *authenticated = NULL;
 
-  if (!tls_engine) {
+  if (tls_engine == FALSE) {
     return PR_DECLINED(cmd);
   }
 
@@ -12641,6 +12642,22 @@ MODRET tls_auth(cmd_rec *cmd) {
     return PR_ERROR(cmd);
   }
 
+  /* If the client has already authenticated via USER/PASS, AND if the
+   * AllowPerUser TLSOption is NOT in effect, then do not allow the AUTH
+   * command (Issue #1533).
+   */
+  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
+  if (authenticated != NULL &&
+      *authenticated == TRUE &&
+      !(tls_opts & TLS_OPT_ALLOW_PER_USER)) {
+    tls_log("Unwilling to accept AUTH after USER/PASS authentication for this session unless AllowPerUser TLSOption is used");
+    pr_response_add_err(R_534, _("Unwilling to accept security parameters"));
+
+    pr_cmd_set_errno(cmd, EPERM);
+    errno = EPERM;
+    return PR_ERROR(cmd);
+  }
+
   /* Convert the parameter to upper case */
   mode = cmd->argv[1];
   for (i = 0; i < strlen(mode); i++) {

diff --git a/doc/contrib/mod_tls.html b/doc/contrib/mod_tls.html
@@ -826,8 +826,9 @@ <h3><a name="TLSOptions">TLSOptions</a></h3>
     <code>TLSRequired on</code> or <code>TLSRequired ctrl</code> are in
     effect, it will be possible for the connecting client to send
     usernames and password <i>unprotected</i> before <code>mod_tls</code>
-    rejects the connection.  This results in a slightly weaker security
-    policy enforcement; please consider carefully if this tradeoff is
+    rejects the connection; those credentials could be intercepted and/or
+    manipulated before they reach the server.  This results in a weaker
+    security policy enforcement; please consider carefully if this tradeoff is
     acceptable for your site.
 
     <p>
@@ -2337,7 +2338,7 @@ <h2><a name="Installation">Installation</a></h2>
 <p>
 <hr>
 <font size=2><b><i>
-&copy; Copyright 2002-2021 TJ Saunders<br>
+&copy; Copyright 2002-2022 TJ Saunders<br>
  All Rights Reserved<br>
 </i></b></font>
 <hr>