rpms
/
vsftpd
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import vsftpd-3.0.5-4.el9

Browse Source
c9 imports/c9/vsftpd-3.0.5-4.el9
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
parent 15894cb9cc
commit 5f466954ac
18 changed files with 302 additions and 769 deletions
Show Stats Download Patch File Download Diff File

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/vsftpd-3.0.3.tar.gz SOURCES/vsftpd-3.0.5.tar.gz

2
.vsftpd.metadata
Unescape View File

@ -1 +1 @@
d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz 0159531cc9f9fc6dd64cd734e2fd42601e44b5d9 SOURCES/vsftpd-3.0.5.tar.gz

112
SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch
Unescape View File

@ -31,81 +31,36 @@ index c362983..22b69b3 100644
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include <openssl/bio.h> #include <openssl/bio.h>
+#include <openssl/dh.h>
+#include <openssl/bn.h> +#include <openssl/bn.h>
+#include <openssl/param_build.h>
#include <errno.h> #include <errno.h>
#include <limits.h> #include <limits.h>
@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); @@ -58,6 +60,23 @@
static long bio_callback(
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
static int ssl_cert_digest(
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
static int ssl_inited; static int ssl_inited;
static struct mystr debug_str; static struct mystr debug_str;
+ +EVP_PKEY *
+// Grab prime number from OpenSSL; <openssl/bn.h> +DH_get_dh()
+// (get_rfc*) for all available primes.
+// wraps selection of comparable algorithm strength
+#if !defined(match_dh_bits)
+ #define match_dh_bits(keylen) \
+ keylen >= 8191 ? 8192 : \
+ keylen >= 6143 ? 6144 : \
+ keylen >= 4095 ? 4096 : \
+ keylen >= 3071 ? 3072 : \
+ keylen >= 2047 ? 2048 : \
+ keylen >= 1535 ? 1536 : \
+ keylen >= 1023 ? 1024 : 768
+#endif
+
+#if !defined(DH_get_prime)
+ BIGNUM *
+ DH_get_prime(int bits)
+{ +{
+ switch (bits) { + OSSL_PARAM dh_params[2];
+ case 768: return get_rfc2409_prime_768(NULL); + EVP_PKEY *dh_key = NULL;
+ case 1024: return get_rfc2409_prime_1024(NULL); + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+ case 1536: return get_rfc3526_prime_1536(NULL);
+ case 2048: return get_rfc3526_prime_2048(NULL);
+ case 3072: return get_rfc3526_prime_3072(NULL);
+ case 4096: return get_rfc3526_prime_4096(NULL);
+ case 6144: return get_rfc3526_prime_6144(NULL);
+ case 8192: return get_rfc3526_prime_8192(NULL);
+ // shouldn't happen when used match_dh_bits; strict compiler
+ default: return NULL;
+ }
+}
+#endif
+ +
+#if !defined(DH_get_dh) + dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
+ // Grab DH parameters + dh_params[1] = OSSL_PARAM_construct_end();
+ DH * +
+ DH_get_dh(int size) + if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0)
+ {
+ DH *dh = DH_new();
+ if (!dh) {
+ return NULL;
+ }
+ dh->p = DH_get_prime(match_dh_bits(size));
+ BN_dec2bn(&dh->g, "2");
+ if (!dh->p || !dh->g)
+ {
+ DH_free(dh);
+ return NULL; + return NULL;
+ EVP_PKEY_generate(pctx, &dh_key);
+ EVP_PKEY_CTX_free(pctx);
+ return dh_key;
+} +}
+ return dh;
+ }
+#endif
+ +
void void
ssl_init(struct vsf_session* p_sess) ssl_init(struct vsf_session* p_sess)
{ {
@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) @@ -72,7 +89,7 @@
{ {
die("SSL: could not allocate SSL context"); die("SSL: could not allocate SSL context");
} }
@ -114,24 +69,24 @@ index c362983..22b69b3 100644
if (!tunable_sslv2) if (!tunable_sslv2)
{ {
options |= SSL_OP_NO_SSLv2; options |= SSL_OP_NO_SSLv2;
@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess) @@ -130,6 +147,25 @@
die("SSL: cannot load DSA private key"); die("SSL: cannot load DSA private key");
} }
} }
+ if (tunable_dh_param_file) + if (tunable_dh_param_file)
+ { + {
+ BIO *bio; + BIO *bio;
+ DH *dhparams = NULL; + EVP_PKEY *dh_params = NULL;
+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) + if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
+ { + {
+ die("SSL: cannot load custom DH params"); + die("SSL: cannot load custom DH params");
+ } + }
+ else + else
+ { + {
+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + dh_params = PEM_read_bio_Parameters(bio, NULL);
+ BIO_free(bio); + BIO_free(bio);
+ +
+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams)) + if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))
+ { + {
+ die("SSL: setting custom DH params failed"); + die("SSL: setting custom DH params failed");
+ } + }
@ -140,35 +95,16 @@ index c362983..22b69b3 100644
if (tunable_ssl_ciphers && if (tunable_ssl_ciphers &&
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
{ {
@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) @@ -184,6 +226,9 @@
/* Ensure cached session doesn't expire */ /* Ensure cached session doesn't expire */
SSL_CTX_set_timeout(p_ctx, INT_MAX); SSL_CTX_set_timeout(p_ctx, INT_MAX);
} }
+ +
+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
+ +
p_sess->p_ssl_ctx = p_ctx; /* Set up ALPN to check for FTP protocol intention of client. */
ssl_inited = 1; SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
} /* Set up SNI callback for an optional hostname check. */
@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
return 1;
}
+#define UNUSED(x) ( (void)(x) )
+
+static DH *
+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
+{
+ // strict compiler bypassing
+ UNUSED(ssl);
+ UNUSED(is_export);
+
+ return DH_get_dh(keylength);
+}
+
void
ssl_add_entropy(struct vsf_session* p_sess)
{
diff --git a/tunables.c b/tunables.c diff --git a/tunables.c b/tunables.c
index c737465..1ea7227 100644 index c737465..1ea7227 100644
--- a/tunables.c --- a/tunables.c

28
SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
Unescape View File

@ -36,28 +36,25 @@ index 22b69b3..96bf8ad 100644
if (!tunable_sslv2) if (!tunable_sslv2)
{ {
options |= SSL_OP_NO_SSLv2; options |= SSL_OP_NO_SSLv2;
@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) @@ -244,6 +244,33 @@
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
+ if (tunable_ecdh_param_file) + if (tunable_ecdh_param_file)
+ { + {
+ BIO *bio; + BIO *bio;
+ int nid; + EVP_PKEY *ec_params = NULL;
+ EC_GROUP *ecparams = NULL;
+ EC_KEY *eckey;
+ +
+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL) + if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
+ die("SSL: cannot load custom ec params"); + die("SSL: cannot load custom ec params");
+ else + else
+ { + {
+ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); + ec_params = PEM_read_bio_Parameters(bio, NULL);
+ BIO_free(bio); + BIO_free(bio);
+ +
+ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) && + if (ec_params != NULL)
+ (eckey = EC_KEY_new_by_curve_name(nid)))
+ { + {
+ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey)) + if (!SSL_CTX_set1_groups_list(p_ctx, ec_params))
+ die("SSL: setting custom EC params failed"); + die("SSL: setting custom EC params failed");
+ } + }
+ else + else
@ -68,16 +65,11 @@ index 22b69b3..96bf8ad 100644
+ } + }
+ else + else
+ { + {
+#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set1_groups_list(p_ctx, "P-256");
+ SSL_CTX_set_ecdh_auto(p_ctx, 1);
+#else
+ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
+#endif
+ } + }
+ /* Set up ALPN to check for FTP protocol intention of client. */
p_sess->p_ssl_ctx = p_ctx; SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
ssl_inited = 1; /* Set up SNI callback for an optional hostname check. */
}
diff --git a/tunables.c b/tunables.c diff --git a/tunables.c b/tunables.c
index 1ea7227..93f85b1 100644 index 1ea7227..93f85b1 100644
--- a/tunables.c --- a/tunables.c

4
SOURCES/0025-Improve-local_max_rate-option.patch
Unescape View File

@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
index eaba265..f1e2f69 100644 index eaba265..f1e2f69 100644
--- a/main.c --- a/main.c
+++ b/main.c +++ b/main.c
@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) @@ -40,7 +40,7 @@
/* Control connection */ /* Control connection */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
/* Data connection */ /* Data connection */
- -1, 0, -1, 0, 0, 0, 0, - -1, 0, -1, 0, 0, 0, 0,
+ -1, 0, -1, 0, 0, 0, 0, 0, + -1, 0, -1, 0, 0, 0, 0, 0,

153
SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Unescape View File

@ -1,153 +0,0 @@
From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 13:36:17 +0100
Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options.
Users can now enable a specific version of TLS protocol.
---
parseconf.c | 2 ++
ssl.c | 8 ++++++++
tunables.c | 9 +++++++--
tunables.h | 2 ++
vsftpd.conf.5 | 24 ++++++++++++++++++++----
5 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/parseconf.c b/parseconf.c
index a2c715b..33a1349 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -85,6 +85,8 @@ parseconf_bool_array[] =
{ "ssl_sslv2", &tunable_sslv2 },
{ "ssl_sslv3", &tunable_sslv3 },
{ "ssl_tlsv1", &tunable_tlsv1 },
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
{ "tilde_user_enable", &tunable_tilde_user_enable },
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
diff --git a/ssl.c b/ssl.c
index 96bf8ad..ba8a613 100644
--- a/ssl.c
+++ b/ssl.c
@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)
{
options |= SSL_OP_NO_TLSv1;
}
+ if (!tunable_tlsv1_1)
+ {
+ options |= SSL_OP_NO_TLSv1_1;
+ }
+ if (!tunable_tlsv1_2)
+ {
+ options |= SSL_OP_NO_TLSv1_2;
+ }
SSL_CTX_set_options(p_ctx, options);
if (tunable_rsa_cert_file)
{
diff --git a/tunables.c b/tunables.c
index 93f85b1..78f2bcd 100644
--- a/tunables.c
+++ b/tunables.c
@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
int tunable_sslv2;
int tunable_sslv3;
int tunable_tlsv1;
+int tunable_tlsv1_1;
+int tunable_tlsv1_2;
int tunable_tilde_user_enable;
int tunable_force_anon_logins_ssl;
int tunable_force_anon_data_ssl;
@@ -209,7 +211,10 @@ tunables_load_defaults()
tunable_force_local_data_ssl = 1;
tunable_sslv2 = 0;
tunable_sslv3 = 0;
+ /* TLSv1 up to TLSv1.2 is enabled by default */
tunable_tlsv1 = 1;
+ tunable_tlsv1_1 = 1;
+ tunable_tlsv1_2 = 1;
tunable_tilde_user_enable = 0;
tunable_force_anon_logins_ssl = 0;
tunable_force_anon_data_ssl = 0;
@@ -292,8 +297,8 @@ tunables_load_defaults()
install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
- &tunable_ssl_ciphers);
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
+ &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
diff --git a/tunables.h b/tunables.h
index 3e2d40c..a466427 100644
--- a/tunables.h
+++ b/tunables.h
@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */
extern int tunable_sslv2; /* Allow SSLv2 */
extern int tunable_sslv3; /* Allow SSLv3 */
extern int tunable_tlsv1; /* Allow TLSv1 */
+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index cf1ae34..a3d569e 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -506,7 +506,7 @@ Default: YES
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit SSL v2 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
Default: NO
.TP
@@ -514,7 +514,7 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit SSL v3 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
Default: NO
.TP
@@ -522,7 +522,23 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit TLS v1 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_1
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_2
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+TLS v1.2 connections are preferred.
Default: YES
.TP
@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: DES-CBC3-SHA
+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
.TP
.B user_config_dir
This powerful option allows the override of any config option specified in
--
2.14.4

74
SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
Unescape View File

@ -1,74 +0,0 @@
From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
Date: Mon, 4 Sep 2017 11:32:03 +0200
Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1
---
ssl.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/ssl.c b/ssl.c
index ba8a613..09ec96a 100644
--- a/ssl.c
+++ b/ssl.c
@@ -88,19 +88,54 @@ static struct mystr debug_str;
}
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
+
#if !defined(DH_get_dh)
// Grab DH parameters
DH *
DH_get_dh(int size)
{
+ BIGNUM *g = NULL;
+ BIGNUM *p = NULL;
DH *dh = DH_new();
if (!dh) {
return NULL;
}
- dh->p = DH_get_prime(match_dh_bits(size));
- BN_dec2bn(&dh->g, "2");
- if (!dh->p || !dh->g)
+ p = DH_get_prime(match_dh_bits(size));
+ BN_dec2bn(&g, "2");
+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g))
{
+ BN_free(g);
+ BN_free(p);
DH_free(dh);
return NULL;
}
--
2.14.4

4
SOURCES/0040-Use-system-wide-crypto-policy.patch
Unescape View File

@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 29 Aug 2017 10:32:16 +0200 Date: Tue, 29 Aug 2017 10:32:16 +0200
Subject: [PATCH 40/59] Use system wide crypto policy Subject: [PATCH 40/59] Use system wide crypto policy
Resolves: rhbz#1483970 Resolves: rhbz#
--- ---
tunables.c | 3 +-- tunables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-) 1 file changed, 1 insertion(+), 2 deletions(-)
@ -16,7 +16,7 @@ index 5440c00..354251c 100644
install_str_setting(0, &tunable_dsa_cert_file); install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting(0, &tunable_dh_param_file); install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file); install_str_setting(0, &tunable_ecdh_param_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", - install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
- &tunable_ssl_ciphers); - &tunable_ssl_ciphers);
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); + install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_rsa_private_key_file);

6
SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
Unescape View File

@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
security precaution as it prevents malicious remote parties forcing a cipher security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with. which they have found problems with.
-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 -Default: DES-CBC3-SHA
+By default, the system-wide crypto policy is used. See +By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8) +.BR update-crypto-policies(8)
+for further details. +for further details.
+ +
+Default: PROFILE=SYSTEM +Default: PROFILE=SYSTEM
.TP .TP
.B user_config_dir .B ssl_sni_hostname
This powerful option allows the override of any config option specified in If set, SSL connections will be rejected unless the SNI hostname in the
-- --
2.14.4 2.14.4

32
SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
Unescape View File

@ -1,32 +0,0 @@
From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
Date: Thu, 21 Dec 2017 14:29:25 +0100
Subject: [PATCH 42/59] When handling FEAT command, check ssl_tlsv1_1 and
ssl_tlsv1_2
Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1
or ssl_tlsv1_2 configuration option is enabled.
The patch was written by Martin Sehnoutka.
Resolves: rhbz#1432054
---
features.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/features.c b/features.c
index 1212980..d024366 100644
--- a/features.c
+++ b/features.c
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
{
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
}
- if (tunable_tlsv1)
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
{
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
}
--
2.14.4

53
SOURCES/0043-Enable-only-TLSv1.2-by-default.patch
Unescape View File

@ -1,53 +0,0 @@
From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
Date: Thu, 21 Dec 2017 16:38:40 +0100
Subject: [PATCH 43/59] Enable only TLSv1.2 by default
Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.
---
tunables.c | 6 +++---
vsftpd.conf.5 | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tunables.c b/tunables.c
index 354251c..9680528 100644
--- a/tunables.c
+++ b/tunables.c
@@ -211,9 +211,9 @@ tunables_load_defaults()
tunable_force_local_data_ssl = 1;
tunable_sslv2 = 0;
tunable_sslv3 = 0;
- /* TLSv1 up to TLSv1.2 is enabled by default */
- tunable_tlsv1 = 1;
- tunable_tlsv1_1 = 1;
+ tunable_tlsv1 = 0;
+ tunable_tlsv1_1 = 0;
+ /* Only TLSv1.2 is enabled by default */
tunable_tlsv1_2 = 1;
tunable_tilde_user_enable = 0;
tunable_force_anon_logins_ssl = 0;
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 2a7662e..df14027 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -539,7 +539,7 @@ Only applies if
is activated. If enabled, this option will permit TLS v1 protocol connections.
TLS v1.2 connections are preferred.
-Default: YES
+Default: NO
.TP
.B ssl_tlsv1_1
Only applies if
@@ -547,7 +547,7 @@ Only applies if
is activated. If enabled, this option will permit TLS v1.1 protocol connections.
TLS v1.2 connections are preferred.
-Default: YES
+Default: NO
.TP
.B ssl_tlsv1_2
Only applies if
--
2.14.4

7
SOURCES/fix-str_open.patch
Unescape View File

@ -1,11 +1,10 @@
diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c --- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200
--- vsftpd-3.0.3.orig/sysstr.c 2020-11-17 09:47:03.872923383 +0100 +++ sysstr.c 2022-07-27 09:54:24.043081352 +0200
+++ vsftpd-3.0.3/sysstr.c 2020-11-17 09:48:41.219754145 +0100
@@ -74,19 +74,11 @@ @@ -74,19 +74,11 @@
int int
str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode) str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
{ {
- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown; - enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
- switch (mode) - switch (mode)
- { - {
- case kVSFSysStrOpenReadOnly: - case kVSFSysStrOpenReadOnly:

225
SOURCES/vsftpd-3.0.3-ALPACA.patch
Unescape View File

@ -1,225 +0,0 @@
diff --git a/parseconf.c b/parseconf.c
index 3729818..ee1b8b4 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -188,6 +188,7 @@ parseconf_str_array[] =
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
{ "ca_certs_file", &tunable_ca_certs_file },
+ { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
{ "cmds_denied", &tunable_cmds_denied },
{ 0, 0 }
};
diff --git a/ssl.c b/ssl.c
index 09ec96a..51345f8 100644
--- a/ssl.c
+++ b/ssl.c
@@ -41,6 +41,13 @@ static long bio_callback(
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+static int ssl_alpn_callback(SSL* p_ssl,
+ const unsigned char** p_out,
+ unsigned char* outlen,
+ const unsigned char* p_in,
+ unsigned int inlen,
+ void* p_arg);
+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
static int ssl_cert_digest(
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -286,6 +293,12 @@ ssl_init(struct vsf_session* p_sess)
}
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+ /* Set up ALPN to check for FTP protocol intention of client. */
+ SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+ /* Set up SNI callback for an optional hostname check. */
+ SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
+ SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
+
if (tunable_ecdh_param_file)
{
@@ -870,6 +883,132 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
return DH_get_dh(keylength);
}
+static int
+ssl_alpn_callback(SSL* p_ssl,
+ const unsigned char** p_out,
+ unsigned char* outlen,
+ const unsigned char* p_in,
+ unsigned int inlen,
+ void* p_arg) {
+ unsigned int i;
+ struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+ int is_ok = 0;
+
+ (void) p_ssl;
+
+ /* Initialize just in case. */
+ *p_out = p_in;
+ *outlen = 0;
+
+ for (i = 0; i < inlen; ++i) {
+ unsigned int left = (inlen - i);
+ if (left < 4) {
+ continue;
+ }
+ if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
+ p_in[i + 3] == 'p')
+ {
+ is_ok = 1;
+ *p_out = &p_in[i + 1];
+ *outlen = 3;
+ break;
+ }
+ }
+
+ if (!is_ok)
+ {
+ str_alloc_text(&debug_str, "ALPN rejection");
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+ if (!is_ok || tunable_debug_ssl)
+ {
+ str_alloc_text(&debug_str, "ALPN data: ");
+ for (i = 0; i < inlen; ++i) {
+ str_append_char(&debug_str, p_in[i]);
+ }
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+
+ if (is_ok)
+ {
+ return SSL_TLSEXT_ERR_OK;
+ }
+ else
+ {
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+}
+
+static long
+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
+{
+ static struct mystr s_sni_expected_hostname;
+ static struct mystr s_sni_received_hostname;
+
+ int servername_type;
+ const char* p_sni_servername;
+ struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+ int is_ok = 0;
+
+ (void) p_ssl;
+ (void) p_arg;
+
+ if (tunable_ssl_sni_hostname)
+ {
+ str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
+ }
+
+ /* The OpenSSL documentation says it is pre-initialized like this, but set
+ * it just in case.
+ */
+ *p_al = SSL_AD_UNRECOGNIZED_NAME;
+
+ servername_type = SSL_get_servername_type(p_ssl);
+ p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
+ if (p_sni_servername != NULL) {
+ str_alloc_text(&s_sni_received_hostname, p_sni_servername);
+ }
+
+ if (str_isempty(&s_sni_expected_hostname))
+ {
+ is_ok = 1;
+ }
+ else if (servername_type != TLSEXT_NAMETYPE_host_name)
+ {
+ /* Fail. */
+ str_alloc_text(&debug_str, "SNI bad type: ");
+ str_append_ulong(&debug_str, servername_type);
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+ else
+ {
+ if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
+ {
+ is_ok = 1;
+ }
+ else
+ {
+ str_alloc_text(&debug_str, "SNI rejection");
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+ }
+
+ if (!is_ok || tunable_debug_ssl)
+ {
+ str_alloc_text(&debug_str, "SNI hostname: ");
+ str_append_str(&debug_str, &s_sni_received_hostname);
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+
+ if (is_ok)
+ {
+ return SSL_TLSEXT_ERR_OK;
+ }
+ else
+ {
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+}
void
ssl_add_entropy(struct vsf_session* p_sess)
diff --git a/tunables.c b/tunables.c
index c96c1ac..d8dfcde 100644
--- a/tunables.c
+++ b/tunables.c
@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
const char* tunable_ca_certs_file;
+const char* tunable_ssl_sni_hostname;
static void install_str_setting(const char* p_value, const char** p_storage);
@@ -309,6 +310,7 @@ tunables_load_defaults()
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
+ install_str_setting(0, &tunable_ssl_sni_hostname);
}
void
diff --git a/tunables.h b/tunables.h
index 8d50150..de6cab0 100644
--- a/tunables.h
+++ b/tunables.h
@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
extern const char* tunable_ca_certs_file;
+extern const char* tunable_ssl_sni_hostname;
extern const char* tunable_cmds_denied;
#endif /* VSF_TUNABLES_H */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 815773f..7006287 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1128,6 +1128,12 @@ for further details.
Default: PROFILE=SYSTEM
.TP
+.B ssl_sni_hostname
+If set, SSL connections will be rejected unless the SNI hostname in the
+incoming handshakes matches this value.
+
+Default: (none)
+.TP
.B user_config_dir
This powerful option allows the override of any config option specified in
the manual page, on a per-user basis. Usage is simple, and is best illustrated

96
SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
Unescape View File

@ -1,96 +0,0 @@
diff --git a/features.c b/features.c
index d024366..3a60b88 100644
--- a/features.c
+++ b/features.c
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
{
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
}
- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
{
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
}
diff --git a/parseconf.c b/parseconf.c
index ee1b8b4..5188088 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -87,6 +87,7 @@ parseconf_bool_array[] =
{ "ssl_tlsv1", &tunable_tlsv1 },
{ "ssl_tlsv1_1", &tunable_tlsv1_1 },
{ "ssl_tlsv1_2", &tunable_tlsv1_2 },
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
{ "tilde_user_enable", &tunable_tilde_user_enable },
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
diff --git a/ssl.c b/ssl.c
index 51345f8..d5d4a21 100644
--- a/ssl.c
+++ b/ssl.c
@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
{
options |= SSL_OP_NO_TLSv1_2;
}
+ if (!tunable_tlsv1_3)
+ {
+ options |= SSL_OP_NO_TLSv1_3;
+ }
SSL_CTX_set_options(p_ctx, options);
if (tunable_rsa_cert_file)
{
diff --git a/tunables.c b/tunables.c
index d8dfcde..dc001ac 100644
--- a/tunables.c
+++ b/tunables.c
@@ -68,6 +68,7 @@ int tunable_sslv3;
int tunable_tlsv1;
int tunable_tlsv1_1;
int tunable_tlsv1_2;
+int tunable_tlsv1_3;
int tunable_tilde_user_enable;
int tunable_force_anon_logins_ssl;
int tunable_force_anon_data_ssl;
@@ -218,8 +219,9 @@ tunables_load_defaults()
tunable_sslv3 = 0;
tunable_tlsv1 = 0;
tunable_tlsv1_1 = 0;
- /* Only TLSv1.2 is enabled by default */
+ /* Only TLSv1.2 and TLSv1.3 are enabled by default */
tunable_tlsv1_2 = 1;
+ tunable_tlsv1_3 = 1;
tunable_tilde_user_enable = 0;
tunable_force_anon_logins_ssl = 0;
tunable_force_anon_data_ssl = 0;
diff --git a/tunables.h b/tunables.h
index de6cab0..ff0eebc 100644
--- a/tunables.h
+++ b/tunables.h
@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */
extern int tunable_tlsv1; /* Allow TLSv1 */
extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
+extern int tunable_tlsv1_3; /* Allow TLSv1.3 */
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 7006287..d181e50 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -587,7 +587,15 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit TLS v1.2 protocol connections.
-TLS v1.2 connections are preferred.
+TLS v1.2 and TLS v1.3 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_3
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
+TLS v1.2 and TLS v1.3 connections are preferred.
Default: YES
.TP

139
SOURCES/vsftpd-3.0.5-repalce-old-network-addr-functions.patch
Unescape View File

@ -0,0 +1,139 @@
diff -urN vsftpd-3.0.5-orig/postlogin.c vsftpd-3.0.5/postlogin.c
--- vsftpd-3.0.5-orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200
+++ vsftpd-3.0.5/postlogin.c 2023-02-13 16:34:05.244467476 +0100
@@ -27,4 +27,6 @@
#include "ssl.h"
#include "vsftpver.h"
+#include <netdb.h>
+#include <arpa/inet.h>
#include "opts.h"
@@ -628,9 +629,10 @@
else
{
const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr);
+ static char result[INET_ADDRSTRLEN];
if (p_v4addr)
{
- str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr));
+ str_append_text(&s_pasv_res_str, inet_ntop(AF_INET, p_v4addr, result, INET_ADDRSTRLEN));
}
else
{
diff -urN vsftpd-3.0.5-orig/sysutil.c vsftpd-3.0.5/sysutil.c
--- vsftpd-3.0.5-orig/sysutil.c 2012-09-16 09:07:38.000000000 +0200
+++ vsftpd-3.0.5/sysutil.c 2023-02-13 16:08:58.557153109 +0100
@@ -2205,20 +2205,13 @@
const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr;
if (p_sockaddr->sa_family == AF_INET)
{
- return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr);
+ static char result[INET_ADDRSTRLEN];
+ return inet_ntop(AF_INET, &p_sockptr->u.u_sockaddr_in.sin_addr, result, INET_ADDRSTRLEN);
}
else if (p_sockaddr->sa_family == AF_INET6)
{
- static char inaddr_buf[64];
- const char* p_ret = inet_ntop(AF_INET6,
- &p_sockptr->u.u_sockaddr_in6.sin6_addr,
- inaddr_buf, sizeof(inaddr_buf));
- inaddr_buf[sizeof(inaddr_buf) - 1] = '\0';
- if (p_ret == NULL)
- {
- inaddr_buf[0] = '\0';
- }
- return inaddr_buf;
+ static char result[INET6_ADDRSTRLEN];
+ return inet_ntop(AF_INET6, &p_sockptr->u.u_sockaddr_in6.sin6_addr, result, INET6_ADDRSTRLEN);
}
else
{
@@ -2227,12 +2220,6 @@
}
}
-const char*
-vsf_sysutil_inet_ntoa(const void* p_raw_addr)
-{
- return inet_ntoa(*((struct in_addr*)p_raw_addr));
-}
-
int
vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr)
{
@@ -2241,7 +2228,7 @@
{
bug("bad family");
}
- if (inet_aton(p_text, &sin_addr))
+ if (inet_pton(AF_INET, p_text, &sin_addr))
{
vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr,
&sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr));
@@ -2257,37 +2244,46 @@
vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
const char* p_name)
{
- struct hostent* hent = gethostbyname(p_name);
- if (hent == NULL)
+ struct addrinfo *result;
+ struct addrinfo hints;
+ int ret;
+
+ memset(&hints, 0, sizeof(struct addrinfo));
+ hints.ai_family = AF_UNSPEC;
+
+ if ((ret = getaddrinfo(p_name, NULL, &hints, &result)) != 0)
{
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
die2("cannot resolve host:", p_name);
}
vsf_sysutil_sockaddr_clear(p_sockptr);
- if (hent->h_addrtype == AF_INET)
+ if (result->ai_family == AF_INET)
{
- unsigned int len = hent->h_length;
+ unsigned int len = result->ai_addrlen;
if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr))
{
len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr);
}
vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr);
vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr,
- hent->h_addr_list[0], len);
+ &result->ai_addrlen, len);
}
- else if (hent->h_addrtype == AF_INET6)
+ else if (result->ai_family == AF_INET6)
{
- unsigned int len = hent->h_length;
+ unsigned int len = result->ai_addrlen;
if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr))
{
len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr);
}
vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr);
vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr,
- hent->h_addr_list[0], len);
+ &result->ai_addrlen, len);
}
else
{
- die("gethostbyname(): neither IPv4 nor IPv6");
+ freeaddrinfo(result);
+ die("getaddrinfo(): neither IPv4 nor IPv6");
}
+ freeaddrinfo(result);
}
diff -urN vsftpd-3.0.5-orig/sysutil.h vsftpd-3.0.5/sysutil.h
--- vsftpd-3.0.5-orig/sysutil.h 2021-05-18 08:50:21.000000000 +0200
+++ vsftpd-3.0.5/sysutil.h 2023-02-13 15:59:22.088331075 +0100
@@ -277,7 +277,6 @@
const char* vsf_sysutil_inet_ntop(
const struct vsf_sysutil_sockaddr* p_sockptr);
-const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr);
int vsf_sysutil_inet_aton(
const char* p_text, struct vsf_sysutil_sockaddr* p_addr);

70
SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
Unescape View File

@ -0,0 +1,70 @@
diff --git a/ssl.c b/ssl.c
--- ssl.c
+++ ssl.c
@@ -28,17 +28,17 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/param_build.h>
#include <errno.h>
#include <limits.h>
static char* get_ssl_error();
static SSL* get_ssl(struct vsf_session* p_sess, int fd);
static int ssl_session_init(struct vsf_session* p_sess);
static void setup_bio_callbacks();
static long bio_callback(
- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
+ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed);
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
static int ssl_alpn_callback(SSL* p_ssl,
const unsigned char** p_out,
@@ -88,7 +88,7 @@
long options;
int verify_option = 0;
SSL_library_init();
- p_ctx = SSL_CTX_new(SSLv23_server_method());
+ p_ctx = SSL_CTX_new_ex(NULL, NULL, SSLv23_server_method());
if (p_ctx == NULL)
{
die("SSL: could not allocate SSL context");
@@ -180,13 +180,10 @@
die("SSL: RNG is not seeded");
}
{
- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (key == NULL)
+ if (!SSL_CTX_set1_groups_list(p_ctx, "P-256"))
{
die("SSL: failed to get curve p256");
}
- SSL_CTX_set_tmp_ecdh(p_ctx, key);
- EC_KEY_free(key);
}
if (tunable_ssl_request_cert)
{
@@ -692,17 +689,19 @@
static void setup_bio_callbacks(SSL* p_ssl)
{
BIO* p_bio = SSL_get_rbio(p_ssl);
- BIO_set_callback(p_bio, bio_callback);
+ BIO_set_callback_ex(p_bio, bio_callback);
p_bio = SSL_get_wbio(p_ssl);
- BIO_set_callback(p_bio, bio_callback);
+ BIO_set_callback_ex(p_bio, bio_callback);
}
static long
bio_callback(
- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret)
+ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed)
{
int retval = 0;
int fd = 0;
+ (void) len;
+ (void) processed;
(void) p_arg;
(void) argi;
(void) argl;

15
SOURCES/vsftpd-3.0.5-use-old-tlsv-options.patch
Unescape View File

@ -0,0 +1,15 @@
--- parseconf-orig.c 2022-10-25 15:17:18.990701984 +0200
+++ parseconf.c 2022-10-25 15:12:44.213480000 +0200
@@ -85,9 +85,9 @@
{ "ssl_sslv2", &tunable_sslv2 },
{ "ssl_sslv3", &tunable_sslv3 },
{ "ssl_tlsv1", &tunable_tlsv1 },
- { "ssl_tlsv11", &tunable_tlsv1_1 },
- { "ssl_tlsv12", &tunable_tlsv1_2 },
- { "ssl_tlsv13", &tunable_tlsv1_3 },
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
{ "tilde_user_enable", &tunable_tilde_user_enable },
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },

33
SPECS/vsftpd.spec
Unescape View File

@ -1,8 +1,8 @@
%global _generatorsdir %{_prefix}/lib/systemd/system-generators %global _generatorsdir %{_prefix}/lib/systemd/system-generators
Name: vsftpd Name: vsftpd
Version: 3.0.3 Version: 3.0.5
Release: 49%{?dist} Release: 4%{?dist}
Summary: Very Secure Ftp Daemon Summary: Very Secure Ftp Daemon
# OpenSSL link exception # OpenSSL link exception
@ -61,17 +61,16 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch #Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
Patch40: 0040-Use-system-wide-crypto-policy.patch Patch40: 0040-Use-system-wide-crypto-policy.patch
Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch #Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
Patch43: 0043-Enable-only-TLSv1.2-by-default.patch #Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@ -97,10 +96,10 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
Patch68: 0002-Drop-an-unused-global-variable.patch Patch68: 0002-Drop-an-unused-global-variable.patch
Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
Patch70: fix-str_open.patch Patch70: fix-str_open.patch
# upstream commits 56402c0, 8b82e73 rhbz#1948570
Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
Patch72: vsftpd-3.0.3-ALPACA.patch Patch72: vsftpd-3.0.5-use-old-tlsv-options.patch
Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch Patch73: vsftpd-3.0.5-repalce-old-network-addr-functions.patch
Patch74: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
%description %description
vsftpd is a Very Secure FTP daemon. It was written completely from vsftpd is a Very Secure FTP daemon. It was written completely from
@ -173,6 +172,22 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
%{_var}/ftp %{_var}/ftp
%changelog %changelog
* Mon Feb 13 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-4
- add patch to replace deprecated Openssl functions
- Resolves: rhbz#1981411
* Mon Feb 06 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-3
- add patch to replace old network functions
- Resolves: rhbz#1951545
* Fri Nov 11 2022 Richard Lescak <rlescak@redhat.com> - 3.0.5-2
- reintroduce patch for support of wide-character strings in logs
- Related: rhbz#2018284
* Wed Oct 26 2022 Richard Lescak <rlescak@redhat.com> - 3.0.5-1
- rebase to version 3.0.5
- Resolves: rhbz#2018284
* Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49 * Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
- add option to disable TLSv1.3 - add option to disable TLSv1.3
- Resolves: rhbz#1954682 - Resolves: rhbz#1954682

Write Preview
Loading…
Cancel
Save