From 885240479d5e7081b1546cbdd1cf95d5c340e18f Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 5 Nov 2025 07:48:02 +0000
Subject: [PATCH] Import from CS git

---
 SOURCES/lftp-4.8.4-tls-close-timer.patch | 126 +++++++++++++++++++++++
 SPECS/lftp.spec | 8 +-
 2 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/lftp-4.8.4-tls-close-timer.patch

diff --git a/SOURCES/lftp-4.8.4-tls-close-timer.patch b/SOURCES/lftp-4.8.4-tls-close-timer.patch
new file mode 100644
index 0000000..1f5a67f
--- /dev/null
+++ b/SOURCES/lftp-4.8.4-tls-close-timer.patch
@@ -0,0 +1,126 @@
+From 2784cae1d18370acdc13f2bf660c59cd15764d7b Mon Sep 17 00:00:00 2001
+From: Michal Ruprich
+Date: Thu, 25 Sep 2025 17:28:54 +0200
+Subject: [PATCH] Improving TLS communication with a timer
+
+---
+ src/buffer_ssl.h | 1 +
+ src/ftpclass.cc | 4 +++-
+ src/lftp_ssl.cc | 20 +++++++++++++++-----
+ src/lftp_ssl.h | 2 ++
+ src/network.cc | 5 +++++
+ src/network.h | 1 +
+ 6 files changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/src/buffer_ssl.h b/src/buffer_ssl.h
+index 8915066dc..51080b268 100644
+--- a/src/buffer_ssl.h
++++ b/src/buffer_ssl.h
+@@ -21,6 +21,7 @@
+ #define BUFFER_SSL_H
+ 
+ #include "buffer.h"
++#include "Timer.h"
+ 
+ #if USE_SSL
+ #include "lftp_ssl.h"
+diff --git a/src/ftpclass.cc b/src/ftpclass.cc
+index eb5d0186b..0321a1347 100644
+--- a/src/ftpclass.cc
++++ b/src/ftpclass.cc
+@@ -4872,8 +4872,10 @@ void Ftp::Reconfig(const char *name)
+ 
+ if(conn && conn->control_sock!=-1)
+ SetSocketBuffer(conn->control_sock);
+- if(conn && conn->data_sock!=-1)
++ if(conn && conn->data_sock!=-1) {
+ SetSocketBuffer(conn->data_sock);
++ SetTCPNodelay(conn->data_sock);
++ }
+ if(conn && conn->data_iobuf && rate_limit)
+ rate_limit->SetBufferSize(conn->data_iobuf,max_buf);
+ }
+diff --git a/src/lftp_ssl.cc b/src/lftp_ssl.cc
+index f53edf249..74f3e390e 100644
+--- a/src/lftp_ssl.cc
++++ b/src/lftp_ssl.cc
+@@ -356,16 +356,26 @@ int lftp_ssl_gnutls::shutdown()
+ {
+ int res;
+ if(handshake_done) {
++ // Certain SSL implementations do not reply us with
++ // close_notify that is why we must not wait for it
++ // indefinetely
++ if (ssl_shutdown_timer && ssl_shutdown_timer->Stopped()) {
++ Log::global->Format(9,"TLS Timer ran out, considering channel closed\n");
++ goodbye_done = true;
++ return DONE;
++ }
+ res = gnutls_bye(session,GNUTLS_SHUT_RDWR);
+ if (res == GNUTLS_E_SUCCESS) {
++ if (ssl_shutdown_timer) {
++ ssl_shutdown_timer->Stop();
++ Log::global->Format(9,"Stopping TLS close timer\n");
++ }
+ goodbye_done = true;
+ return DONE;
+ } else if (res == GNUTLS_E_AGAIN || res == GNUTLS_E_INTERRUPTED) {
+- /* In ideal world we would not need this if, but windows does not
+- * send close-notify, so do not wait on server close-notify */
+- if (gnutls_record_get_direction(session) == 0) {
+- goodbye_done = true;
+- return DONE;
++ if (!ssl_shutdown_timer) {
++ ssl_shutdown_timer = new Timer(0, 200);
++ Log::global->Format(9,"Starting TLS close timer\n");
+ }
+ return RETRY;
+ }
+diff --git a/src/lftp_ssl.h b/src/lftp_ssl.h
+index 9b2a615fb..c8492e45f 100644
+--- a/src/lftp_ssl.h
++++ b/src/lftp_ssl.h
+@@ -33,6 +33,7 @@
+ 
+ #include "Ref.h"
+ #include "xstring.h"
++#include "Timer.h"
+ 
+ class lftp_ssl_base
+ {
+@@ -92,6 +93,7 @@ class lftp_ssl_gnutls : public lftp_ssl_base
+ static Ref instance;
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t cred;
++ Ref ssl_shutdown_timer;
+ void verify_certificate_chain(const gnutls_datum_t *cert_chain,int cert_chain_length);
+ int do_handshake();
+ bool check_fatal(int res);
+diff --git a/src/network.cc b/src/network.cc
+index cf26089eb..454e6609a 100644
+--- a/src/network.cc
++++ b/src/network.cc
+@@ -264,6 +264,11 @@ void Networker::SetSocketMaxseg(int sock,int socket_maxseg)
+ ProtoLog::LogError(1,"setsockopt(TCP_MAXSEG,%d): %s",socket_maxseg,strerror(errno));
+ #endif
+ }
++void Networker::SetTCPNodelay(int sock)
++{
++ if(-1==setsockopt(sock, SOL_TCP, TCP_NODELAY, &one, sizeof(one)))
++ ProtoLog::LogError(1,"setsockopt(TCP_NODELAY): %s", strerror(errno));
++}
+ 
+ int Networker::SocketCreateUnbound(int af,int type,int proto,const char *hostname)
+ {
+diff --git a/src/network.h b/src/network.h
+index 10d99227d..0e84edb99 100644
+--- a/src/network.h
++++ b/src/network.h
+@@ -132,6 +132,7 @@ class Networker
+ static int SocketAccept(int fd,sockaddr_u *u,const char *hostname=0);
+ static void SetSocketBuffer(int sock,int socket_buffer);
+ static void SetSocketMaxseg(int sock,int socket_maxseg);
++ static void SetTCPNodelay(int sock);
+ static void SocketBindStd(int s,int af,const char *hostname,int port=0);
+ static int SocketCreate(int af,int type,int proto,const char *hostname);
+ static void SocketTuneTCP(int s,const char *hostname);
diff --git a/SPECS/lftp.spec b/SPECS/lftp.spec
index 5fcc322..ae8a917 100644
--- a/SPECS/lftp.spec
+++ b/SPECS/lftp.spec
@@ -1,7 +1,7 @@
 Summary: A sophisticated file transfer program
 Name: lftp
 Version: 4.8.4
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Source0: http://lftp.yar.ru/ftp/%{name}-%{version}.tar.xz
@@ -15,6 +15,7 @@ Patch1: lftp-4.0.9-date_fmt.patch
 Patch2: lftp-4.8.4-ssh-prompt.patch
 Patch3: lftp-4.8.4-re-newed-cert.patch
 Patch4: lftp-4.8.4-tls-close.patch
+Patch5: lftp-4.8.4-tls-close-timer.patch
 
 %description
 LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job
@@ -38,6 +39,7 @@ Utility scripts for use with lftp.
 %patch2 -p1 -b .ssh-prompt
 %patch3 -p1 -b .re-newed-cert
 %patch4 -p1 -b .tls-close
+%patch5 -p1 -b .tls-close-timer
 
 #sed -i.rpath -e '/lftp_cv_openssl/s|-R.*lib||' configure
 sed -i.norpath -e \
@@ -107,6 +109,10 @@ rm -rf $RPM_BUILD_ROOT
 
 %changelog
+* Thu Oct 02 2025 Michal Ruprich - 4.8.4-7
+- Adding a timeout for TLS close
+- Resolves: RHEL-108115 - "cannot seek on data source" in TLS lftp sessions
+
 * Fri Jul 04 2025 Tomas Korbar - 4.8.4-6
 - Do not wait for server close-notify on TLS close
 - Resolves: RHEL-99571
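Review bot: The timeout branch added at the top of `lftp_ssl_gnutls::shutdown()` returns DONE with `goodbye_done` set once the timer started in the EAGAIN/EINTR branch has expired, so a peer that never sends close_notify is treated exactly like a clean close and the TLS layer can no longer distinguish a truncated stream from EOF on that connection; the `gnutls_record_get_direction(session) == 0` shortcut this hunk removes had the same property, so this is a trade-off to document rather than a regression, e.g. `// No close_notify within the timeout: treat the channel as closed. Truncation is not detectable at the TLS layer from here; completion must be judged by the caller.` The 200 in `new Timer(0, 200)` should be a named constant (e.g. `static const int ssl_shutdown_timeout_ms = 200;`) and the new comment has typos (`indefinetely` → `indefinitely`, `do not reply us with` → `do not reply with`). In `Networker::SetTCPNodelay`, `SOL_TCP` is a Linux-specific level where `IPPROTO_TCP` is the portable spelling, `one` must be a file-scope value defined in network.cc outside this hunk (worth confirming it exists under that name), and `SocketTuneTCP`, declared just below the new prototype in network.h, may already apply TCP_NODELAY, in which case the new helper duplicates it. The `#include "Timer.h"` added to buffer_ssl.h has no visible use in that file, while lftp_ssl.h, which declares the `Ref ssl_shutdown_timer` member (its template argument appears stripped on this page, presumably `Ref<Timer>`), already gains the include. The body of `shutdown()` continues past the end of its hunk.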