5 changed files with 45 additions and 343 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/lftp-4.8.4.tar.xz
+SOURCES/lftp-4.9.2.tar.xz
--- a/.lftp.metadata
+++ b/.lftp.metadata
@ -0,0 +1 @@
 e1c7936fef725c9e9c5ccccc30f73f9a9f781115 SOURCES/lftp-4.9.2.tar.xz
--- a/SOURCES/lftp-4.8.4-re-newed-cert.patch
+++ b/SOURCES/lftp-4.8.4-re-newed-cert.patch
@ -1,261 +0,0 @@
 From fd40ee3542d877c37ff129d5c9b02df21d20c6a0 Mon Sep 17 00:00:00 2001
 From: Miao Wang <shankerwangmiao@gmail.com>
 Date: Sat, 9 Oct 2021 18:13:30 +0800
 Subject: [PATCH] Use gnutls_certificate_verify_peers2 to verify server
 certificates
 Fixes: #641
 Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
 ---
 src/lftp_ssl.cc | 207 +++++++++++-------------------------------------
 src/lftp_ssl.h  |   2 -
 2 files changed, 48 insertions(+), 161 deletions(-)
 diff --git a/src/lftp_ssl.cc b/src/lftp_ssl.cc
 index 968d3fb26..26e91e4b9 100644
 --- a/src/lftp_ssl.cc
 +++ b/src/lftp_ssl.cc
@@ -338,6 +338,16 @@ void lftp_ssl_gnutls::load_keys()
       if(res<0)
 	 Log::global->Format(0,"gnutls_certificate_set_x509_key_file(%s,%s): %s\n",cert_file,key_file,gnutls_strerror(res));
    }
 +   res = gnutls_certificate_set_x509_trust(cred, instance->ca_list, instance->ca_list_size);
 +   if(res < 0)
 +      Log::global->Format(0, "gnutls_certificate_set_x509_trust: %s\n", gnutls_strerror(res));
 +   else
 +      Log::global->Format(9, "Loaded %d CAs\n", res);
 +   res = gnutls_certificate_set_x509_crl(cred, instance->crl_list, instance->crl_list_size);
 +   if(res < 0)
 +      Log::global->Format(0, "gnutls_certificate_set_x509_crl: %s\n", gnutls_strerror(res));
 +   else
 +      Log::global->Format(9, "Loaded %d CRLs\n", res);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
 }
 void lftp_ssl_gnutls::shutdown()
@@ -358,174 +368,53 @@ lftp_ssl_gnutls::~lftp_ssl_gnutls()
  */
 void lftp_ssl_gnutls::verify_certificate_chain(const gnutls_datum_t *cert_chain,int cert_chain_length)
 {
 -   int i;
 -   gnutls_x509_crt_t *cert=(gnutls_x509_crt_t*)alloca(cert_chain_length*sizeof(gnutls_x509_crt_t));
 -
 -   /* Import all the certificates in the chain to
 -    * native certificate format.
 -    */
 -   for (i = 0; i < cert_chain_length; i++)
 -   {
 -      gnutls_x509_crt_init(&cert[i]);
 -      gnutls_x509_crt_import(cert[i],&cert_chain[i],GNUTLS_X509_FMT_DER);
 +   int err;
 +   unsigned int status;
 +
 +   gnutls_x509_crt_t leaf_cert;
 +   err = gnutls_x509_crt_init(&leaf_cert);
 +   if(err < 0){
 +     set_cert_error(xstring::format("GnuTLS Error: %s", gnutls_strerror(err)), NULL);
 +     goto err_out;
    }
 -
 -   /* Now verify the certificates against their issuers
 -    * in the chain.
 -    */
 -   for (i = 1; i < cert_chain_length; i++)
 -      verify_cert2(cert[i - 1], cert[i]);
 -
 -    /* Here we must verify the last certificate in the chain against
 -     * our trusted CA list.
 -     */
 -   verify_last_cert(cert[cert_chain_length - 1]);
 -
 -   /* Check if the name in the first certificate matches our destination!
 -    */
 -   bool check_hostname = ResMgr::QueryBool("ssl:check-hostname", hostname);
 -   if(check_hostname) {
 -      if(!gnutls_x509_crt_check_hostname(cert[0], hostname))
 -	 set_cert_error(xstring::format("certificate common name doesn't match requested host name %s",quote(hostname)),get_fp(cert[0]));
 -   } else {
 -      Log::global->Format(0, "WARNING: Certificate verification: hostname checking disabled\n");
 +   gnutls_x509_crt_import(leaf_cert, &cert_chain[0], GNUTLS_X509_FMT_DER);
 +   if(err < 0){
 +     set_cert_error(xstring::format("GnuTLS Error: %s", gnutls_strerror(err)), NULL);
 +     goto deinit_cert;
    }
 -   for (i = 0; i < cert_chain_length; i++)
 -      gnutls_x509_crt_deinit(cert[i]);
 -}
 -
 -
 -/* Verifies a certificate against an other certificate
 - * which is supposed to be it's issuer. Also checks the
 - * crl_list if the certificate is revoked.
 - */
 -void lftp_ssl_gnutls::verify_cert2(gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer)
 -{
 -   int ret;
 -   time_t now = SMTask::now;
 -   size_t name_size;
 -   char name[256];
 -
 -   /* Print information about the certificates to
 -    * be checked.
 -    */
 -   name_size = sizeof(name);
 -   gnutls_x509_crt_get_dn(crt, name, &name_size);
 -
 -   Log::global->Format(9, "Certificate: %s\n", name);
 -
 -   name_size = sizeof(name);
 -   gnutls_x509_crt_get_issuer_dn(crt, name, &name_size);
 -
 -   Log::global->Format(9, " Issued by:        %s\n", name);
 -
 -   /* Get the DN of the issuer cert.
 -    */
 -   name_size = sizeof(name);
 -   gnutls_x509_crt_get_dn(issuer, name, &name_size);
 -
 -   Log::global->Format(9, " Checking against: %s\n", name);
 -
 -   /* Do the actual verification.
 -    */
 -   unsigned crt_status=0;
 -   unsigned issuer_status=0;
 -   gnutls_x509_crt_verify(crt, &issuer, 1, 0, &crt_status);
 -   if(crt_status&GNUTLS_CERT_SIGNER_NOT_CA)
 -   {
 -      // recheck the issuer certificate against CA
 -      gnutls_x509_crt_verify(issuer, instance->ca_list, instance->ca_list_size, 0, &issuer_status);
 -      if(issuer_status==0)
 -	 crt_status&=~GNUTLS_CERT_SIGNER_NOT_CA;
 -      if(crt_status==GNUTLS_CERT_INVALID)
 -	 crt_status=0;
 +   err = gnutls_certificate_verify_peers2 (session, &status);
 +   if(err < 0){
 +     set_cert_error(xstring::format("Cerificate Verification Error: %s", gnutls_strerror(err)), get_fp(leaf_cert));
 +     goto deinit_cert;
    }
 -   if (crt_status & GNUTLS_CERT_INVALID)
 -   {
 -      char msg[256];
 -      strcpy(msg,"Not trusted");
 -      if(crt_status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 -	 strcat(msg,": no issuer was found");
 -      if(crt_status & GNUTLS_CERT_SIGNER_NOT_CA)
 -	 strcat(msg,": issuer is not a CA");
 -      set_cert_error(msg,get_fp(crt));
 -   }
 -   else
 -      Log::global->Format(9, "  Trusted\n");
 -
 -    /* Now check the expiration dates.
 -     */
 -    if (gnutls_x509_crt_get_activation_time(crt) > now)
 -	set_cert_error("Not yet activated",get_fp(crt));
 -
 -    if (gnutls_x509_crt_get_expiration_time(crt) < now)
 -	set_cert_error("Expired",get_fp(crt));
 -
 -    /* Check if the certificate is revoked.
 -     */
 -    ret = gnutls_x509_crt_check_revocation(crt, instance->crl_list, instance->crl_list_size);
 -    if (ret == 1) {		/* revoked */
 -	set_cert_error("Revoked",get_fp(crt));
 -    }
 -}
 -
 -
 -/* Verifies a certificate against the trusted CA list.
 - * Also checks the crl_list if the certificate is revoked.
 - */
 -void lftp_ssl_gnutls::verify_last_cert(gnutls_x509_crt_t crt)
 -{
 -   unsigned int crt_status;
 -   int ret;
 -   time_t now = SMTask::now;
 -   size_t name_size;
 -   char name[256];
 -
 -   /* Print information about the certificates to
 -    * be checked.
 -    */
 -   name_size = sizeof(name);
 -   gnutls_x509_crt_get_dn(crt, name, &name_size);
 -
 -   Log::global->Format(9, "Certificate: %s\n", name);
 -
 -   name_size = sizeof(name);
 -   gnutls_x509_crt_get_issuer_dn(crt, name, &name_size);
 -
 -   Log::global->Format(9, " Issued by: %s\n", name);
 -
 -   /* Do the actual verification.
 -    */
 -   gnutls_x509_crt_verify(crt, instance->ca_list, instance->ca_list_size, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &crt_status);
 -
 -   if (crt_status & GNUTLS_CERT_INVALID)
 -   {
 -      char msg[256];
 -      strcpy(msg,"Not trusted");
 -      if (crt_status & GNUTLS_CERT_SIGNER_NOT_CA)
 -	 strcat(msg,": Issuer is not a CA");
 -      set_cert_error(msg,get_fp(crt));
 +   if(status != 0){
 +     gnutls_datum_t reason;
 +     err = gnutls_certificate_verification_status_print(status, gnutls_certificate_type_get(session), &reason, 0);
 +     if(err < 0){
 +       set_cert_error(xstring::format("Cerificate Verification Error: %s", gnutls_strerror(err)), get_fp(leaf_cert));
 +       goto deinit_cert;
 +     }
 +     set_cert_error((const char*)reason.data, get_fp(leaf_cert));
 +     gnutls_free(reason.data);
 +     goto deinit_cert;
    }
 -   else
 -      Log::global->Format(9, "  Trusted\n");
 +   if(ResMgr::QueryBool("ssl:check-hostname", hostname)) {
 +      if(!gnutls_x509_crt_check_hostname(leaf_cert, hostname)){
 +         set_cert_error(xstring::format("certificate common name doesn't match requested host name %s",quote(hostname)),get_fp(leaf_cert));
 +         goto deinit_cert;
 +      }
 +   } else {
 +      Log::global->Format(0, "WARNING: Certificate verification: hostname checking disabled\n");
 +   }
 -   /* Now check the expiration dates.
 -    */
 -   if(gnutls_x509_crt_get_activation_time(crt) > now)
 -      set_cert_error("Not yet activated",get_fp(crt));
 -
 -   if(gnutls_x509_crt_get_expiration_time(crt) < now)
 -      set_cert_error("Expired",get_fp(crt));
 +   deinit_cert:
 +   gnutls_x509_crt_deinit(leaf_cert);
 -   /* Check if the certificate is revoked.
 -    */
 -   ret = gnutls_x509_crt_check_revocation(crt, instance->crl_list, instance->crl_list_size);
 -   if (ret == 1) {		/* revoked */
 -      set_cert_error("Revoked",get_fp(crt));
 -   }
 +   err_out:
 +   return;
 }
 bool lftp_ssl_gnutls::check_fatal(int res)
 diff --git a/src/lftp_ssl.h b/src/lftp_ssl.h
 index c37b047b4..87b92d4fa 100644
 --- a/src/lftp_ssl.h
 +++ b/src/lftp_ssl.h
@@ -92,8 +92,6 @@ class lftp_ssl_gnutls : public lftp_ssl_base
    gnutls_session_t session;
    gnutls_certificate_credentials_t cred;
    void verify_certificate_chain(const gnutls_datum_t *cert_chain,int cert_chain_length);
 -   void verify_cert2(gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer);
 -   void verify_last_cert(gnutls_x509_crt_t crt);
    int do_handshake();
    bool check_fatal(int res);
    static const xstring& get_fp(gnutls_x509_crt_t crt);
--- a/SOURCES/lftp-4.8.4-ssh-prompt.patch
+++ b/SOURCES/lftp-4.8.4-ssh-prompt.patch
@ -1,59 +0,0 @@
 From 0ad0732b8fbacd3519b4e3ecf8c394681b314672 Mon Sep 17 00:00:00 2001
 From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
 Date: Thu, 5 Dec 2019 21:34:11 +0300
 Subject: [PATCH] SSH_Access: fixed yes/no/[fingerprint] recognition (fix #547,
 fix #525)
 ---
 src/SSH_Access.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
 diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc
 index 97683a3f..adf0c196 100644
 --- a/src/SSH_Access.cc
 +++ b/src/SSH_Access.cc
@@ -20,6 +20,8 @@
 #include <config.h>
 #include "SSH_Access.h"
 #include "misc.h"
 +#include <algorithm>
 +#include "ascii_ctype.h"
 void SSH_Access::MakePtyBuffers()
 {
@@ -70,6 +70,26 @@ static bool IsPasswordPrompt(const char *b,const char *e)
    return (e-b>=len && !strncasecmp(b,suffix,len));
 }
 +struct nocase_eq
 +{
 +   inline bool operator() (char lhs, char rhs) const
 +   {
 +      return c_tolower(lhs) == c_tolower(rhs);
 +   };
 +};
 +
 +static bool contains(char const *begin, char const *end, char const *needle)
 +{
 +   return std::search(begin, end, needle, needle+strlen(needle), nocase_eq()) != end;
 +}
 +
 +static bool IsConfirmPrompt(const char *b,const char *e)
 +{
 +   if(b==e)
 +      return false;
 +   return e[-1]=='?' && contains(b,e,"yes/no");
 +}
 +
 int SSH_Access::HandleSSHMessage()
 {
    int m=STALL;
@@ -99,7 +106,7 @@ int SSH_Access::HandleSSHMessage()
 	 password_sent++;
 	 return m;
       }
 -      if(ends_with(b,b+s,"(yes/no)?"))
 +      if(IsConfirmPrompt(b,b+s))
       {
 	 const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n";
 	 pty_recv_buf->Put(answer);
--- a/SPECS/lftp.spec
+++ b/SPECS/lftp.spec
@ -1,19 +1,16 @@
 Summary:	A sophisticated file transfer program
 Name:		lftp
-Version:	4.8.4
+Version:	4.9.2
-Release:	3%{?dist}
+Release:	4%{?dist}
 License:	GPLv3+
 Group:		Applications/Internet
 Source0:	http://lftp.yar.ru/ftp/%{name}-%{version}.tar.xz
 URL:		http://lftp.yar.ru/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:	ncurses-devel, gnutls-devel, perl-generators, pkgconfig, readline-devel, gettext
-BuildRequires:	zlib-devel
+BuildRequires:	zlib-devel, gcc-c++
 BuildRequires: desktop-file-utils
 BuildRequires: make
 Patch1:  lftp-4.0.9-date_fmt.patch
 Patch2:  lftp-4.8.4-ssh-prompt.patch
 Patch3:  lftp-4.8.4-re-newed-cert.patch
 %description
 LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job
@ -23,7 +20,6 @@ reliability in mind.
 %package scripts
 Summary:	Scripts for lftp
 Group:		Applications/Internet
 Requires:	lftp >= %{version}-%{release}
 BuildArch:	noarch
@ -34,8 +30,6 @@ Utility scripts for use with lftp.
 %setup -q
 %patch1 -p1 -b .date_fmt
 %patch2 -p1 -b .ssh-prompt
 %patch3 -p1 -b .re-newed-cert
 #sed -i.rpath -e '/lftp_cv_openssl/s|-R.*lib||' configure
 sed -i.norpath -e \
@ -67,15 +61,9 @@ desktop-file-install	\
 %find_lang %{name}
-%clean
+%ldconfig_scriptlets
 rm -rf $RPM_BUILD_ROOT
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
 %files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc BUGS COPYING ChangeLog FAQ FEATURES README* NEWS THANKS TODO
 %config(noreplace) %{_sysconfdir}/lftp.conf
 %{_bindir}/*
@ -100,20 +88,53 @@ rm -rf $RPM_BUILD_ROOT
 %files scripts
 %defattr(-,root,root,-)
 %{_datadir}/lftp
 %changelog
-* Mon Jul 24 2023 Michal Ruprich <mruprich@redhat.com> - 4.8.4-3
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.2-4
- Resolves: #2182418 - Connection to site fails with certificate verification error
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
-* Tue Apr 28 2020 Michal Ruprich <michalruprich@gmail.com> - 4.8.4-2
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.2-3
- Resolves: #1793557 - SFTP over LFTP hangs if host key of the remote system doesn't exist
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Wed Aug 19 2020 Michal Ruprich <michalruprich@gmail.com> - 4.9.2-1
 - New version 4.9.2
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Fri Apr 03 2020 Michal Ruprich <michalruprich@gmail.com> - 4.9.1-1
 - New version 4.9.1
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Fri Jan 03 2020 Michal Ruprich <mruprich@redhat.com> - 4.9.0-1
 - New version 4.9.0
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.4-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.8.4-3
 - Rebuild for readline 8.0
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Wed Aug 01 2018 Michal Ruprich <mruprich@redhat.com> - 4.8.4-1
 - New version 4.8.4
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Thu Apr 26 2018 Tomas Hozza <thozza@redhat.com> - 4.8.3-3
 - Added gcc-c++ as an explicit BuildRequires
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
`@ -1 +1 @@`
	`SOURCES/lftp-4.8.4.tar.xz`	`SOURCES/lftp-4.9.2.tar.xz`
		`@ -0,0 +1 @@`
							`e1c7936fef725c9e9c5ccccc30f73f9a9f781115 SOURCES/lftp-4.9.2.tar.xz`