Compare commits

..

No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

5 changed files with 343 additions and 45 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/lftp-4.9.2.tar.xz SOURCES/lftp-4.8.4.tar.xz

View File

@ -1 +0,0 @@
e1c7936fef725c9e9c5ccccc30f73f9a9f781115 SOURCES/lftp-4.9.2.tar.xz

View File

@ -0,0 +1,261 @@
From fd40ee3542d877c37ff129d5c9b02df21d20c6a0 Mon Sep 17 00:00:00 2001
From: Miao Wang <shankerwangmiao@gmail.com>
Date: Sat, 9 Oct 2021 18:13:30 +0800
Subject: [PATCH] Use gnutls_certificate_verify_peers2 to verify server
certificates
Fixes: #641
Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
---
src/lftp_ssl.cc | 207 +++++++++++-------------------------------------
src/lftp_ssl.h | 2 -
2 files changed, 48 insertions(+), 161 deletions(-)
diff --git a/src/lftp_ssl.cc b/src/lftp_ssl.cc
index 968d3fb26..26e91e4b9 100644
--- a/src/lftp_ssl.cc
+++ b/src/lftp_ssl.cc
@@ -338,6 +338,16 @@ void lftp_ssl_gnutls::load_keys()
if(res<0)
Log::global->Format(0,"gnutls_certificate_set_x509_key_file(%s,%s): %s\n",cert_file,key_file,gnutls_strerror(res));
}
+ res = gnutls_certificate_set_x509_trust(cred, instance->ca_list, instance->ca_list_size);
+ if(res < 0)
+ Log::global->Format(0, "gnutls_certificate_set_x509_trust: %s\n", gnutls_strerror(res));
+ else
+ Log::global->Format(9, "Loaded %d CAs\n", res);
+ res = gnutls_certificate_set_x509_crl(cred, instance->crl_list, instance->crl_list_size);
+ if(res < 0)
+ Log::global->Format(0, "gnutls_certificate_set_x509_crl: %s\n", gnutls_strerror(res));
+ else
+ Log::global->Format(9, "Loaded %d CRLs\n", res);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
}
void lftp_ssl_gnutls::shutdown()
@@ -358,174 +368,53 @@ lftp_ssl_gnutls::~lftp_ssl_gnutls()
*/
void lftp_ssl_gnutls::verify_certificate_chain(const gnutls_datum_t *cert_chain,int cert_chain_length)
{
- int i;
- gnutls_x509_crt_t *cert=(gnutls_x509_crt_t*)alloca(cert_chain_length*sizeof(gnutls_x509_crt_t));
-
- /* Import all the certificates in the chain to
- * native certificate format.
- */
- for (i = 0; i < cert_chain_length; i++)
- {
- gnutls_x509_crt_init(&cert[i]);
- gnutls_x509_crt_import(cert[i],&cert_chain[i],GNUTLS_X509_FMT_DER);
+ int err;
+ unsigned int status;
+
+ gnutls_x509_crt_t leaf_cert;
+ err = gnutls_x509_crt_init(&leaf_cert);
+ if(err < 0){
+ set_cert_error(xstring::format("GnuTLS Error: %s", gnutls_strerror(err)), NULL);
+ goto err_out;
}
-
- /* Now verify the certificates against their issuers
- * in the chain.
- */
- for (i = 1; i < cert_chain_length; i++)
- verify_cert2(cert[i - 1], cert[i]);
-
- /* Here we must verify the last certificate in the chain against
- * our trusted CA list.
- */
- verify_last_cert(cert[cert_chain_length - 1]);
-
- /* Check if the name in the first certificate matches our destination!
- */
- bool check_hostname = ResMgr::QueryBool("ssl:check-hostname", hostname);
- if(check_hostname) {
- if(!gnutls_x509_crt_check_hostname(cert[0], hostname))
- set_cert_error(xstring::format("certificate common name doesn't match requested host name %s",quote(hostname)),get_fp(cert[0]));
- } else {
- Log::global->Format(0, "WARNING: Certificate verification: hostname checking disabled\n");
+ gnutls_x509_crt_import(leaf_cert, &cert_chain[0], GNUTLS_X509_FMT_DER);
+ if(err < 0){
+ set_cert_error(xstring::format("GnuTLS Error: %s", gnutls_strerror(err)), NULL);
+ goto deinit_cert;
}
- for (i = 0; i < cert_chain_length; i++)
- gnutls_x509_crt_deinit(cert[i]);
-}
-
-
-/* Verifies a certificate against an other certificate
- * which is supposed to be it's issuer. Also checks the
- * crl_list if the certificate is revoked.
- */
-void lftp_ssl_gnutls::verify_cert2(gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer)
-{
- int ret;
- time_t now = SMTask::now;
- size_t name_size;
- char name[256];
-
- /* Print information about the certificates to
- * be checked.
- */
- name_size = sizeof(name);
- gnutls_x509_crt_get_dn(crt, name, &name_size);
-
- Log::global->Format(9, "Certificate: %s\n", name);
-
- name_size = sizeof(name);
- gnutls_x509_crt_get_issuer_dn(crt, name, &name_size);
-
- Log::global->Format(9, " Issued by: %s\n", name);
-
- /* Get the DN of the issuer cert.
- */
- name_size = sizeof(name);
- gnutls_x509_crt_get_dn(issuer, name, &name_size);
-
- Log::global->Format(9, " Checking against: %s\n", name);
-
- /* Do the actual verification.
- */
- unsigned crt_status=0;
- unsigned issuer_status=0;
- gnutls_x509_crt_verify(crt, &issuer, 1, 0, &crt_status);
- if(crt_status&GNUTLS_CERT_SIGNER_NOT_CA)
- {
- // recheck the issuer certificate against CA
- gnutls_x509_crt_verify(issuer, instance->ca_list, instance->ca_list_size, 0, &issuer_status);
- if(issuer_status==0)
- crt_status&=~GNUTLS_CERT_SIGNER_NOT_CA;
- if(crt_status==GNUTLS_CERT_INVALID)
- crt_status=0;
+ err = gnutls_certificate_verify_peers2 (session, &status);
+ if(err < 0){
+ set_cert_error(xstring::format("Cerificate Verification Error: %s", gnutls_strerror(err)), get_fp(leaf_cert));
+ goto deinit_cert;
}
- if (crt_status & GNUTLS_CERT_INVALID)
- {
- char msg[256];
- strcpy(msg,"Not trusted");
- if(crt_status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- strcat(msg,": no issuer was found");
- if(crt_status & GNUTLS_CERT_SIGNER_NOT_CA)
- strcat(msg,": issuer is not a CA");
- set_cert_error(msg,get_fp(crt));
- }
- else
- Log::global->Format(9, " Trusted\n");
-
- /* Now check the expiration dates.
- */
- if (gnutls_x509_crt_get_activation_time(crt) > now)
- set_cert_error("Not yet activated",get_fp(crt));
-
- if (gnutls_x509_crt_get_expiration_time(crt) < now)
- set_cert_error("Expired",get_fp(crt));
-
- /* Check if the certificate is revoked.
- */
- ret = gnutls_x509_crt_check_revocation(crt, instance->crl_list, instance->crl_list_size);
- if (ret == 1) { /* revoked */
- set_cert_error("Revoked",get_fp(crt));
- }
-}
-
-
-/* Verifies a certificate against the trusted CA list.
- * Also checks the crl_list if the certificate is revoked.
- */
-void lftp_ssl_gnutls::verify_last_cert(gnutls_x509_crt_t crt)
-{
- unsigned int crt_status;
- int ret;
- time_t now = SMTask::now;
- size_t name_size;
- char name[256];
-
- /* Print information about the certificates to
- * be checked.
- */
- name_size = sizeof(name);
- gnutls_x509_crt_get_dn(crt, name, &name_size);
-
- Log::global->Format(9, "Certificate: %s\n", name);
-
- name_size = sizeof(name);
- gnutls_x509_crt_get_issuer_dn(crt, name, &name_size);
-
- Log::global->Format(9, " Issued by: %s\n", name);
-
- /* Do the actual verification.
- */
- gnutls_x509_crt_verify(crt, instance->ca_list, instance->ca_list_size, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &crt_status);
-
- if (crt_status & GNUTLS_CERT_INVALID)
- {
- char msg[256];
- strcpy(msg,"Not trusted");
- if (crt_status & GNUTLS_CERT_SIGNER_NOT_CA)
- strcat(msg,": Issuer is not a CA");
- set_cert_error(msg,get_fp(crt));
+ if(status != 0){
+ gnutls_datum_t reason;
+ err = gnutls_certificate_verification_status_print(status, gnutls_certificate_type_get(session), &reason, 0);
+ if(err < 0){
+ set_cert_error(xstring::format("Cerificate Verification Error: %s", gnutls_strerror(err)), get_fp(leaf_cert));
+ goto deinit_cert;
+ }
+ set_cert_error((const char*)reason.data, get_fp(leaf_cert));
+ gnutls_free(reason.data);
+ goto deinit_cert;
}
- else
- Log::global->Format(9, " Trusted\n");
+ if(ResMgr::QueryBool("ssl:check-hostname", hostname)) {
+ if(!gnutls_x509_crt_check_hostname(leaf_cert, hostname)){
+ set_cert_error(xstring::format("certificate common name doesn't match requested host name %s",quote(hostname)),get_fp(leaf_cert));
+ goto deinit_cert;
+ }
+ } else {
+ Log::global->Format(0, "WARNING: Certificate verification: hostname checking disabled\n");
+ }
- /* Now check the expiration dates.
- */
- if(gnutls_x509_crt_get_activation_time(crt) > now)
- set_cert_error("Not yet activated",get_fp(crt));
-
- if(gnutls_x509_crt_get_expiration_time(crt) < now)
- set_cert_error("Expired",get_fp(crt));
+ deinit_cert:
+ gnutls_x509_crt_deinit(leaf_cert);
- /* Check if the certificate is revoked.
- */
- ret = gnutls_x509_crt_check_revocation(crt, instance->crl_list, instance->crl_list_size);
- if (ret == 1) { /* revoked */
- set_cert_error("Revoked",get_fp(crt));
- }
+ err_out:
+ return;
}
bool lftp_ssl_gnutls::check_fatal(int res)
diff --git a/src/lftp_ssl.h b/src/lftp_ssl.h
index c37b047b4..87b92d4fa 100644
--- a/src/lftp_ssl.h
+++ b/src/lftp_ssl.h
@@ -92,8 +92,6 @@ class lftp_ssl_gnutls : public lftp_ssl_base
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
void verify_certificate_chain(const gnutls_datum_t *cert_chain,int cert_chain_length);
- void verify_cert2(gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer);
- void verify_last_cert(gnutls_x509_crt_t crt);
int do_handshake();
bool check_fatal(int res);
static const xstring& get_fp(gnutls_x509_crt_t crt);

View File

@ -0,0 +1,59 @@
From 0ad0732b8fbacd3519b4e3ecf8c394681b314672 Mon Sep 17 00:00:00 2001
From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
Date: Thu, 5 Dec 2019 21:34:11 +0300
Subject: [PATCH] SSH_Access: fixed yes/no/[fingerprint] recognition (fix #547,
fix #525)
---
src/SSH_Access.cc | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/SSH_Access.cc b/src/SSH_Access.cc
index 97683a3f..adf0c196 100644
--- a/src/SSH_Access.cc
+++ b/src/SSH_Access.cc
@@ -20,6 +20,8 @@
#include <config.h>
#include "SSH_Access.h"
#include "misc.h"
+#include <algorithm>
+#include "ascii_ctype.h"
void SSH_Access::MakePtyBuffers()
{
@@ -70,6 +70,26 @@ static bool IsPasswordPrompt(const char *b,const char *e)
return (e-b>=len && !strncasecmp(b,suffix,len));
}
+struct nocase_eq
+{
+ inline bool operator() (char lhs, char rhs) const
+ {
+ return c_tolower(lhs) == c_tolower(rhs);
+ };
+};
+
+static bool contains(char const *begin, char const *end, char const *needle)
+{
+ return std::search(begin, end, needle, needle+strlen(needle), nocase_eq()) != end;
+}
+
+static bool IsConfirmPrompt(const char *b,const char *e)
+{
+ if(b==e)
+ return false;
+ return e[-1]=='?' && contains(b,e,"yes/no");
+}
+
int SSH_Access::HandleSSHMessage()
{
int m=STALL;
@@ -99,7 +106,7 @@ int SSH_Access::HandleSSHMessage()
password_sent++;
return m;
}
- if(ends_with(b,b+s,"(yes/no)?"))
+ if(IsConfirmPrompt(b,b+s))
{
const char *answer=QueryBool("auto-confirm",hostname)?"yes\n":"no\n";
pty_recv_buf->Put(answer);

View File

@ -1,16 +1,19 @@
Summary: A sophisticated file transfer program Summary: A sophisticated file transfer program
Name: lftp Name: lftp
Version: 4.9.2 Version: 4.8.4
Release: 4%{?dist} Release: 3%{?dist}
License: GPLv3+ License: GPLv3+
Group: Applications/Internet
Source0: http://lftp.yar.ru/ftp/%{name}-%{version}.tar.xz Source0: http://lftp.yar.ru/ftp/%{name}-%{version}.tar.xz
URL: http://lftp.yar.ru/ URL: http://lftp.yar.ru/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: ncurses-devel, gnutls-devel, perl-generators, pkgconfig, readline-devel, gettext BuildRequires: ncurses-devel, gnutls-devel, perl-generators, pkgconfig, readline-devel, gettext
BuildRequires: zlib-devel, gcc-c++ BuildRequires: zlib-devel
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
BuildRequires: make
Patch1: lftp-4.0.9-date_fmt.patch Patch1: lftp-4.0.9-date_fmt.patch
Patch2: lftp-4.8.4-ssh-prompt.patch
Patch3: lftp-4.8.4-re-newed-cert.patch
%description %description
LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job
@ -20,6 +23,7 @@ reliability in mind.
%package scripts %package scripts
Summary: Scripts for lftp Summary: Scripts for lftp
Group: Applications/Internet
Requires: lftp >= %{version}-%{release} Requires: lftp >= %{version}-%{release}
BuildArch: noarch BuildArch: noarch
@ -30,6 +34,8 @@ Utility scripts for use with lftp.
%setup -q %setup -q
%patch1 -p1 -b .date_fmt %patch1 -p1 -b .date_fmt
%patch2 -p1 -b .ssh-prompt
%patch3 -p1 -b .re-newed-cert
#sed -i.rpath -e '/lftp_cv_openssl/s|-R.*lib||' configure #sed -i.rpath -e '/lftp_cv_openssl/s|-R.*lib||' configure
sed -i.norpath -e \ sed -i.norpath -e \
@ -61,9 +67,15 @@ desktop-file-install \
%find_lang %{name} %find_lang %{name}
%ldconfig_scriptlets %clean
rm -rf $RPM_BUILD_ROOT
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files -f %{name}.lang %files -f %{name}.lang
%defattr(-,root,root,-)
%doc BUGS COPYING ChangeLog FAQ FEATURES README* NEWS THANKS TODO %doc BUGS COPYING ChangeLog FAQ FEATURES README* NEWS THANKS TODO
%config(noreplace) %{_sysconfdir}/lftp.conf %config(noreplace) %{_sysconfdir}/lftp.conf
%{_bindir}/* %{_bindir}/*
@ -88,53 +100,20 @@ desktop-file-install \
%files scripts %files scripts
%defattr(-,root,root,-)
%{_datadir}/lftp %{_datadir}/lftp
%changelog %changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.2-4 * Mon Jul 24 2023 Michal Ruprich <mruprich@redhat.com> - 4.8.4-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Resolves: #2182418 - Connection to site fails with certificate verification error
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.9.2-3 * Tue Apr 28 2020 Michal Ruprich <michalruprich@gmail.com> - 4.8.4-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Resolves: #1793557 - SFTP over LFTP hangs if host key of the remote system doesn't exist
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Aug 19 2020 Michal Ruprich <michalruprich@gmail.com> - 4.9.2-1
- New version 4.9.2
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Apr 03 2020 Michal Ruprich <michalruprich@gmail.com> - 4.9.1-1
- New version 4.9.1
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.9.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 03 2020 Michal Ruprich <mruprich@redhat.com> - 4.9.0-1
- New version 4.9.0
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.8.4-3
- Rebuild for readline 8.0
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Aug 01 2018 Michal Ruprich <mruprich@redhat.com> - 4.8.4-1 * Wed Aug 01 2018 Michal Ruprich <mruprich@redhat.com> - 4.8.4-1
- New version 4.8.4 - New version 4.8.4
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Apr 26 2018 Tomas Hozza <thozza@redhat.com> - 4.8.3-3
- Added gcc-c++ as an explicit BuildRequires
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.3-2 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.8.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild