add option for TLSv1.3 ciphersuites

SPDX migration

0021-Introduce-support-for-DHE-based-cipher-suites.patch

@@ -69,7 +69,7 @@ index c362983..22b69b3 100644
      if (!tunable_sslv2)
      {
        options |= SSL_OP_NO_SSLv2;
-@@ -130,6 +147,25 @@
+@@ -149,8 +166,27 @@
          die("SSL: cannot load DSA private key");
        }
      }
@@ -95,6 +95,8 @@ index c362983..22b69b3 100644
      if (tunable_ssl_ciphers &&
          SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
      {
+       die("SSL: could not set cipher list");
+     }
 @@ -184,6 +226,9 @@
        /* Ensure cached session doesn't expire */
        SSL_CTX_set_timeout(p_ctx, INT_MAX);

vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch

@@ -0,0 +1,79 @@
+diff -urN a/parseconf.c b/parseconf.c
+--- a/parseconf.c	2021-05-29 23:39:19.000000000 +0200
++++ b/parseconf.c	2023-03-03 10:22:38.256439634 +0100
+@@ -185,6 +185,7 @@
+   { "dsa_cert_file", &tunable_dsa_cert_file },
+   { "dh_param_file", &tunable_dh_param_file },
+   { "ecdh_param_file", &tunable_ecdh_param_file },
++  { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
+   { "ssl_ciphers", &tunable_ssl_ciphers },
+   { "rsa_private_key_file", &tunable_rsa_private_key_file },
+   { "dsa_private_key_file", &tunable_dsa_private_key_file },
+diff -urN a/ssl.c b/ssl.c
+--- a/ssl.c	2021-08-02 08:24:35.000000000 +0200
++++ b/ssl.c	2023-03-03 10:28:05.989757655 +0100
+@@ -135,6 +135,11 @@
+     {
+       die("SSL: could not set cipher list");
+     }
++    if (tunable_ssl_ciphersuites &&
++        SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
++    {
++      die("SSL: could not set ciphersuites");
++    }
+     if (RAND_status() != 1)
+     {
+       die("SSL: RNG is not seeded");
+diff -urN a/tunables.c b/tunables.c
+--- a/tunables.c	2021-05-29 23:39:00.000000000 +0200
++++ b/tunables.c	2023-03-03 10:13:30.566868026 +0100
+@@ -154,6 +154,7 @@
+ const char* tunable_dsa_cert_file;
+ const char* tunable_dh_param_file;
+ const char* tunable_ecdh_param_file;
+ const char* tunable_ssl_ciphers;
++const char* tunable_ssl_ciphersuites;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+@@ -293,6 +293,7 @@
+   install_str_setting(0, &tunable_dh_param_file);
+   install_str_setting(0, &tunable_ecdh_param_file);
+   install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
++  install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
+   install_str_setting(0, &tunable_rsa_private_key_file);
+   install_str_setting(0, &tunable_dsa_private_key_file);
+   install_str_setting(0, &tunable_ca_certs_file);
+diff -urN a/tunables.h b/tunables.h
+--- a/tunables.h
++++ b/tunables.h
+@@ -144,6 +144,7 @@
+ extern const char* tunable_dsa_cert_file;
+ extern const char* tunable_dh_param_file;
+ extern const char* tunable_ecdh_param_file;
+ extern const char* tunable_ssl_ciphers;
++extern const char* tunable_ssl_ciphersuites;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1009,6 +1009,20 @@
+ 
+ Default: PROFILE=SYSTEM
+ .TP
++.B ssl_ciphersuites
++This option can be used to select which SSL cipher suites vsftpd will allow for
++encrypted SSL connections with TLSv1.3. See the
++.BR ciphers
++man page for further details. Note that restricting ciphers can be a useful
++security precaution as it prevents malicious remote parties forcing a cipher
++which they have found problems with.
++
++By default, the system-wide crypto policy is used. See
++.BR update-crypto-policies(8)
++for further details.
++
++Default: TLS_AES_256_GCM_SHA384
++.TP
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
+ incoming handshakes matches this value.

vsftpd-3.0.5-replace-deprecated-openssl-functions.patch

@@ -25,7 +25,7 @@ diff --git a/ssl.c b/ssl.c
      int verify_option = 0;
      SSL_library_init();
 -    p_ctx = SSL_CTX_new(SSLv23_server_method());
-+    p_ctx = SSL_CTX_new_ex(NULL, NULL, SSLv23_server_method());
++    p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
      if (p_ctx == NULL)
      {
        die("SSL: could not allocate SSL context");

vsftpd-3.0.5-use-old-tlsv-options.patch

@@ -0,0 +1,15 @@
+--- parseconf-orig.c	2022-10-25 15:17:18.990701984 +0200
++++ parseconf.c	2022-10-25 15:12:44.213480000 +0200
+@@ -85,9 +85,9 @@
+   { "ssl_sslv2", &tunable_sslv2 },
+   { "ssl_sslv3", &tunable_sslv3 },
+   { "ssl_tlsv1", &tunable_tlsv1 },
+-  { "ssl_tlsv11", &tunable_tlsv1_1 },
+-  { "ssl_tlsv12", &tunable_tlsv1_2 },
+-  { "ssl_tlsv13", &tunable_tlsv1_3 },
++  { "ssl_tlsv1_1", &tunable_tlsv1_1 },
++  { "ssl_tlsv1_2", &tunable_tlsv1_2 },
++  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },

vsftpd.spec

@@ -2,11 +2,11 @@
 
 Name:    vsftpd
 Version: 3.0.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Very Secure Ftp Daemon
 
 # OpenSSL link exception
-License:  GPLv2 with exceptions
+License:  GPL-2.0-only WITH vsftpd-openssl-exception
 URL:      https://security.appspot.com/vsftpd.html
 Source0:  https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
 Source1:  vsftpd.xinetd
@@ -99,6 +99,8 @@ Patch70: fix-str_open.patch
 Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
 Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch
 Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
+Patch74: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
+Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch
 
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -168,6 +170,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 
 %changelog
+* Thu May 04 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-4
+- add option for TLSv1.3 ciphersuites
+- SPDX migration
+
 * Fri Feb 17 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-3
 - make vsftpd compatible with Openssl 3.0+
 - replace old network functions