import vsftpd-3.0.3-49.el9

2021-12-07 11:58:57 -05:00 · 2021-12-07 11:58:57 -05:00 · 3b658dfddf
parent ae0d01b2d0
commit 3b658dfddf
3 changed files with 332 additions and 1 deletions
--- a/SOURCES/vsftpd-3.0.3-ALPACA.patch
+++ b/SOURCES/vsftpd-3.0.3-ALPACA.patch
@ -0,0 +1,225 @@
+diff --git a/parseconf.c b/parseconf.c
+index 3729818..ee1b8b4 100644
+--- a/parseconf.c
+++ b/parseconf.c
+@@ -188,6 +188,7 @@ parseconf_str_array[] =
+   { "rsa_private_key_file", &tunable_rsa_private_key_file },
+   { "dsa_private_key_file", &tunable_dsa_private_key_file },
+   { "ca_certs_file", &tunable_ca_certs_file },
+  { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
+   { "cmds_denied", &tunable_cmds_denied },
+   { 0, 0 }
+ };
+diff --git a/ssl.c b/ssl.c
+index 09ec96a..51345f8 100644
+--- a/ssl.c
+++ b/ssl.c
+@@ -41,6 +41,13 @@ static long bio_callback(
+   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
+ static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+ static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+static int ssl_alpn_callback(SSL* p_ssl,
+                             const unsigned char** p_out,
+                             unsigned char* outlen,
+                             const unsigned char* p_in,
+                             unsigned int inlen,
+                             void* p_arg);
+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
+ static int ssl_cert_digest(
+   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
+ static void maybe_log_shutdown_state(struct vsf_session* p_sess);
+@@ -286,6 +293,12 @@ ssl_init(struct vsf_session* p_sess)
+     }
+     
+     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+    /* Set up ALPN to check for FTP protocol intention of client. */
+    SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+    /* Set up SNI callback for an optional hostname check. */
+    SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
+    SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
+
+ 
+     if (tunable_ecdh_param_file)
+     {
+@@ -870,6 +883,132 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
+   
+   return DH_get_dh(keylength);
+ }
+static int
+ssl_alpn_callback(SSL* p_ssl,
+                  const unsigned char** p_out,
+                  unsigned char* outlen,
+                  const unsigned char* p_in,
+                  unsigned int inlen,
+                  void* p_arg) {
+  unsigned int i;
+  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+  int is_ok = 0;
+
+  (void) p_ssl;
+
+  /* Initialize just in case. */
+  *p_out = p_in;
+  *outlen = 0;
+
+  for (i = 0; i < inlen; ++i) {
+    unsigned int left = (inlen - i);
+    if (left < 4) {
+      continue;
+    }
+    if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
+        p_in[i + 3] == 'p')
+    {
+      is_ok = 1;
+      *p_out = &p_in[i + 1];
+      *outlen = 3;
+      break;
+    }
+  }
+  
+  if (!is_ok)
+  {
+    str_alloc_text(&debug_str, "ALPN rejection");
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+  if (!is_ok || tunable_debug_ssl)
+  {
+    str_alloc_text(&debug_str, "ALPN data: ");
+    for (i = 0; i < inlen; ++i) {
+      str_append_char(&debug_str, p_in[i]);
+    }
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+
+  if (is_ok)
+  {
+    return SSL_TLSEXT_ERR_OK;
+  }
+  else
+  {
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+  }
+}
+
+static long
+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
+{
+  static struct mystr s_sni_expected_hostname;
+  static struct mystr s_sni_received_hostname;
+
+  int servername_type;
+  const char* p_sni_servername;
+  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+  int is_ok = 0;
+
+  (void) p_ssl;
+  (void) p_arg;
+
+  if (tunable_ssl_sni_hostname)
+  {
+    str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
+  }
+
+  /* The OpenSSL documentation says it is pre-initialized like this, but set
+   * it just in case.
+   */
+  *p_al = SSL_AD_UNRECOGNIZED_NAME;
+
+  servername_type = SSL_get_servername_type(p_ssl);
+  p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
+  if (p_sni_servername != NULL) {
+    str_alloc_text(&s_sni_received_hostname, p_sni_servername);
+  }
+
+  if (str_isempty(&s_sni_expected_hostname))
+  {
+    is_ok = 1;
+  }
+  else if (servername_type != TLSEXT_NAMETYPE_host_name)
+  {
+    /* Fail. */
+    str_alloc_text(&debug_str, "SNI bad type: ");
+    str_append_ulong(&debug_str, servername_type);
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+  else
+  {
+    if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
+    {
+      is_ok = 1;
+    }
+    else
+    {
+      str_alloc_text(&debug_str, "SNI rejection");
+      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+  }
+
+  if (!is_ok || tunable_debug_ssl)
+  {
+    str_alloc_text(&debug_str, "SNI hostname: ");
+    str_append_str(&debug_str, &s_sni_received_hostname);
+    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+  }
+
+  if (is_ok)
+  {
+    return SSL_TLSEXT_ERR_OK;
+  }
+  else
+  {
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+  }
+}
+ 
+ void
+ ssl_add_entropy(struct vsf_session* p_sess)
+diff --git a/tunables.c b/tunables.c
+index c96c1ac..d8dfcde 100644
+--- a/tunables.c
+++ b/tunables.c
+@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+ const char* tunable_ca_certs_file;
+const char* tunable_ssl_sni_hostname;
+ 
+ static void install_str_setting(const char* p_value, const char** p_storage);
+ 
+@@ -309,6 +310,7 @@ tunables_load_defaults()
+   install_str_setting(0, &tunable_rsa_private_key_file);
+   install_str_setting(0, &tunable_dsa_private_key_file);
+   install_str_setting(0, &tunable_ca_certs_file);
+  install_str_setting(0, &tunable_ssl_sni_hostname);
+ }
+ 
+ void
+diff --git a/tunables.h b/tunables.h
+index 8d50150..de6cab0 100644
+--- a/tunables.h
+++ b/tunables.h
+@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+ extern const char* tunable_ca_certs_file;
+extern const char* tunable_ssl_sni_hostname;
+ extern const char* tunable_cmds_denied;
+ 
+ #endif /* VSF_TUNABLES_H */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 815773f..7006287 100644
+--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
+@@ -1128,6 +1128,12 @@ for further details.
+ 
+ Default: PROFILE=SYSTEM
+ .TP
+.B ssl_sni_hostname
+If set, SSL connections will be rejected unless the SNI hostname in the
+incoming handshakes matches this value.
+
+Default: (none)
+.TP
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
+ the manual page, on a per-user basis. Usage is simple, and is best illustrated
--- a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
+++ b/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
@ -0,0 +1,96 @@
+diff --git a/features.c b/features.c
+index d024366..3a60b88 100644
+--- a/features.c
+++ b/features.c
+@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+     }
+-    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
+    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+     }
+diff --git a/parseconf.c b/parseconf.c
+index ee1b8b4..5188088 100644
+--- a/parseconf.c
+++ b/parseconf.c
+@@ -87,6 +87,7 @@ parseconf_bool_array[] =
+   { "ssl_tlsv1", &tunable_tlsv1 },
+   { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+   { "ssl_tlsv1_2", &tunable_tlsv1_2 },
+  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
+diff --git a/ssl.c b/ssl.c
+index 51345f8..d5d4a21 100644
+--- a/ssl.c
+++ b/ssl.c
+@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
+     {
+       options |= SSL_OP_NO_TLSv1_2;
+     }
+    if (!tunable_tlsv1_3)
+    {
+      options |= SSL_OP_NO_TLSv1_3;
+    }
+     SSL_CTX_set_options(p_ctx, options);
+     if (tunable_rsa_cert_file)
+     {
+diff --git a/tunables.c b/tunables.c
+index d8dfcde..dc001ac 100644
+--- a/tunables.c
+++ b/tunables.c
+@@ -68,6 +68,7 @@ int tunable_sslv3;
+ int tunable_tlsv1;
+ int tunable_tlsv1_1;
+ int tunable_tlsv1_2;
+int tunable_tlsv1_3;
+ int tunable_tilde_user_enable;
+ int tunable_force_anon_logins_ssl;
+ int tunable_force_anon_data_ssl;
+@@ -218,8 +219,9 @@ tunables_load_defaults()
+   tunable_sslv3 = 0;
+   tunable_tlsv1 = 0;
+   tunable_tlsv1_1 = 0;
+-  /* Only TLSv1.2 is enabled by default */
+  /* Only TLSv1.2 and TLSv1.3 are enabled by default */
+   tunable_tlsv1_2 = 1;
+  tunable_tlsv1_3 = 1;
+   tunable_tilde_user_enable = 0;
+   tunable_force_anon_logins_ssl = 0;
+   tunable_force_anon_data_ssl = 0;
+diff --git a/tunables.h b/tunables.h
+index de6cab0..ff0eebc 100644
+--- a/tunables.h
+++ b/tunables.h
+@@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
+ extern int tunable_tlsv1;                     /* Allow TLSv1 */
+ extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
+ extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
+extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
+ extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
+ extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
+ extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 7006287..d181e50 100644
+--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
+@@ -587,7 +587,15 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+-TLS v1.2 connections are preferred.
+TLS v1.2 and TLS v1.3 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_3
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
+TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: YES
+ .TP
--- a/SPECS/vsftpd.spec
+++ b/SPECS/vsftpd.spec
@ -2,7 +2,7 @@

 Name:    vsftpd
 Version: 3.0.3
-Release: 47%{?dist}
+Release: 49%{?dist}
 Summary: Very Secure Ftp Daemon

 # OpenSSL link exception
@ -99,6 +99,8 @@ Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch70: fix-str_open.patch
 # upstream commits 56402c0, 8b82e73 rhbz#1948570
 Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
+Patch72: vsftpd-3.0.3-ALPACA.patch
+Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch

 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@ -171,6 +173,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp

 %changelog
+* Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
+- add option to disable TLSv1.3
+- Resolves: rhbz#1954682
+
+* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-48
+- ALPACA fix backported from upstram 3.0.5 version
+- Resolves: rhbz#1975647
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-47
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688