diff --git a/.gitignore b/.gitignore index 80044ba..f553e46 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/vsftpd-3.0.3.tar.gz +SOURCES/vsftpd-3.0.5.tar.gz diff --git a/.vsftpd.metadata b/.vsftpd.metadata index 8ae172c..a8856ef 100644 --- a/.vsftpd.metadata +++ b/.vsftpd.metadata @@ -1 +1 @@ -d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz +0159531cc9f9fc6dd64cd734e2fd42601e44b5d9 SOURCES/vsftpd-3.0.5.tar.gz diff --git a/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch index 1abe1e4..bbf99a8 100644 --- a/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch +++ b/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch @@ -31,81 +31,36 @@ index c362983..22b69b3 100644 #include #include #include -+#include +#include ++#include #include #include -@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); - static long bio_callback( - BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); -+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); - static int ssl_cert_digest( - SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); - static void maybe_log_shutdown_state(struct vsf_session* p_sess); -@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, +@@ -58,6 +60,23 @@ static int ssl_inited; static struct mystr debug_str; ++EVP_PKEY * ++DH_get_dh() ++{ ++ OSSL_PARAM dh_params[2]; ++ EVP_PKEY *dh_key = NULL; ++ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); + -+// Grab prime number from OpenSSL; -+// (get_rfc*) for all available primes. -+// wraps selection of comparable algorithm strength -+#if !defined(match_dh_bits) -+ #define match_dh_bits(keylen) \ -+ keylen >= 8191 ? 8192 : \ -+ keylen >= 6143 ? 6144 : \ -+ keylen >= 4095 ? 4096 : \ -+ keylen >= 3071 ? 3072 : \ -+ keylen >= 2047 ? 2048 : \ -+ keylen >= 1535 ? 1536 : \ -+ keylen >= 1023 ? 1024 : 768 -+#endif ++ dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0); ++ dh_params[1] = OSSL_PARAM_construct_end(); + -+#if !defined(DH_get_prime) -+ BIGNUM * -+ DH_get_prime(int bits) -+ { -+ switch (bits) { -+ case 768: return get_rfc2409_prime_768(NULL); -+ case 1024: return get_rfc2409_prime_1024(NULL); -+ case 1536: return get_rfc3526_prime_1536(NULL); -+ case 2048: return get_rfc3526_prime_2048(NULL); -+ case 3072: return get_rfc3526_prime_3072(NULL); -+ case 4096: return get_rfc3526_prime_4096(NULL); -+ case 6144: return get_rfc3526_prime_6144(NULL); -+ case 8192: return get_rfc3526_prime_8192(NULL); -+ // shouldn't happen when used match_dh_bits; strict compiler -+ default: return NULL; -+ } ++ if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0) ++ return NULL; ++ EVP_PKEY_generate(pctx, &dh_key); ++ EVP_PKEY_CTX_free(pctx); ++ return dh_key; +} -+#endif -+ -+#if !defined(DH_get_dh) -+ // Grab DH parameters -+ DH * -+ DH_get_dh(int size) -+ { -+ DH *dh = DH_new(); -+ if (!dh) { -+ return NULL; -+ } -+ dh->p = DH_get_prime(match_dh_bits(size)); -+ BN_dec2bn(&dh->g, "2"); -+ if (!dh->p || !dh->g) -+ { -+ DH_free(dh); -+ return NULL; -+ } -+ return dh; -+ } -+#endif + void ssl_init(struct vsf_session* p_sess) { -@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) +@@ -72,7 +89,7 @@ { die("SSL: could not allocate SSL context"); } @@ -114,61 +69,42 @@ index c362983..22b69b3 100644 if (!tunable_sslv2) { options |= SSL_OP_NO_SSLv2; -@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess) +@@ -130,6 +147,25 @@ die("SSL: cannot load DSA private key"); } } + if (tunable_dh_param_file) + { + BIO *bio; -+ DH *dhparams = NULL; ++ EVP_PKEY *dh_params = NULL; + if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) + { + die("SSL: cannot load custom DH params"); + } + else + { -+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); ++ dh_params = PEM_read_bio_Parameters(bio, NULL); + BIO_free(bio); + -+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams)) -+ { ++ if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params)) ++ { + die("SSL: setting custom DH params failed"); -+ } ++ } + } + } if (tunable_ssl_ciphers && SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) { -@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) +@@ -184,6 +226,9 @@ /* Ensure cached session doesn't expire */ SSL_CTX_set_timeout(p_ctx, INT_MAX); } -+ -+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } -@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) - return 1; - } - -+#define UNUSED(x) ( (void)(x) ) ++ SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh()); + -+static DH * -+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) -+{ -+ // strict compiler bypassing -+ UNUSED(ssl); -+ UNUSED(is_export); -+ -+ return DH_get_dh(keylength); -+} -+ - void - ssl_add_entropy(struct vsf_session* p_sess) - { + /* Set up ALPN to check for FTP protocol intention of client. */ + SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); + /* Set up SNI callback for an optional hostname check. */ diff --git a/tunables.c b/tunables.c index c737465..1ea7227 100644 --- a/tunables.c diff --git a/SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch index 1428b86..0a09a2c 100644 --- a/SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +++ b/SOURCES/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch @@ -36,48 +36,40 @@ index 22b69b3..96bf8ad 100644 if (!tunable_sslv2) { options |= SSL_OP_NO_SSLv2; -@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) - - SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); +@@ -244,6 +244,33 @@ + + SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh()); + if (tunable_ecdh_param_file) + { + BIO *bio; -+ int nid; -+ EC_GROUP *ecparams = NULL; -+ EC_KEY *eckey; ++ EVP_PKEY *ec_params = NULL; + + if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL) + die("SSL: cannot load custom ec params"); + else + { -+ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); ++ ec_params = PEM_read_bio_Parameters(bio, NULL); + BIO_free(bio); + -+ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) && -+ (eckey = EC_KEY_new_by_curve_name(nid))) ++ if (ec_params != NULL) + { -+ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey)) ++ if (!SSL_CTX_set1_groups_list(p_ctx, ec_params)) + die("SSL: setting custom EC params failed"); -+ } -+ else ++ } ++ else + { + die("SSL: getting ec group or key failed"); -+ } ++ } + } + } + else + { -+#if defined(SSL_CTX_set_ecdh_auto) -+ SSL_CTX_set_ecdh_auto(p_ctx, 1); -+#else -+ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); -+#endif ++ SSL_CTX_set1_groups_list(p_ctx, "P-256"); + } -+ - p_sess->p_ssl_ctx = p_ctx; - ssl_inited = 1; - } + /* Set up ALPN to check for FTP protocol intention of client. */ + SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); + /* Set up SNI callback for an optional hostname check. */ diff --git a/tunables.c b/tunables.c index 1ea7227..93f85b1 100644 --- a/tunables.c diff --git a/SOURCES/0025-Improve-local_max_rate-option.patch b/SOURCES/0025-Improve-local_max_rate-option.patch index e78f825..2c74c7a 100644 --- a/SOURCES/0025-Improve-local_max_rate-option.patch +++ b/SOURCES/0025-Improve-local_max_rate-option.patch @@ -60,9 +60,9 @@ diff --git a/main.c b/main.c index eaba265..f1e2f69 100644 --- a/main.c +++ b/main.c -@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) +@@ -40,7 +40,7 @@ /* Control connection */ - 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, /* Data connection */ - -1, 0, -1, 0, 0, 0, 0, + -1, 0, -1, 0, 0, 0, 0, 0, diff --git a/SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch deleted file mode 100644 index 8d6228e..0000000 --- a/SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch +++ /dev/null @@ -1,153 +0,0 @@ -From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 13:36:17 +0100 -Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options. - -Users can now enable a specific version of TLS protocol. ---- - parseconf.c | 2 ++ - ssl.c | 8 ++++++++ - tunables.c | 9 +++++++-- - tunables.h | 2 ++ - vsftpd.conf.5 | 24 ++++++++++++++++++++---- - 5 files changed, 39 insertions(+), 6 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index a2c715b..33a1349 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -85,6 +85,8 @@ parseconf_bool_array[] = - { "ssl_sslv2", &tunable_sslv2 }, - { "ssl_sslv3", &tunable_sslv3 }, - { "ssl_tlsv1", &tunable_tlsv1 }, -+ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, -+ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -diff --git a/ssl.c b/ssl.c -index 96bf8ad..ba8a613 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1; - } -+ if (!tunable_tlsv1_1) -+ { -+ options |= SSL_OP_NO_TLSv1_1; -+ } -+ if (!tunable_tlsv1_2) -+ { -+ options |= SSL_OP_NO_TLSv1_2; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -diff --git a/tunables.c b/tunables.c -index 93f85b1..78f2bcd 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; - int tunable_sslv2; - int tunable_sslv3; - int tunable_tlsv1; -+int tunable_tlsv1_1; -+int tunable_tlsv1_2; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -209,7 +211,10 @@ tunables_load_defaults() - tunable_force_local_data_ssl = 1; - tunable_sslv2 = 0; - tunable_sslv3 = 0; -+ /* TLSv1 up to TLSv1.2 is enabled by default */ - tunable_tlsv1 = 1; -+ tunable_tlsv1_1 = 1; -+ tunable_tlsv1_2 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -@@ -292,8 +297,8 @@ tunables_load_defaults() - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", -- &tunable_ssl_ciphers); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff --git a/tunables.h b/tunables.h -index 3e2d40c..a466427 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */ - extern int tunable_sslv2; /* Allow SSLv2 */ - extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ -+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ -+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ - extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index cf1ae34..a3d569e 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -506,7 +506,7 @@ Default: YES - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v2 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. - - Default: NO - .TP -@@ -514,7 +514,7 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit SSL v3 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. - - Default: NO - .TP -@@ -522,7 +522,23 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1 protocol connections. --TLS v1 connections are preferred. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_1 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.1 protocol connections. -+TLS v1.2 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_2 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.2 protocol connections. -+TLS v1.2 connections are preferred. - - Default: YES - .TP -@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful - security precaution as it prevents malicious remote parties forcing a cipher - which they have found problems with. - --Default: DES-CBC3-SHA -+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 - .TP - .B user_config_dir - This powerful option allows the override of any config option specified in --- -2.14.4 - diff --git a/SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch b/SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch deleted file mode 100644 index 1cebc18..0000000 --- a/SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Mon, 4 Sep 2017 11:32:03 +0200 -Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1 - ---- - ssl.c | 41 ++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/ssl.c b/ssl.c -index ba8a613..09ec96a 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -88,19 +88,54 @@ static struct mystr debug_str; - } - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* If the fields p and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. q may remain NULL. -+ */ -+ if ((dh->p == NULL && p == NULL) -+ || (dh->g == NULL && g == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) { -+ BN_free(dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) { -+ BN_free(dh->g); -+ dh->g = g; -+ } -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits(q); -+ } -+ -+ return 1; -+} -+#endif -+ - #if !defined(DH_get_dh) - // Grab DH parameters - DH * - DH_get_dh(int size) - { -+ BIGNUM *g = NULL; -+ BIGNUM *p = NULL; - DH *dh = DH_new(); - if (!dh) { - return NULL; - } -- dh->p = DH_get_prime(match_dh_bits(size)); -- BN_dec2bn(&dh->g, "2"); -- if (!dh->p || !dh->g) -+ p = DH_get_prime(match_dh_bits(size)); -+ BN_dec2bn(&g, "2"); -+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g)) - { -+ BN_free(g); -+ BN_free(p); - DH_free(dh); - return NULL; - } --- -2.14.4 - diff --git a/SOURCES/0040-Use-system-wide-crypto-policy.patch b/SOURCES/0040-Use-system-wide-crypto-policy.patch index f59ba2b..940a5b2 100644 --- a/SOURCES/0040-Use-system-wide-crypto-policy.patch +++ b/SOURCES/0040-Use-system-wide-crypto-policy.patch @@ -3,7 +3,7 @@ From: Martin Sehnoutka Date: Tue, 29 Aug 2017 10:32:16 +0200 Subject: [PATCH 40/59] Use system wide crypto policy -Resolves: rhbz#1483970 +Resolves: rhbz# --- tunables.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) @@ -16,8 +16,8 @@ index 5440c00..354251c 100644 install_str_setting(0, &tunable_dsa_cert_file); install_str_setting(0, &tunable_dh_param_file); install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", -- &tunable_ssl_ciphers); +- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", +- &tunable_ssl_ciphers); + install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); diff --git a/SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch b/SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch index 8b26c7b..93e2ce8 100644 --- a/SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch +++ b/SOURCES/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch @@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644 security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with. --Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 +-Default: DES-CBC3-SHA +By default, the system-wide crypto policy is used. See +.BR update-crypto-policies(8) +for further details. + +Default: PROFILE=SYSTEM .TP - .B user_config_dir - This powerful option allows the override of any config option specified in + .B ssl_sni_hostname + If set, SSL connections will be rejected unless the SNI hostname in the -- 2.14.4 diff --git a/SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch b/SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch deleted file mode 100644 index 250a44c..0000000 --- a/SOURCES/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Thu, 21 Dec 2017 14:29:25 +0100 -Subject: [PATCH 42/59] When handling FEAT command, check ssl_tlsv1_1 and - ssl_tlsv1_2 - -Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1 -or ssl_tlsv1_2 configuration option is enabled. - -The patch was written by Martin Sehnoutka. - -Resolves: rhbz#1432054 ---- - features.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/features.c b/features.c -index 1212980..d024366 100644 ---- a/features.c -+++ b/features.c -@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) - { - vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); - } -- if (tunable_tlsv1) -+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) - { - vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); - } --- -2.14.4 - diff --git a/SOURCES/0043-Enable-only-TLSv1.2-by-default.patch b/SOURCES/0043-Enable-only-TLSv1.2-by-default.patch deleted file mode 100644 index eb157f8..0000000 --- a/SOURCES/0043-Enable-only-TLSv1.2-by-default.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Thu, 21 Dec 2017 16:38:40 +0100 -Subject: [PATCH 43/59] Enable only TLSv1.2 by default - -Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default. ---- - tunables.c | 6 +++--- - vsftpd.conf.5 | 4 ++-- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tunables.c b/tunables.c -index 354251c..9680528 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -211,9 +211,9 @@ tunables_load_defaults() - tunable_force_local_data_ssl = 1; - tunable_sslv2 = 0; - tunable_sslv3 = 0; -- /* TLSv1 up to TLSv1.2 is enabled by default */ -- tunable_tlsv1 = 1; -- tunable_tlsv1_1 = 1; -+ tunable_tlsv1 = 0; -+ tunable_tlsv1_1 = 0; -+ /* Only TLSv1.2 is enabled by default */ - tunable_tlsv1_2 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 2a7662e..df14027 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -539,7 +539,7 @@ Only applies if - is activated. If enabled, this option will permit TLS v1 protocol connections. - TLS v1.2 connections are preferred. - --Default: YES -+Default: NO - .TP - .B ssl_tlsv1_1 - Only applies if -@@ -547,7 +547,7 @@ Only applies if - is activated. If enabled, this option will permit TLS v1.1 protocol connections. - TLS v1.2 connections are preferred. - --Default: YES -+Default: NO - .TP - .B ssl_tlsv1_2 - Only applies if --- -2.14.4 - diff --git a/SOURCES/fix-str_open.patch b/SOURCES/fix-str_open.patch index eef52ec..e5d5bd9 100644 --- a/SOURCES/fix-str_open.patch +++ b/SOURCES/fix-str_open.patch @@ -1,11 +1,10 @@ -diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c ---- vsftpd-3.0.3.orig/sysstr.c 2020-11-17 09:47:03.872923383 +0100 -+++ vsftpd-3.0.3/sysstr.c 2020-11-17 09:48:41.219754145 +0100 +--- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200 ++++ sysstr.c 2022-07-27 09:54:24.043081352 +0200 @@ -74,19 +74,11 @@ int str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode) { -- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown; +- enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown; - switch (mode) - { - case kVSFSysStrOpenReadOnly: diff --git a/SOURCES/vsftpd-3.0.3-ALPACA.patch b/SOURCES/vsftpd-3.0.3-ALPACA.patch deleted file mode 100644 index a09f362..0000000 --- a/SOURCES/vsftpd-3.0.3-ALPACA.patch +++ /dev/null @@ -1,225 +0,0 @@ -diff --git a/parseconf.c b/parseconf.c -index 3729818..ee1b8b4 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -188,6 +188,7 @@ parseconf_str_array[] = - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, - { "ca_certs_file", &tunable_ca_certs_file }, -+ { "ssl_sni_hostname", &tunable_ssl_sni_hostname }, - { "cmds_denied", &tunable_cmds_denied }, - { 0, 0 } - }; -diff --git a/ssl.c b/ssl.c -index 09ec96a..51345f8 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -41,6 +41,13 @@ static long bio_callback( - BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); - static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); -+static int ssl_alpn_callback(SSL* p_ssl, -+ const unsigned char** p_out, -+ unsigned char* outlen, -+ const unsigned char* p_in, -+ unsigned int inlen, -+ void* p_arg); -+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg); - static int ssl_cert_digest( - SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); - static void maybe_log_shutdown_state(struct vsf_session* p_sess); -@@ -286,6 +293,12 @@ ssl_init(struct vsf_session* p_sess) - } - - SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); -+ /* Set up ALPN to check for FTP protocol intention of client. */ -+ SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); -+ /* Set up SNI callback for an optional hostname check. */ -+ SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback); -+ SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess); -+ - - if (tunable_ecdh_param_file) - { -@@ -870,6 +883,132 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) - - return DH_get_dh(keylength); - } -+static int -+ssl_alpn_callback(SSL* p_ssl, -+ const unsigned char** p_out, -+ unsigned char* outlen, -+ const unsigned char* p_in, -+ unsigned int inlen, -+ void* p_arg) { -+ unsigned int i; -+ struct vsf_session* p_sess = (struct vsf_session*) p_arg; -+ int is_ok = 0; -+ -+ (void) p_ssl; -+ -+ /* Initialize just in case. */ -+ *p_out = p_in; -+ *outlen = 0; -+ -+ for (i = 0; i < inlen; ++i) { -+ unsigned int left = (inlen - i); -+ if (left < 4) { -+ continue; -+ } -+ if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' && -+ p_in[i + 3] == 'p') -+ { -+ is_ok = 1; -+ *p_out = &p_in[i + 1]; -+ *outlen = 3; -+ break; -+ } -+ } -+ -+ if (!is_ok) -+ { -+ str_alloc_text(&debug_str, "ALPN rejection"); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ if (!is_ok || tunable_debug_ssl) -+ { -+ str_alloc_text(&debug_str, "ALPN data: "); -+ for (i = 0; i < inlen; ++i) { -+ str_append_char(&debug_str, p_in[i]); -+ } -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ -+ if (is_ok) -+ { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ else -+ { -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+} -+ -+static long -+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg) -+{ -+ static struct mystr s_sni_expected_hostname; -+ static struct mystr s_sni_received_hostname; -+ -+ int servername_type; -+ const char* p_sni_servername; -+ struct vsf_session* p_sess = (struct vsf_session*) p_arg; -+ int is_ok = 0; -+ -+ (void) p_ssl; -+ (void) p_arg; -+ -+ if (tunable_ssl_sni_hostname) -+ { -+ str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname); -+ } -+ -+ /* The OpenSSL documentation says it is pre-initialized like this, but set -+ * it just in case. -+ */ -+ *p_al = SSL_AD_UNRECOGNIZED_NAME; -+ -+ servername_type = SSL_get_servername_type(p_ssl); -+ p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name); -+ if (p_sni_servername != NULL) { -+ str_alloc_text(&s_sni_received_hostname, p_sni_servername); -+ } -+ -+ if (str_isempty(&s_sni_expected_hostname)) -+ { -+ is_ok = 1; -+ } -+ else if (servername_type != TLSEXT_NAMETYPE_host_name) -+ { -+ /* Fail. */ -+ str_alloc_text(&debug_str, "SNI bad type: "); -+ str_append_ulong(&debug_str, servername_type); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ else -+ { -+ if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname)) -+ { -+ is_ok = 1; -+ } -+ else -+ { -+ str_alloc_text(&debug_str, "SNI rejection"); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ } -+ -+ if (!is_ok || tunable_debug_ssl) -+ { -+ str_alloc_text(&debug_str, "SNI hostname: "); -+ str_append_str(&debug_str, &s_sni_received_hostname); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ -+ if (is_ok) -+ { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ else -+ { -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+} - - void - ssl_add_entropy(struct vsf_session* p_sess) -diff --git a/tunables.c b/tunables.c -index c96c1ac..d8dfcde 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; - const char* tunable_ca_certs_file; -+const char* tunable_ssl_sni_hostname; - - static void install_str_setting(const char* p_value, const char** p_storage); - -@@ -309,6 +310,7 @@ tunables_load_defaults() - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -+ install_str_setting(0, &tunable_ssl_sni_hostname); - } - - void -diff --git a/tunables.h b/tunables.h -index 8d50150..de6cab0 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; - extern const char* tunable_ca_certs_file; -+extern const char* tunable_ssl_sni_hostname; - extern const char* tunable_cmds_denied; - - #endif /* VSF_TUNABLES_H */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 815773f..7006287 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -1128,6 +1128,12 @@ for further details. - - Default: PROFILE=SYSTEM - .TP -+.B ssl_sni_hostname -+If set, SSL connections will be rejected unless the SNI hostname in the -+incoming handshakes matches this value. -+ -+Default: (none) -+.TP - .B user_config_dir - This powerful option allows the override of any config option specified in - the manual page, on a per-user basis. Usage is simple, and is best illustrated diff --git a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch b/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch deleted file mode 100644 index e1900ee..0000000 --- a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch +++ /dev/null @@ -1,96 +0,0 @@ -diff --git a/features.c b/features.c -index d024366..3a60b88 100644 ---- a/features.c -+++ b/features.c -@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) - { - vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); - } -- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) -+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3) - { - vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); - } -diff --git a/parseconf.c b/parseconf.c -index ee1b8b4..5188088 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -87,6 +87,7 @@ parseconf_bool_array[] = - { "ssl_tlsv1", &tunable_tlsv1 }, - { "ssl_tlsv1_1", &tunable_tlsv1_1 }, - { "ssl_tlsv1_2", &tunable_tlsv1_2 }, -+ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -diff --git a/ssl.c b/ssl.c -index 51345f8..d5d4a21 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1_2; - } -+ if (!tunable_tlsv1_3) -+ { -+ options |= SSL_OP_NO_TLSv1_3; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -diff --git a/tunables.c b/tunables.c -index d8dfcde..dc001ac 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -68,6 +68,7 @@ int tunable_sslv3; - int tunable_tlsv1; - int tunable_tlsv1_1; - int tunable_tlsv1_2; -+int tunable_tlsv1_3; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -218,8 +219,9 @@ tunables_load_defaults() - tunable_sslv3 = 0; - tunable_tlsv1 = 0; - tunable_tlsv1_1 = 0; -- /* Only TLSv1.2 is enabled by default */ -+ /* Only TLSv1.2 and TLSv1.3 are enabled by default */ - tunable_tlsv1_2 = 1; -+ tunable_tlsv1_3 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -diff --git a/tunables.h b/tunables.h -index de6cab0..ff0eebc 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ - extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ - extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ -+extern int tunable_tlsv1_3; /* Allow TLSv1.3 */ - extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 7006287..d181e50 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -587,7 +587,15 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1.2 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_3 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.3 protocol connections. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: YES - .TP diff --git a/SOURCES/vsftpd-3.0.5-repalce-old-network-addr-functions.patch b/SOURCES/vsftpd-3.0.5-repalce-old-network-addr-functions.patch new file mode 100644 index 0000000..89e6257 --- /dev/null +++ b/SOURCES/vsftpd-3.0.5-repalce-old-network-addr-functions.patch @@ -0,0 +1,139 @@ +diff -urN vsftpd-3.0.5-orig/postlogin.c vsftpd-3.0.5/postlogin.c +--- vsftpd-3.0.5-orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200 ++++ vsftpd-3.0.5/postlogin.c 2023-02-13 16:34:05.244467476 +0100 +@@ -27,4 +27,6 @@ + #include "ssl.h" + #include "vsftpver.h" ++#include ++#include + #include "opts.h" + +@@ -628,9 +629,10 @@ + else + { + const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr); ++ static char result[INET_ADDRSTRLEN]; + if (p_v4addr) + { +- str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr)); ++ str_append_text(&s_pasv_res_str, inet_ntop(AF_INET, p_v4addr, result, INET_ADDRSTRLEN)); + } + else + { +diff -urN vsftpd-3.0.5-orig/sysutil.c vsftpd-3.0.5/sysutil.c +--- vsftpd-3.0.5-orig/sysutil.c 2012-09-16 09:07:38.000000000 +0200 ++++ vsftpd-3.0.5/sysutil.c 2023-02-13 16:08:58.557153109 +0100 +@@ -2205,20 +2205,13 @@ + const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr; + if (p_sockaddr->sa_family == AF_INET) + { +- return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr); ++ static char result[INET_ADDRSTRLEN]; ++ return inet_ntop(AF_INET, &p_sockptr->u.u_sockaddr_in.sin_addr, result, INET_ADDRSTRLEN); + } + else if (p_sockaddr->sa_family == AF_INET6) + { +- static char inaddr_buf[64]; +- const char* p_ret = inet_ntop(AF_INET6, +- &p_sockptr->u.u_sockaddr_in6.sin6_addr, +- inaddr_buf, sizeof(inaddr_buf)); +- inaddr_buf[sizeof(inaddr_buf) - 1] = '\0'; +- if (p_ret == NULL) +- { +- inaddr_buf[0] = '\0'; +- } +- return inaddr_buf; ++ static char result[INET6_ADDRSTRLEN]; ++ return inet_ntop(AF_INET6, &p_sockptr->u.u_sockaddr_in6.sin6_addr, result, INET6_ADDRSTRLEN); + } + else + { +@@ -2227,12 +2220,6 @@ + } + } + +-const char* +-vsf_sysutil_inet_ntoa(const void* p_raw_addr) +-{ +- return inet_ntoa(*((struct in_addr*)p_raw_addr)); +-} +- + int + vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr) + { +@@ -2241,7 +2228,7 @@ + { + bug("bad family"); + } +- if (inet_aton(p_text, &sin_addr)) ++ if (inet_pton(AF_INET, p_text, &sin_addr)) + { + vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr, + &sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr)); +@@ -2257,37 +2244,46 @@ + vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr, + const char* p_name) + { +- struct hostent* hent = gethostbyname(p_name); +- if (hent == NULL) ++ struct addrinfo *result; ++ struct addrinfo hints; ++ int ret; ++ ++ memset(&hints, 0, sizeof(struct addrinfo)); ++ hints.ai_family = AF_UNSPEC; ++ ++ if ((ret = getaddrinfo(p_name, NULL, &hints, &result)) != 0) + { ++ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret)); + die2("cannot resolve host:", p_name); + } + vsf_sysutil_sockaddr_clear(p_sockptr); +- if (hent->h_addrtype == AF_INET) ++ if (result->ai_family == AF_INET) + { +- unsigned int len = hent->h_length; ++ unsigned int len = result->ai_addrlen; + if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr)) + { + len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr); + } + vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr); + vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr, +- hent->h_addr_list[0], len); ++ &result->ai_addrlen, len); + } +- else if (hent->h_addrtype == AF_INET6) ++ else if (result->ai_family == AF_INET6) + { +- unsigned int len = hent->h_length; ++ unsigned int len = result->ai_addrlen; + if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr)) + { + len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr); + } + vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr); + vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr, +- hent->h_addr_list[0], len); ++ &result->ai_addrlen, len); + } + else + { +- die("gethostbyname(): neither IPv4 nor IPv6"); ++ freeaddrinfo(result); ++ die("getaddrinfo(): neither IPv4 nor IPv6"); + } ++ freeaddrinfo(result); + } + +diff -urN vsftpd-3.0.5-orig/sysutil.h vsftpd-3.0.5/sysutil.h +--- vsftpd-3.0.5-orig/sysutil.h 2021-05-18 08:50:21.000000000 +0200 ++++ vsftpd-3.0.5/sysutil.h 2023-02-13 15:59:22.088331075 +0100 +@@ -277,7 +277,6 @@ + + const char* vsf_sysutil_inet_ntop( + const struct vsf_sysutil_sockaddr* p_sockptr); +-const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr); + int vsf_sysutil_inet_aton( + const char* p_text, struct vsf_sysutil_sockaddr* p_addr); + diff --git a/SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch b/SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch new file mode 100644 index 0000000..c6f8f7d --- /dev/null +++ b/SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch @@ -0,0 +1,70 @@ +diff --git a/ssl.c b/ssl.c +--- ssl.c ++++ ssl.c +@@ -28,17 +28,17 @@ + #include + #include + #include + #include + #include + #include + #include + + static char* get_ssl_error(); + static SSL* get_ssl(struct vsf_session* p_sess, int fd); + static int ssl_session_init(struct vsf_session* p_sess); + static void setup_bio_callbacks(); + static long bio_callback( +- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); ++ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed); + static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); + static int ssl_alpn_callback(SSL* p_ssl, + const unsigned char** p_out, +@@ -88,7 +88,7 @@ + long options; + int verify_option = 0; + SSL_library_init(); +- p_ctx = SSL_CTX_new(SSLv23_server_method()); ++ p_ctx = SSL_CTX_new_ex(NULL, NULL, SSLv23_server_method()); + if (p_ctx == NULL) + { + die("SSL: could not allocate SSL context"); +@@ -180,13 +180,10 @@ + die("SSL: RNG is not seeded"); + } + { +- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); +- if (key == NULL) ++ if (!SSL_CTX_set1_groups_list(p_ctx, "P-256")) + { + die("SSL: failed to get curve p256"); + } +- SSL_CTX_set_tmp_ecdh(p_ctx, key); +- EC_KEY_free(key); + } + if (tunable_ssl_request_cert) + { +@@ -692,17 +689,19 @@ + static void setup_bio_callbacks(SSL* p_ssl) + { + BIO* p_bio = SSL_get_rbio(p_ssl); +- BIO_set_callback(p_bio, bio_callback); ++ BIO_set_callback_ex(p_bio, bio_callback); + p_bio = SSL_get_wbio(p_ssl); +- BIO_set_callback(p_bio, bio_callback); ++ BIO_set_callback_ex(p_bio, bio_callback); + } + + static long + bio_callback( +- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret) ++ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed) + { + int retval = 0; + int fd = 0; ++ (void) len; ++ (void) processed; + (void) p_arg; + (void) argi; + (void) argl; + diff --git a/SOURCES/vsftpd-3.0.5-use-old-tlsv-options.patch b/SOURCES/vsftpd-3.0.5-use-old-tlsv-options.patch new file mode 100644 index 0000000..7c37ce9 --- /dev/null +++ b/SOURCES/vsftpd-3.0.5-use-old-tlsv-options.patch @@ -0,0 +1,15 @@ +--- parseconf-orig.c 2022-10-25 15:17:18.990701984 +0200 ++++ parseconf.c 2022-10-25 15:12:44.213480000 +0200 +@@ -85,9 +85,9 @@ + { "ssl_sslv2", &tunable_sslv2 }, + { "ssl_sslv3", &tunable_sslv3 }, + { "ssl_tlsv1", &tunable_tlsv1 }, +- { "ssl_tlsv11", &tunable_tlsv1_1 }, +- { "ssl_tlsv12", &tunable_tlsv1_2 }, +- { "ssl_tlsv13", &tunable_tlsv1_3 }, ++ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, ++ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, ++ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, + { "tilde_user_enable", &tunable_tilde_user_enable }, + { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, + { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, diff --git a/SPECS/vsftpd.spec b/SPECS/vsftpd.spec index 934cd80..5856ee8 100644 --- a/SPECS/vsftpd.spec +++ b/SPECS/vsftpd.spec @@ -1,8 +1,8 @@ %global _generatorsdir %{_prefix}/lib/systemd/system-generators Name: vsftpd -Version: 3.0.3 -Release: 49%{?dist} +Version: 3.0.5 +Release: 4%{?dist} Summary: Very Secure Ftp Daemon # OpenSSL link exception @@ -61,17 +61,16 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch -Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch +#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch -Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch Patch40: 0040-Use-system-wide-crypto-policy.patch Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch -Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch -Patch43: 0043-Enable-only-TLSv1.2-by-default.patch +#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch +#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch @@ -97,10 +96,10 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch Patch68: 0002-Drop-an-unused-global-variable.patch Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch Patch70: fix-str_open.patch -# upstream commits 56402c0, 8b82e73 rhbz#1948570 Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch -Patch72: vsftpd-3.0.3-ALPACA.patch -Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch +Patch72: vsftpd-3.0.5-use-old-tlsv-options.patch +Patch73: vsftpd-3.0.5-repalce-old-network-addr-functions.patch +Patch74: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch %description vsftpd is a Very Secure FTP daemon. It was written completely from @@ -173,6 +172,22 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub %{_var}/ftp %changelog +* Mon Feb 13 2023 Richard Lescak - 3.0.5-4 +- add patch to replace deprecated Openssl functions +- Resolves: rhbz#1981411 + +* Mon Feb 06 2023 Richard Lescak - 3.0.5-3 +- add patch to replace old network functions +- Resolves: rhbz#1951545 + +* Fri Nov 11 2022 Richard Lescak - 3.0.5-2 +- reintroduce patch for support of wide-character strings in logs +- Related: rhbz#2018284 + +* Wed Oct 26 2022 Richard Lescak - 3.0.5-1 +- rebase to version 3.0.5 +- Resolves: rhbz#2018284 + * Wed Oct 27 2021 Artem Egorenkov - 3.0.3-49 - add option to disable TLSv1.3 - Resolves: rhbz#1954682