From 63f4fa04b225188aed90f98db682c86858d2cbdc Mon Sep 17 00:00:00 2001
From: Richard Lescak <rlescak@redhat.com>
Date: Fri, 29 Jul 2022 20:10:46 +0200
Subject: [PATCH] rebase to version 3.0.5

---
 .gitignore                                    |  1 +
 ...-support-for-DHE-based-cipher-suites.patch | 26 +++++++++----------
 ...upport-for-EDDHE-based-cipher-suites.patch | 10 +++----
 0025-Improve-local_max_rate-option.patch      |  4 +--
 0040-Use-system-wide-crypto-policy.patch      |  6 ++---
 ...-default-for-ssl_ciphers-in-the-man-.patch |  6 ++---
 fix-str_open.patch                            |  7 +++--
 sources                                       |  2 +-
 ...wc_logs-replace_unprintable_with_hex.patch |  0
 vsftpd.spec                                   | 17 ++++++------
 10 files changed, 40 insertions(+), 39 deletions(-)
 rename vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch => vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch (100%)

diff --git a/.gitignore b/.gitignore
index 811254b..d4e96bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ vsftpd-2.3.2.tar.gz
 /vsftpd-3.0.1.tar.gz
 /vsftpd-3.0.2.tar.gz
 /vsftpd-3.0.3.tar.gz
+/vsftpd-3.0.5.tar.gz
diff --git a/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/0021-Introduce-support-for-DHE-based-cipher-suites.patch
index 1abe1e4..cfa23bb 100644
--- a/0021-Introduce-support-for-DHE-based-cipher-suites.patch
+++ b/0021-Introduce-support-for-DHE-based-cipher-suites.patch
@@ -36,14 +36,14 @@ index c362983..22b69b3 100644
  #include <errno.h>
  #include <limits.h>
  
-@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
+@@ -38,6 +40,7 @@
+ static char* get_ssl_error();
+ static SSL* get_ssl(struct vsf_session* p_sess, int fd);
+ static int ssl_session_init(struct vsf_session* p_sess);
++static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+ static void setup_bio_callbacks();
  static long bio_callback(
    BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
- static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
-+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
- static int ssl_cert_digest(
-   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
- static void maybe_log_shutdown_state(struct vsf_session* p_sess);
 @@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
  static int ssl_inited;
  static struct mystr debug_str;
@@ -140,18 +140,18 @@ index c362983..22b69b3 100644
      if (tunable_ssl_ciphers &&
          SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
      {
-@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
+@@ -184,6 +260,9 @@
        /* Ensure cached session doesn't expire */
        SSL_CTX_set_timeout(p_ctx, INT_MAX);
      }
-+    
++
 +    SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 +
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
+@@ -854,6 +933,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
    }
-@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
-   return 1;
  }
  
 +#define UNUSED(x) ( (void)(x) )
@@ -162,7 +162,7 @@ index c362983..22b69b3 100644
 +  // strict compiler bypassing
 +  UNUSED(ssl);
 +  UNUSED(is_export);
-+  
++
 +  return DH_get_dh(keylength);
 +}
 +
diff --git a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
index 1428b86..9cb56cd 100644
--- a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
+++ b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
@@ -36,8 +36,8 @@ index 22b69b3..96bf8ad 100644
      if (!tunable_sslv2)
      {
        options |= SSL_OP_NO_SSLv2;
-@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
-     
+@@ -244,6 +244,41 @@
+ 
      SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
  
 +    if (tunable_ecdh_param_file)
@@ -75,9 +75,9 @@ index 22b69b3..96bf8ad 100644
 +#endif
 +    }
 +
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
-   }
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
 diff --git a/tunables.c b/tunables.c
 index 1ea7227..93f85b1 100644
 --- a/tunables.c
diff --git a/0025-Improve-local_max_rate-option.patch b/0025-Improve-local_max_rate-option.patch
index e78f825..2c74c7a 100644
--- a/0025-Improve-local_max_rate-option.patch
+++ b/0025-Improve-local_max_rate-option.patch
@@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
 index eaba265..f1e2f69 100644
 --- a/main.c
 +++ b/main.c
-@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
+@@ -40,7 +40,7 @@
      /* Control connection */
-     0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0,
      /* Data connection */
 -    -1, 0, -1, 0, 0, 0, 0,
 +    -1, 0, -1, 0, 0, 0, 0, 0,
diff --git a/0040-Use-system-wide-crypto-policy.patch b/0040-Use-system-wide-crypto-policy.patch
index f59ba2b..940a5b2 100644
--- a/0040-Use-system-wide-crypto-policy.patch
+++ b/0040-Use-system-wide-crypto-policy.patch
@@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
 Date: Tue, 29 Aug 2017 10:32:16 +0200
 Subject: [PATCH 40/59] Use system wide crypto policy
 
-Resolves: rhbz#1483970
+Resolves: rhbz#
 ---
  tunables.c | 3 +--
  1 file changed, 1 insertion(+), 2 deletions(-)
@@ -16,8 +16,8 @@ index 5440c00..354251c 100644
    install_str_setting(0, &tunable_dsa_cert_file);
    install_str_setting(0, &tunable_dh_param_file);
    install_str_setting(0, &tunable_ecdh_param_file);
--  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
--          &tunable_ssl_ciphers);
+-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
+-                      &tunable_ssl_ciphers);
 +  install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
    install_str_setting(0, &tunable_rsa_private_key_file);
    install_str_setting(0, &tunable_dsa_private_key_file);
diff --git a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
index 8b26c7b..93e2ce8 100644
--- a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
+++ b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
@@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
  security precaution as it prevents malicious remote parties forcing a cipher
  which they have found problems with.
  
--Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
+-Default: DES-CBC3-SHA
 +By default, the system-wide crypto policy is used. See
 +.BR update-crypto-policies(8)
 +for further details.
 +
 +Default: PROFILE=SYSTEM
  .TP
- .B user_config_dir
- This powerful option allows the override of any config option specified in
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
 -- 
 2.14.4
 
diff --git a/fix-str_open.patch b/fix-str_open.patch
index eef52ec..e5d5bd9 100644
--- a/fix-str_open.patch
+++ b/fix-str_open.patch
@@ -1,11 +1,10 @@
-diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c
---- vsftpd-3.0.3.orig/sysstr.c	2020-11-17 09:47:03.872923383 +0100
-+++ vsftpd-3.0.3/sysstr.c	2020-11-17 09:48:41.219754145 +0100
+--- sysstr-orig.c	2022-07-27 09:44:52.606408000 +0200
++++ sysstr.c	2022-07-27 09:54:24.043081352 +0200
 @@ -74,19 +74,11 @@
  int
  str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
  {
--  enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
+-  enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
 -  switch (mode)
 -  {
 -    case kVSFSysStrOpenReadOnly:
diff --git a/sources b/sources
index 73f8cf5..e0f928f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7
+SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee
diff --git a/vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch b/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
similarity index 100%
rename from vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
rename to vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
diff --git a/vsftpd.spec b/vsftpd.spec
index ab63318..18f9361 100644
--- a/vsftpd.spec
+++ b/vsftpd.spec
@@ -1,8 +1,8 @@
 %global _generatorsdir %{_prefix}/lib/systemd/system-generators
 
 Name:    vsftpd
-Version: 3.0.3
-Release: 51%{?dist}
+Version: 3.0.5
+Release: 1%{?dist}
 Summary: Very Secure Ftp Daemon
 
 # OpenSSL link exception
@@ -61,7 +61,7 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
 Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
 Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
 Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
-Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
+#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
 Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
 Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
@@ -70,8 +70,8 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
 Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
 Patch40: 0040-Use-system-wide-crypto-policy.patch
 Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
-Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
-Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
+#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
 Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
 Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
 Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@@ -97,10 +97,8 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
 Patch68: 0002-Drop-an-unused-global-variable.patch
 Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch70: fix-str_open.patch
+Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
 # upstream commits 56402c0, 8b82e73
-Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
-Patch72: vsftpd-3.0.3-ALPACA.patch
-Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
 
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -172,6 +170,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 
 %changelog
+* Thu Jul 28 2022 Richard Lescak <rlescak@redhat.com> 3.0.5-1
+- rebase to version 3.0.5
+
 * Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-51
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild