rebase to version 3.0.5

This commit is contained in:
Richard Lescak 2022-07-29 20:10:46 +02:00
parent b7d0384436
commit 63f4fa04b2
10 changed files with 40 additions and 39 deletions

1
.gitignore vendored
View File

@ -6,3 +6,4 @@ vsftpd-2.3.2.tar.gz
/vsftpd-3.0.1.tar.gz
/vsftpd-3.0.2.tar.gz
/vsftpd-3.0.3.tar.gz
/vsftpd-3.0.5.tar.gz

View File

@ -36,14 +36,14 @@ index c362983..22b69b3 100644
#include <errno.h>
#include <limits.h>
@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
@@ -38,6 +40,7 @@
static char* get_ssl_error();
static SSL* get_ssl(struct vsf_session* p_sess, int fd);
static int ssl_session_init(struct vsf_session* p_sess);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
static void setup_bio_callbacks();
static long bio_callback(
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
static int ssl_cert_digest(
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
static int ssl_inited;
static struct mystr debug_str;
@ -140,18 +140,18 @@ index c362983..22b69b3 100644
if (tunable_ssl_ciphers &&
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
{
@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
@@ -184,6 +260,9 @@
/* Ensure cached session doesn't expire */
SSL_CTX_set_timeout(p_ctx, INT_MAX);
}
+
+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+
p_sess->p_ssl_ctx = p_ctx;
ssl_inited = 1;
/* Set up ALPN to check for FTP protocol intention of client. */
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
/* Set up SNI callback for an optional hostname check. */
@@ -854,6 +933,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
}
@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
return 1;
}
+#define UNUSED(x) ( (void)(x) )

View File

@ -36,7 +36,7 @@ index 22b69b3..96bf8ad 100644
if (!tunable_sslv2)
{
options |= SSL_OP_NO_SSLv2;
@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
@@ -244,6 +244,41 @@
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
@ -75,9 +75,9 @@ index 22b69b3..96bf8ad 100644
+#endif
+ }
+
p_sess->p_ssl_ctx = p_ctx;
ssl_inited = 1;
}
/* Set up ALPN to check for FTP protocol intention of client. */
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
/* Set up SNI callback for an optional hostname check. */
diff --git a/tunables.c b/tunables.c
index 1ea7227..93f85b1 100644
--- a/tunables.c

View File

@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
index eaba265..f1e2f69 100644
--- a/main.c
+++ b/main.c
@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
@@ -40,7 +40,7 @@
/* Control connection */
0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0,
/* Data connection */
- -1, 0, -1, 0, 0, 0, 0,
+ -1, 0, -1, 0, 0, 0, 0, 0,

View File

@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 29 Aug 2017 10:32:16 +0200
Subject: [PATCH 40/59] Use system wide crypto policy
Resolves: rhbz#1483970
Resolves: rhbz#
---
tunables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
@ -16,7 +16,7 @@ index 5440c00..354251c 100644
install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
- &tunable_ssl_ciphers);
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);

View File

@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
-Default: DES-CBC3-SHA
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
+
+Default: PROFILE=SYSTEM
.TP
.B user_config_dir
This powerful option allows the override of any config option specified in
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
--
2.14.4

View File

@ -1,11 +1,10 @@
diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c
--- vsftpd-3.0.3.orig/sysstr.c 2020-11-17 09:47:03.872923383 +0100
+++ vsftpd-3.0.3/sysstr.c 2020-11-17 09:48:41.219754145 +0100
--- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200
+++ sysstr.c 2022-07-27 09:54:24.043081352 +0200
@@ -74,19 +74,11 @@
int
str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
{
- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
- enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
- switch (mode)
- {
- case kVSFSysStrOpenReadOnly:

View File

@ -1 +1 @@
SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7
SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee

View File

@ -1,8 +1,8 @@
%global _generatorsdir %{_prefix}/lib/systemd/system-generators
Name: vsftpd
Version: 3.0.3
Release: 51%{?dist}
Version: 3.0.5
Release: 1%{?dist}
Summary: Very Secure Ftp Daemon
# OpenSSL link exception
@ -61,7 +61,7 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
@ -70,8 +70,8 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
Patch40: 0040-Use-system-wide-crypto-policy.patch
Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@ -97,10 +97,8 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
Patch68: 0002-Drop-an-unused-global-variable.patch
Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
Patch70: fix-str_open.patch
Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
# upstream commits 56402c0, 8b82e73
Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
Patch72: vsftpd-3.0.3-ALPACA.patch
Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
%description
vsftpd is a Very Secure FTP daemon. It was written completely from
@ -172,6 +170,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
%{_var}/ftp
%changelog
* Thu Jul 28 2022 Richard Lescak <rlescak@redhat.com> 3.0.5-1
- rebase to version 3.0.5
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-51
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild