rebase to version 3.0.5
This commit is contained in:
Richard Lescak
parent
b7d0384436
commit
63f4fa04b2
1
.gitignore
vendored
1
.gitignore
vendored
@ -6,3 +6,4 @@ vsftpd-2.3.2.tar.gz
|
||||
/vsftpd-3.0.1.tar.gz
|
||||
/vsftpd-3.0.2.tar.gz
|
||||
/vsftpd-3.0.3.tar.gz
|
||||
/vsftpd-3.0.5.tar.gz
|
||||
|
||||
@ -36,14 +36,14 @@ index c362983..22b69b3 100644
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
|
||||
@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
|
||||
@@ -38,6 +40,7 @@
|
||||
static char* get_ssl_error();
|
||||
static SSL* get_ssl(struct vsf_session* p_sess, int fd);
|
||||
static int ssl_session_init(struct vsf_session* p_sess);
|
||||
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
|
||||
static void setup_bio_callbacks();
|
||||
static long bio_callback(
|
||||
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
|
||||
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
|
||||
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
|
||||
static int ssl_cert_digest(
|
||||
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
|
||||
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
|
||||
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
|
||||
static int ssl_inited;
|
||||
static struct mystr debug_str;
|
||||
@ -140,18 +140,18 @@ index c362983..22b69b3 100644
|
||||
if (tunable_ssl_ciphers &&
|
||||
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
|
||||
{
|
||||
@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
|
||||
@@ -184,6 +260,9 @@
|
||||
/* Ensure cached session doesn't expire */
|
||||
SSL_CTX_set_timeout(p_ctx, INT_MAX);
|
||||
}
|
||||
+
|
||||
+
|
||||
+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
|
||||
+
|
||||
p_sess->p_ssl_ctx = p_ctx;
|
||||
ssl_inited = 1;
|
||||
/* Set up ALPN to check for FTP protocol intention of client. */
|
||||
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
|
||||
/* Set up SNI callback for an optional hostname check. */
|
||||
@@ -854,6 +933,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
|
||||
}
|
||||
@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+#define UNUSED(x) ( (void)(x) )
|
||||
@ -162,7 +162,7 @@ index c362983..22b69b3 100644
|
||||
+ // strict compiler bypassing
|
||||
+ UNUSED(ssl);
|
||||
+ UNUSED(is_export);
|
||||
+
|
||||
+
|
||||
+ return DH_get_dh(keylength);
|
||||
+}
|
||||
+
|
||||
|
||||
@ -36,8 +36,8 @@ index 22b69b3..96bf8ad 100644
|
||||
if (!tunable_sslv2)
|
||||
{
|
||||
options |= SSL_OP_NO_SSLv2;
|
||||
@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
|
||||
|
||||
@@ -244,6 +244,41 @@
|
||||
|
||||
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
|
||||
|
||||
+ if (tunable_ecdh_param_file)
|
||||
@ -75,9 +75,9 @@ index 22b69b3..96bf8ad 100644
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
p_sess->p_ssl_ctx = p_ctx;
|
||||
ssl_inited = 1;
|
||||
}
|
||||
/* Set up ALPN to check for FTP protocol intention of client. */
|
||||
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
|
||||
/* Set up SNI callback for an optional hostname check. */
|
||||
diff --git a/tunables.c b/tunables.c
|
||||
index 1ea7227..93f85b1 100644
|
||||
--- a/tunables.c
|
||||
|
||||
@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
|
||||
index eaba265..f1e2f69 100644
|
||||
--- a/main.c
|
||||
+++ b/main.c
|
||||
@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
|
||||
@@ -40,7 +40,7 @@
|
||||
/* Control connection */
|
||||
0, 0, 0, 0, 0,
|
||||
0, 0, 0, 0, 0, 0,
|
||||
/* Data connection */
|
||||
- -1, 0, -1, 0, 0, 0, 0,
|
||||
+ -1, 0, -1, 0, 0, 0, 0, 0,
|
||||
|
||||
@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
|
||||
Date: Tue, 29 Aug 2017 10:32:16 +0200
|
||||
Subject: [PATCH 40/59] Use system wide crypto policy
|
||||
|
||||
Resolves: rhbz#1483970
|
||||
Resolves: rhbz#
|
||||
---
|
||||
tunables.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
@ -16,8 +16,8 @@ index 5440c00..354251c 100644
|
||||
install_str_setting(0, &tunable_dsa_cert_file);
|
||||
install_str_setting(0, &tunable_dh_param_file);
|
||||
install_str_setting(0, &tunable_ecdh_param_file);
|
||||
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
|
||||
- &tunable_ssl_ciphers);
|
||||
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
|
||||
- &tunable_ssl_ciphers);
|
||||
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
|
||||
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||
install_str_setting(0, &tunable_dsa_private_key_file);
|
||||
|
||||
@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
|
||||
security precaution as it prevents malicious remote parties forcing a cipher
|
||||
which they have found problems with.
|
||||
|
||||
-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
|
||||
-Default: DES-CBC3-SHA
|
||||
+By default, the system-wide crypto policy is used. See
|
||||
+.BR update-crypto-policies(8)
|
||||
+for further details.
|
||||
+
|
||||
+Default: PROFILE=SYSTEM
|
||||
.TP
|
||||
.B user_config_dir
|
||||
This powerful option allows the override of any config option specified in
|
||||
.B ssl_sni_hostname
|
||||
If set, SSL connections will be rejected unless the SNI hostname in the
|
||||
--
|
||||
2.14.4
|
||||
|
||||
|
||||
@ -1,11 +1,10 @@
|
||||
diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c
|
||||
--- vsftpd-3.0.3.orig/sysstr.c 2020-11-17 09:47:03.872923383 +0100
|
||||
+++ vsftpd-3.0.3/sysstr.c 2020-11-17 09:48:41.219754145 +0100
|
||||
--- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200
|
||||
+++ sysstr.c 2022-07-27 09:54:24.043081352 +0200
|
||||
@@ -74,19 +74,11 @@
|
||||
int
|
||||
str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
|
||||
{
|
||||
- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
|
||||
- enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
|
||||
- switch (mode)
|
||||
- {
|
||||
- case kVSFSysStrOpenReadOnly:
|
||||
|
||||
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7
|
||||
SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee
|
||||
|
||||
17
vsftpd.spec
17
vsftpd.spec
@ -1,8 +1,8 @@
|
||||
%global _generatorsdir %{_prefix}/lib/systemd/system-generators
|
||||
|
||||
Name: vsftpd
|
||||
Version: 3.0.3
|
||||
Release: 51%{?dist}
|
||||
Version: 3.0.5
|
||||
Release: 1%{?dist}
|
||||
Summary: Very Secure Ftp Daemon
|
||||
|
||||
# OpenSSL link exception
|
||||
@ -61,7 +61,7 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
|
||||
Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
|
||||
Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
|
||||
Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
|
||||
Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
|
||||
#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
|
||||
Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
|
||||
Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
|
||||
Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
|
||||
@ -70,8 +70,8 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
|
||||
Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
|
||||
Patch40: 0040-Use-system-wide-crypto-policy.patch
|
||||
Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
|
||||
Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
|
||||
Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
|
||||
#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
|
||||
#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
|
||||
Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
|
||||
Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
|
||||
Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
|
||||
@ -97,10 +97,8 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
|
||||
Patch68: 0002-Drop-an-unused-global-variable.patch
|
||||
Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
|
||||
Patch70: fix-str_open.patch
|
||||
Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
|
||||
# upstream commits 56402c0, 8b82e73
|
||||
Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
|
||||
Patch72: vsftpd-3.0.3-ALPACA.patch
|
||||
Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
|
||||
|
||||
%description
|
||||
vsftpd is a Very Secure FTP daemon. It was written completely from
|
||||
@ -172,6 +170,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
|
||||
%{_var}/ftp
|
||||
|
||||
%changelog
|
||||
* Thu Jul 28 2022 Richard Lescak <rlescak@redhat.com> 3.0.5-1
|
||||
- rebase to version 3.0.5
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-51
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user