- improves DH cipher
- implements ECDH cipher - adds isolate* options to man vsftpd.conf - corrects max_clients, max_per_ip default values in man vsftpd.conf - adds return code 450 when a file is temporarily unavailable
This commit is contained in:
parent
1dfc2c1071
commit
72b11624b3
@ -1,6 +1,17 @@
|
|||||||
|
diff -up vsftpd-3.0.2/parseconf.c.dh vsftpd-3.0.2/parseconf.c
|
||||||
|
--- vsftpd-3.0.2/parseconf.c.dh 2014-06-04 09:54:43.364747051 +0200
|
||||||
|
+++ vsftpd-3.0.2/parseconf.c 2014-06-04 09:54:43.368747052 +0200
|
||||||
|
@@ -176,6 +176,7 @@ parseconf_str_array[] =
|
||||||
|
{ "email_password_file", &tunable_email_password_file },
|
||||||
|
{ "rsa_cert_file", &tunable_rsa_cert_file },
|
||||||
|
{ "dsa_cert_file", &tunable_dsa_cert_file },
|
||||||
|
+ { "dh_param_file", &tunable_dh_param_file },
|
||||||
|
{ "ssl_ciphers", &tunable_ssl_ciphers },
|
||||||
|
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
|
||||||
|
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
|
||||||
diff -up vsftpd-3.0.2/ssl.c.dh vsftpd-3.0.2/ssl.c
|
diff -up vsftpd-3.0.2/ssl.c.dh vsftpd-3.0.2/ssl.c
|
||||||
--- vsftpd-3.0.2/ssl.c.dh 2012-04-03 02:23:42.000000000 +0200
|
--- vsftpd-3.0.2/ssl.c.dh 2012-04-03 02:23:42.000000000 +0200
|
||||||
+++ vsftpd-3.0.2/ssl.c 2014-05-13 12:36:26.790953361 +0200
|
+++ vsftpd-3.0.2/ssl.c 2014-06-04 09:55:59.443770325 +0200
|
||||||
@@ -28,6 +28,8 @@
|
@@ -28,6 +28,8 @@
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
@ -18,44 +29,103 @@ diff -up vsftpd-3.0.2/ssl.c.dh vsftpd-3.0.2/ssl.c
|
|||||||
static int ssl_cert_digest(
|
static int ssl_cert_digest(
|
||||||
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
|
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
|
||||||
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
|
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
|
||||||
@@ -51,6 +54,36 @@ static int ssl_read_common(struct vsf_se
|
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_se
|
||||||
static int ssl_inited;
|
static int ssl_inited;
|
||||||
static struct mystr debug_str;
|
static struct mystr debug_str;
|
||||||
|
|
||||||
+
|
+
|
||||||
+// Grab DH parameters from OpenSSL; <openssl/bn.h>
|
+// Grab prime number from OpenSSL; <openssl/bn.h>
|
||||||
+// (get_rfc*) for all available primes.
|
+// (get_rfc*) for all available primes.
|
||||||
+#define make_get_dh(rfc,size) \
|
+// wraps selection of comparable algorithm strength
|
||||||
+static DH *get_dh##size(void) \
|
+#if !defined(match_dh_bits)
|
||||||
+{ \
|
+ #define match_dh_bits(keylen) \
|
||||||
+ DH *dh = DH_new(); \
|
+ keylen >= 8191 ? 8192 : \
|
||||||
+ if (!dh) { \
|
+ keylen >= 6143 ? 6144 : \
|
||||||
+ return NULL; \
|
+ keylen >= 4095 ? 4096 : \
|
||||||
+ } \
|
+ keylen >= 3071 ? 3072 : \
|
||||||
+ dh->p = get_##rfc##_prime_##size(NULL); \
|
+ keylen >= 2047 ? 2048 : \
|
||||||
+ BN_dec2bn(&dh->g, "2"); \
|
+ keylen >= 1535 ? 1536 : \
|
||||||
+ if (!dh->p || !dh->g) { \
|
+ keylen >= 1023 ? 1024 : 768
|
||||||
+ DH_free(dh); \
|
+#endif
|
||||||
+ return NULL; \
|
+
|
||||||
+ } \
|
+#if !defined(DH_get_prime)
|
||||||
+ return dh; \
|
+ BIGNUM *
|
||||||
|
+ DH_get_prime(int bits)
|
||||||
|
+ {
|
||||||
|
+ switch (bits) {
|
||||||
|
+ case 768: return get_rfc2409_prime_768(NULL);
|
||||||
|
+ case 1024: return get_rfc2409_prime_1024(NULL);
|
||||||
|
+ case 1536: return get_rfc3526_prime_1536(NULL);
|
||||||
|
+ case 2048: return get_rfc3526_prime_2048(NULL);
|
||||||
|
+ case 3072: return get_rfc3526_prime_3072(NULL);
|
||||||
|
+ case 4096: return get_rfc3526_prime_4096(NULL);
|
||||||
|
+ case 6144: return get_rfc3526_prime_6144(NULL);
|
||||||
|
+ case 8192: return get_rfc3526_prime_8192(NULL);
|
||||||
|
+ // shouldn't happen when used match_dh_bits; strict compiler
|
||||||
|
+ default: return NULL;
|
||||||
+ }
|
+ }
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
+
|
+
|
||||||
+// Prepare DH parameters from 768 to 8192 bits
|
+#if !defined(DH_get_dh)
|
||||||
+make_get_dh(rfc2409, 768)
|
+ // Grab DH parameters
|
||||||
+make_get_dh(rfc2409, 1024)
|
+ DH *
|
||||||
+make_get_dh(rfc3526, 1536)
|
+ DH_get_dh(int size)
|
||||||
+make_get_dh(rfc3526, 2048)
|
+ {
|
||||||
+make_get_dh(rfc3526, 3072)
|
+ DH *dh = DH_new();
|
||||||
+make_get_dh(rfc3526, 4096)
|
+ if (!dh) {
|
||||||
+make_get_dh(rfc3526, 6144)
|
+ return NULL;
|
||||||
+make_get_dh(rfc3526, 8192)
|
+ }
|
||||||
+
|
+ dh->p = DH_get_prime(match_dh_bits(size));
|
||||||
|
+ BN_dec2bn(&dh->g, "2");
|
||||||
|
+ if (!dh->p || !dh->g)
|
||||||
|
+ {
|
||||||
|
+ DH_free(dh);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+ return dh;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
+
|
+
|
||||||
void
|
void
|
||||||
ssl_init(struct vsf_session* p_sess)
|
ssl_init(struct vsf_session* p_sess)
|
||||||
{
|
{
|
||||||
@@ -156,6 +189,9 @@ ssl_init(struct vsf_session* p_sess)
|
@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
|
||||||
|
{
|
||||||
|
die("SSL: could not allocate SSL context");
|
||||||
|
}
|
||||||
|
- options = SSL_OP_ALL;
|
||||||
|
+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
|
||||||
|
if (!tunable_sslv2)
|
||||||
|
{
|
||||||
|
options |= SSL_OP_NO_SSLv2;
|
||||||
|
@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess)
|
||||||
|
die("SSL: cannot load DSA private key");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ if (tunable_dh_param_file)
|
||||||
|
+ {
|
||||||
|
+ BIO *bio;
|
||||||
|
+ DH *dhparams = NULL;
|
||||||
|
+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
|
||||||
|
+ {
|
||||||
|
+ die("SSL: cannot load custom DH params");
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||||
|
+ BIO_free(bio);
|
||||||
|
+
|
||||||
|
+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams))
|
||||||
|
+ {
|
||||||
|
+ die("SSL: setting custom DH params failed");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
if (tunable_ssl_ciphers &&
|
||||||
|
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
|
||||||
|
{
|
||||||
|
@@ -156,6 +232,9 @@ ssl_init(struct vsf_session* p_sess)
|
||||||
/* Ensure cached session doesn't expire */
|
/* Ensure cached session doesn't expire */
|
||||||
SSL_CTX_set_timeout(p_ctx, INT_MAX);
|
SSL_CTX_set_timeout(p_ctx, INT_MAX);
|
||||||
}
|
}
|
||||||
@ -65,7 +135,7 @@ diff -up vsftpd-3.0.2/ssl.c.dh vsftpd-3.0.2/ssl.c
|
|||||||
p_sess->p_ssl_ctx = p_ctx;
|
p_sess->p_ssl_ctx = p_ctx;
|
||||||
ssl_inited = 1;
|
ssl_inited = 1;
|
||||||
}
|
}
|
||||||
@@ -675,6 +711,49 @@ ssl_verify_callback(int verify_ok, X509_
|
@@ -675,6 +754,18 @@ ssl_verify_callback(int verify_ok, X509_
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -74,44 +144,59 @@ diff -up vsftpd-3.0.2/ssl.c.dh vsftpd-3.0.2/ssl.c
|
|||||||
+static DH *
|
+static DH *
|
||||||
+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
||||||
+{
|
+{
|
||||||
+ DH *dh_tmp=NULL;
|
|
||||||
+
|
|
||||||
+ // strict compiler bypassing
|
+ // strict compiler bypassing
|
||||||
+ UNUSED(ssl);
|
+ UNUSED(ssl);
|
||||||
+ UNUSED(is_export);
|
+ UNUSED(is_export);
|
||||||
+
|
+
|
||||||
+ switch (keylength) {
|
+ return DH_get_dh(keylength);
|
||||||
+ case 768:
|
|
||||||
+ dh_tmp = get_dh768();
|
|
||||||
+ break;
|
|
||||||
+ case 1024:
|
|
||||||
+ dh_tmp = get_dh1024();
|
|
||||||
+ break;
|
|
||||||
+ case 1536:
|
|
||||||
+ dh_tmp = get_dh1536();
|
|
||||||
+ break;
|
|
||||||
+ case 2048:
|
|
||||||
+ dh_tmp = get_dh2048();
|
|
||||||
+ break;
|
|
||||||
+ case 3072:
|
|
||||||
+ dh_tmp = get_dh3072();
|
|
||||||
+ break;
|
|
||||||
+ case 4096:
|
|
||||||
+ dh_tmp = get_dh4096();
|
|
||||||
+ break;
|
|
||||||
+ case 6144:
|
|
||||||
+ dh_tmp = get_dh6144();
|
|
||||||
+ break;
|
|
||||||
+ case 8192:
|
|
||||||
+ dh_tmp = get_dh8192();
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ dh_tmp = get_dh1024();
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ return dh_tmp;
|
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
void
|
void
|
||||||
ssl_add_entropy(struct vsf_session* p_sess)
|
ssl_add_entropy(struct vsf_session* p_sess)
|
||||||
{
|
{
|
||||||
|
diff -up vsftpd-3.0.2/tunables.c.dh vsftpd-3.0.2/tunables.c
|
||||||
|
--- vsftpd-3.0.2/tunables.c.dh 2014-06-04 09:54:43.364747051 +0200
|
||||||
|
+++ vsftpd-3.0.2/tunables.c 2014-06-04 09:54:43.369747052 +0200
|
||||||
|
@@ -140,6 +140,7 @@ const char* tunable_user_sub_token;
|
||||||
|
const char* tunable_email_password_file;
|
||||||
|
const char* tunable_rsa_cert_file;
|
||||||
|
const char* tunable_dsa_cert_file;
|
||||||
|
+const char* tunable_dh_param_file;
|
||||||
|
const char* tunable_ssl_ciphers;
|
||||||
|
const char* tunable_rsa_private_key_file;
|
||||||
|
const char* tunable_dsa_private_key_file;
|
||||||
|
@@ -288,6 +289,7 @@ tunables_load_defaults()
|
||||||
|
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
|
||||||
|
&tunable_rsa_cert_file);
|
||||||
|
install_str_setting(0, &tunable_dsa_cert_file);
|
||||||
|
+ install_str_setting(0, &tunable_dh_param_file);
|
||||||
|
install_str_setting("AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers);
|
||||||
|
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||||
|
install_str_setting(0, &tunable_dsa_private_key_file);
|
||||||
|
diff -up vsftpd-3.0.2/tunables.h.dh vsftpd-3.0.2/tunables.h
|
||||||
|
--- vsftpd-3.0.2/tunables.h.dh 2014-06-04 09:54:43.364747051 +0200
|
||||||
|
+++ vsftpd-3.0.2/tunables.h 2014-06-04 09:54:43.369747052 +0200
|
||||||
|
@@ -142,6 +142,7 @@ extern const char* tunable_user_sub_toke
|
||||||
|
extern const char* tunable_email_password_file;
|
||||||
|
extern const char* tunable_rsa_cert_file;
|
||||||
|
extern const char* tunable_dsa_cert_file;
|
||||||
|
+extern const char* tunable_dh_param_file;
|
||||||
|
extern const char* tunable_ssl_ciphers;
|
||||||
|
extern const char* tunable_rsa_private_key_file;
|
||||||
|
extern const char* tunable_dsa_private_key_file;
|
||||||
|
diff -up vsftpd-3.0.2/vsftpd.conf.5.dh vsftpd-3.0.2/vsftpd.conf.5
|
||||||
|
--- vsftpd-3.0.2/vsftpd.conf.5.dh 2014-06-04 09:54:43.364747051 +0200
|
||||||
|
+++ vsftpd-3.0.2/vsftpd.conf.5 2014-06-04 09:54:43.369747052 +0200
|
||||||
|
@@ -893,6 +893,12 @@ to be in the same file as the certificat
|
||||||
|
|
||||||
|
Default: (none)
|
||||||
|
.TP
|
||||||
|
+.B dh_param_file
|
||||||
|
+This option specifies the location of the custom parameters used for
|
||||||
|
+ephemeral Diffie-Hellman key exchange in SSL.
|
||||||
|
+
|
||||||
|
+Default: (none - use built in parameters appropriate for certificate key size)
|
||||||
|
+.TP
|
||||||
|
.B email_password_file
|
||||||
|
This option can be used to provide an alternate file for usage by the
|
||||||
|
.BR secure_email_list_enable
|
||||||
|
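--- /dev/null
+++ b/vsftpd-3.0.2-docupd.patch
@@ -0,0 +1,48 @@
+diff -up vsftpd-3.0.2/vsftpd.conf.5.docupd vsftpd-3.0.2/vsftpd.conf.5
+--- vsftpd-3.0.2/vsftpd.conf.5.docupd 2014-06-05 09:47:27.987876849 +0200
++++ vsftpd-3.0.2/vsftpd.conf.5 2014-06-05 09:47:27.989876848 +0200
+@@ -652,6 +652,21 @@ change it with the setting
+.BR xferlog_file .
+
+Default: NO
++.TP
++.B isolate_network
++If enabled, use CLONE_NEWNET to isolate the untrusted processes so that
++they can't do arbitrary connect() and instead have to ask the privileged
++process for sockets (
++.BR port_promiscuous
++have to be disabled).
++
++Default: YES
++.TP
++.B isolate
++If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their
++ipc and pid namespaces. So separated processes can not interact with each other.
++
++Default: YES
+
+.SH NUMERIC OPTIONS
+Below is a list of numeric options. A numeric option must be set to a non
+@@ -749,8 +764,9 @@ Default: 077
+.B max_clients
+If vsftpd is in standalone mode, this is the maximum number of clients which
+may be connected. Any additional clients connecting will get an error message.
++The value 0 switches off the limit.
+
+-Default: 0 (unlimited)
++Default: 2000
+.TP
+.B max_login_fails
+After this many login failures, the session is killed.
+@@ -760,9 +776,9 @@ Default: 3
+.B max_per_ip
+If vsftpd is in standalone mode, this is the maximum number of clients which
+may be connected from the same source internet address. A client will get an
+-error message if they go over this limit.
++error message if they go over this limit. The value 0 switches off the limit.
+
+-Default: 0 (unlimited)
++Default: 50
+.TP
+.B pasv_max_port
+The maximum port to allocate for PASV style data connections. Can be used to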
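--- /dev/null
+++ b/vsftpd-3.0.2-ecdh.patch
@@ -0,0 +1,113 @@
+diff -up vsftpd-3.0.2/parseconf.c.ecdh vsftpd-3.0.2/parseconf.c
+--- vsftpd-3.0.2/parseconf.c.ecdh 2014-06-04 09:56:56.358788746 +0200
++++ vsftpd-3.0.2/parseconf.c 2014-06-04 09:56:56.360788747 +0200
+@@ -177,6 +177,7 @@ parseconf_str_array[] =
+{ "rsa_cert_file", &tunable_rsa_cert_file },
+{ "dsa_cert_file", &tunable_dsa_cert_file },
+{ "dh_param_file", &tunable_dh_param_file },
++ { "ecdh_param_file", &tunable_ecdh_param_file },
+{ "ssl_ciphers", &tunable_ssl_ciphers },
+{ "rsa_private_key_file", &tunable_rsa_private_key_file },
+{ "dsa_private_key_file", &tunable_dsa_private_key_file },
+diff -up vsftpd-3.0.2/ssl.c.ecdh vsftpd-3.0.2/ssl.c
+--- vsftpd-3.0.2/ssl.c.ecdh 2014-06-04 09:56:56.358788746 +0200
++++ vsftpd-3.0.2/ssl.c 2014-06-04 09:56:56.360788747 +0200
+@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
+{
+die("SSL: could not allocate SSL context");
+}
+- options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
++ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
+if (!tunable_sslv2)
+{
+options |= SSL_OP_NO_SSLv2;
+@@ -235,6 +235,41 @@ ssl_init(struct vsf_session* p_sess)
+
+SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+
++ if (tunable_ecdh_param_file)
++ {
++ BIO *bio;
++ int nid;
++ EC_GROUP *ecparams = NULL;
++ EC_KEY *eckey;
++
++ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
++ die("SSL: cannot load custom ec params");
++ else
++ {
++ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
++ BIO_free(bio);
++
++ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) &&
++ (eckey = EC_KEY_new_by_curve_name(nid)))
++ {
++ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
++ die("SSL: setting custom EC params failed");
++ }
++ else
++ {
++ die("SSL: getting ec group or key failed");
++ }
++ }
++ }
++ else
++ {
++#if defined(SSL_CTX_set_ecdh_auto)
++ SSL_CTX_set_ecdh_auto(p_ctx, 1);
++#else
++ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
++#endif
++ }
++
+p_sess->p_ssl_ctx = p_ctx;
+ssl_inited = 1;
+}
+diff -up vsftpd-3.0.2/tunables.c.ecdh vsftpd-3.0.2/tunables.c
+--- vsftpd-3.0.2/tunables.c.ecdh 2014-06-04 09:56:56.358788746 +0200
++++ vsftpd-3.0.2/tunables.c 2014-06-04 09:56:56.361788747 +0200
+@@ -141,6 +141,7 @@ const char* tunable_email_password_file;
+const char* tunable_rsa_cert_file;
+const char* tunable_dsa_cert_file;
+const char* tunable_dh_param_file;
++const char* tunable_ecdh_param_file;
+const char* tunable_ssl_ciphers;
+const char* tunable_rsa_private_key_file;
+const char* tunable_dsa_private_key_file;
+@@ -290,6 +291,7 @@ tunables_load_defaults()
+&tunable_rsa_cert_file);
+install_str_setting(0, &tunable_dsa_cert_file);
+install_str_setting(0, &tunable_dh_param_file);
++ install_str_setting(0, &tunable_ecdh_param_file);
+install_str_setting("AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers);
+install_str_setting(0, &tunable_rsa_private_key_file);
+install_str_setting(0, &tunable_dsa_private_key_file);
+diff -up vsftpd-3.0.2/tunables.h.ecdh vsftpd-3.0.2/tunables.h
+--- vsftpd-3.0.2/tunables.h.ecdh 2014-06-04 09:56:56.359788746 +0200
++++ vsftpd-3.0.2/tunables.h 2014-06-04 09:56:56.361788747 +0200
+@@ -143,6 +143,7 @@ extern const char* tunable_email_passwor
+extern const char* tunable_rsa_cert_file;
+extern const char* tunable_dsa_cert_file;
+extern const char* tunable_dh_param_file;
++extern const char* tunable_ecdh_param_file;
+extern const char* tunable_ssl_ciphers;
+extern const char* tunable_rsa_private_key_file;
+extern const char* tunable_dsa_private_key_file;
+diff -up vsftpd-3.0.2/vsftpd.conf.5.ecdh vsftpd-3.0.2/vsftpd.conf.5
+--- vsftpd-3.0.2/vsftpd.conf.5.ecdh 2014-06-04 09:56:56.359788746 +0200
++++ vsftpd-3.0.2/vsftpd.conf.5 2014-06-04 09:56:56.361788747 +0200
+@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in
+
+Default: (none - use built in parameters appropriate for certificate key size)
+.TP
++.B ecdh_param_file
++This option specifies the location of custom parameters for ephemeral
++Elliptic Curve Diffie-Hellman (ECDH) key exchange.
++
++Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and
++automatically selected curve based on client preferences with OpenSSL 1.0.2
++and later)
++.TP
+.B email_password_file
+This option can be used to provide an alternate file for usage by the
+.BR secure_email_list_enable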
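Review bot: In the custom-parameter branch of ssl_init, `eckey` and `ecparams` are never released — `SSL_CTX_set_tmp_ecdh` stores its own copy of the key, so both the `EC_KEY` and the `EC_GROUP` returned by `PEM_read_bio_ECPKParameters` leak — and the fallback `SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1))` also leaks its key, never checks for a NULL allocation and ignores the return value, so the server would come up without an ECDHE key and no diagnostic if either call failed. Since ssl_init appears to run once per process (it sets ssl_inited), the leaks are bounded; the unchecked fallback is the part worth fixing, as sketched below. `EC_GROUP_get_curve_name` yields 0 for explicitly encoded (non-named) curve parameters, so such a file is refused with "getting ec group or key failed"; the new ecdh_param_file man entry should state that only named curves are accepted. ssl_init starts outside this hunk; its closing brace is the hunk's last line.
```c
      if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
        die("SSL: setting custom EC params failed");
      EC_KEY_free(eckey);   /* SSL_CTX_set_tmp_ecdh keeps its own copy */
    }
    /* … unchanged: else { die("SSL: getting ec group or key failed"); } … */
    EC_GROUP_free(ecparams);
  }
}
else
{
#if defined(SSL_CTX_set_ecdh_auto)
  SSL_CTX_set_ecdh_auto(p_ctx, 1);
#else
  EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  if (!eckey || !SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
  {
    die("SSL: setting default EC params failed");
  }
  EC_KEY_free(eckey);
#endif
}
```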
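--- /dev/null
+++ b/vsftpd-3.0.2-rc450.patch
@@ -0,0 +1,56 @@
+diff -up vsftpd-3.0.2/ftpcodes.h.rc450 vsftpd-3.0.2/ftpcodes.h
+--- vsftpd-3.0.2/ftpcodes.h.rc450 2008-02-12 01:30:46.000000000 +0100
++++ vsftpd-3.0.2/ftpcodes.h 2014-06-18 13:41:02.238821708 +0200
+@@ -52,6 +52,7 @@
+#define FTP_TLS_FAIL 421
+#define FTP_BADSENDCONN 425
+#define FTP_BADSENDNET 426
++#define FTP_FILETMPFAIL 450
+#define FTP_BADSENDFILE 451
+
+#define FTP_BADCMD 500
+diff -up vsftpd-3.0.2/postlogin.c.rc450 vsftpd-3.0.2/postlogin.c
+--- vsftpd-3.0.2/postlogin.c.rc450 2012-09-18 11:59:37.000000000 +0200
++++ vsftpd-3.0.2/postlogin.c 2014-06-18 13:41:02.238821708 +0200
+@@ -670,7 +670,14 @@ handle_retr(struct vsf_session* p_sess,
+opened_file = str_open(&p_sess->ftp_arg_str, kVSFSysStrOpenReadOnly);
+if (vsf_sysutil_retval_is_error(opened_file))
+{
+- vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file.");
++ if (kVSFSysUtilErrAGAIN == vsf_sysutil_get_error())
++ {
++ vsf_cmdio_write(p_sess, FTP_FILETMPFAIL, "Temporarily failed to open file");
++ }
++ else
++ {
++ vsf_cmdio_write(p_sess, FTP_FILEFAIL, "Failed to open file.");
++ }
+return;
+}
+/* Lock file if required */
+diff -up vsftpd-3.0.2/sysutil.c.rc450 vsftpd-3.0.2/sysutil.c
+--- vsftpd-3.0.2/sysutil.c.rc450 2014-06-18 13:41:02.231821807 +0200
++++ vsftpd-3.0.2/sysutil.c 2014-06-18 13:41:02.238821708 +0200
+@@ -1632,6 +1632,9 @@ vsf_sysutil_get_error(void)
+case ENOENT:
+retval = kVSFSysUtilErrNOENT;
+break;
++ case EAGAIN:
++ retval = kVSFSysUtilErrAGAIN;
++ break;
+default:
+break;
+}
+diff -up vsftpd-3.0.2/sysutil.h.rc450 vsftpd-3.0.2/sysutil.h
+--- vsftpd-3.0.2/sysutil.h.rc450 2014-06-18 13:41:02.231821807 +0200
++++ vsftpd-3.0.2/sysutil.h 2014-06-18 13:41:02.239821694 +0200
+@@ -18,7 +18,8 @@ enum EVSFSysUtilError
+kVSFSysUtilErrINVAL,
+kVSFSysUtilErrOPNOTSUPP,
+kVSFSysUtilErrACCES,
+- kVSFSysUtilErrNOENT
++ kVSFSysUtilErrNOENT,
++ kVSFSysUtilErrAGAIN
+};
+enum EVSFSysUtilError vsf_sysutil_get_error(void);
+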
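Review bot: The new 450 reply text `"Temporarily failed to open file"` drops the trailing period that the sibling `"Failed to open file."` reply in the same branch of handle_retr keeps, so the two responses are inconsistent; I'd make it `"Temporarily failed to open file."`. The `kVSFSysUtilErrAGAIN == vsf_sysutil_get_error()` test also relies on errno still holding the value set by `str_open` after `vsf_sysutil_retval_is_error()` has run, which looks right but is worth recording with a comment such as `/* errno from str_open must survive retval_is_error() */`. A one-line comment on the new `FTP_FILETMPFAIL` define in ftpcodes.h, e.g. `/* RFC 959 450: file unavailable (e.g. busy), client may retry */`, would explain why EAGAIN is mapped to a transient code rather than 550. handle_retr begins and ends outside the hunk.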
15
vsftpd.spec
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
Name: vsftpd
|
Name: vsftpd
|
||||||
Version: 3.0.2
|
Version: 3.0.2
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
Summary: Very Secure Ftp Daemon
|
Summary: Very Secure Ftp Daemon
|
||||||
|
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -62,6 +62,9 @@ Patch25: vsftpd-3.0.0-logrotate.patch
|
|||||||
Patch26: vsftpd-3.0.2-lookup.patch
|
Patch26: vsftpd-3.0.2-lookup.patch
|
||||||
Patch27: vsftpd-3.0.2-uint-uidgid.patch
|
Patch27: vsftpd-3.0.2-uint-uidgid.patch
|
||||||
Patch28: vsftpd-3.0.2-dh.patch
|
Patch28: vsftpd-3.0.2-dh.patch
|
||||||
|
Patch29: vsftpd-3.0.2-ecdh.patch
|
||||||
|
Patch30: vsftpd-3.0.2-docupd.patch
|
||||||
|
Patch31: vsftpd-3.0.2-rc450.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
vsftpd is a Very Secure FTP daemon. It was written completely from
|
vsftpd is a Very Secure FTP daemon. It was written completely from
|
||||||
@ -95,6 +98,9 @@ cp %{SOURCE1} .
|
|||||||
%patch26 -p1 -b .lookup
|
%patch26 -p1 -b .lookup
|
||||||
%patch27 -p1 -b .uint-uidgid
|
%patch27 -p1 -b .uint-uidgid
|
||||||
%patch28 -p1 -b .dh
|
%patch28 -p1 -b .dh
|
||||||
|
%patch29 -p1 -b .ecdh
|
||||||
|
%patch30 -p1 -b .docupd
|
||||||
|
%patch31 -p1 -b .rc450
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%ifarch s390x sparcv9 sparc64
|
%ifarch s390x sparcv9 sparc64
|
||||||
@ -161,6 +167,13 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_var}/ftp
|
%{_var}/ftp
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jun 18 2014 Jiri Skala <jskala@redhat.com> - 3.0.2-10
|
||||||
|
- improves DH cipher
|
||||||
|
- implements ECDH cipher
|
||||||
|
- adds isolate* options to man vsftpd.conf
|
||||||
|
- corrects max_clients, max_per_ip default values in man vsftd.conf
|
||||||
|
- adds return code 450 when a file is temporarily unavailable
|
||||||
|
|
||||||
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0.2-9
|
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0.2-9
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|