Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled

Resolves: RHEL-54726
2024-08-20 09:13:08 +02:00 · 2024-08-20 09:13:08 +02:00 · 77de9f2209
commit 77de9f2209
parent 9b9e8d5b77
4 changed files with 7 additions and 211 deletions
--- a/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
+++ b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
@ -1,153 +0,0 @@
-From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
-From: Martin Sehnoutka <msehnout@redhat.com>
-Date: Thu, 17 Nov 2016 13:36:17 +0100
-Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options.
-
-Users can now enable a specific version of TLS protocol.
---
- parseconf.c   |  2 ++
- ssl.c         |  8 ++++++++
- tunables.c    |  9 +++++++--
- tunables.h    |  2 ++
- vsftpd.conf.5 | 24 ++++++++++++++++++++----
- 5 files changed, 39 insertions(+), 6 deletions(-)
-
-diff --git a/parseconf.c b/parseconf.c
-index a2c715b..33a1349 100644
--- a/parseconf.c
-+++ b/parseconf.c
-@@ -85,6 +85,8 @@ parseconf_bool_array[] =
-   { "ssl_sslv2", &tunable_sslv2 },
-   { "ssl_sslv3", &tunable_sslv3 },
-   { "ssl_tlsv1", &tunable_tlsv1 },
-+  { "ssl_tlsv1_1", &tunable_tlsv1_1 },
-+  { "ssl_tlsv1_2", &tunable_tlsv1_2 },
-   { "tilde_user_enable", &tunable_tilde_user_enable },
-   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
-   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
-diff --git a/ssl.c b/ssl.c
-index 96bf8ad..ba8a613 100644
--- a/ssl.c
-+++ b/ssl.c
-@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)
-     {
-       options |= SSL_OP_NO_TLSv1;
-     }
-+    if (!tunable_tlsv1_1)
-+    {
-+      options |= SSL_OP_NO_TLSv1_1;
-+    }
-+    if (!tunable_tlsv1_2)
-+    {
-+      options |= SSL_OP_NO_TLSv1_2;
-+    }
-     SSL_CTX_set_options(p_ctx, options);
-     if (tunable_rsa_cert_file)
-     {
-diff --git a/tunables.c b/tunables.c
-index 93f85b1..78f2bcd 100644
--- a/tunables.c
-+++ b/tunables.c
-@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
- int tunable_sslv2;
- int tunable_sslv3;
- int tunable_tlsv1;
-+int tunable_tlsv1_1;
-+int tunable_tlsv1_2;
- int tunable_tilde_user_enable;
- int tunable_force_anon_logins_ssl;
- int tunable_force_anon_data_ssl;
-@@ -209,7 +211,10 @@ tunables_load_defaults()
-   tunable_force_local_data_ssl = 1;
-   tunable_sslv2 = 0;
-   tunable_sslv3 = 0;
-+  /* TLSv1 up to TLSv1.2 is enabled by default */
-   tunable_tlsv1 = 1;
-+  tunable_tlsv1_1 = 1;
-+  tunable_tlsv1_2 = 1;
-   tunable_tilde_user_enable = 0;
-   tunable_force_anon_logins_ssl = 0;
-   tunable_force_anon_data_ssl = 0;
-@@ -292,8 +297,8 @@ tunables_load_defaults()
-   install_str_setting(0, &tunable_dsa_cert_file);
-   install_str_setting(0, &tunable_dh_param_file);
-   install_str_setting(0, &tunable_ecdh_param_file);
-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
-                      &tunable_ssl_ciphers);
-+  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
-+          &tunable_ssl_ciphers);
-   install_str_setting(0, &tunable_rsa_private_key_file);
-   install_str_setting(0, &tunable_dsa_private_key_file);
-   install_str_setting(0, &tunable_ca_certs_file);
-diff --git a/tunables.h b/tunables.h
-index 3e2d40c..a466427 100644
--- a/tunables.h
-+++ b/tunables.h
-@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl;      /* Require local data uses SSL */
- extern int tunable_sslv2;                     /* Allow SSLv2 */
- extern int tunable_sslv3;                     /* Allow SSLv3 */
- extern int tunable_tlsv1;                     /* Allow TLSv1 */
-+extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
-+extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
- extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
- extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
- extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index cf1ae34..a3d569e 100644
--- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -506,7 +506,7 @@ Default: YES
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit SSL v2 protocol connections.
-TLS v1 connections are preferred.
-+TLS v1.2 connections are preferred.
- 
- Default: NO
- .TP
-@@ -514,7 +514,7 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit SSL v3 protocol connections.
-TLS v1 connections are preferred.
-+TLS v1.2 connections are preferred.
- 
- Default: NO
- .TP
-@@ -522,7 +522,23 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit TLS v1 protocol connections.
-TLS v1 connections are preferred.
-+TLS v1.2 connections are preferred.
-+
-+Default: YES
-+.TP
-+.B ssl_tlsv1_1
-+Only applies if
-+.BR ssl_enable
-+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
-+TLS v1.2 connections are preferred.
-+
-+Default: YES
-+.TP
-+.B ssl_tlsv1_2
-+Only applies if
-+.BR ssl_enable
-+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
-+TLS v1.2 connections are preferred.
- 
- Default: YES
- .TP
-@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful
- security precaution as it prevents malicious remote parties forcing a cipher
- which they have found problems with.
- 
-Default: DES-CBC3-SHA
-+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
- .TP
- .B user_config_dir
- This powerful option allows the override of any config option specified in
-- 
-2.14.4
-
--- a/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+++ b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
@ -23,7 +23,7 @@ index 1212980..d024366 100644
       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
     }
 -    if (tunable_tlsv1)
-+    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
+    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
     {
       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
     }
--- a/0043-Enable-only-TLSv1.2-by-default.patch
+++ b/0043-Enable-only-TLSv1.2-by-default.patch
@ -1,53 +0,0 @@
-From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Thu, 21 Dec 2017 16:38:40 +0100
-Subject: [PATCH 43/59] Enable only TLSv1.2 by default
-
-Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.
---
- tunables.c    | 6 +++---
- vsftpd.conf.5 | 4 ++--
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/tunables.c b/tunables.c
-index 354251c..9680528 100644
--- a/tunables.c
-+++ b/tunables.c
-@@ -211,9 +211,9 @@ tunables_load_defaults()
-   tunable_force_local_data_ssl = 1;
-   tunable_sslv2 = 0;
-   tunable_sslv3 = 0;
-  /* TLSv1 up to TLSv1.2 is enabled by default */
-  tunable_tlsv1 = 1;
-  tunable_tlsv1_1 = 1;
-+  tunable_tlsv1 = 0;
-+  tunable_tlsv1_1 = 0;
-+  /* Only TLSv1.2 is enabled by default */
-   tunable_tlsv1_2 = 1;
-   tunable_tilde_user_enable = 0;
-   tunable_force_anon_logins_ssl = 0;
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 2a7662e..df14027 100644
--- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -539,7 +539,7 @@ Only applies if
- is activated. If enabled, this option will permit TLS v1 protocol connections.
- TLS v1.2 connections are preferred.
- 
-Default: YES
-+Default: NO
- .TP
- .B ssl_tlsv1_1
- Only applies if
-@@ -547,7 +547,7 @@ Only applies if
- is activated. If enabled, this option will permit TLS v1.1 protocol connections.
- TLS v1.2 connections are preferred.
- 
-Default: YES
-+Default: NO
- .TP
- .B ssl_tlsv1_2
- Only applies if
-- 
-2.14.4
-
--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -2,7 +2,7 @@

 Name:    vsftpd
 Version: 3.0.5
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Very Secure Ftp Daemon

 # OpenSSL link exception
@ -61,7 +61,6 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
 Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
 Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
 Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
-#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
 Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
 Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
@ -69,8 +68,7 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
 Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
 Patch40: 0040-Use-system-wide-crypto-policy.patch
 Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
-#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
-#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
+Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
 Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
 Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
 Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@ -170,6 +168,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp

 %changelog
+* Tue Aug 20 2024 Tomas Korbar <tkorbar@redhat.com> - 3.0.5-8
+- Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled
+- Resolves: RHEL-54726
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.0.5-7
 - Bump release for June 2024 mass rebuild