rpms/vsftpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Adjust opinionated use of cryptography

Browse Source 
Adhere to crypto-policies when restricting
TLS 1.3 ciphersuites by default.

When using DH, let OpenSSL set up its params
automatically by default.

When using ephemeral ECDH, allow all supported
curves. Deprecate the `ecdh_param_file` config
option which is broken since the transition to
OpenSSL 3.0.

Also remove old unused patches.

Resolves: RHEL-99533
This commit is contained in:
Pavol Žáčik 2025-07-09 15:04:48 +02:00
parent 43b81dd9a0
commit ca207c8895
No known key found for this signature in database
GPG Key ID: 4EE16C6E333F70A8
11 changed files with 183 additions and 783 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
0021-Follow-crypto-policies-for-ssl-ciphers.patch Normal file
View File

@ -0,0 +1,39 @@
diff --git a/tunables.c b/tunables.c
--- a/tunables.c
+++ b/tunables.c
@@ -295,7 +295,7 @@
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1030,14 +1030,16 @@
Default: /usr/share/empty
.TP
.B ssl_ciphers
-This option can be used to select which SSL ciphers vsftpd will allow for
-encrypted SSL connections. See the
-.BR ciphers
+This option can be used to select which TLS ciphers vsftpd will allow for
+encrypted TLS connections. See the
+.BR openssl-ciphers
-man page for further details. Note that restricting ciphers can be a useful
-security precaution as it prevents malicious remote parties forcing a cipher
-which they have found problems with.
+man page for further details.
+
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
-Default: DES-CBC3-SHA
+Default: (none - system-wide crypto policy is followed)
.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the

164
0021-Introduce-support-for-DHE-based-cipher-suites.patch
View File

@ -1,164 +0,0 @@
From 4eac1dbb5f70a652d31847eec7c28d245f36cdbb Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 10:48:28 +0100
Subject: [PATCH 21/59] Introduce support for DHE based cipher suites.
---
parseconf.c | 1 +
ssl.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
tunables.c | 5 +++-
tunables.h | 1 +
vsftpd.conf.5 | 6 ++++
5 files changed, 104 insertions(+), 2 deletions(-)
diff --git a/parseconf.c b/parseconf.c
index 3e0dba4..38e3182 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -176,6 +176,7 @@ parseconf_str_array[] =
{ "email_password_file", &tunable_email_password_file },
{ "rsa_cert_file", &tunable_rsa_cert_file },
{ "dsa_cert_file", &tunable_dsa_cert_file },
+ { "dh_param_file", &tunable_dh_param_file },
{ "ssl_ciphers", &tunable_ssl_ciphers },
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
diff --git a/ssl.c b/ssl.c
index c362983..22b69b3 100644
--- a/ssl.c
+++ b/ssl.c
@@ -28,6 +28,8 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/param_build.h>
#include <errno.h>
#include <limits.h>
@@ -58,6 +60,23 @@
static int ssl_inited;
static struct mystr debug_str;
+EVP_PKEY *
+DH_get_dh()
+{
+ OSSL_PARAM dh_params[2];
+ EVP_PKEY *dh_key = NULL;
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+
+ dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
+ dh_params[1] = OSSL_PARAM_construct_end();
+
+ if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0)
+ return NULL;
+ EVP_PKEY_generate(pctx, &dh_key);
+ EVP_PKEY_CTX_free(pctx);
+ return dh_key;
+}
+
void
ssl_init(struct vsf_session* p_sess)
{
@@ -72,7 +89,7 @@
{
die("SSL: could not allocate SSL context");
}
- options = SSL_OP_ALL;
+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
if (!tunable_sslv2)
{
options |= SSL_OP_NO_SSLv2;
@@ -149,8 +166,27 @@
die("SSL: cannot load DSA private key");
}
}
+ if (tunable_dh_param_file)
+ {
+ BIO *bio;
+ EVP_PKEY *dh_params = NULL;
+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
+ {
+ die("SSL: cannot load custom DH params");
+ }
+ else
+ {
+ dh_params = PEM_read_bio_Parameters(bio, NULL);
+ BIO_free(bio);
+
+ if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))
+ {
+ die("SSL: setting custom DH params failed");
+ }
+ }
+ }
if (tunable_ssl_ciphers &&
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
{
die("SSL: could not set cipher list");
}
@@ -184,6 +226,9 @@
/* Ensure cached session doesn't expire */
SSL_CTX_set_timeout(p_ctx, INT_MAX);
}
+
+ SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
+
/* Set up ALPN to check for FTP protocol intention of client. */
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
/* Set up SNI callback for an optional hostname check. */
diff --git a/tunables.c b/tunables.c
index c737465..1ea7227 100644
--- a/tunables.c
+++ b/tunables.c
@@ -140,6 +140,7 @@ const char* tunable_user_sub_token;
const char* tunable_email_password_file;
const char* tunable_rsa_cert_file;
const char* tunable_dsa_cert_file;
+const char* tunable_dh_param_file;
const char* tunable_ssl_ciphers;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
@@ -288,7 +289,9 @@ tunables_load_defaults()
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
+ install_str_setting(0, &tunable_dh_param_file);
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",
+ &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
diff --git a/tunables.h b/tunables.h
index 9553038..3995472 100644
--- a/tunables.h
+++ b/tunables.h
@@ -142,6 +142,7 @@ extern const char* tunable_user_sub_token;
extern const char* tunable_email_password_file;
extern const char* tunable_rsa_cert_file;
extern const char* tunable_dsa_cert_file;
+extern const char* tunable_dh_param_file;
extern const char* tunable_ssl_ciphers;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index fb6324e..ff94eca 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -893,6 +893,12 @@ to be in the same file as the certificate.
Default: (none)
.TP
+.B dh_param_file
+This option specifies the location of the custom parameters used for
+ephemeral Diffie-Hellman key exchange in SSL.
+
+Default: (none - use built in parameters appropriate for certificate key size)
+.TP
.B email_password_file
This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
--
2.14.4

135
0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch Normal file
View File

@ -0,0 +1,135 @@
diff --git a/parseconf.c b/parseconf.c
--- a/parseconf.c
+++ b/parseconf.c
@@ -180,6 +180,9 @@ parseconf_str_array[] =
{ "email_password_file", &tunable_email_password_file },
{ "rsa_cert_file", &tunable_rsa_cert_file },
{ "dsa_cert_file", &tunable_dsa_cert_file },
+ { "dh_param_file", &tunable_dh_param_file },
+ { "ecdh_param_file", &tunable_ecdh_param_file },
+ { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
{ "ssl_ciphers", &tunable_ssl_ciphers },
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
diff --git a/ssl.c b/ssl.c
--- a/ssl.c
+++ b/ssl.c
@@ -130,6 +130,30 @@ ssl_init(struct vsf_session* p_sess)
die("SSL: cannot load DSA private key");
}
}
+ if (tunable_dh_param_file)
+ {
+ BIO *bio;
+ EVP_PKEY *dh_params = NULL;
+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
+ {
+ die("SSL: cannot load custom DH params");
+ }
+ dh_params = PEM_read_bio_Parameters(bio, NULL);
+ BIO_free(bio);
+ if (dh_params == NULL || !SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))
+ {
+ die("SSL: setting custom DH params failed");
+ }
+ }
+ else
+ {
+ SSL_CTX_set_dh_auto(p_ctx, 1);
+ }
+ if (tunable_ssl_ciphersuites &&
+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
+ {
+ die("SSL: could not set ciphersuites");
+ }
if (tunable_ssl_ciphers &&
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
{
@@ -139,15 +163,6 @@ ssl_init(struct vsf_session* p_sess)
{
die("SSL: RNG is not seeded");
}
- {
- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (key == NULL)
- {
- die("SSL: failed to get curve p256");
- }
- SSL_CTX_set_tmp_ecdh(p_ctx, key);
- EC_KEY_free(key);
- }
if (tunable_ssl_request_cert)
{
verify_option |= SSL_VERIFY_PEER;
diff --git a/tunables.c b/tunables.c
--- a/tunables.c
+++ b/tunables.c
@@ -143,6 +143,9 @@ const char* tunable_user_sub_token;
const char* tunable_email_password_file;
const char* tunable_rsa_cert_file;
const char* tunable_dsa_cert_file;
+const char* tunable_dh_param_file;
+const char* tunable_ecdh_param_file;
+const char* tunable_ssl_ciphersuites;
const char* tunable_ssl_ciphers;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
@@ -295,6 +298,9 @@ tunables_load_defaults()
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
+ install_str_setting(0, &tunable_dh_param_file);
+ install_str_setting(0, &tunable_ecdh_param_file);
+ install_str_setting(0, &tunable_ssl_ciphersuites);
install_str_setting(0, &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
diff --git a/tunables.h b/tunables.h
--- a/tunables.h
+++ b/tunables.h
@@ -145,6 +145,9 @@ extern const char* tunable_user_sub_token;
extern const char* tunable_email_password_file;
extern const char* tunable_rsa_cert_file;
extern const char* tunable_dsa_cert_file;
+extern const char* tunable_dh_param_file;
+extern const char* tunable_ecdh_param_file;
+extern const char* tunable_ssl_ciphersuites;
extern const char* tunable_ssl_ciphers;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1029,6 +1029,32 @@
Default: /usr/share/empty
.TP
+.B dh_param_file
+This option specifies the location of custom parameters used for
+ephemeral Diffie-Hellman key exchange in TLS.
+
+Default: (none - use built-in parameters appropriate for certificate key size)
+.TP
+.B ecdh_param_file
+This option specifies the location of custom curve parameters for ephemeral
+Elliptic Curve Diffie-Hellman (ECDH) key exchange in TLS.
+
+This option is deprecated and has no effect.
+
+Default: (none - enable all supported curve groups)
+.TP
+.B ssl_ciphersuites
+This option can be used to select which TLS ciphersuites vsftpd will allow for
+encrypted TLS connections with TLSv1.3. See the
+.BR openssl-ciphers
+man page for further details.
+
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
+
+Default: (none - system-wide crypto policy is followed)
+.TP
.B ssl_ciphers
This option can be used to select which TLS ciphers vsftpd will allow for
encrypted TLS connections. See the

128
0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
View File

@ -1,128 +0,0 @@
From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 10:49:22 +0100
Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites.
---
parseconf.c | 1 +
ssl.c | 37 ++++++++++++++++++++++++++++++++++++-
tunables.c | 4 +++-
tunables.h | 1 +
vsftpd.conf.5 | 8 ++++++++
5 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/parseconf.c b/parseconf.c
index 38e3182..a2c715b 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -177,6 +177,7 @@ parseconf_str_array[] =
{ "rsa_cert_file", &tunable_rsa_cert_file },
{ "dsa_cert_file", &tunable_dsa_cert_file },
{ "dh_param_file", &tunable_dh_param_file },
+ { "ecdh_param_file", &tunable_ecdh_param_file },
{ "ssl_ciphers", &tunable_ssl_ciphers },
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
diff --git a/ssl.c b/ssl.c
index 22b69b3..96bf8ad 100644
--- a/ssl.c
+++ b/ssl.c
@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
{
die("SSL: could not allocate SSL context");
}
- options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
if (!tunable_sslv2)
{
options |= SSL_OP_NO_SSLv2;
@@ -244,6 +244,33 @@
SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
+ if (tunable_ecdh_param_file)
+ {
+ BIO *bio;
+ EVP_PKEY *ec_params = NULL;
+
+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
+ die("SSL: cannot load custom ec params");
+ else
+ {
+ ec_params = PEM_read_bio_Parameters(bio, NULL);
+ BIO_free(bio);
+
+ if (ec_params != NULL)
+ {
+ if (!SSL_CTX_set1_groups_list(p_ctx, ec_params))
+ die("SSL: setting custom EC params failed");
+ }
+ else
+ {
+ die("SSL: getting ec group or key failed");
+ }
+ }
+ }
+ else
+ {
+ SSL_CTX_set1_groups_list(p_ctx, "P-256");
+ }
/* Set up ALPN to check for FTP protocol intention of client. */
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
/* Set up SNI callback for an optional hostname check. */
diff --git a/tunables.c b/tunables.c
index 1ea7227..93f85b1 100644
--- a/tunables.c
+++ b/tunables.c
@@ -141,6 +141,7 @@ const char* tunable_email_password_file;
const char* tunable_rsa_cert_file;
const char* tunable_dsa_cert_file;
const char* tunable_dh_param_file;
+const char* tunable_ecdh_param_file;
const char* tunable_ssl_ciphers;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
@@ -290,7 +291,8 @@ tunables_load_defaults()
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting(0, &tunable_dh_param_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA",
+ install_str_setting(0, &tunable_ecdh_param_file);
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
&tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
diff --git a/tunables.h b/tunables.h
index 3995472..3e2d40c 100644
--- a/tunables.h
+++ b/tunables.h
@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file;
extern const char* tunable_rsa_cert_file;
extern const char* tunable_dsa_cert_file;
extern const char* tunable_dh_param_file;
+extern const char* tunable_ecdh_param_file;
extern const char* tunable_ssl_ciphers;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index ff94eca..e242873 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL.
Default: (none - use built in parameters appropriate for certificate key size)
.TP
+.B ecdh_param_file
+This option specifies the location of custom parameters for ephemeral
+Elliptic Curve Diffie-Hellman (ECDH) key exchange.
+
+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and
+automatically selected curve based on client preferences with OpenSSL 1.0.2
+and later)
+.TP
.B email_password_file
This option can be used to provide an alternate file for usage by the
.BR secure_email_list_enable
--
2.14.4

27
0040-Use-system-wide-crypto-policy.patch
View File

@ -1,27 +0,0 @@
From b83be8b4f86bf1a8a6de4802a9486d084c4a46cd Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Tue, 29 Aug 2017 10:32:16 +0200
Subject: [PATCH 40/59] Use system wide crypto policy
Resolves: rhbz#
---
tunables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tunables.c b/tunables.c
index 5440c00..354251c 100644
--- a/tunables.c
+++ b/tunables.c
@@ -297,8 +297,7 @@ tunables_load_defaults()
install_str_setting(0, &tunable_dsa_cert_file);
install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
- &tunable_ssl_ciphers);
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
--
2.14.4

31
0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
View File

@ -1,31 +0,0 @@
From 2369d1ea5144d525d315aba90da528e7d9bfd1cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
Date: Thu, 21 Dec 2017 14:19:18 +0100
Subject: [PATCH 41/59] Document the new default for ssl_ciphers in the man
page
Related: rhbz#1483970
---
vsftpd.conf.5 | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 3ca55e4..2a7662e 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1078,7 +1078,11 @@ man page for further details. Note that restricting ciphers can be a useful
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: DES-CBC3-SHA
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
+
+Default: PROFILE=SYSTEM
.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
--
2.14.4

225
vsftpd-3.0.3-ALPACA.patch
View File

@ -1,225 +0,0 @@
diff --git a/parseconf.c b/parseconf.c
index 3729818..ee1b8b4 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -188,6 +188,7 @@ parseconf_str_array[] =
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
{ "ca_certs_file", &tunable_ca_certs_file },
+ { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
{ "cmds_denied", &tunable_cmds_denied },
{ 0, 0 }
};
diff --git a/ssl.c b/ssl.c
index 09ec96a..b622347 100644
--- a/ssl.c
+++ b/ssl.c
@@ -41,6 +41,13 @@ static long bio_callback(
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+static int ssl_alpn_callback(SSL* p_ssl,
+ const unsigned char** p_out,
+ unsigned char* outlen,
+ const unsigned char* p_in,
+ unsigned int inlen,
+ void* p_arg);
+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
static int ssl_cert_digest(
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -285,6 +292,11 @@ ssl_init(struct vsf_session* p_sess)
SSL_CTX_set_timeout(p_ctx, INT_MAX);
}
+ /* Set up ALPN to check for FTP protocol intention of client. */
+ SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+ /* Set up SNI callback for an optional hostname check. */
+ SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
+ SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
if (tunable_ecdh_param_file)
@@ -871,6 +883,133 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
return DH_get_dh(keylength);
}
+static int
+ssl_alpn_callback(SSL* p_ssl,
+ const unsigned char** p_out,
+ unsigned char* outlen,
+ const unsigned char* p_in,
+ unsigned int inlen,
+ void* p_arg) {
+ unsigned int i;
+ struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+ int is_ok = 0;
+
+ (void) p_ssl;
+
+ /* Initialize just in case. */
+ *p_out = p_in;
+ *outlen = 0;
+
+ for (i = 0; i < inlen; ++i) {
+ unsigned int left = (inlen - i);
+ if (left < 4) {
+ continue;
+ }
+ if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
+ p_in[i + 3] == 'p')
+ {
+ is_ok = 1;
+ *p_out = &p_in[i + 1];
+ *outlen = 3;
+ break;
+ }
+ }
+
+ if (!is_ok)
+ {
+ str_alloc_text(&debug_str, "ALPN rejection");
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+ if (!is_ok || tunable_debug_ssl)
+ {
+ str_alloc_text(&debug_str, "ALPN data: ");
+ for (i = 0; i < inlen; ++i) {
+ str_append_char(&debug_str, p_in[i]);
+ }
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+
+ if (is_ok)
+ {
+ return SSL_TLSEXT_ERR_OK;
+ }
+ else
+ {
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+}
+
+static long
+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
+{
+ static struct mystr s_sni_expected_hostname;
+ static struct mystr s_sni_received_hostname;
+
+ int servername_type;
+ const char* p_sni_servername;
+ struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+ int is_ok = 0;
+
+ (void) p_ssl;
+ (void) p_arg;
+
+ if (tunable_ssl_sni_hostname)
+ {
+ str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
+ }
+
+ /* The OpenSSL documentation says it is pre-initialized like this, but set
+ * it just in case.
+ */
+ *p_al = SSL_AD_UNRECOGNIZED_NAME;
+
+ servername_type = SSL_get_servername_type(p_ssl);
+ p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
+ if (p_sni_servername != NULL) {
+ str_alloc_text(&s_sni_received_hostname, p_sni_servername);
+ }
+
+ if (str_isempty(&s_sni_expected_hostname))
+ {
+ is_ok = 1;
+ }
+ else if (servername_type != TLSEXT_NAMETYPE_host_name)
+ {
+ /* Fail. */
+ str_alloc_text(&debug_str, "SNI bad type: ");
+ str_append_ulong(&debug_str, servername_type);
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+ else
+ {
+ if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
+ {
+ is_ok = 1;
+ }
+ else
+ {
+ str_alloc_text(&debug_str, "SNI rejection");
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+ }
+
+ if (!is_ok || tunable_debug_ssl)
+ {
+ str_alloc_text(&debug_str, "SNI hostname: ");
+ str_append_str(&debug_str, &s_sni_received_hostname);
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+ }
+
+ if (is_ok)
+ {
+ return SSL_TLSEXT_ERR_OK;
+ }
+ else
+ {
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+}
+
void
ssl_add_entropy(struct vsf_session* p_sess)
{
diff --git a/tunables.c b/tunables.c
index c96c1ac..d8dfcde 100644
--- a/tunables.c
+++ b/tunables.c
@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
const char* tunable_ca_certs_file;
+const char* tunable_ssl_sni_hostname;
static void install_str_setting(const char* p_value, const char** p_storage);
@@ -309,6 +310,7 @@ tunables_load_defaults()
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
+ install_str_setting(0, &tunable_ssl_sni_hostname);
}
void
diff --git a/tunables.h b/tunables.h
index 8d50150..de6cab0 100644
--- a/tunables.h
+++ b/tunables.h
@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
extern const char* tunable_ca_certs_file;
+extern const char* tunable_ssl_sni_hostname;
extern const char* tunable_cmds_denied;
#endif /* VSF_TUNABLES_H */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 815773f..7006287 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1128,6 +1128,12 @@ for further details.
Default: PROFILE=SYSTEM
.TP
+.B ssl_sni_hostname
+If set, SSL connections will be rejected unless the SNI hostname in the
+incoming handshakes matches this value.
+
+Default: (none)
+.TP
.B user_config_dir
This powerful option allows the override of any config option specified in
the manual page, on a per-user basis. Usage is simple, and is best illustrated

96
vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
View File

@ -1,96 +0,0 @@
diff --git a/features.c b/features.c
index d024366..3a60b88 100644
--- a/features.c
+++ b/features.c
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
{
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
}
- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
{
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
}
diff --git a/parseconf.c b/parseconf.c
index ee1b8b4..5188088 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -87,6 +87,7 @@ parseconf_bool_array[] =
{ "ssl_tlsv1", &tunable_tlsv1 },
{ "ssl_tlsv1_1", &tunable_tlsv1_1 },
{ "ssl_tlsv1_2", &tunable_tlsv1_2 },
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
{ "tilde_user_enable", &tunable_tilde_user_enable },
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
diff --git a/ssl.c b/ssl.c
index b622347..3af67ad 100644
--- a/ssl.c
+++ b/ssl.c
@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
{
options |= SSL_OP_NO_TLSv1_2;
}
+ if (!tunable_tlsv1_3)
+ {
+ options |= SSL_OP_NO_TLSv1_3;
+ }
SSL_CTX_set_options(p_ctx, options);
if (tunable_rsa_cert_file)
{
diff --git a/tunables.c b/tunables.c
index d8dfcde..dc001ac 100644
--- a/tunables.c
+++ b/tunables.c
@@ -68,6 +68,7 @@ int tunable_sslv3;
int tunable_tlsv1;
int tunable_tlsv1_1;
int tunable_tlsv1_2;
+int tunable_tlsv1_3;
int tunable_tilde_user_enable;
int tunable_force_anon_logins_ssl;
int tunable_force_anon_data_ssl;
@@ -218,8 +219,9 @@ tunables_load_defaults()
tunable_sslv3 = 0;
tunable_tlsv1 = 0;
tunable_tlsv1_1 = 0;
- /* Only TLSv1.2 is enabled by default */
+ /* Only TLSv1.2 and TLSv1.3 are enabled by default */
tunable_tlsv1_2 = 1;
+ tunable_tlsv1_3 = 1;
tunable_tilde_user_enable = 0;
tunable_force_anon_logins_ssl = 0;
tunable_force_anon_data_ssl = 0;
diff --git a/tunables.h b/tunables.h
index de6cab0..ff0eebc 100644
--- a/tunables.h
+++ b/tunables.h
@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */
extern int tunable_tlsv1; /* Allow TLSv1 */
extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
+extern int tunable_tlsv1_3; /* Allow TLSv1.3 */
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 7006287..d181e50 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -587,7 +587,15 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit TLS v1.2 protocol connections.
-TLS v1.2 connections are preferred.
+TLS v1.2 and TLS v1.3 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_3
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
+TLS v1.2 and TLS v1.3 connections are preferred.
Default: YES
.TP

79
vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
View File

@ -1,79 +0,0 @@
diff -urN a/parseconf.c b/parseconf.c
--- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200
+++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100
@@ -185,6 +185,7 @@
{ "dsa_cert_file", &tunable_dsa_cert_file },
{ "dh_param_file", &tunable_dh_param_file },
{ "ecdh_param_file", &tunable_ecdh_param_file },
+ { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
{ "ssl_ciphers", &tunable_ssl_ciphers },
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
diff -urN a/ssl.c b/ssl.c
--- a/ssl.c 2021-08-02 08:24:35.000000000 +0200
+++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100
@@ -135,6 +135,11 @@
{
die("SSL: could not set cipher list");
}
+ if (tunable_ssl_ciphersuites &&
+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
+ {
+ die("SSL: could not set ciphersuites");
+ }
if (RAND_status() != 1)
{
die("SSL: RNG is not seeded");
diff -urN a/tunables.c b/tunables.c
--- a/tunables.c 2021-05-29 23:39:00.000000000 +0200
+++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100
@@ -154,6 +154,7 @@
const char* tunable_dsa_cert_file;
const char* tunable_dh_param_file;
const char* tunable_ecdh_param_file;
const char* tunable_ssl_ciphers;
+const char* tunable_ssl_ciphersuites;
const char* tunable_rsa_private_key_file;
const char* tunable_dsa_private_key_file;
@@ -293,6 +293,7 @@
install_str_setting(0, &tunable_dh_param_file);
install_str_setting(0, &tunable_ecdh_param_file);
install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
+ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
diff -urN a/tunables.h b/tunables.h
--- a/tunables.h
+++ b/tunables.h
@@ -144,6 +144,7 @@
extern const char* tunable_dsa_cert_file;
extern const char* tunable_dh_param_file;
extern const char* tunable_ecdh_param_file;
extern const char* tunable_ssl_ciphers;
+extern const char* tunable_ssl_ciphersuites;
extern const char* tunable_rsa_private_key_file;
extern const char* tunable_dsa_private_key_file;
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -1009,6 +1009,20 @@
Default: PROFILE=SYSTEM
.TP
+.B ssl_ciphersuites
+This option can be used to select which SSL cipher suites vsftpd will allow for
+encrypted SSL connections with TLSv1.3. See the
+.BR ciphers
+man page for further details. Note that restricting ciphers can be a useful
+security precaution as it prevents malicious remote parties forcing a cipher
+which they have found problems with.
+
+By default, the system-wide crypto policy is used. See
+.BR update-crypto-policies(8)
+for further details.
+
+Default: TLS_AES_256_GCM_SHA384
+.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
incoming handshakes matches this value.

29
vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
View File

@ -1,17 +1,7 @@
diff --git a/ssl.c b/ssl.c
--- ssl.c
+++ ssl.c
@@ -28,17 +28,17 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/param_build.h>
#include <errno.h>
#include <limits.h>
static char* get_ssl_error();
static SSL* get_ssl(struct vsf_session* p_sess, int fd);
@@ -36,7 +36,7 @@ static SSL* get_ssl(struct vsf_session* p_sess, int fd);
static int ssl_session_init(struct vsf_session* p_sess);
static void setup_bio_callbacks();
static long bio_callback(
@ -25,25 +15,10 @@ diff --git a/ssl.c b/ssl.c
int verify_option = 0;
SSL_library_init();
- p_ctx = SSL_CTX_new(SSLv23_server_method());
+ p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
+ p_ctx = SSL_CTX_new(TLS_server_method());
if (p_ctx == NULL)
{
die("SSL: could not allocate SSL context");
@@ -180,13 +180,10 @@
die("SSL: RNG is not seeded");
}
{
- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if (key == NULL)
+ if (!SSL_CTX_set1_groups_list(p_ctx, "P-256"))
{
die("SSL: failed to get curve p256");
}
- SSL_CTX_set_tmp_ecdh(p_ctx, key);
- EC_KEY_free(key);
}
if (tunable_ssl_request_cert)
{
@@ -692,17 +689,19 @@
static void setup_bio_callbacks(SSL* p_ssl)
{

13
vsftpd.spec
View File

@ -2,7 +2,7 @@
Name: vsftpd
Version: 3.0.5
Release: 9%{?dist}
Release: 10%{?dist}
Summary: Very Secure Ftp Daemon
# OpenSSL link exception
@ -49,8 +49,8 @@ Patch17: 0017-Fix-an-issue-with-timestamps-during-DST.patch
Patch18: 0018-Change-the-default-log-file-in-configuration.patch
Patch19: 0019-Introduce-reverse_lookup_enable-option.patch
Patch20: 0020-Use-unsigned-int-for-uid-and-gid-representation.patch
Patch21: 0021-Introduce-support-for-DHE-based-cipher-suites.patch
Patch22: 0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
Patch21: 0021-Follow-crypto-policies-for-ssl-ciphers.patch
Patch22: 0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch
Patch23: 0023-Add-documentation-for-isolate_-options.-Correct-defa.patch
Patch24: 0024-Introduce-new-return-value-450.patch
Patch25: 0025-Improve-local_max_rate-option.patch
@ -66,8 +66,6 @@ Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
Patch40: 0040-Use-system-wide-crypto-policy.patch
Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
@ -97,7 +95,6 @@ Patch70: fix-str_open.patch
Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch
Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
Patch74: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch
%description
@ -168,6 +165,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
%{_var}/ftp
%changelog
* Thu Jul 10 2025 Pavol Žáčik <pzacik@redhat.com> - 3.0.5-10
- Fix cryptographic agility issues
Resolves: RHEL-99533
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.0.5-9
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018