From ca207c8895261ac6b510ca0d04e94f955b1c64a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?= Date: Wed, 9 Jul 2025 15:04:48 +0200 Subject: [PATCH] Adjust opinionated use of cryptography Adhere to crypto-policies when restricting TLS 1.3 ciphersuites by default. When using DH, let OpenSSL set up its params automatically by default. When using ephemeral ECDH, allow all supported curves. Deprecate the `ecdh_param_file` config option which is broken since the transition to OpenSSL 3.0. Also remove old unused patches. Resolves: RHEL-99533 --- ...llow-crypto-policies-for-ssl-ciphers.patch | 39 +++ ...-support-for-DHE-based-cipher-suites.patch | 164 ------------- ...s-for-TLS-ciphersuites-and-DH-params.patch | 135 +++++++++++ ...upport-for-EDDHE-based-cipher-suites.patch | 128 ---------- 0040-Use-system-wide-crypto-policy.patch | 27 --- ...-default-for-ssl_ciphers-in-the-man-.patch | 31 --- vsftpd-3.0.3-ALPACA.patch | 225 ------------------ vsftpd-3.0.3-option_to_disable_TLSv1_3.patch | 96 -------- ...-add-option-for-tlsv1.3-ciphersuites.patch | 79 ------ ...replace-deprecated-openssl-functions.patch | 29 +-- vsftpd.spec | 13 +- 11 files changed, 183 insertions(+), 783 deletions(-) create mode 100644 0021-Follow-crypto-policies-for-ssl-ciphers.patch delete mode 100644 0021-Introduce-support-for-DHE-based-cipher-suites.patch create mode 100644 0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch delete mode 100644 0022-Introduce-support-for-EDDHE-based-cipher-suites.patch delete mode 100644 0040-Use-system-wide-crypto-policy.patch delete mode 100644 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch delete mode 100644 vsftpd-3.0.3-ALPACA.patch delete mode 100644 vsftpd-3.0.3-option_to_disable_TLSv1_3.patch delete mode 100644 vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch diff --git a/0021-Follow-crypto-policies-for-ssl-ciphers.patch b/0021-Follow-crypto-policies-for-ssl-ciphers.patch new file mode 100644 index 0000000..22b989d --- /dev/null +++ b/0021-Follow-crypto-policies-for-ssl-ciphers.patch @@ -0,0 +1,39 @@ +diff --git a/tunables.c b/tunables.c +--- a/tunables.c ++++ b/tunables.c +@@ -295,7 +295,7 @@ + install_str_setting("/usr/share/ssl/certs/vsftpd.pem", + &tunable_rsa_cert_file); + install_str_setting(0, &tunable_dsa_cert_file); +- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); ++ install_str_setting(0, &tunable_ssl_ciphers); + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); + install_str_setting(0, &tunable_ca_certs_file); +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -1030,14 +1030,16 @@ + Default: /usr/share/empty + .TP + .B ssl_ciphers +-This option can be used to select which SSL ciphers vsftpd will allow for +-encrypted SSL connections. See the +-.BR ciphers ++This option can be used to select which TLS ciphers vsftpd will allow for ++encrypted TLS connections. See the ++.BR openssl-ciphers +-man page for further details. Note that restricting ciphers can be a useful +-security precaution as it prevents malicious remote parties forcing a cipher +-which they have found problems with. ++man page for further details. ++ ++By default, the system-wide crypto policy is used. See ++.BR update-crypto-policies(8) ++for further details. + +-Default: DES-CBC3-SHA ++Default: (none - system-wide crypto policy is followed) + .TP + .B ssl_sni_hostname + If set, SSL connections will be rejected unless the SNI hostname in the diff --git a/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/0021-Introduce-support-for-DHE-based-cipher-suites.patch deleted file mode 100644 index 3460c2a..0000000 --- a/0021-Introduce-support-for-DHE-based-cipher-suites.patch +++ /dev/null @@ -1,164 +0,0 @@ -From 4eac1dbb5f70a652d31847eec7c28d245f36cdbb Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 10:48:28 +0100 -Subject: [PATCH 21/59] Introduce support for DHE based cipher suites. - ---- - parseconf.c | 1 + - ssl.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - tunables.c | 5 +++- - tunables.h | 1 + - vsftpd.conf.5 | 6 ++++ - 5 files changed, 104 insertions(+), 2 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 3e0dba4..38e3182 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -176,6 +176,7 @@ parseconf_str_array[] = - { "email_password_file", &tunable_email_password_file }, - { "rsa_cert_file", &tunable_rsa_cert_file }, - { "dsa_cert_file", &tunable_dsa_cert_file }, -+ { "dh_param_file", &tunable_dh_param_file }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff --git a/ssl.c b/ssl.c -index c362983..22b69b3 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -28,6 +28,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - -@@ -58,6 +60,23 @@ - static int ssl_inited; - static struct mystr debug_str; - -+EVP_PKEY * -+DH_get_dh() -+{ -+ OSSL_PARAM dh_params[2]; -+ EVP_PKEY *dh_key = NULL; -+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); -+ -+ dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0); -+ dh_params[1] = OSSL_PARAM_construct_end(); -+ -+ if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0) -+ return NULL; -+ EVP_PKEY_generate(pctx, &dh_key); -+ EVP_PKEY_CTX_free(pctx); -+ return dh_key; -+} -+ - void - ssl_init(struct vsf_session* p_sess) - { -@@ -72,7 +89,7 @@ - { - die("SSL: could not allocate SSL context"); - } -- options = SSL_OP_ALL; -+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; - if (!tunable_sslv2) - { - options |= SSL_OP_NO_SSLv2; -@@ -149,8 +166,27 @@ - die("SSL: cannot load DSA private key"); - } - } -+ if (tunable_dh_param_file) -+ { -+ BIO *bio; -+ EVP_PKEY *dh_params = NULL; -+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) -+ { -+ die("SSL: cannot load custom DH params"); -+ } -+ else -+ { -+ dh_params = PEM_read_bio_Parameters(bio, NULL); -+ BIO_free(bio); -+ -+ if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params)) -+ { -+ die("SSL: setting custom DH params failed"); -+ } -+ } -+ } - if (tunable_ssl_ciphers && - SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) - { - die("SSL: could not set cipher list"); - } -@@ -184,6 +226,9 @@ - /* Ensure cached session doesn't expire */ - SSL_CTX_set_timeout(p_ctx, INT_MAX); - } -+ -+ SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh()); -+ - /* Set up ALPN to check for FTP protocol intention of client. */ - SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); - /* Set up SNI callback for an optional hostname check. */ -diff --git a/tunables.c b/tunables.c -index c737465..1ea7227 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -140,6 +140,7 @@ const char* tunable_user_sub_token; - const char* tunable_email_password_file; - const char* tunable_rsa_cert_file; - const char* tunable_dsa_cert_file; -+const char* tunable_dh_param_file; - const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -288,7 +289,9 @@ tunables_load_defaults() - install_str_setting("/usr/share/ssl/certs/vsftpd.pem", - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); -- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers); -+ install_str_setting(0, &tunable_dh_param_file); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", -+ &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff --git a/tunables.h b/tunables.h -index 9553038..3995472 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -142,6 +142,7 @@ extern const char* tunable_user_sub_token; - extern const char* tunable_email_password_file; - extern const char* tunable_rsa_cert_file; - extern const char* tunable_dsa_cert_file; -+extern const char* tunable_dh_param_file; - extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index fb6324e..ff94eca 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -893,6 +893,12 @@ to be in the same file as the certificate. - - Default: (none) - .TP -+.B dh_param_file -+This option specifies the location of the custom parameters used for -+ephemeral Diffie-Hellman key exchange in SSL. -+ -+Default: (none - use built in parameters appropriate for certificate key size) -+.TP - .B email_password_file - This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable --- -2.14.4 - diff --git a/0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch b/0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch new file mode 100644 index 0000000..1f0f1c1 --- /dev/null +++ b/0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch @@ -0,0 +1,135 @@ +diff --git a/parseconf.c b/parseconf.c +--- a/parseconf.c ++++ b/parseconf.c +@@ -180,6 +180,9 @@ parseconf_str_array[] = + { "email_password_file", &tunable_email_password_file }, + { "rsa_cert_file", &tunable_rsa_cert_file }, + { "dsa_cert_file", &tunable_dsa_cert_file }, ++ { "dh_param_file", &tunable_dh_param_file }, ++ { "ecdh_param_file", &tunable_ecdh_param_file }, ++ { "ssl_ciphersuites", &tunable_ssl_ciphersuites }, + { "ssl_ciphers", &tunable_ssl_ciphers }, + { "rsa_private_key_file", &tunable_rsa_private_key_file }, + { "dsa_private_key_file", &tunable_dsa_private_key_file }, +diff --git a/ssl.c b/ssl.c +--- a/ssl.c ++++ b/ssl.c +@@ -130,6 +130,30 @@ ssl_init(struct vsf_session* p_sess) + die("SSL: cannot load DSA private key"); + } + } ++ if (tunable_dh_param_file) ++ { ++ BIO *bio; ++ EVP_PKEY *dh_params = NULL; ++ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) ++ { ++ die("SSL: cannot load custom DH params"); ++ } ++ dh_params = PEM_read_bio_Parameters(bio, NULL); ++ BIO_free(bio); ++ if (dh_params == NULL || !SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params)) ++ { ++ die("SSL: setting custom DH params failed"); ++ } ++ } ++ else ++ { ++ SSL_CTX_set_dh_auto(p_ctx, 1); ++ } ++ if (tunable_ssl_ciphersuites && ++ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1) ++ { ++ die("SSL: could not set ciphersuites"); ++ } + if (tunable_ssl_ciphers && + SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) + { +@@ -139,15 +163,6 @@ ssl_init(struct vsf_session* p_sess) + { + die("SSL: RNG is not seeded"); + } +- { +- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); +- if (key == NULL) +- { +- die("SSL: failed to get curve p256"); +- } +- SSL_CTX_set_tmp_ecdh(p_ctx, key); +- EC_KEY_free(key); +- } + if (tunable_ssl_request_cert) + { + verify_option |= SSL_VERIFY_PEER; +diff --git a/tunables.c b/tunables.c +--- a/tunables.c ++++ b/tunables.c +@@ -143,6 +143,9 @@ const char* tunable_user_sub_token; + const char* tunable_email_password_file; + const char* tunable_rsa_cert_file; + const char* tunable_dsa_cert_file; ++const char* tunable_dh_param_file; ++const char* tunable_ecdh_param_file; ++const char* tunable_ssl_ciphersuites; + const char* tunable_ssl_ciphers; + const char* tunable_rsa_private_key_file; + const char* tunable_dsa_private_key_file; +@@ -295,6 +298,9 @@ tunables_load_defaults() + install_str_setting("/usr/share/ssl/certs/vsftpd.pem", + &tunable_rsa_cert_file); + install_str_setting(0, &tunable_dsa_cert_file); ++ install_str_setting(0, &tunable_dh_param_file); ++ install_str_setting(0, &tunable_ecdh_param_file); ++ install_str_setting(0, &tunable_ssl_ciphersuites); + install_str_setting(0, &tunable_ssl_ciphers); + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); +diff --git a/tunables.h b/tunables.h +--- a/tunables.h ++++ b/tunables.h +@@ -145,6 +145,9 @@ extern const char* tunable_user_sub_token; + extern const char* tunable_email_password_file; + extern const char* tunable_rsa_cert_file; + extern const char* tunable_dsa_cert_file; ++extern const char* tunable_dh_param_file; ++extern const char* tunable_ecdh_param_file; ++extern const char* tunable_ssl_ciphersuites; + extern const char* tunable_ssl_ciphers; + extern const char* tunable_rsa_private_key_file; + extern const char* tunable_dsa_private_key_file; +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -1029,6 +1029,32 @@ + + Default: /usr/share/empty + .TP ++.B dh_param_file ++This option specifies the location of custom parameters used for ++ephemeral Diffie-Hellman key exchange in TLS. ++ ++Default: (none - use built-in parameters appropriate for certificate key size) ++.TP ++.B ecdh_param_file ++This option specifies the location of custom curve parameters for ephemeral ++Elliptic Curve Diffie-Hellman (ECDH) key exchange in TLS. ++ ++This option is deprecated and has no effect. ++ ++Default: (none - enable all supported curve groups) ++.TP ++.B ssl_ciphersuites ++This option can be used to select which TLS ciphersuites vsftpd will allow for ++encrypted TLS connections with TLSv1.3. See the ++.BR openssl-ciphers ++man page for further details. ++ ++By default, the system-wide crypto policy is used. See ++.BR update-crypto-policies(8) ++for further details. ++ ++Default: (none - system-wide crypto policy is followed) ++.TP + .B ssl_ciphers + This option can be used to select which TLS ciphers vsftpd will allow for + encrypted TLS connections. See the diff --git a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch deleted file mode 100644 index 0a09a2c..0000000 --- a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +++ /dev/null @@ -1,128 +0,0 @@ -From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Thu, 17 Nov 2016 10:49:22 +0100 -Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites. - ---- - parseconf.c | 1 + - ssl.c | 37 ++++++++++++++++++++++++++++++++++++- - tunables.c | 4 +++- - tunables.h | 1 + - vsftpd.conf.5 | 8 ++++++++ - 5 files changed, 49 insertions(+), 2 deletions(-) - -diff --git a/parseconf.c b/parseconf.c -index 38e3182..a2c715b 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -177,6 +177,7 @@ parseconf_str_array[] = - { "rsa_cert_file", &tunable_rsa_cert_file }, - { "dsa_cert_file", &tunable_dsa_cert_file }, - { "dh_param_file", &tunable_dh_param_file }, -+ { "ecdh_param_file", &tunable_ecdh_param_file }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff --git a/ssl.c b/ssl.c -index 22b69b3..96bf8ad 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -122,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) - { - die("SSL: could not allocate SSL context"); - } -- options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; -+ options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE; - if (!tunable_sslv2) - { - options |= SSL_OP_NO_SSLv2; -@@ -244,6 +244,33 @@ - - SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh()); - -+ if (tunable_ecdh_param_file) -+ { -+ BIO *bio; -+ EVP_PKEY *ec_params = NULL; -+ -+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL) -+ die("SSL: cannot load custom ec params"); -+ else -+ { -+ ec_params = PEM_read_bio_Parameters(bio, NULL); -+ BIO_free(bio); -+ -+ if (ec_params != NULL) -+ { -+ if (!SSL_CTX_set1_groups_list(p_ctx, ec_params)) -+ die("SSL: setting custom EC params failed"); -+ } -+ else -+ { -+ die("SSL: getting ec group or key failed"); -+ } -+ } -+ } -+ else -+ { -+ SSL_CTX_set1_groups_list(p_ctx, "P-256"); -+ } - /* Set up ALPN to check for FTP protocol intention of client. */ - SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); - /* Set up SNI callback for an optional hostname check. */ -diff --git a/tunables.c b/tunables.c -index 1ea7227..93f85b1 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -141,6 +141,7 @@ const char* tunable_email_password_file; - const char* tunable_rsa_cert_file; - const char* tunable_dsa_cert_file; - const char* tunable_dh_param_file; -+const char* tunable_ecdh_param_file; - const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -290,7 +291,8 @@ tunables_load_defaults() - &tunable_rsa_cert_file); - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA", -+ install_str_setting(0, &tunable_ecdh_param_file); -+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", - &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); -diff --git a/tunables.h b/tunables.h -index 3995472..3e2d40c 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -143,6 +143,7 @@ extern const char* tunable_email_password_file; - extern const char* tunable_rsa_cert_file; - extern const char* tunable_dsa_cert_file; - extern const char* tunable_dh_param_file; -+extern const char* tunable_ecdh_param_file; - extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index ff94eca..e242873 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -899,6 +899,14 @@ ephemeral Diffie-Hellman key exchange in SSL. - - Default: (none - use built in parameters appropriate for certificate key size) - .TP -+.B ecdh_param_file -+This option specifies the location of custom parameters for ephemeral -+Elliptic Curve Diffie-Hellman (ECDH) key exchange. -+ -+Default: (none - use built in parameters, NIST P-256 with OpenSSL 1.0.1 and -+automatically selected curve based on client preferences with OpenSSL 1.0.2 -+and later) -+.TP - .B email_password_file - This option can be used to provide an alternate file for usage by the - .BR secure_email_list_enable --- -2.14.4 - diff --git a/0040-Use-system-wide-crypto-policy.patch b/0040-Use-system-wide-crypto-policy.patch deleted file mode 100644 index 940a5b2..0000000 --- a/0040-Use-system-wide-crypto-policy.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b83be8b4f86bf1a8a6de4802a9486d084c4a46cd Mon Sep 17 00:00:00 2001 -From: Martin Sehnoutka -Date: Tue, 29 Aug 2017 10:32:16 +0200 -Subject: [PATCH 40/59] Use system wide crypto policy - -Resolves: rhbz# ---- - tunables.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tunables.c b/tunables.c -index 5440c00..354251c 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -297,8 +297,7 @@ tunables_load_defaults() - install_str_setting(0, &tunable_dsa_cert_file); - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", -- &tunable_ssl_ciphers); -+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); --- -2.14.4 - diff --git a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch deleted file mode 100644 index 93e2ce8..0000000 --- a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 2369d1ea5144d525d315aba90da528e7d9bfd1cc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= -Date: Thu, 21 Dec 2017 14:19:18 +0100 -Subject: [PATCH 41/59] Document the new default for ssl_ciphers in the man - page - -Related: rhbz#1483970 ---- - vsftpd.conf.5 | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 3ca55e4..2a7662e 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -1078,7 +1078,11 @@ man page for further details. Note that restricting ciphers can be a useful - security precaution as it prevents malicious remote parties forcing a cipher - which they have found problems with. - --Default: DES-CBC3-SHA -+By default, the system-wide crypto policy is used. See -+.BR update-crypto-policies(8) -+for further details. -+ -+Default: PROFILE=SYSTEM - .TP - .B ssl_sni_hostname - If set, SSL connections will be rejected unless the SNI hostname in the --- -2.14.4 - diff --git a/vsftpd-3.0.3-ALPACA.patch b/vsftpd-3.0.3-ALPACA.patch deleted file mode 100644 index 336a1de..0000000 --- a/vsftpd-3.0.3-ALPACA.patch +++ /dev/null @@ -1,225 +0,0 @@ -diff --git a/parseconf.c b/parseconf.c -index 3729818..ee1b8b4 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -188,6 +188,7 @@ parseconf_str_array[] = - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, - { "ca_certs_file", &tunable_ca_certs_file }, -+ { "ssl_sni_hostname", &tunable_ssl_sni_hostname }, - { "cmds_denied", &tunable_cmds_denied }, - { 0, 0 } - }; -diff --git a/ssl.c b/ssl.c -index 09ec96a..b622347 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -41,6 +41,13 @@ static long bio_callback( - BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); - static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); -+static int ssl_alpn_callback(SSL* p_ssl, -+ const unsigned char** p_out, -+ unsigned char* outlen, -+ const unsigned char* p_in, -+ unsigned int inlen, -+ void* p_arg); -+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg); - static int ssl_cert_digest( - SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); - static void maybe_log_shutdown_state(struct vsf_session* p_sess); -@@ -285,6 +292,11 @@ ssl_init(struct vsf_session* p_sess) - SSL_CTX_set_timeout(p_ctx, INT_MAX); - } - -+ /* Set up ALPN to check for FTP protocol intention of client. */ -+ SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); -+ /* Set up SNI callback for an optional hostname check. */ -+ SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback); -+ SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess); - SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); - - if (tunable_ecdh_param_file) -@@ -871,6 +883,133 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) - return DH_get_dh(keylength); - } - -+static int -+ssl_alpn_callback(SSL* p_ssl, -+ const unsigned char** p_out, -+ unsigned char* outlen, -+ const unsigned char* p_in, -+ unsigned int inlen, -+ void* p_arg) { -+ unsigned int i; -+ struct vsf_session* p_sess = (struct vsf_session*) p_arg; -+ int is_ok = 0; -+ -+ (void) p_ssl; -+ -+ /* Initialize just in case. */ -+ *p_out = p_in; -+ *outlen = 0; -+ -+ for (i = 0; i < inlen; ++i) { -+ unsigned int left = (inlen - i); -+ if (left < 4) { -+ continue; -+ } -+ if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' && -+ p_in[i + 3] == 'p') -+ { -+ is_ok = 1; -+ *p_out = &p_in[i + 1]; -+ *outlen = 3; -+ break; -+ } -+ } -+ -+ if (!is_ok) -+ { -+ str_alloc_text(&debug_str, "ALPN rejection"); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ if (!is_ok || tunable_debug_ssl) -+ { -+ str_alloc_text(&debug_str, "ALPN data: "); -+ for (i = 0; i < inlen; ++i) { -+ str_append_char(&debug_str, p_in[i]); -+ } -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ -+ if (is_ok) -+ { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ else -+ { -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+} -+ -+static long -+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg) -+{ -+ static struct mystr s_sni_expected_hostname; -+ static struct mystr s_sni_received_hostname; -+ -+ int servername_type; -+ const char* p_sni_servername; -+ struct vsf_session* p_sess = (struct vsf_session*) p_arg; -+ int is_ok = 0; -+ -+ (void) p_ssl; -+ (void) p_arg; -+ -+ if (tunable_ssl_sni_hostname) -+ { -+ str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname); -+ } -+ -+ /* The OpenSSL documentation says it is pre-initialized like this, but set -+ * it just in case. -+ */ -+ *p_al = SSL_AD_UNRECOGNIZED_NAME; -+ -+ servername_type = SSL_get_servername_type(p_ssl); -+ p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name); -+ if (p_sni_servername != NULL) { -+ str_alloc_text(&s_sni_received_hostname, p_sni_servername); -+ } -+ -+ if (str_isempty(&s_sni_expected_hostname)) -+ { -+ is_ok = 1; -+ } -+ else if (servername_type != TLSEXT_NAMETYPE_host_name) -+ { -+ /* Fail. */ -+ str_alloc_text(&debug_str, "SNI bad type: "); -+ str_append_ulong(&debug_str, servername_type); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ else -+ { -+ if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname)) -+ { -+ is_ok = 1; -+ } -+ else -+ { -+ str_alloc_text(&debug_str, "SNI rejection"); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ } -+ -+ if (!is_ok || tunable_debug_ssl) -+ { -+ str_alloc_text(&debug_str, "SNI hostname: "); -+ str_append_str(&debug_str, &s_sni_received_hostname); -+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str); -+ } -+ -+ if (is_ok) -+ { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ else -+ { -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+} -+ - void - ssl_add_entropy(struct vsf_session* p_sess) - { -diff --git a/tunables.c b/tunables.c -index c96c1ac..d8dfcde 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; - const char* tunable_ca_certs_file; -+const char* tunable_ssl_sni_hostname; - - static void install_str_setting(const char* p_value, const char** p_storage); - -@@ -309,6 +310,7 @@ tunables_load_defaults() - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -+ install_str_setting(0, &tunable_ssl_sni_hostname); - } - - void -diff --git a/tunables.h b/tunables.h -index 8d50150..de6cab0 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; - extern const char* tunable_ca_certs_file; -+extern const char* tunable_ssl_sni_hostname; - extern const char* tunable_cmds_denied; - - #endif /* VSF_TUNABLES_H */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 815773f..7006287 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -1128,6 +1128,12 @@ for further details. - - Default: PROFILE=SYSTEM - .TP -+.B ssl_sni_hostname -+If set, SSL connections will be rejected unless the SNI hostname in the -+incoming handshakes matches this value. -+ -+Default: (none) -+.TP - .B user_config_dir - This powerful option allows the override of any config option specified in - the manual page, on a per-user basis. Usage is simple, and is best illustrated diff --git a/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch b/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch deleted file mode 100644 index b215273..0000000 --- a/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch +++ /dev/null @@ -1,96 +0,0 @@ -diff --git a/features.c b/features.c -index d024366..3a60b88 100644 ---- a/features.c -+++ b/features.c -@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) - { - vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); - } -- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) -+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3) - { - vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); - } -diff --git a/parseconf.c b/parseconf.c -index ee1b8b4..5188088 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -87,6 +87,7 @@ parseconf_bool_array[] = - { "ssl_tlsv1", &tunable_tlsv1 }, - { "ssl_tlsv1_1", &tunable_tlsv1_1 }, - { "ssl_tlsv1_2", &tunable_tlsv1_2 }, -+ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -diff --git a/ssl.c b/ssl.c -index b622347..3af67ad 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1_2; - } -+ if (!tunable_tlsv1_3) -+ { -+ options |= SSL_OP_NO_TLSv1_3; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -diff --git a/tunables.c b/tunables.c -index d8dfcde..dc001ac 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -68,6 +68,7 @@ int tunable_sslv3; - int tunable_tlsv1; - int tunable_tlsv1_1; - int tunable_tlsv1_2; -+int tunable_tlsv1_3; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -218,8 +219,9 @@ tunables_load_defaults() - tunable_sslv3 = 0; - tunable_tlsv1 = 0; - tunable_tlsv1_1 = 0; -- /* Only TLSv1.2 is enabled by default */ -+ /* Only TLSv1.2 and TLSv1.3 are enabled by default */ - tunable_tlsv1_2 = 1; -+ tunable_tlsv1_3 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -diff --git a/tunables.h b/tunables.h -index de6cab0..ff0eebc 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ - extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ - extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ -+extern int tunable_tlsv1_3; /* Allow TLSv1.3 */ - extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 7006287..d181e50 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -587,7 +587,15 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1.2 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_3 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.3 protocol connections. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: YES - .TP diff --git a/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch b/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch deleted file mode 100644 index 1f1925e..0000000 --- a/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch +++ /dev/null @@ -1,79 +0,0 @@ -diff -urN a/parseconf.c b/parseconf.c ---- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200 -+++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100 -@@ -185,6 +185,7 @@ - { "dsa_cert_file", &tunable_dsa_cert_file }, - { "dh_param_file", &tunable_dh_param_file }, - { "ecdh_param_file", &tunable_ecdh_param_file }, -+ { "ssl_ciphersuites", &tunable_ssl_ciphersuites }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff -urN a/ssl.c b/ssl.c ---- a/ssl.c 2021-08-02 08:24:35.000000000 +0200 -+++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100 -@@ -135,6 +135,11 @@ - { - die("SSL: could not set cipher list"); - } -+ if (tunable_ssl_ciphersuites && -+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1) -+ { -+ die("SSL: could not set ciphersuites"); -+ } - if (RAND_status() != 1) - { - die("SSL: RNG is not seeded"); -diff -urN a/tunables.c b/tunables.c ---- a/tunables.c 2021-05-29 23:39:00.000000000 +0200 -+++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100 -@@ -154,6 +154,7 @@ - const char* tunable_dsa_cert_file; - const char* tunable_dh_param_file; - const char* tunable_ecdh_param_file; - const char* tunable_ssl_ciphers; -+const char* tunable_ssl_ciphersuites; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -293,6 +293,7 @@ - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); - install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); -+ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff -urN a/tunables.h b/tunables.h ---- a/tunables.h -+++ b/tunables.h -@@ -144,6 +144,7 @@ - extern const char* tunable_dsa_cert_file; - extern const char* tunable_dh_param_file; - extern const char* tunable_ecdh_param_file; - extern const char* tunable_ssl_ciphers; -+extern const char* tunable_ssl_ciphersuites; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -1009,6 +1009,20 @@ - - Default: PROFILE=SYSTEM - .TP -+.B ssl_ciphersuites -+This option can be used to select which SSL cipher suites vsftpd will allow for -+encrypted SSL connections with TLSv1.3. See the -+.BR ciphers -+man page for further details. Note that restricting ciphers can be a useful -+security precaution as it prevents malicious remote parties forcing a cipher -+which they have found problems with. -+ -+By default, the system-wide crypto policy is used. See -+.BR update-crypto-policies(8) -+for further details. -+ -+Default: TLS_AES_256_GCM_SHA384 -+.TP - .B ssl_sni_hostname - If set, SSL connections will be rejected unless the SNI hostname in the - incoming handshakes matches this value. diff --git a/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch b/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch index 8e3792b..c81d0e6 100644 --- a/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch +++ b/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch @@ -1,17 +1,7 @@ diff --git a/ssl.c b/ssl.c --- ssl.c +++ ssl.c -@@ -28,17 +28,17 @@ - #include - #include - #include - #include - #include - #include - #include - - static char* get_ssl_error(); - static SSL* get_ssl(struct vsf_session* p_sess, int fd); +@@ -36,7 +36,7 @@ static SSL* get_ssl(struct vsf_session* p_sess, int fd); static int ssl_session_init(struct vsf_session* p_sess); static void setup_bio_callbacks(); static long bio_callback( @@ -25,25 +15,10 @@ diff --git a/ssl.c b/ssl.c int verify_option = 0; SSL_library_init(); - p_ctx = SSL_CTX_new(SSLv23_server_method()); -+ p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method()); ++ p_ctx = SSL_CTX_new(TLS_server_method()); if (p_ctx == NULL) { die("SSL: could not allocate SSL context"); -@@ -180,13 +180,10 @@ - die("SSL: RNG is not seeded"); - } - { -- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); -- if (key == NULL) -+ if (!SSL_CTX_set1_groups_list(p_ctx, "P-256")) - { - die("SSL: failed to get curve p256"); - } -- SSL_CTX_set_tmp_ecdh(p_ctx, key); -- EC_KEY_free(key); - } - if (tunable_ssl_request_cert) - { @@ -692,17 +689,19 @@ static void setup_bio_callbacks(SSL* p_ssl) { diff --git a/vsftpd.spec b/vsftpd.spec index d6fe01c..44ca65f 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -2,7 +2,7 @@ Name: vsftpd Version: 3.0.5 -Release: 9%{?dist} +Release: 10%{?dist} Summary: Very Secure Ftp Daemon # OpenSSL link exception @@ -49,8 +49,8 @@ Patch17: 0017-Fix-an-issue-with-timestamps-during-DST.patch Patch18: 0018-Change-the-default-log-file-in-configuration.patch Patch19: 0019-Introduce-reverse_lookup_enable-option.patch Patch20: 0020-Use-unsigned-int-for-uid-and-gid-representation.patch -Patch21: 0021-Introduce-support-for-DHE-based-cipher-suites.patch -Patch22: 0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +Patch21: 0021-Follow-crypto-policies-for-ssl-ciphers.patch +Patch22: 0022-Add-options-for-TLS-ciphersuites-and-DH-params.patch Patch23: 0023-Add-documentation-for-isolate_-options.-Correct-defa.patch Patch24: 0024-Introduce-new-return-value-450.patch Patch25: 0025-Improve-local_max_rate-option.patch @@ -66,8 +66,6 @@ Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch -Patch40: 0040-Use-system-wide-crypto-policy.patch -Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch @@ -97,7 +95,6 @@ Patch70: fix-str_open.patch Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch -Patch74: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch %description @@ -168,6 +165,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub %{_var}/ftp %changelog +* Thu Jul 10 2025 Pavol Žáčik - 3.0.5-10 +- Fix cryptographic agility issues + Resolves: RHEL-99533 + * Tue Oct 29 2024 Troy Dawson - 3.0.5-9 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018