rebase to version 3.0.5

Resolves: rhbz#2018284
2022-10-27 12:41:08 +02:00 · 2022-10-27 12:41:08 +02:00 · cd371a2ff9
parent 4f3c7662fd
commit cd371a2ff9
10 changed files with 57 additions and 41 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,3 +6,4 @@ vsftpd-2.3.2.tar.gz
 /vsftpd-3.0.1.tar.gz
 /vsftpd-3.0.2.tar.gz
 /vsftpd-3.0.3.tar.gz
+/vsftpd-3.0.5.tar.gz
--- a/0021-Introduce-support-for-DHE-based-cipher-suites.patch
+++ b/0021-Introduce-support-for-DHE-based-cipher-suites.patch
@ -36,14 +36,14 @@ index c362983..22b69b3 100644
 #include <errno.h>
 #include <limits.h>
 
-@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
+@@ -38,6 +40,7 @@
+ static char* get_ssl_error();
+ static SSL* get_ssl(struct vsf_session* p_sess, int fd);
+ static int ssl_session_init(struct vsf_session* p_sess);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+ static void setup_bio_callbacks();
 static long bio_callback(
   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
- static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
-+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
- static int ssl_cert_digest(
-   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
- static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
 static int ssl_inited;
 static struct mystr debug_str;
@ -140,18 +140,18 @@ index c362983..22b69b3 100644
     if (tunable_ssl_ciphers &&
         SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
     {
-@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
+@@ -184,6 +260,9 @@
       /* Ensure cached session doesn't expire */
       SSL_CTX_set_timeout(p_ctx, INT_MAX);
     }
-+    
+
 +    SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 +
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
+@@ -854,6 +933,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
   }
-@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
-   return 1;
 }
 
 +#define UNUSED(x) ( (void)(x) )
@ -162,7 +162,7 @@ index c362983..22b69b3 100644
 +  // strict compiler bypassing
 +  UNUSED(ssl);
 +  UNUSED(is_export);
-+  
+
 +  return DH_get_dh(keylength);
 +}
 +
--- a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
+++ b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
@ -36,8 +36,8 @@ index 22b69b3..96bf8ad 100644
     if (!tunable_sslv2)
     {
       options |= SSL_OP_NO_SSLv2;
-@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
-     
+@@ -244,6 +244,41 @@
+ 
     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 
 +    if (tunable_ecdh_param_file)
@ -75,9 +75,9 @@ index 22b69b3..96bf8ad 100644
 +#endif
 +    }
 +
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
-   }
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
 diff --git a/tunables.c b/tunables.c
 index 1ea7227..93f85b1 100644
 --- a/tunables.c
--- a/0025-Improve-local_max_rate-option.patch
+++ b/0025-Improve-local_max_rate-option.patch
@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
 index eaba265..f1e2f69 100644
 --- a/main.c
 +++ b/main.c
-@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
+@@ -40,7 +40,7 @@
     /* Control connection */
-     0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0,
     /* Data connection */
 -    -1, 0, -1, 0, 0, 0, 0,
 +    -1, 0, -1, 0, 0, 0, 0, 0,
--- a/0040-Use-system-wide-crypto-policy.patch
+++ b/0040-Use-system-wide-crypto-policy.patch
@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
 Date: Tue, 29 Aug 2017 10:32:16 +0200
 Subject: [PATCH 40/59] Use system wide crypto policy

-Resolves: rhbz#1483970
+Resolves: rhbz#
 ---
 tunables.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
@ -16,8 +16,8 @@ index 5440c00..354251c 100644
   install_str_setting(0, &tunable_dsa_cert_file);
   install_str_setting(0, &tunable_dh_param_file);
   install_str_setting(0, &tunable_ecdh_param_file);
-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
-          &tunable_ssl_ciphers);
+-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
+-                      &tunable_ssl_ciphers);
 +  install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
   install_str_setting(0, &tunable_rsa_private_key_file);
   install_str_setting(0, &tunable_dsa_private_key_file);
--- a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
+++ b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
 security precaution as it prevents malicious remote parties forcing a cipher
 which they have found problems with.
 
-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
+-Default: DES-CBC3-SHA
 +By default, the system-wide crypto policy is used. See
 +.BR update-crypto-policies(8)
 +for further details.
 +
 +Default: PROFILE=SYSTEM
 .TP
- .B user_config_dir
- This powerful option allows the override of any config option specified in
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
 -- 
 2.14.4

--- a/fix-str_open.patch
+++ b/fix-str_open.patch
@ -1,11 +1,10 @@
-diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c
--- vsftpd-3.0.3.orig/sysstr.c	2020-11-17 09:47:03.872923383 +0100
-+++ vsftpd-3.0.3/sysstr.c	2020-11-17 09:48:41.219754145 +0100
+--- sysstr-orig.c	2022-07-27 09:44:52.606408000 +0200
+++ sysstr.c	2022-07-27 09:54:24.043081352 +0200
@@ -74,19 +74,11 @@
 int
 str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
 {
-  enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
+-  enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
 -  switch (mode)
 -  {
 -    case kVSFSysStrOpenReadOnly:
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7
+SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee
--- a/vsftpd-3.0.5-use-old-tlsv-options.patch
+++ b/vsftpd-3.0.5-use-old-tlsv-options.patch
@ -0,0 +1,15 @@
+--- parseconf-orig.c	2022-10-25 15:17:18.990701984 +0200
+++ parseconf.c	2022-10-25 15:12:44.213480000 +0200
+@@ -85,9 +85,9 @@
+   { "ssl_sslv2", &tunable_sslv2 },
+   { "ssl_sslv3", &tunable_sslv3 },
+   { "ssl_tlsv1", &tunable_tlsv1 },
+-  { "ssl_tlsv11", &tunable_tlsv1_1 },
+-  { "ssl_tlsv12", &tunable_tlsv1_2 },
+-  { "ssl_tlsv13", &tunable_tlsv1_3 },
+  { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+  { "ssl_tlsv1_2", &tunable_tlsv1_2 },
+  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -1,8 +1,8 @@
 %global _generatorsdir %{_prefix}/lib/systemd/system-generators

 Name:    vsftpd
-Version: 3.0.3
-Release: 49%{?dist}
+Version: 3.0.5
+Release: 1%{?dist}
 Summary: Very Secure Ftp Daemon

 # OpenSSL link exception
@ -61,7 +61,7 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
 Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
 Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
 Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
-Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
+#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
 Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
 Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
@ -70,8 +70,8 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
 Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
 Patch40: 0040-Use-system-wide-crypto-policy.patch
 Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
-Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
-Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
+#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
 Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
 Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
 Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@ -95,12 +95,9 @@ Patch64: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
 Patch65: 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
 Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
 Patch68: 0002-Drop-an-unused-global-variable.patch
-Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
+#Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch70: fix-str_open.patch
-# upstream commits 56402c0, 8b82e73 rhbz#1948570
-Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
-Patch72: vsftpd-3.0.3-ALPACA.patch
-Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
+Patch71: vsftpd-3.0.5-use-old-tlsv-options.patch

 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@ -173,6 +170,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp

 %changelog
+* Wed Oct 26 2022 Richard Lescak <rlescak@redhat.com> - 3.0.5-1
+- rebase to version 3.0.5 
+- Resolves: rhbz#2018284
+
 * Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
 - add option to disable TLSv1.3
 - Resolves: rhbz#1954682