diff --git a/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch
index bbf99a8..3460c2a 100644
--- a/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch
+++ b/SOURCES/0021-Introduce-support-for-DHE-based-cipher-suites.patch
@@ -69,7 +69,7 @@ index c362983..22b69b3 100644
 if (!tunable_sslv2)
 {
 options |= SSL_OP_NO_SSLv2;
-@@ -130,6 +147,25 @@
+@@ -149,8 +166,27 @@
 die("SSL: cannot load DSA private key");
 }
 }
@@ -95,6 +95,8 @@ index c362983..22b69b3 100644
 if (tunable_ssl_ciphers &&
 SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
 {
+ die("SSL: could not set cipher list");
+ }
 @@ -184,6 +226,9 @@
 /* Ensure cached session doesn't expire */
 SSL_CTX_set_timeout(p_ctx, INT_MAX);
diff --git a/SOURCES/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch b/SOURCES/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
new file mode 100644
index 0000000..1f1925e
--- /dev/null
+++ b/SOURCES/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
@@ -0,0 +1,79 @@
+diff -urN a/parseconf.c b/parseconf.c
+--- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200
++++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100
+@@ -185,6 +185,7 @@
+ { "dsa_cert_file", &tunable_dsa_cert_file },
+ { "dh_param_file", &tunable_dh_param_file },
+ { "ecdh_param_file", &tunable_ecdh_param_file },
++ { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
+ { "ssl_ciphers", &tunable_ssl_ciphers },
+ { "rsa_private_key_file", &tunable_rsa_private_key_file },
+ { "dsa_private_key_file", &tunable_dsa_private_key_file },
+diff -urN a/ssl.c b/ssl.c
+--- a/ssl.c 2021-08-02 08:24:35.000000000 +0200
++++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100
+@@ -135,6 +135,11 @@
+ {
+ die("SSL: could not set cipher list");
+ }
++ if (tunable_ssl_ciphersuites &&
++ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
++ {
++ die("SSL: could not set ciphersuites");
++ }
+ if (RAND_status() != 1)
+ {
+ die("SSL: RNG is not seeded");
+diff -urN a/tunables.c b/tunables.c
+--- a/tunables.c 2021-05-29 23:39:00.000000000 +0200
++++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100
+@@ -154,6 +154,7 @@
+ const char* tunable_dsa_cert_file;
+ const char* tunable_dh_param_file;
+ const char* tunable_ecdh_param_file;
+ const char* tunable_ssl_ciphers;
++const char* tunable_ssl_ciphersuites;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+@@ -293,6 +293,7 @@
+ install_str_setting(0, &tunable_dh_param_file);
+ install_str_setting(0, &tunable_ecdh_param_file);
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
++ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
+ install_str_setting(0, &tunable_rsa_private_key_file);
+ install_str_setting(0, &tunable_dsa_private_key_file);
+ install_str_setting(0, &tunable_ca_certs_file);
+diff -urN a/tunables.h b/tunables.h
+--- a/tunables.h
++++ b/tunables.h
+@@ -144,6 +144,7 @@
+ extern const char* tunable_dsa_cert_file;
+ extern const char*
tunable_dh_param_file;
+ extern const char* tunable_ecdh_param_file;
+ extern const char* tunable_ssl_ciphers;
++extern const char* tunable_ssl_ciphersuites;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1009,6 +1009,20 @@
+ 
+ Default: PROFILE=SYSTEM
+ .TP
++.B ssl_ciphersuites
++This option can be used to select which SSL cipher suites vsftpd will allow for
++encrypted SSL connections with TLSv1.3. See the
++.BR ciphers
++man page for further details. Note that restricting ciphers can be a useful
++security precaution as it prevents malicious remote parties forcing a cipher
++which they have found problems with.
++
++By default, the system-wide crypto policy is used. See
++.BR update-crypto-policies(8)
++for further details.
++
++Default: TLS_AES_256_GCM_SHA384
++.TP
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
+ incoming handshakes matches this value.
diff --git a/SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch b/SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
index c6f8f7d..8e3792b 100644
--- a/SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
+++ b/SOURCES/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
@@ -25,7 +25,7 @@ diff --git a/ssl.c b/ssl.c
 int verify_option = 0;
 SSL_library_init();
 - p_ctx = SSL_CTX_new(SSLv23_server_method());
-+ p_ctx = SSL_CTX_new_ex(NULL, NULL, SSLv23_server_method());
++ p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
 if (p_ctx == NULL)
 {
 die("SSL: could not allocate SSL context");
diff --git a/SOURCES/vsftpd-3.0.5-repalce-old-network-addr-functions.patch b/SOURCES/vsftpd-3.0.5-replace-old-network-addr-functions.patch
similarity index 100%
rename from SOURCES/vsftpd-3.0.5-repalce-old-network-addr-functions.patch
rename to SOURCES/vsftpd-3.0.5-replace-old-network-addr-functions.patch
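Review bot: The man page text and the default disagree: the tunables.c hunk installs `TLS_AES_256_GCM_SHA384` as the default of `tunable_ssl_ciphersuites` and the ssl.c hunk then passes it to SSL_CTX_set_ciphersuites() on every start, so the "By default, the system-wide crypto policy is used" paragraph added to vsftpd.conf.5 is not true for this option — the single hard-coded suite replaces whatever the policy's TLSv1.3 list allows (which, as far as I know, normally also includes TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256), so clients limited to those fail the TLSv1.3 handshake without any security gain. Unlike ssl_ciphers there is, to my knowledge, no PROFILE=SYSTEM token for the TLSv1.3 suite list, so deferring to the policy means leaving the tunable unset: `install_str_setting(0, &tunable_ssl_ciphersuites);` together with `Default: (none)` in the man page, which the new `if (tunable_ssl_ciphersuites && ...)` guard already handles by skipping the call. If the single-suite default is intentional, drop the crypto-policy paragraph from the man page instead so the narrowing is explicit. The die() on a rejected list is the right behaviour and matches the ssl_ciphers check above it; the ssl.c hunk sits inside a function whose start and end are outside the hunk.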
diff --git a/SPECS/vsftpd.spec b/SPECS/vsftpd.spec
index 5856ee8..ef34762 100644
--- a/SPECS/vsftpd.spec
+++ b/SPECS/vsftpd.spec
@@ -2,7 +2,7 @@ Name: vsftpd
 Version: 3.0.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Very Secure Ftp Daemon
 # OpenSSL link exception
@@ -98,8 +98,9 @@ Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch70: fix-str_open.patch
 Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
 Patch72: vsftpd-3.0.5-use-old-tlsv-options.patch
-Patch73: vsftpd-3.0.5-repalce-old-network-addr-functions.patch
+Patch73: vsftpd-3.0.5-replace-old-network-addr-functions.patch
 Patch74: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
+Patch75: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -110,14 +111,11 @@ scratch.
 cp %{SOURCE1} .
 %build
-# temporary ignore deprecated warnings to be able to build against OpenSSL 3.0
-# upstram tracking bug: rhbz#1962603
-%define ignore_deprecated -Wno-deprecated-declarations
 %ifarch s390x sparcv9 sparc64
-%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror %ignore_deprecated" \
+%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
 %else
-%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror %ignore_deprecated" \
+%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
 %endif
 LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags}
@@ -172,6 +170,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 %changelog
+* Thu Apr 27 2023 Richard Lescak - 3.0.5-5
+- add option for TLSv1.3 ciphersuites
+- Resolves: rhbz#2188296
+
 * Mon Feb 13 2023 Richard Lescak - 3.0.5-4
 - add patch to replace deprecated Openssl functions
 - Resolves: rhbz#1981411
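Review bot: Patch75 is only declared in this hunk; whether it is actually applied depends on %prep, which is outside the hunk. If the spec applies patches with individual `%patchN -p1` lines rather than %autosetup, a matching `%patch75 -p1` (or `%patch -P 75 -p1`) line is needed, otherwise the package builds cleanly and ships without the ssl_ciphersuites option the changelog announces. Worth confirming in %prep before merging; the Patch73 spelling fix matches the file rename above and needs nothing further.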
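Review bot: Dropping %ignore_deprecated is the right direction, since it puts any remaining deprecated-API use back under -Werror, but nothing records why it is now safe: the removed comment pointed at rhbz#1962603 as the tracking bug, and the new changelog entry below mentions only the ciphersuites option. A changelog line such as `- build without -Wno-deprecated-declarations, deprecated OpenSSL calls are replaced by Patch74` would keep the build-flag history visible to the next maintainer, and if rhbz#1962603 is thereby addressed it should be referenced there as well. I am inferring that Patch74 is what makes this safe from the 3.0.5-4 changelog entry; the patch itself is not in this hunk.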