Compare commits
No commits in common. "c10s" and "c8" have entirely different histories.
@ -1 +0,0 @@
|
||||
1
|
10
.gitignore
vendored
10
.gitignore
vendored
@ -1,9 +1 @@
|
||||
vsftpd-2.2.2.tar.gz
|
||||
vsftpd-2.3.2.tar.gz
|
||||
/vsftpd-2.3.4.tar.gz
|
||||
/vsftpd-2.3.5.tar.gz
|
||||
/vsftpd-3.0.0.tar.gz
|
||||
/vsftpd-3.0.1.tar.gz
|
||||
/vsftpd-3.0.2.tar.gz
|
||||
/vsftpd-3.0.3.tar.gz
|
||||
/vsftpd-3.0.5.tar.gz
|
||||
SOURCES/vsftpd-3.0.3.tar.gz
|
||||
|
@ -1,56 +0,0 @@
|
||||
From d0045e35674d64d166d17c3c079ae03e8c2e6361 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Thu, 13 Feb 2020 17:29:06 +0100
|
||||
Subject: [PATCH 2/2] Drop an unused global variable
|
||||
|
||||
The global variable `s_timezone` is not used anymore, so we can drop
|
||||
it.
|
||||
---
|
||||
sysutil.c | 17 +++--------------
|
||||
1 file changed, 3 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/sysutil.c b/sysutil.c
|
||||
index 66d4c5e..0ccf551 100644
|
||||
--- a/sysutil.c
|
||||
+++ b/sysutil.c
|
||||
@@ -72,8 +72,6 @@ static struct timeval s_current_time;
|
||||
static int s_current_pid = -1;
|
||||
/* Exit function */
|
||||
static exitfunc_t s_exit_func;
|
||||
-/* Difference in timezone from GMT in seconds */
|
||||
-static long s_timezone;
|
||||
|
||||
/* Our internal signal handling implementation details */
|
||||
static struct vsf_sysutil_sig_details
|
||||
@@ -2661,7 +2659,6 @@ char* vsf_sysutil_get_tz()
|
||||
void
|
||||
vsf_sysutil_tzset(void)
|
||||
{
|
||||
- int retval;
|
||||
char *tz=NULL, tzbuf[sizeof("+HHMM!")];
|
||||
time_t the_time = time(NULL);
|
||||
struct tm* p_tm;
|
||||
@@ -2681,17 +2678,9 @@ vsf_sysutil_tzset(void)
|
||||
{
|
||||
die("localtime");
|
||||
}
|
||||
- retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
|
||||
- tzbuf[sizeof(tzbuf) - 1] = '\0';
|
||||
- if (retval == 5)
|
||||
- {
|
||||
- s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60;
|
||||
- s_timezone += ((tzbuf[3] - '0') * 10 + (tzbuf[4] - '0')) * 60;
|
||||
- if (tzbuf[0] == '+')
|
||||
- {
|
||||
- s_timezone *= -1;
|
||||
- }
|
||||
- }
|
||||
+ /* Not sure if the following call to strftime() has any desired side
|
||||
+ effects, so I'm keeping it to be safe. */
|
||||
+ (void) strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
|
||||
/* Call in to the time subsystem again now that TZ is set, trying to force
|
||||
* caching of the actual zoneinfo for the timezone.
|
||||
*/
|
||||
--
|
||||
2.24.1
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 6a4dc470e569df38b8a7ea09ee6aace3c73b7353 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Wed, 28 Mar 2018 09:06:34 +0200
|
||||
Subject: [PATCH 1/2] Fix timestamp handling in MDTM
|
||||
Subject: [PATCH] Fix timestamp handling in MDTM
|
||||
|
||||
There were two problems with the timestamp handling with MDTM:
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 96698a525784ad91cb27b572dd5f871c183fdfa5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Sun, 28 Jul 2019 12:25:35 +0200
|
||||
Subject: [PATCH 1/2] Set s_uwtmp_inserted only after record insertion/removal
|
||||
Subject: [PATCH 1/3] Set s_uwtmp_inserted only after record insertion/removal
|
||||
|
||||
pututxline() is the function that actually inserts the new record, so
|
||||
setting 's_uwtmp_inserted' before calling pututxline() doesn't make
|
@ -1,7 +1,7 @@
|
||||
From 896b3694ca062d747cd67e9e9ba246adb3fc706b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Mon, 5 Aug 2019 13:55:37 +0200
|
||||
Subject: [PATCH 2/2] Repeat pututxline() if it fails with EINTR
|
||||
Subject: [PATCH 2/3] Repeat pututxline() if it fails with EINTR
|
||||
|
||||
This is a partial fix for rhbz#1688848. We cannot resolve it
|
||||
completely until glibc bug rhbz#1734791 is fixed. See
|
@ -1,7 +1,8 @@
|
||||
From 7957425ef5ab365fc96ea0615f99705581c6dbd8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Mon, 12 Aug 2019 18:15:36 +0200
|
||||
Subject: [PATCH] Repeat pututxline() until it succeeds if it fails with EINTR
|
||||
Subject: [PATCH 3/3] Repeat pututxline() until it succeeds if it fails with
|
||||
EINTR
|
||||
|
||||
Since the pututxline() bug rhbz#1749439 is now fixed in glibc in
|
||||
Fedora and RHEL-8, we can implement a complete solution for the stale
|
@ -31,36 +31,81 @@ index c362983..22b69b3 100644
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/bio.h>
|
||||
+#include <openssl/dh.h>
|
||||
+#include <openssl/bn.h>
|
||||
+#include <openssl/param_build.h>
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
|
||||
@@ -58,6 +60,23 @@
|
||||
@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
|
||||
static long bio_callback(
|
||||
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
|
||||
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
|
||||
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
|
||||
static int ssl_cert_digest(
|
||||
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
|
||||
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
|
||||
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
|
||||
static int ssl_inited;
|
||||
static struct mystr debug_str;
|
||||
|
||||
+EVP_PKEY *
|
||||
+DH_get_dh()
|
||||
+{
|
||||
+ OSSL_PARAM dh_params[2];
|
||||
+ EVP_PKEY *dh_key = NULL;
|
||||
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
|
||||
+
|
||||
+ dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
|
||||
+ dh_params[1] = OSSL_PARAM_construct_end();
|
||||
+// Grab prime number from OpenSSL; <openssl/bn.h>
|
||||
+// (get_rfc*) for all available primes.
|
||||
+// wraps selection of comparable algorithm strength
|
||||
+#if !defined(match_dh_bits)
|
||||
+ #define match_dh_bits(keylen) \
|
||||
+ keylen >= 8191 ? 8192 : \
|
||||
+ keylen >= 6143 ? 6144 : \
|
||||
+ keylen >= 4095 ? 4096 : \
|
||||
+ keylen >= 3071 ? 3072 : \
|
||||
+ keylen >= 2047 ? 2048 : \
|
||||
+ keylen >= 1535 ? 1536 : \
|
||||
+ keylen >= 1023 ? 1024 : 768
|
||||
+#endif
|
||||
+
|
||||
+ if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0)
|
||||
+ return NULL;
|
||||
+ EVP_PKEY_generate(pctx, &dh_key);
|
||||
+ EVP_PKEY_CTX_free(pctx);
|
||||
+ return dh_key;
|
||||
+#if !defined(DH_get_prime)
|
||||
+ BIGNUM *
|
||||
+ DH_get_prime(int bits)
|
||||
+ {
|
||||
+ switch (bits) {
|
||||
+ case 768: return get_rfc2409_prime_768(NULL);
|
||||
+ case 1024: return get_rfc2409_prime_1024(NULL);
|
||||
+ case 1536: return get_rfc3526_prime_1536(NULL);
|
||||
+ case 2048: return get_rfc3526_prime_2048(NULL);
|
||||
+ case 3072: return get_rfc3526_prime_3072(NULL);
|
||||
+ case 4096: return get_rfc3526_prime_4096(NULL);
|
||||
+ case 6144: return get_rfc3526_prime_6144(NULL);
|
||||
+ case 8192: return get_rfc3526_prime_8192(NULL);
|
||||
+ // shouldn't happen when used match_dh_bits; strict compiler
|
||||
+ default: return NULL;
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#if !defined(DH_get_dh)
|
||||
+ // Grab DH parameters
|
||||
+ DH *
|
||||
+ DH_get_dh(int size)
|
||||
+ {
|
||||
+ DH *dh = DH_new();
|
||||
+ if (!dh) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ dh->p = DH_get_prime(match_dh_bits(size));
|
||||
+ BN_dec2bn(&dh->g, "2");
|
||||
+ if (!dh->p || !dh->g)
|
||||
+ {
|
||||
+ DH_free(dh);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ return dh;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
void
|
||||
ssl_init(struct vsf_session* p_sess)
|
||||
{
|
||||
@@ -72,7 +89,7 @@
|
||||
@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
|
||||
{
|
||||
die("SSL: could not allocate SSL context");
|
||||
}
|
||||
@ -69,44 +114,61 @@ index c362983..22b69b3 100644
|
||||
if (!tunable_sslv2)
|
||||
{
|
||||
options |= SSL_OP_NO_SSLv2;
|
||||
@@ -149,8 +166,27 @@
|
||||
@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess)
|
||||
die("SSL: cannot load DSA private key");
|
||||
}
|
||||
}
|
||||
+ if (tunable_dh_param_file)
|
||||
+ {
|
||||
+ BIO *bio;
|
||||
+ EVP_PKEY *dh_params = NULL;
|
||||
+ DH *dhparams = NULL;
|
||||
+ if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
|
||||
+ {
|
||||
+ die("SSL: cannot load custom DH params");
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ dh_params = PEM_read_bio_Parameters(bio, NULL);
|
||||
+ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||
+ BIO_free(bio);
|
||||
+
|
||||
+ if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))
|
||||
+ {
|
||||
+ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams))
|
||||
+ {
|
||||
+ die("SSL: setting custom DH params failed");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
if (tunable_ssl_ciphers &&
|
||||
SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
|
||||
{
|
||||
die("SSL: could not set cipher list");
|
||||
}
|
||||
@@ -184,6 +226,9 @@
|
||||
@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
|
||||
/* Ensure cached session doesn't expire */
|
||||
SSL_CTX_set_timeout(p_ctx, INT_MAX);
|
||||
}
|
||||
+
|
||||
+ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
|
||||
+
|
||||
+ SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
|
||||
p_sess->p_ssl_ctx = p_ctx;
|
||||
ssl_inited = 1;
|
||||
}
|
||||
@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+#define UNUSED(x) ( (void)(x) )
|
||||
+
|
||||
/* Set up ALPN to check for FTP protocol intention of client. */
|
||||
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
|
||||
/* Set up SNI callback for an optional hostname check. */
|
||||
+static DH *
|
||||
+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
||||
+{
|
||||
+ // strict compiler bypassing
|
||||
+ UNUSED(ssl);
|
||||
+ UNUSED(is_export);
|
||||
+
|
||||
+ return DH_get_dh(keylength);
|
||||
+}
|
||||
+
|
||||
void
|
||||
ssl_add_entropy(struct vsf_session* p_sess)
|
||||
{
|
||||
diff --git a/tunables.c b/tunables.c
|
||||
index c737465..1ea7227 100644
|
||||
--- a/tunables.c
|
@ -36,40 +36,48 @@ index 22b69b3..96bf8ad 100644
|
||||
if (!tunable_sslv2)
|
||||
{
|
||||
options |= SSL_OP_NO_SSLv2;
|
||||
@@ -244,6 +244,33 @@
|
||||
|
||||
SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
|
||||
@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
|
||||
|
||||
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
|
||||
|
||||
+ if (tunable_ecdh_param_file)
|
||||
+ {
|
||||
+ BIO *bio;
|
||||
+ EVP_PKEY *ec_params = NULL;
|
||||
+ int nid;
|
||||
+ EC_GROUP *ecparams = NULL;
|
||||
+ EC_KEY *eckey;
|
||||
+
|
||||
+ if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
|
||||
+ die("SSL: cannot load custom ec params");
|
||||
+ else
|
||||
+ {
|
||||
+ ec_params = PEM_read_bio_Parameters(bio, NULL);
|
||||
+ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
|
||||
+ BIO_free(bio);
|
||||
+
|
||||
+ if (ec_params != NULL)
|
||||
+ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) &&
|
||||
+ (eckey = EC_KEY_new_by_curve_name(nid)))
|
||||
+ {
|
||||
+ if (!SSL_CTX_set1_groups_list(p_ctx, ec_params))
|
||||
+ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
|
||||
+ die("SSL: setting custom EC params failed");
|
||||
+ }
|
||||
+ else
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ die("SSL: getting ec group or key failed");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ SSL_CTX_set1_groups_list(p_ctx, "P-256");
|
||||
+#if defined(SSL_CTX_set_ecdh_auto)
|
||||
+ SSL_CTX_set_ecdh_auto(p_ctx, 1);
|
||||
+#else
|
||||
+ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
|
||||
+#endif
|
||||
+ }
|
||||
/* Set up ALPN to check for FTP protocol intention of client. */
|
||||
SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
|
||||
/* Set up SNI callback for an optional hostname check. */
|
||||
+
|
||||
p_sess->p_ssl_ctx = p_ctx;
|
||||
ssl_inited = 1;
|
||||
}
|
||||
diff --git a/tunables.c b/tunables.c
|
||||
index 1ea7227..93f85b1 100644
|
||||
--- a/tunables.c
|
@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
|
||||
index eaba265..f1e2f69 100644
|
||||
--- a/main.c
|
||||
+++ b/main.c
|
||||
@@ -40,7 +40,7 @@
|
||||
@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
|
||||
/* Control connection */
|
||||
0, 0, 0, 0, 0, 0,
|
||||
0, 0, 0, 0, 0,
|
||||
/* Data connection */
|
||||
- -1, 0, -1, 0, 0, 0, 0,
|
||||
+ -1, 0, -1, 0, 0, 0, 0, 0,
|
153
SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Normal file
153
SOURCES/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Normal file
@ -0,0 +1,153 @@
|
||||
From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Sehnoutka <msehnout@redhat.com>
|
||||
Date: Thu, 17 Nov 2016 13:36:17 +0100
|
||||
Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options.
|
||||
|
||||
Users can now enable a specific version of TLS protocol.
|
||||
---
|
||||
parseconf.c | 2 ++
|
||||
ssl.c | 8 ++++++++
|
||||
tunables.c | 9 +++++++--
|
||||
tunables.h | 2 ++
|
||||
vsftpd.conf.5 | 24 ++++++++++++++++++++----
|
||||
5 files changed, 39 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/parseconf.c b/parseconf.c
|
||||
index a2c715b..33a1349 100644
|
||||
--- a/parseconf.c
|
||||
+++ b/parseconf.c
|
||||
@@ -85,6 +85,8 @@ parseconf_bool_array[] =
|
||||
{ "ssl_sslv2", &tunable_sslv2 },
|
||||
{ "ssl_sslv3", &tunable_sslv3 },
|
||||
{ "ssl_tlsv1", &tunable_tlsv1 },
|
||||
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
|
||||
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
|
||||
{ "tilde_user_enable", &tunable_tilde_user_enable },
|
||||
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
|
||||
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
|
||||
diff --git a/ssl.c b/ssl.c
|
||||
index 96bf8ad..ba8a613 100644
|
||||
--- a/ssl.c
|
||||
+++ b/ssl.c
|
||||
@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)
|
||||
{
|
||||
options |= SSL_OP_NO_TLSv1;
|
||||
}
|
||||
+ if (!tunable_tlsv1_1)
|
||||
+ {
|
||||
+ options |= SSL_OP_NO_TLSv1_1;
|
||||
+ }
|
||||
+ if (!tunable_tlsv1_2)
|
||||
+ {
|
||||
+ options |= SSL_OP_NO_TLSv1_2;
|
||||
+ }
|
||||
SSL_CTX_set_options(p_ctx, options);
|
||||
if (tunable_rsa_cert_file)
|
||||
{
|
||||
diff --git a/tunables.c b/tunables.c
|
||||
index 93f85b1..78f2bcd 100644
|
||||
--- a/tunables.c
|
||||
+++ b/tunables.c
|
||||
@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
|
||||
int tunable_sslv2;
|
||||
int tunable_sslv3;
|
||||
int tunable_tlsv1;
|
||||
+int tunable_tlsv1_1;
|
||||
+int tunable_tlsv1_2;
|
||||
int tunable_tilde_user_enable;
|
||||
int tunable_force_anon_logins_ssl;
|
||||
int tunable_force_anon_data_ssl;
|
||||
@@ -209,7 +211,10 @@ tunables_load_defaults()
|
||||
tunable_force_local_data_ssl = 1;
|
||||
tunable_sslv2 = 0;
|
||||
tunable_sslv3 = 0;
|
||||
+ /* TLSv1 up to TLSv1.2 is enabled by default */
|
||||
tunable_tlsv1 = 1;
|
||||
+ tunable_tlsv1_1 = 1;
|
||||
+ tunable_tlsv1_2 = 1;
|
||||
tunable_tilde_user_enable = 0;
|
||||
tunable_force_anon_logins_ssl = 0;
|
||||
tunable_force_anon_data_ssl = 0;
|
||||
@@ -292,8 +297,8 @@ tunables_load_defaults()
|
||||
install_str_setting(0, &tunable_dsa_cert_file);
|
||||
install_str_setting(0, &tunable_dh_param_file);
|
||||
install_str_setting(0, &tunable_ecdh_param_file);
|
||||
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
|
||||
- &tunable_ssl_ciphers);
|
||||
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
|
||||
+ &tunable_ssl_ciphers);
|
||||
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||
install_str_setting(0, &tunable_dsa_private_key_file);
|
||||
install_str_setting(0, &tunable_ca_certs_file);
|
||||
diff --git a/tunables.h b/tunables.h
|
||||
index 3e2d40c..a466427 100644
|
||||
--- a/tunables.h
|
||||
+++ b/tunables.h
|
||||
@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */
|
||||
extern int tunable_sslv2; /* Allow SSLv2 */
|
||||
extern int tunable_sslv3; /* Allow SSLv3 */
|
||||
extern int tunable_tlsv1; /* Allow TLSv1 */
|
||||
+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
|
||||
+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
|
||||
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
|
||||
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
|
||||
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
|
||||
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
||||
index cf1ae34..a3d569e 100644
|
||||
--- a/vsftpd.conf.5
|
||||
+++ b/vsftpd.conf.5
|
||||
@@ -506,7 +506,7 @@ Default: YES
|
||||
Only applies if
|
||||
.BR ssl_enable
|
||||
is activated. If enabled, this option will permit SSL v2 protocol connections.
|
||||
-TLS v1 connections are preferred.
|
||||
+TLS v1.2 connections are preferred.
|
||||
|
||||
Default: NO
|
||||
.TP
|
||||
@@ -514,7 +514,7 @@ Default: NO
|
||||
Only applies if
|
||||
.BR ssl_enable
|
||||
is activated. If enabled, this option will permit SSL v3 protocol connections.
|
||||
-TLS v1 connections are preferred.
|
||||
+TLS v1.2 connections are preferred.
|
||||
|
||||
Default: NO
|
||||
.TP
|
||||
@@ -522,7 +522,23 @@ Default: NO
|
||||
Only applies if
|
||||
.BR ssl_enable
|
||||
is activated. If enabled, this option will permit TLS v1 protocol connections.
|
||||
-TLS v1 connections are preferred.
|
||||
+TLS v1.2 connections are preferred.
|
||||
+
|
||||
+Default: YES
|
||||
+.TP
|
||||
+.B ssl_tlsv1_1
|
||||
+Only applies if
|
||||
+.BR ssl_enable
|
||||
+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
|
||||
+TLS v1.2 connections are preferred.
|
||||
+
|
||||
+Default: YES
|
||||
+.TP
|
||||
+.B ssl_tlsv1_2
|
||||
+Only applies if
|
||||
+.BR ssl_enable
|
||||
+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
|
||||
+TLS v1.2 connections are preferred.
|
||||
|
||||
Default: YES
|
||||
.TP
|
||||
@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful
|
||||
security precaution as it prevents malicious remote parties forcing a cipher
|
||||
which they have found problems with.
|
||||
|
||||
-Default: DES-CBC3-SHA
|
||||
+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
|
||||
.TP
|
||||
.B user_config_dir
|
||||
This powerful option allows the override of any config option specified in
|
||||
--
|
||||
2.14.4
|
||||
|
@ -0,0 +1,74 @@
|
||||
From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Mon, 4 Sep 2017 11:32:03 +0200
|
||||
Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1
|
||||
|
||||
---
|
||||
ssl.c | 41 ++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 38 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ssl.c b/ssl.c
|
||||
index ba8a613..09ec96a 100644
|
||||
--- a/ssl.c
|
||||
+++ b/ssl.c
|
||||
@@ -88,19 +88,54 @@ static struct mystr debug_str;
|
||||
}
|
||||
#endif
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
|
||||
+{
|
||||
+ /* If the fields p and g in d are NULL, the corresponding input
|
||||
+ * parameters MUST be non-NULL. q may remain NULL.
|
||||
+ */
|
||||
+ if ((dh->p == NULL && p == NULL)
|
||||
+ || (dh->g == NULL && g == NULL))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (p != NULL) {
|
||||
+ BN_free(dh->p);
|
||||
+ dh->p = p;
|
||||
+ }
|
||||
+ if (q != NULL) {
|
||||
+ BN_free(dh->q);
|
||||
+ dh->q = q;
|
||||
+ }
|
||||
+ if (g != NULL) {
|
||||
+ BN_free(dh->g);
|
||||
+ dh->g = g;
|
||||
+ }
|
||||
+
|
||||
+ if (q != NULL) {
|
||||
+ dh->length = BN_num_bits(q);
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
#if !defined(DH_get_dh)
|
||||
// Grab DH parameters
|
||||
DH *
|
||||
DH_get_dh(int size)
|
||||
{
|
||||
+ BIGNUM *g = NULL;
|
||||
+ BIGNUM *p = NULL;
|
||||
DH *dh = DH_new();
|
||||
if (!dh) {
|
||||
return NULL;
|
||||
}
|
||||
- dh->p = DH_get_prime(match_dh_bits(size));
|
||||
- BN_dec2bn(&dh->g, "2");
|
||||
- if (!dh->p || !dh->g)
|
||||
+ p = DH_get_prime(match_dh_bits(size));
|
||||
+ BN_dec2bn(&g, "2");
|
||||
+ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g))
|
||||
{
|
||||
+ BN_free(g);
|
||||
+ BN_free(p);
|
||||
DH_free(dh);
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.14.4
|
||||
|
@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
|
||||
Date: Tue, 29 Aug 2017 10:32:16 +0200
|
||||
Subject: [PATCH 40/59] Use system wide crypto policy
|
||||
|
||||
Resolves: rhbz#
|
||||
Resolves: rhbz#1483970
|
||||
---
|
||||
tunables.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
@ -16,8 +16,8 @@ index 5440c00..354251c 100644
|
||||
install_str_setting(0, &tunable_dsa_cert_file);
|
||||
install_str_setting(0, &tunable_dh_param_file);
|
||||
install_str_setting(0, &tunable_ecdh_param_file);
|
||||
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
|
||||
- &tunable_ssl_ciphers);
|
||||
- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
|
||||
- &tunable_ssl_ciphers);
|
||||
+ install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
|
||||
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||
install_str_setting(0, &tunable_dsa_private_key_file);
|
@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
|
||||
security precaution as it prevents malicious remote parties forcing a cipher
|
||||
which they have found problems with.
|
||||
|
||||
-Default: DES-CBC3-SHA
|
||||
-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
|
||||
+By default, the system-wide crypto policy is used. See
|
||||
+.BR update-crypto-policies(8)
|
||||
+for further details.
|
||||
+
|
||||
+Default: PROFILE=SYSTEM
|
||||
.TP
|
||||
.B ssl_sni_hostname
|
||||
If set, SSL connections will be rejected unless the SNI hostname in the
|
||||
.B user_config_dir
|
||||
This powerful option allows the override of any config option specified in
|
||||
--
|
||||
2.14.4
|
||||
|
@ -23,7 +23,7 @@ index 1212980..d024366 100644
|
||||
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
|
||||
}
|
||||
- if (tunable_tlsv1)
|
||||
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
|
||||
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
|
||||
{
|
||||
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
|
||||
}
|
53
SOURCES/0043-Enable-only-TLSv1.2-by-default.patch
Normal file
53
SOURCES/0043-Enable-only-TLSv1.2-by-default.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
|
||||
Date: Thu, 21 Dec 2017 16:38:40 +0100
|
||||
Subject: [PATCH 43/59] Enable only TLSv1.2 by default
|
||||
|
||||
Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.
|
||||
---
|
||||
tunables.c | 6 +++---
|
||||
vsftpd.conf.5 | 4 ++--
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/tunables.c b/tunables.c
|
||||
index 354251c..9680528 100644
|
||||
--- a/tunables.c
|
||||
+++ b/tunables.c
|
||||
@@ -211,9 +211,9 @@ tunables_load_defaults()
|
||||
tunable_force_local_data_ssl = 1;
|
||||
tunable_sslv2 = 0;
|
||||
tunable_sslv3 = 0;
|
||||
- /* TLSv1 up to TLSv1.2 is enabled by default */
|
||||
- tunable_tlsv1 = 1;
|
||||
- tunable_tlsv1_1 = 1;
|
||||
+ tunable_tlsv1 = 0;
|
||||
+ tunable_tlsv1_1 = 0;
|
||||
+ /* Only TLSv1.2 is enabled by default */
|
||||
tunable_tlsv1_2 = 1;
|
||||
tunable_tilde_user_enable = 0;
|
||||
tunable_force_anon_logins_ssl = 0;
|
||||
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
||||
index 2a7662e..df14027 100644
|
||||
--- a/vsftpd.conf.5
|
||||
+++ b/vsftpd.conf.5
|
||||
@@ -539,7 +539,7 @@ Only applies if
|
||||
is activated. If enabled, this option will permit TLS v1 protocol connections.
|
||||
TLS v1.2 connections are preferred.
|
||||
|
||||
-Default: YES
|
||||
+Default: NO
|
||||
.TP
|
||||
.B ssl_tlsv1_1
|
||||
Only applies if
|
||||
@@ -547,7 +547,7 @@ Only applies if
|
||||
is activated. If enabled, this option will permit TLS v1.1 protocol connections.
|
||||
TLS v1.2 connections are preferred.
|
||||
|
||||
-Default: YES
|
||||
+Default: NO
|
||||
.TP
|
||||
.B ssl_tlsv1_2
|
||||
Only applies if
|
||||
--
|
||||
2.14.4
|
||||
|
@ -19,7 +19,7 @@ diff -urN a/ssl.c b/ssl.c
|
||||
+ if (tunable_ssl_ciphersuites &&
|
||||
+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
|
||||
+ {
|
||||
+ die("SSL: could not set ciphersuites");
|
||||
+ die("SSL: could not set ciphersuites list");
|
||||
+ }
|
||||
if (RAND_status() != 1)
|
||||
{
|
||||
@ -56,7 +56,7 @@ diff -urN a/tunables.h b/tunables.h
|
||||
extern const char* tunable_dsa_private_key_file;
|
||||
--- a/vsftpd.conf.5
|
||||
+++ b/vsftpd.conf.5
|
||||
@@ -1009,6 +1009,20 @@
|
||||
@@ -1009,6 +1009,16 @@
|
||||
|
||||
Default: PROFILE=SYSTEM
|
||||
.TP
|
||||
@ -68,12 +68,8 @@ diff -urN a/tunables.h b/tunables.h
|
||||
+security precaution as it prevents malicious remote parties forcing a cipher
|
||||
+which they have found problems with.
|
||||
+
|
||||
+By default, the system-wide crypto policy is used. See
|
||||
+.BR update-crypto-policies(8)
|
||||
+for further details.
|
||||
+
|
||||
+Default: TLS_AES_256_GCM_SHA384
|
||||
+.TP
|
||||
.B ssl_sni_hostname
|
||||
If set, SSL connections will be rejected unless the SNI hostname in the
|
||||
incoming handshakes matches this value.
|
||||
.B user_config_dir
|
||||
This powerful option allows the override of any config option specified in
|
||||
the manual page, on a per-user basis. Usage is simple, and is best illustrated
|
@ -12,7 +12,7 @@ index d024366..3a60b88 100644
|
||||
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
|
||||
}
|
||||
diff --git a/parseconf.c b/parseconf.c
|
||||
index ee1b8b4..5188088 100644
|
||||
index 3729818..2c5ffe6 100644
|
||||
--- a/parseconf.c
|
||||
+++ b/parseconf.c
|
||||
@@ -87,6 +87,7 @@ parseconf_bool_array[] =
|
||||
@ -24,10 +24,10 @@ index ee1b8b4..5188088 100644
|
||||
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
|
||||
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
|
||||
diff --git a/ssl.c b/ssl.c
|
||||
index b622347..3af67ad 100644
|
||||
index 09ec96a..5d9c595 100644
|
||||
--- a/ssl.c
|
||||
+++ b/ssl.c
|
||||
@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
|
||||
@@ -178,6 +178,10 @@ ssl_init(struct vsf_session* p_sess)
|
||||
{
|
||||
options |= SSL_OP_NO_TLSv1_2;
|
||||
}
|
||||
@ -39,7 +39,7 @@ index b622347..3af67ad 100644
|
||||
if (tunable_rsa_cert_file)
|
||||
{
|
||||
diff --git a/tunables.c b/tunables.c
|
||||
index d8dfcde..dc001ac 100644
|
||||
index c96c1ac..e6fbb9d 100644
|
||||
--- a/tunables.c
|
||||
+++ b/tunables.c
|
||||
@@ -68,6 +68,7 @@ int tunable_sslv3;
|
||||
@ -50,7 +50,7 @@ index d8dfcde..dc001ac 100644
|
||||
int tunable_tilde_user_enable;
|
||||
int tunable_force_anon_logins_ssl;
|
||||
int tunable_force_anon_data_ssl;
|
||||
@@ -218,8 +219,9 @@ tunables_load_defaults()
|
||||
@@ -217,8 +218,9 @@ tunables_load_defaults()
|
||||
tunable_sslv3 = 0;
|
||||
tunable_tlsv1 = 0;
|
||||
tunable_tlsv1_1 = 0;
|
||||
@ -62,7 +62,7 @@ index d8dfcde..dc001ac 100644
|
||||
tunable_force_anon_logins_ssl = 0;
|
||||
tunable_force_anon_data_ssl = 0;
|
||||
diff --git a/tunables.h b/tunables.h
|
||||
index de6cab0..ff0eebc 100644
|
||||
index 8d50150..6e1d301 100644
|
||||
--- a/tunables.h
|
||||
+++ b/tunables.h
|
||||
@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */
|
||||
@ -74,9 +74,45 @@ index de6cab0..ff0eebc 100644
|
||||
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
|
||||
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
|
||||
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
||||
index 7006287..d181e50 100644
|
||||
index 815773f..c37a536 100644
|
||||
--- a/vsftpd.conf.5
|
||||
+++ b/vsftpd.conf.5
|
||||
@@ -555,7 +555,7 @@ Default: YES
|
||||
Only applies if
|
||||
.BR ssl_enable
|
||||
is activated. If enabled, this option will permit SSL v2 protocol connections.
|
||||
-TLS v1.2 connections are preferred.
|
||||
+TLS v1.2 and TLS v1.3 connections are preferred.
|
||||
|
||||
Default: NO
|
||||
.TP
|
||||
@@ -563,7 +563,7 @@ Default: NO
|
||||
Only applies if
|
||||
.BR ssl_enable
|
||||
is activated. If enabled, this option will permit SSL v3 protocol connections.
|
||||
-TLS v1.2 connections are preferred.
|
||||
+TLS v1.2 and TLS v1.3 connections are preferred.
|
||||
|
||||
Default: NO
|
||||
.TP
|
||||
@@ -571,7 +571,7 @@ Default: NO
|
||||
Only applies if
|
||||
.BR ssl_enable
|
||||
is activated. If enabled, this option will permit TLS v1 protocol connections.
|
||||
-TLS v1.2 connections are preferred.
|
||||
+TLS v1.2 and TLS v1.3 connections are preferred.
|
||||
|
||||
Default: NO
|
||||
.TP
|
||||
@@ -579,7 +579,7 @@ Default: NO
|
||||
Only applies if
|
||||
.BR ssl_enable
|
||||
is activated. If enabled, this option will permit TLS v1.1 protocol connections.
|
||||
-TLS v1.2 connections are preferred.
|
||||
+TLS v1.2 and TLS v1.3 connections are preferred.
|
||||
|
||||
Default: NO
|
||||
.TP
|
||||
@@ -587,7 +587,15 @@ Default: NO
|
||||
Only applies if
|
||||
.BR ssl_enable
|
@ -1,12 +1,13 @@
|
||||
%global _generatorsdir %{_prefix}/lib/systemd/system-generators
|
||||
|
||||
Name: vsftpd
|
||||
Version: 3.0.5
|
||||
Release: 9%{?dist}
|
||||
Version: 3.0.3
|
||||
Release: 36%{?dist}
|
||||
Summary: Very Secure Ftp Daemon
|
||||
|
||||
Group: System Environment/Daemons
|
||||
# OpenSSL link exception
|
||||
License: GPL-2.0-only WITH vsftpd-openssl-exception
|
||||
License: GPLv2 with exceptions
|
||||
URL: https://security.appspot.com/vsftpd.html
|
||||
Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
|
||||
Source1: vsftpd.xinetd
|
||||
@ -19,7 +20,6 @@ Source8: vsftpd@.service
|
||||
Source9: vsftpd.target
|
||||
Source10: vsftpd-generator
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: openssl-devel
|
||||
@ -61,7 +61,9 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
|
||||
Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
|
||||
Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
|
||||
Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
|
||||
Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
|
||||
Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
|
||||
Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
|
||||
Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
|
||||
Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
|
||||
Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
|
||||
@ -69,6 +71,7 @@ Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
|
||||
Patch40: 0040-Use-system-wide-crypto-policy.patch
|
||||
Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
|
||||
Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
|
||||
Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
|
||||
Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
|
||||
Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
|
||||
Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
|
||||
@ -85,21 +88,16 @@ Patch56: 0056-Log-die-calls-to-syslog.patch
|
||||
Patch57: 0057-Improve-error-message-when-max-number-of-bind-attemp.patch
|
||||
Patch58: 0058-Make-the-max-number-of-bind-retries-tunable.patch
|
||||
Patch59: 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
|
||||
Patch61: 0001-Move-closing-standard-FDs-after-listen.patch
|
||||
Patch62: 0002-Prevent-recursion-in-bug.patch
|
||||
Patch63: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
|
||||
Patch64: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
|
||||
Patch65: 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
|
||||
Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
|
||||
Patch68: 0002-Drop-an-unused-global-variable.patch
|
||||
Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
|
||||
Patch70: fix-str_open.patch
|
||||
Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
|
||||
Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch
|
||||
Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
|
||||
Patch74: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
|
||||
Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch
|
||||
|
||||
Patch60: 0001-Move-closing-standard-FDs-after-listen.patch
|
||||
Patch61: 0002-Prevent-recursion-in-bug.patch
|
||||
Patch62: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
|
||||
Patch63: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
|
||||
Patch64: 0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
|
||||
Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
|
||||
Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
|
||||
Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
|
||||
Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
|
||||
Patch69: vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
|
||||
%description
|
||||
vsftpd is a Very Secure FTP daemon. It was written completely from
|
||||
scratch.
|
||||
@ -109,13 +107,12 @@ scratch.
|
||||
cp %{SOURCE1} .
|
||||
|
||||
%build
|
||||
|
||||
%ifarch s390x sparcv9 sparc64
|
||||
%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
|
||||
make CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
|
||||
%else
|
||||
%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
|
||||
make CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
|
||||
%endif
|
||||
LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags}
|
||||
LINK="-pie -lssl" %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
|
||||
@ -168,119 +165,38 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
|
||||
%{_var}/ftp
|
||||
|
||||
%changelog
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.0.5-9
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
* Thu Apr 06 2023 Richard Lescak <rlescak@redhat.com> -3.0.3-36
|
||||
- add patch to provide option for TLSv1.3 ciphersuites
|
||||
- Resolves: rhbz#2069733
|
||||
|
||||
* Tue Aug 20 2024 Tomas Korbar <tkorbar@redhat.com> - 3.0.5-8
|
||||
- Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled
|
||||
- Resolves: RHEL-54726
|
||||
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.0.5-7
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Thu May 04 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-4
|
||||
- add option for TLSv1.3 ciphersuites
|
||||
- SPDX migration
|
||||
|
||||
* Fri Feb 17 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-3
|
||||
- make vsftpd compatible with Openssl 3.0+
|
||||
- replace old network functions
|
||||
|
||||
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Thu Jul 28 2022 Richard Lescak <rlescak@redhat.com> 3.0.5-1
|
||||
- rebase to version 3.0.5
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-51
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-50
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
|
||||
* Fri Dec 03 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-35
|
||||
- add option to disable TLSv1.3
|
||||
- Resolves: rhbz#2017705
|
||||
- Resolves: rhbz#1638375
|
||||
|
||||
* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-48
|
||||
- ALPACA fix backported from upstram 3.0.5 version
|
||||
- Resolves: rhbz#1975648
|
||||
|
||||
* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-47
|
||||
- Temporary pass -Wno-deprecated-declarations to gcc to ignore
|
||||
deprecated warnings to be able to build against OpenSSL-3.0
|
||||
- Resolves: rhbz#1962603
|
||||
|
||||
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.0.3-46
|
||||
- Rebuilt with OpenSSL 3.0.0
|
||||
|
||||
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-45
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Thu Apr 8 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-44
|
||||
* Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-34
|
||||
- Enable support for wide-character strings in logs
|
||||
- Replace unprintables with HEX code, not question marks
|
||||
- Resolves: rhbz#1947900
|
||||
|
||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.0.3-43
|
||||
- Rebuilt for updated systemd-rpm-macros
|
||||
See https://pagure.io/fesco/issue/2583.
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-42
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Fri Nov 27 2020 Timm Bäder<tbaeder@redhat.com> - 3.0.3-41
|
||||
- Fix str_open() so it doesn't warn when compiled with clang
|
||||
- Pass $RPM_LD_FLAGS when linking
|
||||
|
||||
* Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-40
|
||||
* Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-33
|
||||
- Unit files fixed "After=network-online.target"
|
||||
- Resolves: rhbz#1893636
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-39
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-38
|
||||
* Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-32
|
||||
- Removed a hint about the ftp_home_dir SELinux boolean from the config file
|
||||
- Resolves: rhbz#1623424
|
||||
|
||||
* Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-37
|
||||
* Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-31
|
||||
- Fix timestamp handling in MDTM
|
||||
- Resolves: rhbz#1567855
|
||||
|
||||
* Fri Feb 07 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-36
|
||||
- Fix build with gcc 10
|
||||
- Resolves: rhbz#1800239
|
||||
|
||||
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-35
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Fri Jan 17 2020 Tom Stellard <tstellar@redhat.com> - 3.0.3-34
|
||||
- Use make_build macro
|
||||
|
||||
* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-33
|
||||
- Finish up the fix to the problem with bad utmp entries when pututxline() fails
|
||||
* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-30
|
||||
- Fix a problem with bad utmp entries when pututxline() fails
|
||||
- Resolves: rhbz#1688852
|
||||
- Resolves: rhbz#1737433
|
||||
|
||||
* Mon Aug 05 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-32
|
||||
- Partially fix problem with bad utmp entries when pututxline() fails
|
||||
- Resolves: rhbz#1688848
|
||||
|
||||
* Sat Aug 03 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-31
|
||||
* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-29
|
||||
- Fix segfault when listen() returns an error
|
||||
- Resolves: rhbz#1666380
|
||||
|
||||
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-30
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-29
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
- Resolves: rhbz#1734340
|
||||
|
||||
* Wed Jul 25 2018 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-28
|
||||
- Rebuilt, switched to SHA512 source tarball hash
|
@ -1,27 +0,0 @@
|
||||
--- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200
|
||||
+++ sysstr.c 2022-07-27 09:54:24.043081352 +0200
|
||||
@@ -74,19 +74,11 @@
|
||||
int
|
||||
str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
|
||||
{
|
||||
- enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
|
||||
- switch (mode)
|
||||
- {
|
||||
- case kVSFSysStrOpenReadOnly:
|
||||
- open_mode = kVSFSysUtilOpenReadOnly;
|
||||
- break;
|
||||
- case kVSFSysStrOpenUnknown:
|
||||
- /* Fall through */
|
||||
- default:
|
||||
- bug("unknown mode value in str_open");
|
||||
- break;
|
||||
- }
|
||||
- return vsf_sysutil_open_file(str_getbuf(p_str), open_mode);
|
||||
+ if (mode == kVSFSysStrOpenReadOnly)
|
||||
+ return vsf_sysutil_open_file(str_getbuf(p_str), kVSFSysUtilOpenReadOnly);
|
||||
+
|
||||
+ bug("unknown mode value in str_open");
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
int
|
25
gating.yaml
25
gating.yaml
@ -1,25 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- fedora-*
|
||||
decision_context: bodhi_update_push_testing
|
||||
subject_type: koji_build
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
|
||||
|
||||
#Rawhide
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- fedora-*
|
||||
decision_context: bodhi_update_push_stable
|
||||
subject_type: koji_build
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
|
||||
|
||||
#gating rhel
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-*
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
|
36
plans.fmf
36
plans.fmf
@ -1,36 +0,0 @@
|
||||
/tier1-internal:
|
||||
plan:
|
||||
import:
|
||||
url: https://src.fedoraproject.org/tests/vsftpd.git
|
||||
name: /plans/tier1/internal
|
||||
|
||||
/tier1-public:
|
||||
plan:
|
||||
import:
|
||||
url: https://src.fedoraproject.org/tests/vsftpd.git
|
||||
name: /plans/tier1/public
|
||||
|
||||
/tier2-tier3-internal:
|
||||
plan:
|
||||
import:
|
||||
url: https://src.fedoraproject.org/tests/vsftpd.git
|
||||
name: /plans/tier2-tier3/internal
|
||||
|
||||
/tier2-tier3-public:
|
||||
plan:
|
||||
import:
|
||||
url: https://src.fedoraproject.org/tests/vsftpd.git
|
||||
name: /plans/tier2-tier3/public
|
||||
|
||||
/others-internal:
|
||||
plan:
|
||||
import:
|
||||
url: https://src.fedoraproject.org/tests/vsftpd.git
|
||||
name: /plans/others/internal
|
||||
|
||||
/others-public:
|
||||
plan:
|
||||
import:
|
||||
url: https://src.fedoraproject.org/tests/vsftpd.git
|
||||
name: /plans/others/public
|
||||
|
1
sources
1
sources
@ -1 +0,0 @@
|
||||
SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee
|
@ -1,225 +0,0 @@
|
||||
diff --git a/parseconf.c b/parseconf.c
|
||||
index 3729818..ee1b8b4 100644
|
||||
--- a/parseconf.c
|
||||
+++ b/parseconf.c
|
||||
@@ -188,6 +188,7 @@ parseconf_str_array[] =
|
||||
{ "rsa_private_key_file", &tunable_rsa_private_key_file },
|
||||
{ "dsa_private_key_file", &tunable_dsa_private_key_file },
|
||||
{ "ca_certs_file", &tunable_ca_certs_file },
|
||||
+ { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
|
||||
{ "cmds_denied", &tunable_cmds_denied },
|
||||
{ 0, 0 }
|
||||
};
|
||||
diff --git a/ssl.c b/ssl.c
|
||||
index 09ec96a..b622347 100644
|
||||
--- a/ssl.c
|
||||
+++ b/ssl.c
|
||||
@@ -41,6 +41,13 @@ static long bio_callback(
|
||||
BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
|
||||
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
|
||||
static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
|
||||
+static int ssl_alpn_callback(SSL* p_ssl,
|
||||
+ const unsigned char** p_out,
|
||||
+ unsigned char* outlen,
|
||||
+ const unsigned char* p_in,
|
||||
+ unsigned int inlen,
|
||||
+ void* p_arg);
|
||||
+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
|
||||
static int ssl_cert_digest(
|
||||
SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
|
||||
static void maybe_log_shutdown_state(struct vsf_session* p_sess);
|
||||
@@ -285,6 +292,11 @@ ssl_init(struct vsf_session* p_sess)
|
||||
SSL_CTX_set_timeout(p_ctx, INT_MAX);
|
||||
}
|
||||
|
||||
+ /* Set up ALPN to check for FTP protocol intention of client. */
|
||||
+ SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
|
||||
+ /* Set up SNI callback for an optional hostname check. */
|
||||
+ SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
|
||||
+ SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
|
||||
SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
|
||||
|
||||
if (tunable_ecdh_param_file)
|
||||
@@ -871,6 +883,133 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
|
||||
return DH_get_dh(keylength);
|
||||
}
|
||||
|
||||
+static int
|
||||
+ssl_alpn_callback(SSL* p_ssl,
|
||||
+ const unsigned char** p_out,
|
||||
+ unsigned char* outlen,
|
||||
+ const unsigned char* p_in,
|
||||
+ unsigned int inlen,
|
||||
+ void* p_arg) {
|
||||
+ unsigned int i;
|
||||
+ struct vsf_session* p_sess = (struct vsf_session*) p_arg;
|
||||
+ int is_ok = 0;
|
||||
+
|
||||
+ (void) p_ssl;
|
||||
+
|
||||
+ /* Initialize just in case. */
|
||||
+ *p_out = p_in;
|
||||
+ *outlen = 0;
|
||||
+
|
||||
+ for (i = 0; i < inlen; ++i) {
|
||||
+ unsigned int left = (inlen - i);
|
||||
+ if (left < 4) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
|
||||
+ p_in[i + 3] == 'p')
|
||||
+ {
|
||||
+ is_ok = 1;
|
||||
+ *p_out = &p_in[i + 1];
|
||||
+ *outlen = 3;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!is_ok)
|
||||
+ {
|
||||
+ str_alloc_text(&debug_str, "ALPN rejection");
|
||||
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
|
||||
+ }
|
||||
+ if (!is_ok || tunable_debug_ssl)
|
||||
+ {
|
||||
+ str_alloc_text(&debug_str, "ALPN data: ");
|
||||
+ for (i = 0; i < inlen; ++i) {
|
||||
+ str_append_char(&debug_str, p_in[i]);
|
||||
+ }
|
||||
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
|
||||
+ }
|
||||
+
|
||||
+ if (is_ok)
|
||||
+ {
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static long
|
||||
+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
|
||||
+{
|
||||
+ static struct mystr s_sni_expected_hostname;
|
||||
+ static struct mystr s_sni_received_hostname;
|
||||
+
|
||||
+ int servername_type;
|
||||
+ const char* p_sni_servername;
|
||||
+ struct vsf_session* p_sess = (struct vsf_session*) p_arg;
|
||||
+ int is_ok = 0;
|
||||
+
|
||||
+ (void) p_ssl;
|
||||
+ (void) p_arg;
|
||||
+
|
||||
+ if (tunable_ssl_sni_hostname)
|
||||
+ {
|
||||
+ str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
|
||||
+ }
|
||||
+
|
||||
+ /* The OpenSSL documentation says it is pre-initialized like this, but set
|
||||
+ * it just in case.
|
||||
+ */
|
||||
+ *p_al = SSL_AD_UNRECOGNIZED_NAME;
|
||||
+
|
||||
+ servername_type = SSL_get_servername_type(p_ssl);
|
||||
+ p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
|
||||
+ if (p_sni_servername != NULL) {
|
||||
+ str_alloc_text(&s_sni_received_hostname, p_sni_servername);
|
||||
+ }
|
||||
+
|
||||
+ if (str_isempty(&s_sni_expected_hostname))
|
||||
+ {
|
||||
+ is_ok = 1;
|
||||
+ }
|
||||
+ else if (servername_type != TLSEXT_NAMETYPE_host_name)
|
||||
+ {
|
||||
+ /* Fail. */
|
||||
+ str_alloc_text(&debug_str, "SNI bad type: ");
|
||||
+ str_append_ulong(&debug_str, servername_type);
|
||||
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
|
||||
+ {
|
||||
+ is_ok = 1;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ str_alloc_text(&debug_str, "SNI rejection");
|
||||
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!is_ok || tunable_debug_ssl)
|
||||
+ {
|
||||
+ str_alloc_text(&debug_str, "SNI hostname: ");
|
||||
+ str_append_str(&debug_str, &s_sni_received_hostname);
|
||||
+ vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
|
||||
+ }
|
||||
+
|
||||
+ if (is_ok)
|
||||
+ {
|
||||
+ return SSL_TLSEXT_ERR_OK;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
void
|
||||
ssl_add_entropy(struct vsf_session* p_sess)
|
||||
{
|
||||
diff --git a/tunables.c b/tunables.c
|
||||
index c96c1ac..d8dfcde 100644
|
||||
--- a/tunables.c
|
||||
+++ b/tunables.c
|
||||
@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers;
|
||||
const char* tunable_rsa_private_key_file;
|
||||
const char* tunable_dsa_private_key_file;
|
||||
const char* tunable_ca_certs_file;
|
||||
+const char* tunable_ssl_sni_hostname;
|
||||
|
||||
static void install_str_setting(const char* p_value, const char** p_storage);
|
||||
|
||||
@@ -309,6 +310,7 @@ tunables_load_defaults()
|
||||
install_str_setting(0, &tunable_rsa_private_key_file);
|
||||
install_str_setting(0, &tunable_dsa_private_key_file);
|
||||
install_str_setting(0, &tunable_ca_certs_file);
|
||||
+ install_str_setting(0, &tunable_ssl_sni_hostname);
|
||||
}
|
||||
|
||||
void
|
||||
diff --git a/tunables.h b/tunables.h
|
||||
index 8d50150..de6cab0 100644
|
||||
--- a/tunables.h
|
||||
+++ b/tunables.h
|
||||
@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers;
|
||||
extern const char* tunable_rsa_private_key_file;
|
||||
extern const char* tunable_dsa_private_key_file;
|
||||
extern const char* tunable_ca_certs_file;
|
||||
+extern const char* tunable_ssl_sni_hostname;
|
||||
extern const char* tunable_cmds_denied;
|
||||
|
||||
#endif /* VSF_TUNABLES_H */
|
||||
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
||||
index 815773f..7006287 100644
|
||||
--- a/vsftpd.conf.5
|
||||
+++ b/vsftpd.conf.5
|
||||
@@ -1128,6 +1128,12 @@ for further details.
|
||||
|
||||
Default: PROFILE=SYSTEM
|
||||
.TP
|
||||
+.B ssl_sni_hostname
|
||||
+If set, SSL connections will be rejected unless the SNI hostname in the
|
||||
+incoming handshakes matches this value.
|
||||
+
|
||||
+Default: (none)
|
||||
+.TP
|
||||
.B user_config_dir
|
||||
This powerful option allows the override of any config option specified in
|
||||
the manual page, on a per-user basis. Usage is simple, and is best illustrated
|
@ -1,70 +0,0 @@
|
||||
diff --git a/ssl.c b/ssl.c
|
||||
--- ssl.c
|
||||
+++ ssl.c
|
||||
@@ -28,17 +28,17 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/param_build.h>
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
|
||||
static char* get_ssl_error();
|
||||
static SSL* get_ssl(struct vsf_session* p_sess, int fd);
|
||||
static int ssl_session_init(struct vsf_session* p_sess);
|
||||
static void setup_bio_callbacks();
|
||||
static long bio_callback(
|
||||
- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
|
||||
+ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed);
|
||||
static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
|
||||
static int ssl_alpn_callback(SSL* p_ssl,
|
||||
const unsigned char** p_out,
|
||||
@@ -88,7 +88,7 @@
|
||||
long options;
|
||||
int verify_option = 0;
|
||||
SSL_library_init();
|
||||
- p_ctx = SSL_CTX_new(SSLv23_server_method());
|
||||
+ p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
|
||||
if (p_ctx == NULL)
|
||||
{
|
||||
die("SSL: could not allocate SSL context");
|
||||
@@ -180,13 +180,10 @@
|
||||
die("SSL: RNG is not seeded");
|
||||
}
|
||||
{
|
||||
- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
- if (key == NULL)
|
||||
+ if (!SSL_CTX_set1_groups_list(p_ctx, "P-256"))
|
||||
{
|
||||
die("SSL: failed to get curve p256");
|
||||
}
|
||||
- SSL_CTX_set_tmp_ecdh(p_ctx, key);
|
||||
- EC_KEY_free(key);
|
||||
}
|
||||
if (tunable_ssl_request_cert)
|
||||
{
|
||||
@@ -692,17 +689,19 @@
|
||||
static void setup_bio_callbacks(SSL* p_ssl)
|
||||
{
|
||||
BIO* p_bio = SSL_get_rbio(p_ssl);
|
||||
- BIO_set_callback(p_bio, bio_callback);
|
||||
+ BIO_set_callback_ex(p_bio, bio_callback);
|
||||
p_bio = SSL_get_wbio(p_ssl);
|
||||
- BIO_set_callback(p_bio, bio_callback);
|
||||
+ BIO_set_callback_ex(p_bio, bio_callback);
|
||||
}
|
||||
|
||||
static long
|
||||
bio_callback(
|
||||
- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret)
|
||||
+ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed)
|
||||
{
|
||||
int retval = 0;
|
||||
int fd = 0;
|
||||
+ (void) len;
|
||||
+ (void) processed;
|
||||
(void) p_arg;
|
||||
(void) argi;
|
||||
(void) argl;
|
||||
|
@ -1,139 +0,0 @@
|
||||
diff -urN vsftpd-3.0.5-orig/postlogin.c vsftpd-3.0.5/postlogin.c
|
||||
--- vsftpd-3.0.5-orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200
|
||||
+++ vsftpd-3.0.5/postlogin.c 2023-02-13 16:34:05.244467476 +0100
|
||||
@@ -27,4 +27,6 @@
|
||||
#include "ssl.h"
|
||||
#include "vsftpver.h"
|
||||
+#include <netdb.h>
|
||||
+#include <arpa/inet.h>
|
||||
#include "opts.h"
|
||||
|
||||
@@ -628,9 +629,10 @@
|
||||
else
|
||||
{
|
||||
const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr);
|
||||
+ static char result[INET_ADDRSTRLEN];
|
||||
if (p_v4addr)
|
||||
{
|
||||
- str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr));
|
||||
+ str_append_text(&s_pasv_res_str, inet_ntop(AF_INET, p_v4addr, result, INET_ADDRSTRLEN));
|
||||
}
|
||||
else
|
||||
{
|
||||
diff -urN vsftpd-3.0.5-orig/sysutil.c vsftpd-3.0.5/sysutil.c
|
||||
--- vsftpd-3.0.5-orig/sysutil.c 2012-09-16 09:07:38.000000000 +0200
|
||||
+++ vsftpd-3.0.5/sysutil.c 2023-02-13 16:08:58.557153109 +0100
|
||||
@@ -2205,20 +2205,13 @@
|
||||
const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr;
|
||||
if (p_sockaddr->sa_family == AF_INET)
|
||||
{
|
||||
- return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr);
|
||||
+ static char result[INET_ADDRSTRLEN];
|
||||
+ return inet_ntop(AF_INET, &p_sockptr->u.u_sockaddr_in.sin_addr, result, INET_ADDRSTRLEN);
|
||||
}
|
||||
else if (p_sockaddr->sa_family == AF_INET6)
|
||||
{
|
||||
- static char inaddr_buf[64];
|
||||
- const char* p_ret = inet_ntop(AF_INET6,
|
||||
- &p_sockptr->u.u_sockaddr_in6.sin6_addr,
|
||||
- inaddr_buf, sizeof(inaddr_buf));
|
||||
- inaddr_buf[sizeof(inaddr_buf) - 1] = '\0';
|
||||
- if (p_ret == NULL)
|
||||
- {
|
||||
- inaddr_buf[0] = '\0';
|
||||
- }
|
||||
- return inaddr_buf;
|
||||
+ static char result[INET6_ADDRSTRLEN];
|
||||
+ return inet_ntop(AF_INET6, &p_sockptr->u.u_sockaddr_in6.sin6_addr, result, INET6_ADDRSTRLEN);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -2227,12 +2220,6 @@
|
||||
}
|
||||
}
|
||||
|
||||
-const char*
|
||||
-vsf_sysutil_inet_ntoa(const void* p_raw_addr)
|
||||
-{
|
||||
- return inet_ntoa(*((struct in_addr*)p_raw_addr));
|
||||
-}
|
||||
-
|
||||
int
|
||||
vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr)
|
||||
{
|
||||
@@ -2241,7 +2228,7 @@
|
||||
{
|
||||
bug("bad family");
|
||||
}
|
||||
- if (inet_aton(p_text, &sin_addr))
|
||||
+ if (inet_pton(AF_INET, p_text, &sin_addr))
|
||||
{
|
||||
vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr,
|
||||
&sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr));
|
||||
@@ -2257,37 +2244,46 @@
|
||||
vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
|
||||
const char* p_name)
|
||||
{
|
||||
- struct hostent* hent = gethostbyname(p_name);
|
||||
- if (hent == NULL)
|
||||
+ struct addrinfo *result;
|
||||
+ struct addrinfo hints;
|
||||
+ int ret;
|
||||
+
|
||||
+ memset(&hints, 0, sizeof(struct addrinfo));
|
||||
+ hints.ai_family = AF_UNSPEC;
|
||||
+
|
||||
+ if ((ret = getaddrinfo(p_name, NULL, &hints, &result)) != 0)
|
||||
{
|
||||
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
|
||||
die2("cannot resolve host:", p_name);
|
||||
}
|
||||
vsf_sysutil_sockaddr_clear(p_sockptr);
|
||||
- if (hent->h_addrtype == AF_INET)
|
||||
+ if (result->ai_family == AF_INET)
|
||||
{
|
||||
- unsigned int len = hent->h_length;
|
||||
+ unsigned int len = result->ai_addrlen;
|
||||
if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr))
|
||||
{
|
||||
len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr);
|
||||
}
|
||||
vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr);
|
||||
vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr,
|
||||
- hent->h_addr_list[0], len);
|
||||
+ &result->ai_addrlen, len);
|
||||
}
|
||||
- else if (hent->h_addrtype == AF_INET6)
|
||||
+ else if (result->ai_family == AF_INET6)
|
||||
{
|
||||
- unsigned int len = hent->h_length;
|
||||
+ unsigned int len = result->ai_addrlen;
|
||||
if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr))
|
||||
{
|
||||
len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr);
|
||||
}
|
||||
vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr);
|
||||
vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr,
|
||||
- hent->h_addr_list[0], len);
|
||||
+ &result->ai_addrlen, len);
|
||||
}
|
||||
else
|
||||
{
|
||||
- die("gethostbyname(): neither IPv4 nor IPv6");
|
||||
+ freeaddrinfo(result);
|
||||
+ die("getaddrinfo(): neither IPv4 nor IPv6");
|
||||
}
|
||||
+ freeaddrinfo(result);
|
||||
}
|
||||
|
||||
diff -urN vsftpd-3.0.5-orig/sysutil.h vsftpd-3.0.5/sysutil.h
|
||||
--- vsftpd-3.0.5-orig/sysutil.h 2021-05-18 08:50:21.000000000 +0200
|
||||
+++ vsftpd-3.0.5/sysutil.h 2023-02-13 15:59:22.088331075 +0100
|
||||
@@ -277,7 +277,6 @@
|
||||
|
||||
const char* vsf_sysutil_inet_ntop(
|
||||
const struct vsf_sysutil_sockaddr* p_sockptr);
|
||||
-const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr);
|
||||
int vsf_sysutil_inet_aton(
|
||||
const char* p_text, struct vsf_sysutil_sockaddr* p_addr);
|
||||
|
@ -1,15 +0,0 @@
|
||||
--- parseconf-orig.c 2022-10-25 15:17:18.990701984 +0200
|
||||
+++ parseconf.c 2022-10-25 15:12:44.213480000 +0200
|
||||
@@ -85,9 +85,9 @@
|
||||
{ "ssl_sslv2", &tunable_sslv2 },
|
||||
{ "ssl_sslv3", &tunable_sslv3 },
|
||||
{ "ssl_tlsv1", &tunable_tlsv1 },
|
||||
- { "ssl_tlsv11", &tunable_tlsv1_1 },
|
||||
- { "ssl_tlsv12", &tunable_tlsv1_2 },
|
||||
- { "ssl_tlsv13", &tunable_tlsv1_3 },
|
||||
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
|
||||
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
|
||||
+ { "ssl_tlsv1_3", &tunable_tlsv1_3 },
|
||||
{ "tilde_user_enable", &tunable_tilde_user_enable },
|
||||
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
|
||||
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
|
Loading…
Reference in New Issue
Block a user