.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,9 @@
-SOURCES/vsftpd-3.0.3.tar.gz
+vsftpd-2.2.2.tar.gz
+vsftpd-2.3.2.tar.gz
+/vsftpd-2.3.4.tar.gz
+/vsftpd-2.3.5.tar.gz
+/vsftpd-3.0.0.tar.gz
+/vsftpd-3.0.1.tar.gz
+/vsftpd-3.0.2.tar.gz
+/vsftpd-3.0.3.tar.gz
+/vsftpd-3.0.5.tar.gz

.vsftpd.metadata

@@ -1 +1 @@
-d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz
+0159531cc9f9fc6dd64cd734e2fd42601e44b5d9 vsftpd-3.0.5.tar.gz

0001-Fix-timestamp-handling-in-MDTM.patch

@@ -1,7 +1,7 @@
 From 6a4dc470e569df38b8a7ea09ee6aace3c73b7353 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Wed, 28 Mar 2018 09:06:34 +0200
-Subject: [PATCH] Fix timestamp handling in MDTM
+Subject: [PATCH 1/2] Fix timestamp handling in MDTM
 
 There were two problems with the timestamp handling with MDTM:
 

0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch

@@ -1,8 +1,7 @@
 From 7957425ef5ab365fc96ea0615f99705581c6dbd8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Mon, 12 Aug 2019 18:15:36 +0200
-Subject: [PATCH 3/3] Repeat pututxline() until it succeeds if it fails with
- EINTR
+Subject: [PATCH] Repeat pututxline() until it succeeds if it fails with EINTR
 
 Since the pututxline() bug rhbz#1749439 is now fixed in glibc in
 Fedora and RHEL-8, we can implement a complete solution for the stale

0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch

@@ -1,7 +1,7 @@
 From 96698a525784ad91cb27b572dd5f871c183fdfa5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Sun, 28 Jul 2019 12:25:35 +0200
-Subject: [PATCH 1/3] Set s_uwtmp_inserted only after record insertion/removal
+Subject: [PATCH 1/2] Set s_uwtmp_inserted only after record insertion/removal
 
 pututxline() is the function that actually inserts the new record, so
 setting 's_uwtmp_inserted' before calling pututxline() doesn't make

0002-Drop-an-unused-global-variable.patch

@@ -0,0 +1,56 @@
+From d0045e35674d64d166d17c3c079ae03e8c2e6361 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
+Date: Thu, 13 Feb 2020 17:29:06 +0100
+Subject: [PATCH 2/2] Drop an unused global variable
+
+The global variable `s_timezone` is not used anymore, so we can drop
+it.
+---
+ sysutil.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/sysutil.c b/sysutil.c
+index 66d4c5e..0ccf551 100644
+--- a/sysutil.c
++++ b/sysutil.c
+@@ -72,8 +72,6 @@ static struct timeval s_current_time;
+ static int s_current_pid = -1;
+ /* Exit function */
+ static exitfunc_t s_exit_func;
+-/* Difference in timezone from GMT in seconds */
+-static long s_timezone;
+ 
+ /* Our internal signal handling implementation details */
+ static struct vsf_sysutil_sig_details
+@@ -2661,7 +2659,6 @@ char* vsf_sysutil_get_tz()
+ void
+ vsf_sysutil_tzset(void)
+ {
+-  int retval;
+   char *tz=NULL, tzbuf[sizeof("+HHMM!")];
+   time_t the_time = time(NULL);
+   struct tm* p_tm;
+@@ -2681,17 +2678,9 @@ vsf_sysutil_tzset(void)
+   {
+     die("localtime");
+   }
+-  retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
+-  tzbuf[sizeof(tzbuf) - 1] = '\0';
+-  if (retval == 5)
+-  {
+-    s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60;
+-    s_timezone += ((tzbuf[3] - '0') * 10 + (tzbuf[4] - '0')) * 60;
+-    if (tzbuf[0] == '+')
+-    {
+-      s_timezone *= -1;
+-    }
+-  }
++  /* Not sure if the following call to strftime() has any desired side
++     effects, so I'm keeping it to be safe. */
++  (void) strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
+   /* Call in to the time subsystem again now that TZ is set, trying to force
+    * caching of the actual zoneinfo for the timezone.
+    */
+-- 
+2.24.1
+

0002-Repeat-pututxline-if-it-fails-with-EINTR.patch

@@ -1,7 +1,7 @@
 From 896b3694ca062d747cd67e9e9ba246adb3fc706b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Mon, 5 Aug 2019 13:55:37 +0200
-Subject: [PATCH 2/3] Repeat pututxline() if it fails with EINTR
+Subject: [PATCH 2/2] Repeat pututxline() if it fails with EINTR
 
 This is a partial fix for rhbz#1688848. We cannot resolve it
 completely until glibc bug rhbz#1734791 is fixed. See

0021-Introduce-support-for-DHE-based-cipher-suites.patch

@@ -31,81 +31,36 @@ index c362983..22b69b3 100644
  #include <openssl/err.h>
  #include <openssl/rand.h>
  #include <openssl/bio.h>
-+#include <openssl/dh.h>
 +#include <openssl/bn.h>
++#include <openssl/param_build.h>
  #include <errno.h>
  #include <limits.h>
  
-@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
- static long bio_callback(
-   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
- static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
-+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
- static int ssl_cert_digest(
-   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
- static void maybe_log_shutdown_state(struct vsf_session* p_sess);
-@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
+@@ -58,6 +60,23 @@
  static int ssl_inited;
  static struct mystr debug_str;
  
++EVP_PKEY *
++DH_get_dh()
++{
++  OSSL_PARAM dh_params[2];
++  EVP_PKEY *dh_key = NULL;
++  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
 +
-+// Grab prime number from OpenSSL; <openssl/bn.h>
-+// (get_rfc*) for all available primes.
-+// wraps selection of comparable algorithm strength
-+#if !defined(match_dh_bits)
-+  #define match_dh_bits(keylen) \
-+    keylen >= 8191 ? 8192 : \
-+    keylen >= 6143 ? 6144 : \
-+    keylen >= 4095 ? 4096 : \
-+    keylen >= 3071 ? 3072 : \
-+    keylen >= 2047 ? 2048 : \
-+    keylen >= 1535 ? 1536 : \
-+    keylen >= 1023 ? 1024 : 768
-+#endif
++  dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
++  dh_params[1] = OSSL_PARAM_construct_end();
 +
-+#if !defined(DH_get_prime)
-+  BIGNUM *
-+  DH_get_prime(int bits)
-+  {
-+    switch (bits) {
-+      case 768:  return get_rfc2409_prime_768(NULL);
-+      case 1024: return get_rfc2409_prime_1024(NULL);
-+      case 1536: return get_rfc3526_prime_1536(NULL);
-+      case 2048: return get_rfc3526_prime_2048(NULL);
-+      case 3072: return get_rfc3526_prime_3072(NULL);
-+      case 4096: return get_rfc3526_prime_4096(NULL);
-+      case 6144: return get_rfc3526_prime_6144(NULL);
-+      case 8192: return get_rfc3526_prime_8192(NULL);
-+      // shouldn't happen when used match_dh_bits; strict compiler
-+      default:   return NULL;
-+    }
++  if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0)
++    return NULL;
++  EVP_PKEY_generate(pctx, &dh_key);
++  EVP_PKEY_CTX_free(pctx);
++  return dh_key;
 +}
-+#endif
-+
-+#if !defined(DH_get_dh)
-+  // Grab DH parameters
-+  DH *
-+  DH_get_dh(int size)
-+  {
-+    DH *dh = DH_new();
-+    if (!dh) {
-+      return NULL;
-+    }
-+    dh->p = DH_get_prime(match_dh_bits(size));
-+    BN_dec2bn(&dh->g, "2");
-+    if (!dh->p || !dh->g)
-+    {
-+      DH_free(dh);
-+      return NULL;
-+    }
-+    return dh;
-+  }
-+#endif
 +
  void
  ssl_init(struct vsf_session* p_sess)
  {
-@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
+@@ -72,7 +89,7 @@
      {
        die("SSL: could not allocate SSL context");
      }
@@ -114,61 +69,44 @@ index c362983..22b69b3 100644
      if (!tunable_sslv2)
      {
        options |= SSL_OP_NO_SSLv2;
-@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess)
+@@ -149,8 +166,27 @@
          die("SSL: cannot load DSA private key");
        }
      }
 +    if (tunable_dh_param_file)
 +    {
 +      BIO *bio;
-+      DH *dhparams = NULL;
++      EVP_PKEY *dh_params = NULL;
 +      if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
 +      {
 +        die("SSL: cannot load custom DH params");
 +      }
 +      else
 +      {
-+        dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
++        dh_params = PEM_read_bio_Parameters(bio, NULL);
 +        BIO_free(bio);
 +
-+        if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams))
-+	{
++        if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))
++	       {
 +          die("SSL: setting custom DH params failed");
-+	}
++        }
 +      }
 +    }
      if (tunable_ssl_ciphers &&
          SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
      {
-@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
+       die("SSL: could not set cipher list");
+     }
+@@ -184,6 +226,9 @@
        /* Ensure cached session doesn't expire */
        SSL_CTX_set_timeout(p_ctx, INT_MAX);
      }
-+    
-+    SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 +
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
-   }
-@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
-   return 1;
- }
- 
-+#define UNUSED(x) ( (void)(x) )
-+
-+static DH *
-+ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
-+{
-+  // strict compiler bypassing
-+  UNUSED(ssl);
-+  UNUSED(is_export);
-+  
-+  return DH_get_dh(keylength);
-+}
++    SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
 +
- void
- ssl_add_entropy(struct vsf_session* p_sess)
- {
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
 diff --git a/tunables.c b/tunables.c
 index c737465..1ea7227 100644
 --- a/tunables.c

0022-Introduce-support-for-EDDHE-based-cipher-suites.patch

@@ -36,48 +36,40 @@ index 22b69b3..96bf8ad 100644
      if (!tunable_sslv2)
      {
        options |= SSL_OP_NO_SSLv2;
-@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
-     
-     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+@@ -244,6 +244,33 @@
+ 
+     SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
  
 +    if (tunable_ecdh_param_file)
 +    {
 +      BIO *bio;
-+      int nid;
-+      EC_GROUP *ecparams = NULL;
-+      EC_KEY *eckey;
++      EVP_PKEY *ec_params = NULL;
 +
 +      if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
 +        die("SSL: cannot load custom ec params");
 +      else
 +      {
-+        ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
++        ec_params = PEM_read_bio_Parameters(bio, NULL);
 +        BIO_free(bio);
 +
-+        if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) &&
-+            (eckey = EC_KEY_new_by_curve_name(nid)))
++        if (ec_params != NULL)
 +        {
-+          if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
++          if (!SSL_CTX_set1_groups_list(p_ctx, ec_params))
 +            die("SSL: setting custom EC params failed");
-+	}
-+	else
++	       }
++	        else
 +        {
 +          die("SSL: getting ec group or key failed");
-+	}
++	       }
 +      }
 +    }
 +    else
 +    {
-+#if defined(SSL_CTX_set_ecdh_auto)
-+      SSL_CTX_set_ecdh_auto(p_ctx, 1);
-+#else
-+      SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
-+#endif
++      SSL_CTX_set1_groups_list(p_ctx, "P-256");
 +    }
-+
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
-   }
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
 diff --git a/tunables.c b/tunables.c
 index 1ea7227..93f85b1 100644
 --- a/tunables.c

0025-Improve-local_max_rate-option.patch

@@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
 index eaba265..f1e2f69 100644
 --- a/main.c
 +++ b/main.c
-@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
+@@ -40,7 +40,7 @@
      /* Control connection */
-     0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0,
      /* Data connection */
 -    -1, 0, -1, 0, 0, 0, 0,
 +    -1, 0, -1, 0, 0, 0, 0, 0,

0040-Use-system-wide-crypto-policy.patch

@@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
 Date: Tue, 29 Aug 2017 10:32:16 +0200
 Subject: [PATCH 40/59] Use system wide crypto policy
 
-Resolves: rhbz#1483970
+Resolves: rhbz#
 ---
  tunables.c | 3 +--
  1 file changed, 1 insertion(+), 2 deletions(-)
@@ -16,8 +16,8 @@ index 5440c00..354251c 100644
    install_str_setting(0, &tunable_dsa_cert_file);
    install_str_setting(0, &tunable_dh_param_file);
    install_str_setting(0, &tunable_ecdh_param_file);
--  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
--          &tunable_ssl_ciphers);
+-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
+-                      &tunable_ssl_ciphers);
 +  install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
    install_str_setting(0, &tunable_rsa_private_key_file);
    install_str_setting(0, &tunable_dsa_private_key_file);

0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch

@@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
  security precaution as it prevents malicious remote parties forcing a cipher
  which they have found problems with.
  
--Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
+-Default: DES-CBC3-SHA
 +By default, the system-wide crypto policy is used. See
 +.BR update-crypto-policies(8)
 +for further details.
 +
 +Default: PROFILE=SYSTEM
  .TP
- .B user_config_dir
- This powerful option allows the override of any config option specified in
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
 -- 
 2.14.4
 

SOURCES/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch

@@ -1,74 +0,0 @@
-From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Mon, 4 Sep 2017 11:32:03 +0200
-Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1
-
----
- ssl.c | 41 ++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 38 insertions(+), 3 deletions(-)
-
-diff --git a/ssl.c b/ssl.c
-index ba8a613..09ec96a 100644
---- a/ssl.c
-+++ b/ssl.c
-@@ -88,19 +88,54 @@ static struct mystr debug_str;
- }
- #endif
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+  /* If the fields p and g in d are NULL, the corresponding input
-+   * parameters MUST be non-NULL.  q may remain NULL.
-+   */
-+  if ((dh->p == NULL && p == NULL)
-+      || (dh->g == NULL && g == NULL))
-+    return 0;
-+
-+  if (p != NULL) {
-+    BN_free(dh->p);
-+    dh->p = p;
-+  }
-+  if (q != NULL) {
-+    BN_free(dh->q);
-+    dh->q = q;
-+  }
-+  if (g != NULL) {
-+    BN_free(dh->g);
-+    dh->g = g;
-+  }
-+
-+  if (q != NULL) {
-+    dh->length = BN_num_bits(q);
-+  }
-+
-+  return 1;
-+}
-+#endif
-+
- #if !defined(DH_get_dh)
-   // Grab DH parameters
-   DH *
-   DH_get_dh(int size)
-   {
-+    BIGNUM *g = NULL;
-+    BIGNUM *p = NULL;
-     DH *dh = DH_new();
-     if (!dh) {
-       return NULL;
-     }
--    dh->p = DH_get_prime(match_dh_bits(size));
--    BN_dec2bn(&dh->g, "2");
--    if (!dh->p || !dh->g)
-+    p = DH_get_prime(match_dh_bits(size));
-+    BN_dec2bn(&g, "2");
-+    if (!p || !g || !DH_set0_pqg(dh, p, NULL, g))
-     {
-+      BN_free(g);
-+      BN_free(p);
-       DH_free(dh);
-       return NULL;
-     }
--- 
-2.14.4
-

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

fix-str_open.patch

@@ -0,0 +1,27 @@
+--- sysstr-orig.c	2022-07-27 09:44:52.606408000 +0200
++++ sysstr.c	2022-07-27 09:54:24.043081352 +0200
+@@ -74,19 +74,11 @@
+ int
+ str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
+ {
+-  enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
+-  switch (mode)
+-  {
+-    case kVSFSysStrOpenReadOnly:
+-      open_mode = kVSFSysUtilOpenReadOnly;
+-      break;
+-    case kVSFSysStrOpenUnknown:
+-      /* Fall through */
+-    default:
+-      bug("unknown mode value in str_open");
+-      break;
+-  }
+-  return vsf_sysutil_open_file(str_getbuf(p_str), open_mode);
++  if (mode == kVSFSysStrOpenReadOnly)
++    return vsf_sysutil_open_file(str_getbuf(p_str), kVSFSysUtilOpenReadOnly);
++
++  bug("unknown mode value in str_open");
++  return -1;
+ }
+ 
+ int

gating.yaml

@@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

plans/public.fmf

@@ -0,0 +1,7 @@
+summary: Test plan that runs all tests from tests repo.
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/vsftpd.git
+execute:
+    how: tmt
+

plans/tier1-internal.fmf

@@ -0,0 +1,15 @@
+summary: CI plan, picks Tier1 tests, runs in beakerlib.
+discover:
+  - name: rhel
+    how: fmf
+    filter: 'tier: 1'
+    url: git://pkgs.devel.redhat.com/tests/vsftpd
+  - name: fedora
+    how: fmf
+    filter: 'tier: 1'
+    url: "https://src.fedoraproject.org/tests/vsftpd.git"
+execute:
+    how: tmt
+adjust:     
+    enabled: false     
+    when: distro == centos-stream-9

sources

@@ -0,0 +1 @@
+SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee

vsftpd-3.0.3-ALPACA.patch

@@ -0,0 +1,225 @@
+diff --git a/parseconf.c b/parseconf.c
+index 3729818..ee1b8b4 100644
+--- a/parseconf.c
++++ b/parseconf.c
+@@ -188,6 +188,7 @@ parseconf_str_array[] =
+   { "rsa_private_key_file", &tunable_rsa_private_key_file },
+   { "dsa_private_key_file", &tunable_dsa_private_key_file },
+   { "ca_certs_file", &tunable_ca_certs_file },
++  { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
+   { "cmds_denied", &tunable_cmds_denied },
+   { 0, 0 }
+ };
+diff --git a/ssl.c b/ssl.c
+index 09ec96a..51345f8 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -41,6 +41,13 @@ static long bio_callback(
+   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
+ static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+ static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
++static int ssl_alpn_callback(SSL* p_ssl,
++                             const unsigned char** p_out,
++                             unsigned char* outlen,
++                             const unsigned char* p_in,
++                             unsigned int inlen,
++                             void* p_arg);
++static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
+ static int ssl_cert_digest(
+   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
+ static void maybe_log_shutdown_state(struct vsf_session* p_sess);
+@@ -286,6 +293,12 @@ ssl_init(struct vsf_session* p_sess)
+     }
+     
+     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
++    /* Set up ALPN to check for FTP protocol intention of client. */
++    SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
++    /* Set up SNI callback for an optional hostname check. */
++    SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
++    SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
++
+ 
+     if (tunable_ecdh_param_file)
+     {
+@@ -870,6 +883,132 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
+   
+   return DH_get_dh(keylength);
+ }
++static int
++ssl_alpn_callback(SSL* p_ssl,
++                  const unsigned char** p_out,
++                  unsigned char* outlen,
++                  const unsigned char* p_in,
++                  unsigned int inlen,
++                  void* p_arg) {
++  unsigned int i;
++  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
++  int is_ok = 0;
++
++  (void) p_ssl;
++
++  /* Initialize just in case. */
++  *p_out = p_in;
++  *outlen = 0;
++
++  for (i = 0; i < inlen; ++i) {
++    unsigned int left = (inlen - i);
++    if (left < 4) {
++      continue;
++    }
++    if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
++        p_in[i + 3] == 'p')
++    {
++      is_ok = 1;
++      *p_out = &p_in[i + 1];
++      *outlen = 3;
++      break;
++    }
++  }
++  
++  if (!is_ok)
++  {
++    str_alloc_text(&debug_str, "ALPN rejection");
++    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
++  }
++  if (!is_ok || tunable_debug_ssl)
++  {
++    str_alloc_text(&debug_str, "ALPN data: ");
++    for (i = 0; i < inlen; ++i) {
++      str_append_char(&debug_str, p_in[i]);
++    }
++    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
++  }
++
++  if (is_ok)
++  {
++    return SSL_TLSEXT_ERR_OK;
++  }
++  else
++  {
++    return SSL_TLSEXT_ERR_ALERT_FATAL;
++  }
++}
++
++static long
++ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
++{
++  static struct mystr s_sni_expected_hostname;
++  static struct mystr s_sni_received_hostname;
++
++  int servername_type;
++  const char* p_sni_servername;
++  struct vsf_session* p_sess = (struct vsf_session*) p_arg;
++  int is_ok = 0;
++
++  (void) p_ssl;
++  (void) p_arg;
++
++  if (tunable_ssl_sni_hostname)
++  {
++    str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
++  }
++
++  /* The OpenSSL documentation says it is pre-initialized like this, but set
++   * it just in case.
++   */
++  *p_al = SSL_AD_UNRECOGNIZED_NAME;
++
++  servername_type = SSL_get_servername_type(p_ssl);
++  p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
++  if (p_sni_servername != NULL) {
++    str_alloc_text(&s_sni_received_hostname, p_sni_servername);
++  }
++
++  if (str_isempty(&s_sni_expected_hostname))
++  {
++    is_ok = 1;
++  }
++  else if (servername_type != TLSEXT_NAMETYPE_host_name)
++  {
++    /* Fail. */
++    str_alloc_text(&debug_str, "SNI bad type: ");
++    str_append_ulong(&debug_str, servername_type);
++    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
++  }
++  else
++  {
++    if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
++    {
++      is_ok = 1;
++    }
++    else
++    {
++      str_alloc_text(&debug_str, "SNI rejection");
++      vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
++    }
++  }
++
++  if (!is_ok || tunable_debug_ssl)
++  {
++    str_alloc_text(&debug_str, "SNI hostname: ");
++    str_append_str(&debug_str, &s_sni_received_hostname);
++    vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
++  }
++
++  if (is_ok)
++  {
++    return SSL_TLSEXT_ERR_OK;
++  }
++  else
++  {
++    return SSL_TLSEXT_ERR_ALERT_FATAL;
++  }
++}
+ 
+ void
+ ssl_add_entropy(struct vsf_session* p_sess)
+diff --git a/tunables.c b/tunables.c
+index c96c1ac..d8dfcde 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+ const char* tunable_ca_certs_file;
++const char* tunable_ssl_sni_hostname;
+ 
+ static void install_str_setting(const char* p_value, const char** p_storage);
+ 
+@@ -309,6 +310,7 @@ tunables_load_defaults()
+   install_str_setting(0, &tunable_rsa_private_key_file);
+   install_str_setting(0, &tunable_dsa_private_key_file);
+   install_str_setting(0, &tunable_ca_certs_file);
++  install_str_setting(0, &tunable_ssl_sni_hostname);
+ }
+ 
+ void
+diff --git a/tunables.h b/tunables.h
+index 8d50150..de6cab0 100644
+--- a/tunables.h
++++ b/tunables.h
+@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+ extern const char* tunable_ca_certs_file;
++extern const char* tunable_ssl_sni_hostname;
+ extern const char* tunable_cmds_denied;
+ 
+ #endif /* VSF_TUNABLES_H */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 815773f..7006287 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1128,6 +1128,12 @@ for further details.
+ 
+ Default: PROFILE=SYSTEM
+ .TP
++.B ssl_sni_hostname
++If set, SSL connections will be rejected unless the SNI hostname in the
++incoming handshakes matches this value.
++
++Default: (none)
++.TP
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
+ the manual page, on a per-user basis. Usage is simple, and is best illustrated

vsftpd-3.0.3-option_to_disable_TLSv1_3.patch

@@ -12,7 +12,7 @@ index d024366..3a60b88 100644
        vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
      }
 diff --git a/parseconf.c b/parseconf.c
-index 3729818..2c5ffe6 100644
+index ee1b8b4..5188088 100644
 --- a/parseconf.c
 +++ b/parseconf.c
 @@ -87,6 +87,7 @@ parseconf_bool_array[] =
@@ -24,10 +24,10 @@ index 3729818..2c5ffe6 100644
    { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
    { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
 diff --git a/ssl.c b/ssl.c
-index 09ec96a..5d9c595 100644
+index 51345f8..d5d4a21 100644
 --- a/ssl.c
 +++ b/ssl.c
-@@ -178,6 +178,10 @@ ssl_init(struct vsf_session* p_sess)
+@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
      {
        options |= SSL_OP_NO_TLSv1_2;
      }
@@ -39,7 +39,7 @@ index 09ec96a..5d9c595 100644
      if (tunable_rsa_cert_file)
      {
 diff --git a/tunables.c b/tunables.c
-index c96c1ac..e6fbb9d 100644
+index d8dfcde..dc001ac 100644
 --- a/tunables.c
 +++ b/tunables.c
 @@ -68,6 +68,7 @@ int tunable_sslv3;
@@ -50,7 +50,7 @@ index c96c1ac..e6fbb9d 100644
  int tunable_tilde_user_enable;
  int tunable_force_anon_logins_ssl;
  int tunable_force_anon_data_ssl;
-@@ -217,8 +218,9 @@ tunables_load_defaults()
+@@ -218,8 +219,9 @@ tunables_load_defaults()
    tunable_sslv3 = 0;
    tunable_tlsv1 = 0;
    tunable_tlsv1_1 = 0;
@@ -62,7 +62,7 @@ index c96c1ac..e6fbb9d 100644
    tunable_force_anon_logins_ssl = 0;
    tunable_force_anon_data_ssl = 0;
 diff --git a/tunables.h b/tunables.h
-index 8d50150..6e1d301 100644
+index de6cab0..ff0eebc 100644
 --- a/tunables.h
 +++ b/tunables.h
 @@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
@@ -74,45 +74,9 @@ index 8d50150..6e1d301 100644
  extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
  extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
 diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 815773f..c37a536 100644
+index 7006287..d181e50 100644
 --- a/vsftpd.conf.5
 +++ b/vsftpd.conf.5
-@@ -555,7 +555,7 @@ Default: YES
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit SSL v2 protocol connections.
--TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
-@@ -563,7 +563,7 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit SSL v3 protocol connections.
--TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
-@@ -571,7 +571,7 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit TLS v1 protocol connections.
--TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
-@@ -579,7 +579,7 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit TLS v1.1 protocol connections.
--TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
 @@ -587,7 +587,15 @@ Default: NO
  Only applies if
  .BR ssl_enable

vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch

@@ -0,0 +1,79 @@
+diff -urN a/parseconf.c b/parseconf.c
+--- a/parseconf.c	2021-05-29 23:39:19.000000000 +0200
++++ b/parseconf.c	2023-03-03 10:22:38.256439634 +0100
+@@ -185,6 +185,7 @@
+   { "dsa_cert_file", &tunable_dsa_cert_file },
+   { "dh_param_file", &tunable_dh_param_file },
+   { "ecdh_param_file", &tunable_ecdh_param_file },
++  { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
+   { "ssl_ciphers", &tunable_ssl_ciphers },
+   { "rsa_private_key_file", &tunable_rsa_private_key_file },
+   { "dsa_private_key_file", &tunable_dsa_private_key_file },
+diff -urN a/ssl.c b/ssl.c
+--- a/ssl.c	2021-08-02 08:24:35.000000000 +0200
++++ b/ssl.c	2023-03-03 10:28:05.989757655 +0100
+@@ -135,6 +135,11 @@
+     {
+       die("SSL: could not set cipher list");
+     }
++    if (tunable_ssl_ciphersuites &&
++        SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
++    {
++      die("SSL: could not set ciphersuites");
++    }
+     if (RAND_status() != 1)
+     {
+       die("SSL: RNG is not seeded");
+diff -urN a/tunables.c b/tunables.c
+--- a/tunables.c	2021-05-29 23:39:00.000000000 +0200
++++ b/tunables.c	2023-03-03 10:13:30.566868026 +0100
+@@ -154,6 +154,7 @@
+ const char* tunable_dsa_cert_file;
+ const char* tunable_dh_param_file;
+ const char* tunable_ecdh_param_file;
+ const char* tunable_ssl_ciphers;
++const char* tunable_ssl_ciphersuites;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+@@ -293,6 +293,7 @@
+   install_str_setting(0, &tunable_dh_param_file);
+   install_str_setting(0, &tunable_ecdh_param_file);
+   install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
++  install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
+   install_str_setting(0, &tunable_rsa_private_key_file);
+   install_str_setting(0, &tunable_dsa_private_key_file);
+   install_str_setting(0, &tunable_ca_certs_file);
+diff -urN a/tunables.h b/tunables.h
+--- a/tunables.h
++++ b/tunables.h
+@@ -144,6 +144,7 @@
+ extern const char* tunable_dsa_cert_file;
+ extern const char* tunable_dh_param_file;
+ extern const char* tunable_ecdh_param_file;
+ extern const char* tunable_ssl_ciphers;
++extern const char* tunable_ssl_ciphersuites;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -1009,6 +1009,20 @@
+ 
+ Default: PROFILE=SYSTEM
+ .TP
++.B ssl_ciphersuites
++This option can be used to select which SSL cipher suites vsftpd will allow for
++encrypted SSL connections with TLSv1.3. See the
++.BR ciphers
++man page for further details. Note that restricting ciphers can be a useful
++security precaution as it prevents malicious remote parties forcing a cipher
++which they have found problems with.
++
++By default, the system-wide crypto policy is used. See
++.BR update-crypto-policies(8)
++for further details.
++
++Default: TLS_AES_256_GCM_SHA384
++.TP
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
+ incoming handshakes matches this value.

vsftpd-3.0.5-replace-deprecated-openssl-functions.patch

@@ -0,0 +1,70 @@
+diff --git a/ssl.c b/ssl.c
+--- ssl.c	
++++ ssl.c	
+@@ -28,17 +28,17 @@
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/bio.h>
+ #include <openssl/bn.h>
+ #include <openssl/param_build.h>
+ #include <errno.h>
+ #include <limits.h>
+ 
+ static char* get_ssl_error();
+ static SSL* get_ssl(struct vsf_session* p_sess, int fd);
+ static int ssl_session_init(struct vsf_session* p_sess);
+ static void setup_bio_callbacks();
+ static long bio_callback(
+-  BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
++  BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed);
+ static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+ static int ssl_alpn_callback(SSL* p_ssl,
+                              const unsigned char** p_out,
+@@ -88,7 +88,7 @@
+     long options;
+     int verify_option = 0;
+     SSL_library_init();
+-    p_ctx = SSL_CTX_new(SSLv23_server_method());
++    p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
+     if (p_ctx == NULL)
+     {
+       die("SSL: could not allocate SSL context");
+@@ -180,13 +180,10 @@
+       die("SSL: RNG is not seeded");
+     }
+     {
+-      EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+-      if (key == NULL)
++      if (!SSL_CTX_set1_groups_list(p_ctx, "P-256"))
+       {
+         die("SSL: failed to get curve p256");
+       }
+-      SSL_CTX_set_tmp_ecdh(p_ctx, key);
+-      EC_KEY_free(key);
+     }
+     if (tunable_ssl_request_cert)
+     {
+@@ -692,17 +689,19 @@
+ static void setup_bio_callbacks(SSL* p_ssl)
+ {
+   BIO* p_bio = SSL_get_rbio(p_ssl);
+-  BIO_set_callback(p_bio, bio_callback);
++  BIO_set_callback_ex(p_bio, bio_callback);
+   p_bio = SSL_get_wbio(p_ssl);
+-  BIO_set_callback(p_bio, bio_callback);
++  BIO_set_callback_ex(p_bio, bio_callback);
+ }
+ 
+ static long
+ bio_callback(
+-  BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret)
++  BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed)
+ {
+   int retval = 0;
+   int fd = 0;
++  (void) len;
++  (void) processed;
+   (void) p_arg;
+   (void) argi;
+   (void) argl;
+

vsftpd-3.0.5-replace-old-network-addr-functions.patch

@@ -0,0 +1,139 @@
+diff -urN vsftpd-3.0.5-orig/postlogin.c vsftpd-3.0.5/postlogin.c
+--- vsftpd-3.0.5-orig/postlogin.c	2015-07-22 21:03:22.000000000 +0200
++++ vsftpd-3.0.5/postlogin.c	2023-02-13 16:34:05.244467476 +0100
+@@ -27,4 +27,6 @@
+ #include "ssl.h"
+ #include "vsftpver.h"
++#include <netdb.h>
++#include <arpa/inet.h>
+ #include "opts.h"
+
+@@ -628,9 +629,10 @@
+   else
+   {
+     const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr);
++    static char result[INET_ADDRSTRLEN];
+     if (p_v4addr)
+     {
+-      str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr));
++      str_append_text(&s_pasv_res_str, inet_ntop(AF_INET, p_v4addr, result, INET_ADDRSTRLEN));
+     }
+     else
+     {
+diff -urN vsftpd-3.0.5-orig/sysutil.c vsftpd-3.0.5/sysutil.c
+--- vsftpd-3.0.5-orig/sysutil.c	2012-09-16 09:07:38.000000000 +0200
++++ vsftpd-3.0.5/sysutil.c	2023-02-13 16:08:58.557153109 +0100
+@@ -2205,20 +2205,13 @@
+   const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr;
+   if (p_sockaddr->sa_family == AF_INET)
+   {
+-    return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr);
++    static char result[INET_ADDRSTRLEN];
++    return inet_ntop(AF_INET, &p_sockptr->u.u_sockaddr_in.sin_addr, result, INET_ADDRSTRLEN);
+   }
+   else if (p_sockaddr->sa_family == AF_INET6)
+   {
+-    static char inaddr_buf[64];
+-    const char* p_ret = inet_ntop(AF_INET6,
+-                                  &p_sockptr->u.u_sockaddr_in6.sin6_addr,
+-                                  inaddr_buf, sizeof(inaddr_buf));
+-    inaddr_buf[sizeof(inaddr_buf) - 1] = '\0';
+-    if (p_ret == NULL)
+-    {
+-      inaddr_buf[0] = '\0';
+-    }
+-    return inaddr_buf;
++    static char result[INET6_ADDRSTRLEN];
++    return inet_ntop(AF_INET6, &p_sockptr->u.u_sockaddr_in6.sin6_addr, result, INET6_ADDRSTRLEN);
+   }
+   else
+   {
+@@ -2227,12 +2220,6 @@
+   }
+ }
+ 
+-const char*
+-vsf_sysutil_inet_ntoa(const void* p_raw_addr)
+-{
+-  return inet_ntoa(*((struct in_addr*)p_raw_addr));
+-}
+-
+ int
+ vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr)
+ {
+@@ -2241,7 +2228,7 @@
+   {
+     bug("bad family");
+   }
+-  if (inet_aton(p_text, &sin_addr))
++  if (inet_pton(AF_INET, p_text, &sin_addr))
+   {
+     vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr,
+                        &sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr));
+@@ -2257,37 +2244,46 @@
+ vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
+                         const char* p_name)
+ {
+-  struct hostent* hent = gethostbyname(p_name);
+-  if (hent == NULL)
++  struct addrinfo *result;
++  struct addrinfo hints;
++  int ret;
++
++  memset(&hints, 0, sizeof(struct addrinfo));
++  hints.ai_family = AF_UNSPEC;
++
++  if ((ret = getaddrinfo(p_name, NULL, &hints, &result)) != 0)
+   {
++    fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
+     die2("cannot resolve host:", p_name);
+   }
+   vsf_sysutil_sockaddr_clear(p_sockptr);
+-  if (hent->h_addrtype == AF_INET)
++  if (result->ai_family == AF_INET)
+   {
+-    unsigned int len = hent->h_length;
++    unsigned int len = result->ai_addrlen;
+     if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr))
+     {
+       len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr);
+     }
+     vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr);
+     vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr,
+-                       hent->h_addr_list[0], len);
++                       &result->ai_addrlen, len);
+   }
+-  else if (hent->h_addrtype == AF_INET6)
++  else if (result->ai_family == AF_INET6)
+   {
+-    unsigned int len = hent->h_length;
++    unsigned int len = result->ai_addrlen;
+     if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr))
+     {
+       len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr);
+     }
+     vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr);
+     vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr,
+-                       hent->h_addr_list[0], len);
++                       &result->ai_addrlen, len);
+   }
+   else
+   {
+-    die("gethostbyname(): neither IPv4 nor IPv6");
++    freeaddrinfo(result);
++    die("getaddrinfo(): neither IPv4 nor IPv6");
+   }
++  freeaddrinfo(result);
+ }
+ 
+diff -urN vsftpd-3.0.5-orig/sysutil.h vsftpd-3.0.5/sysutil.h
+--- vsftpd-3.0.5-orig/sysutil.h	2021-05-18 08:50:21.000000000 +0200
++++ vsftpd-3.0.5/sysutil.h	2023-02-13 15:59:22.088331075 +0100
+@@ -277,7 +277,6 @@
+ 
+ const char* vsf_sysutil_inet_ntop(
+   const struct vsf_sysutil_sockaddr* p_sockptr);
+-const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr);
+ int vsf_sysutil_inet_aton(
+   const char* p_text, struct vsf_sysutil_sockaddr* p_addr);
+ 

vsftpd-3.0.5-use-old-tlsv-options.patch

@@ -0,0 +1,15 @@
+--- parseconf-orig.c	2022-10-25 15:17:18.990701984 +0200
++++ parseconf.c	2022-10-25 15:12:44.213480000 +0200
+@@ -85,9 +85,9 @@
+   { "ssl_sslv2", &tunable_sslv2 },
+   { "ssl_sslv3", &tunable_sslv3 },
+   { "ssl_tlsv1", &tunable_tlsv1 },
+-  { "ssl_tlsv11", &tunable_tlsv1_1 },
+-  { "ssl_tlsv12", &tunable_tlsv1_2 },
+-  { "ssl_tlsv13", &tunable_tlsv1_3 },
++  { "ssl_tlsv1_1", &tunable_tlsv1_1 },
++  { "ssl_tlsv1_2", &tunable_tlsv1_2 },
++  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },

vsftpd.spec

@@ -1,11 +1,10 @@
 %global _generatorsdir %{_prefix}/lib/systemd/system-generators
 
 Name:    vsftpd
-Version: 3.0.3
-Release: 35%{?dist}
+Version: 3.0.5
+Release: 5%{?dist}
 Summary: Very Secure Ftp Daemon
 
-Group:    System Environment/Daemons
 # OpenSSL link exception
 License:  GPLv2 with exceptions
 URL:      https://security.appspot.com/vsftpd.html
@@ -20,6 +19,7 @@ Source8:  vsftpd@.service
 Source9:  vsftpd.target
 Source10: vsftpd-generator
 
+BuildRequires: make
 BuildRequires: pam-devel
 BuildRequires: libcap-devel
 BuildRequires: openssl-devel
@@ -61,17 +61,16 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
 Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
 Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
 Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
-Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
+#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
-Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
 Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
 Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
 Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
 Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
 Patch40: 0040-Use-system-wide-crypto-policy.patch
 Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
-Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
-Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
+#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
 Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
 Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
 Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@@ -88,15 +87,20 @@ Patch56: 0056-Log-die-calls-to-syslog.patch
 Patch57: 0057-Improve-error-message-when-max-number-of-bind-attemp.patch
 Patch58: 0058-Make-the-max-number-of-bind-retries-tunable.patch
 Patch59: 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
-Patch60: 0001-Move-closing-standard-FDs-after-listen.patch
-Patch61: 0002-Prevent-recursion-in-bug.patch
-Patch62: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
-Patch63: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
-Patch64: 0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
-Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
-Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
-Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
-Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
+Patch61: 0001-Move-closing-standard-FDs-after-listen.patch
+Patch62: 0002-Prevent-recursion-in-bug.patch
+Patch63: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
+Patch64: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
+Patch65: 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
+Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
+Patch68: 0002-Drop-an-unused-global-variable.patch
+Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
+Patch70: fix-str_open.patch
+Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
+Patch72: vsftpd-3.0.5-use-old-tlsv-options.patch
+Patch73: vsftpd-3.0.5-replace-old-network-addr-functions.patch
+Patch74: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
+Patch75: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
 
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -107,12 +111,13 @@ scratch.
 cp %{SOURCE1} .
 
 %build
+
 %ifarch s390x sparcv9 sparc64
-make CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
+%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
 %else
-make CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
+%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
 %endif
-        LINK="-pie -lssl" %{?_smp_mflags}
+        LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags}
 
 %install
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
@@ -165,34 +170,104 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 
 %changelog
-* Fri Dec 03 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-35
+* Thu Apr 27 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-5
+- add option for TLSv1.3 ciphersuites
+- Resolves: rhbz#2188296
+ 
+* Mon Feb 13 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-4
+- add patch to replace deprecated Openssl functions 
+- Resolves: rhbz#1981411
+
+* Mon Feb 06 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-3
+- add patch to replace old network functions 
+- Resolves: rhbz#1951545
+
+* Fri Nov 11 2022 Richard Lescak <rlescak@redhat.com> - 3.0.5-2
+- reintroduce patch for support of wide-character strings in logs
+- Related: rhbz#2018284
+
+* Wed Oct 26 2022 Richard Lescak <rlescak@redhat.com> - 3.0.5-1
+- rebase to version 3.0.5 
+- Resolves: rhbz#2018284
+
+* Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
 - add option to disable TLSv1.3
-- Resolves: rhbz#1638375
+- Resolves: rhbz#1954682
+
+* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-48
+- ALPACA fix backported from upstram 3.0.5 version
+- Resolves: rhbz#1975647
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-47
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-46
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Thu May 20 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-45
+- Temporary pass -Wno-deprecated-declarations to gcc to ignore
+  deprecated warnings to be able to build against OpenSSL-3.0
+- Resolves: rhbz#1958028
 
-* Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-34
+* Fri Apr 16 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-44
 - Enable support for wide-character strings in logs
 - Replace unprintables with HEX code, not question marks
-- Resolves: rhbz#1947900
+- Resolves: rhbz#1948570
 
-* Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-33
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.3-43
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-42
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Nov 27 2020 Timm Bäder<tbaeder@redhat.com> - 3.0.3-41
+- Fix str_open() so it doesn't warn when compiled with clang
+- Pass $RPM_LD_FLAGS when linking
+
+* Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-40
 - Unit files fixed "After=network-online.target"
-- Resolves: rhbz#1893636
 
-* Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-32
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-39
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-38
 - Removed a hint about the ftp_home_dir SELinux boolean from the config file
 - Resolves: rhbz#1623424
 
-* Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-31
+* Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-37
 - Fix timestamp handling in MDTM
 - Resolves: rhbz#1567855
 
-* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-30
-- Fix a problem with bad utmp entries when pututxline() fails
+* Fri Feb 07 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-36
+- Fix build with gcc 10