9 changed files with 6 additions and 476 deletions
--- a/.vsftpd.metadata
+++ b/.vsftpd.metadata
@ -0,0 +1 @@
 d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz
--- a/SOURCES/0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
+++ b/SOURCES/0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
@ -1,25 +0,0 @@
 From ab797dcffc855b05c9e7c8db4e5be2fc7510831b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
 Date: Tue, 17 Mar 2020 12:57:36 +0100
 Subject: [PATCH] Remove a hint about the ftp_home_dir SELinux boolean
 The boolean has been removed from SELinux.
 ---
 vsftpd.conf | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/vsftpd.conf b/vsftpd.conf
 index 6b8eebb..ea20a72 100644
 --- a/vsftpd.conf
 +++ b/vsftpd.conf
@@ -12,7 +12,6 @@
 anonymous_enable=NO
 #
 # Uncomment this to allow local users to log in.
 -# When SELinux is enforcing check for SE bool ftp_home_dir
 local_enable=YES
 #
 # Uncomment this to enable any form of FTP write command.
 -- 
 2.25.1
--- a/SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
+++ b/SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
@ -1,75 +0,0 @@
 diff -urN a/parseconf.c b/parseconf.c
 --- a/parseconf.c	2021-05-29 23:39:19.000000000 +0200
 +++ b/parseconf.c	2023-03-03 10:22:38.256439634 +0100
@@ -185,6 +185,7 @@
   { "dsa_cert_file", &tunable_dsa_cert_file },
   { "dh_param_file", &tunable_dh_param_file },
   { "ecdh_param_file", &tunable_ecdh_param_file },
 +  { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
   { "ssl_ciphers", &tunable_ssl_ciphers },
   { "rsa_private_key_file", &tunable_rsa_private_key_file },
   { "dsa_private_key_file", &tunable_dsa_private_key_file },
 diff -urN a/ssl.c b/ssl.c
 --- a/ssl.c	2021-08-02 08:24:35.000000000 +0200
 +++ b/ssl.c	2023-03-03 10:28:05.989757655 +0100
@@ -135,6 +135,11 @@
     {
       die("SSL: could not set cipher list");
     }
 +    if (tunable_ssl_ciphersuites &&
 +        SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
 +    {
 +      die("SSL: could not set ciphersuites list");
 +    }
     if (RAND_status() != 1)
     {
       die("SSL: RNG is not seeded");
 diff -urN a/tunables.c b/tunables.c
 --- a/tunables.c	2021-05-29 23:39:00.000000000 +0200
 +++ b/tunables.c	2023-03-03 10:13:30.566868026 +0100
@@ -154,6 +154,7 @@
 const char* tunable_dsa_cert_file;
 const char* tunable_dh_param_file;
 const char* tunable_ecdh_param_file;
 const char* tunable_ssl_ciphers;
 +const char* tunable_ssl_ciphersuites;
 const char* tunable_rsa_private_key_file;
 const char* tunable_dsa_private_key_file;
@@ -293,6 +293,7 @@
   install_str_setting(0, &tunable_dh_param_file);
   install_str_setting(0, &tunable_ecdh_param_file);
   install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
 +  install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
   install_str_setting(0, &tunable_rsa_private_key_file);
   install_str_setting(0, &tunable_dsa_private_key_file);
   install_str_setting(0, &tunable_ca_certs_file);
 diff -urN a/tunables.h b/tunables.h
 --- a/tunables.h
 +++ b/tunables.h
@@ -144,6 +144,7 @@
 extern const char* tunable_dsa_cert_file;
 extern const char* tunable_dh_param_file;
 extern const char* tunable_ecdh_param_file;
 extern const char* tunable_ssl_ciphers;
 +extern const char* tunable_ssl_ciphersuites;
 extern const char* tunable_rsa_private_key_file;
 extern const char* tunable_dsa_private_key_file;
 --- a/vsftpd.conf.5
 +++ b/vsftpd.conf.5
@@ -1009,6 +1009,16 @@
 Default: PROFILE=SYSTEM
 .TP
 +.B ssl_ciphersuites
 +This option can be used to select which SSL cipher suites vsftpd will allow for
 +encrypted SSL connections with TLSv1.3. See the
 +.BR ciphers
 +man page for further details. Note that restricting ciphers can be a useful
 +security precaution as it prevents malicious remote parties forcing a cipher
 +which they have found problems with.
 +
 +Default: TLS_AES_256_GCM_SHA384
 +.TP
 .B user_config_dir
 This powerful option allows the override of any config option specified in
 the manual page, on a per-user basis. Usage is simple, and is best illustrated
--- a/SOURCES/vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
+++ b/SOURCES/vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
@ -1,215 +0,0 @@
 diff --git a/logging.c b/logging.c
 index 9e86808..613ff4b 100644
 --- a/logging.c
 +++ b/logging.c
@@ -171,7 +171,14 @@ vsf_log_do_log_to_file(int fd, struct mystr* p_str)
       return;
     }
   }
 -  str_replace_unprintable(p_str, '?');
 +  if (tunable_wc_logs_enable)
 +  {
 +    str_replace_unprintable_with_hex_wc(p_str);
 +  }
 +  else
 +  {
 +    str_replace_unprintable_with_hex(p_str);
 +  }
   str_append_char(p_str, '\n');
   /* Ignore write failure; maybe the disk filled etc. */
   (void) str_write_loop(p_str, fd);
 diff --git a/parseconf.c b/parseconf.c
 index 3cfe7da..3729818 100644
 --- a/parseconf.c
 +++ b/parseconf.c
@@ -113,6 +113,7 @@ parseconf_bool_array[] =
   { "allow_writeable_chroot", &tunable_allow_writeable_chroot },
   { "better_stou", &tunable_better_stou },
   { "log_die", &tunable_log_die },
 +  { "wc_logs_enable", &tunable_wc_logs_enable },
   { 0, 0 }
 };
 diff --git a/str.c b/str.c
 index 82b8ae4..c03e7d8 100644
 --- a/str.c
 +++ b/str.c
@@ -20,6 +20,11 @@
 #include "utility.h"
 #include "sysutil.h"
 +#include <stdio.h>
 +#include <string.h>
 +#include <wchar.h>
 +#include <wctype.h>
 +
 /* File local functions */
 static void str_split_text_common(struct mystr* p_src, struct mystr* p_rhs,
                                   const char* p_text, int is_reverse);
@@ -723,6 +728,102 @@ str_replace_unprintable(struct mystr* p_str, char new_char)
   }
 }
 +void
 +str_replace_unprintable_with_hex(struct mystr* p_str)
 +{
 +  unsigned int ups_size = sizeof(unsigned int) * (p_str->len);
 +  if (ups_size < p_str->len)
 +  {
 +    str_replace_unprintable(p_str, '?');
 +    str_append_text(p_str, ": BUG: string is too long");
 +    bug(p_str->p_buf);
 +  }
 +  unsigned int* ups = vsf_sysutil_malloc(ups_size);
 +  unsigned int up_count = 0;
 +  for (unsigned int i=0; i < p_str->len; i++)
 +  {
 +    if (!vsf_sysutil_isprint(p_str->p_buf[i]))
 +    {
 +      ups[up_count++] = i;
 +    }
 +  }
 +  str_replace_positions_with_hex(p_str, ups, up_count);
 +  vsf_sysutil_free(ups);
 +}
 +
 +void str_replace_unprintable_with_hex_wc(struct mystr* p_str)
 +{
 +  unsigned int ups_size = sizeof(unsigned int) * (p_str->len);
 +  if (ups_size < p_str->len)
 +  {
 +    str_replace_unprintable(p_str, '?');
 +    str_append_text(p_str, ": BUG: string is too long");
 +    bug(p_str->p_buf);
 +  }
 +  unsigned int* ups = vsf_sysutil_malloc(ups_size);
 +  unsigned int up_count = 0;
 +
 +  size_t current = 0;
 +  wchar_t pwc;
 +  mbstate_t ps;
 +  memset(&ps, 0, sizeof(ps));
 +  ssize_t len = 0;
 +  while ((len = mbrtowc(&pwc, p_str->p_buf, p_str->len - current, &ps)) > 0)
 +  {
 +    if (!iswprint(pwc))
 +    {
 +      for (int i = 0; i < len; i++)
 +      {
 +        ups[up_count++] = current++;
 +      }
 +    }
 +    else
 +    {
 +      current += len;
 +    }
 +  }
 +  if (len < 0)
 +  {
 +    while (current < p_str->len)
 +    {
 +      ups[up_count++] = current++;
 +    }
 +  }
 +  str_replace_positions_with_hex(p_str, ups, up_count);
 +  vsf_sysutil_free(ups);
 +}
 +
 +void
 +str_replace_positions_with_hex(struct mystr* p_str, const unsigned int* poss, const unsigned int pos_count)
 +{
 +  if (pos_count == 0)
 +    return;
 +
 +  struct mystr tmp_str = INIT_MYSTR;
 +  str_reserve(&tmp_str, p_str->len + 3 * pos_count);
 +  unsigned int current = 0;
 +
 +  for (unsigned int i=0; i < pos_count; i++)
 +  {
 +    unsigned int pos = poss[i];
 +
 +    if (current < pos)
 +      private_str_append_memchunk(&tmp_str, p_str->p_buf + current, pos - current);
 +
 +    char hex_buf[5];
 +    memset(hex_buf, 0, sizeof(hex_buf));
 +    sprintf(hex_buf, "\\x%02X", (unsigned char) p_str->p_buf[pos]);
 +    str_append_text(&tmp_str, hex_buf);
 +    current = pos + 1;
 +  }
 +
 +  if (current < p_str->len)
 +    private_str_append_memchunk(&tmp_str, p_str->p_buf + current, p_str->len - current);
 +
 +  str_copy(p_str, &tmp_str);
 +  str_free(&tmp_str);
 +}
 +
 void
 str_basename (struct mystr* d_str, const struct mystr* path)
 {
 diff --git a/str.h b/str.h
 index 44270da..95a83b5 100644
 --- a/str.h
 +++ b/str.h
@@ -98,6 +98,10 @@ int str_contains_space(const struct mystr* p_str);
 int str_all_space(const struct mystr* p_str);
 int str_contains_unprintable(const struct mystr* p_str);
 void str_replace_unprintable(struct mystr* p_str, char new_char);
 +void str_replace_unprintable_with_hex(struct mystr* p_str);
 +void str_replace_unprintable_with_hex_wc(struct mystr* p_str);
 +void str_replace_positions_with_hex(struct mystr* p_str, const unsigned int* poss,
 +                                    const unsigned int pos_count);
 int str_atoi(const struct mystr* p_str);
 filesize_t str_a_to_filesize_t(const struct mystr* p_str);
 unsigned int str_octal_to_uint(const struct mystr* p_str);
 diff --git a/tunables.c b/tunables.c
 index a7ce9c8..c96c1ac 100644
 --- a/tunables.c
 +++ b/tunables.c
@@ -94,6 +94,7 @@ int tunable_seccomp_sandbox;
 int tunable_allow_writeable_chroot;
 int tunable_better_stou;
 int tunable_log_die;
 +int tunable_wc_logs_enable;
 unsigned int tunable_accept_timeout;
 unsigned int tunable_connect_timeout;
@@ -244,6 +245,7 @@ tunables_load_defaults()
   tunable_allow_writeable_chroot = 0;
   tunable_better_stou = 0;
   tunable_log_die = 0;
 +  tunable_wc_logs_enable = 0;
   tunable_accept_timeout = 60;
   tunable_connect_timeout = 60;
 diff --git a/tunables.h b/tunables.h
 index 029d645..8d50150 100644
 --- a/tunables.h
 +++ b/tunables.h
@@ -98,6 +98,7 @@ extern int tunable_better_stou;               /* Use better file name generation
 					       */
 extern int tunable_log_die;                   /* Log calls to die(), die2()
                                                * and bug() */
 +extern int tunable_wc_logs_enable;            /* Allow non ASCII characters in logs */
 /* Integer/numeric defines */
 extern unsigned int tunable_accept_timeout;
 diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
 index ce3fba3..815773f 100644
 --- a/vsftpd.conf.5
 +++ b/vsftpd.conf.5
@@ -735,6 +735,12 @@ If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their
 ipc and pid namespaces. So separated processes can not interact with each other.
 Default: YES
 +.TP
 +.B wc_logs_enable
 +If enabled, logs will be treated as wide-character strings and not just
 +ASCII strings when filtering out non-printable characters.
 +
 +Default: NO
 .SH NUMERIC OPTIONS
 Below is a list of numeric options. A numeric option must be set to a non
--- a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
+++ b/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
@ -1,132 +0,0 @@
 diff --git a/features.c b/features.c
 index d024366..3a60b88 100644
 --- a/features.c
 +++ b/features.c
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
     {
       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
     }
 -    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
 +    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
     {
       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
     }
 diff --git a/parseconf.c b/parseconf.c
 index 3729818..2c5ffe6 100644
 --- a/parseconf.c
 +++ b/parseconf.c
@@ -87,6 +87,7 @@ parseconf_bool_array[] =
   { "ssl_tlsv1", &tunable_tlsv1 },
   { "ssl_tlsv1_1", &tunable_tlsv1_1 },
   { "ssl_tlsv1_2", &tunable_tlsv1_2 },
 +  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
   { "tilde_user_enable", &tunable_tilde_user_enable },
   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
 diff --git a/ssl.c b/ssl.c
 index 09ec96a..5d9c595 100644
 --- a/ssl.c
 +++ b/ssl.c
@@ -178,6 +178,10 @@ ssl_init(struct vsf_session* p_sess)
     {
       options |= SSL_OP_NO_TLSv1_2;
     }
 +    if (!tunable_tlsv1_3)
 +    {
 +      options |= SSL_OP_NO_TLSv1_3;
 +    }
     SSL_CTX_set_options(p_ctx, options);
     if (tunable_rsa_cert_file)
     {
 diff --git a/tunables.c b/tunables.c
 index c96c1ac..e6fbb9d 100644
 --- a/tunables.c
 +++ b/tunables.c
@@ -68,6 +68,7 @@ int tunable_sslv3;
 int tunable_tlsv1;
 int tunable_tlsv1_1;
 int tunable_tlsv1_2;
 +int tunable_tlsv1_3;
 int tunable_tilde_user_enable;
 int tunable_force_anon_logins_ssl;
 int tunable_force_anon_data_ssl;
@@ -217,8 +218,9 @@ tunables_load_defaults()
   tunable_sslv3 = 0;
   tunable_tlsv1 = 0;
   tunable_tlsv1_1 = 0;
 -  /* Only TLSv1.2 is enabled by default */
 +  /* Only TLSv1.2 and TLSv1.3 are enabled by default */
   tunable_tlsv1_2 = 1;
 +  tunable_tlsv1_3 = 1;
   tunable_tilde_user_enable = 0;
   tunable_force_anon_logins_ssl = 0;
   tunable_force_anon_data_ssl = 0;
 diff --git a/tunables.h b/tunables.h
 index 8d50150..6e1d301 100644
 --- a/tunables.h
 +++ b/tunables.h
@@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
 extern int tunable_tlsv1;                     /* Allow TLSv1 */
 extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
 extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
 +extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
 extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
 extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
 extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
 diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
 index 815773f..c37a536 100644
 --- a/vsftpd.conf.5
 +++ b/vsftpd.conf.5
@@ -555,7 +555,7 @@ Default: YES
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit SSL v2 protocol connections.
 -TLS v1.2 connections are preferred.
 +TLS v1.2 and TLS v1.3 connections are preferred.
 Default: NO
 .TP
@@ -563,7 +563,7 @@ Default: NO
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit SSL v3 protocol connections.
 -TLS v1.2 connections are preferred.
 +TLS v1.2 and TLS v1.3 connections are preferred.
 Default: NO
 .TP
@@ -571,7 +571,7 @@ Default: NO
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit TLS v1 protocol connections.
 -TLS v1.2 connections are preferred.
 +TLS v1.2 and TLS v1.3 connections are preferred.
 Default: NO
 .TP
@@ -579,7 +579,7 @@ Default: NO
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit TLS v1.1 protocol connections.
 -TLS v1.2 connections are preferred.
 +TLS v1.2 and TLS v1.3 connections are preferred.
 Default: NO
 .TP
@@ -587,7 +587,15 @@ Default: NO
 Only applies if
 .BR ssl_enable
 is activated. If enabled, this option will permit TLS v1.2 protocol connections.
 -TLS v1.2 connections are preferred.
 +TLS v1.2 and TLS v1.3 connections are preferred.
 +
 +Default: YES
 +.TP
 +.B ssl_tlsv1_3
 +Only applies if
 +.BR ssl_enable
 +is activated. If enabled, this option will permit TLS v1.3 protocol connections.
 +TLS v1.2 and TLS v1.3 connections are preferred.
 Default: YES
 .TP
--- a/SOURCES/vsftpd.service
+++ b/SOURCES/vsftpd.service
@ -1,6 +1,6 @@
 [Unit]
 Description=Vsftpd ftp daemon
-After=network-online.target
+After=network.target
 [Service]
 Type=forking
--- a/SOURCES/vsftpd.target
+++ b/SOURCES/vsftpd.target
@ -1,6 +1,6 @@
 [Unit]
 Description=FTP daemon
-After=network-online.target
+After=network.target
 [Install]
 WantedBy=multi-user.target
--- a/SOURCES/vsftpd@.service
+++ b/SOURCES/vsftpd@.service
@ -1,6 +1,6 @@
 [Unit]
 Description=Vsftpd ftp daemon
-After=network-online.target
+After=network.target
 PartOf=vsftpd.target
 [Service]
--- a/SPECS/vsftpd.spec
+++ b/SPECS/vsftpd.spec
@ -2,7 +2,7 @@
 Name:    vsftpd
 Version: 3.0.3
-Release: 36%{?dist}
+Release: 31%{?dist}
 Summary: Very Secure Ftp Daemon
 Group:    System Environment/Daemons
@ -94,10 +94,7 @@ Patch62: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
 Patch63: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
 Patch64: 0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
 Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
-Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
+
 Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
 Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
 Patch69: vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
 scratch.
@ -165,27 +162,6 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 %changelog
 * Thu Apr 06 2023 Richard Lescak <rlescak@redhat.com> -3.0.3-36
 - add patch to provide option for TLSv1.3 ciphersuites
 - Resolves: rhbz#2069733
 * Fri Dec 03 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-35
 - add option to disable TLSv1.3
 - Resolves: rhbz#1638375
 * Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-34
 - Enable support for wide-character strings in logs
 - Replace unprintables with HEX code, not question marks
 - Resolves: rhbz#1947900
 * Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-33
 - Unit files fixed "After=network-online.target"
 - Resolves: rhbz#1893636
 * Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-32
 - Removed a hint about the ftp_home_dir SELinux boolean from the config file
 - Resolves: rhbz#1623424
 * Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-31
 - Fix timestamp handling in MDTM
 - Resolves: rhbz#1567855
		`@ -0,0 +1 @@`
							`d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz`