4 changed files with 4 additions and 219 deletions
--- a/.vsftpd.metadata
+++ b/.vsftpd.metadata
@ -0,0 +1 @@
+d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz
--- a/SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
+++ b/SOURCES/vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
@ -1,75 +0,0 @@
-diff -urN a/parseconf.c b/parseconf.c
--- a/parseconf.c	2021-05-29 23:39:19.000000000 +0200
-+++ b/parseconf.c	2023-03-03 10:22:38.256439634 +0100
-@@ -185,6 +185,7 @@
-   { "dsa_cert_file", &tunable_dsa_cert_file },
-   { "dh_param_file", &tunable_dh_param_file },
-   { "ecdh_param_file", &tunable_ecdh_param_file },
-+  { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
-   { "ssl_ciphers", &tunable_ssl_ciphers },
-   { "rsa_private_key_file", &tunable_rsa_private_key_file },
-   { "dsa_private_key_file", &tunable_dsa_private_key_file },
-diff -urN a/ssl.c b/ssl.c
--- a/ssl.c	2021-08-02 08:24:35.000000000 +0200
-+++ b/ssl.c	2023-03-03 10:28:05.989757655 +0100
-@@ -135,6 +135,11 @@
-     {
-       die("SSL: could not set cipher list");
-     }
-+    if (tunable_ssl_ciphersuites &&
-+        SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
-+    {
-+      die("SSL: could not set ciphersuites list");
-+    }
-     if (RAND_status() != 1)
-     {
-       die("SSL: RNG is not seeded");
-diff -urN a/tunables.c b/tunables.c
--- a/tunables.c	2021-05-29 23:39:00.000000000 +0200
-+++ b/tunables.c	2023-03-03 10:13:30.566868026 +0100
-@@ -154,6 +154,7 @@
- const char* tunable_dsa_cert_file;
- const char* tunable_dh_param_file;
- const char* tunable_ecdh_param_file;
- const char* tunable_ssl_ciphers;
-+const char* tunable_ssl_ciphersuites;
- const char* tunable_rsa_private_key_file;
- const char* tunable_dsa_private_key_file;
-@@ -293,6 +293,7 @@
-   install_str_setting(0, &tunable_dh_param_file);
-   install_str_setting(0, &tunable_ecdh_param_file);
-   install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
-+  install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
-   install_str_setting(0, &tunable_rsa_private_key_file);
-   install_str_setting(0, &tunable_dsa_private_key_file);
-   install_str_setting(0, &tunable_ca_certs_file);
-diff -urN a/tunables.h b/tunables.h
--- a/tunables.h
-+++ b/tunables.h
-@@ -144,6 +144,7 @@
- extern const char* tunable_dsa_cert_file;
- extern const char* tunable_dh_param_file;
- extern const char* tunable_ecdh_param_file;
- extern const char* tunable_ssl_ciphers;
-+extern const char* tunable_ssl_ciphersuites;
- extern const char* tunable_rsa_private_key_file;
- extern const char* tunable_dsa_private_key_file;
--- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -1009,6 +1009,16 @@
- 
- Default: PROFILE=SYSTEM
- .TP
-+.B ssl_ciphersuites
-+This option can be used to select which SSL cipher suites vsftpd will allow for
-+encrypted SSL connections with TLSv1.3. See the
-+.BR ciphers
-+man page for further details. Note that restricting ciphers can be a useful
-+security precaution as it prevents malicious remote parties forcing a cipher
-+which they have found problems with.
-+
-+Default: TLS_AES_256_GCM_SHA384
-+.TP
- .B user_config_dir
- This powerful option allows the override of any config option specified in
- the manual page, on a per-user basis. Usage is simple, and is best illustrated
--- a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
+++ b/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
@ -1,132 +0,0 @@
-diff --git a/features.c b/features.c
-index d024366..3a60b88 100644
--- a/features.c
-+++ b/features.c
-@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
-     {
-       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
-     }
-    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
-+    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
-     {
-       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
-     }
-diff --git a/parseconf.c b/parseconf.c
-index 3729818..2c5ffe6 100644
--- a/parseconf.c
-+++ b/parseconf.c
-@@ -87,6 +87,7 @@ parseconf_bool_array[] =
-   { "ssl_tlsv1", &tunable_tlsv1 },
-   { "ssl_tlsv1_1", &tunable_tlsv1_1 },
-   { "ssl_tlsv1_2", &tunable_tlsv1_2 },
-+  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
-   { "tilde_user_enable", &tunable_tilde_user_enable },
-   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
-   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
-diff --git a/ssl.c b/ssl.c
-index 09ec96a..5d9c595 100644
--- a/ssl.c
-+++ b/ssl.c
-@@ -178,6 +178,10 @@ ssl_init(struct vsf_session* p_sess)
-     {
-       options |= SSL_OP_NO_TLSv1_2;
-     }
-+    if (!tunable_tlsv1_3)
-+    {
-+      options |= SSL_OP_NO_TLSv1_3;
-+    }
-     SSL_CTX_set_options(p_ctx, options);
-     if (tunable_rsa_cert_file)
-     {
-diff --git a/tunables.c b/tunables.c
-index c96c1ac..e6fbb9d 100644
--- a/tunables.c
-+++ b/tunables.c
-@@ -68,6 +68,7 @@ int tunable_sslv3;
- int tunable_tlsv1;
- int tunable_tlsv1_1;
- int tunable_tlsv1_2;
-+int tunable_tlsv1_3;
- int tunable_tilde_user_enable;
- int tunable_force_anon_logins_ssl;
- int tunable_force_anon_data_ssl;
-@@ -217,8 +218,9 @@ tunables_load_defaults()
-   tunable_sslv3 = 0;
-   tunable_tlsv1 = 0;
-   tunable_tlsv1_1 = 0;
-  /* Only TLSv1.2 is enabled by default */
-+  /* Only TLSv1.2 and TLSv1.3 are enabled by default */
-   tunable_tlsv1_2 = 1;
-+  tunable_tlsv1_3 = 1;
-   tunable_tilde_user_enable = 0;
-   tunable_force_anon_logins_ssl = 0;
-   tunable_force_anon_data_ssl = 0;
-diff --git a/tunables.h b/tunables.h
-index 8d50150..6e1d301 100644
--- a/tunables.h
-+++ b/tunables.h
-@@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
- extern int tunable_tlsv1;                     /* Allow TLSv1 */
- extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
- extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
-+extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
- extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
- extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
- extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 815773f..c37a536 100644
--- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -555,7 +555,7 @@ Default: YES
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit SSL v2 protocol connections.
-TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
-@@ -563,7 +563,7 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit SSL v3 protocol connections.
-TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
-@@ -571,7 +571,7 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit TLS v1 protocol connections.
-TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
-@@ -579,7 +579,7 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit TLS v1.1 protocol connections.
-TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: NO
- .TP
-@@ -587,7 +587,15 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit TLS v1.2 protocol connections.
-TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
-+
-+Default: YES
-+.TP
-+.B ssl_tlsv1_3
-+Only applies if
-+.BR ssl_enable
-+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: YES
- .TP
--- a/SPECS/vsftpd.spec
+++ b/SPECS/vsftpd.spec
@ -2,7 +2,7 @@

 Name:    vsftpd
 Version: 3.0.3
-Release: 36%{?dist}
+Release: 34%{?dist}
 Summary: Very Secure Ftp Daemon

 Group:    System Environment/Daemons
@ -96,8 +96,7 @@ Patch64: 0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
 Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
 Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
-Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
-Patch69: vsftpd-3.0.3-add-option-for-tlsv1.3-ciphersuites.patch
+
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
 scratch.
@ -165,15 +164,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp

 %changelog
-* Thu Apr 06 2023 Richard Lescak <rlescak@redhat.com> -3.0.3-36
- add patch to provide option for TLSv1.3 ciphersuites
- Resolves: rhbz#2069733
-
-* Fri Dec 03 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-35
- add option to disable TLSv1.3
- Resolves: rhbz#1638375
-
-* Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-34
+* Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-33
 - Enable support for wide-character strings in logs
 - Replace unprintables with HEX code, not question marks
 - Resolves: rhbz#1947900
				`@ -0,0 +1 @@`
				`d5f5a180dbecd0fbcdc92bf0ba2fc001c962b55a SOURCES/vsftpd-3.0.3.tar.gz`