diff --git a/.fmf/version b/.fmf/version deleted file mode 100644 index d00491f..0000000 --- a/.fmf/version +++ /dev/null @@ -1 +0,0 @@ -1 diff --git a/.gitignore b/.gitignore index d4e96bd..811254b 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,3 @@ vsftpd-2.3.2.tar.gz /vsftpd-3.0.1.tar.gz /vsftpd-3.0.2.tar.gz /vsftpd-3.0.3.tar.gz -/vsftpd-3.0.5.tar.gz diff --git a/0014-Add-support-for-square-brackets-in-ls.patch b/0014-Add-support-for-square-brackets-in-ls.patch index 5035675..27f5374 100644 --- a/0014-Add-support-for-square-brackets-in-ls.patch +++ b/0014-Add-support-for-square-brackets-in-ls.patch @@ -1,11 +1,14 @@ -commit de556b2643b5da622f501b435740c651b9f82554 -Author: Tomas Korbar -Date: Mon Dec 15 02:00:00 2025 +0200 +From ba0520650ae7f9f63e48ba9fb3a94297aebe2d0c Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Wed, 7 Sep 2016 14:22:21 +0200 +Subject: [PATCH 14/59] Add support for square brackets in ls. - Add support for square brackets in ls. +--- + ls.c | 222 +++++++++++++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 150 insertions(+), 72 deletions(-) diff --git a/ls.c b/ls.c -index 616b2d9..ab69af9 100644 +index 616b2d9..b840136 100644 --- a/ls.c +++ b/ls.c @@ -246,7 +246,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, @@ -188,7 +191,7 @@ index 616b2d9..ab69af9 100644 - if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str, - iters)) + unsigned int cur_pos; -+ unsigned char stch, ench; ++ char stch, ench; + const char *p_brace; + + str_split_char(&filter_remain_str, &temp_str, ']'); @@ -213,7 +216,7 @@ index 616b2d9..ab69af9 100644 + cur_pos++; + } + // expand char[s] -+ for (;stch <= ench && !str_isempty(&brace_list_str) && stch != 0; stch++) ++ for (;stch <= ench && !str_isempty(&brace_list_str); stch++) + { + str_empty(&new_filter_str); + if (!matched) 
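Review bot: The range-expansion loop restored in the `@@ -213,7 +216,7 @@` hunk of the ls.c patch, `for (;stch <= ench && !str_isempty(&brace_list_str); stch++)`, relies only on `stch <= ench` (and on `brace_list_str` becoming empty) to stop, and the `@@ -188,7 +191,7 @@` hunk makes `stch`/`ench` plain `char`, whose signedness is implementation-defined; when `ench` is the largest representable value the increment wraps and the comparison stays true, so the expansion may never terminate. The filter appears to originate from the client's listing argument (inferred from ls.c and the enclosing `vsf_filename_passes_filter`), so an unterminated loop here is a hang of the session process rather than a cosmetic issue. A width-safe iterator avoids the wrap: `for (int c = (unsigned char)stch; c <= (unsigned char)ench && !str_isempty(&brace_list_str); c++)`, with the body's reads of `stch` switched to `c`. The enclosing function starts and ends outside these hunks.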
@@ -269,4 +272,6 @@ index 616b2d9..ab69af9 100644 } /* Any incoming string left means no match unless we ended on the correct * type of wildcard. +-- +2.14.4 diff --git a/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/0021-Introduce-support-for-DHE-based-cipher-suites.patch index 3460c2a..1abe1e4 100644 --- a/0021-Introduce-support-for-DHE-based-cipher-suites.patch +++ b/0021-Introduce-support-for-DHE-based-cipher-suites.patch 
@@ -31,36 +31,81 @@ index c362983..22b69b3 100644 #include #include #include ++#include +#include -+#include #include #include -@@ -58,6 +60,23 @@ +@@ -38,6 +40,7 @@ static void setup_bio_callbacks(); + static long bio_callback( + BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); + static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); ++static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength); + static int ssl_cert_digest( + SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str); + static void maybe_log_shutdown_state(struct vsf_session* p_sess); +@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess, static int ssl_inited; static struct mystr debug_str; -+EVP_PKEY * -+DH_get_dh() -+{ -+ OSSL_PARAM dh_params[2]; -+ EVP_PKEY *dh_key = NULL; -+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); + -+ dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0); -+ dh_params[1] = OSSL_PARAM_construct_end(); ++// Grab prime number from OpenSSL; ++// (get_rfc*) for all available primes. ++// wraps selection of comparable algorithm strength ++#if !defined(match_dh_bits) ++ #define match_dh_bits(keylen) \ ++ keylen >= 8191 ? 8192 : \ ++ keylen >= 6143 ? 6144 : \ ++ keylen >= 4095 ? 4096 : \ ++ keylen >= 3071 ? 3072 : \ ++ keylen >= 2047 ? 2048 : \ ++ keylen >= 1535 ? 1536 : \ ++ keylen >= 1023 ? 
1024 : 768 ++#endif + -+ if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0) -+ return NULL; -+ EVP_PKEY_generate(pctx, &dh_key); -+ EVP_PKEY_CTX_free(pctx); -+ return dh_key; ++#if !defined(DH_get_prime) ++ BIGNUM * ++ DH_get_prime(int bits) ++ { ++ switch (bits) { ++ case 768: return get_rfc2409_prime_768(NULL); ++ case 1024: return get_rfc2409_prime_1024(NULL); ++ case 1536: return get_rfc3526_prime_1536(NULL); ++ case 2048: return get_rfc3526_prime_2048(NULL); ++ case 3072: return get_rfc3526_prime_3072(NULL); ++ case 4096: return get_rfc3526_prime_4096(NULL); ++ case 6144: return get_rfc3526_prime_6144(NULL); ++ case 8192: return get_rfc3526_prime_8192(NULL); ++ // shouldn't happen when used match_dh_bits; strict compiler ++ default: return NULL; ++ } +} ++#endif ++ ++#if !defined(DH_get_dh) ++ // Grab DH parameters ++ DH * ++ DH_get_dh(int size) ++ { ++ DH *dh = DH_new(); ++ if (!dh) { ++ return NULL; ++ } ++ dh->p = DH_get_prime(match_dh_bits(size)); ++ BN_dec2bn(&dh->g, "2"); ++ if (!dh->p || !dh->g) ++ { ++ DH_free(dh); ++ return NULL; ++ } ++ return dh; ++ } ++#endif + void ssl_init(struct vsf_session* p_sess) { -@@ -72,7 +89,7 @@ +@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess) { die("SSL: could not allocate SSL context"); } 
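Review bot: `match_dh_bits` lets the ephemeral DH group fall to 1024 or even 768 bits (`keylen >= 1023 ? 1024 : 768`), and `DH_get_dh(int size)` builds whatever that yields; both sizes are below the 2048-bit floor current guidance expects for DHE, and as far as I recall the `keylength` the library passes to a tmp-DH callback in the OpenSSL releases this patch targets is a fixed nominal value rather than the negotiated strength, so DHE sessions would routinely land on the 1024-bit RFC 2409 group. Dropping the weak tail keeps the table intact: replace the last four arms with `(keylen) >= 3071 ? 3072 : 2048` so nothing below 2048 can be selected (the `768`, `1024` and `1536` cases in `DH_get_prime` then become unreachable but are harmless). The macro should also be written as `#define match_dh_bits(keylen) ((keylen) >= 8191 ? 8192 : ... )` — the current body is a bare conditional chain that evaluates its argument up to seven times and has no outer parentheses.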
@@ -69,44 +114,61 @@ index c362983..22b69b3 100644 if (!tunable_sslv2) { options |= SSL_OP_NO_SSLv2; -@@ -149,8 +166,27 @@ +@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess) die("SSL: cannot load DSA private key"); } } + if (tunable_dh_param_file) + { + BIO *bio; -+ EVP_PKEY *dh_params = NULL; ++ DH *dhparams = NULL; + if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL) + { + die("SSL: cannot load custom DH params"); + } + else + { -+ dh_params = PEM_read_bio_Parameters(bio, NULL); ++ dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + BIO_free(bio); + -+ if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params)) -+ { ++ if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams)) ++ { + die("SSL: setting custom DH params failed"); -+ } ++ } + } + } if (tunable_ssl_ciphers && SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1) { - die("SSL: could not set cipher list"); - } -@@ -184,6 +226,9 @@ +@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess) /* Ensure cached session doesn't expire */ SSL_CTX_set_timeout(p_ctx, INT_MAX); } ++ ++ SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + -+ SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh()); + p_sess->p_ssl_ctx = p_ctx; + ssl_inited = 1; + } +@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx) + return 1; + } + ++#define UNUSED(x) ( (void)(x) ) + - /* Set up ALPN to check for FTP protocol intention of client. */ - SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); - /* Set up SNI callback for an optional hostname check. */ ++static DH * ++ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength) ++{ ++ // strict compiler bypassing ++ UNUSED(ssl); ++ UNUSED(is_export); ++ ++ return DH_get_dh(keylength); ++} ++ + void + ssl_add_entropy(struct vsf_session* p_sess) + { diff --git a/tunables.c b/tunables.c index c737465..1ea7227 100644 --- a/tunables.c 
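Review bot: `dhparams` from `PEM_read_bio_DHparams(bio, NULL, NULL, NULL)` is passed straight to `SSL_CTX_set_tmp_dh(p_ctx, dhparams)` without a NULL check, so a malformed or empty `dh_param_file` reaches the library as a null pointer — at best a misleading "setting custom DH params failed", and possibly a null dereference inside the library's parameter checks depending on the release. Insert `if (!dhparams) { die("SSL: cannot load custom DH params"); }` after `BIO_free(bio);`, and since the context keeps its own copy of the parameters (as far as I recall of SSL_CTX_set_tmp_dh) follow the successful set with `DH_free(dhparams);`. Separately, `ssl_tmp_dh_callback` returns a freshly allocated `DH_get_dh(keylength)` on every handshake; to my knowledge OpenSSL duplicates what the callback returns and never frees it, so each DHE handshake in a session process leaks one DH object — caching the result in a static per size, or setting the parameters once on the context as the `tunable_dh_param_file` branch already does, avoids that. `ssl_init` continues outside the hunk.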
diff --git a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch index 0a09a2c..1428b86 100644 --- a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +++ b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch @@ -36,40 +36,48 @@ index 22b69b3..96bf8ad 100644 if (!tunable_sslv2) { options |= SSL_OP_NO_SSLv2; -@@ -244,6 +244,33 @@ - - SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh()); +@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess) + + SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback); + if (tunable_ecdh_param_file) + { + BIO *bio; -+ EVP_PKEY *ec_params = NULL; ++ int nid; ++ EC_GROUP *ecparams = NULL; ++ EC_KEY *eckey; + + if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL) + die("SSL: cannot load custom ec params"); + else + { -+ ec_params = PEM_read_bio_Parameters(bio, NULL); ++ ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); + BIO_free(bio); + -+ if (ec_params != NULL) ++ if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) && ++ (eckey = EC_KEY_new_by_curve_name(nid))) + { -+ if (!SSL_CTX_set1_groups_list(p_ctx, ec_params)) ++ if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey)) + die("SSL: setting custom EC params failed"); -+ } -+ else ++ } ++ else + { + die("SSL: getting ec group or key failed"); -+ } ++ } + } + } + else + { -+ SSL_CTX_set1_groups_list(p_ctx, "P-256"); ++#if defined(SSL_CTX_set_ecdh_auto) ++ SSL_CTX_set_ecdh_auto(p_ctx, 1); ++#else ++ SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); ++#endif + } - /* Set up ALPN to check for FTP protocol intention of client. */ - SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess); - /* Set up SNI callback for an optional hostname check. */ ++ + p_sess->p_ssl_ctx = p_ctx; + ssl_inited = 1; + } diff --git a/tunables.c b/tunables.c index 1ea7227..93f85b1 100644 --- a/tunables.c 
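Review bot: The fallback `SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));` in the `#else` branch checks neither the allocation nor the set call, whereas the `ecdh_param_file` branch dies on failure; on builds without `SSL_CTX_set_ecdh_auto` a failure there leaves the context with no ECDHE parameters and ECDHE suites silently unnegotiable. Mirror the other branch: `EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (!eckey || !SSL_CTX_set_tmp_ecdh(p_ctx, eckey)) die("SSL: setting default EC params failed");`. In both branches the `EC_KEY` (and the `EC_GROUP` behind `ecparams`) is never released; SSL_CTX_set_tmp_ecdh copies the key as far as I recall, so `EC_KEY_free(eckey); EC_GROUP_free(ecparams);` after the set call would close the leak. `ssl_init` starts outside the hunk.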
diff --git a/0025-Improve-local_max_rate-option.patch b/0025-Improve-local_max_rate-option.patch index 2c74c7a..e78f825 100644 --- a/0025-Improve-local_max_rate-option.patch +++ b/0025-Improve-local_max_rate-option.patch @@ -60,9 +60,9 @@ diff --git a/main.c b/main.c index eaba265..f1e2f69 100644 --- a/main.c +++ b/main.c -@@ -40,7 +40,7 @@ +@@ -40,7 +40,7 @@ main(int argc, const char* argv[]) /* Control connection */ - 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, /* Data connection */ - -1, 0, -1, 0, 0, 0, 0, + -1, 0, -1, 0, 0, 0, 0, 0, diff --git a/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch new file mode 100644 index 0000000..8d6228e --- /dev/null +++ b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch 
@@ -0,0 +1,153 @@ +From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:36:17 +0100 +Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options. + +Users can now enable a specific version of TLS protocol. +--- + parseconf.c | 2 ++ + ssl.c | 8 ++++++++ + tunables.c | 9 +++++++-- + tunables.h | 2 ++ + vsftpd.conf.5 | 24 ++++++++++++++++++++---- + 5 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/parseconf.c b/parseconf.c +index a2c715b..33a1349 100644 +--- a/parseconf.c ++++ b/parseconf.c +@@ -85,6 +85,8 @@ parseconf_bool_array[] = + { "ssl_sslv2", &tunable_sslv2 }, + { "ssl_sslv3", &tunable_sslv3 }, + { "ssl_tlsv1", &tunable_tlsv1 }, ++ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, ++ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, + { "tilde_user_enable", &tunable_tilde_user_enable }, + { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, + { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, +diff --git a/ssl.c b/ssl.c +index 96bf8ad..ba8a613 100644 +--- a/ssl.c ++++ b/ssl.c +@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess) + { + options |= SSL_OP_NO_TLSv1; + } ++ if (!tunable_tlsv1_1) ++ { ++ options |= SSL_OP_NO_TLSv1_1; ++ } ++ if (!tunable_tlsv1_2) ++ { ++ options |= SSL_OP_NO_TLSv1_2; ++ } + SSL_CTX_set_options(p_ctx, options); + if (tunable_rsa_cert_file) + { +diff --git a/tunables.c b/tunables.c +index 93f85b1..78f2bcd 100644 +--- a/tunables.c ++++ b/tunables.c +@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl; + int tunable_sslv2; + int tunable_sslv3; + int tunable_tlsv1; ++int tunable_tlsv1_1; ++int tunable_tlsv1_2; + int tunable_tilde_user_enable; + int tunable_force_anon_logins_ssl; + int tunable_force_anon_data_ssl; +@@ -209,7 +211,10 @@ tunables_load_defaults() + tunable_force_local_data_ssl = 1; + tunable_sslv2 = 0; + tunable_sslv3 = 0; ++ /* TLSv1 up to TLSv1.2 is enabled by default */ + tunable_tlsv1 = 1; ++ tunable_tlsv1_1 = 1; ++ tunable_tlsv1_2 = 1; + 
tunable_tilde_user_enable = 0; + tunable_force_anon_logins_ssl = 0; + tunable_force_anon_data_ssl = 0; +@@ -292,8 +297,8 @@ tunables_load_defaults() + install_str_setting(0, &tunable_dsa_cert_file); + install_str_setting(0, &tunable_dh_param_file); + install_str_setting(0, &tunable_ecdh_param_file); +- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", +- &tunable_ssl_ciphers); ++ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", ++ &tunable_ssl_ciphers); + install_str_setting(0, &tunable_rsa_private_key_file); + install_str_setting(0, &tunable_dsa_private_key_file); + install_str_setting(0, &tunable_ca_certs_file); +diff --git a/tunables.h b/tunables.h +index 3e2d40c..a466427 100644 +--- a/tunables.h ++++ b/tunables.h +@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl; /* Require local data uses SSL */ + extern int tunable_sslv2; /* Allow SSLv2 */ + extern int tunable_sslv3; /* Allow SSLv3 */ + extern int tunable_tlsv1; /* Allow TLSv1 */ ++extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ ++extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ + extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ + extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ + extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ +diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 +index cf1ae34..a3d569e 100644 +--- a/vsftpd.conf.5 ++++ b/vsftpd.conf.5 +@@ -506,7 +506,7 @@ Default: YES + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit SSL v2 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. + + Default: NO + .TP +@@ -514,7 +514,7 @@ Default: NO + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit SSL v3 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. 
+ + Default: NO + .TP +@@ -522,7 +522,23 @@ Default: NO + Only applies if + .BR ssl_enable + is activated. If enabled, this option will permit TLS v1 protocol connections. +-TLS v1 connections are preferred. ++TLS v1.2 connections are preferred. ++ ++Default: YES ++.TP ++.B ssl_tlsv1_1 ++Only applies if ++.BR ssl_enable ++is activated. If enabled, this option will permit TLS v1.1 protocol connections. ++TLS v1.2 connections are preferred. ++ ++Default: YES ++.TP ++.B ssl_tlsv1_2 ++Only applies if ++.BR ssl_enable ++is activated. If enabled, this option will permit TLS v1.2 protocol connections. ++TLS v1.2 connections are preferred. + + Default: YES + .TP +@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful + security precaution as it prevents malicious remote parties forcing a cipher + which they have found problems with. + +-Default: DES-CBC3-SHA ++Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 + .TP + .B user_config_dir + This powerful option allows the override of any config option specified in +-- +2.14.4 + diff --git a/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch b/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch new file mode 100644 index 0000000..1cebc18 --- /dev/null +++ b/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch 
@@ -0,0 +1,74 @@
+From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
+Date: Mon, 4 Sep 2017 11:32:03 +0200
+Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1
+
+---
+ ssl.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/ssl.c b/ssl.c
+index ba8a613..09ec96a 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -88,19 +88,54 @@ static struct mystr debug_str;
+ }
+ #endif
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++ /* If the fields p and g in d are NULL, the corresponding input
++ * parameters MUST be non-NULL. q may remain NULL.
++ */
++ if ((dh->p == NULL && p == NULL)
++ || (dh->g == NULL && g == NULL))
++ return 0;
++
++ if (p != NULL) {
++ BN_free(dh->p);
++ dh->p = p;
++ }
++ if (q != NULL) {
++ BN_free(dh->q);
++ dh->q = q;
++ }
++ if (g != NULL) {
++ BN_free(dh->g);
++ dh->g = g;
++ }
++
++ if (q != NULL) {
++ dh->length = BN_num_bits(q);
++ }
++
++ return 1;
++}
++#endif
++
+ #if !defined(DH_get_dh)
+ // Grab DH parameters
+ DH *
+ DH_get_dh(int size)
+ {
++ BIGNUM *g = NULL;
++ BIGNUM *p = NULL;
+ DH *dh = DH_new();
+ if (!dh) {
+ return NULL;
+ }
+- dh->p = DH_get_prime(match_dh_bits(size));
+- BN_dec2bn(&dh->g, "2");
+- if (!dh->p || !dh->g)
++ p = DH_get_prime(match_dh_bits(size));
++ BN_dec2bn(&g, "2");
++ if (!p || !g || !DH_set0_pqg(dh, p, NULL, g))
+ {
++ BN_free(g);
++ BN_free(p);
+ DH_free(dh);
+ return NULL;
+ }
+--
+2.14.4
+
diff --git a/0040-Use-system-wide-crypto-policy.patch b/0040-Use-system-wide-crypto-policy.patch
index 940a5b2..f59ba2b 100644
--- a/0040-Use-system-wide-crypto-policy.patch
+++ b/0040-Use-system-wide-crypto-policy.patch
@@ -3,7 +3,7 @@
From: Martin Sehnoutka Date: Tue, 29 Aug 2017 10:32:16 +0200 Subject: [PATCH 40/59] Use system wide crypto policy -Resolves: rhbz# +Resolves: rhbz#1483970 --- tunables.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) @@ -16,8 +16,8 @@ index 5440c00..354251c 100644 install_str_setting(0, &tunable_dsa_cert_file); install_str_setting(0, &tunable_dh_param_file); install_str_setting(0, &tunable_ecdh_param_file); -- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA", -- &tunable_ssl_ciphers); +- install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384", +- &tunable_ssl_ciphers); + install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); install_str_setting(0, &tunable_rsa_private_key_file); install_str_setting(0, &tunable_dsa_private_key_file); diff --git a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch index 93e2ce8..8b26c7b 100644 --- a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch +++ b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch @@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644 security precaution as it prevents malicious remote parties forcing a cipher which they have found problems with. --Default: DES-CBC3-SHA +-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384 +By default, the system-wide crypto policy is used. See +.BR update-crypto-policies(8) +for further details. + +Default: PROFILE=SYSTEM .TP - .B ssl_sni_hostname - If set, SSL connections will be rejected unless the SNI hostname in the + .B user_config_dir + This powerful option allows the override of any config option specified in -- 2.14.4 
diff --git a/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch index 1e14813..250a44c 100644 --- a/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch +++ b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch @@ -23,7 +23,7 @@ index 1212980..d024366 100644 vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); } - if (tunable_tlsv1) -+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3) ++ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) { vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); } diff --git a/0043-Enable-only-TLSv1.2-by-default.patch b/0043-Enable-only-TLSv1.2-by-default.patch new file mode 100644 index 0000000..eb157f8 --- /dev/null +++ b/0043-Enable-only-TLSv1.2-by-default.patch 
@@ -0,0 +1,53 @@
+From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
+Date: Thu, 21 Dec 2017 16:38:40 +0100
+Subject: [PATCH 43/59] Enable only TLSv1.2 by default
+
+Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.
+---
+ tunables.c | 6 +++---
+ vsftpd.conf.5 | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tunables.c b/tunables.c
+index 354251c..9680528 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -211,9 +211,9 @@ tunables_load_defaults()
+ tunable_force_local_data_ssl = 1;
+ tunable_sslv2 = 0;
+ tunable_sslv3 = 0;
+- /* TLSv1 up to TLSv1.2 is enabled by default */
+- tunable_tlsv1 = 1;
+- tunable_tlsv1_1 = 1;
++ tunable_tlsv1 = 0;
++ tunable_tlsv1_1 = 0;
++ /* Only TLSv1.2 is enabled by default */
+ tunable_tlsv1_2 = 1;
+ tunable_tilde_user_enable = 0;
+ tunable_force_anon_logins_ssl = 0;
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 2a7662e..df14027 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -539,7 +539,7 @@ Only applies if
+ is activated. If enabled, this option will permit TLS v1 protocol connections.
+ TLS v1.2 connections are preferred.
+
+-Default: YES
++Default: NO
+ .TP
+ .B ssl_tlsv1_1
+ Only applies if
+@@ -547,7 +547,7 @@ Only applies if
+ is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+ TLS v1.2 connections are preferred.
+
+-Default: YES
++Default: NO
+ .TP
+ .B ssl_tlsv1_2
+ Only applies if
+--
+2.14.4
+
diff --git a/0076-Correct-the-definition-of-setup_bio_callbacks-in-ssl.patch b/0076-Correct-the-definition-of-setup_bio_callbacks-in-ssl.patch
deleted file mode 100644
index 4fb8420..0000000
--- a/0076-Correct-the-definition-of-setup_bio_callbacks-in-ssl.patch
+++ /dev/null
@@ -1,25 +0,0 @@ -From f3a745be207831ebd07add16e66ac2b43a743dc1 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Fri, 24 Jan 2025 11:42:39 +0100 -Subject: [PATCH] Correct the definition of setup_bio_callbacks() in ssl.c - ---- - ssl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ssl.c b/ssl.c -index e518097..02ed489 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -36,7 +36,7 @@ - static char* get_ssl_error(); - static SSL* get_ssl(struct vsf_session* p_sess, int fd); - static int ssl_session_init(struct vsf_session* p_sess); --static void setup_bio_callbacks(); -+static void setup_bio_callbacks(SSL* p_ssl); - static long bio_callback( - BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); --- -2.48.1 - diff --git a/ci.fmf b/ci.fmf deleted file mode 100644 index c5aa0e0..0000000 --- a/ci.fmf +++ /dev/null @@ -1 +0,0 @@ -resultsdb-testcase: separate diff --git a/fix-str_open.patch b/fix-str_open.patch index e5d5bd9..eef52ec 100644 --- a/fix-str_open.patch +++ b/fix-str_open.patch @@ -1,10 +1,11 @@ ---- sysstr-orig.c 2022-07-27 09:44:52.606408000 +0200 -+++ sysstr.c 2022-07-27 09:54:24.043081352 +0200 +diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c +--- vsftpd-3.0.3.orig/sysstr.c 2020-11-17 09:47:03.872923383 +0100 ++++ vsftpd-3.0.3/sysstr.c 2020-11-17 09:48:41.219754145 +0100 @@ -74,19 +74,11 @@ int str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode) { -- enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown; +- enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown; - switch (mode) - { - case kVSFSysStrOpenReadOnly: diff --git a/gating.yaml b/gating.yaml deleted file mode 100644 index 9b2646f..0000000 --- a/gating.yaml +++ /dev/null 
@@ -1,26 +0,0 @@
---- !Policy
-product_versions:
- - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
- - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
-
-#Rawhide
---- !Policy
-product_versions:
- - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
- - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
-
-#gating rhel
---- !Policy
-product_versions:
- - rhel-*
-decision_context: osci_compose_gate
-rules:
- - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
- - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
-
diff --git a/plans.fmf b/plans.fmf
deleted file mode 100644
index 900f2e5..0000000
--- a/plans.fmf
+++ /dev/null
@@ -1,47 +0,0 @@
-/tier1-internal:
- plan:
- import:
- url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
- name: /plans/tier1/internal
- adjust:
- enabled: false
- when: distro == centos-stream, fedora
- because: They don't have access to internal repos.
-
-/tier1-public:
- plan:
- import:
- url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
- name: /plans/tier1/public
-
-/tier2-tier3-internal:
- plan:
- import:
- url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
- name: /plans/tier2-tier3/internal
- adjust:
- enabled: false
- when: distro == centos-stream, fedora
- because: They don't have access to internal repos.
-
-/tier2-tier3-public:
- plan:
- import:
- url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
- name: /plans/tier2-tier3/public
-
-/others-internal:
- plan:
- import:
- url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
- name: /plans/others/internal
- adjust:
- enabled: false
- when: distro == centos-stream, fedora
- because: They don't have access to internal repos.
-
-/others-public:
- plan:
- import:
- url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
- name: /plans/others/public
diff --git a/sources b/sources
index e0f928f..73f8cf5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee
+SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7
diff --git a/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch b/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
deleted file mode 100644
index b215273..0000000
--- a/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -diff --git a/features.c b/features.c -index d024366..3a60b88 100644 ---- a/features.c -+++ b/features.c -@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess) - { - vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n"); - } -- if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2) -+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3) - { - vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n"); - } -diff --git a/parseconf.c b/parseconf.c -index ee1b8b4..5188088 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -87,6 +87,7 @@ parseconf_bool_array[] = - { "ssl_tlsv1", &tunable_tlsv1 }, - { "ssl_tlsv1_1", &tunable_tlsv1_1 }, - { "ssl_tlsv1_2", &tunable_tlsv1_2 }, -+ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, -diff --git a/ssl.c b/ssl.c -index b622347..3af67ad 100644 ---- a/ssl.c -+++ b/ssl.c -@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess) - { - options |= SSL_OP_NO_TLSv1_2; - } -+ if (!tunable_tlsv1_3) -+ { -+ options |= SSL_OP_NO_TLSv1_3; -+ } - SSL_CTX_set_options(p_ctx, options); - if (tunable_rsa_cert_file) - { -diff --git a/tunables.c b/tunables.c -index d8dfcde..dc001ac 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -68,6 +68,7 @@ int tunable_sslv3; - int tunable_tlsv1; - int tunable_tlsv1_1; - int tunable_tlsv1_2; -+int tunable_tlsv1_3; - int tunable_tilde_user_enable; - int tunable_force_anon_logins_ssl; - int tunable_force_anon_data_ssl; -@@ -218,8 +219,9 @@ tunables_load_defaults() - tunable_sslv3 = 0; - tunable_tlsv1 = 0; - tunable_tlsv1_1 = 0; -- /* Only TLSv1.2 is enabled by default */ -+ /* Only TLSv1.2 and TLSv1.3 are enabled by default */ - tunable_tlsv1_2 = 1; -+ tunable_tlsv1_3 = 1; - tunable_tilde_user_enable = 0; - tunable_force_anon_logins_ssl = 0; - tunable_force_anon_data_ssl = 0; -diff --git a/tunables.h b/tunables.h -index 
de6cab0..ff0eebc 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -69,6 +69,7 @@ extern int tunable_sslv3; /* Allow SSLv3 */ - extern int tunable_tlsv1; /* Allow TLSv1 */ - extern int tunable_tlsv1_1; /* Allow TLSv1.1 */ - extern int tunable_tlsv1_2; /* Allow TLSv1.2 */ -+extern int tunable_tlsv1_3; /* Allow TLSv1.3 */ - extern int tunable_tilde_user_enable; /* Support e.g. ~chris */ - extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */ - extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */ -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index 7006287..d181e50 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -587,7 +587,15 @@ Default: NO - Only applies if - .BR ssl_enable - is activated. If enabled, this option will permit TLS v1.2 protocol connections. --TLS v1.2 connections are preferred. -+TLS v1.2 and TLS v1.3 connections are preferred. -+ -+Default: YES -+.TP -+.B ssl_tlsv1_3 -+Only applies if -+.BR ssl_enable -+is activated. If enabled, this option will permit TLS v1.3 protocol connections. -+TLS v1.2 and TLS v1.3 connections are preferred. - - Default: YES - .TP diff --git a/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch b/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch deleted file mode 100644 index 1f1925e..0000000 --- a/vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -diff -urN a/parseconf.c b/parseconf.c ---- a/parseconf.c 2021-05-29 23:39:19.000000000 +0200 -+++ b/parseconf.c 2023-03-03 10:22:38.256439634 +0100 -@@ -185,6 +185,7 @@ - { "dsa_cert_file", &tunable_dsa_cert_file }, - { "dh_param_file", &tunable_dh_param_file }, - { "ecdh_param_file", &tunable_ecdh_param_file }, -+ { "ssl_ciphersuites", &tunable_ssl_ciphersuites }, - { "ssl_ciphers", &tunable_ssl_ciphers }, - { "rsa_private_key_file", &tunable_rsa_private_key_file }, - { "dsa_private_key_file", &tunable_dsa_private_key_file }, -diff -urN a/ssl.c b/ssl.c ---- a/ssl.c 2021-08-02 08:24:35.000000000 +0200 -+++ b/ssl.c 2023-03-03 10:28:05.989757655 +0100 -@@ -135,6 +135,11 @@ - { - die("SSL: could not set cipher list"); - } -+ if (tunable_ssl_ciphersuites && -+ SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1) -+ { -+ die("SSL: could not set ciphersuites"); -+ } - if (RAND_status() != 1) - { - die("SSL: RNG is not seeded"); -diff -urN a/tunables.c b/tunables.c ---- a/tunables.c 2021-05-29 23:39:00.000000000 +0200 -+++ b/tunables.c 2023-03-03 10:13:30.566868026 +0100 -@@ -154,6 +154,7 @@ - const char* tunable_dsa_cert_file; - const char* tunable_dh_param_file; - const char* tunable_ecdh_param_file; - const char* tunable_ssl_ciphers; -+const char* tunable_ssl_ciphersuites; - const char* tunable_rsa_private_key_file; - const char* tunable_dsa_private_key_file; -@@ -293,6 +293,7 @@ - install_str_setting(0, &tunable_dh_param_file); - install_str_setting(0, &tunable_ecdh_param_file); - install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers); -+ install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites); - install_str_setting(0, &tunable_rsa_private_key_file); - install_str_setting(0, &tunable_dsa_private_key_file); - install_str_setting(0, &tunable_ca_certs_file); -diff -urN a/tunables.h b/tunables.h ---- a/tunables.h -+++ b/tunables.h -@@ -144,6 +144,7 @@ - extern const char* tunable_dsa_cert_file; - extern const char* 
tunable_dh_param_file; - extern const char* tunable_ecdh_param_file; - extern const char* tunable_ssl_ciphers; -+extern const char* tunable_ssl_ciphersuites; - extern const char* tunable_rsa_private_key_file; - extern const char* tunable_dsa_private_key_file; ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -1009,6 +1009,20 @@ - - Default: PROFILE=SYSTEM - .TP -+.B ssl_ciphersuites -+This option can be used to select which SSL cipher suites vsftpd will allow for -+encrypted SSL connections with TLSv1.3. See the -+.BR ciphers -+man page for further details. Note that restricting ciphers can be a useful -+security precaution as it prevents malicious remote parties forcing a cipher -+which they have found problems with. -+ -+By default, the system-wide crypto policy is used. See -+.BR update-crypto-policies(8) -+for further details. -+ -+Default: TLS_AES_256_GCM_SHA384 -+.TP - .B ssl_sni_hostname - If set, SSL connections will be rejected unless the SNI hostname in the - incoming handshakes matches this value. diff --git a/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch b/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch deleted file mode 100644 index 914aebd..0000000 --- a/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch +++ /dev/null 
@@ -1,215 +0,0 @@ -diff --git a/logging.c b/logging.c -index 9e86808..613ff4b 100644 ---- a/logging.c -+++ b/logging.c -@@ -171,7 +171,14 @@ vsf_log_do_log_to_file(int fd, struct mystr* p_str) - return; - } - } -- str_replace_unprintable(p_str, '?'); -+ if (tunable_wc_logs_enable) -+ { -+ str_replace_unprintable_with_hex_wc(p_str); -+ } -+ else -+ { -+ str_replace_unprintable_with_hex(p_str); -+ } - str_append_char(p_str, '\n'); - /* Ignore write failure; maybe the disk filled etc. */ - (void) str_write_loop(p_str, fd); -diff --git a/parseconf.c b/parseconf.c -index 3cfe7da..3729818 100644 ---- a/parseconf.c -+++ b/parseconf.c -@@ -113,6 +113,7 @@ parseconf_bool_array[] = - { "allow_writeable_chroot", &tunable_allow_writeable_chroot }, - { "better_stou", &tunable_better_stou }, - { "log_die", &tunable_log_die }, -+ { "wc_logs_enable", &tunable_wc_logs_enable }, - { 0, 0 } - }; - -diff --git a/str.c b/str.c -index 82b8ae4..c03e7d8 100644 ---- a/str.c -+++ b/str.c -@@ -20,6 +20,11 @@ - #include "utility.h" - #include "sysutil.h" - -+#include -+#include -+#include -+#include -+ - /* File local functions */ - static void str_split_text_common(struct mystr* p_src, struct mystr* p_rhs, - const char* p_text, int is_reverse); -@@ -723,6 +728,102 @@ str_replace_unprintable(struct mystr* p_str, char new_char) - } - } - -+void -+str_replace_unprintable_with_hex(struct mystr* p_str) -+{ -+ unsigned int ups_size = sizeof(unsigned int) * (p_str->len); -+ if (ups_size < p_str->len) -+ { -+ str_replace_unprintable(p_str, '?'); -+ str_append_text(p_str, ": BUG: string is too long"); -+ bug(p_str->p_buf); -+ } -+ unsigned int* ups = vsf_sysutil_malloc(ups_size); -+ unsigned int up_count = 0; -+ for (unsigned int i=0; i < p_str->len; i++) -+ { -+ if (!vsf_sysutil_isprint(p_str->p_buf[i])) -+ { -+ ups[up_count++] = i; -+ } -+ } -+ str_replace_positions_with_hex(p_str, ups, up_count); -+ vsf_sysutil_free(ups); -+} -+ -+void str_replace_unprintable_with_hex_wc(struct mystr* p_str) -+{ 
-+ unsigned int ups_size = sizeof(unsigned int) * (p_str->len); -+ if (ups_size < p_str->len) -+ { -+ str_replace_unprintable(p_str, '?'); -+ str_append_text(p_str, ": BUG: string is too long"); -+ bug(p_str->p_buf); -+ } -+ unsigned int* ups = vsf_sysutil_malloc(ups_size); -+ unsigned int up_count = 0; -+ -+ size_t current = 0; -+ wchar_t pwc; -+ mbstate_t ps; -+ memset(&ps, 0, sizeof(ps)); -+ ssize_t len = 0; -+ while ((len = mbrtowc(&pwc, p_str->p_buf, p_str->len - current, &ps)) > 0) -+ { -+ if (!iswprint(pwc)) -+ { -+ for (int i = 0; i < len; i++) -+ { -+ ups[up_count++] = current++; -+ } -+ } -+ else -+ { -+ current += len; -+ } -+ } -+ if (len < 0) -+ { -+ while (current < p_str->len) -+ { -+ ups[up_count++] = current++; -+ } -+ } -+ str_replace_positions_with_hex(p_str, ups, up_count); -+ vsf_sysutil_free(ups); -+} -+ -+void -+str_replace_positions_with_hex(struct mystr* p_str, const unsigned int* poss, const unsigned int pos_count) -+{ -+ if (pos_count == 0) -+ return; -+ -+ struct mystr tmp_str = INIT_MYSTR; -+ str_reserve(&tmp_str, p_str->len + 3 * pos_count); -+ unsigned int current = 0; -+ -+ for (unsigned int i=0; i < pos_count; i++) -+ { -+ unsigned int pos = poss[i]; -+ -+ if (current < pos) -+ private_str_append_memchunk(&tmp_str, p_str->p_buf + current, pos - current); -+ -+ char hex_buf[5]; -+ memset(hex_buf, 0, sizeof(hex_buf)); -+ sprintf(hex_buf, "\\x%02X", (unsigned char) p_str->p_buf[pos]); -+ str_append_text(&tmp_str, hex_buf); -+ current = pos + 1; -+ } -+ -+ if (current < p_str->len) -+ private_str_append_memchunk(&tmp_str, p_str->p_buf + current, p_str->len - current); -+ -+ str_copy(p_str, &tmp_str); -+ str_free(&tmp_str); -+} -+ - void - str_basename (struct mystr* d_str, const struct mystr* path) - { -diff --git a/str.h b/str.h -index 44270da..95a83b5 100644 ---- a/str.h -+++ b/str.h -@@ -98,6 +98,10 @@ int str_contains_space(const struct mystr* p_str); - int str_all_space(const struct mystr* p_str); - int 
str_contains_unprintable(const struct mystr* p_str); - void str_replace_unprintable(struct mystr* p_str, char new_char); -+void str_replace_unprintable_with_hex(struct mystr* p_str); -+void str_replace_unprintable_with_hex_wc(struct mystr* p_str); -+void str_replace_positions_with_hex(struct mystr* p_str, const unsigned int* poss, -+ const unsigned int pos_count); - int str_atoi(const struct mystr* p_str); - filesize_t str_a_to_filesize_t(const struct mystr* p_str); - unsigned int str_octal_to_uint(const struct mystr* p_str); -diff --git a/tunables.c b/tunables.c -index a7ce9c8..c96c1ac 100644 ---- a/tunables.c -+++ b/tunables.c -@@ -94,6 +94,7 @@ int tunable_seccomp_sandbox; - int tunable_allow_writeable_chroot; - int tunable_better_stou; - int tunable_log_die; -+int tunable_wc_logs_enable; - - unsigned int tunable_accept_timeout; - unsigned int tunable_connect_timeout; -@@ -244,6 +245,7 @@ tunables_load_defaults() - tunable_allow_writeable_chroot = 0; - tunable_better_stou = 0; - tunable_log_die = 0; -+ tunable_wc_logs_enable = 0; - - tunable_accept_timeout = 60; - tunable_connect_timeout = 60; -diff --git a/tunables.h b/tunables.h -index 029d645..8d50150 100644 ---- a/tunables.h -+++ b/tunables.h -@@ -98,6 +98,7 @@ extern int tunable_better_stou; /* Use better file name generation - */ - extern int tunable_log_die; /* Log calls to die(), die2() - * and bug() */ -+extern int tunable_wc_logs_enable; /* Allow non ASCII characters in logs */ - - /* Integer/numeric defines */ - extern unsigned int tunable_accept_timeout; -diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 -index ce3fba3..815773f 100644 ---- a/vsftpd.conf.5 -+++ b/vsftpd.conf.5 -@@ -735,6 +735,12 @@ If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their - ipc and pid namespaces. So separated processes can not interact with each other. 
- - Default: YES -+.TP -+.B wc_logs_enable -+If enabled, logs will be treated as wide-character strings and not just -+ASCII strings when filtering out non-printable characters. -+ -+Default: NO - - .SH NUMERIC OPTIONS - Below is a list of numeric options. A numeric option must be set to a non diff --git a/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch b/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch deleted file mode 100644 index 8e3792b..0000000 --- a/vsftpd-3.0.5-replace-deprecated-openssl-functions.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -diff --git a/ssl.c b/ssl.c ---- ssl.c -+++ ssl.c -@@ -28,17 +28,17 @@ - #include - #include - #include - #include - #include - #include - #include - - static char* get_ssl_error(); - static SSL* get_ssl(struct vsf_session* p_sess, int fd); - static int ssl_session_init(struct vsf_session* p_sess); - static void setup_bio_callbacks(); - static long bio_callback( -- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval); -+ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed); - static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx); - static int ssl_alpn_callback(SSL* p_ssl, - const unsigned char** p_out, -@@ -88,7 +88,7 @@ - long options; - int verify_option = 0; - SSL_library_init(); -- p_ctx = SSL_CTX_new(SSLv23_server_method()); -+ p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method()); - if (p_ctx == NULL) - { - die("SSL: could not allocate SSL context"); -@@ -180,13 +180,10 @@ - die("SSL: RNG is not seeded"); - } - { -- EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); -- if (key == NULL) -+ if (!SSL_CTX_set1_groups_list(p_ctx, "P-256")) - { - die("SSL: failed to get curve p256"); - } -- SSL_CTX_set_tmp_ecdh(p_ctx, key); -- EC_KEY_free(key); - } - if (tunable_ssl_request_cert) - { -@@ -692,17 +689,19 @@ - static void setup_bio_callbacks(SSL* p_ssl) - { - BIO* p_bio = SSL_get_rbio(p_ssl); -- BIO_set_callback(p_bio, bio_callback); -+ BIO_set_callback_ex(p_bio, bio_callback); - p_bio = SSL_get_wbio(p_ssl); -- BIO_set_callback(p_bio, bio_callback); -+ BIO_set_callback_ex(p_bio, bio_callback); - } - - static long - bio_callback( -- BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret) -+ BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed) - { - int retval = 0; - int fd = 0; -+ (void) len; -+ (void) processed; - (void) p_arg; - (void) argi; - (void) argl; - 
diff --git a/vsftpd-3.0.5-replace-old-network-addr-functions.patch b/vsftpd-3.0.5-replace-old-network-addr-functions.patch deleted file mode 100644 index 89e6257..0000000 --- a/vsftpd-3.0.5-replace-old-network-addr-functions.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -diff -urN vsftpd-3.0.5-orig/postlogin.c vsftpd-3.0.5/postlogin.c ---- vsftpd-3.0.5-orig/postlogin.c 2015-07-22 21:03:22.000000000 +0200 -+++ vsftpd-3.0.5/postlogin.c 2023-02-13 16:34:05.244467476 +0100 -@@ -27,4 +27,6 @@ - #include "ssl.h" - #include "vsftpver.h" -+#include -+#include - #include "opts.h" - -@@ -628,9 +629,10 @@ - else - { - const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr); -+ static char result[INET_ADDRSTRLEN]; - if (p_v4addr) - { -- str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr)); -+ str_append_text(&s_pasv_res_str, inet_ntop(AF_INET, p_v4addr, result, INET_ADDRSTRLEN)); - } - else - { -diff -urN vsftpd-3.0.5-orig/sysutil.c vsftpd-3.0.5/sysutil.c ---- vsftpd-3.0.5-orig/sysutil.c 2012-09-16 09:07:38.000000000 +0200 -+++ vsftpd-3.0.5/sysutil.c 2023-02-13 16:08:58.557153109 +0100 -@@ -2205,20 +2205,13 @@ - const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr; - if (p_sockaddr->sa_family == AF_INET) - { -- return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr); -+ static char result[INET_ADDRSTRLEN]; -+ return inet_ntop(AF_INET, &p_sockptr->u.u_sockaddr_in.sin_addr, result, INET_ADDRSTRLEN); - } - else if (p_sockaddr->sa_family == AF_INET6) - { -- static char inaddr_buf[64]; -- const char* p_ret = inet_ntop(AF_INET6, -- &p_sockptr->u.u_sockaddr_in6.sin6_addr, -- inaddr_buf, sizeof(inaddr_buf)); -- inaddr_buf[sizeof(inaddr_buf) - 1] = '\0'; -- if (p_ret == NULL) -- { -- inaddr_buf[0] = '\0'; -- } -- return inaddr_buf; -+ static char result[INET6_ADDRSTRLEN]; -+ return inet_ntop(AF_INET6, &p_sockptr->u.u_sockaddr_in6.sin6_addr, result, INET6_ADDRSTRLEN); - } - else - { -@@ -2227,12 +2220,6 @@ - } - } - --const char* --vsf_sysutil_inet_ntoa(const void* p_raw_addr) --{ -- return inet_ntoa(*((struct in_addr*)p_raw_addr)); --} -- - int - vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr) - { -@@ -2241,7 +2228,7 @@ - { - bug("bad family"); - } -- if (inet_aton(p_text, 
&sin_addr)) -+ if (inet_pton(AF_INET, p_text, &sin_addr)) - { - vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr, - &sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr)); -@@ -2257,37 +2244,46 @@ - vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr, - const char* p_name) - { -- struct hostent* hent = gethostbyname(p_name); -- if (hent == NULL) -+ struct addrinfo *result; -+ struct addrinfo hints; -+ int ret; -+ -+ memset(&hints, 0, sizeof(struct addrinfo)); -+ hints.ai_family = AF_UNSPEC; -+ -+ if ((ret = getaddrinfo(p_name, NULL, &hints, &result)) != 0) - { -+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret)); - die2("cannot resolve host:", p_name); - } - vsf_sysutil_sockaddr_clear(p_sockptr); -- if (hent->h_addrtype == AF_INET) -+ if (result->ai_family == AF_INET) - { -- unsigned int len = hent->h_length; -+ unsigned int len = result->ai_addrlen; - if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr)) - { - len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr); - } - vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr); - vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr, -- hent->h_addr_list[0], len); -+ &result->ai_addrlen, len); - } -- else if (hent->h_addrtype == AF_INET6) -+ else if (result->ai_family == AF_INET6) - { -- unsigned int len = hent->h_length; -+ unsigned int len = result->ai_addrlen; - if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr)) - { - len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr); - } - vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr); - vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr, -- hent->h_addr_list[0], len); -+ &result->ai_addrlen, len); - } - else - { -- die("gethostbyname(): neither IPv4 nor IPv6"); -+ freeaddrinfo(result); -+ die("getaddrinfo(): neither IPv4 nor IPv6"); - } -+ freeaddrinfo(result); - } - -diff -urN vsftpd-3.0.5-orig/sysutil.h vsftpd-3.0.5/sysutil.h ---- vsftpd-3.0.5-orig/sysutil.h 2021-05-18 08:50:21.000000000 +0200 -+++ vsftpd-3.0.5/sysutil.h 2023-02-13 
15:59:22.088331075 +0100 -@@ -277,7 +277,6 @@ - - const char* vsf_sysutil_inet_ntop( - const struct vsf_sysutil_sockaddr* p_sockptr); --const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr); - int vsf_sysutil_inet_aton( - const char* p_text, struct vsf_sysutil_sockaddr* p_addr); - diff --git a/vsftpd-3.0.5-use-old-tlsv-options.patch b/vsftpd-3.0.5-use-old-tlsv-options.patch deleted file mode 100644 index 7c37ce9..0000000 --- a/vsftpd-3.0.5-use-old-tlsv-options.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- parseconf-orig.c 2022-10-25 15:17:18.990701984 +0200 -+++ parseconf.c 2022-10-25 15:12:44.213480000 +0200 -@@ -85,9 +85,9 @@ - { "ssl_sslv2", &tunable_sslv2 }, - { "ssl_sslv3", &tunable_sslv3 }, - { "ssl_tlsv1", &tunable_tlsv1 }, -- { "ssl_tlsv11", &tunable_tlsv1_1 }, -- { "ssl_tlsv12", &tunable_tlsv1_2 }, -- { "ssl_tlsv13", &tunable_tlsv1_3 }, -+ { "ssl_tlsv1_1", &tunable_tlsv1_1 }, -+ { "ssl_tlsv1_2", &tunable_tlsv1_2 }, -+ { "ssl_tlsv1_3", &tunable_tlsv1_3 }, - { "tilde_user_enable", &tunable_tilde_user_enable }, - { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl }, - { "force_anon_data_ssl", &tunable_force_anon_data_ssl }, diff --git a/vsftpd-tmpfiles.conf b/vsftpd-tmpfiles.conf deleted file mode 100644 index f1a385c..0000000 --- a/vsftpd-tmpfiles.conf +++ /dev/null @@ -1,2 +0,0 @@ -d /var/ftp 0755 root root - -d /var/ftp/pub 0755 root root - diff --git a/vsftpd.spec b/vsftpd.spec index d8e0a58..fac53d0 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -1,12 +1,12 @@ %global _generatorsdir %{_prefix}/lib/systemd/system-generators Name: vsftpd -Version: 3.0.5 -Release: 14%{?dist} +Version: 3.0.3 +Release: 43%{?dist} Summary: Very Secure Ftp Daemon # OpenSSL link exception -License: GPL-2.0-only WITH vsftpd-openssl-exception +License: GPLv2 with exceptions URL: https://security.appspot.com/vsftpd.html Source0: https://security.appspot.com/downloads/%{name}-%{version}.tar.gz Source1: vsftpd.xinetd 
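Review bot: `Version: 3.0.3` / `Release: 43%{?dist}` in the `@@ -1,12 +1,12 @@` hunk is a downgrade from 3.0.5-14, and the hunk adds no `Epoch:` line, so RPM will not treat the resulting package as an update of an installed 3.0.5-x build; if the revert is meant to reach existing systems it needs `Epoch: 1`, otherwise the changelog should say it is for fresh installs only. The changelog hunk at the end of this diff removes the 3.0.5-14 entry `Resolve CVE-2025-14242` together with the whole 3.0.5 patch set, and nothing on the new side of the spec (patch list or changelog) indicates that fix is carried into 3.0.3-43; the revert should either keep a backported patch for it or state in the changelog why the older code is acceptable. The `License:` field also reverts from the SPDX identifier to `GPLv2 with exceptions`, undoing the 3.0.5-4 `SPDX migration` entry that the changelog hunk drops — confirm that is intended rather than collateral from copying the old spec.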
@@ -18,7 +18,6 @@ Source7: vsftpd.service Source8: vsftpd@.service Source9: vsftpd.target Source10: vsftpd-generator -Source11: vsftpd-tmpfiles.conf BuildRequires: make BuildRequires: pam-devel @@ -62,7 +61,9 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch +Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch +Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch @@ -70,6 +71,7 @@ Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch Patch40: 0040-Use-system-wide-crypto-policy.patch Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch +Patch43: 0043-Enable-only-TLSv1.2-by-default.patch Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch 
@@ -95,12 +97,7 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch Patch68: 0002-Drop-an-unused-global-variable.patch Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch Patch70: fix-str_open.patch -Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch -Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch -Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch -Patch74: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch -Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch -Patch76: 0076-Correct-the-definition-of-setup_bio_callbacks-in-ssl.patch +Patch71: vsftpd-3.0.3-ALPACA.patch %description vsftpd is a Very Secure FTP daemon. It was written completely from @@ -111,7 +108,6 @@ scratch. cp %{SOURCE1} . %build - %ifarch s390x sparcv9 sparc64 %make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \ %else @@ -120,13 +116,13 @@ cp %{SOURCE1} . LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags} %install -mkdir -p $RPM_BUILD_ROOT%{_bindir} +mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT%{_sysconfdir} mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{vsftpd,pam.d,logrotate.d} mkdir -p $RPM_BUILD_ROOT%{_mandir}/man{5,8} mkdir -p $RPM_BUILD_ROOT%{_unitdir} mkdir -p $RPM_BUILD_ROOT%{_generatorsdir} -install -m 755 vsftpd $RPM_BUILD_ROOT%{_bindir}/vsftpd +install -m 755 vsftpd $RPM_BUILD_ROOT%{_sbindir}/vsftpd install -m 600 vsftpd.conf $RPM_BUILD_ROOT%{_sysconfdir}/vsftpd/vsftpd.conf install -m 644 vsftpd.conf.5 $RPM_BUILD_ROOT/%{_mandir}/man5/ install -m 644 vsftpd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/ @@ -139,7 +135,6 @@ install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_unitdir} install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_unitdir} install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_unitdir} install -m 755 %{SOURCE10} $RPM_BUILD_ROOT%{_generatorsdir} -install -Dpm 644 %{SOURCE11} $RPM_BUILD_ROOT%{_tmpfilesdir}/vsftpd.conf mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub 
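Review bot: The `@@ -95,12 +97,7 @@` hunk drops Patch73 (`vsftpd-3.0.5-replace-deprecated-openssl-functions.patch`) and Patch76 (the `setup_bio_callbacks` signature fix) while the `%build` hunk that follows keeps `CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror"`. The changelog hunk further down also removes the 3.0.3-47 entry that added `-Wno-deprecated-declarations` to build 3.0.3 against OpenSSL 3.0, so the reverted spec appears to carry neither the compatibility patch nor that workaround; please confirm the build on a current OpenSSL, or add `-Wno-deprecated-declarations` to both CFLAGS lines until the patch is restored. Patch74 (`ssl_ciphersuites`) is gone as well, leaving TLS 1.3 suite selection to whatever the retained Patch40 `Use-system-wide-crypto-policy` covers — worth one changelog sentence so operators who set `ssl_ciphersuites` know the option no longer exists.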
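Review bot: `install -m 755 vsftpd $RPM_BUILD_ROOT%{_sbindir}/vsftpd` in the `@@ -120,13 +116,13 @@` hunk moves the daemon back to sbindir, but the units `%{SOURCE7}`/`%{SOURCE8}` and the generator `%{SOURCE10}` are installed unchanged by the next hunk. The dropped 3.0.5-11 changelog entry `Move executable to bindir` suggests those files may have been updated to the bindir path at that time; if any `ExecStart=` still points at `%{_bindir}/vsftpd` the service fails to start after this revert. Check that `vsftpd.service`, `vsftpd@.service` and `vsftpd-generator` reference `%{_sbindir}/vsftpd`, or revert them in the same change.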
@@ -156,7 +151,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %files
 %{_unitdir}/*
 %{_generatorsdir}/*
-%{_bindir}/vsftpd
+%{_sbindir}/vsftpd
 %dir %{_sysconfdir}/vsftpd
 %{_sysconfdir}/vsftpd/vsftpd_conf_migrate.sh
 %config(noreplace) %{_sysconfdir}/vsftpd/ftpusers
@@ -169,86 +164,12 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub %{_mandir}/man5/vsftpd.conf.* %{_mandir}/man8/vsftpd.* %{_var}/ftp -%{_tmpfilesdir}/vsftpd.conf %changelog -* Wed Jan 14 2026 Tomas Korbar - 3.0.5-14 -- Resolve CVE-2025-14242 - -* Thu Dec 18 2025 Fedor Vorobev - 3.0.5-13 -- Add a tmpfiles.d config. (image mode support) - -* Fri Jul 25 2025 Fedora Release Engineering - 3.0.5-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Tue Apr 15 2025 Tomas Korbar - 3.0.5-11 -- Move executable to bindir - -* Fri Jan 24 2025 Stepan Broz - 3.0.5-10 -- Correct the definition of setup_bio_callbacks() in ssl.c - -* Sun Jan 19 2025 Fedora Release Engineering - 3.0.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Mon Aug 19 2024 Tomas Korbar - 3.0.5-8 -- Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled - -* Sat Jul 20 2024 Fedora Release Engineering - 3.0.5-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Sat Jan 27 2024 Fedora Release Engineering - 3.0.5-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Sat Jul 22 2023 Fedora Release Engineering - 3.0.5-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu May 04 2023 Richard Lescak - 3.0.5-4 -- add option for TLSv1.3 ciphersuites -- SPDX migration - -* Fri Feb 17 2023 Richard Lescak - 3.0.5-3 -- make vsftpd compatible with Openssl 3.0+ -- replace old network functions - -* Sat Jan 21 2023 Fedora Release Engineering - 3.0.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Thu Jul 28 2022 Richard Lescak 3.0.5-1 -- rebase to version 3.0.5 - -* Sat Jul 23 2022 Fedora Release Engineering - 3.0.3-51 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Sat Jan 22 2022 Fedora Release Engineering - 3.0.3-50 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Wed Oct 27 2021 Artem Egorenkov - 3.0.3-49 -- add option to 
disable TLSv1.3 -- Resolves: rhbz#2017705 - -* Wed Oct 13 2021 Artem Egorenkov - 3.0.3-48 +* Wed Oct 13 2021 Artem Egorenkov - 3.0.3-43 - ALPACA fix backported from upstram 3.0.5 version - Resolves: rhbz#1975648 -* Wed Oct 13 2021 Artem Egorenkov - 3.0.3-47 -- Temporary pass -Wno-deprecated-declarations to gcc to ignore - deprecated warnings to be able to build against OpenSSL-3.0 -- Resolves: rhbz#1962603 - -* Tue Sep 14 2021 Sahana Prasad - 3.0.3-46 -- Rebuilt with OpenSSL 3.0.0 - -* Fri Jul 23 2021 Fedora Release Engineering - 3.0.3-45 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Thu Apr 8 2021 Artem Egorenkov - 3.0.3-44 -- Enable support for wide-character strings in logs -- Replace unprintables with HEX code, not question marks - -* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 3.0.3-43 -- Rebuilt for updated systemd-rpm-macros - See https://pagure.io/fesco/issue/2583. - * Wed Jan 27 2021 Fedora Release Engineering - 3.0.3-42 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild