rebase to version 3.0.5

- ALPACA fix backported from upstram 3.0.5 version
- Relates: rhbz#1975648
2022-08-01 15:31:07 +02:00 · 2021-10-13 17:20:15 +02:00
11 changed files with 269 additions and 37 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,3 +6,4 @@ vsftpd-2.3.2.tar.gz
 /vsftpd-3.0.1.tar.gz
 /vsftpd-3.0.2.tar.gz
 /vsftpd-3.0.3.tar.gz
+/vsftpd-3.0.5.tar.gz
--- a/0021-Introduce-support-for-DHE-based-cipher-suites.patch
+++ b/0021-Introduce-support-for-DHE-based-cipher-suites.patch
@ -36,14 +36,14 @@ index c362983..22b69b3 100644
 #include <errno.h>
 #include <limits.h>
 
-@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
+@@ -38,6 +40,7 @@
+ static char* get_ssl_error();
+ static SSL* get_ssl(struct vsf_session* p_sess, int fd);
+ static int ssl_session_init(struct vsf_session* p_sess);
+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+ static void setup_bio_callbacks();
 static long bio_callback(
   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
- static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
-+static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
- static int ssl_cert_digest(
-   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
- static void maybe_log_shutdown_state(struct vsf_session* p_sess);
@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
 static int ssl_inited;
 static struct mystr debug_str;
@ -140,18 +140,18 @@ index c362983..22b69b3 100644
     if (tunable_ssl_ciphers &&
         SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
     {
-@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
+@@ -184,6 +260,9 @@
       /* Ensure cached session doesn't expire */
       SSL_CTX_set_timeout(p_ctx, INT_MAX);
     }
-+    
+
 +    SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 +
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
+@@ -854,6 +933,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
   }
-@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
-   return 1;
 }
 
 +#define UNUSED(x) ( (void)(x) )
@ -162,7 +162,7 @@ index c362983..22b69b3 100644
 +  // strict compiler bypassing
 +  UNUSED(ssl);
 +  UNUSED(is_export);
-+  
+
 +  return DH_get_dh(keylength);
 +}
 +
--- a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
+++ b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch
@ -36,8 +36,8 @@ index 22b69b3..96bf8ad 100644
     if (!tunable_sslv2)
     {
       options |= SSL_OP_NO_SSLv2;
-@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
-     
+@@ -244,6 +244,41 @@
+ 
     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 
 +    if (tunable_ecdh_param_file)
@ -75,9 +75,9 @@ index 22b69b3..96bf8ad 100644
 +#endif
 +    }
 +
-     p_sess->p_ssl_ctx = p_ctx;
-     ssl_inited = 1;
-   }
+     /* Set up ALPN to check for FTP protocol intention of client. */
+     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+     /* Set up SNI callback for an optional hostname check. */
 diff --git a/tunables.c b/tunables.c
 index 1ea7227..93f85b1 100644
 --- a/tunables.c
--- a/0025-Improve-local_max_rate-option.patch
+++ b/0025-Improve-local_max_rate-option.patch
@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
 index eaba265..f1e2f69 100644
 --- a/main.c
 +++ b/main.c
-@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
+@@ -40,7 +40,7 @@
     /* Control connection */
-     0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0,
     /* Data connection */
 -    -1, 0, -1, 0, 0, 0, 0,
 +    -1, 0, -1, 0, 0, 0, 0, 0,
--- a/0040-Use-system-wide-crypto-policy.patch
+++ b/0040-Use-system-wide-crypto-policy.patch
@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
 Date: Tue, 29 Aug 2017 10:32:16 +0200
 Subject: [PATCH 40/59] Use system wide crypto policy

-Resolves: rhbz#1483970
+Resolves: rhbz#
 ---
 tunables.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
@ -16,8 +16,8 @@ index 5440c00..354251c 100644
   install_str_setting(0, &tunable_dsa_cert_file);
   install_str_setting(0, &tunable_dh_param_file);
   install_str_setting(0, &tunable_ecdh_param_file);
-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
-          &tunable_ssl_ciphers);
+-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
+-                      &tunable_ssl_ciphers);
 +  install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
   install_str_setting(0, &tunable_rsa_private_key_file);
   install_str_setting(0, &tunable_dsa_private_key_file);
--- a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
+++ b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
 security precaution as it prevents malicious remote parties forcing a cipher
 which they have found problems with.
 
-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
+-Default: DES-CBC3-SHA
 +By default, the system-wide crypto policy is used. See
 +.BR update-crypto-policies(8)
 +for further details.
 +
 +Default: PROFILE=SYSTEM
 .TP
- .B user_config_dir
- This powerful option allows the override of any config option specified in
+ .B ssl_sni_hostname
+ If set, SSL connections will be rejected unless the SNI hostname in the
 -- 
 2.14.4

--- a/fix-str_open.patch
+++ b/fix-str_open.patch
@ -1,11 +1,10 @@
-diff -ruN vsftpd-3.0.3.orig/sysstr.c vsftpd-3.0.3/sysstr.c
--- vsftpd-3.0.3.orig/sysstr.c	2020-11-17 09:47:03.872923383 +0100
-+++ vsftpd-3.0.3/sysstr.c	2020-11-17 09:48:41.219754145 +0100
+--- sysstr-orig.c	2022-07-27 09:44:52.606408000 +0200
+++ sysstr.c	2022-07-27 09:54:24.043081352 +0200
@@ -74,19 +74,11 @@
 int
 str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
 {
-  enum EVSFSysUtilOpenMode open_mode = kVSFSysStrOpenUnknown;
+-  enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
 -  switch (mode)
 -  {
 -    case kVSFSysStrOpenReadOnly:
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7
+SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee
--- a/vsftpd-3.0.3-ALPACA.patch
+++ b/vsftpd-3.0.3-ALPACA.patch
@ -0,0 +1,225 @@
+diff --git a/parseconf.c b/parseconf.c
+index 3729818..ee1b8b4 100644
+--- a/parseconf.c
+++ b/parseconf.c
+@@ -188,6 +188,7 @@ parseconf_str_array[] =
+   { "rsa_private_key_file", &tunable_rsa_private_key_file },
+   { "dsa_private_key_file", &tunable_dsa_private_key_file },
+   { "ca_certs_file", &tunable_ca_certs_file },
+  { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
+   { "cmds_denied", &tunable_cmds_denied },
+   { 0, 0 }
+ };
+diff --git a/ssl.c b/ssl.c
+index 09ec96a..b622347 100644
+--- a/ssl.c
+++ b/ssl.c
+@@ -41,6 +41,13 @@ static long bio_callback(
+   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
+ static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
+ static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+static int ssl_alpn_callback(SSL* p_ssl,
+                             const unsigned char** p_out,
+                             unsigned char* outlen,
+                             const unsigned char* p_in,
+                             unsigned int inlen,
+                             void* p_arg);
+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
+ static int ssl_cert_digest(
+   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
+ static void maybe_log_shutdown_state(struct vsf_session* p_sess);
+@@ -285,6 +292,11 @@ ssl_init(struct vsf_session* p_sess)
+       SSL_CTX_set_timeout(p_ctx, INT_MAX);
+     }
+     
+    /* Set up ALPN to check for FTP protocol intention of client. */
+    SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
+    /* Set up SNI callback for an optional hostname check. */
+    SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
+    SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
+     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
+ 
+     if (tunable_ecdh_param_file)
+@@ -871,6 +883,133 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
+   return DH_get_dh(keylength);
+ }
+ 
+static int
+ssl_alpn_callback(SSL* p_ssl,
+                  const unsigned char** p_out,
+                  unsigned char* outlen,
+                  const unsigned char* p_in,
+                  unsigned int inlen,
+                  void* p_arg) {
+    unsigned int i;
+    struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+    int is_ok = 0;
+
+    (void) p_ssl;
+
+    /* Initialize just in case. */
+    *p_out = p_in;
+    *outlen = 0;
+
+    for (i = 0; i < inlen; ++i) {
+        unsigned int left = (inlen - i);
+        if (left < 4) {
+            continue;
+        }
+        if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
+            p_in[i + 3] == 'p')
+        {
+            is_ok = 1;
+            *p_out = &p_in[i + 1];
+            *outlen = 3;
+            break;
+        }
+    }
+
+    if (!is_ok)
+    {
+        str_alloc_text(&debug_str, "ALPN rejection");
+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+    if (!is_ok || tunable_debug_ssl)
+    {
+        str_alloc_text(&debug_str, "ALPN data: ");
+        for (i = 0; i < inlen; ++i) {
+            str_append_char(&debug_str, p_in[i]);
+        }
+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+
+    if (is_ok)
+    {
+        return SSL_TLSEXT_ERR_OK;
+    }
+    else
+    {
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+}
+
+static long
+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
+{
+    static struct mystr s_sni_expected_hostname;
+    static struct mystr s_sni_received_hostname;
+
+    int servername_type;
+    const char* p_sni_servername;
+    struct vsf_session* p_sess = (struct vsf_session*) p_arg;
+    int is_ok = 0;
+
+    (void) p_ssl;
+    (void) p_arg;
+
+    if (tunable_ssl_sni_hostname)
+    {
+        str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
+    }
+
+    /* The OpenSSL documentation says it is pre-initialized like this, but set
+     * it just in case.
+     */
+    *p_al = SSL_AD_UNRECOGNIZED_NAME;
+
+    servername_type = SSL_get_servername_type(p_ssl);
+    p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
+    if (p_sni_servername != NULL) {
+        str_alloc_text(&s_sni_received_hostname, p_sni_servername);
+    }
+
+    if (str_isempty(&s_sni_expected_hostname))
+    {
+        is_ok = 1;
+    }
+    else if (servername_type != TLSEXT_NAMETYPE_host_name)
+    {
+        /* Fail. */
+        str_alloc_text(&debug_str, "SNI bad type: ");
+        str_append_ulong(&debug_str, servername_type);
+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+    else
+    {
+        if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
+        {
+            is_ok = 1;
+        }
+        else
+        {
+            str_alloc_text(&debug_str, "SNI rejection");
+            vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+        }
+    }
+
+    if (!is_ok || tunable_debug_ssl)
+    {
+        str_alloc_text(&debug_str, "SNI hostname: ");
+        str_append_str(&debug_str, &s_sni_received_hostname);
+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
+    }
+
+    if (is_ok)
+    {
+        return SSL_TLSEXT_ERR_OK;
+    }
+    else
+    {
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+}
+
+ void
+ ssl_add_entropy(struct vsf_session* p_sess)
+ {
+diff --git a/tunables.c b/tunables.c
+index c96c1ac..d8dfcde 100644
+--- a/tunables.c
+++ b/tunables.c
+@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers;
+ const char* tunable_rsa_private_key_file;
+ const char* tunable_dsa_private_key_file;
+ const char* tunable_ca_certs_file;
+const char* tunable_ssl_sni_hostname;
+ 
+ static void install_str_setting(const char* p_value, const char** p_storage);
+ 
+@@ -309,6 +310,7 @@ tunables_load_defaults()
+   install_str_setting(0, &tunable_rsa_private_key_file);
+   install_str_setting(0, &tunable_dsa_private_key_file);
+   install_str_setting(0, &tunable_ca_certs_file);
+  install_str_setting(0, &tunable_ssl_sni_hostname);
+ }
+ 
+ void
+diff --git a/tunables.h b/tunables.h
+index 8d50150..de6cab0 100644
+--- a/tunables.h
+++ b/tunables.h
+@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers;
+ extern const char* tunable_rsa_private_key_file;
+ extern const char* tunable_dsa_private_key_file;
+ extern const char* tunable_ca_certs_file;
+extern const char* tunable_ssl_sni_hostname;
+ extern const char* tunable_cmds_denied;
+ 
+ #endif /* VSF_TUNABLES_H */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 815773f..7006287 100644
+--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
+@@ -1128,6 +1128,12 @@ for further details.
+ 
+ Default: PROFILE=SYSTEM
+ .TP
+.B ssl_sni_hostname
+If set, SSL connections will be rejected unless the SNI hostname in the
+incoming handshakes matches this value.
+
+Default: (none)
+.TP
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
+ the manual page, on a per-user basis. Usage is simple, and is best illustrated
--- a/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
+++ b/vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -1,8 +1,8 @@
 %global _generatorsdir %{_prefix}/lib/systemd/system-generators

 Name:    vsftpd
-Version: 3.0.3
-Release: 45%{?dist}
+Version: 3.0.5
+Release: 1%{?dist}
 Summary: Very Secure Ftp Daemon

 # OpenSSL link exception
@ -61,7 +61,7 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
 Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
 Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
 Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
-Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
+#Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
 Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
 Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
@ -70,8 +70,8 @@ Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
 Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
 Patch40: 0040-Use-system-wide-crypto-policy.patch
 Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
-Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
-Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
+#Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+#Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
 Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
 Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
 Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@ -97,8 +97,8 @@ Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
 Patch68: 0002-Drop-an-unused-global-variable.patch
 Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch70: fix-str_open.patch
+Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
 # upstream commits 56402c0, 8b82e73
-Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch

 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@ -167,6 +167,13 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp

 %changelog
+* Thu Jul 28 2022 Richard Lescak <rlescak@redhat.com> 3.0.5-1
+- rebase to version 3.0.5
+
+* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-46
+- ALPACA fix backported from upstram 3.0.5 version
+- Resolves: rhbz#1975648
+
 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-45
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Author	SHA1	Message	Date
Richard Lescak	27cd211262	rebase to version 3.0.5	2022-08-01 15:31:07 +02:00
Artem Egorenkov	c2ae83edb8	- ALPACA fix backported from upstram 3.0.5 version - Relates: rhbz#1975648	2021-10-13 17:20:15 +02:00