.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -6,4 +6,3 @@ vsftpd-2.3.2.tar.gz
 /vsftpd-3.0.1.tar.gz
 /vsftpd-3.0.2.tar.gz
 /vsftpd-3.0.3.tar.gz
-/vsftpd-3.0.5.tar.gz

0001-Fix-timestamp-handling-in-MDTM.patch

@@ -1,151 +0,0 @@
-From 6a4dc470e569df38b8a7ea09ee6aace3c73b7353 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Wed, 28 Mar 2018 09:06:34 +0200
-Subject: [PATCH 1/2] Fix timestamp handling in MDTM
-
-There were two problems with the timestamp handling with MDTM:
-
-1. In vsf_sysutil_parse_time(), the `the_time.tm_isdst` attribute was
-   always set to 0, regardless of whether DST (daylight saving time)
-   is active on the given date or not.
-
-   This made glibc shift the timestamp when DST was in fact active on
-   the given date, in an attempt to correct the discrepancy between
-   the given timestamp and the `tm_isdst` attribute. The shifting
-   produced incorrect results however.
-
-   We fix this by setting `tm_isdst` to -1 to let glibc decide if DST
-   is active or not at the time of the timestamp. glibc won't touch
-   the timestamp then.
-
-2. vsftpd used to record the offset from UTC of the current timezone
-   in the global variable `s_timezone`. This variable was then
-   subtracted from the variable `the_time` in vsf_sysutil_setmodtime()
-   when the config option use_localtime=NO was set. This was done to
-   compensate for the fact that mktime(), used in
-   vsf_sysutil_parse_time(), expects a timestamp expressed as local
-   time, whereas vsftpd is dealing with universal time.
-
-   However, this did not work in the case when the offset stored in
-   `s_timezone` did not match the timezone of the timestamp given to
-   mktime() - this happens when DST is active at the current time, but
-   DST is not active at the time of the timestamp, or vice versa.
-
-   We fix this by subtracting the real timezone offset directly in
-   vsf_sysutil_parse_time().
-
-   Note that the `tm_gmtoff` attribute, used in this fix, is a
-   BSD/glic extension. However, using `tm_gmtoff` seems like the
-   simplest solution and we need to make this work only with glibc
-   anyway.
-
-The fix was tested in the following way. We checked that the timestamp
-given to the MDTM command when setting modification time exactly
-matches the timestamp received as response from MDTM when reading back
-the modification time. Additionally, we checked that the modification
-time was set correctly on the given file on disk.
-
-These two checks were performed under various conditions - all the
-combinations of DST/non-DST system time, DST/non-DST modification
-time, use_localtime=YES/NO.
-
-Note that (I think) this will still not work if the rules for when DST
-is active change. For example, if DST is ever completely cancelled in
-the Europe/Prague timezone, and vsftpd is dealing with a timestamp
-from a time when DST was active, it will produce incorrect results. I
-think we would need the full zone file to fix this, but the zone file
-is hard to provide when we're chroot-ed.
-
-Resolves: rhbz#1567855
----
- postlogin.c |  5 +++--
- sysutil.c   | 17 ++++++++++-------
- sysutil.h   |  4 ++--
- 3 files changed, 15 insertions(+), 11 deletions(-)
-
-diff --git a/postlogin.c b/postlogin.c
-index 7c749ef..8a3d9d2 100644
---- a/postlogin.c
-+++ b/postlogin.c
-@@ -1788,7 +1788,8 @@ handle_mdtm(struct vsf_session* p_sess)
-   if (do_write != 0)
-   {
-     str_split_char(&p_sess->ftp_arg_str, &s_filename_str, ' ');
--    modtime = vsf_sysutil_parse_time(str_getbuf(&p_sess->ftp_arg_str));
-+    modtime = vsf_sysutil_parse_time(
-+      str_getbuf(&p_sess->ftp_arg_str), tunable_use_localtime);
-     str_copy(&p_sess->ftp_arg_str, &s_filename_str);
-   }
-   resolve_tilde(&p_sess->ftp_arg_str, p_sess);
-@@ -1809,7 +1810,7 @@ handle_mdtm(struct vsf_session* p_sess)
-     else
-     {
-       retval = vsf_sysutil_setmodtime(
--        str_getbuf(&p_sess->ftp_arg_str), modtime, tunable_use_localtime);
-+        str_getbuf(&p_sess->ftp_arg_str), modtime);
-       if (retval != 0)
-       {
-         vsf_cmdio_write(p_sess, FTP_FILEFAIL,
-diff --git a/sysutil.c b/sysutil.c
-index e847650..66d4c5e 100644
---- a/sysutil.c
-+++ b/sysutil.c
-@@ -2819,11 +2819,13 @@ vsf_sysutil_syslog(const char* p_text, int severe)
- }
- 
- long
--vsf_sysutil_parse_time(const char* p_text)
-+vsf_sysutil_parse_time(const char* p_text, int is_localtime)
- {
-+  long res;
-   struct tm the_time;
-   unsigned int len = vsf_sysutil_strlen(p_text);
-   vsf_sysutil_memclr(&the_time, sizeof(the_time));
-+  the_time.tm_isdst = -1;
-   if (len >= 8)
-   {
-     char yr[5];
-@@ -2848,17 +2850,18 @@ vsf_sysutil_parse_time(const char* p_text)
-     the_time.tm_min = vsf_sysutil_atoi(mins);
-     the_time.tm_sec = vsf_sysutil_atoi(sec);
-   }
--  return mktime(&the_time);
-+  res = mktime(&the_time);
-+  if (!is_localtime)
-+  {
-+    res += the_time.tm_gmtoff;
-+  }
-+  return res;
- }
- 
- int
--vsf_sysutil_setmodtime(const char* p_file, long the_time, int is_localtime)
-+vsf_sysutil_setmodtime(const char* p_file, long the_time)
- {
-   struct utimbuf new_times;
--  if (!is_localtime)
--  {
--    the_time -= s_timezone;
--  }
-   vsf_sysutil_memclr(&new_times, sizeof(new_times));
-   new_times.actime = the_time;
-   new_times.modtime = the_time;
-diff --git a/sysutil.h b/sysutil.h
-index 7a59f13..b90f6ca 100644
---- a/sysutil.h
-+++ b/sysutil.h
-@@ -349,9 +349,9 @@ void vsf_sysutil_chroot(const char* p_root_path);
-  */
- long vsf_sysutil_get_time_sec(void);
- long vsf_sysutil_get_time_usec(void);
--long vsf_sysutil_parse_time(const char* p_text);
-+long vsf_sysutil_parse_time(const char* p_text, int is_localtime);
- void vsf_sysutil_sleep(double seconds);
--int vsf_sysutil_setmodtime(const char* p_file, long the_time, int is_localtime);
-+int vsf_sysutil_setmodtime(const char* p_file, long the_time);
- 
- /* Limits */
- void vsf_sysutil_set_address_space_limit(unsigned long bytes);
--- 
-2.24.1
-

0001-Move-closing-standard-FDs-after-listen.patch

@@ -1,46 +0,0 @@
-From 40fea4552377504ce69935149e64e39a595f4600 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Sat, 3 Aug 2019 17:50:14 +0200
-Subject: [PATCH 1/2] Move closing standard FDs after listen()
-
-The vsf_sysutil_close() calls need to be moved a bit further so that
-die() works properly in case listen() fails.
-
-I see no reason the calls should be placed before listen()
-specifically, as they are now. My guess is that the author who added
-the calls thought that listen() is a blocking call, which is not the
-case. The only thing we need to satisfy is that close() is called
-before accept, because that is a blocking call. That's all that is
-needed to fix the bug that was fixed by adding the close() calls.
-
-Resolves: rhbz#1666380
----
- standalone.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/standalone.c b/standalone.c
-index 3f35e9e..b358ca1 100644
---- a/standalone.c
-+++ b/standalone.c
-@@ -152,15 +152,15 @@ vsf_standalone_main(void)
-       vsf_sysutil_kill(vsf_sysutil_getppid(), kVSFSysUtilSigUSR1);
-     }
-   }
--  vsf_sysutil_close(0);
--  vsf_sysutil_close(1);
--  vsf_sysutil_close(2);
-   retval = vsf_sysutil_listen(listen_sock, VSFTP_LISTEN_BACKLOG);
-   if (vsf_sysutil_retval_is_error(retval))
-   {
-     die("could not listen");
-   }
-   vsf_sysutil_sockaddr_alloc(&p_accept_addr);
-+  vsf_sysutil_close(0);
-+  vsf_sysutil_close(1);
-+  vsf_sysutil_close(2);
-   while (1)
-   {
-     struct vsf_client_launch child_info;
--- 
-2.20.1
-

0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch

@@ -1,25 +0,0 @@
-From ab797dcffc855b05c9e7c8db4e5be2fc7510831b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Tue, 17 Mar 2020 12:57:36 +0100
-Subject: [PATCH] Remove a hint about the ftp_home_dir SELinux boolean
-
-The boolean has been removed from SELinux.
----
- vsftpd.conf | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/vsftpd.conf b/vsftpd.conf
-index 6b8eebb..ea20a72 100644
---- a/vsftpd.conf
-+++ b/vsftpd.conf
-@@ -12,7 +12,6 @@
- anonymous_enable=NO
- #
- # Uncomment this to allow local users to log in.
--# When SELinux is enforcing check for SE bool ftp_home_dir
- local_enable=YES
- #
- # Uncomment this to enable any form of FTP write command.
--- 
-2.25.1
-

0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch

@@ -1,108 +0,0 @@
-From 7957425ef5ab365fc96ea0615f99705581c6dbd8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Mon, 12 Aug 2019 18:15:36 +0200
-Subject: [PATCH] Repeat pututxline() until it succeeds if it fails with EINTR
-
-Since the pututxline() bug rhbz#1749439 is now fixed in glibc in
-Fedora and RHEL-8, we can implement a complete solution for the stale
-utmp entries issue originally reported as rhbz#1688848.
-
-This patch is a followup to commit 896b3694ca062d7.
-
-Resolves: rhbz#1688852
-Resolves: rhbz#1737433
----
- sysdeputil.c | 53 +++++++++++++---------------------------------------
- 1 file changed, 13 insertions(+), 40 deletions(-)
-
-diff --git a/sysdeputil.c b/sysdeputil.c
-index 4fbcca7..75be680 100644
---- a/sysdeputil.c
-+++ b/sysdeputil.c
-@@ -1203,7 +1203,7 @@ void
- vsf_insert_uwtmp(const struct mystr* p_user_str,
-                  const struct mystr* p_host_str)
- {
--  int attempts;
-+  struct utmpx* p_res;
- 
-   if (sizeof(s_utent.ut_line) < 16)
-   {
-@@ -1233,34 +1233,21 @@ vsf_insert_uwtmp(const struct mystr* p_user_str,
-   vsf_sysutil_strcpy(s_utent.ut_host, str_getbuf(p_host_str),
-                      sizeof(s_utent.ut_host));
-   s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
--  for (attempts = 2; attempts > 0; --attempts)
-+  setutxent();
-+  do
-   {
--    struct utmpx* p_res;
--    setutxent();
-     p_res = pututxline(&s_utent);
-     /* For now we'll ignore errors other than EINTR and EAGAIN */
--    if (p_res != NULL || (errno != EINTR && errno != EAGAIN))
--    {
--      break;
--    }
--  }
--  if (attempts == 0)
--  {
--    /* This makes us skip pututxline() in vsf_remove_uwtmp() */
--    s_uwtmp_inserted = -1;
--  }
--  else
--  {
--    s_uwtmp_inserted = 1;
--    endutxent();
--  }
-+  } while (p_res == NULL && (errno == EINTR || errno == EAGAIN));
-+  s_uwtmp_inserted = 1;
-+  endutxent();
-   updwtmpx(WTMPX_FILE, &s_utent);
- }
- 
- void
- vsf_remove_uwtmp(void)
- {
--  int attempts;
-+  struct utmpx* p_res;
- 
-   if (!s_uwtmp_inserted)
-   {
-@@ -1270,27 +1257,13 @@ vsf_remove_uwtmp(void)
-   vsf_sysutil_memclr(s_utent.ut_user, sizeof(s_utent.ut_user));
-   vsf_sysutil_memclr(s_utent.ut_host, sizeof(s_utent.ut_host));
-   s_utent.ut_tv.tv_sec = 0;
--  if (s_uwtmp_inserted == 1)
-+  setutxent();
-+  do
-   {
--    for (attempts = 2; attempts > 0; --attempts)
--    {
--      struct utmpx* p_res;
--      setutxent();
--      p_res = pututxline(&s_utent);
--      /* For now we'll ignore errors other than EINTR and EAGAIN */
--      if (p_res != NULL || (errno != EINTR && errno != EAGAIN))
--      {
--        break;
--      }
--    }
--    if (attempts != 0)
--    {
--      endutxent();
--    }
--  }
--  /* Set s_uwtmp_inserted to 0 regardless of the result of
--   * pututxline() to make sure we won't run this function twice.
--   */
-+    p_res = pututxline(&s_utent);
-+    /* For now we'll ignore errors other than EINTR and EAGAIN */
-+  } while (p_res == NULL && (errno == EINTR || errno == EAGAIN));
-+  endutxent();
-   s_uwtmp_inserted = 0;
-   s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
-   updwtmpx(WTMPX_FILE, &s_utent);
--- 
-2.20.1
-

0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch

@@ -1,53 +0,0 @@
-From 96698a525784ad91cb27b572dd5f871c183fdfa5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Sun, 28 Jul 2019 12:25:35 +0200
-Subject: [PATCH 1/2] Set s_uwtmp_inserted only after record insertion/removal
-
-pututxline() is the function that actually inserts the new record, so
-setting 's_uwtmp_inserted' before calling pututxline() doesn't make
-sense.
-
-We'll need this change for other fixes.
----
- sysdeputil.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sysdeputil.c b/sysdeputil.c
-index 4fe56c2..bd1e8c9 100644
---- a/sysdeputil.c
-+++ b/sysdeputil.c
-@@ -1224,7 +1224,6 @@ vsf_insert_uwtmp(const struct mystr* p_user_str,
-                        sizeof(s_utent.ut_line));
-     str_free(&line_str);
-   }
--  s_uwtmp_inserted = 1;
-   s_utent.ut_type = USER_PROCESS;
-   s_utent.ut_pid = vsf_sysutil_getpid();
-   vsf_sysutil_strcpy(s_utent.ut_user, str_getbuf(p_user_str),
-@@ -1235,6 +1234,7 @@ vsf_insert_uwtmp(const struct mystr* p_user_str,
-   setutxent();
-   (void) pututxline(&s_utent);
-   endutxent();
-+  s_uwtmp_inserted = 1;
-   updwtmpx(WTMPX_FILE, &s_utent);
- }
- 
-@@ -1245,7 +1245,6 @@ vsf_remove_uwtmp(void)
-   {
-     return;
-   }
--  s_uwtmp_inserted = 0;
-   s_utent.ut_type = DEAD_PROCESS;
-   vsf_sysutil_memclr(s_utent.ut_user, sizeof(s_utent.ut_user));
-   vsf_sysutil_memclr(s_utent.ut_host, sizeof(s_utent.ut_host));
-@@ -1253,6 +1252,7 @@ vsf_remove_uwtmp(void)
-   setutxent();
-   (void) pututxline(&s_utent);
-   endutxent();
-+  s_uwtmp_inserted = 0;
-   s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
-   updwtmpx(WTMPX_FILE, &s_utent);
- }
--- 
-2.20.1
-

0002-Drop-an-unused-global-variable.patch

@@ -1,56 +0,0 @@
-From d0045e35674d64d166d17c3c079ae03e8c2e6361 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Thu, 13 Feb 2020 17:29:06 +0100
-Subject: [PATCH 2/2] Drop an unused global variable
-
-The global variable `s_timezone` is not used anymore, so we can drop
-it.
----
- sysutil.c | 17 +++--------------
- 1 file changed, 3 insertions(+), 14 deletions(-)
-
-diff --git a/sysutil.c b/sysutil.c
-index 66d4c5e..0ccf551 100644
---- a/sysutil.c
-+++ b/sysutil.c
-@@ -72,8 +72,6 @@ static struct timeval s_current_time;
- static int s_current_pid = -1;
- /* Exit function */
- static exitfunc_t s_exit_func;
--/* Difference in timezone from GMT in seconds */
--static long s_timezone;
- 
- /* Our internal signal handling implementation details */
- static struct vsf_sysutil_sig_details
-@@ -2661,7 +2659,6 @@ char* vsf_sysutil_get_tz()
- void
- vsf_sysutil_tzset(void)
- {
--  int retval;
-   char *tz=NULL, tzbuf[sizeof("+HHMM!")];
-   time_t the_time = time(NULL);
-   struct tm* p_tm;
-@@ -2681,17 +2678,9 @@ vsf_sysutil_tzset(void)
-   {
-     die("localtime");
-   }
--  retval = strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
--  tzbuf[sizeof(tzbuf) - 1] = '\0';
--  if (retval == 5)
--  {
--    s_timezone = ((tzbuf[1] - '0') * 10 + (tzbuf[2] - '0')) * 60 * 60;
--    s_timezone += ((tzbuf[3] - '0') * 10 + (tzbuf[4] - '0')) * 60;
--    if (tzbuf[0] == '+')
--    {
--      s_timezone *= -1;
--    }
--  }
-+  /* Not sure if the following call to strftime() has any desired side
-+     effects, so I'm keeping it to be safe. */
-+  (void) strftime(tzbuf, sizeof(tzbuf), "%z", p_tm);
-   /* Call in to the time subsystem again now that TZ is set, trying to force
-    * caching of the actual zoneinfo for the timezone.
-    */
--- 
-2.24.1
-

0002-Prevent-recursion-in-bug.patch

@@ -1,107 +0,0 @@
-From e679a3ce0f2cf1558da31e0bccd9e2398b89c7e9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Tue, 30 Jul 2019 16:07:01 +0200
-Subject: [PATCH 2/2] Prevent recursion in bug()
-
-Resolves: rhbz#1666380
----
- sysutil.c | 35 +++++++++++++++++++++++++++++++----
- sysutil.h |  1 +
- utility.c | 12 +++++++-----
- 3 files changed, 39 insertions(+), 9 deletions(-)
-
-diff --git a/sysutil.c b/sysutil.c
-index fd07d99..e2df671 100644
---- a/sysutil.c
-+++ b/sysutil.c
-@@ -774,21 +774,48 @@ vsf_sysutil_deactivate_linger_failok(int fd)
-   (void) setsockopt(fd, SOL_SOCKET, SO_LINGER, &the_linger, sizeof(the_linger));
- }
- 
--void
--vsf_sysutil_activate_noblock(int fd)
-+static int
-+vsf_sysutil_activate_noblock_internal(int fd, int return_err)
- {
-   int retval;
-   int curr_flags = fcntl(fd, F_GETFL);
-   if (vsf_sysutil_retval_is_error(curr_flags))
-   {
--    die("fcntl");
-+    if (return_err)
-+    {
-+      return -1;
-+    }
-+    else
-+    {
-+      die("fcntl");
-+    }
-   }
-   curr_flags |= O_NONBLOCK;
-   retval = fcntl(fd, F_SETFL, curr_flags);
-   if (retval != 0)
-   {
--    die("fcntl");
-+    if (return_err)
-+    {
-+      return -1;
-+    }
-+    else
-+    {
-+      die("fcntl");
-+    }
-   }
-+  return 0;
-+}
-+
-+void
-+vsf_sysutil_activate_noblock(int fd)
-+{
-+  (void) vsf_sysutil_activate_noblock_internal(fd, 0);
-+}
-+
-+int
-+vsf_sysutil_activate_noblock_no_die(int fd)
-+{
-+  return vsf_sysutil_activate_noblock_internal(fd, 1);
- }
- 
- void
-diff --git a/sysutil.h b/sysutil.h
-index 2df14ed..0772423 100644
---- a/sysutil.h
-+++ b/sysutil.h
-@@ -281,6 +281,7 @@ void vsf_sysutil_activate_oobinline(int fd);
- void vsf_sysutil_activate_linger(int fd);
- void vsf_sysutil_deactivate_linger_failok(int fd);
- void vsf_sysutil_activate_noblock(int fd);
-+int vsf_sysutil_activate_noblock_no_die(int fd);
- void vsf_sysutil_deactivate_noblock(int fd);
- /* This does SHUT_RDWR */
- void vsf_sysutil_shutdown_failok(int fd);
-diff --git a/utility.c b/utility.c
-index 75e5bdd..5619a04 100644
---- a/utility.c
-+++ b/utility.c
-@@ -47,11 +47,13 @@ bug(const char* p_text)
-   {
-     vsf_log_die(p_text);
-   }
--  vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
--  (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10);
--  (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text,
--                                vsf_sysutil_strlen(p_text));
--  (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2);
-+  if (vsf_sysutil_activate_noblock_no_die(VSFTP_COMMAND_FD) == 0)
-+  {
-+    (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10);
-+    (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text,
-+				  vsf_sysutil_strlen(p_text));
-+    (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2);
-+  }
-   if (tunable_log_die)
-   {
-     /* Workaround for https://github.com/systemd/systemd/issues/2913 */
--- 
-2.20.1
-

0002-Repeat-pututxline-if-it-fails-with-EINTR.patch

@@ -1,105 +0,0 @@
-From 896b3694ca062d747cd67e9e9ba246adb3fc706b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
-Date: Mon, 5 Aug 2019 13:55:37 +0200
-Subject: [PATCH 2/2] Repeat pututxline() if it fails with EINTR
-
-This is a partial fix for rhbz#1688848. We cannot resolve it
-completely until glibc bug rhbz#1734791 is fixed. See
-https://bugzilla.redhat.com/show_bug.cgi?id=1688848#c13.
-
-The maximum number of attempts is currently 2, which might seem
-low. However setting it to 2 was a decision based on data - see
-https://bugzilla.redhat.com/show_bug.cgi?id=1688848#c16.
-
-Resolves: rhbz#1688848
----
- sysdeputil.c | 53 +++++++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 46 insertions(+), 7 deletions(-)
-
-diff --git a/sysdeputil.c b/sysdeputil.c
-index bd1e8c9..4fbcca7 100644
---- a/sysdeputil.c
-+++ b/sysdeputil.c
-@@ -1203,6 +1203,8 @@ void
- vsf_insert_uwtmp(const struct mystr* p_user_str,
-                  const struct mystr* p_host_str)
- {
-+  int attempts;
-+
-   if (sizeof(s_utent.ut_line) < 16)
-   {
-     return;
-@@ -1231,16 +1233,35 @@ vsf_insert_uwtmp(const struct mystr* p_user_str,
-   vsf_sysutil_strcpy(s_utent.ut_host, str_getbuf(p_host_str),
-                      sizeof(s_utent.ut_host));
-   s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
--  setutxent();
--  (void) pututxline(&s_utent);
--  endutxent();
--  s_uwtmp_inserted = 1;
-+  for (attempts = 2; attempts > 0; --attempts)
-+  {
-+    struct utmpx* p_res;
-+    setutxent();
-+    p_res = pututxline(&s_utent);
-+    /* For now we'll ignore errors other than EINTR and EAGAIN */
-+    if (p_res != NULL || (errno != EINTR && errno != EAGAIN))
-+    {
-+      break;
-+    }
-+  }
-+  if (attempts == 0)
-+  {
-+    /* This makes us skip pututxline() in vsf_remove_uwtmp() */
-+    s_uwtmp_inserted = -1;
-+  }
-+  else
-+  {
-+    s_uwtmp_inserted = 1;
-+    endutxent();
-+  }
-   updwtmpx(WTMPX_FILE, &s_utent);
- }
- 
- void
- vsf_remove_uwtmp(void)
- {
-+  int attempts;
-+
-   if (!s_uwtmp_inserted)
-   {
-     return;
-@@ -1249,9 +1270,27 @@ vsf_remove_uwtmp(void)
-   vsf_sysutil_memclr(s_utent.ut_user, sizeof(s_utent.ut_user));
-   vsf_sysutil_memclr(s_utent.ut_host, sizeof(s_utent.ut_host));
-   s_utent.ut_tv.tv_sec = 0;
--  setutxent();
--  (void) pututxline(&s_utent);
--  endutxent();
-+  if (s_uwtmp_inserted == 1)
-+  {
-+    for (attempts = 2; attempts > 0; --attempts)
-+    {
-+      struct utmpx* p_res;
-+      setutxent();
-+      p_res = pututxline(&s_utent);
-+      /* For now we'll ignore errors other than EINTR and EAGAIN */
-+      if (p_res != NULL || (errno != EINTR && errno != EAGAIN))
-+      {
-+        break;
-+      }
-+    }
-+    if (attempts != 0)
-+    {
-+      endutxent();
-+    }
-+  }
-+  /* Set s_uwtmp_inserted to 0 regardless of the result of
-+   * pututxline() to make sure we won't run this function twice.
-+   */
-   s_uwtmp_inserted = 0;
-   s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
-   updwtmpx(WTMPX_FILE, &s_utent);
--- 
-2.20.1
-

0014-Add-support-for-square-brackets-in-ls.patch

@@ -1,11 +1,14 @@
-commit de556b2643b5da622f501b435740c651b9f82554
-Author: Tomas Korbar <tkorbar@redhat.com>
-Date:   Mon Dec 15 02:00:00 2025 +0200
+From ba0520650ae7f9f63e48ba9fb3a94297aebe2d0c Mon Sep 17 00:00:00 2001
+From: Martin Sehnoutka <msehnout@redhat.com>
+Date: Wed, 7 Sep 2016 14:22:21 +0200
+Subject: [PATCH 14/59] Add support for square brackets in ls.
 
-    Add support for square brackets in ls.
+---
+ ls.c | 222 +++++++++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 150 insertions(+), 72 deletions(-)
 
 diff --git a/ls.c b/ls.c
-index 616b2d9..ab69af9 100644
+index 616b2d9..b840136 100644
 --- a/ls.c
 +++ b/ls.c
 @@ -246,7 +246,7 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
@@ -188,7 +191,7 @@ index 616b2d9..ab69af9 100644
 -          if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
 -                                         iters))
 +          unsigned int cur_pos;
-+          unsigned char stch, ench;
++          char stch, ench;
 +          const char *p_brace;
 +
 +          str_split_char(&filter_remain_str, &temp_str, ']');
@@ -213,7 +216,7 @@ index 616b2d9..ab69af9 100644
 +              cur_pos++;
 +            }
 +            // expand char[s]
-+            for (;stch <= ench && !str_isempty(&brace_list_str) && stch != 0; stch++)
++            for (;stch <= ench && !str_isempty(&brace_list_str); stch++)
 +            {
 +              str_empty(&new_filter_str);
 +              if (!matched)
@@ -269,4 +272,6 @@ index 616b2d9..ab69af9 100644
    }
    /* Any incoming string left means no match unless we ended on the correct
     * type of wildcard.
+-- 
+2.14.4
 

0021-Introduce-support-for-DHE-based-cipher-suites.patch

@@ -31,36 +31,81 @@ index c362983..22b69b3 100644
  #include <openssl/err.h>
  #include <openssl/rand.h>
  #include <openssl/bio.h>
++#include <openssl/dh.h>
 +#include <openssl/bn.h>
-+#include <openssl/param_build.h>
  #include <errno.h>
  #include <limits.h>
  
-@@ -58,6 +60,23 @@
+@@ -38,6 +40,7 @@ static void setup_bio_callbacks();
+ static long bio_callback(
+   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
+ static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
++static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
+ static int ssl_cert_digest(
+   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
+ static void maybe_log_shutdown_state(struct vsf_session* p_sess);
+@@ -51,6 +54,60 @@ static int ssl_read_common(struct vsf_session* p_sess,
  static int ssl_inited;
  static struct mystr debug_str;
  
-+EVP_PKEY *
-+DH_get_dh()
-+{
-+  OSSL_PARAM dh_params[2];
-+  EVP_PKEY *dh_key = NULL;
-+  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
 +
-+  dh_params[0] = OSSL_PARAM_construct_utf8_string("group", "ffdhe2048", 0);
-+  dh_params[1] = OSSL_PARAM_construct_end();
++// Grab prime number from OpenSSL; <openssl/bn.h>
++// (get_rfc*) for all available primes.
++// wraps selection of comparable algorithm strength
++#if !defined(match_dh_bits)
++  #define match_dh_bits(keylen) \
++    keylen >= 8191 ? 8192 : \
++    keylen >= 6143 ? 6144 : \
++    keylen >= 4095 ? 4096 : \
++    keylen >= 3071 ? 3072 : \
++    keylen >= 2047 ? 2048 : \
++    keylen >= 1535 ? 1536 : \
++    keylen >= 1023 ? 1024 : 768
++#endif
 +
-+  if (EVP_PKEY_keygen_init(pctx) <= 0 || EVP_PKEY_CTX_set_params(pctx, dh_params) <= 0)
-+    return NULL;
-+  EVP_PKEY_generate(pctx, &dh_key);
-+  EVP_PKEY_CTX_free(pctx);
-+  return dh_key;
++#if !defined(DH_get_prime)
++  BIGNUM *
++  DH_get_prime(int bits)
++  {
++    switch (bits) {
++      case 768:  return get_rfc2409_prime_768(NULL);
++      case 1024: return get_rfc2409_prime_1024(NULL);
++      case 1536: return get_rfc3526_prime_1536(NULL);
++      case 2048: return get_rfc3526_prime_2048(NULL);
++      case 3072: return get_rfc3526_prime_3072(NULL);
++      case 4096: return get_rfc3526_prime_4096(NULL);
++      case 6144: return get_rfc3526_prime_6144(NULL);
++      case 8192: return get_rfc3526_prime_8192(NULL);
++      // shouldn't happen when used match_dh_bits; strict compiler
++      default:   return NULL;
++    }
 +}
++#endif
++
++#if !defined(DH_get_dh)
++  // Grab DH parameters
++  DH *
++  DH_get_dh(int size)
++  {
++    DH *dh = DH_new();
++    if (!dh) {
++      return NULL;
++    }
++    dh->p = DH_get_prime(match_dh_bits(size));
++    BN_dec2bn(&dh->g, "2");
++    if (!dh->p || !dh->g)
++    {
++      DH_free(dh);
++      return NULL;
++    }
++    return dh;
++  }
++#endif
 +
  void
  ssl_init(struct vsf_session* p_sess)
  {
-@@ -72,7 +89,7 @@
+@@ -65,7 +122,7 @@ ssl_init(struct vsf_session* p_sess)
      {
        die("SSL: could not allocate SSL context");
      }
@@ -69,44 +114,61 @@ index c362983..22b69b3 100644
      if (!tunable_sslv2)
      {
        options |= SSL_OP_NO_SSLv2;
-@@ -149,8 +166,27 @@
+@@ -111,6 +168,25 @@ ssl_init(struct vsf_session* p_sess)
          die("SSL: cannot load DSA private key");
        }
      }
 +    if (tunable_dh_param_file)
 +    {
 +      BIO *bio;
-+      EVP_PKEY *dh_params = NULL;
++      DH *dhparams = NULL;
 +      if ((bio = BIO_new_file(tunable_dh_param_file, "r")) == NULL)
 +      {
 +        die("SSL: cannot load custom DH params");
 +      }
 +      else
 +      {
-+        dh_params = PEM_read_bio_Parameters(bio, NULL);
++        dhparams = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
 +        BIO_free(bio);
 +
-+        if (!SSL_CTX_set0_tmp_dh_pkey(p_ctx, dh_params))
-+	       {
++        if (!SSL_CTX_set_tmp_dh(p_ctx, dhparams))
++	{
 +          die("SSL: setting custom DH params failed");
-+        }
++	}
 +      }
 +    }
      if (tunable_ssl_ciphers &&
          SSL_CTX_set_cipher_list(p_ctx, tunable_ssl_ciphers) != 1)
      {
-       die("SSL: could not set cipher list");
-     }
-@@ -184,6 +226,9 @@
+@@ -165,6 +241,9 @@ ssl_init(struct vsf_session* p_sess)
        /* Ensure cached session doesn't expire */
        SSL_CTX_set_timeout(p_ctx, INT_MAX);
      }
++    
++    SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
 +
-+    SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
+     p_sess->p_ssl_ctx = p_ctx;
+     ssl_inited = 1;
+   }
+@@ -702,6 +781,18 @@ ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx)
+   return 1;
+ }
+ 
++#define UNUSED(x) ( (void)(x) )
 +
-     /* Set up ALPN to check for FTP protocol intention of client. */
-     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
-     /* Set up SNI callback for an optional hostname check. */
++static DH *
++ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
++{
++  // strict compiler bypassing
++  UNUSED(ssl);
++  UNUSED(is_export);
++  
++  return DH_get_dh(keylength);
++}
++
+ void
+ ssl_add_entropy(struct vsf_session* p_sess)
+ {
 diff --git a/tunables.c b/tunables.c
 index c737465..1ea7227 100644
 --- a/tunables.c

0022-Introduce-support-for-EDDHE-based-cipher-suites.patch

@@ -36,40 +36,48 @@ index 22b69b3..96bf8ad 100644
      if (!tunable_sslv2)
      {
        options |= SSL_OP_NO_SSLv2;
-@@ -244,6 +244,33 @@
- 
-     SSL_CTX_set0_tmp_dh_pkey(p_ctx, DH_get_dh());
+@@ -244,6 +244,41 @@ ssl_init(struct vsf_session* p_sess)
+     
+     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
  
 +    if (tunable_ecdh_param_file)
 +    {
 +      BIO *bio;
-+      EVP_PKEY *ec_params = NULL;
++      int nid;
++      EC_GROUP *ecparams = NULL;
++      EC_KEY *eckey;
 +
 +      if ((bio = BIO_new_file(tunable_ecdh_param_file, "r")) == NULL)
 +        die("SSL: cannot load custom ec params");
 +      else
 +      {
-+        ec_params = PEM_read_bio_Parameters(bio, NULL);
++        ecparams = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
 +        BIO_free(bio);
 +
-+        if (ec_params != NULL)
++        if (ecparams && (nid = EC_GROUP_get_curve_name(ecparams)) &&
++            (eckey = EC_KEY_new_by_curve_name(nid)))
 +        {
-+          if (!SSL_CTX_set1_groups_list(p_ctx, ec_params))
++          if (!SSL_CTX_set_tmp_ecdh(p_ctx, eckey))
 +            die("SSL: setting custom EC params failed");
-+	       }
-+	        else
++	}
++	else
 +        {
 +          die("SSL: getting ec group or key failed");
-+	       }
++	}
 +      }
 +    }
 +    else
 +    {
-+      SSL_CTX_set1_groups_list(p_ctx, "P-256");
++#if defined(SSL_CTX_set_ecdh_auto)
++      SSL_CTX_set_ecdh_auto(p_ctx, 1);
++#else
++      SSL_CTX_set_tmp_ecdh(p_ctx, EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
++#endif
 +    }
-     /* Set up ALPN to check for FTP protocol intention of client. */
-     SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
-     /* Set up SNI callback for an optional hostname check. */
++
+     p_sess->p_ssl_ctx = p_ctx;
+     ssl_inited = 1;
+   }
 diff --git a/tunables.c b/tunables.c
 index 1ea7227..93f85b1 100644
 --- a/tunables.c

0025-Improve-local_max_rate-option.patch

@@ -60,9 +60,9 @@ diff --git a/main.c b/main.c
 index eaba265..f1e2f69 100644
 --- a/main.c
 +++ b/main.c
-@@ -40,7 +40,7 @@
+@@ -40,7 +40,7 @@ main(int argc, const char* argv[])
      /* Control connection */
-     0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0,
      /* Data connection */
 -    -1, 0, -1, 0, 0, 0, 0,
 +    -1, 0, -1, 0, 0, 0, 0, 0,

0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch

@@ -0,0 +1,153 @@
+From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
+From: Martin Sehnoutka <msehnout@redhat.com>
+Date: Thu, 17 Nov 2016 13:36:17 +0100
+Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options.
+
+Users can now enable a specific version of TLS protocol.
+---
+ parseconf.c   |  2 ++
+ ssl.c         |  8 ++++++++
+ tunables.c    |  9 +++++++--
+ tunables.h    |  2 ++
+ vsftpd.conf.5 | 24 ++++++++++++++++++++----
+ 5 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/parseconf.c b/parseconf.c
+index a2c715b..33a1349 100644
+--- a/parseconf.c
++++ b/parseconf.c
+@@ -85,6 +85,8 @@ parseconf_bool_array[] =
+   { "ssl_sslv2", &tunable_sslv2 },
+   { "ssl_sslv3", &tunable_sslv3 },
+   { "ssl_tlsv1", &tunable_tlsv1 },
++  { "ssl_tlsv1_1", &tunable_tlsv1_1 },
++  { "ssl_tlsv1_2", &tunable_tlsv1_2 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
+diff --git a/ssl.c b/ssl.c
+index 96bf8ad..ba8a613 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -135,6 +135,14 @@ ssl_init(struct vsf_session* p_sess)
+     {
+       options |= SSL_OP_NO_TLSv1;
+     }
++    if (!tunable_tlsv1_1)
++    {
++      options |= SSL_OP_NO_TLSv1_1;
++    }
++    if (!tunable_tlsv1_2)
++    {
++      options |= SSL_OP_NO_TLSv1_2;
++    }
+     SSL_CTX_set_options(p_ctx, options);
+     if (tunable_rsa_cert_file)
+     {
+diff --git a/tunables.c b/tunables.c
+index 93f85b1..78f2bcd 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
+ int tunable_sslv2;
+ int tunable_sslv3;
+ int tunable_tlsv1;
++int tunable_tlsv1_1;
++int tunable_tlsv1_2;
+ int tunable_tilde_user_enable;
+ int tunable_force_anon_logins_ssl;
+ int tunable_force_anon_data_ssl;
+@@ -209,7 +211,10 @@ tunables_load_defaults()
+   tunable_force_local_data_ssl = 1;
+   tunable_sslv2 = 0;
+   tunable_sslv3 = 0;
++  /* TLSv1 up to TLSv1.2 is enabled by default */
+   tunable_tlsv1 = 1;
++  tunable_tlsv1_1 = 1;
++  tunable_tlsv1_2 = 1;
+   tunable_tilde_user_enable = 0;
+   tunable_force_anon_logins_ssl = 0;
+   tunable_force_anon_data_ssl = 0;
+@@ -292,8 +297,8 @@ tunables_load_defaults()
+   install_str_setting(0, &tunable_dsa_cert_file);
+   install_str_setting(0, &tunable_dh_param_file);
+   install_str_setting(0, &tunable_ecdh_param_file);
+-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
+-                      &tunable_ssl_ciphers);
++  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
++          &tunable_ssl_ciphers);
+   install_str_setting(0, &tunable_rsa_private_key_file);
+   install_str_setting(0, &tunable_dsa_private_key_file);
+   install_str_setting(0, &tunable_ca_certs_file);
+diff --git a/tunables.h b/tunables.h
+index 3e2d40c..a466427 100644
+--- a/tunables.h
++++ b/tunables.h
+@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl;      /* Require local data uses SSL */
+ extern int tunable_sslv2;                     /* Allow SSLv2 */
+ extern int tunable_sslv3;                     /* Allow SSLv3 */
+ extern int tunable_tlsv1;                     /* Allow TLSv1 */
++extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
++extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
+ extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
+ extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
+ extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index cf1ae34..a3d569e 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -506,7 +506,7 @@ Default: YES
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit SSL v2 protocol connections.
+-TLS v1 connections are preferred.
++TLS v1.2 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -514,7 +514,7 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit SSL v3 protocol connections.
+-TLS v1 connections are preferred.
++TLS v1.2 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -522,7 +522,23 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1 protocol connections.
+-TLS v1 connections are preferred.
++TLS v1.2 connections are preferred.
++
++Default: YES
++.TP
++.B ssl_tlsv1_1
++Only applies if
++.BR ssl_enable
++is activated. If enabled, this option will permit TLS v1.1 protocol connections.
++TLS v1.2 connections are preferred.
++
++Default: YES
++.TP
++.B ssl_tlsv1_2
++Only applies if
++.BR ssl_enable
++is activated. If enabled, this option will permit TLS v1.2 protocol connections.
++TLS v1.2 connections are preferred.
+ 
+ Default: YES
+ .TP
+@@ -1044,7 +1060,7 @@ man page for further details. Note that restricting ciphers can be a useful
+ security precaution as it prevents malicious remote parties forcing a cipher
+ which they have found problems with.
+ 
+-Default: DES-CBC3-SHA
++Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
+ .TP
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
+-- 
+2.14.4
+

0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch

@@ -0,0 +1,74 @@
+From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
+Date: Mon, 4 Sep 2017 11:32:03 +0200
+Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1
+
+---
+ ssl.c | 41 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/ssl.c b/ssl.c
+index ba8a613..09ec96a 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -88,19 +88,54 @@ static struct mystr debug_str;
+ }
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++  /* If the fields p and g in d are NULL, the corresponding input
++   * parameters MUST be non-NULL.  q may remain NULL.
++   */
++  if ((dh->p == NULL && p == NULL)
++      || (dh->g == NULL && g == NULL))
++    return 0;
++
++  if (p != NULL) {
++    BN_free(dh->p);
++    dh->p = p;
++  }
++  if (q != NULL) {
++    BN_free(dh->q);
++    dh->q = q;
++  }
++  if (g != NULL) {
++    BN_free(dh->g);
++    dh->g = g;
++  }
++
++  if (q != NULL) {
++    dh->length = BN_num_bits(q);
++  }
++
++  return 1;
++}
++#endif
++
+ #if !defined(DH_get_dh)
+   // Grab DH parameters
+   DH *
+   DH_get_dh(int size)
+   {
++    BIGNUM *g = NULL;
++    BIGNUM *p = NULL;
+     DH *dh = DH_new();
+     if (!dh) {
+       return NULL;
+     }
+-    dh->p = DH_get_prime(match_dh_bits(size));
+-    BN_dec2bn(&dh->g, "2");
+-    if (!dh->p || !dh->g)
++    p = DH_get_prime(match_dh_bits(size));
++    BN_dec2bn(&g, "2");
++    if (!p || !g || !DH_set0_pqg(dh, p, NULL, g))
+     {
++      BN_free(g);
++      BN_free(p);
+       DH_free(dh);
+       return NULL;
+     }
+-- 
+2.14.4
+

0040-Use-system-wide-crypto-policy.patch

@@ -3,7 +3,7 @@ From: Martin Sehnoutka <msehnout@redhat.com>
 Date: Tue, 29 Aug 2017 10:32:16 +0200
 Subject: [PATCH 40/59] Use system wide crypto policy
 
-Resolves: rhbz#
+Resolves: rhbz#1483970
 ---
  tunables.c | 3 +--
  1 file changed, 1 insertion(+), 2 deletions(-)
@@ -16,8 +16,8 @@ index 5440c00..354251c 100644
    install_str_setting(0, &tunable_dsa_cert_file);
    install_str_setting(0, &tunable_dh_param_file);
    install_str_setting(0, &tunable_ecdh_param_file);
--  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
--                      &tunable_ssl_ciphers);
+-  install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
+-          &tunable_ssl_ciphers);
 +  install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
    install_str_setting(0, &tunable_rsa_private_key_file);
    install_str_setting(0, &tunable_dsa_private_key_file);

0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch

@@ -17,15 +17,15 @@ index 3ca55e4..2a7662e 100644
  security precaution as it prevents malicious remote parties forcing a cipher
  which they have found problems with.
  
--Default: DES-CBC3-SHA
+-Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
 +By default, the system-wide crypto policy is used. See
 +.BR update-crypto-policies(8)
 +for further details.
 +
 +Default: PROFILE=SYSTEM
  .TP
- .B ssl_sni_hostname
- If set, SSL connections will be rejected unless the SNI hostname in the
+ .B user_config_dir
+ This powerful option allows the override of any config option specified in
 -- 
 2.14.4
 

0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch

@@ -23,7 +23,7 @@ index 1212980..d024366 100644
        vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
      }
 -    if (tunable_tlsv1)
-+    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
++    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
      {
        vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
      }

0043-Enable-only-TLSv1.2-by-default.patch

@@ -0,0 +1,53 @@
+From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
+Date: Thu, 21 Dec 2017 16:38:40 +0100
+Subject: [PATCH 43/59] Enable only TLSv1.2 by default
+
+Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.
+---
+ tunables.c    | 6 +++---
+ vsftpd.conf.5 | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tunables.c b/tunables.c
+index 354251c..9680528 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -211,9 +211,9 @@ tunables_load_defaults()
+   tunable_force_local_data_ssl = 1;
+   tunable_sslv2 = 0;
+   tunable_sslv3 = 0;
+-  /* TLSv1 up to TLSv1.2 is enabled by default */
+-  tunable_tlsv1 = 1;
+-  tunable_tlsv1_1 = 1;
++  tunable_tlsv1 = 0;
++  tunable_tlsv1_1 = 0;
++  /* Only TLSv1.2 is enabled by default */
+   tunable_tlsv1_2 = 1;
+   tunable_tilde_user_enable = 0;
+   tunable_force_anon_logins_ssl = 0;
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 2a7662e..df14027 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -539,7 +539,7 @@ Only applies if
+ is activated. If enabled, this option will permit TLS v1 protocol connections.
+ TLS v1.2 connections are preferred.
+ 
+-Default: YES
++Default: NO
+ .TP
+ .B ssl_tlsv1_1
+ Only applies if
+@@ -547,7 +547,7 @@ Only applies if
+ is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+ TLS v1.2 connections are preferred.
+ 
+-Default: YES
++Default: NO
+ .TP
+ .B ssl_tlsv1_2
+ Only applies if
+-- 
+2.14.4
+

0076-Correct-the-definition-of-setup_bio_callbacks-in-ssl.patch

@@ -1,25 +0,0 @@
-From f3a745be207831ebd07add16e66ac2b43a743dc1 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Fri, 24 Jan 2025 11:42:39 +0100
-Subject: [PATCH] Correct the definition of setup_bio_callbacks() in ssl.c
-
----
- ssl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl.c b/ssl.c
-index e518097..02ed489 100644
---- a/ssl.c
-+++ b/ssl.c
-@@ -36,7 +36,7 @@
- static char* get_ssl_error();
- static SSL* get_ssl(struct vsf_session* p_sess, int fd);
- static int ssl_session_init(struct vsf_session* p_sess);
--static void setup_bio_callbacks();
-+static void setup_bio_callbacks(SSL* p_ssl);
- static long bio_callback(
-   BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed);
- static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
--- 
-2.48.1
-

ci.fmf

@@ -1 +0,0 @@
-resultsdb-testcase: separate

fix-str_open.patch

@@ -1,27 +0,0 @@
---- sysstr-orig.c	2022-07-27 09:44:52.606408000 +0200
-+++ sysstr.c	2022-07-27 09:54:24.043081352 +0200
-@@ -74,19 +74,11 @@
- int
- str_open(const struct mystr* p_str, const enum EVSFSysStrOpenMode mode)
- {
--  enum EVSFSysUtilOpenMode open_mode = kVSFSysUtilOpenUnknown;
--  switch (mode)
--  {
--    case kVSFSysStrOpenReadOnly:
--      open_mode = kVSFSysUtilOpenReadOnly;
--      break;
--    case kVSFSysStrOpenUnknown:
--      /* Fall through */
--    default:
--      bug("unknown mode value in str_open");
--      break;
--  }
--  return vsf_sysutil_open_file(str_getbuf(p_str), open_mode);
-+  if (mode == kVSFSysStrOpenReadOnly)
-+    return vsf_sysutil_open_file(str_getbuf(p_str), kVSFSysUtilOpenReadOnly);
-+
-+  bug("unknown mode value in str_open");
-+  return -1;
- }
- 
- int

gating.yaml

@@ -1,26 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#Rawhide
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#gating rhel
---- !Policy
-product_versions:
-  - rhel-*
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
-

plans.fmf

@@ -1,47 +0,0 @@
-/tier1-internal:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
-      name: /plans/tier1/internal
-  adjust:
-    enabled: false
-    when: distro == centos-stream, fedora
-    because: They don't have access to internal repos.
-
-/tier1-public:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
-      name: /plans/tier1/public
-
-/tier2-tier3-internal:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
-      name: /plans/tier2-tier3/internal
-  adjust:
-    enabled: false
-    when: distro == centos-stream, fedora
-    because: They don't have access to internal repos.
-
-/tier2-tier3-public:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
-      name: /plans/tier2-tier3/public
-
-/others-internal:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
-      name: /plans/others/internal
-  adjust:
-    enabled: false
-    when: distro == centos-stream, fedora
-    because: They don't have access to internal repos.
-
-/others-public:
-  plan:
-    import:
-      url: https://gitlab.com/redhat/centos-stream/tests/vsftpd.git
-      name: /plans/others/public

sources

@@ -1 +1 @@
-SHA512 (vsftpd-3.0.5.tar.gz) = 9e9f9bde8c460fbc6b1d29ca531327fb2e40e336358f1cc19e1da205ef81b553719a148ad4613ceead25499d1ac3f03301a0ecd3776e5c228acccb7f9461a7ee
+SHA512 (vsftpd-3.0.3.tar.gz) = 5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7

vsftpd-3.0.3-ALPACA.patch

@@ -1,225 +0,0 @@
-diff --git a/parseconf.c b/parseconf.c
-index 3729818..ee1b8b4 100644
---- a/parseconf.c
-+++ b/parseconf.c
-@@ -188,6 +188,7 @@ parseconf_str_array[] =
-   { "rsa_private_key_file", &tunable_rsa_private_key_file },
-   { "dsa_private_key_file", &tunable_dsa_private_key_file },
-   { "ca_certs_file", &tunable_ca_certs_file },
-+  { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
-   { "cmds_denied", &tunable_cmds_denied },
-   { 0, 0 }
- };
-diff --git a/ssl.c b/ssl.c
-index 09ec96a..b622347 100644
---- a/ssl.c
-+++ b/ssl.c
-@@ -41,6 +41,13 @@ static long bio_callback(
-   BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
- static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
- static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength);
-+static int ssl_alpn_callback(SSL* p_ssl,
-+                             const unsigned char** p_out,
-+                             unsigned char* outlen,
-+                             const unsigned char* p_in,
-+                             unsigned int inlen,
-+                             void* p_arg);
-+static long ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg);
- static int ssl_cert_digest(
-   SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str);
- static void maybe_log_shutdown_state(struct vsf_session* p_sess);
-@@ -285,6 +292,11 @@ ssl_init(struct vsf_session* p_sess)
-       SSL_CTX_set_timeout(p_ctx, INT_MAX);
-     }
-     
-+    /* Set up ALPN to check for FTP protocol intention of client. */
-+    SSL_CTX_set_alpn_select_cb(p_ctx, ssl_alpn_callback, p_sess);
-+    /* Set up SNI callback for an optional hostname check. */
-+    SSL_CTX_set_tlsext_servername_callback(p_ctx, ssl_sni_callback);
-+    SSL_CTX_set_tlsext_servername_arg(p_ctx, p_sess);
-     SSL_CTX_set_tmp_dh_callback(p_ctx, ssl_tmp_dh_callback);
- 
-     if (tunable_ecdh_param_file)
-@@ -871,6 +883,133 @@ ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
-   return DH_get_dh(keylength);
- }
- 
-+static int
-+ssl_alpn_callback(SSL* p_ssl,
-+                  const unsigned char** p_out,
-+                  unsigned char* outlen,
-+                  const unsigned char* p_in,
-+                  unsigned int inlen,
-+                  void* p_arg) {
-+    unsigned int i;
-+    struct vsf_session* p_sess = (struct vsf_session*) p_arg;
-+    int is_ok = 0;
-+
-+    (void) p_ssl;
-+
-+    /* Initialize just in case. */
-+    *p_out = p_in;
-+    *outlen = 0;
-+
-+    for (i = 0; i < inlen; ++i) {
-+        unsigned int left = (inlen - i);
-+        if (left < 4) {
-+            continue;
-+        }
-+        if (p_in[i] == 3 && p_in[i + 1] == 'f' && p_in[i + 2] == 't' &&
-+            p_in[i + 3] == 'p')
-+        {
-+            is_ok = 1;
-+            *p_out = &p_in[i + 1];
-+            *outlen = 3;
-+            break;
-+        }
-+    }
-+
-+    if (!is_ok)
-+    {
-+        str_alloc_text(&debug_str, "ALPN rejection");
-+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
-+    }
-+    if (!is_ok || tunable_debug_ssl)
-+    {
-+        str_alloc_text(&debug_str, "ALPN data: ");
-+        for (i = 0; i < inlen; ++i) {
-+            str_append_char(&debug_str, p_in[i]);
-+        }
-+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
-+    }
-+
-+    if (is_ok)
-+    {
-+        return SSL_TLSEXT_ERR_OK;
-+    }
-+    else
-+    {
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+}
-+
-+static long
-+ssl_sni_callback(SSL* p_ssl, int* p_al, void* p_arg)
-+{
-+    static struct mystr s_sni_expected_hostname;
-+    static struct mystr s_sni_received_hostname;
-+
-+    int servername_type;
-+    const char* p_sni_servername;
-+    struct vsf_session* p_sess = (struct vsf_session*) p_arg;
-+    int is_ok = 0;
-+
-+    (void) p_ssl;
-+    (void) p_arg;
-+
-+    if (tunable_ssl_sni_hostname)
-+    {
-+        str_alloc_text(&s_sni_expected_hostname, tunable_ssl_sni_hostname);
-+    }
-+
-+    /* The OpenSSL documentation says it is pre-initialized like this, but set
-+     * it just in case.
-+     */
-+    *p_al = SSL_AD_UNRECOGNIZED_NAME;
-+
-+    servername_type = SSL_get_servername_type(p_ssl);
-+    p_sni_servername = SSL_get_servername(p_ssl, TLSEXT_NAMETYPE_host_name);
-+    if (p_sni_servername != NULL) {
-+        str_alloc_text(&s_sni_received_hostname, p_sni_servername);
-+    }
-+
-+    if (str_isempty(&s_sni_expected_hostname))
-+    {
-+        is_ok = 1;
-+    }
-+    else if (servername_type != TLSEXT_NAMETYPE_host_name)
-+    {
-+        /* Fail. */
-+        str_alloc_text(&debug_str, "SNI bad type: ");
-+        str_append_ulong(&debug_str, servername_type);
-+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
-+    }
-+    else
-+    {
-+        if (!str_strcmp(&s_sni_expected_hostname, &s_sni_received_hostname))
-+        {
-+            is_ok = 1;
-+        }
-+        else
-+        {
-+            str_alloc_text(&debug_str, "SNI rejection");
-+            vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
-+        }
-+    }
-+
-+    if (!is_ok || tunable_debug_ssl)
-+    {
-+        str_alloc_text(&debug_str, "SNI hostname: ");
-+        str_append_str(&debug_str, &s_sni_received_hostname);
-+        vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
-+    }
-+
-+    if (is_ok)
-+    {
-+        return SSL_TLSEXT_ERR_OK;
-+    }
-+    else
-+    {
-+        return SSL_TLSEXT_ERR_ALERT_FATAL;
-+    }
-+}
-+
- void
- ssl_add_entropy(struct vsf_session* p_sess)
- {
-diff --git a/tunables.c b/tunables.c
-index c96c1ac..d8dfcde 100644
---- a/tunables.c
-+++ b/tunables.c
-@@ -152,6 +152,7 @@ const char* tunable_ssl_ciphers;
- const char* tunable_rsa_private_key_file;
- const char* tunable_dsa_private_key_file;
- const char* tunable_ca_certs_file;
-+const char* tunable_ssl_sni_hostname;
- 
- static void install_str_setting(const char* p_value, const char** p_storage);
- 
-@@ -309,6 +310,7 @@ tunables_load_defaults()
-   install_str_setting(0, &tunable_rsa_private_key_file);
-   install_str_setting(0, &tunable_dsa_private_key_file);
-   install_str_setting(0, &tunable_ca_certs_file);
-+  install_str_setting(0, &tunable_ssl_sni_hostname);
- }
- 
- void
-diff --git a/tunables.h b/tunables.h
-index 8d50150..de6cab0 100644
---- a/tunables.h
-+++ b/tunables.h
-@@ -157,6 +157,7 @@ extern const char* tunable_ssl_ciphers;
- extern const char* tunable_rsa_private_key_file;
- extern const char* tunable_dsa_private_key_file;
- extern const char* tunable_ca_certs_file;
-+extern const char* tunable_ssl_sni_hostname;
- extern const char* tunable_cmds_denied;
- 
- #endif /* VSF_TUNABLES_H */
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 815773f..7006287 100644
---- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -1128,6 +1128,12 @@ for further details.
- 
- Default: PROFILE=SYSTEM
- .TP
-+.B ssl_sni_hostname
-+If set, SSL connections will be rejected unless the SNI hostname in the
-+incoming handshakes matches this value.
-+
-+Default: (none)
-+.TP
- .B user_config_dir
- This powerful option allows the override of any config option specified in
- the manual page, on a per-user basis. Usage is simple, and is best illustrated

vsftpd-3.0.3-option_to_disable_TLSv1_3.patch

@@ -1,96 +0,0 @@
-diff --git a/features.c b/features.c
-index d024366..3a60b88 100644
---- a/features.c
-+++ b/features.c
-@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
-     {
-       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
-     }
--    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
-+    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
-     {
-       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
-     }
-diff --git a/parseconf.c b/parseconf.c
-index ee1b8b4..5188088 100644
---- a/parseconf.c
-+++ b/parseconf.c
-@@ -87,6 +87,7 @@ parseconf_bool_array[] =
-   { "ssl_tlsv1", &tunable_tlsv1 },
-   { "ssl_tlsv1_1", &tunable_tlsv1_1 },
-   { "ssl_tlsv1_2", &tunable_tlsv1_2 },
-+  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
-   { "tilde_user_enable", &tunable_tilde_user_enable },
-   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
-   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
-diff --git a/ssl.c b/ssl.c
-index b622347..3af67ad 100644
---- a/ssl.c
-+++ b/ssl.c
-@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
-     {
-       options |= SSL_OP_NO_TLSv1_2;
-     }
-+    if (!tunable_tlsv1_3)
-+    {
-+      options |= SSL_OP_NO_TLSv1_3;
-+    }
-     SSL_CTX_set_options(p_ctx, options);
-     if (tunable_rsa_cert_file)
-     {
-diff --git a/tunables.c b/tunables.c
-index d8dfcde..dc001ac 100644
---- a/tunables.c
-+++ b/tunables.c
-@@ -68,6 +68,7 @@ int tunable_sslv3;
- int tunable_tlsv1;
- int tunable_tlsv1_1;
- int tunable_tlsv1_2;
-+int tunable_tlsv1_3;
- int tunable_tilde_user_enable;
- int tunable_force_anon_logins_ssl;
- int tunable_force_anon_data_ssl;
-@@ -218,8 +219,9 @@ tunables_load_defaults()
-   tunable_sslv3 = 0;
-   tunable_tlsv1 = 0;
-   tunable_tlsv1_1 = 0;
--  /* Only TLSv1.2 is enabled by default */
-+  /* Only TLSv1.2 and TLSv1.3 are enabled by default */
-   tunable_tlsv1_2 = 1;
-+  tunable_tlsv1_3 = 1;
-   tunable_tilde_user_enable = 0;
-   tunable_force_anon_logins_ssl = 0;
-   tunable_force_anon_data_ssl = 0;
-diff --git a/tunables.h b/tunables.h
-index de6cab0..ff0eebc 100644
---- a/tunables.h
-+++ b/tunables.h
-@@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
- extern int tunable_tlsv1;                     /* Allow TLSv1 */
- extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
- extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
-+extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
- extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
- extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
- extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index 7006287..d181e50 100644
---- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -587,7 +587,15 @@ Default: NO
- Only applies if
- .BR ssl_enable
- is activated. If enabled, this option will permit TLS v1.2 protocol connections.
--TLS v1.2 connections are preferred.
-+TLS v1.2 and TLS v1.3 connections are preferred.
-+
-+Default: YES
-+.TP
-+.B ssl_tlsv1_3
-+Only applies if
-+.BR ssl_enable
-+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
-+TLS v1.2 and TLS v1.3 connections are preferred.
- 
- Default: YES
- .TP

vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch

@@ -1,79 +0,0 @@
-diff -urN a/parseconf.c b/parseconf.c
---- a/parseconf.c	2021-05-29 23:39:19.000000000 +0200
-+++ b/parseconf.c	2023-03-03 10:22:38.256439634 +0100
-@@ -185,6 +185,7 @@
-   { "dsa_cert_file", &tunable_dsa_cert_file },
-   { "dh_param_file", &tunable_dh_param_file },
-   { "ecdh_param_file", &tunable_ecdh_param_file },
-+  { "ssl_ciphersuites", &tunable_ssl_ciphersuites },
-   { "ssl_ciphers", &tunable_ssl_ciphers },
-   { "rsa_private_key_file", &tunable_rsa_private_key_file },
-   { "dsa_private_key_file", &tunable_dsa_private_key_file },
-diff -urN a/ssl.c b/ssl.c
---- a/ssl.c	2021-08-02 08:24:35.000000000 +0200
-+++ b/ssl.c	2023-03-03 10:28:05.989757655 +0100
-@@ -135,6 +135,11 @@
-     {
-       die("SSL: could not set cipher list");
-     }
-+    if (tunable_ssl_ciphersuites &&
-+        SSL_CTX_set_ciphersuites(p_ctx, tunable_ssl_ciphersuites) != 1)
-+    {
-+      die("SSL: could not set ciphersuites");
-+    }
-     if (RAND_status() != 1)
-     {
-       die("SSL: RNG is not seeded");
-diff -urN a/tunables.c b/tunables.c
---- a/tunables.c	2021-05-29 23:39:00.000000000 +0200
-+++ b/tunables.c	2023-03-03 10:13:30.566868026 +0100
-@@ -154,6 +154,7 @@
- const char* tunable_dsa_cert_file;
- const char* tunable_dh_param_file;
- const char* tunable_ecdh_param_file;
- const char* tunable_ssl_ciphers;
-+const char* tunable_ssl_ciphersuites;
- const char* tunable_rsa_private_key_file;
- const char* tunable_dsa_private_key_file;
-@@ -293,6 +293,7 @@
-   install_str_setting(0, &tunable_dh_param_file);
-   install_str_setting(0, &tunable_ecdh_param_file);
-   install_str_setting("PROFILE=SYSTEM", &tunable_ssl_ciphers);
-+  install_str_setting("TLS_AES_256_GCM_SHA384", &tunable_ssl_ciphersuites);
-   install_str_setting(0, &tunable_rsa_private_key_file);
-   install_str_setting(0, &tunable_dsa_private_key_file);
-   install_str_setting(0, &tunable_ca_certs_file);
-diff -urN a/tunables.h b/tunables.h
---- a/tunables.h
-+++ b/tunables.h
-@@ -144,6 +144,7 @@
- extern const char* tunable_dsa_cert_file;
- extern const char* tunable_dh_param_file;
- extern const char* tunable_ecdh_param_file;
- extern const char* tunable_ssl_ciphers;
-+extern const char* tunable_ssl_ciphersuites;
- extern const char* tunable_rsa_private_key_file;
- extern const char* tunable_dsa_private_key_file;
---- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -1009,6 +1009,20 @@
- 
- Default: PROFILE=SYSTEM
- .TP
-+.B ssl_ciphersuites
-+This option can be used to select which SSL cipher suites vsftpd will allow for
-+encrypted SSL connections with TLSv1.3. See the
-+.BR ciphers
-+man page for further details. Note that restricting ciphers can be a useful
-+security precaution as it prevents malicious remote parties forcing a cipher
-+which they have found problems with.
-+
-+By default, the system-wide crypto policy is used. See
-+.BR update-crypto-policies(8)
-+for further details.
-+
-+Default: TLS_AES_256_GCM_SHA384
-+.TP
- .B ssl_sni_hostname
- If set, SSL connections will be rejected unless the SNI hostname in the
- incoming handshakes matches this value.

vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch

@@ -1,215 +0,0 @@
-diff --git a/logging.c b/logging.c
-index 9e86808..613ff4b 100644
---- a/logging.c
-+++ b/logging.c
-@@ -171,7 +171,14 @@ vsf_log_do_log_to_file(int fd, struct mystr* p_str)
-       return;
-     }
-   }
--  str_replace_unprintable(p_str, '?');
-+  if (tunable_wc_logs_enable)
-+  {
-+    str_replace_unprintable_with_hex_wc(p_str);
-+  }
-+  else
-+  {
-+    str_replace_unprintable_with_hex(p_str);
-+  }
-   str_append_char(p_str, '\n');
-   /* Ignore write failure; maybe the disk filled etc. */
-   (void) str_write_loop(p_str, fd);
-diff --git a/parseconf.c b/parseconf.c
-index 3cfe7da..3729818 100644
---- a/parseconf.c
-+++ b/parseconf.c
-@@ -113,6 +113,7 @@ parseconf_bool_array[] =
-   { "allow_writeable_chroot", &tunable_allow_writeable_chroot },
-   { "better_stou", &tunable_better_stou },
-   { "log_die", &tunable_log_die },
-+  { "wc_logs_enable", &tunable_wc_logs_enable },
-   { 0, 0 }
- };
- 
-diff --git a/str.c b/str.c
-index 82b8ae4..c03e7d8 100644
---- a/str.c
-+++ b/str.c
-@@ -20,6 +20,11 @@
- #include "utility.h"
- #include "sysutil.h"
- 
-+#include <stdio.h>
-+#include <string.h>
-+#include <wchar.h>
-+#include <wctype.h>
-+
- /* File local functions */
- static void str_split_text_common(struct mystr* p_src, struct mystr* p_rhs,
-                                   const char* p_text, int is_reverse);
-@@ -723,6 +728,102 @@ str_replace_unprintable(struct mystr* p_str, char new_char)
-   }
- }
- 
-+void
-+str_replace_unprintable_with_hex(struct mystr* p_str)
-+{
-+  unsigned int ups_size = sizeof(unsigned int) * (p_str->len);
-+  if (ups_size < p_str->len)
-+  {
-+    str_replace_unprintable(p_str, '?');
-+    str_append_text(p_str, ": BUG: string is too long");
-+    bug(p_str->p_buf);
-+  }
-+  unsigned int* ups = vsf_sysutil_malloc(ups_size);
-+  unsigned int up_count = 0;
-+  for (unsigned int i=0; i < p_str->len; i++)
-+  {
-+    if (!vsf_sysutil_isprint(p_str->p_buf[i]))
-+    {
-+      ups[up_count++] = i;
-+    }
-+  }
-+  str_replace_positions_with_hex(p_str, ups, up_count);
-+  vsf_sysutil_free(ups);
-+}
-+
-+void str_replace_unprintable_with_hex_wc(struct mystr* p_str)
-+{
-+  unsigned int ups_size = sizeof(unsigned int) * (p_str->len);
-+  if (ups_size < p_str->len)
-+  {
-+    str_replace_unprintable(p_str, '?');
-+    str_append_text(p_str, ": BUG: string is too long");
-+    bug(p_str->p_buf);
-+  }
-+  unsigned int* ups = vsf_sysutil_malloc(ups_size);
-+  unsigned int up_count = 0;
-+
-+  size_t current = 0;
-+  wchar_t pwc;
-+  mbstate_t ps;
-+  memset(&ps, 0, sizeof(ps));
-+  ssize_t len = 0;
-+  while ((len = mbrtowc(&pwc, p_str->p_buf, p_str->len - current, &ps)) > 0)
-+  {
-+    if (!iswprint(pwc))
-+    {
-+      for (int i = 0; i < len; i++)
-+      {
-+        ups[up_count++] = current++;
-+      }
-+    }
-+    else
-+    {
-+      current += len;
-+    }
-+  }
-+  if (len < 0)
-+  {
-+    while (current < p_str->len)
-+    {
-+      ups[up_count++] = current++;
-+    }
-+  }
-+  str_replace_positions_with_hex(p_str, ups, up_count);
-+  vsf_sysutil_free(ups);
-+}
-+
-+void
-+str_replace_positions_with_hex(struct mystr* p_str, const unsigned int* poss, const unsigned int pos_count)
-+{
-+  if (pos_count == 0)
-+    return;
-+
-+  struct mystr tmp_str = INIT_MYSTR;
-+  str_reserve(&tmp_str, p_str->len + 3 * pos_count);
-+  unsigned int current = 0;
-+
-+  for (unsigned int i=0; i < pos_count; i++)
-+  {
-+    unsigned int pos = poss[i];
-+
-+    if (current < pos)
-+      private_str_append_memchunk(&tmp_str, p_str->p_buf + current, pos - current);
-+
-+    char hex_buf[5];
-+    memset(hex_buf, 0, sizeof(hex_buf));
-+    sprintf(hex_buf, "\\x%02X", (unsigned char) p_str->p_buf[pos]);
-+    str_append_text(&tmp_str, hex_buf);
-+    current = pos + 1;
-+  }
-+
-+  if (current < p_str->len)
-+    private_str_append_memchunk(&tmp_str, p_str->p_buf + current, p_str->len - current);
-+
-+  str_copy(p_str, &tmp_str);
-+  str_free(&tmp_str);
-+}
-+
- void
- str_basename (struct mystr* d_str, const struct mystr* path)
- {
-diff --git a/str.h b/str.h
-index 44270da..95a83b5 100644
---- a/str.h
-+++ b/str.h
-@@ -98,6 +98,10 @@ int str_contains_space(const struct mystr* p_str);
- int str_all_space(const struct mystr* p_str);
- int str_contains_unprintable(const struct mystr* p_str);
- void str_replace_unprintable(struct mystr* p_str, char new_char);
-+void str_replace_unprintable_with_hex(struct mystr* p_str);
-+void str_replace_unprintable_with_hex_wc(struct mystr* p_str);
-+void str_replace_positions_with_hex(struct mystr* p_str, const unsigned int* poss,
-+                                    const unsigned int pos_count);
- int str_atoi(const struct mystr* p_str);
- filesize_t str_a_to_filesize_t(const struct mystr* p_str);
- unsigned int str_octal_to_uint(const struct mystr* p_str);
-diff --git a/tunables.c b/tunables.c
-index a7ce9c8..c96c1ac 100644
---- a/tunables.c
-+++ b/tunables.c
-@@ -94,6 +94,7 @@ int tunable_seccomp_sandbox;
- int tunable_allow_writeable_chroot;
- int tunable_better_stou;
- int tunable_log_die;
-+int tunable_wc_logs_enable;
- 
- unsigned int tunable_accept_timeout;
- unsigned int tunable_connect_timeout;
-@@ -244,6 +245,7 @@ tunables_load_defaults()
-   tunable_allow_writeable_chroot = 0;
-   tunable_better_stou = 0;
-   tunable_log_die = 0;
-+  tunable_wc_logs_enable = 0;
- 
-   tunable_accept_timeout = 60;
-   tunable_connect_timeout = 60;
-diff --git a/tunables.h b/tunables.h
-index 029d645..8d50150 100644
---- a/tunables.h
-+++ b/tunables.h
-@@ -98,6 +98,7 @@ extern int tunable_better_stou;               /* Use better file name generation
- 					       */
- extern int tunable_log_die;                   /* Log calls to die(), die2()
-                                                * and bug() */
-+extern int tunable_wc_logs_enable;            /* Allow non ASCII characters in logs */
- 
- /* Integer/numeric defines */
- extern unsigned int tunable_accept_timeout;
-diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
-index ce3fba3..815773f 100644
---- a/vsftpd.conf.5
-+++ b/vsftpd.conf.5
-@@ -735,6 +735,12 @@ If enabled, use CLONE_NEWPID and CLONE_NEWIPC to isolate processes to their
- ipc and pid namespaces. So separated processes can not interact with each other.
- 
- Default: YES
-+.TP
-+.B wc_logs_enable
-+If enabled, logs will be treated as wide-character strings and not just
-+ASCII strings when filtering out non-printable characters.
-+
-+Default: NO
- 
- .SH NUMERIC OPTIONS
- Below is a list of numeric options. A numeric option must be set to a non

vsftpd-3.0.5-replace-deprecated-openssl-functions.patch

@@ -1,70 +0,0 @@
-diff --git a/ssl.c b/ssl.c
---- ssl.c	
-+++ ssl.c	
-@@ -28,17 +28,17 @@
- #include <openssl/err.h>
- #include <openssl/rand.h>
- #include <openssl/bio.h>
- #include <openssl/bn.h>
- #include <openssl/param_build.h>
- #include <errno.h>
- #include <limits.h>
- 
- static char* get_ssl_error();
- static SSL* get_ssl(struct vsf_session* p_sess, int fd);
- static int ssl_session_init(struct vsf_session* p_sess);
- static void setup_bio_callbacks();
- static long bio_callback(
--  BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long retval);
-+  BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed);
- static int ssl_verify_callback(int verify_ok, X509_STORE_CTX* p_ctx);
- static int ssl_alpn_callback(SSL* p_ssl,
-                              const unsigned char** p_out,
-@@ -88,7 +88,7 @@
-     long options;
-     int verify_option = 0;
-     SSL_library_init();
--    p_ctx = SSL_CTX_new(SSLv23_server_method());
-+    p_ctx = SSL_CTX_new_ex(NULL, NULL, TLS_server_method());
-     if (p_ctx == NULL)
-     {
-       die("SSL: could not allocate SSL context");
-@@ -180,13 +180,10 @@
-       die("SSL: RNG is not seeded");
-     }
-     {
--      EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
--      if (key == NULL)
-+      if (!SSL_CTX_set1_groups_list(p_ctx, "P-256"))
-       {
-         die("SSL: failed to get curve p256");
-       }
--      SSL_CTX_set_tmp_ecdh(p_ctx, key);
--      EC_KEY_free(key);
-     }
-     if (tunable_ssl_request_cert)
-     {
-@@ -692,17 +689,19 @@
- static void setup_bio_callbacks(SSL* p_ssl)
- {
-   BIO* p_bio = SSL_get_rbio(p_ssl);
--  BIO_set_callback(p_bio, bio_callback);
-+  BIO_set_callback_ex(p_bio, bio_callback);
-   p_bio = SSL_get_wbio(p_ssl);
--  BIO_set_callback(p_bio, bio_callback);
-+  BIO_set_callback_ex(p_bio, bio_callback);
- }
- 
- static long
- bio_callback(
--  BIO* p_bio, int oper, const char* p_arg, int argi, long argl, long ret)
-+  BIO* p_bio, int oper, const char* p_arg, size_t len, int argi, long argl, int ret, size_t *processed)
- {
-   int retval = 0;
-   int fd = 0;
-+  (void) len;
-+  (void) processed;
-   (void) p_arg;
-   (void) argi;
-   (void) argl;
-

vsftpd-3.0.5-replace-old-network-addr-functions.patch

@@ -1,139 +0,0 @@
-diff -urN vsftpd-3.0.5-orig/postlogin.c vsftpd-3.0.5/postlogin.c
---- vsftpd-3.0.5-orig/postlogin.c	2015-07-22 21:03:22.000000000 +0200
-+++ vsftpd-3.0.5/postlogin.c	2023-02-13 16:34:05.244467476 +0100
-@@ -27,4 +27,6 @@
- #include "ssl.h"
- #include "vsftpver.h"
-+#include <netdb.h>
-+#include <arpa/inet.h>
- #include "opts.h"
-
-@@ -628,9 +629,10 @@
-   else
-   {
-     const void* p_v4addr = vsf_sysutil_sockaddr_ipv6_v4(s_p_sockaddr);
-+    static char result[INET_ADDRSTRLEN];
-     if (p_v4addr)
-     {
--      str_append_text(&s_pasv_res_str, vsf_sysutil_inet_ntoa(p_v4addr));
-+      str_append_text(&s_pasv_res_str, inet_ntop(AF_INET, p_v4addr, result, INET_ADDRSTRLEN));
-     }
-     else
-     {
-diff -urN vsftpd-3.0.5-orig/sysutil.c vsftpd-3.0.5/sysutil.c
---- vsftpd-3.0.5-orig/sysutil.c	2012-09-16 09:07:38.000000000 +0200
-+++ vsftpd-3.0.5/sysutil.c	2023-02-13 16:08:58.557153109 +0100
-@@ -2205,20 +2205,13 @@
-   const struct sockaddr* p_sockaddr = &p_sockptr->u.u_sockaddr;
-   if (p_sockaddr->sa_family == AF_INET)
-   {
--    return inet_ntoa(p_sockptr->u.u_sockaddr_in.sin_addr);
-+    static char result[INET_ADDRSTRLEN];
-+    return inet_ntop(AF_INET, &p_sockptr->u.u_sockaddr_in.sin_addr, result, INET_ADDRSTRLEN);
-   }
-   else if (p_sockaddr->sa_family == AF_INET6)
-   {
--    static char inaddr_buf[64];
--    const char* p_ret = inet_ntop(AF_INET6,
--                                  &p_sockptr->u.u_sockaddr_in6.sin6_addr,
--                                  inaddr_buf, sizeof(inaddr_buf));
--    inaddr_buf[sizeof(inaddr_buf) - 1] = '\0';
--    if (p_ret == NULL)
--    {
--      inaddr_buf[0] = '\0';
--    }
--    return inaddr_buf;
-+    static char result[INET6_ADDRSTRLEN];
-+    return inet_ntop(AF_INET6, &p_sockptr->u.u_sockaddr_in6.sin6_addr, result, INET6_ADDRSTRLEN);
-   }
-   else
-   {
-@@ -2227,12 +2220,6 @@
-   }
- }
- 
--const char*
--vsf_sysutil_inet_ntoa(const void* p_raw_addr)
--{
--  return inet_ntoa(*((struct in_addr*)p_raw_addr));
--}
--
- int
- vsf_sysutil_inet_aton(const char* p_text, struct vsf_sysutil_sockaddr* p_addr)
- {
-@@ -2241,7 +2228,7 @@
-   {
-     bug("bad family");
-   }
--  if (inet_aton(p_text, &sin_addr))
-+  if (inet_pton(AF_INET, p_text, &sin_addr))
-   {
-     vsf_sysutil_memcpy(&p_addr->u.u_sockaddr_in.sin_addr,
-                        &sin_addr, sizeof(p_addr->u.u_sockaddr_in.sin_addr));
-@@ -2257,37 +2244,46 @@
- vsf_sysutil_dns_resolve(struct vsf_sysutil_sockaddr** p_sockptr,
-                         const char* p_name)
- {
--  struct hostent* hent = gethostbyname(p_name);
--  if (hent == NULL)
-+  struct addrinfo *result;
-+  struct addrinfo hints;
-+  int ret;
-+
-+  memset(&hints, 0, sizeof(struct addrinfo));
-+  hints.ai_family = AF_UNSPEC;
-+
-+  if ((ret = getaddrinfo(p_name, NULL, &hints, &result)) != 0)
-   {
-+    fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(ret));
-     die2("cannot resolve host:", p_name);
-   }
-   vsf_sysutil_sockaddr_clear(p_sockptr);
--  if (hent->h_addrtype == AF_INET)
-+  if (result->ai_family == AF_INET)
-   {
--    unsigned int len = hent->h_length;
-+    unsigned int len = result->ai_addrlen;
-     if (len > sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr))
-     {
-       len = sizeof((*p_sockptr)->u.u_sockaddr_in.sin_addr);
-     }
-     vsf_sysutil_sockaddr_alloc_ipv4(p_sockptr);
-     vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in.sin_addr,
--                       hent->h_addr_list[0], len);
-+                       &result->ai_addrlen, len);
-   }
--  else if (hent->h_addrtype == AF_INET6)
-+  else if (result->ai_family == AF_INET6)
-   {
--    unsigned int len = hent->h_length;
-+    unsigned int len = result->ai_addrlen;
-     if (len > sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr))
-     {
-       len = sizeof((*p_sockptr)->u.u_sockaddr_in6.sin6_addr);
-     }
-     vsf_sysutil_sockaddr_alloc_ipv6(p_sockptr);
-     vsf_sysutil_memcpy(&(*p_sockptr)->u.u_sockaddr_in6.sin6_addr,
--                       hent->h_addr_list[0], len);
-+                       &result->ai_addrlen, len);
-   }
-   else
-   {
--    die("gethostbyname(): neither IPv4 nor IPv6");
-+    freeaddrinfo(result);
-+    die("getaddrinfo(): neither IPv4 nor IPv6");
-   }
-+  freeaddrinfo(result);
- }
- 
-diff -urN vsftpd-3.0.5-orig/sysutil.h vsftpd-3.0.5/sysutil.h
---- vsftpd-3.0.5-orig/sysutil.h	2021-05-18 08:50:21.000000000 +0200
-+++ vsftpd-3.0.5/sysutil.h	2023-02-13 15:59:22.088331075 +0100
-@@ -277,7 +277,6 @@
- 
- const char* vsf_sysutil_inet_ntop(
-   const struct vsf_sysutil_sockaddr* p_sockptr);
--const char* vsf_sysutil_inet_ntoa(const void* p_raw_addr);
- int vsf_sysutil_inet_aton(
-   const char* p_text, struct vsf_sysutil_sockaddr* p_addr);
- 

vsftpd-3.0.5-use-old-tlsv-options.patch

@@ -1,15 +0,0 @@
---- parseconf-orig.c	2022-10-25 15:17:18.990701984 +0200
-+++ parseconf.c	2022-10-25 15:12:44.213480000 +0200
-@@ -85,9 +85,9 @@
-   { "ssl_sslv2", &tunable_sslv2 },
-   { "ssl_sslv3", &tunable_sslv3 },
-   { "ssl_tlsv1", &tunable_tlsv1 },
--  { "ssl_tlsv11", &tunable_tlsv1_1 },
--  { "ssl_tlsv12", &tunable_tlsv1_2 },
--  { "ssl_tlsv13", &tunable_tlsv1_3 },
-+  { "ssl_tlsv1_1", &tunable_tlsv1_1 },
-+  { "ssl_tlsv1_2", &tunable_tlsv1_2 },
-+  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
-   { "tilde_user_enable", &tunable_tilde_user_enable },
-   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
-   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },

vsftpd-tmpfiles.conf

@@ -1,2 +0,0 @@
-d /var/ftp 0755 root root -
-d /var/ftp/pub 0755 root root -

vsftpd.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Vsftpd ftp daemon
-After=network-online.target
+After=network.target
 
 [Service]
 Type=forking

vsftpd.spec

@@ -1,12 +1,13 @@
 %global _generatorsdir %{_prefix}/lib/systemd/system-generators
 
 Name:    vsftpd
-Version: 3.0.5
-Release: 14%{?dist}
+Version: 3.0.3
+Release: 28%{?dist}
 Summary: Very Secure Ftp Daemon
 
+Group:    System Environment/Daemons
 # OpenSSL link exception
-License:  GPL-2.0-only WITH vsftpd-openssl-exception
+License:  GPLv2 with exceptions
 URL:      https://security.appspot.com/vsftpd.html
 Source0:  https://security.appspot.com/downloads/%{name}-%{version}.tar.gz
 Source1:  vsftpd.xinetd
@@ -18,9 +19,7 @@ Source7:  vsftpd.service
 Source8:  vsftpd@.service
 Source9:  vsftpd.target
 Source10: vsftpd-generator
-Source11: vsftpd-tmpfiles.conf
 
-BuildRequires: make
 BuildRequires: pam-devel
 BuildRequires: libcap-devel
 BuildRequires: openssl-devel
@@ -62,7 +61,9 @@ Patch29: 0029-Fix-segfault-in-config-file-parser.patch
 Patch30: 0030-Fix-logging-into-syslog-when-enabled-in-config.patch
 Patch31: 0031-Fix-question-mark-wildcard-withing-a-file-name.patch
 Patch32: 0032-Propagate-errors-from-nfs-with-quota-to-client.patch
+Patch33: 0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch
 Patch34: 0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch
+Patch35: 0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch
 Patch36: 0036-Redefine-VSFTP_COMMAND_FD-to-1.patch
 Patch37: 0037-Document-the-relationship-of-text_userdb_names-and-c.patch
 Patch38: 0038-Document-allow_writeable_chroot-in-the-man-page.patch
@@ -70,6 +71,7 @@ Patch39: 0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
 Patch40: 0040-Use-system-wide-crypto-policy.patch
 Patch41: 0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
 Patch42: 0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+Patch43: 0043-Enable-only-TLSv1.2-by-default.patch
 Patch44: 0044-Disable-anonymous_enable-in-default-config-file.patch
 Patch45: 0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
 Patch46: 0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@@ -86,21 +88,6 @@ Patch56: 0056-Log-die-calls-to-syslog.patch
 Patch57: 0057-Improve-error-message-when-max-number-of-bind-attemp.patch
 Patch58: 0058-Make-the-max-number-of-bind-retries-tunable.patch
 Patch59: 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
-Patch61: 0001-Move-closing-standard-FDs-after-listen.patch
-Patch62: 0002-Prevent-recursion-in-bug.patch
-Patch63: 0001-Set-s_uwtmp_inserted-only-after-record-insertion-rem.patch
-Patch64: 0002-Repeat-pututxline-if-it-fails-with-EINTR.patch
-Patch65: 0001-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
-Patch67: 0001-Fix-timestamp-handling-in-MDTM.patch
-Patch68: 0002-Drop-an-unused-global-variable.patch
-Patch69: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
-Patch70: fix-str_open.patch
-Patch71: vsftpd-3.0.5-enable_wc_logs-replace_unprintable_with_hex.patch
-Patch72: vsftpd-3.0.5-replace-old-network-addr-functions.patch
-Patch73: vsftpd-3.0.5-replace-deprecated-openssl-functions.patch
-Patch74: vsftpd-3.0.5-add-option-for-tlsv1.3-ciphersuites.patch
-Patch75: vsftpd-3.0.5-use-old-tlsv-options.patch
-Patch76: 0076-Correct-the-definition-of-setup_bio_callbacks-in-ssl.patch
 
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -111,22 +98,21 @@ scratch.
 cp %{SOURCE1} .
 
 %build
-
 %ifarch s390x sparcv9 sparc64
-%make_build CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
+make CFLAGS="$RPM_OPT_FLAGS -fPIE -pipe -Wextra -Werror" \
 %else
-%make_build CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
+make CFLAGS="$RPM_OPT_FLAGS -fpie -pipe -Wextra -Werror" \
 %endif
-        LINK="-pie -lssl $RPM_LD_FLAGS" %{?_smp_mflags}
+        LINK="-pie -lssl" %{?_smp_mflags}
 
 %install
-mkdir -p $RPM_BUILD_ROOT%{_bindir}
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/{vsftpd,pam.d,logrotate.d}
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man{5,8}
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}
 mkdir -p $RPM_BUILD_ROOT%{_generatorsdir}
-install -m 755 vsftpd  $RPM_BUILD_ROOT%{_bindir}/vsftpd
+install -m 755 vsftpd  $RPM_BUILD_ROOT%{_sbindir}/vsftpd
 install -m 600 vsftpd.conf $RPM_BUILD_ROOT%{_sysconfdir}/vsftpd/vsftpd.conf
 install -m 644 vsftpd.conf.5 $RPM_BUILD_ROOT/%{_mandir}/man5/
 install -m 644 vsftpd.8 $RPM_BUILD_ROOT/%{_mandir}/man8/
@@ -139,7 +125,6 @@ install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_unitdir}
 install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_unitdir}
 install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_unitdir}
 install -m 755 %{SOURCE10} $RPM_BUILD_ROOT%{_generatorsdir}
-install -Dpm 644 %{SOURCE11} $RPM_BUILD_ROOT%{_tmpfilesdir}/vsftpd.conf
                             
 mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 
@@ -156,7 +141,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %files
 %{_unitdir}/*
 %{_generatorsdir}/*
-%{_bindir}/vsftpd
+%{_sbindir}/vsftpd
 %dir %{_sysconfdir}/vsftpd
 %{_sysconfdir}/vsftpd/vsftpd_conf_migrate.sh
 %config(noreplace) %{_sysconfdir}/vsftpd/ftpusers
@@ -169,136 +154,8 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_mandir}/man5/vsftpd.conf.*
 %{_mandir}/man8/vsftpd.*
 %{_var}/ftp
-%{_tmpfilesdir}/vsftpd.conf
 
 %changelog
-* Wed Jan 14 2026 Tomas Korbar <tkorbar@redhat.com> - 3.0.5-14
-- Resolve CVE-2025-14242
-
-* Thu Dec 18 2025 Fedor Vorobev <fvorobev@redhat.com> - 3.0.5-13
-- Add a tmpfiles.d config. (image mode support)
-
-* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-12
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Tue Apr 15 2025 Tomas Korbar <tkorbar@redhat.com> - 3.0.5-11
-- Move executable to bindir
-
-* Fri Jan 24 2025 Stepan Broz <sbroz@redhat.com> - 3.0.5-10
-- Correct the definition of setup_bio_callbacks() in ssl.c
-
-* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Mon Aug 19 2024 Tomas Korbar <tkorbar@redhat.com> - 3.0.5-8
-- Fix FEAT command to list AUTH TLS when TLSv1.3 is enabled
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Thu May 04 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-4
-- add option for TLSv1.3 ciphersuites
-- SPDX migration
-
-* Fri Feb 17 2023 Richard Lescak <rlescak@redhat.com> - 3.0.5-3
-- make vsftpd compatible with Openssl 3.0+
-- replace old network functions
-
-* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Thu Jul 28 2022 Richard Lescak <rlescak@redhat.com> 3.0.5-1
-- rebase to version 3.0.5
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-51
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-50
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
-- add option to disable TLSv1.3
-- Resolves: rhbz#2017705
-
-* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-48
-- ALPACA fix backported from upstram 3.0.5 version
-- Resolves: rhbz#1975648
-
-* Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-47
-- Temporary pass -Wno-deprecated-declarations to gcc to ignore
-  deprecated warnings to be able to build against OpenSSL-3.0
-- Resolves: rhbz#1962603
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.0.3-46
-- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-45
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Thu Apr 8 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-44
-- Enable support for wide-character strings in logs
-- Replace unprintables with HEX code, not question marks
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.0.3-43
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-42
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Fri Nov 27 2020 Timm Bäder<tbaeder@redhat.com> - 3.0.3-41
-- Fix str_open() so it doesn't warn when compiled with clang
-- Pass $RPM_LD_FLAGS when linking
-
-* Mon Nov 02 2020 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-40
-- Unit files fixed "After=network-online.target"
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-39
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Mar 17 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-38
-- Removed a hint about the ftp_home_dir SELinux boolean from the config file
-- Resolves: rhbz#1623424
-
-* Thu Feb 13 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-37
-- Fix timestamp handling in MDTM
-- Resolves: rhbz#1567855
-
-* Fri Feb 07 2020 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-36
-- Fix build with gcc 10
-- Resolves: rhbz#1800239
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-35
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Jan 17 2020 Tom Stellard <tstellar@redhat.com> - 3.0.3-34
-- Use make_build macro
-
-* Thu Nov 28 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-33
-- Finish up the fix to the problem with bad utmp entries when pututxline() fails
-- Resolves: rhbz#1688852
-- Resolves: rhbz#1737433
-
-* Mon Aug 05 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-32
-- Partially fix problem with bad utmp entries when pututxline() fails
-- Resolves: rhbz#1688848
-
-* Sat Aug 03 2019 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-31
-- Fix segfault when listen() returns an error
-- Resolves: rhbz#1666380
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-30
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-29
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
 * Wed Jul 25 2018 Ondřej Lysoněk <olysonek@redhat.com> - 3.0.3-28
 - Rebuilt, switched to SHA512 source tarball hash
 

vsftpd.target

@@ -1,6 +1,6 @@
 [Unit]
 Description=FTP daemon
-After=network-online.target
+After=network.target
 
 [Install]
 WantedBy=multi-user.target

vsftpd@.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Vsftpd ftp daemon
-After=network-online.target
+After=network.target
 PartOf=vsftpd.target
 
 [Service]