rpm/vsftpd
SHA256
1
0
Fork 0
forked from pool/vsftpd
Code Pull Requests Activity

implement SLE-4182

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=145
This commit is contained in:
Peter Simons 2020-11-13 10:29:04 +00:00 committed by Git OBS Bridge
parent 3eb7a9bc6b
commit 3fa65078f1
4 changed files with 192 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

149
0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch Normal file
View File

@ -0,0 +1,149 @@
From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Thu, 17 Nov 2016 13:36:17 +0100
Subject: [PATCH] Introduce TLSv1.1 and TLSv1.2 options.
Users can now enable a specific version of TLS protocol.
---
parseconf.c | 2 ++
ssl.c | 8 ++++++++
tunables.c | 9 +++++++--
tunables.h | 2 ++
vsftpd.conf.5 | 24 ++++++++++++++++++++----
5 files changed, 39 insertions(+), 6 deletions(-)
Index: vsftpd-3.0.3/parseconf.c
===================================================================
--- vsftpd-3.0.3.orig/parseconf.c 2020-11-13 09:52:41.369111000 +0000
+++ vsftpd-3.0.3/parseconf.c 2020-11-13 09:52:48.881045043 +0000
@@ -85,6 +85,8 @@ parseconf_bool_array[] =
{ "ssl_sslv2", &tunable_sslv2 },
{ "ssl_sslv3", &tunable_sslv3 },
{ "ssl_tlsv1", &tunable_tlsv1 },
+ { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+ { "ssl_tlsv1_2", &tunable_tlsv1_2 },
{ "tilde_user_enable", &tunable_tilde_user_enable },
{ "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
{ "force_anon_data_ssl", &tunable_force_anon_data_ssl },
Index: vsftpd-3.0.3/ssl.c
===================================================================
--- vsftpd-3.0.3.orig/ssl.c 2020-11-13 09:52:41.369111000 +0000
+++ vsftpd-3.0.3/ssl.c 2020-11-13 09:52:48.881045043 +0000
@@ -78,6 +78,14 @@ ssl_init(struct vsf_session* p_sess)
{
options |= SSL_OP_NO_TLSv1;
}
+ if (!tunable_tlsv1_1)
+ {
+ options |= SSL_OP_NO_TLSv1_1;
+ }
+ if (!tunable_tlsv1_2)
+ {
+ options |= SSL_OP_NO_TLSv1_2;
+ }
SSL_CTX_set_options(p_ctx, options);
if (tunable_rsa_cert_file)
{
Index: vsftpd-3.0.3/tunables.c
===================================================================
--- vsftpd-3.0.3.orig/tunables.c 2020-11-13 09:52:41.369111000 +0000
+++ vsftpd-3.0.3/tunables.c 2020-11-13 09:56:53.162888596 +0000
@@ -66,6 +66,8 @@ int tunable_force_local_data_ssl;
int tunable_sslv2;
int tunable_sslv3;
int tunable_tlsv1;
+int tunable_tlsv1_1;
+int tunable_tlsv1_2;
int tunable_tilde_user_enable;
int tunable_force_anon_logins_ssl;
int tunable_force_anon_data_ssl;
@@ -207,7 +209,10 @@ tunables_load_defaults()
tunable_force_local_data_ssl = 1;
tunable_sslv2 = 0;
tunable_sslv3 = 0;
+ /* TLSv1 up to TLSv1.2 is enabled by default */
tunable_tlsv1 = 1;
+ tunable_tlsv1_1 = 1;
+ tunable_tlsv1_2 = 1;
tunable_tilde_user_enable = 0;
tunable_force_anon_logins_ssl = 0;
tunable_force_anon_data_ssl = 0;
@@ -288,7 +293,8 @@ tunables_load_defaults()
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
+ install_str_setting("AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
+ &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
Index: vsftpd-3.0.3/tunables.h
===================================================================
--- vsftpd-3.0.3.orig/tunables.h 2020-11-13 09:52:41.369111000 +0000
+++ vsftpd-3.0.3/tunables.h 2020-11-13 09:52:48.881045043 +0000
@@ -67,6 +67,8 @@ extern int tunable_force_local_data_ssl;
extern int tunable_sslv2; /* Allow SSLv2 */
extern int tunable_sslv3; /* Allow SSLv3 */
extern int tunable_tlsv1; /* Allow TLSv1 */
+extern int tunable_tlsv1_1; /* Allow TLSv1.1 */
+extern int tunable_tlsv1_2; /* Allow TLSv1.2 */
extern int tunable_tilde_user_enable; /* Support e.g. ~chris */
extern int tunable_force_anon_logins_ssl; /* Require anon logins use SSL */
extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
Index: vsftpd-3.0.3/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.3.orig/vsftpd.conf.5 2020-11-13 09:52:41.370110991 +0000
+++ vsftpd-3.0.3/vsftpd.conf.5 2020-11-13 09:52:48.881045043 +0000
@@ -486,7 +486,7 @@ Default: YES
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit SSL v2 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
Default: NO
.TP
@@ -494,7 +494,7 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit SSL v3 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
Default: NO
.TP
@@ -502,7 +502,23 @@ Default: NO
Only applies if
.BR ssl_enable
is activated. If enabled, this option will permit TLS v1 protocol connections.
-TLS v1 connections are preferred.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_1
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+TLS v1.2 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_2
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+TLS v1.2 connections are preferred.
Default: YES
.TP
@@ -1001,7 +1017,7 @@ man page for further details. Note that
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: DES-CBC3-SHA
+Default: AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
.TP
.B user_config_dir
This powerful option allows the override of any config option specified in

31
0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch Normal file
View File

@ -0,0 +1,31 @@
From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= <olysonek@redhat.com>
Date: Thu, 21 Dec 2017 14:29:25 +0100
Subject: [PATCH] When handling FEAT command, check ssl_tlsv1_1 and ssl_tlsv1_2
Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1
or ssl_tlsv1_2 configuration option is enabled.
The patch was written by Martin Sehnoutka.
Resolves: rhbz#1432054
---
features.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/features.c b/features.c
index 1212980..d024366 100644
--- a/features.c
+++ b/features.c
@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
{
vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
}
- if (tunable_tlsv1)
+ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
{
vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
}
--
2.29.0

8
vsftpd.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Nov 13 09:49:06 AM UTC 2020 - psimons@suse.com
- Apply "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" and
"0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch",
which add the "ssl_tlsv1_1" and "ssl_tlsv1_2" options to the
configuration file. Both options default to true. [SLE-4182]
-------------------------------------------------------------------
Wed Aug 19 09:46:05 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>

4
vsftpd.spec
View File

@ -85,6 +85,8 @@ Patch30: vsftpd-3.0.3-address_space_limit.patch
Patch31: vsftpd-enable-syscalls-needed-by-sle15.patch
Patch32: vsftpd-support-dsa-only-setups.patch
Patch33: vsftpd-avoid-bogus-ssl-write.patch
Patch34: 0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch
Patch35: 0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
BuildRequires: libcap-devel
BuildRequires: libopenssl-devel
BuildRequires: pam-devel
@ -150,6 +152,8 @@ tests.
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%build
%define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP