From 993feb8b7efd05f1c8b5421e3f964fe186289d0e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Thu, 2 Jul 2015 13:48:08 +0200
Subject: [PATCH] - rel 2; use upstream parameter for ssl cert file

---
 pure-ftpd-path_to_ssl_cert_in_config.patch | 236 +++++++--------------
 pure-ftpd.spec | 5 +-
 2 files changed, 77 insertions(+), 164 deletions(-)

diff --git a/pure-ftpd-path_to_ssl_cert_in_config.patch b/pure-ftpd-path_to_ssl_cert_in_config.patch
index ec77d5f..2a136c2 100644
--- a/pure-ftpd-path_to_ssl_cert_in_config.patch
+++ b/pure-ftpd-path_to_ssl_cert_in_config.patch
@@ -1,170 +1,82 @@ -diff -Nur b/configuration-file/pure-config.pl.in n/configuration-file/pure-config.pl.in ---- b/configuration-file/pure-config.pl.in 2004-02-29 12:17:00.000000000 +0100 -+++ n/configuration-file/pure-config.pl.in 2004-09-15 17:02:28.545013000 +0200 -@@ -57,6 +57,7 @@ - TrustedIP => "-V", - AltLog => "-O", - PIDFile => "-g", -+ SSLCertFile => "-7", +commit 659d4e968a2204395c7e1757dade46f9dfc95960 +Author: Frank Denis +Date: Sat Jun 27 16:11:56 2015 +0200 + + DEFAULT_CERT_FILE -> TLS_CERTIFICATE_FILE + +diff --git a/src/ftpd.h b/src/ftpd.h +index 039bed4..717c3da 100644 +--- a/src/ftpd.h ++++ b/src/ftpd.h +@@ -418,8 +418,8 @@ extern int opt_a, opt_C, opt_d, opt_F, opt_l, opt_R; + # ifndef TLS_CONFDIR + # define TLS_CONFDIR "/etc/ssl/private" + # endif +-# ifndef DEFAULT_CERT_FILE +-# define DEFAULT_CERT_FILE TLS_CONFDIR "/pure-ftpd.pem" ++# ifndef TLS_CERTIFICATE_FILE ++# define TLS_CERTIFICATE_FILE TLS_CONFDIR "/pure-ftpd.pem" + # endif + # ifndef TLS_DHPARAMS_FILE + # define TLS_DHPARAMS_FILE TLS_CONFDIR "/pure-ftpd-dhparams.pem" +diff --git a/src/globals.h b/src/globals.h +index 833cfa2..e0c1d30 100644 +--- a/src/globals.h ++++ b/src/globals.h +@@ -166,7 +166,7 @@ GLOBAL0(int data_protection_level); + GLOBAL(const char *tlsciphersuite, TLS_DEFAULT_CIPHER_SUITE); + GLOBAL0(signed char ssl_disabled); + GLOBAL0(signed char ssl_verify_client_cert); +-GLOBAL(const char *cert_file, DEFAULT_CERT_FILE); ++GLOBAL(const char *cert_file, TLS_CERTIFICATE_FILE); + #endif + + GLOBAL0(char *atomic_prefix); + +commit 32bffd1ce2670279ebc9aac0386a6d223b1119b6 +Author: Frank Denis +Date: Fri Jun 26 19:02:37 2015 +0200 + + Add CertFile to the configuration files wrappers + +diff --git a/configuration-file/pure-config.pl.in b/configuration-file/pure-config.pl.in +index 498af50..ea675c8 100644 +--- a/configuration-file/pure-config.pl.in ++++ b/configuration-file/pure-config.pl.in +@@ -60,6 +60,7 @@ my %string_switch_for = ( + AltLog => "-O", + PIDFile => "-g", + 
TLSCipherSuite => "-J", ++ CertFile => "-2", ); my %numeric_switch_for = ( -diff -Nur b/configuration-file/pure-config.py.in n/configuration-file/pure-config.py.in ---- b/configuration-file/pure-config.py.in 2004-02-29 12:17:14.000000000 +0100 -+++ n/configuration-file/pure-config.py.in 2004-09-15 17:02:28.546012000 +0200 -@@ -55,6 +55,7 @@ - option_tuple = ( - ["IPV4Only[\s]+yes", "-4" ], - ["IPV6Only[\s]+yes", "-6" ], -+ ["SSLCertFile\s+(\S+)", "-7", None ], - ["ChrootEveryone[\s]+yes", "-A" ], - ["TrustedGID[\s]+([\d]+)", "-a", None ], - ["BrokenClientsCompatibility[\s]+yes", "-b" ], -diff -Nur b/configuration-file/pure-ftpd.conf.in n/configuration-file/pure-ftpd.conf.in ---- b/configuration-file/pure-ftpd.conf.in 2004-09-15 17:03:04.281580000 +0200 -+++ n/configuration-file/pure-ftpd.conf.in 2004-09-15 17:02:28.547012000 +0200 -@@ -420,7 +420,13 @@ - # 3) Only compatible clients will log in. - - # TLS 1 -- -+ -+# Path to SSL certificate file. This is non-standard addition -+# and it might disappear in the future. If not present -+# default is /var/lib/openssl/certs/ftpd.pem for PLD. -+# -+# SSLCertFile /etc/ssl/private/pure-ftpd.pem -+# - +diff --git a/configuration-file/pure-config.py.in b/configuration-file/pure-config.py.in +index 9a4943c..c458a20 100644 +--- a/configuration-file/pure-config.py.in ++++ b/configuration-file/pure-config.py.in +@@ -114,6 +114,7 @@ option_tuple = ( + ["PIDFile\s+(\S+)", "-g", None ], + ["TLSCipherSuite\s+(\S+)", "-J", None ], + ["PerUserLimits\s+([:0-9]+)", "-y", None ], ++ ["CertFile\s+(\S+)", "-2", None ], + ["TLS\s+(\d)", "-Y", None ]) - # Listen only to IPv4 addresses in standalone mode (ie. 
disable IPv6) -diff -Nur b/man/pure-ftpd.8 n/man/pure-ftpd.8 ---- b/man/pure-ftpd.8 2004-02-29 21:10:06.000000000 +0100 -+++ n/man/pure-ftpd.8 2004-09-15 17:02:28.548012000 +0200 -@@ -9,7 +9,7 @@ - pure\-ftpd \- simple File Transfer Protocol server + for option in option_tuple: +diff --git a/configuration-file/pure-ftpd.conf.in b/configuration-file/pure-ftpd.conf.in +index 74d1fb1..8591906 100644 +--- a/configuration-file/pure-ftpd.conf.in ++++ b/configuration-file/pure-ftpd.conf.in +@@ -434,6 +434,12 @@ CustomerProof yes - .SH "SYNOPSIS" --.B pure\-ftpd [\-0] [\-1] [\-4] [\-6] [\-a gid] [\-A] [\-b] [\-B] [\-c clients] [\-C cnx/ip] [\-d [\-d]] [\-D] [\-e] [\-E] [\-f facility] [\-F fortunes file] [\-g pidfile] [\-G] [\-H] [\-i] [\-I] [\-j] [\-k percentage] [\-K] [\-l authentication[:config file]] [\-L max files:max depth] [\-m maxload] [\-M] [\-n maxfiles:maxsize] [\-N] [\-o] [\-O format:log file] [\-p first:last] [\-P ip address or host name] [\-q upload:download ratio] [\-Q upload:download ratio] [\-r] [\-R] [\-s] [\-S [address,][port]] [\-t upload bandwidth:download bandwidth] [\-T upload bandwidth:download bandwidth] [\-u uid] [\-U umask files:umask dirs] [\-v rendezvous name] [\-V ip address] [\-w] [\-W] [\-x] [\-X] [\-y max user sessions:max anon sessions] [\-Y tls behavior] [\-z] [\-Z] -+.B pure\-ftpd [\-0] [\-1] [\-4] [\-6] [\-7 certificate file] [\-a gid] [\-A] [\-b] [\-B] [\-c clients] [\-C cnx/ip] [\-d [\-d]] [\-D] [\-e] [\-E] [\-f facility] [\-F fortunes file] [\-g pidfile] [\-G] [\-H] [\-i] [\-I] [\-j] [\-k percentage] [\-K] [\-l authentication[:config file]] [\-L max files:max depth] [\-m maxload] [\-M] [\-n maxfiles:maxsize] [\-N] [\-o] [\-O format:log file] [\-p first:last] [\-P ip address or host name] [\-q upload:download ratio] [\-Q upload:download ratio] [\-r] [\-R] [\-s] [\-S [address,][port]] [\-t upload bandwidth:download bandwidth] [\-T upload bandwidth:download bandwidth] [\-u uid] [\-U umask files:umask dirs] [\-v rendezvous name] [\-V ip 
address] [\-w] [\-W] [\-x] [\-X] [\-y max user sessions:max anon sessions] [\-Y tls behavior] [\-z] [\-Z] - .br - Alternative style : -@@ -22,6 +22,8 @@ - .br - \-6 \-\-ipv6only - .br -+\-7 \-\-sslcertfile -+.br - \-a \-\-trustedgid - .br - \-A \-\-chrooteveryone -@@ -157,6 +159,9 @@ - .B \-6 - Listen only to IPv6 connections. - .TP -+.B \-7 SSL certificate file -+Path to SSL certificate file. If option \-7 is not present default value is /var/lib/openssl/certs/ftpd.pem for PLD. This is non\-standard addition. It might disappear in the future and meaning of \-7 option is not guaranted. -+.TP - .B \-a gid - Regular users will be chrooted to their home directories, unless - they belong to the specified gid. Note that root is always trusted, -diff -Nur b/src/ftpd.c n/src/ftpd.c ---- b/src/ftpd.c 2004-09-15 18:05:29.951069216 +0200 -+++ n/src/ftpd.c 2004-09-15 18:03:14.172710664 +0200 -@@ -4830,7 +4830,7 @@ - int fodder; - int bypass_ipv6 = 0; - struct passwd *pw; -- -+ - #ifdef PROBE_RANDOM_AT_RUNTIME - pw_zrand_probe(); - #endif -@@ -5097,6 +5097,15 @@ - enforce_tls_auth > 2) { - die(421, LOG_ERR, MSG_CONF_ERR ": TLS"); - } -+ if (!tlscert_file) -+ if ((tlscert_file = strdup(TLS_CERTIFICATE_FILE)) == NULL) -+ die_mem(); -+ break; -+ } -+ case '7': { -+ free(tlscert_file); -+ if ((tlscert_file = strdup(optarg)) == NULL) -+ die_mem(); - break; - } - #endif -diff -Nur b/src/ftpd_p.h n/src/ftpd_p.h ---- b/src/ftpd_p.h 2004-02-29 22:49:28.000000000 +0100 -+++ n/src/ftpd_p.h 2004-09-15 17:02:28.561010000 +0200 -@@ -101,6 +101,7 @@ - #endif - #ifdef WITH_TLS - "Y:" -+ "7:" - #endif - "zZ"; -@@ -180,6 +181,7 @@ - # endif - # ifdef WITH_TLS - { "tls", 1, NULL, 'Y' }, -+ { "sslcertfile", 1, NULL, '7'}, - # endif - { "allowdotfiles", 0, NULL, 'z' }, - { "customerproof", 0, NULL, 'Z' }, -diff -Nur b/src/globals.h n/src/globals.h ---- b/src/globals.h 2004-02-29 22:49:28.000000000 +0100 -+++ n/src/globals.h 2004-09-15 17:02:28.561010000 +0200 -@@ -167,6 +167,7 @@ - - #ifdef 
WITH_TLS - GLOBAL0(signed char enforce_tls_auth); -+GLOBAL0(char *tlscert_file); - #endif - - GLOBAL0(char *atomic_prefix); -diff -Nur b/src/tls.c n/src/tls.c ---- b/src/tls.c 2004-02-29 22:49:27.000000000 +0100 -+++ n/src/tls.c 2004-09-15 17:02:28.562010000 +0200 -@@ -9,11 +9,12 @@ - # include "tls.h" - # include "ftpwho-update.h" - # include "messages.h" -+# include "globals.h" - - static void tls_error(void) - { - logfile(LOG_ERR, "SSL/TLS [%s]: %s", -- TLS_CERTIFICATE_FILE, -+ tlscert_file, - ERR_error_string(ERR_get_error(), NULL)); - _EXIT(EXIT_FAILURE); - } -@@ -23,7 +24,7 @@ - DH *dh; - BIO *bio; ++# Certificate file, for TLS ++ ++# CertFile /etc/ssl/private/pure-ftpd.pem ++ ++ ++ + # Listen only to IPv4 addresses in standalone mode (ie. disable IPv6) + # By default, both IPv4 and IPv6 are enabled. -- if ((bio = BIO_new_file(TLS_CERTIFICATE_FILE, "r")) == NULL) { -+ if ((bio = BIO_new_file(tlscert_file, "r")) == NULL) { - return -1; - } - if ((dh = PEM_read_bio_DHparams(bio, NULL, NULL -@@ -65,11 +66,11 @@ - tls_init_cache(); - SSL_CTX_set_options(tls_ctx, SSL_OP_ALL); - if (SSL_CTX_use_certificate_chain_file -- (tls_ctx, TLS_CERTIFICATE_FILE) != 1) { -+ (tls_ctx, tlscert_file) != 1) { - die(421, LOG_ERR, -- MSG_FILE_DOESNT_EXIST ": [%s]", TLS_CERTIFICATE_FILE); -+ MSG_FILE_DOESNT_EXIST ": [%s]", tlscert_file); - } -- if (SSL_CTX_use_PrivateKey_file(tls_ctx, TLS_CERTIFICATE_FILE, -+ if (SSL_CTX_use_PrivateKey_file(tls_ctx, tlscert_file, - SSL_FILETYPE_PEM) != 1) { - tls_error(); - } diff --git a/pure-ftpd.spec b/pure-ftpd.spec index ba5d73f..5e94734 100644 --- a/pure-ftpd.spec +++ b/pure-ftpd.spec @@ -9,7 +9,7 @@ %bcond_without tls # disable SSL/TLS support %bcond_without cap # disable capabilities -%define rel 1 +%define rel 2 Summary: Small, fast and secure FTP server Summary(pl.UTF-8): Mały, szybki i bezpieczny serwer FTP Name: pure-ftpd 
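Review bot: The `# Certificate file, for TLS` comment that the backported commit 32bffd1 adds to pure-ftpd.conf.in does not say that the same PEM file must also hold the private key, which the removed tls.c hunk of the old patch shows (`SSL_CTX_use_PrivateKey_file` is called on the same path as `SSL_CTX_use_certificate_chain_file`); I would extend it to `# Certificate file, for TLS (PEM holding the certificate chain and the private key; keep it readable by root only)`. The replacement patch no longer carries any ftpd.c/ftpd_p.h option parsing, so the `-2` switch that pure-config.pl.in and pure-config.py.in now emit for `CertFile` has to be understood by the packaged upstream release itself (the spec trigger in the second hunk points at 1.0.41); a line in the patch header stating which upstream version provides `-2` would spare the next maintainer that check. The man-page text for the old `-7` option also disappears with nothing in this patch replacing it, which is fine only if upstream's pure-ftpd.8 already documents `-2` — worth confirming before the release is pushed.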
@@ -206,9 +206,10 @@ if [ "$1" = "0" ]; then
 %service -q ldap restart
 fi
 
-%triggerpostun -- %{name} < 1.0.40-1
+%triggerpostun -- %{name} < 1.0.41-2
 %{?with_mysql:sed -i -e 's#MYSQLCrypt[\t ]\+all#MYSQLCrypt any#gi' $RPM_BUILD_ROOT%{_sysconfdir}/pureftpd-mysql.conf}
 %{?with_pgsql:sed -i -e 's#PgSQLCrypt[\t ]\+all#PgSQLCrypt any#gi' $RPM_BUILD_ROOT%{_sysconfdir}/pureftpd-pgsql.conf}
+sed -i -e 's#SSLCertFile#CertFile#gi' $RPM_BUILD_ROOT%{_sysconfdir}/pureftpd.conf
 exit 0
 
 %files
-- 
2.44.0
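Review bot: The added `sed -i ... $RPM_BUILD_ROOT%{_sysconfdir}/pureftpd.conf` runs from `%triggerpostun`, i.e. on the installed system, where `$RPM_BUILD_ROOT` is normally unset; the rewrite of a live configuration file only lands on `/etc/pureftpd.conf` because the variable expands to empty, and the two existing MYSQLCrypt/PgSQLCrypt lines share the same quirk. I would write the target as `%{_sysconfdir}/pureftpd.conf` and only touch it when present, `[ -f %{_sysconfdir}/pureftpd.conf ] && sed -i -e 's#SSLCertFile#CertFile#gi' %{_sysconfdir}/pureftpd.conf`, since the scriptlet has no `set -e` and a failing sed would otherwise just print an error before `exit 0`. The `gi` flags also make the substitution case-insensitive and per-occurrence, so commented-out `# SSLCertFile` examples are rewritten as well; that is harmless but worth a comment above the line, e.g. `# 1.0.41-2 replaced the PLD-local SSLCertFile directive with upstream's CertFile`.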