- rel 6; tls patches from upstream

diff --git a/pure-ftpd.spec b/pure-ftpd.spec
index 4abfc33f7a09a98b93a94315d2775dd6a708fca4..15e915963efad719a87d50256325e0453a635ff4 100644 (file)
--- a/pure-ftpd.spec
+++ b/pure-ftpd.spec
@@ -9,7 +9,7 @@
 %bcond_without tls             # disable SSL/TLS support
 %bcond_without cap             # disable capabilities
 
-%define        rel     5
+%define        rel     6
 Summary:       Small, fast and secure FTP server
 Summary(pl.UTF-8):     Mały, szybki i bezpieczny serwer FTP
 Name:          pure-ftpd
@@ -32,6 +32,7 @@ Patch2:               %{name}-pure-pw_passwd.patch
 Patch3:                %{name}-mysql_config.patch
 # from Fedora
 Patch4:                0003-Allow-having-both-options-and-config-file-on-command.patch
+Patch5:                tls.patch
 
 Patch7:                audit_cap.patch
 Patch8:                %{name}-apparmor.patch
@@ -111,6 +112,7 @@ Ten pakiet zawiera schemat Pure-FTPd pureftpd.schema dla openldapa.
 %patch1 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 %patch7 -p1
 %patch8 -p1

diff --git a/tls.patch b/tls.patch
new file mode 100644 (file)
index 0000000..615fb96
--- /dev/null
+++ b/tls.patch
@@ -0,0 +1,63 @@
+commit 4a495c61ce22c893aed5ee57f6ce0b43c3be59ad
+Author: Frank Denis <github@pureftpd.org>
+Date:   Wed Sep 19 23:53:45 2018 +0200
+
+    TLS1.3 compatibility
+    
+    Fixes #94
+
+diff --git a/src/tls.c b/src/tls.c
+index c693d3b..f383ed9 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -228,7 +228,16 @@ static void ssl_info_cb(const SSL *cnx, int where, int ret)
+     if ((where & SSL_CB_HANDSHAKE_START) != 0) {
+         if ((cnx == tls_cnx && tls_cnx_handshook != 0) ||
+             (cnx == tls_data_cnx && tls_data_cnx_handshook != 0)) {
+-            die(400, LOG_ERR, "TLS renegociation");
++            const SSL_CIPHER *cipher;
++            const char *cipher_version;
++            if ((cipher = SSL_get_current_cipher(cnx)) == NULL ||
++                (cipher_version = SSL_CIPHER_get_version(cipher)) == NULL) {
++                die(400, LOG_ERR, "No cipher");
++            }
++            if (strcmp(cipher_version, "TLSv1.3") != 0) {
++                die(400, LOG_ERR, "TLS renegociation");
++                return;
++            }
+         }
+         return;
+     }
+@@ -264,10 +273,10 @@ int tls_init_library(void)
+     OpenSSL_add_all_algorithms();
+ # else
+     OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
+-                   OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
++                     OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+     OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
+-                      OPENSSL_INIT_ADD_ALL_DIGESTS |
+-                      OPENSSL_INIT_LOAD_CONFIG, NULL);
++                        OPENSSL_INIT_ADD_ALL_DIGESTS |
++                        OPENSSL_INIT_LOAD_CONFIG, NULL);
+ # endif
+     while (RAND_status() == 0) {
+         rnd = zrand();
+commit aa68b2d620ef0c83c7f52213c7e6093722b0b8bd
+Author: Frank Denis <github@pureftpd.org>
+Date:   Wed Oct 24 19:19:26 2018 +0200
+
+    Disable TLSv1_1
+
+diff --git a/src/tls.c b/src/tls.c
+index f383ed9..c4e2a1b 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -297,7 +297,7 @@ int tls_init_library(void)
+     SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
+ # endif
+ # ifdef SSL_OP_NO_TLSv1_1
+-    SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_1);
++    SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
+ # endif
+ # ifdef SSL_OP_NO_TLSv1_2
+     SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);