rpms/proftpd/F-8 proftpd-1.3.1-tls_debug.patch, NONE, 1.1 proftpd-1.3.1-tls_shutdown.patch, NONE, 1.1 proftpd-1.3.1-tls_sighup.patch, NONE, 1.1 proftpd.conf, 1.8, 1.9 proftpd.spec, 1.37, 1.38
Matthias Saou
thias at fedoraproject.org
Fri Jan 2 13:46:19 UTC 2009
Author: thias
Update of /cvs/extras/rpms/proftpd/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19543/F-8
Modified Files:
proftpd.conf proftpd.spec
Added Files:
proftpd-1.3.1-tls_debug.patch proftpd-1.3.1-tls_shutdown.patch
proftpd-1.3.1-tls_sighup.patch
Log Message:
Update default configuration to have a list of available modules and more example configuration for them, include patches to fix TLS issues (#457280).
proftpd-1.3.1-tls_debug.patch:
--- NEW FILE proftpd-1.3.1-tls_debug.patch ---
diff -uNr proftpd-1.3.1.orig/contrib/mod_tls.c proftpd-1.3.1/contrib/mod_tls.c
--- proftpd-1.3.1.orig/contrib/mod_tls.c 2007-10-04 10:04:24.000000000 -0700
+++ proftpd-1.3.1/contrib/mod_tls.c 2008-08-10 07:54:21.000000000 -0700
@@ -969,6 +969,7 @@
break;
fseek(keyf, 0, SEEK_SET);
+ fprintf(stderr, "Error reading passphrase: %s", tls_get_errors());
ERR_clear_error();
fprintf(stderr, "\nWrong passphrase for this key. Please try again.\n");
}
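Review bot: The added fprintf() at the top of this hunk emits no trailing newline and only reads correctly because the following message happens to begin with `\n`; edit either line on its own and the two messages run together on one stderr line. Make the new line self-contained: `fprintf(stderr, "Error reading passphrase: %s\n", tls_get_errors());`. Placing it before `ERR_clear_error()` is the right order, since tls_get_errors() presumably reads the queue that ERR_clear_error() discards. The loop this hunk belongs to starts and ends outside the hunk.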
proftpd-1.3.1-tls_shutdown.patch:
--- NEW FILE proftpd-1.3.1-tls_shutdown.patch ---
Index: contrib/mod_tls.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/contrib/mod_tls.c,v
retrieving revision 1.138
diff -u -r1.138 mod_tls.c
--- contrib/mod_tls.c 20 May 2008 14:35:24 -0000 1.138
+++ contrib/mod_tls.c 30 Jul 2008 04:16:19 -0000
@@ -411,6 +411,8 @@
/* SSL/TLS support functions */
static void tls_closelog(void);
static void tls_end_sess(SSL *, int, int);
+#define TLS_SHUTDOWN_BIDIRECTIONAL 0x0001
+
static void tls_fatal_error(int, int);
static const char *tls_get_errors(void);
static char *tls_get_page(size_t, void **);
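Review bot: `TLS_SHUTDOWN_BIDIRECTIONAL` is introduced between two prototypes with no comment saying what it controls, and its value 0x0001 suggests a bit-flag set that callers now pass as the third argument of tls_end_sess(). Add a short comment above it: `/* Flags for tls_end_sess(): TLS_SHUTDOWN_BIDIRECTIONAL also waits for the peer's close_notify instead of only sending ours. */`, and consider placing the define before the prototype block rather than in the middle of it.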
@@ -1428,7 +1430,7 @@
} else if (tls_renegotiate_required) {
tls_log("%s", "requested TLS renegotiation timed out on control channel");
tls_log("%s", "shutting down control channel TLS session");
- tls_end_sess(ctrl_ssl, PR_NETIO_STRM_CTRL, TRUE);
+ tls_end_sess(ctrl_ssl, PR_NETIO_STRM_CTRL, 0);
tls_ctrl_rd_nstrm->strm_data = tls_ctrl_wr_nstrm->strm_data =
ctrl_ssl = NULL;
}
@@ -1444,8 +1446,7 @@
} else if (tls_renegotiate_required) {
tls_log("%s", "requested TLS renegotiation timed out on data channel");
tls_log("%s", "shutting down data channel TLS session");
- tls_end_sess((SSL *) tls_data_wr_nstrm->strm_data, PR_NETIO_STRM_DATA,
- TRUE);
+ tls_end_sess((SSL *) tls_data_wr_nstrm->strm_data, PR_NETIO_STRM_DATA, 0);
tls_data_rd_nstrm->strm_data = tls_data_wr_nstrm->strm_data = NULL;
}
}
@@ -1996,8 +1997,7 @@
if (tls_handshake_timed_out) {
tls_log("TLS negotiation timed out (%u seconds)", tls_handshake_timeout);
- tls_end_sess(ssl, on_data ? PR_NETIO_STRM_DATA : PR_NETIO_STRM_CTRL,
- TRUE);
+ tls_end_sess(ssl, on_data ? PR_NETIO_STRM_DATA : PR_NETIO_STRM_CTRL, 0);
return -4;
}
@@ -2043,8 +2043,7 @@
break;
}
- tls_end_sess(ssl, on_data ? PR_NETIO_STRM_DATA : PR_NETIO_STRM_CTRL,
- TRUE);
+ tls_end_sess(ssl, on_data ? PR_NETIO_STRM_DATA : PR_NETIO_STRM_CTRL, 0);
return -3;
}
@@ -2154,42 +2153,34 @@
}
}
-static void tls_end_sess(SSL *ssl, int strms, int use_shutdown) {
- int res;
+static void tls_end_sess(SSL *ssl, int strms, int flags) {
+ int res = 0;
int shutdown_state;
if (!ssl)
return;
- res = SSL_shutdown(ssl);
- if (res == 0) {
- if (use_shutdown) {
- /* Try calling SSL_shutdown() again. First, though, send a TCP FIN
- * to trigger the remote end's close_notify SSL message, via shutdown().
- */
- if (strms & PR_NETIO_STRM_CTRL) {
- pr_netio_shutdown(session.c->outstrm, 1);
+ /* A 'close_notify' alert (SSL shutdown message) may have been previously
+ * sent to the client via tls_netio_shutdown_cb().
+ */
- if (session.c->instrm != session.c->outstrm)
- pr_netio_shutdown(session.c->instrm, 1);
- }
+ shutdown_state = SSL_get_shutdown(ssl);
+ if (!(shutdown_state & SSL_SENT_SHUTDOWN)) {
+ /* 'close_notify' not already sent; send it now. */
+ res = SSL_shutdown(ssl);
+ }
- if (strms & PR_NETIO_STRM_DATA) {
- pr_netio_shutdown(session.d->outstrm, 1);
+ if (res == 0) {
+ /* Now call SSL_shutdown() again, but only if necessary. */
+ if (flags & TLS_SHUTDOWN_BIDIRECTIONAL) {
+ shutdown_state = SSL_get_shutdown(ssl);
- if (session.d->instrm != session.d->outstrm)
- pr_netio_shutdown(session.d->instrm, 1);
+ res = 1;
+ if (!(shutdown_state & SSL_RECEIVED_SHUTDOWN)) {
+ res = SSL_shutdown(ssl);
}
}
- shutdown_state = SSL_get_shutdown(ssl);
-
- /* Now call SSL_shutdown() again, but only if necessary. */
- res = 1;
- if (!(shutdown_state & SSL_RECEIVED_SHUTDOWN)) {
- res = SSL_shutdown(ssl);
- }
-
if (res == 0) {
int err = SSL_get_error(ssl, res);
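Review bot: In the unidirectional case (`flags == 0`, which every call site in this patch except the last now passes) `res` is 0 both when the first SSL_shutdown() returns 0 — the documented result once our close_notify is sent and the peer's has not yet arrived — and when that call is skipped because SSL_SENT_SHUTDOWN was already set and `res` keeps its initializer, so the `if (res == 0)` error block at the bottom of the hunk runs and `SSL_get_error(ssl, res)` is evaluated for a call this function may never have made. Restrict the error path to the case where a second shutdown was actually attempted: `if (res == 0 && (flags & TLS_SHUTDOWN_BIDIRECTIONAL)) {`. The `errno != EPERM` addition in the next hunk looks like it silences one symptom of this spurious error path rather than its cause, though the rest of that error block lies outside the hunks. The function body continues past the hunk, and `strms` appears unused on the new side now that the pr_netio_shutdown() calls are gone; if so, a `(void) strms;` or a comment explaining why it is kept would help.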
@@ -2216,7 +2207,8 @@
if (errno != 0 &&
errno != EOF &&
errno != EBADF &&
- errno != EPIPE) {
+ errno != EPIPE &&
+ errno != EPERM) {
tls_log("SSL_shutdown syscall error: %s", strerror(errno));
pr_log_debug(DEBUG0, MOD_TLS_VERSION
": SSL_shutdown syscall error: %s", strerror(errno));
@@ -3811,7 +3803,7 @@
if (nstrm->strm_type == PR_NETIO_STRM_CTRL &&
nstrm->strm_mode == PR_NETIO_IO_WR) {
- tls_end_sess((SSL *) nstrm->strm_data, nstrm->strm_type, TRUE);
+ tls_end_sess((SSL *) nstrm->strm_data, nstrm->strm_type, 0);
tls_ctrl_rd_nstrm->strm_data = tls_ctrl_wr_nstrm->strm_data =
nstrm->strm_data = NULL;
tls_ctrl_netio = NULL;
@@ -3820,7 +3812,7 @@
if (nstrm->strm_type == PR_NETIO_STRM_DATA &&
nstrm->strm_mode == PR_NETIO_IO_WR) {
- tls_end_sess((SSL *) nstrm->strm_data, nstrm->strm_type, TRUE);
+ tls_end_sess((SSL *) nstrm->strm_data, nstrm->strm_type, 0);
tls_data_rd_nstrm->strm_data = tls_data_wr_nstrm->strm_data =
nstrm->strm_data = NULL;
tls_data_netio = NULL;
@@ -3931,7 +3923,7 @@
X509_free(data_cert);
/* Properly shutdown the SSL session. */
- tls_end_sess((SSL *) nstrm->strm_data, nstrm->strm_type, TRUE);
+ tls_end_sess((SSL *) nstrm->strm_data, nstrm->strm_type, 0);
tls_data_rd_nstrm->strm_data = tls_data_wr_nstrm->strm_data =
nstrm->strm_data = NULL;
@@ -3987,6 +3979,28 @@
}
static int tls_netio_shutdown_cb(pr_netio_stream_t *nstrm, int how) {
+
+ if (how != 0) {
+ /* Closing this stream for writing; we need to send the 'close_notify'
+ * alert first, so that the client knows, at the application layer,
+ * that the SSL/TLS session is shutting down.
+ */
+
+ if (nstrm->strm_mode == PR_NETIO_IO_WR &&
+ (nstrm->strm_type == PR_NETIO_STRM_CTRL ||
+ nstrm->strm_type == PR_NETIO_STRM_DATA)) {
+ SSL *ssl;
+
+ ssl = (SSL *) nstrm->strm_data;
+ if (ssl) {
+ if (!(SSL_get_shutdown(ssl) & SSL_SENT_SHUTDOWN)) {
+ /* We haven't sent a 'close_notify' alert yet; do so now. */
+ SSL_shutdown(ssl);
+ }
+ }
+ }
+ }
+
return shutdown(nstrm->strm_fd, how);
}
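Review bot: The `SSL_shutdown(ssl)` call added inside the new `how != 0` branch discards its return value, so a failure to send close_notify (a -1 return, e.g. a write error on the socket) is neither logged nor removed from the OpenSSL error queue, and a stale queue entry can mislead the next SSL_get_error() call made elsewhere in the module. Check the result: `if (SSL_shutdown(ssl) < 0) { tls_log("error sending close_notify: %s", tls_get_errors()); }`, assuming tls_get_errors() drains the queue as its use in the debug patch suggests. The comment in tls_end_sess() relies on this callback having sent the alert, so a silent failure here is worth at least a log line.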
@@ -4413,7 +4427,7 @@
* The data channel, if protected, should remain so.
*/
- tls_end_sess(ctrl_ssl, PR_NETIO_STRM_CTRL, FALSE);
+ tls_end_sess(ctrl_ssl, PR_NETIO_STRM_CTRL, TLS_SHUTDOWN_BIDIRECTIONAL);
ctrl_ssl = tls_ctrl_rd_nstrm->strm_data = tls_ctrl_wr_nstrm->strm_data = NULL;
/* Remove our NetIO for the control channel. */
proftpd-1.3.1-tls_sighup.patch:
--- NEW FILE proftpd-1.3.1-tls_sighup.patch ---
Index: src/log.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/src/log.c,v
retrieving revision 1.85
diff -u -r1.85 log.c
--- src/log.c 24 Feb 2008 20:35:56 -0000 1.85
+++ src/log.c 13 Aug 2008 18:38:57 -0000
@@ -410,9 +410,10 @@
/* The child may have inherited a valid socket from the parent. */
pr_closelog(syslog_sockfd);
- if ((syslog_sockfd = pr_openlog("proftpd", LOG_NDELAY|LOG_PID,
- facility)) < 0)
+ syslog_sockfd = pr_openlog("proftpd", LOG_NDELAY|LOG_PID, facility);
+ if (syslog_sockfd < 0)
return -1;
+
systemlog_fd = -1;
} else if ((res = pr_log_openfile(systemlog_fn, &systemlog_fd,
@@ -426,14 +427,11 @@
}
void log_closesyslog(void) {
- if (systemlog_fd != -1) {
- close(systemlog_fd);
- systemlog_fd = -1;
+ (void) close(systemlog_fd);
+ systemlog_fd = -1;
- } else {
- pr_closelog(syslog_sockfd);
- syslog_sockfd = -1;
- }
+ (void) pr_closelog(syslog_sockfd);
+ syslog_sockfd = -1;
syslog_open = FALSE;
}
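Review bot: `pr_closelog(syslog_sockfd)` is now reached with `syslog_sockfd == -1` whenever syslog was never opened — the removed else branch kept the file-log and syslog paths exclusive, and the new code closes both unconditionally. `close(-1)` only fails with EBADF and its result is discarded, but whether pr_closelog() tolerates a negative descriptor is not visible here; guard it: `if (syslog_sockfd >= 0) { (void) pr_closelog(syslog_sockfd); }`.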
@@ -517,6 +515,7 @@
if (!syslog_open) {
syslog_sockfd = pr_openlog("proftpd", LOG_NDELAY|LOG_PID, f);
+ syslog_open = TRUE;
} else if (f != facility) {
(void) pr_setlogfacility(f);
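Review bot: `syslog_open = TRUE;` is set regardless of whether the preceding `pr_openlog()` succeeded; the earlier hunk in this patch treats a negative return from pr_openlog() as failure, so on failure this leaves syslog_open true with `syslog_sockfd < 0`, and since the following hunk removes the per-message close, every later call takes the `else if (f != facility)` path and never retries the open. Tie the flag to the result: `syslog_open = (syslog_sockfd >= 0);`. The function continues outside the hunk, so a check further down may already cover this.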
@@ -531,14 +530,6 @@
pr_syslog(syslog_sockfd, priority, "%s - %s\n", serverinfo, s);
else
pr_syslog(syslog_sockfd, priority, "%s\n", s);
-
- if (!syslog_open) {
- pr_closelog(syslog_sockfd);
- syslog_sockfd = -1;
-
- } else if (f != facility) {
- (void) pr_setlogfacility(f);
- }
}
void pr_log_pri(int priority, const char *fmt, ...) {
Index: proftpd.conf
===================================================================
RCS file: /cvs/extras/rpms/proftpd/F-8/proftpd.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- proftpd.conf 19 Aug 2007 16:18:30 -0000 1.8
+++ proftpd.conf 2 Jan 2009 13:45:48 -0000 1.9
@@ -91,9 +91,13 @@
# SQL authentication Dynamic Shared Object (DSO) loading
# See README.DSO and howto/DSO.html for more details.
#<IfModule mod_dso.c>
-# LoadModule mod_sql.c
-# LoadModule mod_sql_mysql.c
-# LoadModule mod_sql_postgres.c
+# LoadModule mod_ban.c
+# LoadModule mod_ifsession.c
+# LoadModule mod_quotatab.c
+# LoadModule mod_quotatab_file.c
+# LoadModule mod_sql.c
+# LoadModule mod_sql_mysql.c
+# LoadModule mod_sql_postgres.c
#</IfModule>
# A basic anonymous configuration, with an upload directory.
@@ -148,3 +152,18 @@
#
#</Anonymous>
+# Configuration for mod_ban
+<IfModule mod_ban.c>
+ BanEngine on
+ BanLog /var/log/proftpd/ban.log
+ BanTable /var/run/proftpd/ban.tab
+
+ # If the same client reaches the MaxLoginAttempts limit 2 times
+ # within 10 minutes, automatically add a ban for that client that
+ # will expire after one hour.
+ BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
+
+ # Allow the FTP admin to manually add/remove bans
+ BanControlsACLs all allow user ftpadm
+</IfModule>
+
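Review bot: The new mod_ban block grants ban management to a literal `ftpadm` account via `BanControlsACLs all allow user ftpadm` without saying that the name is only an example, and the BanLog/BanTable paths assume /var/log/proftpd and /var/run/proftpd exist, which this change does not show being created. Add a comment above the ACL line: `# 'ftpadm' is an example; replace it with the account that should manage bans`. The trailing blank line added at the end of the file can be dropped.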
Index: proftpd.spec
===================================================================
RCS file: /cvs/extras/rpms/proftpd/F-8/proftpd.spec,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- proftpd.spec 2 Jan 2009 12:51:48 -0000 1.37
+++ proftpd.spec 2 Jan 2009 13:45:48 -0000 1.38
@@ -1,7 +1,7 @@
Summary: Flexible, stable and highly-configurable FTP server
Name: proftpd
Version: 1.3.1
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://www.proftpd.org/
@@ -16,6 +16,9 @@
Source8: proftpd-mod_quotatab_ldap.schema
Patch0: proftpd-1.3.1-find-umode_t.patch
Patch1: proftpd-1.3.1-csrf.patch
+Patch2: proftpd-1.3.1-tls_shutdown.patch
+Patch3: proftpd-1.3.1-tls_debug.patch
+Patch4: proftpd-1.3.1-tls_sighup.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Requires: pam >= 0.59
Requires(post): /sbin/chkconfig
@@ -68,6 +71,9 @@
%setup -q
%patch0 -p1 -b .find-umode_t
%patch1 -p1 -b .csrf
+%patch2 -p0 -b .tls_shutdown
+%patch3 -p1 -b .tls_debug.patch
+%patch4 -p0 -b .tls_sighup.patch
%build
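Review bot: The backup suffixes on the three new %patch lines are inconsistent with each other and with the existing ones: `.tls_shutdown` follows the `.csrf` convention, while `.tls_debug.patch` and `.tls_sighup.patch` include the `.patch` extension, which leaves backup files named like `mod_tls.c.tls_debug.patch` in the build tree. Use `%patch3 -p1 -b .tls_debug` and `%patch4 -p0 -b .tls_sighup`. The differing -p levels match each patch's path prefixes (`proftpd-1.3.1.orig/contrib/…` for tls_debug, bare `contrib/` and `src/` for the other two), so those look correct.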
@@ -198,6 +204,11 @@
%changelog
+* Fri Jan 2 2009 Matthias Saou <http://freshrpms.net/> 1.3.1-8
+- Update default configuration to have a lit of available modules and more
+ example configuration for them.
+- Include patches to fix TLS issues (#457280).
+
* Fri Jan 2 2009 Matthias Saou <http://freshrpms.net/> 1.3.1-7
- Add Debian patch to fix CSRF vulnerability (#464127, upstream #3115).