diff options
author | Mingli Yu <Mingli.Yu@windriver.com> | 2016-08-16 16:14:22 +0800 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2016-08-16 21:26:15 -0400 |
commit | 5fdc25afc62269a4e129846f0209223885d626e9 (patch) | |
tree | 4055a32929cea3554e8cc0759f5038fe536f75d7 /meta-networking/recipes-daemons/proftpd | |
parent | 5793d60bbe09142d6d4b9829971737c4e4bd7fca (diff) | |
download | meta-openembedded-5fdc25afc62269a4e129846f0209223885d626e9.tar.gz |
proftpd: 1.3.5a -> 1.3.5b
* Upgrade proftpd from 1.3.5a to 1.3.5b
* Remove two backport patches
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'meta-networking/recipes-daemons/proftpd')
-rw-r--r-- | meta-networking/recipes-daemons/proftpd/files/CVE-2016-3125.patch | 247 | ||||
-rw-r--r-- | meta-networking/recipes-daemons/proftpd/files/Fix-build-errors.patch | 64 | ||||
-rw-r--r-- | meta-networking/recipes-daemons/proftpd/proftpd_1.3.5b.bb (renamed from meta-networking/recipes-daemons/proftpd/proftpd_1.3.5a.bb) | 6 |
3 files changed, 2 insertions, 315 deletions
diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2016-3125.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2016-3125.patch deleted file mode 100644 index 69c9be031..000000000 --- a/meta-networking/recipes-daemons/proftpd/files/CVE-2016-3125.patch +++ /dev/null | |||
@@ -1,247 +0,0 @@ | |||
1 | From 7a8f683cedf9b0d1024a80362693c9f8b93a0f2b Mon Sep 17 00:00:00 2001 | ||
2 | From: TJ Saunders <tj@castaglia.org> | ||
3 | Date: Thu, 10 Mar 2016 15:07:58 -0800 | ||
4 | Subject: [PATCH] Backport of fix for Bug#4230 to 1.3.5 branch. | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2016-3125 | ||
8 | |||
9 | Author: TJ Saunders <tj@castaglia.org> | ||
10 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
11 | --- | ||
12 | contrib/mod_tls.c | 167 +++++++++++++++++++++++++++++++++++++++++++++++------- | ||
13 | 1 file changed, 147 insertions(+), 20 deletions(-) | ||
14 | |||
15 | diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c | ||
16 | index df92658..5883cc7 100644 | ||
17 | --- a/contrib/mod_tls.c | ||
18 | +++ b/contrib/mod_tls.c | ||
19 | @@ -411,6 +411,13 @@ static int tls_required_on_ctrl = 0; | ||
20 | static int tls_required_on_data = 0; | ||
21 | static unsigned char *tls_authenticated = NULL; | ||
22 | |||
23 | +/* Define the minimum DH group length we allow (unless the AllowWeakDH | ||
24 | + * TLSOption is used). Ideally this would be 2048, per https://weakdh.org, | ||
25 | + * but for compatibility with older Java versions, which only support up to | ||
26 | + * 1024, we'll use 1024. For now. | ||
27 | + */ | ||
28 | +#define TLS_DH_MIN_LEN 1024 | ||
29 | + | ||
30 | /* mod_tls session flags */ | ||
31 | #define TLS_SESS_ON_CTRL 0x0001 | ||
32 | #define TLS_SESS_ON_DATA 0x0002 | ||
33 | @@ -438,6 +445,7 @@ static unsigned char *tls_authenticated = NULL; | ||
34 | #define TLS_OPT_USE_IMPLICIT_SSL 0x0200 | ||
35 | #define TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS 0x0400 | ||
36 | #define TLS_OPT_VERIFY_CERT_CN 0x0800 | ||
37 | +#define TLS_OPT_ALLOW_WEAK_DH 0x1000 | ||
38 | |||
39 | /* mod_tls SSCN modes */ | ||
40 | #define TLS_SSCN_MODE_SERVER 0 | ||
41 | @@ -2417,24 +2425,139 @@ static int tls_ctrl_renegotiate_cb(CALLBACK_FRAME) { | ||
42 | |||
43 | static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) { | ||
44 | DH *dh = NULL; | ||
45 | + EVP_PKEY *pkey; | ||
46 | + int pkeylen = 0, use_pkeylen = FALSE; | ||
47 | + | ||
48 | + /* OpenSSL will only ever call us (currently) with a keylen of 512 or 1024; | ||
49 | + * see the SSL_EXPORT_PKEYLENGTH macro in ssl_locl.h. Sigh. | ||
50 | + * | ||
51 | + * Thus we adjust the DH parameter length according to the size of the | ||
52 | + * RSA/DSA private key used for the current connection. | ||
53 | + * | ||
54 | + * NOTE: This MAY cause interoperability issues with some clients, notably | ||
55 | + * Java 7 (and earlier) clients, since Java 7 and earlier supports | ||
56 | + * Diffie-Hellman only up to 1024 bits. More sighs. To deal with these | ||
57 | + * clients, then, you need to configure a certificate/key of 1024 bits. | ||
58 | + */ | ||
59 | + pkey = SSL_get_privatekey(ssl); | ||
60 | + if (pkey != NULL) { | ||
61 | + if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA || | ||
62 | + EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { | ||
63 | + pkeylen = EVP_PKEY_bits(pkey); | ||
64 | + | ||
65 | + if (pkeylen < TLS_DH_MIN_LEN) { | ||
66 | + if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) { | ||
67 | + pr_trace_msg(trace_channel, 11, | ||
68 | + "certificate private key length %d less than %d bits, using %d " | ||
69 | + "(see AllowWeakDH TLSOption)", pkeylen, TLS_DH_MIN_LEN, | ||
70 | + TLS_DH_MIN_LEN); | ||
71 | + pkeylen = TLS_DH_MIN_LEN; | ||
72 | + } | ||
73 | + } | ||
74 | + | ||
75 | + if (pkeylen != keylen) { | ||
76 | + pr_trace_msg(trace_channel, 13, | ||
77 | + "adjusted DH parameter length from %d to %d bits", keylen, pkeylen); | ||
78 | + use_pkeylen = TRUE; | ||
79 | + } | ||
80 | + } | ||
81 | + } | ||
82 | |||
83 | if (tls_tmp_dhs != NULL && | ||
84 | tls_tmp_dhs->nelts > 0) { | ||
85 | register unsigned int i; | ||
86 | - DH **dhs; | ||
87 | + DH *best_dh = NULL, **dhs; | ||
88 | + int best_dhlen = 0; | ||
89 | |||
90 | dhs = tls_tmp_dhs->elts; | ||
91 | + | ||
92 | + /* Search the configured list of DH parameters twice: once for any sizes | ||
93 | + * matching the actual requested size (usually 1024), and once for any | ||
94 | + * matching the certificate private key size (pkeylen). | ||
95 | + * | ||
96 | + * This behavior allows site admins to configure a TLSDHParamFile that | ||
97 | + * contains 1024-bit parameters, for e.g. Java 7 (and earlier) clients. | ||
98 | + */ | ||
99 | + | ||
100 | + /* Note: the keylen argument is in BITS, but DH_size() returns the number | ||
101 | + * of BYTES. | ||
102 | + */ | ||
103 | for (i = 0; i < tls_tmp_dhs->nelts; i++) { | ||
104 | - /* Note: the keylength argument is in BITS, but DH_size() returns | ||
105 | - * the number of BYTES. | ||
106 | + int dhlen; | ||
107 | + | ||
108 | + dhlen = DH_size(dhs[i]) * 8; | ||
109 | + if (dhlen == keylen) { | ||
110 | + pr_trace_msg(trace_channel, 11, | ||
111 | + "found matching DH parameter for key length %d", keylen); | ||
112 | + return dhs[i]; | ||
113 | + } | ||
114 | + | ||
115 | + /* Try to find the next "best" DH to use, where "best" means | ||
116 | + * the smallest DH that is larger than the necessary keylen. | ||
117 | */ | ||
118 | - if (DH_size(dhs[i]) == (keylength / 8)) { | ||
119 | + if (dhlen > keylen) { | ||
120 | + if (best_dh != NULL) { | ||
121 | + if (dhlen < best_dhlen) { | ||
122 | + best_dh = dhs[i]; | ||
123 | + best_dhlen = dhlen; | ||
124 | + } | ||
125 | + | ||
126 | + } else { | ||
127 | + best_dh = dhs[i]; | ||
128 | + best_dhlen = dhlen; | ||
129 | + } | ||
130 | + } | ||
131 | + } | ||
132 | + | ||
133 | + for (i = 0; i < tls_tmp_dhs->nelts; i++) { | ||
134 | + int dhlen; | ||
135 | + | ||
136 | + dhlen = DH_size(dhs[i]) * 8; | ||
137 | + if (dhlen == pkeylen) { | ||
138 | + pr_trace_msg(trace_channel, 11, | ||
139 | + "found matching DH parameter for certificate private key length %d", | ||
140 | + pkeylen); | ||
141 | return dhs[i]; | ||
142 | } | ||
143 | + | ||
144 | + if (dhlen > pkeylen) { | ||
145 | + if (best_dh != NULL) { | ||
146 | + if (dhlen < best_dhlen) { | ||
147 | + best_dh = dhs[i]; | ||
148 | + best_dhlen = dhlen; | ||
149 | + } | ||
150 | + | ||
151 | + } else { | ||
152 | + best_dh = dhs[i]; | ||
153 | + best_dhlen = dhlen; | ||
154 | + } | ||
155 | + } | ||
156 | + } | ||
157 | + | ||
158 | + if (best_dh != NULL) { | ||
159 | + pr_trace_msg(trace_channel, 11, | ||
160 | + "using best DH parameter for key length %d (length %d)", keylen, | ||
161 | + best_dhlen); | ||
162 | + return best_dh; | ||
163 | } | ||
164 | } | ||
165 | |||
166 | - switch (keylength) { | ||
167 | + /* Still no DH parameters found? Use the built-in ones. */ | ||
168 | + | ||
169 | + if (keylen < TLS_DH_MIN_LEN) { | ||
170 | + if (!(tls_opts & TLS_OPT_ALLOW_WEAK_DH)) { | ||
171 | + pr_trace_msg(trace_channel, 11, | ||
172 | + "requested key length %d less than %d bits, using %d " | ||
173 | + "(see AllowWeakDH TLSOption)", keylen, TLS_DH_MIN_LEN, TLS_DH_MIN_LEN); | ||
174 | + keylen = TLS_DH_MIN_LEN; | ||
175 | + } | ||
176 | + } | ||
177 | + | ||
178 | + if (use_pkeylen) { | ||
179 | + keylen = pkeylen; | ||
180 | + } | ||
181 | + | ||
182 | + switch (keylen) { | ||
183 | case 512: | ||
184 | dh = get_dh512(); | ||
185 | break; | ||
186 | @@ -2443,32 +2566,33 @@ static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) { | ||
187 | dh = get_dh768(); | ||
188 | break; | ||
189 | |||
190 | - case 1024: | ||
191 | - dh = get_dh1024(); | ||
192 | - break; | ||
193 | + case 1024: | ||
194 | + dh = get_dh1024(); | ||
195 | + break; | ||
196 | |||
197 | - case 1536: | ||
198 | - dh = get_dh1536(); | ||
199 | - break; | ||
200 | + case 1536: | ||
201 | + dh = get_dh1536(); | ||
202 | + break; | ||
203 | |||
204 | - case 2048: | ||
205 | - dh = get_dh2048(); | ||
206 | - break; | ||
207 | + case 2048: | ||
208 | + dh = get_dh2048(); | ||
209 | + break; | ||
210 | |||
211 | - default: | ||
212 | - tls_log("unsupported DH key length %d requested, returning 1024 bits", | ||
213 | - keylength); | ||
214 | - dh = get_dh1024(); | ||
215 | - break; | ||
216 | + default: | ||
217 | + tls_log("unsupported DH key length %d requested, returning 1024 bits", | ||
218 | + keylen); | ||
219 | + dh = get_dh1024(); | ||
220 | + break; | ||
221 | } | ||
222 | |||
223 | + pr_trace_msg(trace_channel, 11, "using builtin DH for %d bits", keylen); | ||
224 | + | ||
225 | /* Add this DH to the list, so that it can be freed properly later. */ | ||
226 | if (tls_tmp_dhs == NULL) { | ||
227 | tls_tmp_dhs = make_array(session.pool, 1, sizeof(DH *)); | ||
228 | } | ||
229 | |||
230 | *((DH **) push_array(tls_tmp_dhs)) = dh; | ||
231 | - | ||
232 | return dh; | ||
233 | } | ||
234 | |||
235 | @@ -8445,6 +8569,9 @@ MODRET set_tlsoptions(cmd_rec *cmd) { | ||
236 | strcmp(cmd->argv[i], "AllowClientRenegotiations") == 0) { | ||
237 | opts |= TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS; | ||
238 | |||
239 | + } else if (strcmp(cmd->argv[i], "AllowWeakDH") == 0) { | ||
240 | + opts |= TLS_OPT_ALLOW_WEAK_DH; | ||
241 | + | ||
242 | } else if (strcmp(cmd->argv[i], "EnableDiags") == 0) { | ||
243 | opts |= TLS_OPT_ENABLE_DIAGS; | ||
244 | |||
245 | -- | ||
246 | 2.7.4 | ||
247 | |||
diff --git a/meta-networking/recipes-daemons/proftpd/files/Fix-build-errors.patch b/meta-networking/recipes-daemons/proftpd/files/Fix-build-errors.patch deleted file mode 100644 index 3b9856054..000000000 --- a/meta-networking/recipes-daemons/proftpd/files/Fix-build-errors.patch +++ /dev/null | |||
@@ -1,64 +0,0 @@ | |||
1 | From 253e6ef6a4fde5545111f7c439a9692afecc597b Mon Sep 17 00:00:00 2001 | ||
2 | From: TJ Saunders <tj@castaglia.org> | ||
3 | Date: Thu, 10 Mar 2016 15:17:50 -0800 | ||
4 | Subject: [PATCH] Fix build errors; used wrong variable name, and pushed | ||
5 | without building. Shame. | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Author: TJ Saunders <tj@castaglia.org> | ||
10 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
11 | --- | ||
12 | contrib/mod_tls.c | 10 +++++----- | ||
13 | 1 file changed, 5 insertions(+), 5 deletions(-) | ||
14 | |||
15 | diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c | ||
16 | index c557454..ecd9f56 100644 | ||
17 | --- a/contrib/mod_tls.c | ||
18 | +++ b/contrib/mod_tls.c | ||
19 | @@ -2423,7 +2423,7 @@ static int tls_ctrl_renegotiate_cb(CALLBACK_FRAME) { | ||
20 | } | ||
21 | #endif | ||
22 | |||
23 | -static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) { | ||
24 | +static DH *tls_dh_cb(SSL *ssl, int is_export, int keylen) { | ||
25 | DH *dh = NULL; | ||
26 | EVP_PKEY *pkey; | ||
27 | int pkeylen = 0, use_pkeylen = FALSE; | ||
28 | @@ -2597,7 +2597,7 @@ static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) { | ||
29 | } | ||
30 | |||
31 | #ifdef PR_USE_OPENSSL_ECC | ||
32 | -static EC_KEY *tls_ecdh_cb(SSL *ssl, int is_export, int keylength) { | ||
33 | +static EC_KEY *tls_ecdh_cb(SSL *ssl, int is_export, int keylen) { | ||
34 | static EC_KEY *ecdh = NULL; | ||
35 | static int init = 0; | ||
36 | |||
37 | @@ -5064,7 +5064,7 @@ static ssize_t tls_read(SSL *ssl, void *buf, size_t len) { | ||
38 | return count; | ||
39 | } | ||
40 | |||
41 | -static RSA *tls_rsa_cb(SSL *ssl, int is_export, int keylength) { | ||
42 | +static RSA *tls_rsa_cb(SSL *ssl, int is_export, int keylen) { | ||
43 | BIGNUM *e = NULL; | ||
44 | |||
45 | if (tls_tmp_rsa) { | ||
46 | @@ -5082,13 +5082,13 @@ static RSA *tls_rsa_cb(SSL *ssl, int is_export, int keylength) { | ||
47 | return NULL; | ||
48 | } | ||
49 | |||
50 | - if (RSA_generate_key_ex(tls_tmp_rsa, keylength, e, NULL) != 1) { | ||
51 | + if (RSA_generate_key_ex(tls_tmp_rsa, keylen, e, NULL) != 1) { | ||
52 | BN_free(e); | ||
53 | return NULL; | ||
54 | } | ||
55 | |||
56 | #else | ||
57 | - tls_tmp_rsa = RSA_generate_key(keylength, RSA_F4, NULL, NULL); | ||
58 | + tls_tmp_rsa = RSA_generate_key(keylen, RSA_F4, NULL, NULL); | ||
59 | #endif /* OpenSSL version 0.9.8 and later */ | ||
60 | |||
61 | if (e != NULL) { | ||
62 | -- | ||
63 | 2.7.4 | ||
64 | |||
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.5a.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.5b.bb index 2332ef856..5a53d0df6 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.5a.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.5b.bb | |||
@@ -12,12 +12,10 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ | |||
12 | file://contrib.patch \ | 12 | file://contrib.patch \ |
13 | file://build_fixup.patch \ | 13 | file://build_fixup.patch \ |
14 | file://proftpd.service \ | 14 | file://proftpd.service \ |
15 | file://CVE-2016-3125.patch \ | ||
16 | file://Fix-build-errors.patch \ | ||
17 | " | 15 | " |
18 | 16 | ||
19 | SRC_URI[md5sum] = "b9d3092411478415b31d435f8e26d173" | 17 | SRC_URI[md5sum] = "f7b8e3a383b34a894c2502db74ccccde" |
20 | SRC_URI[sha256sum] = "a1f48df8539c414ec56e0cea63dcf4b8e16e606c05f10156f030a4a67fae5696" | 18 | SRC_URI[sha256sum] = "afc1789f2478acf88dfdc7d70da90a4fa2786d628218e9574273295d044b4fc8" |
21 | 19 | ||
22 | inherit autotools-brokensep useradd update-rc.d systemd | 20 | inherit autotools-brokensep useradd update-rc.d systemd |
23 | 21 | ||