Hello community, here is the log from the commit of package tnftp for openSUSE:Factory checked in at 2020-06-03 20:28:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tnftp (Old) and /work/SRC/openSUSE:Factory/.tnftp.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tnftp"
Wed Jun 3 20:28:55 2020 rev:7 rq:809763 version:20151004
Changes:
--------
--- /work/SRC/openSUSE:Factory/tnftp/tnftp.changes 2016-08-18 09:16:43.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.tnftp.new.3606/tnftp.changes 2020-06-03 20:29:07.404553620 +0200
@@ -1,0 +2,10 @@
+Tue May 26 13:49:20 UTC 2020 - Cristian RodrÃguez <crrodrig...@opensuse.org>
+
+- tnftp ssl client should validate hostnames and certificates,
+ so for example tnftp -d https://revoked.badssl.com/example
+ fails to connect. (tnftp-verify_hostname.patch), There are
+ at least two reports about this misbehaviour online but it has
+ never been fixed. Patch targets openSSL 1.1.x and later
+ so specify requirement in spec file.
+
+-------------------------------------------------------------------
New:
----
tnftp-verify_hostname.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tnftp.spec ++++++
--- /var/tmp/diff_new_pack.WNai6u/_old 2020-06-03 20:29:08.288556308 +0200
+++ /var/tmp/diff_new_pack.WNai6u/_new 2020-06-03 20:29:08.288556308 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package tnftp
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -22,16 +22,17 @@
 Summary: Enhanced FTP Client
 License: BSD-3-Clause
 Group: Productivity/Networking/Ftp/Clients
-Url: ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/
+URL: ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/
 Source0: ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/%{name}-%{version}.tar.gz
 Source1: ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/%{name}-%{version}.tar.gz.asc
 Source2: tnftp.keyring
 # PATCH-FIX-UPSTREAM: do not use bundled libedit
 Patch0: tnftp-20100108-am_and_libedit.patch
+Patch1: tnftp-verify_hostname.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libedit-devel
-BuildRequires: libopenssl-devel
+BuildRequires: libopenssl-devel >= 1.1
 BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: update-alternatives
@@ -53,6 +54,7 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %build
 #axe bundled library
++++++ tnftp-verify_hostname.patch ++++++
Index: tnftp-20151004/src/ssl.c
===================================================================
--- tnftp-20151004.orig/src/ssl.c
+++ tnftp-20151004/src/ssl.c
@@ -56,6 +56,7 @@ __RCSID(" NetBSD: ssl.c,v 1.5 2015/09/16
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
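Review bot: The new line `+Patch1: tnftp-verify_hostname.patch` carries no patch-tag comment, while Patch0 directly above it is documented as `# PATCH-FIX-UPSTREAM: do not use bundled libedit`. A tag line records why the patch exists and whether it has been sent upstream, which matters here because the changes entry says the problem has been reported before but never fixed upstream; something like `# PATCH-FIX-OPENSUSE tnftp-verify_hostname.patch -- verify server certificate and hostname on TLS connections, needs OpenSSL >= 1.1` would do, with the upstream report added once one is filed. The `>= 1.1` on libopenssl-devel is consistent with the patch calling SSL_set1_host and SSL_set_hostflags, which exist only from OpenSSL 1.1.0 on; a one-line comment on that BuildRequires naming the reason would save the next packager from relaxing it.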
@@ -559,34 +560,56 @@ fetch_start_ssl(int sock, const char *se
 SSL_CTX *ctx;
 int ret, ssl_err;
- /* Init the SSL library and context */
- if (!SSL_library_init()){
- fprintf(ttyout, "SSL library init failed\n");
+ OPENSSL_init_ssl(0, NULL);
+
+ ctx = SSL_CTX_new(SSLv23_client_method());
+
+ if(!ctx) {
+ fprintf(ttyout, "SSL_CTX context creation failed: %s\n", ERR_error_string(ERR_get_error(), NULL));
 return NULL;
 }
+
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY|SSL_MODE_RELEASE_BUFFERS);
+ SSL_CTX_set_default_verify_paths(ctx);
+ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
- SSL_load_error_strings();
-
- ctx = SSL_CTX_new(SSLv23_client_method());
- SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 ssl = SSL_new(ctx);
 if (ssl == NULL){
- fprintf(ttyout, "SSL context creation failed\n");
+ fprintf(ttyout, "SSL context creation failed: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+ if(!SSL_set_fd(ssl, sock)) {
+ fprintf(ttyout, "SSL_set_fd() failed: %s\n", ERR_error_string(ERR_get_error(), NULL));
 SSL_CTX_free(ctx);
+ SSL_free(ssl);
 return NULL;
 }
- SSL_set_fd(ssl, sock);
 if (!SSL_set_tlsext_host_name(ssl, __UNCONST(servername))) {
 fprintf(ttyout, "SSL hostname setting failed\n");
 SSL_CTX_free(ctx);
+ SSL_free(ssl);
+ return NULL;
+ }
+
+ SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+ if (!SSL_set1_host(ssl, __UNCONST(servername))) {
+ fprintf(ttyout, "SSL hostname setting for validation failed\n");
+ SSL_CTX_free(ctx);
+ SSL_free(ssl);
 return NULL;
 }
+
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+
 while ((ret = SSL_connect(ssl)) == -1) {
 ssl_err = SSL_get_error(ssl, ret);
 if (ssl_err != SSL_ERROR_WANT_READ && ssl_err != SSL_ERROR_WANT_WRITE) {
 ERR_print_errors_fp(ttyout);
+ SSL_CTX_free(ctx);
 SSL_free(ssl);
 return NULL;
 }