[proftpd-dfsg] 01/01: Removed obsolete patches

Francesco Lovergine frankie at moszumanska.debian.org
Wed Jan 10 08:33:06 UTC 2018


This is an automated email from the git hooks/post-receive script.

frankie pushed a commit to branch master
in repository proftpd-dfsg.

commit a6d047025581073bb29464ffae2be6c208fde0b1
Author: Francesco Paolo Lovergine <frankie at debian.org>
Date:   Wed Jan 10 09:32:58 2018 +0100

    Removed obsolete patches
---
 debian/patches/CVE-2015-3306    | 610 ----------------------------------------
 debian/patches/large_files_SFTP | 389 -------------------------
 2 files changed, 999 deletions(-)

diff --git a/debian/patches/CVE-2015-3306 b/debian/patches/CVE-2015-3306
deleted file mode 100644
index 306fbb6..0000000
--- a/debian/patches/CVE-2015-3306
+++ /dev/null
@@ -1,610 +0,0 @@
-Index: proftpd-dfsg/contrib/mod_copy.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_copy.c
-+++ proftpd-dfsg/contrib/mod_copy.c
-@@ -2,7 +2,7 @@
-  * ProFTPD: mod_copy -- a module supporting copying of files on the server
-  *                      without transferring the data to the client and back
-  *
-- * Copyright (c) 2009-2012 TJ Saunders
-+ * Copyright (c) 2009-2015 TJ Saunders
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -25,13 +25,11 @@
-  *
-  * This is mod_copy, contrib software for proftpd 1.3.x and above.
-  * For more information contact TJ Saunders <tj at castaglia.org>.
-- *
-- * $Id: mod_copy.c,v 1.8 2012/12/27 22:31:29 castaglia Exp $
-  */
- 
- #include "conf.h"
- 
--#define MOD_COPY_VERSION	"mod_copy/0.4"
-+#define MOD_COPY_VERSION	"mod_copy/0.5"
- 
- /* Make sure the version of proftpd is as necessary. */
- #if PROFTPD_VERSION_NUMBER < 0x0001030401
-@@ -40,6 +38,8 @@
- 
- extern pr_response_t *resp_list, *resp_err_list;
- 
-+static int copy_engine = TRUE;
-+
- static const char *trace_channel = "copy";
- 
- /* These are copied largely from src/mkhome.c */
-@@ -165,7 +165,7 @@ static int copy_symlink(pool *p, const c
-       src_path, strerror(xerrno));
- 
-     errno = xerrno;
--    return -1;
-+    return -1; 
-   }
-   link_path[len] = '\0';
- 
-@@ -471,10 +471,37 @@ static int copy_paths(pool *p, const cha
-   return 0;
- }
- 
-+/* Configuration handlers
-+ */
-+
-+/* usage: CopyEngine on|off */
-+MODRET set_copyengine(cmd_rec *cmd) {
-+  int engine = -1;
-+  config_rec *c;
-+
-+  CHECK_ARGS(cmd, 1);
-+  CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL);
-+
-+  engine = get_boolean(cmd, 1);
-+  if (engine == -1) {
-+    CONF_ERROR(cmd, "expected Boolean parameter");
-+  }
-+
-+  c = add_config_param(cmd->argv[0], 1, NULL);
-+  c->argv[0] = palloc(c->pool, sizeof(int));
-+  *((int *) c->argv[0]) = engine;
-+
-+  return PR_HANDLED(cmd);
-+}
-+
- /* Command handlers
-  */
- 
- MODRET copy_copy(cmd_rec *cmd) {
-+  if (copy_engine == FALSE) {
-+    return PR_DECLINED(cmd);
-+  }
-+
-   if (cmd->argc < 2) {
-     return PR_DECLINED(cmd);
-   }
-@@ -539,12 +566,26 @@ MODRET copy_cpfr(cmd_rec *cmd) {
-   register unsigned int i;
-   int res;
-   char *path = "";
-+  unsigned char *authenticated = NULL;
-+
-+  if (copy_engine == FALSE) {
-+    return PR_DECLINED(cmd);
-+  }
- 
-   if (cmd->argc < 3 ||
-       strncasecmp(cmd->argv[1], "CPFR", 5) != 0) {
-     return PR_DECLINED(cmd);
-   }
- 
-+  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
-+  if (authenticated == NULL ||
-+      *authenticated == FALSE) {
-+    pr_response_add_err(R_530, _("Please login with USER and PASS"));
-+  
-+    errno = EPERM;
-+    return PR_ERROR(cmd);
-+  }
-+
-   CHECK_CMD_MIN_ARGS(cmd, 3);
- 
-   /* Construct the target file name by concatenating all the parameters after
-@@ -594,12 +635,26 @@ MODRET copy_cpfr(cmd_rec *cmd) {
- MODRET copy_cpto(cmd_rec *cmd) {
-   register unsigned int i;
-   char *from, *to = "";
-+  unsigned char *authenticated = NULL;
-+
-+  if (copy_engine == FALSE) {
-+    return PR_DECLINED(cmd);
-+  }
- 
-   if (cmd->argc < 3 ||
-       strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
-     return PR_DECLINED(cmd);
-   }
- 
-+  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
-+  if (authenticated == NULL ||
-+      *authenticated == FALSE) {
-+    pr_response_add_err(R_530, _("Please login with USER and PASS"));
-+
-+    errno = EPERM;
-+    return PR_ERROR(cmd);
-+  }
-+
-   CHECK_CMD_MIN_ARGS(cmd, 3);
- 
-   from = pr_table_get(session.notes, "mod_copy.cpfr-path", NULL);
-@@ -632,6 +687,10 @@ MODRET copy_cpto(cmd_rec *cmd) {
- }
- 
- MODRET copy_log_site(cmd_rec *cmd) {
-+  if (copy_engine == FALSE) {
-+    return PR_DECLINED(cmd);
-+  }
-+
-   if (cmd->argc < 3 ||
-       strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
-     return PR_DECLINED(cmd);
-@@ -643,23 +702,58 @@ MODRET copy_log_site(cmd_rec *cmd) {
-   return PR_DECLINED(cmd);
- }
- 
-+MODRET copy_post_pass(cmd_rec *cmd) {
-+  config_rec *c;
-+
-+  if (copy_engine == FALSE) {
-+    return PR_DECLINED(cmd);
-+  }
-+
-+  /* The CopyEngine directive may have been changed for this user by
-+   * e.g. mod_ifsession, thus we check again.
-+   */
-+  c = find_config(main_server->conf, CONF_PARAM, "CopyEngine", FALSE);
-+  if (c != NULL) {
-+    copy_engine = *((int *) c->argv[0]);
-+  }
-+
-+  return PR_DECLINED(cmd);
-+}
-+
- /* Initialization functions
-  */
- 
- static int copy_sess_init(void) {
-+  config_rec *c;
-+
-+  c = find_config(main_server->conf, CONF_PARAM, "CopyEngine", FALSE);
-+  if (c != NULL) {
-+    copy_engine = *((int *) c->argv[0]);
-+  }
-+
-+  if (copy_engine == FALSE) {
-+    return 0;
-+  }
-+
-   /* Advertise support for the SITE command */
-   pr_feat_add("SITE COPY");
--
-   return 0;
- }
- 
- /* Module API tables
-  */
- 
-+static conftable copy_conftab[] = {
-+  { "CopyEngine",	set_copyengine,		NULL },
-+
-+  { NULL }
-+};
-+
- static cmdtable copy_cmdtab[] = {
-   { CMD, 	C_SITE, G_WRITE,	copy_copy,	FALSE,	FALSE, CL_MISC },
-   { CMD, 	C_SITE, G_DIRS,		copy_cpfr,	FALSE,	FALSE, CL_MISC },
-   { CMD, 	C_SITE, G_WRITE,	copy_cpto,	FALSE,	FALSE, CL_MISC },
-+  { POST_CMD,	C_PASS,	G_NONE,		copy_post_pass, FALSE,	FALSE },
-   { LOG_CMD, 	C_SITE, G_NONE,		copy_log_site,	FALSE,	FALSE },
-   { LOG_CMD_ERR, C_SITE, G_NONE,	copy_log_site,	FALSE,	FALSE },
- 
-@@ -676,7 +770,7 @@ module copy_module = {
-   "copy",
- 
-   /* Module configuration handler table */
--  NULL,
-+  copy_conftab,
- 
-   /* Module command handler table */
-   copy_cmdtab,
-Index: proftpd-dfsg/doc/contrib/mod_copy.html
-===================================================================
---- proftpd-dfsg.orig/doc/contrib/mod_copy.html
-+++ proftpd-dfsg/doc/contrib/mod_copy.html
-@@ -1,5 +1,5 @@
--<!-- $Id: mod_copy.html,v 1.1 2010/03/10 19:20:43 castaglia Exp $ -->
--<!-- $Source: /cvsroot/proftp/proftpd/doc/contrib/mod_copy.html,v $ -->
-+<!-- $Id: mod_copy.html,v 1.1 2010-03-10 19:20:43 castaglia Exp $ -->
-+<!-- $Source: /home/proftpd-core/backup/proftp-cvsroot/proftpd/doc/contrib/mod_copy.html,v $ -->
- 
- <html>
- <head>
-@@ -27,22 +27,40 @@ ProFTPD 1.3.<i>x</i>, and is not compile
- instructions are discussed <a href="#Installation">here</a>.
- 
- <p>
--The most current version of <code>mod_copy</code> can be found at:
--<pre>
--  <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a>
--</pre>
-+The most current version of <code>mod_copy</code> is distributed with the
-+ProFTPD source code.
- 
- <h2>Author</h2>
- <p>
- Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any
- questions, concerns, or suggestions regarding this module.
- 
-+<h2>Directives</h2>
-+<ul>
-+  <li><a href="#CopyEngine">CopyEngine</a>
-+</ul>
-+
- <h2><code>SITE</code> Commands</h2>
- <ul>
-   <li><a href="#SITE_CPFR">SITE CPFR</a>
-   <li><a href="#SITE_CPTO">SITE CPTO</a>
- </ul>
- 
-+<p>
-+<hr>
-+<h2><a name="CopyEngine">CopyEngine</a></h2>
-+<strong>Syntax:</strong> CopyEngine <em>on|off</em><br>
-+<strong>Default:</strong> CopyEngine on<br>
-+<strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br>
-+<strong>Module:</strong> mod_radius<br>
-+<strong>Compatibility:</strong> 1.3.6rc1 and later
-+
-+<p>
-+The <code>CopyEngine</code> directive enables or disables the module's
-+handling of <code>SITE COPY</code> <i>et al</i> commands.  If it is set to
-+<em>off</em> this module ignores these commands.
-+
-+<p>
- <hr>
- <h2><a name="SITE_CPFR">SITE CPFR</a></h2>
- This <code>SITE</code> command specifies the source file/directory to use
-@@ -118,13 +136,8 @@ your existing server:
- <p>
- <hr><br>
- 
--Author: <i>$Author: castaglia $</i><br>
--Last Updated: <i>$Date: 2010/03/10 19:20:43 $</i><br>
--
--<br><hr>
--
- <font size=2><b><i>
--© Copyright 2009-2010 TJ Saunders<br>
-+© Copyright 2009-2015 TJ Saunders<br>
-  All Rights Reserved<br>
- </i></b></font>
- 
-Index: proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-===================================================================
---- proftpd-dfsg.orig/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-+++ proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-@@ -21,6 +21,11 @@ my $TESTS = {
-     test_class => [qw(forking)],
-   },
- 
-+  copy_file_no_login => {
-+    order => ++$order,
-+    test_class => [qw(bug forking)],
-+  },
-+
-   copy_dir => {
-     order => ++$order,
-     test_class => [qw(forking)],
-@@ -86,6 +91,11 @@ my $TESTS = {
-     test_class => [qw(forking)],
-   },
- 
-+  copy_cpfr_cpto_no_login => {
-+    order => ++$order,
-+    test_class => [qw(bug forking)],
-+  },
-+
-   copy_cpto_no_cpfr => {
-     order => ++$order,
-     test_class => [qw(forking)],
-@@ -263,6 +273,137 @@ sub copy_file {
-   unlink($log_file);
- }
- 
-+sub copy_file_no_login {
-+  my $self = shift;
-+  my $tmpdir = $self->{tmpdir};
-+
-+  my $config_file = "$tmpdir/copy.conf";
-+  my $pid_file = File::Spec->rel2abs("$tmpdir/copy.pid");
-+  my $scoreboard_file = File::Spec->rel2abs("$tmpdir/copy.scoreboard");
-+
-+  my $log_file = File::Spec->rel2abs('tests.log');
-+
-+  my $auth_user_file = File::Spec->rel2abs("$tmpdir/copy.passwd");
-+  my $auth_group_file = File::Spec->rel2abs("$tmpdir/copy.group");
-+
-+  my $user = 'proftpd';
-+  my $passwd = 'test';
-+  my $group = 'ftpd';
-+  my $home_dir = File::Spec->rel2abs($tmpdir);
-+  my $uid = 500;
-+  my $gid = 500;
-+
-+  # Make sure that, if we're running as root, that the home directory has
-+  # permissions/privs set for the account we create
-+  if ($< == 0) {
-+    unless (chmod(0755, $home_dir)) {
-+      die("Can't set perms on $home_dir to 0755: $!");
-+    }
-+
-+    unless (chown($uid, $gid, $home_dir)) {
-+      die("Can't set owner of $home_dir to $uid/$gid: $!");
-+    }
-+  }
-+
-+  auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir,
-+    '/bin/bash');
-+  auth_group_write($auth_group_file, $group, $gid, $user);
-+
-+  my $src_file = File::Spec->rel2abs("$home_dir/foo.txt");
-+  if (open(my $fh, "> $src_file")) {
-+    print $fh "Hello, World!\n";
-+
-+    unless (close($fh)) {
-+      die("Can't write $src_file: $!");
-+    }
-+
-+  } else {
-+    die("Can't open $src_file: $!");
-+  }
-+
-+  my $dst_file = File::Spec->rel2abs("$home_dir/bar.txt");
-+
-+  my $config = {
-+    PidFile => $pid_file,
-+    ScoreboardFile => $scoreboard_file,
-+    SystemLog => $log_file,
-+
-+    AuthUserFile => $auth_user_file,
-+    AuthGroupFile => $auth_group_file,
-+
-+    IfModules => {
-+      'mod_delay.c' => {
-+        DelayEngine => 'off',
-+      },
-+    },
-+  };
-+
-+  my ($port, $config_user, $config_group) = config_write($config_file, $config);
-+
-+  # Open pipes, for use between the parent and child processes.  Specifically,
-+  # the child will indicate when it's done with its test by writing a message
-+  # to the parent.
-+  my ($rfh, $wfh);
-+  unless (pipe($rfh, $wfh)) {
-+    die("Can't open pipe: $!");
-+  }
-+
-+  my $ex;
-+
-+  # Fork child
-+  $self->handle_sigchld();
-+  defined(my $pid = fork()) or die("Can't fork: $!");
-+  if ($pid) {
-+    eval {
-+      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
-+
-+      eval { $client->site('COPY', 'foo.txt', 'bar.txt') };
-+      unless ($@) { 
-+        die("SITE COPY succeeded unexpectedly");
-+      }
-+
-+      my $resp_code = $client->response_code();
-+      my $resp_msg = $client->response_msg();
-+
-+      my $expected;
-+      $expected = 530;
-+      $self->assert($expected == $resp_code,
-+        test_msg("Expected response code $expected, got $resp_code"));
-+
-+      $expected = "Please login with USER and PASS";
-+      $self->assert($expected eq $resp_msg,
-+        test_msg("Expected response message '$expected', got '$resp_msg'"));
-+    };
-+
-+    if ($@) {
-+      $ex = $@;
-+    }
-+
-+    $wfh->print("done\n");
-+    $wfh->flush();
-+
-+  } else {
-+    eval { server_wait($config_file, $rfh) };
-+    if ($@) {
-+      warn($@);
-+      exit 1;
-+    }
-+
-+    exit 0;
-+  }
-+
-+  # Stop server
-+  server_stop($pid_file);
-+
-+  $self->assert_child_ok($pid);
-+
-+  if ($ex) {
-+    die($ex);
-+  }
-+
-+  unlink($log_file);
-+}
-+
- sub copy_dir {
-   my $self = shift;
-   my $tmpdir = $self->{tmpdir};
-@@ -2578,6 +2719,153 @@ sub copy_cpfr_cpto {
-     };
- 
-     if ($@) {
-+      $ex = $@;
-+    }
-+
-+    $wfh->print("done\n");
-+    $wfh->flush();
-+
-+  } else {
-+    eval { server_wait($config_file, $rfh) };
-+    if ($@) {
-+      warn($@);
-+      exit 1;
-+    }
-+
-+    exit 0;
-+  }
-+
-+  # Stop server
-+  server_stop($pid_file);
-+
-+  $self->assert_child_ok($pid);
-+
-+  if ($ex) {
-+    die($ex);
-+  }
-+
-+  unlink($log_file);
-+}
-+
-+sub copy_cpfr_cpto_no_login {
-+  my $self = shift;
-+  my $tmpdir = $self->{tmpdir};
-+
-+  my $config_file = "$tmpdir/copy.conf";
-+  my $pid_file = File::Spec->rel2abs("$tmpdir/copy.pid");
-+  my $scoreboard_file = File::Spec->rel2abs("$tmpdir/copy.scoreboard");
-+
-+  my $log_file = File::Spec->rel2abs('tests.log');
-+
-+  my $auth_user_file = File::Spec->rel2abs("$tmpdir/copy.passwd");
-+  my $auth_group_file = File::Spec->rel2abs("$tmpdir/copy.group");
-+
-+  my $user = 'proftpd';
-+  my $passwd = 'test';
-+  my $group = 'ftpd';
-+  my $home_dir = File::Spec->rel2abs($tmpdir);
-+  my $uid = 500;
-+  my $gid = 500;
-+
-+  # Make sure that, if we're running as root, that the home directory has
-+  # permissions/privs set for the account we create
-+  if ($< == 0) {
-+    unless (chmod(0755, $home_dir)) {
-+      die("Can't set perms on $home_dir to 0755: $!");
-+    }
-+
-+    unless (chown($uid, $gid, $home_dir)) {
-+      die("Can't set owner of $home_dir to $uid/$gid: $!");
-+    }
-+  }
-+
-+  auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir,
-+    '/bin/bash');
-+  auth_group_write($auth_group_file, $group, $gid, $user);
-+
-+  my $src_file = File::Spec->rel2abs("$home_dir/foo.txt");
-+  if (open(my $fh, "> $src_file")) {
-+    print $fh "Hello, World!\n";
-+
-+    unless (close($fh)) {
-+      die("Can't write $src_file: $!");
-+    }
-+
-+  } else {
-+    die("Can't open $src_file: $!");
-+  }
-+
-+  my $dst_file = File::Spec->rel2abs("$home_dir/bar.txt");
-+
-+  my $config = {
-+    PidFile => $pid_file,
-+    ScoreboardFile => $scoreboard_file,
-+    SystemLog => $log_file,
-+
-+    AuthUserFile => $auth_user_file,
-+    AuthGroupFile => $auth_group_file,
-+
-+    IfModules => {
-+      'mod_delay.c' => {
-+        DelayEngine => 'off',
-+      },
-+    },
-+  };
-+
-+  my ($port, $config_user, $config_group) = config_write($config_file, $config);
-+
-+  # Open pipes, for use between the parent and child processes.  Specifically,
-+  # the child will indicate when it's done with its test by writing a message
-+  # to the parent.
-+  my ($rfh, $wfh);
-+  unless (pipe($rfh, $wfh)) {
-+    die("Can't open pipe: $!");
-+  }
-+
-+  my $ex;
-+
-+  # Fork child
-+  $self->handle_sigchld();
-+  defined(my $pid = fork()) or die("Can't fork: $!");
-+  if ($pid) {
-+    eval {
-+      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
-+ 
-+      eval { $client->site('CPFR', 'foo.txt') };
-+      unless ($@) {
-+        die("SITE CPFR succeeded unexpectedly");
-+      }
-+
-+      my $resp_code = $client->response_code();
-+      my $resp_msg = $client->response_msg();
-+
-+      my $expected;
-+      $expected = 530;
-+      $self->assert($expected == $resp_code,
-+        test_msg("Expected response code $expected, got $resp_code"));
-+
-+      $expected = "Please login with USER and PASS";
-+      $self->assert($expected eq $resp_msg,
-+        test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+      eval { $client->site('CPTO', 'bar.txt') };
-+      unless ($@) {
-+        die("SITE CPTO succeeded unexpectedly");
-+      }
-+
-+      $resp_code = $client->response_code();
-+      $resp_msg = $client->response_msg();
-+
-+      $expected = 530;
-+      $self->assert($expected == $resp_code,
-+        test_msg("Expected response code $expected, got $resp_code"));
-+
-+      $expected = "Please login with USER and PASS";
-+      $self->assert($expected eq $resp_msg,
-+        test_msg("Expected response message '$expected', got '$resp_msg'"));
-+    };
-+
-+    if ($@) {
-       $ex = $@;
-     }
- 
diff --git a/debian/patches/large_files_SFTP b/debian/patches/large_files_SFTP
deleted file mode 100644
index e6d49bc..0000000
--- a/debian/patches/large_files_SFTP
+++ /dev/null
@@ -1,389 +0,0 @@
-Description: Unable to transfer large files (more than 1 GB) with SFTP module.
-Author: proftpd upstream
-Forwarded: bug #4097, fixed in 1.3.5.b.
-Bug-Debian: http://bugs.debian.org/809068
-
-Index: proftpd-dfsg/contrib/mod_sftp/kex.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_sftp/kex.c	2016-08-25 12:25:34.000000000 +0200
-+++ proftpd-dfsg/contrib/mod_sftp/kex.c	2016-09-04 15:06:00.000000000 +0200
-@@ -39,8 +39,6 @@
- #include "interop.h"
- #include "tap.h"
- 
--#define SFTP_DH_PRIV_KEY_RANDOM_BITS	2048
--
- extern module sftp_module;
- 
- /* For managing the kexinit process */
-@@ -621,8 +619,94 @@
-   return 0;
- }
- 
-+static int get_dh_nbits(struct sftp_kex *kex) {
-+  int dh_nbits = 0, dh_size = 0;
-+  const char *algo;
-+  const EVP_CIPHER *cipher;
-+  const EVP_MD *digest;
-+
-+  algo = kex->session_names->c2s_encrypt_algo;
-+  cipher = sftp_crypto_get_cipher(algo, NULL, NULL);
-+  if (cipher != NULL) {
-+    int block_size, key_len;
-+
-+    key_len = EVP_CIPHER_key_length(cipher);
-+    if (dh_size < key_len) {
-+      dh_size = key_len;
-+      pr_trace_msg(trace_channel, 19,
-+        "set DH size to %d bytes, matching client-to-server '%s' cipher "
-+        "key length", dh_size, algo);
-+    }
-+
-+    block_size = EVP_CIPHER_block_size(cipher);
-+    if (dh_size < block_size) {
-+      dh_size = block_size;
-+      pr_trace_msg(trace_channel, 19,
-+        "set DH size to %d bytes, matching client-to-server '%s' cipher "
-+        "block size", dh_size, algo);
-+    }
-+  }
-+
-+  algo = kex->session_names->s2c_encrypt_algo;
-+  cipher = sftp_crypto_get_cipher(algo, NULL, NULL);
-+  if (cipher != NULL) {
-+    int block_size, key_len;
-+
-+    key_len = EVP_CIPHER_key_length(cipher);
-+    if (dh_size < key_len) {
-+      dh_size = key_len;
-+      pr_trace_msg(trace_channel, 19,
-+        "set DH size to %d bytes, matching server-to-client '%s' cipher "
-+        "key length", dh_size, algo);
-+    }
-+
-+    block_size = EVP_CIPHER_block_size(cipher);
-+    if (dh_size < block_size) {
-+      dh_size = block_size;
-+      pr_trace_msg(trace_channel, 19,
-+        "set DH size to %d bytes, matching server-to-client '%s' cipher "
-+        "block size", dh_size, algo);
-+    }
-+  }
-+
-+  algo = kex->session_names->c2s_mac_algo;
-+  digest = sftp_crypto_get_digest(algo, NULL);
-+  if (digest != NULL) {
-+    int mac_len;
-+
-+    mac_len = EVP_MD_size(digest);
-+    if (dh_size < mac_len) {
-+      dh_size = mac_len;
-+      pr_trace_msg(trace_channel, 19,
-+        "set DH size to %d bytes, matching client-to-server '%s' digest size",
-+        dh_size, algo);
-+    }
-+  }
-+
-+  algo = kex->session_names->s2c_mac_algo;
-+  digest = sftp_crypto_get_digest(algo, NULL);
-+  if (digest != NULL) {
-+    int mac_len;
-+
-+    mac_len = EVP_MD_size(digest);
-+    if (dh_size < mac_len) {
-+      dh_size = mac_len;
-+      pr_trace_msg(trace_channel, 19,
-+        "set DH size to %d bytes, matching server-to-client '%s' digest size",
-+        dh_size, algo);
-+    }
-+  }
-+
-+  /* We want to return bits, not bytes. */
-+  dh_nbits = dh_size * 8;
-+
-+  pr_trace_msg(trace_channel, 8, "requesting DH size of %d bits", dh_nbits);
-+  return dh_nbits;
-+}
-+
- static int create_dh(struct sftp_kex *kex, int type) {
-   unsigned int attempts = 0;
-+  int dh_nbits;
-   DH *dh;
- 
-   if (type != SFTP_DH_GROUP1_SHA1 &&
-@@ -656,6 +740,8 @@
-     kex->dh = NULL;
-   }
- 
-+  dh_nbits = get_dh_nbits(kex);
-+
-   /* We have 10 attempts to make a DH key which passes muster. */
-   while (attempts <= 10) {
-     pr_signals_handle();
-@@ -665,7 +751,7 @@
-       attempts);
- 
-     dh = DH_new();
--    if (!dh) {
-+    if (dh == NULL) {
-       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-         "error creating DH: %s", sftp_crypto_get_errors());
-       return -1;
-@@ -699,10 +785,11 @@
-       return -1;
-     }
- 
--    if (!BN_rand(dh->priv_key, SFTP_DH_PRIV_KEY_RANDOM_BITS, 0, 0)) {
-+    /* Generate a random private exponent of the desired size, in bits. */
-+    if (!BN_rand(dh->priv_key, dh_nbits, 0, 0)) {
-       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
--        "error generating DH random key (%d bytes): %s",
--        SFTP_DH_PRIV_KEY_RANDOM_BITS, sftp_crypto_get_errors());
-+        "error generating DH random key (%d bits): %s", dh_nbits,
-+        sftp_crypto_get_errors());
-       DH_free(dh);
-       return -1;
-     }
-@@ -787,6 +874,9 @@
- 
- static int finish_dh(struct sftp_kex *kex) {
-   unsigned int attempts = 0;
-+  int dh_nbits;
-+
-+  dh_nbits = get_dh_nbits(kex);
- 
-   /* We have 10 attempts to make a DH key which passes muster. */
-   while (attempts <= 10) {
-@@ -797,11 +887,12 @@
-       attempts);
- 
-     kex->dh->priv_key = BN_new();
--  
--    if (!BN_rand(kex->dh->priv_key, SFTP_DH_PRIV_KEY_RANDOM_BITS, 0, 0)) {
-+ 
-+    /* Generate a random private exponent of the desired size, in bits. */ 
-+    if (!BN_rand(kex->dh->priv_key, dh_nbits, 0, 0)) {
-       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
--        "error generating DH random key (%d bytes): %s",
--        SFTP_DH_PRIV_KEY_RANDOM_BITS, sftp_crypto_get_errors());
-+        "error generating DH random key (%d bits): %s", dh_nbits,
-+        sftp_crypto_get_errors());
-       return -1;
-     }
- 
-@@ -1514,77 +1605,71 @@
- }
- 
- static int setup_c2s_encrypt_algo(struct sftp_kex *kex, const char *algo) {
--  (void) kex;
--
--  if (sftp_cipher_set_read_algo(algo) < 0)
-+  if (sftp_cipher_set_read_algo(algo) < 0) {
-     return -1;
-+  }
- 
-+  kex->session_names->c2s_encrypt_algo = algo;
-   return 0;
- }
- 
- static int setup_s2c_encrypt_algo(struct sftp_kex *kex, const char *algo) {
--  (void) kex;
--
--  if (sftp_cipher_set_write_algo(algo) < 0)
-+  if (sftp_cipher_set_write_algo(algo) < 0) {
-     return -1;
-+  }
- 
-+  kex->session_names->s2c_encrypt_algo = algo;
-   return 0;
- }
- 
- static int setup_c2s_mac_algo(struct sftp_kex *kex, const char *algo) {
--  (void) kex;
--
--  if (sftp_mac_set_read_algo(algo) < 0)
-+  if (sftp_mac_set_read_algo(algo) < 0) {
-     return -1;
-+  }
- 
-+  kex->session_names->c2s_mac_algo = algo;
-   return 0;
- }
- 
- static int setup_s2c_mac_algo(struct sftp_kex *kex, const char *algo) {
--  (void) kex;
--
--  if (sftp_mac_set_write_algo(algo) < 0)
-+  if (sftp_mac_set_write_algo(algo) < 0) {
-     return -1;
-+  }
- 
-+  kex->session_names->s2c_mac_algo = algo;
-   return 0;
- }
- 
- static int setup_c2s_comp_algo(struct sftp_kex *kex, const char *algo) {
--  (void) kex;
--
--  if (sftp_compress_set_read_algo(algo) < 0)
-+  if (sftp_compress_set_read_algo(algo) < 0) {
-     return -1;
-+  }
- 
-+  kex->session_names->c2s_comp_algo = algo;
-   return 0;
- }
- 
- static int setup_s2c_comp_algo(struct sftp_kex *kex, const char *algo) {
--  (void) kex;
--
--  if (sftp_compress_set_write_algo(algo) < 0)
-+  if (sftp_compress_set_write_algo(algo) < 0) {
-     return -1;
-+  }
- 
-+  kex->session_names->s2c_comp_algo = algo;
-   return 0;
- }
- 
- static int setup_c2s_lang(struct sftp_kex *kex, const char *lang) {
--  (void) kex;
--
--  /* XXX Need to implement the functionality here. */
--
-+  kex->session_names->c2s_lang = lang;
-   return 0;
- }
- 
- static int setup_s2c_lang(struct sftp_kex *kex, const char *lang) {
--  (void) kex;
--
--  /* XXX Need to implement the functionality here. */
--
-+  kex->session_names->s2c_lang = lang;
-   return 0;
- }
- 
- static int get_session_names(struct sftp_kex *kex, int *correct_guess) {
--  const char *shared, *client_list, *server_list;
-+  const char *kex_algo, *shared, *client_list, *server_list;
-   const char *client_pref, *server_pref;
-   pool *tmp_pool;
- 
-@@ -1624,17 +1709,16 @@
-     }
-   }
- 
--  shared = get_shared_name(kex_pool, client_list, server_list);
--  if (shared) {
--    if (setup_kex_algo(kex, shared) < 0) {
--      destroy_pool(tmp_pool);
--      return -1;
--    }
--
-+  kex_algo = get_shared_name(kex_pool, client_list, server_list);
-+  if (kex_algo != NULL) {
-+    /* Unlike the following algorithms, we wait to setup the chosen kex algo
-+     * until the end.  Why?  The kex algo setup may require knowledge of the
-+     * ciphers chosen for encryption, MAC, etc (Bug#4097).
-+     */
-     (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
--      " + Session key exchange: %s", shared);
-+      " + Session key exchange: %s", kex_algo);
-     pr_trace_msg(trace_channel, 20, "session key exchange algorithm: %s",
--      shared);
-+      kex_algo);
- 
-   } else {
-     (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-@@ -1902,6 +1986,14 @@
- #endif
-   }
- 
-+  /* Now that we've finished setting up the other bits, we can set up the
-+   * kex algo.
-+   */
-+  if (setup_kex_algo(kex, kex_algo) < 0) {
-+    destroy_pool(tmp_pool);
-+    return -1;
-+  }
-+
-   destroy_pool(tmp_pool);
-   return 0;
- }
-Index: proftpd-dfsg/contrib/mod_sftp/keys.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_sftp/keys.c	2016-08-25 12:25:34.000000000 +0200
-+++ proftpd-dfsg/contrib/mod_sftp/keys.c	2016-09-04 15:06:00.000000000 +0200
-@@ -36,6 +36,7 @@
- extern xaset_t *server_list;
- extern module sftp_module;
- 
-+/* Note: Should this size be made bigger, in light of larger hostkeys? */
- #define SFTP_DEFAULT_HOSTKEY_SZ		4096
- #define SFTP_MAX_SIG_SZ			4096
- 
-@@ -2028,7 +2029,7 @@
-       }
- 
-       /* XXX Is this buffer large enough?  Too large? */
--      ptr = buf = sftp_msg_getbuf(p, buflen);
-+      ptr = buf = palloc(p, buflen);
-       sftp_msg_write_string(&buf, &buflen, "ssh-rsa");
-       sftp_msg_write_mpint(&buf, &buflen, rsa->e);
-       sftp_msg_write_mpint(&buf, &buflen, rsa->n);
-@@ -2048,7 +2049,7 @@
-       }
- 
-       /* XXX Is this buffer large enough?  Too large? */
--      ptr = buf = sftp_msg_getbuf(p, buflen);
-+      ptr = buf = palloc(p, buflen);
-       sftp_msg_write_string(&buf, &buflen, "ssh-dss");
-       sftp_msg_write_mpint(&buf, &buflen, dsa->p);
-       sftp_msg_write_mpint(&buf, &buflen, dsa->q);
-@@ -2071,8 +2072,7 @@
-       }
- 
-       /* XXX Is this buffer large enough?  Too large? */
--      ptr = buf = sftp_msg_getbuf(p, buflen);
--
-+      ptr = buf = palloc(p, buflen);
-       sftp_msg_write_string(&buf, &buflen, "ecdsa-sha2-nistp256");
-       sftp_msg_write_string(&buf, &buflen, "nistp256");
-       sftp_msg_write_ecpoint(&buf, &buflen, EC_KEY_get0_group(ec),
-@@ -2093,8 +2093,7 @@
-       }
- 
-       /* XXX Is this buffer large enough?  Too large? */
--      ptr = buf = sftp_msg_getbuf(p, buflen);
--
-+      ptr = buf = palloc(p, buflen);
-       sftp_msg_write_string(&buf, &buflen, "ecdsa-sha2-nistp384");
-       sftp_msg_write_string(&buf, &buflen, "nistp384");
-       sftp_msg_write_ecpoint(&buf, &buflen, EC_KEY_get0_group(ec),
-@@ -2115,8 +2114,7 @@
-       }
- 
-       /* XXX Is this buffer large enough?  Too large? */
--      ptr = buf = sftp_msg_getbuf(p, buflen);
--
-+      ptr = buf = palloc(p, buflen);
-       sftp_msg_write_string(&buf, &buflen, "ecdsa-sha2-nistp521");
-       sftp_msg_write_string(&buf, &buflen, "nistp521");
-       sftp_msg_write_ecpoint(&buf, &buflen, EC_KEY_get0_group(ec),
-@@ -2137,8 +2135,14 @@
-   *datalen = SFTP_DEFAULT_HOSTKEY_SZ - buflen;
- 
-   /* If the caller provided a pool, make a copy of the data from the
--   * given pool, and return the copy.  Make sure the scrub the original
-+   * given pool, and return the copy.  Make sure to scrub the original
-    * after making the copy.
-+   *
-+   * Note that we do this copy, even though we use the given pool, since
-+   * we only know the actual size of the data after the fact.  And we need
-+   * to provide the size of the data to the caller, NOT the optimistic size
-+   * we allocate out of the pool for writing the data in the first place.
-+   * Hence the copy.
-    */
-   if (p) {
-     buf = palloc(p, *datalen);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-proftpd/proftpd-dfsg.git



More information about the Pkg-proftpd-maintainers mailing list