[proftpd-dfsg] 01/01: Removed obsolete patches
Francesco Lovergine
frankie at moszumanska.debian.org
Wed Jan 10 08:33:06 UTC 2018
This is an automated email from the git hooks/post-receive script.
frankie pushed a commit to branch master
in repository proftpd-dfsg.
commit a6d047025581073bb29464ffae2be6c208fde0b1
Author: Francesco Paolo Lovergine <frankie at debian.org>
Date: Wed Jan 10 09:32:58 2018 +0100
Removed obsolete patches
---
debian/patches/CVE-2015-3306 | 610 ----------------------------------------
debian/patches/large_files_SFTP | 389 -------------------------
2 files changed, 999 deletions(-)
diff --git a/debian/patches/CVE-2015-3306 b/debian/patches/CVE-2015-3306
deleted file mode 100644
index 306fbb6..0000000
--- a/debian/patches/CVE-2015-3306
+++ /dev/null
@@ -1,610 +0,0 @@
-Index: proftpd-dfsg/contrib/mod_copy.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_copy.c
-+++ proftpd-dfsg/contrib/mod_copy.c
-@@ -2,7 +2,7 @@
- * ProFTPD: mod_copy -- a module supporting copying of files on the server
- * without transferring the data to the client and back
- *
-- * Copyright (c) 2009-2012 TJ Saunders
-+ * Copyright (c) 2009-2015 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -25,13 +25,11 @@
- *
- * This is mod_copy, contrib software for proftpd 1.3.x and above.
- * For more information contact TJ Saunders <tj at castaglia.org>.
-- *
-- * $Id: mod_copy.c,v 1.8 2012/12/27 22:31:29 castaglia Exp $
- */
-
- #include "conf.h"
-
--#define MOD_COPY_VERSION "mod_copy/0.4"
-+#define MOD_COPY_VERSION "mod_copy/0.5"
-
- /* Make sure the version of proftpd is as necessary. */
- #if PROFTPD_VERSION_NUMBER < 0x0001030401
-@@ -40,6 +38,8 @@
-
- extern pr_response_t *resp_list, *resp_err_list;
-
-+static int copy_engine = TRUE;
-+
- static const char *trace_channel = "copy";
-
- /* These are copied largely from src/mkhome.c */
-@@ -165,7 +165,7 @@ static int copy_symlink(pool *p, const c
- src_path, strerror(xerrno));
-
- errno = xerrno;
-- return -1;
-+ return -1;
- }
- link_path[len] = '\0';
-
-@@ -471,10 +471,37 @@ static int copy_paths(pool *p, const cha
- return 0;
- }
-
-+/* Configuration handlers
-+ */
-+
-+/* usage: CopyEngine on|off */
-+MODRET set_copyengine(cmd_rec *cmd) {
-+ int engine = -1;
-+ config_rec *c;
-+
-+ CHECK_ARGS(cmd, 1);
-+ CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL);
-+
-+ engine = get_boolean(cmd, 1);
-+ if (engine == -1) {
-+ CONF_ERROR(cmd, "expected Boolean parameter");
-+ }
-+
-+ c = add_config_param(cmd->argv[0], 1, NULL);
-+ c->argv[0] = palloc(c->pool, sizeof(int));
-+ *((int *) c->argv[0]) = engine;
-+
-+ return PR_HANDLED(cmd);
-+}
-+
- /* Command handlers
- */
-
- MODRET copy_copy(cmd_rec *cmd) {
-+ if (copy_engine == FALSE) {
-+ return PR_DECLINED(cmd);
-+ }
-+
- if (cmd->argc < 2) {
- return PR_DECLINED(cmd);
- }
-@@ -539,12 +566,26 @@ MODRET copy_cpfr(cmd_rec *cmd) {
- register unsigned int i;
- int res;
- char *path = "";
-+ unsigned char *authenticated = NULL;
-+
-+ if (copy_engine == FALSE) {
-+ return PR_DECLINED(cmd);
-+ }
-
- if (cmd->argc < 3 ||
- strncasecmp(cmd->argv[1], "CPFR", 5) != 0) {
- return PR_DECLINED(cmd);
- }
-
-+ authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
-+ if (authenticated == NULL ||
-+ *authenticated == FALSE) {
-+ pr_response_add_err(R_530, _("Please login with USER and PASS"));
-+
-+ errno = EPERM;
-+ return PR_ERROR(cmd);
-+ }
-+
- CHECK_CMD_MIN_ARGS(cmd, 3);
-
- /* Construct the target file name by concatenating all the parameters after
-@@ -594,12 +635,26 @@ MODRET copy_cpfr(cmd_rec *cmd) {
- MODRET copy_cpto(cmd_rec *cmd) {
- register unsigned int i;
- char *from, *to = "";
-+ unsigned char *authenticated = NULL;
-+
-+ if (copy_engine == FALSE) {
-+ return PR_DECLINED(cmd);
-+ }
-
- if (cmd->argc < 3 ||
- strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
- return PR_DECLINED(cmd);
- }
-
-+ authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
-+ if (authenticated == NULL ||
-+ *authenticated == FALSE) {
-+ pr_response_add_err(R_530, _("Please login with USER and PASS"));
-+
-+ errno = EPERM;
-+ return PR_ERROR(cmd);
-+ }
-+
- CHECK_CMD_MIN_ARGS(cmd, 3);
-
- from = pr_table_get(session.notes, "mod_copy.cpfr-path", NULL);
-@@ -632,6 +687,10 @@ MODRET copy_cpto(cmd_rec *cmd) {
- }
-
- MODRET copy_log_site(cmd_rec *cmd) {
-+ if (copy_engine == FALSE) {
-+ return PR_DECLINED(cmd);
-+ }
-+
- if (cmd->argc < 3 ||
- strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
- return PR_DECLINED(cmd);
-@@ -643,23 +702,58 @@ MODRET copy_log_site(cmd_rec *cmd) {
- return PR_DECLINED(cmd);
- }
-
-+MODRET copy_post_pass(cmd_rec *cmd) {
-+ config_rec *c;
-+
-+ if (copy_engine == FALSE) {
-+ return PR_DECLINED(cmd);
-+ }
-+
-+ /* The CopyEngine directive may have been changed for this user by
-+ * e.g. mod_ifsession, thus we check again.
-+ */
-+ c = find_config(main_server->conf, CONF_PARAM, "CopyEngine", FALSE);
-+ if (c != NULL) {
-+ copy_engine = *((int *) c->argv[0]);
-+ }
-+
-+ return PR_DECLINED(cmd);
-+}
-+
- /* Initialization functions
- */
-
- static int copy_sess_init(void) {
-+ config_rec *c;
-+
-+ c = find_config(main_server->conf, CONF_PARAM, "CopyEngine", FALSE);
-+ if (c != NULL) {
-+ copy_engine = *((int *) c->argv[0]);
-+ }
-+
-+ if (copy_engine == FALSE) {
-+ return 0;
-+ }
-+
- /* Advertise support for the SITE command */
- pr_feat_add("SITE COPY");
--
- return 0;
- }
-
- /* Module API tables
- */
-
-+static conftable copy_conftab[] = {
-+ { "CopyEngine", set_copyengine, NULL },
-+
-+ { NULL }
-+};
-+
- static cmdtable copy_cmdtab[] = {
- { CMD, C_SITE, G_WRITE, copy_copy, FALSE, FALSE, CL_MISC },
- { CMD, C_SITE, G_DIRS, copy_cpfr, FALSE, FALSE, CL_MISC },
- { CMD, C_SITE, G_WRITE, copy_cpto, FALSE, FALSE, CL_MISC },
-+ { POST_CMD, C_PASS, G_NONE, copy_post_pass, FALSE, FALSE },
- { LOG_CMD, C_SITE, G_NONE, copy_log_site, FALSE, FALSE },
- { LOG_CMD_ERR, C_SITE, G_NONE, copy_log_site, FALSE, FALSE },
-
-@@ -676,7 +770,7 @@ module copy_module = {
- "copy",
-
- /* Module configuration handler table */
-- NULL,
-+ copy_conftab,
-
- /* Module command handler table */
- copy_cmdtab,
-Index: proftpd-dfsg/doc/contrib/mod_copy.html
-===================================================================
---- proftpd-dfsg.orig/doc/contrib/mod_copy.html
-+++ proftpd-dfsg/doc/contrib/mod_copy.html
-@@ -1,5 +1,5 @@
--<!-- $Id: mod_copy.html,v 1.1 2010/03/10 19:20:43 castaglia Exp $ -->
--<!-- $Source: /cvsroot/proftp/proftpd/doc/contrib/mod_copy.html,v $ -->
-+<!-- $Id: mod_copy.html,v 1.1 2010-03-10 19:20:43 castaglia Exp $ -->
-+<!-- $Source: /home/proftpd-core/backup/proftp-cvsroot/proftpd/doc/contrib/mod_copy.html,v $ -->
-
- <html>
- <head>
-@@ -27,22 +27,40 @@ ProFTPD 1.3.<i>x</i>, and is not compile
- instructions are discussed <a href="#Installation">here</a>.
-
- <p>
--The most current version of <code>mod_copy</code> can be found at:
--<pre>
-- <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a>
--</pre>
-+The most current version of <code>mod_copy</code> is distributed with the
-+ProFTPD source code.
-
- <h2>Author</h2>
- <p>
- Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any
- questions, concerns, or suggestions regarding this module.
-
-+<h2>Directives</h2>
-+<ul>
-+ <li><a href="#CopyEngine">CopyEngine</a>
-+</ul>
-+
- <h2><code>SITE</code> Commands</h2>
- <ul>
- <li><a href="#SITE_CPFR">SITE CPFR</a>
- <li><a href="#SITE_CPTO">SITE CPTO</a>
- </ul>
-
-+<p>
-+<hr>
-+<h2><a name="CopyEngine">CopyEngine</a></h2>
-+<strong>Syntax:</strong> CopyEngine <em>on|off</em><br>
-+<strong>Default:</strong> CopyEngine on<br>
-+<strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br>
-+<strong>Module:</strong> mod_radius<br>
-+<strong>Compatibility:</strong> 1.3.6rc1 and later
-+
-+<p>
-+The <code>CopyEngine</code> directive enables or disables the module's
-+handling of <code>SITE COPY</code> <i>et al</i> commands. If it is set to
-+<em>off</em> this module ignores these commands.
-+
-+<p>
- <hr>
- <h2><a name="SITE_CPFR">SITE CPFR</a></h2>
- This <code>SITE</code> command specifies the source file/directory to use
-@@ -118,13 +136,8 @@ your existing server:
- <p>
- <hr><br>
-
--Author: <i>$Author: castaglia $</i><br>
--Last Updated: <i>$Date: 2010/03/10 19:20:43 $</i><br>
--
--<br><hr>
--
- <font size=2><b><i>
--© Copyright 2009-2010 TJ Saunders<br>
-+© Copyright 2009-2015 TJ Saunders<br>
- All Rights Reserved<br>
- </i></b></font>
-
-Index: proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-===================================================================
---- proftpd-dfsg.orig/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-+++ proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
-@@ -21,6 +21,11 @@ my $TESTS = {
- test_class => [qw(forking)],
- },
-
-+ copy_file_no_login => {
-+ order => ++$order,
-+ test_class => [qw(bug forking)],
-+ },
-+
- copy_dir => {
- order => ++$order,
- test_class => [qw(forking)],
-@@ -86,6 +91,11 @@ my $TESTS = {
- test_class => [qw(forking)],
- },
-
-+ copy_cpfr_cpto_no_login => {
-+ order => ++$order,
-+ test_class => [qw(bug forking)],
-+ },
-+
- copy_cpto_no_cpfr => {
- order => ++$order,
- test_class => [qw(forking)],
-@@ -263,6 +273,137 @@ sub copy_file {
- unlink($log_file);
- }
-
-+sub copy_file_no_login {
-+ my $self = shift;
-+ my $tmpdir = $self->{tmpdir};
-+
-+ my $config_file = "$tmpdir/copy.conf";
-+ my $pid_file = File::Spec->rel2abs("$tmpdir/copy.pid");
-+ my $scoreboard_file = File::Spec->rel2abs("$tmpdir/copy.scoreboard");
-+
-+ my $log_file = File::Spec->rel2abs('tests.log');
-+
-+ my $auth_user_file = File::Spec->rel2abs("$tmpdir/copy.passwd");
-+ my $auth_group_file = File::Spec->rel2abs("$tmpdir/copy.group");
-+
-+ my $user = 'proftpd';
-+ my $passwd = 'test';
-+ my $group = 'ftpd';
-+ my $home_dir = File::Spec->rel2abs($tmpdir);
-+ my $uid = 500;
-+ my $gid = 500;
-+
-+ # Make sure that, if we're running as root, that the home directory has
-+ # permissions/privs set for the account we create
-+ if ($< == 0) {
-+ unless (chmod(0755, $home_dir)) {
-+ die("Can't set perms on $home_dir to 0755: $!");
-+ }
-+
-+ unless (chown($uid, $gid, $home_dir)) {
-+ die("Can't set owner of $home_dir to $uid/$gid: $!");
-+ }
-+ }
-+
-+ auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir,
-+ '/bin/bash');
-+ auth_group_write($auth_group_file, $group, $gid, $user);
-+
-+ my $src_file = File::Spec->rel2abs("$home_dir/foo.txt");
-+ if (open(my $fh, "> $src_file")) {
-+ print $fh "Hello, World!\n";
-+
-+ unless (close($fh)) {
-+ die("Can't write $src_file: $!");
-+ }
-+
-+ } else {
-+ die("Can't open $src_file: $!");
-+ }
-+
-+ my $dst_file = File::Spec->rel2abs("$home_dir/bar.txt");
-+
-+ my $config = {
-+ PidFile => $pid_file,
-+ ScoreboardFile => $scoreboard_file,
-+ SystemLog => $log_file,
-+
-+ AuthUserFile => $auth_user_file,
-+ AuthGroupFile => $auth_group_file,
-+
-+ IfModules => {
-+ 'mod_delay.c' => {
-+ DelayEngine => 'off',
-+ },
-+ },
-+ };
-+
-+ my ($port, $config_user, $config_group) = config_write($config_file, $config);
-+
-+ # Open pipes, for use between the parent and child processes. Specifically,
-+ # the child will indicate when it's done with its test by writing a message
-+ # to the parent.
-+ my ($rfh, $wfh);
-+ unless (pipe($rfh, $wfh)) {
-+ die("Can't open pipe: $!");
-+ }
-+
-+ my $ex;
-+
-+ # Fork child
-+ $self->handle_sigchld();
-+ defined(my $pid = fork()) or die("Can't fork: $!");
-+ if ($pid) {
-+ eval {
-+ my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
-+
-+ eval { $client->site('COPY', 'foo.txt', 'bar.txt') };
-+ unless ($@) {
-+ die("SITE COPY succeeded unexpectedly");
-+ }
-+
-+ my $resp_code = $client->response_code();
-+ my $resp_msg = $client->response_msg();
-+
-+ my $expected;
-+ $expected = 530;
-+ $self->assert($expected == $resp_code,
-+ test_msg("Expected response code $expected, got $resp_code"));
-+
-+ $expected = "Please login with USER and PASS";
-+ $self->assert($expected eq $resp_msg,
-+ test_msg("Expected response message '$expected', got '$resp_msg'"));
-+ };
-+
-+ if ($@) {
-+ $ex = $@;
-+ }
-+
-+ $wfh->print("done\n");
-+ $wfh->flush();
-+
-+ } else {
-+ eval { server_wait($config_file, $rfh) };
-+ if ($@) {
-+ warn($@);
-+ exit 1;
-+ }
-+
-+ exit 0;
-+ }
-+
-+ # Stop server
-+ server_stop($pid_file);
-+
-+ $self->assert_child_ok($pid);
-+
-+ if ($ex) {
-+ die($ex);
-+ }
-+
-+ unlink($log_file);
-+}
-+
- sub copy_dir {
- my $self = shift;
- my $tmpdir = $self->{tmpdir};
-@@ -2578,6 +2719,153 @@ sub copy_cpfr_cpto {
- };
-
- if ($@) {
-+ $ex = $@;
-+ }
-+
-+ $wfh->print("done\n");
-+ $wfh->flush();
-+
-+ } else {
-+ eval { server_wait($config_file, $rfh) };
-+ if ($@) {
-+ warn($@);
-+ exit 1;
-+ }
-+
-+ exit 0;
-+ }
-+
-+ # Stop server
-+ server_stop($pid_file);
-+
-+ $self->assert_child_ok($pid);
-+
-+ if ($ex) {
-+ die($ex);
-+ }
-+
-+ unlink($log_file);
-+}
-+
-+sub copy_cpfr_cpto_no_login {
-+ my $self = shift;
-+ my $tmpdir = $self->{tmpdir};
-+
-+ my $config_file = "$tmpdir/copy.conf";
-+ my $pid_file = File::Spec->rel2abs("$tmpdir/copy.pid");
-+ my $scoreboard_file = File::Spec->rel2abs("$tmpdir/copy.scoreboard");
-+
-+ my $log_file = File::Spec->rel2abs('tests.log');
-+
-+ my $auth_user_file = File::Spec->rel2abs("$tmpdir/copy.passwd");
-+ my $auth_group_file = File::Spec->rel2abs("$tmpdir/copy.group");
-+
-+ my $user = 'proftpd';
-+ my $passwd = 'test';
-+ my $group = 'ftpd';
-+ my $home_dir = File::Spec->rel2abs($tmpdir);
-+ my $uid = 500;
-+ my $gid = 500;
-+
-+ # Make sure that, if we're running as root, that the home directory has
-+ # permissions/privs set for the account we create
-+ if ($< == 0) {
-+ unless (chmod(0755, $home_dir)) {
-+ die("Can't set perms on $home_dir to 0755: $!");
-+ }
-+
-+ unless (chown($uid, $gid, $home_dir)) {
-+ die("Can't set owner of $home_dir to $uid/$gid: $!");
-+ }
-+ }
-+
-+ auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir,
-+ '/bin/bash');
-+ auth_group_write($auth_group_file, $group, $gid, $user);
-+
-+ my $src_file = File::Spec->rel2abs("$home_dir/foo.txt");
-+ if (open(my $fh, "> $src_file")) {
-+ print $fh "Hello, World!\n";
-+
-+ unless (close($fh)) {
-+ die("Can't write $src_file: $!");
-+ }
-+
-+ } else {
-+ die("Can't open $src_file: $!");
-+ }
-+
-+ my $dst_file = File::Spec->rel2abs("$home_dir/bar.txt");
-+
-+ my $config = {
-+ PidFile => $pid_file,
-+ ScoreboardFile => $scoreboard_file,
-+ SystemLog => $log_file,
-+
-+ AuthUserFile => $auth_user_file,
-+ AuthGroupFile => $auth_group_file,
-+
-+ IfModules => {
-+ 'mod_delay.c' => {
-+ DelayEngine => 'off',
-+ },
-+ },
-+ };
-+
-+ my ($port, $config_user, $config_group) = config_write($config_file, $config);
-+
-+ # Open pipes, for use between the parent and child processes. Specifically,
-+ # the child will indicate when it's done with its test by writing a message
-+ # to the parent.
-+ my ($rfh, $wfh);
-+ unless (pipe($rfh, $wfh)) {
-+ die("Can't open pipe: $!");
-+ }
-+
-+ my $ex;
-+
-+ # Fork child
-+ $self->handle_sigchld();
-+ defined(my $pid = fork()) or die("Can't fork: $!");
-+ if ($pid) {
-+ eval {
-+ my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
-+
-+ eval { $client->site('CPFR', 'foo.txt') };
-+ unless ($@) {
-+ die("SITE CPFR succeeded unexpectedly");
-+ }
-+
-+ my $resp_code = $client->response_code();
-+ my $resp_msg = $client->response_msg();
-+
-+ my $expected;
-+ $expected = 530;
-+ $self->assert($expected == $resp_code,
-+ test_msg("Expected response code $expected, got $resp_code"));
-+
-+ $expected = "Please login with USER and PASS";
-+ $self->assert($expected eq $resp_msg,
-+ test_msg("Expected response message '$expected', got '$resp_msg'"));
-+
-+ eval { $client->site('CPTO', 'bar.txt') };
-+ unless ($@) {
-+ die("SITE CPTO succeeded unexpectedly");
-+ }
-+
-+ $resp_code = $client->response_code();
-+ $resp_msg = $client->response_msg();
-+
-+ $expected = 530;
-+ $self->assert($expected == $resp_code,
-+ test_msg("Expected response code $expected, got $resp_code"));
-+
-+ $expected = "Please login with USER and PASS";
-+ $self->assert($expected eq $resp_msg,
-+ test_msg("Expected response message '$expected', got '$resp_msg'"));
-+ };
-+
-+ if ($@) {
- $ex = $@;
- }
-
diff --git a/debian/patches/large_files_SFTP b/debian/patches/large_files_SFTP
deleted file mode 100644
index e6d49bc..0000000
--- a/debian/patches/large_files_SFTP
+++ /dev/null
@@ -1,389 +0,0 @@
-Description: Unable to transfer large files (more than 1 GB) with SFTP module.
-Author: proftpd upstream
-Forwarded: bug #4097, fixed in 1.3.5.b.
-Bug-Debian: http://bugs.debian.org/809068
-
-Index: proftpd-dfsg/contrib/mod_sftp/kex.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_sftp/kex.c 2016-08-25 12:25:34.000000000 +0200
-+++ proftpd-dfsg/contrib/mod_sftp/kex.c 2016-09-04 15:06:00.000000000 +0200
-@@ -39,8 +39,6 @@
- #include "interop.h"
- #include "tap.h"
-
--#define SFTP_DH_PRIV_KEY_RANDOM_BITS 2048
--
- extern module sftp_module;
-
- /* For managing the kexinit process */
-@@ -621,8 +619,94 @@
- return 0;
- }
-
-+static int get_dh_nbits(struct sftp_kex *kex) {
-+ int dh_nbits = 0, dh_size = 0;
-+ const char *algo;
-+ const EVP_CIPHER *cipher;
-+ const EVP_MD *digest;
-+
-+ algo = kex->session_names->c2s_encrypt_algo;
-+ cipher = sftp_crypto_get_cipher(algo, NULL, NULL);
-+ if (cipher != NULL) {
-+ int block_size, key_len;
-+
-+ key_len = EVP_CIPHER_key_length(cipher);
-+ if (dh_size < key_len) {
-+ dh_size = key_len;
-+ pr_trace_msg(trace_channel, 19,
-+ "set DH size to %d bytes, matching client-to-server '%s' cipher "
-+ "key length", dh_size, algo);
-+ }
-+
-+ block_size = EVP_CIPHER_block_size(cipher);
-+ if (dh_size < block_size) {
-+ dh_size = block_size;
-+ pr_trace_msg(trace_channel, 19,
-+ "set DH size to %d bytes, matching client-to-server '%s' cipher "
-+ "block size", dh_size, algo);
-+ }
-+ }
-+
-+ algo = kex->session_names->s2c_encrypt_algo;
-+ cipher = sftp_crypto_get_cipher(algo, NULL, NULL);
-+ if (cipher != NULL) {
-+ int block_size, key_len;
-+
-+ key_len = EVP_CIPHER_key_length(cipher);
-+ if (dh_size < key_len) {
-+ dh_size = key_len;
-+ pr_trace_msg(trace_channel, 19,
-+ "set DH size to %d bytes, matching server-to-client '%s' cipher "
-+ "key length", dh_size, algo);
-+ }
-+
-+ block_size = EVP_CIPHER_block_size(cipher);
-+ if (dh_size < block_size) {
-+ dh_size = block_size;
-+ pr_trace_msg(trace_channel, 19,
-+ "set DH size to %d bytes, matching server-to-client '%s' cipher "
-+ "block size", dh_size, algo);
-+ }
-+ }
-+
-+ algo = kex->session_names->c2s_mac_algo;
-+ digest = sftp_crypto_get_digest(algo, NULL);
-+ if (digest != NULL) {
-+ int mac_len;
-+
-+ mac_len = EVP_MD_size(digest);
-+ if (dh_size < mac_len) {
-+ dh_size = mac_len;
-+ pr_trace_msg(trace_channel, 19,
-+ "set DH size to %d bytes, matching client-to-server '%s' digest size",
-+ dh_size, algo);
-+ }
-+ }
-+
-+ algo = kex->session_names->s2c_mac_algo;
-+ digest = sftp_crypto_get_digest(algo, NULL);
-+ if (digest != NULL) {
-+ int mac_len;
-+
-+ mac_len = EVP_MD_size(digest);
-+ if (dh_size < mac_len) {
-+ dh_size = mac_len;
-+ pr_trace_msg(trace_channel, 19,
-+ "set DH size to %d bytes, matching server-to-client '%s' digest size",
-+ dh_size, algo);
-+ }
-+ }
-+
-+ /* We want to return bits, not bytes. */
-+ dh_nbits = dh_size * 8;
-+
-+ pr_trace_msg(trace_channel, 8, "requesting DH size of %d bits", dh_nbits);
-+ return dh_nbits;
-+}
-+
- static int create_dh(struct sftp_kex *kex, int type) {
- unsigned int attempts = 0;
-+ int dh_nbits;
- DH *dh;
-
- if (type != SFTP_DH_GROUP1_SHA1 &&
-@@ -656,6 +740,8 @@
- kex->dh = NULL;
- }
-
-+ dh_nbits = get_dh_nbits(kex);
-+
- /* We have 10 attempts to make a DH key which passes muster. */
- while (attempts <= 10) {
- pr_signals_handle();
-@@ -665,7 +751,7 @@
- attempts);
-
- dh = DH_new();
-- if (!dh) {
-+ if (dh == NULL) {
- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
- "error creating DH: %s", sftp_crypto_get_errors());
- return -1;
-@@ -699,10 +785,11 @@
- return -1;
- }
-
-- if (!BN_rand(dh->priv_key, SFTP_DH_PRIV_KEY_RANDOM_BITS, 0, 0)) {
-+ /* Generate a random private exponent of the desired size, in bits. */
-+ if (!BN_rand(dh->priv_key, dh_nbits, 0, 0)) {
- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-- "error generating DH random key (%d bytes): %s",
-- SFTP_DH_PRIV_KEY_RANDOM_BITS, sftp_crypto_get_errors());
-+ "error generating DH random key (%d bits): %s", dh_nbits,
-+ sftp_crypto_get_errors());
- DH_free(dh);
- return -1;
- }
-@@ -787,6 +874,9 @@
-
- static int finish_dh(struct sftp_kex *kex) {
- unsigned int attempts = 0;
-+ int dh_nbits;
-+
-+ dh_nbits = get_dh_nbits(kex);
-
- /* We have 10 attempts to make a DH key which passes muster. */
- while (attempts <= 10) {
-@@ -797,11 +887,12 @@
- attempts);
-
- kex->dh->priv_key = BN_new();
--
-- if (!BN_rand(kex->dh->priv_key, SFTP_DH_PRIV_KEY_RANDOM_BITS, 0, 0)) {
-+
-+ /* Generate a random private exponent of the desired size, in bits. */
-+ if (!BN_rand(kex->dh->priv_key, dh_nbits, 0, 0)) {
- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-- "error generating DH random key (%d bytes): %s",
-- SFTP_DH_PRIV_KEY_RANDOM_BITS, sftp_crypto_get_errors());
-+ "error generating DH random key (%d bits): %s", dh_nbits,
-+ sftp_crypto_get_errors());
- return -1;
- }
-
-@@ -1514,77 +1605,71 @@
- }
-
- static int setup_c2s_encrypt_algo(struct sftp_kex *kex, const char *algo) {
-- (void) kex;
--
-- if (sftp_cipher_set_read_algo(algo) < 0)
-+ if (sftp_cipher_set_read_algo(algo) < 0) {
- return -1;
-+ }
-
-+ kex->session_names->c2s_encrypt_algo = algo;
- return 0;
- }
-
- static int setup_s2c_encrypt_algo(struct sftp_kex *kex, const char *algo) {
-- (void) kex;
--
-- if (sftp_cipher_set_write_algo(algo) < 0)
-+ if (sftp_cipher_set_write_algo(algo) < 0) {
- return -1;
-+ }
-
-+ kex->session_names->s2c_encrypt_algo = algo;
- return 0;
- }
-
- static int setup_c2s_mac_algo(struct sftp_kex *kex, const char *algo) {
-- (void) kex;
--
-- if (sftp_mac_set_read_algo(algo) < 0)
-+ if (sftp_mac_set_read_algo(algo) < 0) {
- return -1;
-+ }
-
-+ kex->session_names->c2s_mac_algo = algo;
- return 0;
- }
-
- static int setup_s2c_mac_algo(struct sftp_kex *kex, const char *algo) {
-- (void) kex;
--
-- if (sftp_mac_set_write_algo(algo) < 0)
-+ if (sftp_mac_set_write_algo(algo) < 0) {
- return -1;
-+ }
-
-+ kex->session_names->s2c_mac_algo = algo;
- return 0;
- }
-
- static int setup_c2s_comp_algo(struct sftp_kex *kex, const char *algo) {
-- (void) kex;
--
-- if (sftp_compress_set_read_algo(algo) < 0)
-+ if (sftp_compress_set_read_algo(algo) < 0) {
- return -1;
-+ }
-
-+ kex->session_names->c2s_comp_algo = algo;
- return 0;
- }
-
- static int setup_s2c_comp_algo(struct sftp_kex *kex, const char *algo) {
-- (void) kex;
--
-- if (sftp_compress_set_write_algo(algo) < 0)
-+ if (sftp_compress_set_write_algo(algo) < 0) {
- return -1;
-+ }
-
-+ kex->session_names->s2c_comp_algo = algo;
- return 0;
- }
-
- static int setup_c2s_lang(struct sftp_kex *kex, const char *lang) {
-- (void) kex;
--
-- /* XXX Need to implement the functionality here. */
--
-+ kex->session_names->c2s_lang = lang;
- return 0;
- }
-
- static int setup_s2c_lang(struct sftp_kex *kex, const char *lang) {
-- (void) kex;
--
-- /* XXX Need to implement the functionality here. */
--
-+ kex->session_names->s2c_lang = lang;
- return 0;
- }
-
- static int get_session_names(struct sftp_kex *kex, int *correct_guess) {
-- const char *shared, *client_list, *server_list;
-+ const char *kex_algo, *shared, *client_list, *server_list;
- const char *client_pref, *server_pref;
- pool *tmp_pool;
-
-@@ -1624,17 +1709,16 @@
- }
- }
-
-- shared = get_shared_name(kex_pool, client_list, server_list);
-- if (shared) {
-- if (setup_kex_algo(kex, shared) < 0) {
-- destroy_pool(tmp_pool);
-- return -1;
-- }
--
-+ kex_algo = get_shared_name(kex_pool, client_list, server_list);
-+ if (kex_algo != NULL) {
-+ /* Unlike the following algorithms, we wait to setup the chosen kex algo
-+ * until the end. Why? The kex algo setup may require knowledge of the
-+ * ciphers chosen for encryption, MAC, etc (Bug#4097).
-+ */
- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-- " + Session key exchange: %s", shared);
-+ " + Session key exchange: %s", kex_algo);
- pr_trace_msg(trace_channel, 20, "session key exchange algorithm: %s",
-- shared);
-+ kex_algo);
-
- } else {
- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-@@ -1902,6 +1986,14 @@
- #endif
- }
-
-+ /* Now that we've finished setting up the other bits, we can set up the
-+ * kex algo.
-+ */
-+ if (setup_kex_algo(kex, kex_algo) < 0) {
-+ destroy_pool(tmp_pool);
-+ return -1;
-+ }
-+
- destroy_pool(tmp_pool);
- return 0;
- }
-Index: proftpd-dfsg/contrib/mod_sftp/keys.c
-===================================================================
---- proftpd-dfsg.orig/contrib/mod_sftp/keys.c 2016-08-25 12:25:34.000000000 +0200
-+++ proftpd-dfsg/contrib/mod_sftp/keys.c 2016-09-04 15:06:00.000000000 +0200
-@@ -36,6 +36,7 @@
- extern xaset_t *server_list;
- extern module sftp_module;
-
-+/* Note: Should this size be made bigger, in light of larger hostkeys? */
- #define SFTP_DEFAULT_HOSTKEY_SZ 4096
- #define SFTP_MAX_SIG_SZ 4096
-
-@@ -2028,7 +2029,7 @@
- }
-
- /* XXX Is this buffer large enough? Too large? */
-- ptr = buf = sftp_msg_getbuf(p, buflen);
-+ ptr = buf = palloc(p, buflen);
- sftp_msg_write_string(&buf, &buflen, "ssh-rsa");
- sftp_msg_write_mpint(&buf, &buflen, rsa->e);
- sftp_msg_write_mpint(&buf, &buflen, rsa->n);
-@@ -2048,7 +2049,7 @@
- }
-
- /* XXX Is this buffer large enough? Too large? */
-- ptr = buf = sftp_msg_getbuf(p, buflen);
-+ ptr = buf = palloc(p, buflen);
- sftp_msg_write_string(&buf, &buflen, "ssh-dss");
- sftp_msg_write_mpint(&buf, &buflen, dsa->p);
- sftp_msg_write_mpint(&buf, &buflen, dsa->q);
-@@ -2071,8 +2072,7 @@
- }
-
- /* XXX Is this buffer large enough? Too large? */
-- ptr = buf = sftp_msg_getbuf(p, buflen);
--
-+ ptr = buf = palloc(p, buflen);
- sftp_msg_write_string(&buf, &buflen, "ecdsa-sha2-nistp256");
- sftp_msg_write_string(&buf, &buflen, "nistp256");
- sftp_msg_write_ecpoint(&buf, &buflen, EC_KEY_get0_group(ec),
-@@ -2093,8 +2093,7 @@
- }
-
- /* XXX Is this buffer large enough? Too large? */
-- ptr = buf = sftp_msg_getbuf(p, buflen);
--
-+ ptr = buf = palloc(p, buflen);
- sftp_msg_write_string(&buf, &buflen, "ecdsa-sha2-nistp384");
- sftp_msg_write_string(&buf, &buflen, "nistp384");
- sftp_msg_write_ecpoint(&buf, &buflen, EC_KEY_get0_group(ec),
-@@ -2115,8 +2114,7 @@
- }
-
- /* XXX Is this buffer large enough? Too large? */
-- ptr = buf = sftp_msg_getbuf(p, buflen);
--
-+ ptr = buf = palloc(p, buflen);
- sftp_msg_write_string(&buf, &buflen, "ecdsa-sha2-nistp521");
- sftp_msg_write_string(&buf, &buflen, "nistp521");
- sftp_msg_write_ecpoint(&buf, &buflen, EC_KEY_get0_group(ec),
-@@ -2137,8 +2135,14 @@
- *datalen = SFTP_DEFAULT_HOSTKEY_SZ - buflen;
-
- /* If the caller provided a pool, make a copy of the data from the
-- * given pool, and return the copy. Make sure the scrub the original
-+ * given pool, and return the copy. Make sure to scrub the original
- * after making the copy.
-+ *
-+ * Note that we do this copy, even though we use the given pool, since
-+ * we only know the actual size of the data after the fact. And we need
-+ * to provide the size of the data to the caller, NOT the optimistic size
-+ * we allocate out of the pool for writing the data in the first place.
-+ * Hence the copy.
- */
- if (p) {
- buf = palloc(p, *datalen);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-proftpd/proftpd-dfsg.git
More information about the Pkg-proftpd-maintainers
mailing list