From e2347b769edfe9c3f63a30981432a4dc4cbe40c3 Mon Sep 17 00:00:00 2001
From: tomatosoup
Date: Sat, 1 Aug 2015 11:28:08 +0200
Subject: [PATCH] vsftpd 3.0.3
---
 release/src/router/Makefile | 2 +-
 release/src/router/vsftpd/Changelog | 32 ++++++++++++++++++++++++++++++
 release/src/router/vsftpd/Makefile | 2 +-
 release/src/router/vsftpd/README | 2 +-
 release/src/router/vsftpd/defs.h | 2 +-
 release/src/router/vsftpd/ftpdataio.c | 10 ++++------
 release/src/router/vsftpd/postlogin.c | 13 ++++++++++--
 release/src/router/vsftpd/seccompsandbox.c | 22 ++++++++++++++++++++
 release/src/router/vsftpd/ssl.c | 32 ++++++++++++++++++++++++++++--
 release/src/router/vsftpd/tunables.c | 4 ++--
 release/src/router/vsftpd/twoprocess.c | 7 -------
 release/src/router/vsftpd/vsftpver.h | 2 +-
 12 files changed, 106 insertions(+), 24 deletions(-)
diff --git a/release/src/router/Makefile b/release/src/router/Makefile
index 3bfd96991d..5fce920583 100644
--- a/release/src/router/Makefile
+++ b/release/src/router/Makefile
@@ -753,7 +753,7 @@ openssl/stamp-h1:
 shared $(OPENSSL_CIPHERS) no-ssl2 no-ssl3 \
 no-sha0 no-smime no-camellia no-krb5 no-rmd160 no-ripemd \
 no-seed no-capieng no-gms no-gmp no-rfc3779 \
- no-ec no-ecdh no-ecdsa no-err no-hw no-jpake \
+ no-err no-hw no-jpake \
 no-zlib no-engines no-sse2 no-libunbound no-ssl-trace \
 no-dtls1 no-store no-psk no-md2 no-mdc2 no-ts
diff --git a/release/src/router/vsftpd/Changelog b/release/src/router/vsftpd/Changelog
index 9bf8fdb338..bdd04fe27b 100644
--- a/release/src/router/vsftpd/Changelog
+++ b/release/src/router/vsftpd/Changelog
@@ -1343,3 +1343,35 @@ At this point: v3.0.1 released!
 At this point: v3.0.2 released!
 ===============================
+
+- Increase VSFTP_AS_LIMIT to 200MB; various reports.
+- Make the PWD response more RFC compliant; report from Barry Kelly
+.
+- Remove the trailing period from EPSV response to work around BT Internet
+issues; report from Tim Bishop .
+- Fix syslog_enable issues vs. seccomp filtering. Report from Michal Vyskocil
+. At least, syslogging seems to work on my Fedora now.
+- Allow gettimeofday() in the seccomp sandbox. I can't repro failures, but I
+probably have a different distro / libc / etc. and there are multiple reports.
+- Some kernels support PR_SET_NO_NEW_PRIVS but not PR_SET_SECCOMP, so handle
+this case gracefully. Report from Vasily Averin .
+- List the TLS1.2 cipher AES128-GCM-SHA256 as first preference by default.
+- Make some compile-time SSL defaults (such as correct client shutdown
+handling) stricter.
+- Disable Nagle algorithm during SSL data connection shutdown, to avoid 200ms
+delays. From Tim Kosse .
+- Kill the FTP session if we see HTTP protocol commands, to avoid
+cross-protocol attacks. A report from Jann Horn .
+- Kill the FTP session if we see session re-use failure. A report from
+Tim Kosse .
+(vsftpd-3.0.3pre1)
+- Enable ECDHE, Tim Kosse .
+- Default cipher list is now just ECDHE-RSA-AES256-GCM-SHA384.
+- Minor SSL logging improvements.
+- Un-default tunable_strict_ssl_write_shutdown again. We still have
+tunable_strict_ssl_read_eof defaulted now, which is the important one to prove
+upload integrity.
+(vsftpd-3.0.3pre2)
+
+At this point: v3.0.3 released!
+===============================
diff --git a/release/src/router/vsftpd/Makefile b/release/src/router/vsftpd/Makefile
index 1f262ddb8b..acd2b18bb4 100644
--- a/release/src/router/vsftpd/Makefile
+++ b/release/src/router/vsftpd/Makefile
@@ -38,7 +38,7 @@ OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
 $(CC) -c $*.c $(CFLAGS) $(IFLAGS)
 vsftpd: $(OBJS)
- $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)
+ $(CC) -o vsftpd $(OBJS) $(LINK) $(LDFLAGS) $(LIBS)
 install:
 if [ -x /usr/local/sbin ]; then \
diff --git a/release/src/router/vsftpd/README b/release/src/router/vsftpd/README
index 01500cc7ef..86643c178e 100644
--- a/release/src/router/vsftpd/README
+++ b/release/src/router/vsftpd/README
@@ -1,4 +1,4 @@
-This is vsftpd, version 3.0.2
+This is vsftpd, version 3.0.3
 Author: Chris Evans
 Contact: scarybeasts@gmail.com
 Website: http://vsftpd.beasts.org/
diff --git a/release/src/router/vsftpd/defs.h b/release/src/router/vsftpd/defs.h
index f4fd11d3cc..0ff58646e5 100644
--- a/release/src/router/vsftpd/defs.h
+++ b/release/src/router/vsftpd/defs.h
@@ -19,7 +19,7 @@ /* Must be at least the size of VSFTP_MAX_COMMAND_LINE, VSFTP_DIR_BUFSIZE and VSFTP_DATA_BUFSIZE*2 */
 #define VSFTP_PRIVSOCK_MAXSTR VSFTP_DATA_BUFSIZE * 2
-#define VSFTP_AS_LIMIT 100UL * 1024 * 1024
+#define VSFTP_AS_LIMIT 200UL * 1024 * 1024
 #endif /* VSF_DEFS_H */
diff --git a/release/src/router/vsftpd/ftpdataio.c b/release/src/router/vsftpd/ftpdataio.c
index 43d777c88a..3e4e9c998b 100644
--- a/release/src/router/vsftpd/ftpdataio.c
+++ b/release/src/router/vsftpd/ftpdataio.c
@@ -181,15 +181,13 @@ vsf_ftpdataio_post_mark_connect(struct vsf_session* p_sess)
 }
 if (ret != 1)
 {
- static struct mystr s_err_msg;
- str_alloc_text(&s_err_msg, "SSL connection failed");
 if (tunable_require_ssl_reuse)
 {
- str_append_text(&s_err_msg, "; session reuse required");
- str_append_text(
- &s_err_msg, ": see require_ssl_reuse option in vsftpd.conf man page");
+ vsf_cmdio_write_exit(p_sess, FTP_DATATLSBAD,
+ "SSL connection failed: session reuse required", 1);
+ } else {
+ vsf_cmdio_write(p_sess, FTP_DATATLSBAD, "SSL connection failed");
 }
- vsf_cmdio_write_str(p_sess, FTP_DATATLSBAD, &s_err_msg);
 }
 return ret;
 }
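Review bot: The reuse-required exit message no longer names the option that controls it; the removed text pointed at require_ssl_reuse in the vsftpd.conf man page, and that pointer is what lets an operator tell a client that simply lacks TLS session reuse apart from a data connection arriving with a foreign session, now that the session is terminated either way. Suggest `"SSL connection failed: session reuse required (see require_ssl_reuse in vsftpd.conf)"`. Terminating rather than only reporting is the right outcome for this check; the trailing `1` passed to vsf_cmdio_write_exit is presumably an exit status, which cannot be confirmed from the hunk. vsf_ftpdataio_post_mark_connect begins outside the hunk.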
diff --git a/release/src/router/vsftpd/postlogin.c b/release/src/router/vsftpd/postlogin.c
index 8a8316407a..bf12970e72 100644
--- a/release/src/router/vsftpd/postlogin.c
+++ b/release/src/router/vsftpd/postlogin.c
@@ -439,6 +439,15 @@ process_post_login(struct vsf_session* p_sess)
 {
 /* Deliberately ignore to avoid NAT device bugs. ProFTPd does the same. */
 }
+ else if (str_equal_text(&p_sess->ftp_cmd_str, "GET") ||
+ str_equal_text(&p_sess->ftp_cmd_str, "POST") ||
+ str_equal_text(&p_sess->ftp_cmd_str, "HEAD") ||
+ str_equal_text(&p_sess->ftp_cmd_str, "OPTIONS") ||
+ str_equal_text(&p_sess->ftp_cmd_str, "CONNECT"))
+ {
+ vsf_cmdio_write_exit(p_sess, FTP_BADCMD,
+ "HTTP protocol commands not allowed.", 1);
+ }
 else
 {
 vsf_cmdio_write(p_sess, FTP_BADCMD, "Unknown command.");
@@ -466,7 +475,7 @@ handle_pwd(struct vsf_session* p_sess)
 /* Enclose pathname in quotes */
 str_alloc_text(&s_pwd_res_str, "\"");
 str_append_str(&s_pwd_res_str, &s_cwd_buf_mangle_str);
- str_append_text(&s_pwd_res_str, "\"");
+ str_append_text(&s_pwd_res_str, "\" is the current directory");
 vsf_cmdio_write_str(p_sess, FTP_PWDOK, &s_pwd_res_str);
 }
@@ -594,7 +603,7 @@ handle_pasv(struct vsf_session* p_sess, int is_epsv)
 {
 str_alloc_text(&s_pasv_res_str, "Entering Extended Passive Mode (|||");
 str_append_ulong(&s_pasv_res_str, (unsigned long) the_port);
- str_append_text(&s_pasv_res_str, "|).");
+ str_append_text(&s_pasv_res_str, "|)");
 vsf_cmdio_write_str(p_sess, FTP_EPSVOK, &s_pasv_res_str);
 return;
 }
diff --git a/release/src/router/vsftpd/seccompsandbox.c b/release/src/router/vsftpd/seccompsandbox.c
index 0543db010a..2c350a9a99 100644
--- a/release/src/router/vsftpd/seccompsandbox.c
+++ b/release/src/router/vsftpd/seccompsandbox.c
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include
 #include
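Review bot: The verb list that ends the session covers GET, POST, HEAD, OPTIONS and CONNECT, but PUT, DELETE, PATCH and TRACE still fall through to the generic `"Unknown command."` branch and the session continues, so the cross-protocol defence is only partial; adding those verbs to the same `else if` chain closes the gap with no other change. The match uses str_equal_text, which reads as an exact comparison, and whether the command has already been upper-cased by the time it reaches this chain is not visible in the hunk, so it is worth confirming that a lower-case request line cannot bypass the check. process_post_login starts and ends outside the hunk.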
@@ -300,6 +301,7 @@ seccomp_sandbox_setup_base()
 reject_nr(__NR_mremap, ENOSYS);
 /* Misc simple low-risk calls. */
+ allow_nr(__NR_gettimeofday); /* Used by logging. */
 allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
 allow_nr(__NR_restart_syscall);
 allow_nr(__NR_close);
@@ -352,6 +354,11 @@ seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
 if (tunable_ssl_enable)
 {
 allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+ allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
+ }
+ if (tunable_syslog_enable)
+ {
+ reject_nr(__NR_socket, EACCES);
 }
 }
@@ -441,6 +448,16 @@ seccomp_sandbox_setup_postlogin(const struct vsf_session* p_sess)
 }
 }
+ if (tunable_syslog_enable)
+ {
+ /* The ability to pass an address spec isn't needed so disable it. We ensure
+ * the 6th arg (socklen) is 0. We could have checked the 5th arg (sockptr)
+ * but I don't know if 64-bit compares work in the kernel filter, so we're
+ * happy to check the socklen arg, which is 32 bits.
+ */
+ allow_nr_1_arg_match(__NR_sendto, 6, 0);
+ }
+
 if (tunable_text_userdb_names)
 {
 reject_nr(__NR_socket, EACCES);
@@ -667,6 +684,11 @@ seccomp_sandbox_lockdown()
 ret = prctl(PR_SET_SECCOMP, 2, &prog, 0, 0);
 if (ret != 0)
 {
+ if (errno == EINVAL)
+ {
+ /* Kernel isn't good enough. */
+ return;
+ }
 die("prctl PR_SET_SECCOMP failed");
 }
 }
diff --git a/release/src/router/vsftpd/ssl.c b/release/src/router/vsftpd/ssl.c
index 000a3ac1d6..c60ef2a5c7 100644
--- a/release/src/router/vsftpd/ssl.c
+++ b/release/src/router/vsftpd/ssl.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -120,6 +121,15 @@ ssl_init(struct vsf_session* p_sess)
 {
 die("SSL: RNG is not seeded");
 }
+ {
+ EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ if (key == NULL)
+ {
+ die("SSL: failed to get curve p256");
+ }
+ SSL_CTX_set_tmp_ecdh(p_ctx, key);
+ EC_KEY_free(key);
+ }
 if (tunable_ssl_request_cert)
 {
 verify_option |= SSL_VERIFY_PEER;
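Review bot: The new `errno == EINVAL` branch in seccomp_sandbox_lockdown cannot tell "kernel has no filter mode" apart from "the BPF program in prog is invalid", since prctl(PR_SET_SECCOMP, 2, ...) reports both as EINVAL; a future bug in filter construction would therefore silently disable the sandbox instead of dying, and on an old kernel the session runs with no syscall filter and nothing records it. At minimum emit a log line before the `return;` so operators can detect the degraded state rather than infer it from the absence of a die(); which logging helper is usable here without a session pointer depends on what this file has in scope outside the hunk. I would also widen the comment to state what the fallback means: `/* No seccomp filter support (or rejected program): continue without the sandbox. */`.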
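Review bot: The return value of `SSL_CTX_set_tmp_ecdh(p_ctx, key)` in ssl_init is not checked; it yields 0 when the context rejects the key, and with the default cipher string now ECDHE-only (tunables.c hunk) a silent failure here leaves the server with no negotiable suite, which surfaces later as every handshake failing with no hint of the cause. Suggest `if (SSL_CTX_set_tmp_ecdh(p_ctx, key) != 1) { die("SSL: failed to set ECDH curve"); }` before EC_KEY_free(). If the OpenSSL this tree builds against is 1.0.2 or later, SSL_CTX_set_ecdh_auto(p_ctx, 1) would let the library select the curve instead of hard-coding P-256, but the library version is not visible here. ssl_init continues outside the hunk.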
@@ -275,8 +285,20 @@ ssl_read_common(struct vsf_session* p_sess,
 */
 if (retval == 0 && SSL_get_shutdown(p_ssl) != SSL_RECEIVED_SHUTDOWN)
 {
- str_alloc_text(&debug_str, "Connection terminated without SSL shutdown "
- "- buggy client?");
+ if (p_ssl == p_sess->p_control_ssl)
+ {
+ str_alloc_text(&debug_str, "Control");
+ }
+ else
+ {
+ str_alloc_text(&debug_str, "DATA");
+ }
+ str_append_text(&debug_str, " connection terminated without SSL shutdown.");
+ if (p_ssl != p_sess->p_control_ssl)
+ {
+ str_append_text(&debug_str,
+ " Buggy client! Integrity of upload cannot be asserted.");
+ }
 vsf_log_line(p_sess, kVSFLogEntryDebug, &debug_str);
 if (tunable_strict_ssl_read_eof)
 {
@@ -380,6 +402,12 @@ ssl_data_close(struct vsf_session* p_sess)
 {
 int ret;
 maybe_log_shutdown_state(p_sess);
+
+ /* Disable Nagle algorithm. We want the shutdown packet to be sent
+ * immediately, there's nothing coming after.
+ */
+ vsf_sysutil_set_nodelay(SSL_get_fd(p_ssl));
+
 /* This is a mess. Ideally, when we're the sender, we'd like to get to the
 * SSL_RECEIVED_SHUTDOWN state to get a cryptographic guarantee that the
 * peer received all the data and shut the connection down cleanly. It
diff --git a/release/src/router/vsftpd/tunables.c b/release/src/router/vsftpd/tunables.c
index 1e3f017ef7..fe2f84cf54 100644
--- a/release/src/router/vsftpd/tunables.c
+++ b/release/src/router/vsftpd/tunables.c
@@ -218,7 +218,7 @@ tunables_load_defaults()
 tunable_debug_ssl = 0;
 tunable_require_cert = 0;
 tunable_validate_cert = 0;
- tunable_strict_ssl_read_eof = 0;
+ tunable_strict_ssl_read_eof = 1;
 tunable_strict_ssl_write_shutdown = 0;
 tunable_ssl_request_cert = 1;
 tunable_delete_failed_uploads = 0;
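Review bot: The DATA-connection integrity warning in ssl_read_common is logged with kVSFLogEntryDebug, so on a default configuration (tunable_debug_ssl is 0 in the tunables.c hunk, and I take it to gate debug entries) the one message explaining why an upload was rejected under tunable_strict_ssl_read_eof, now defaulted on, is never visible to the operator. Consider logging the DATA case at a non-debug entry type, or at least noting in a comment above vsf_log_line that debug logging must be enabled to see it. The comparison `p_ssl == p_sess->p_control_ssl` is evaluated twice; `int is_control = (p_ssl == p_sess->p_control_ssl);` computed once would read more clearly. ssl_read_common starts and ends outside the hunk.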
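Review bot: Defaulting `tunable_strict_ssl_read_eof` to 1 changes behaviour for every deployment that never set the option: a data connection closed without a TLS close_notify now takes the strict branch in ssl_read_common (whose body is outside the ssl.c hunk) instead of only being logged, which is the upload-integrity guarantee the Changelog describes but also a compatibility change for clients that skip the shutdown. No man page or sample configuration appears in the diffstat, so if this tree ships vsftpd.conf(5) or a default vsftpd.conf, its stated default for strict_ssl_read_eof (and for ssl_ciphers, changed in the next hunk) is now stale and should be updated with this commit. tunables_load_defaults starts and ends outside the hunk.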
@@ -287,7 +287,7 @@ tunables_load_defaults()
 install_str_setting("/var/run/vsftpd/vsftpd.pem", &tunable_rsa_cert_file);
 install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("AES128-SHA:DES-CBC3-SHA", &tunable_ssl_ciphers);
+ install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
 install_str_setting(0, &tunable_rsa_private_key_file);
 install_str_setting(0, &tunable_dsa_private_key_file);
 install_str_setting(0, &tunable_ca_certs_file);
diff --git a/release/src/router/vsftpd/twoprocess.c b/release/src/router/vsftpd/twoprocess.c
index 998a2fd03b..33d84dc85f 100644
--- a/release/src/router/vsftpd/twoprocess.c
+++ b/release/src/router/vsftpd/twoprocess.c
@@ -465,13 +465,6 @@ common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
 str_free(&chroot_str);
 str_free(&chdir_str);
 str_free(&userdir_str);
- /* Guard against the config error of having the anonymous ftp tree owned
- * by the user we are running as
- */
- if (!tunable_anon_allow_writable_root && was_anon && vsf_sysutil_write_access("/"))
- {
- die("vsftpd: refusing to run with writable anonymous root");
- }
 p_sess->is_anonymous = anon;
 seccomp_sandbox_init();
 seccomp_sandbox_setup_postlogin(p_sess);
diff --git a/release/src/router/vsftpd/vsftpver.h b/release/src/router/vsftpd/vsftpver.h
index 0b7bac053d..7a77406e0f 100644
--- a/release/src/router/vsftpd/vsftpver.h
+++ b/release/src/router/vsftpd/vsftpver.h
@@ -1,7 +1,7 @@
 #ifndef VSF_VERSION_H
 #define VSF_VERSION_H
-#define VSF_VERSION "3.0.2"
+#define VSF_VERSION "3.0.3"
 #endif /* VSF_VERSION_H */
-- 
2.11.4.GIT
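Review bot: The new default `ECDHE-RSA-AES256-GCM-SHA384` is a single RSA-authenticated TLS 1.2 suite, while the defaults two lines above still install `tunable_dsa_cert_file`; a server configured with only a DSA certificate, or a client without TLS 1.2, negotiates nothing and the handshake fails with no fallback. That is consistent with the Changelog entry, so I would not widen the list here, but the constraint deserves a comment on the line: `/* ECDHE-RSA only: requires an RSA certificate and a TLS 1.2 client; a DSA cert cannot negotiate. */`. tunables_load_defaults starts and ends outside the hunk.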