* update lftp to 4.9.3-1

This commit is contained in:
Alexander Baldeck 2024-12-17 14:44:16 +01:00
parent f971c94451
commit 3ea5d5d056
17 changed files with 22 additions and 602 deletions


@ -1,14 +1,14 @@
pkgbase = lftp
pkgdesc = Sophisticated command line based FTP client
pkgver = 4.9.2
pkgrel = 2.1
pkgver = 4.9.3
pkgrel = 1
url = https://lftp.yar.ru/
arch = x86_64
arch = powerpc64le
arch = powerpc64
arch = powerpc
arch = riscv64
license = GPL3
license = GPL-3.0-or-later
depends = glibc
depends = gcc-libs
depends = readline
@ -19,40 +19,12 @@ pkgbase = lftp
depends = ncurses
depends = sh
depends = hicolor-icon-theme
optdepends = perl: needed for convert-netscape-cookies and verify-file
optdepends = perl: needed for convert-mozilla-cookies and verify-file
backup = etc/lftp.conf
source = https://lftp.yar.ru/ftp/lftp-4.9.2.tar.xz
source = https://lftp.yar.ru/ftp/lftp-4.9.2.tar.xz.asc
source = lftp-4.0.2.91-lafile.patch
source = lftp-4.5.5-am_config_header.patch
source = lftp-4.7.0-gettext.patch
source = lftp-4.7.5-libdir-additional.patch
source = lftp-4.7.5-libdir-expat.patch
source = lftp-4.8.2-libdir-configure.patch
source = lftp-4.8.2-libdir-libidn2.patch
source = lftp-4.8.2-libdir-openssl.patch
source = lftp-4.8.2-libdir-zlib.patch
source = lftp-4.9.1-libdir-readline.patch
source = lftp-4.9.2-ac-270.patch
source = lftp-4.9.2-configure-clang16.patch
source = lftp-4.9.2-gnutls-peers2.patch
source = lftp-4.9.2-libressl.patch
source = https://lftp.yar.ru/ftp/lftp-4.9.3.tar.xz
source = https://lftp.yar.ru/ftp/lftp-4.9.3.tar.xz.asc
validpgpkeys = C027FA3148652A5513036413A824BB69F2A99A18
sha256sums = c517c4f4f9c39bd415d7313088a2b1e313b2d386867fe40b7692b83a20f0670d
sha256sums = 96e7199d7935be33cf6b1161e955b2aab40ab77ecdf2a19cea4fc1193f457edc
sha256sums = SKIP
sha256sums = b54aac35c297657290a2d9571c38bdc4bf51548f826b4ec958a768c398c0cd0b
sha256sums = 7ab090449f8c26624ebe853a0285954c414e31242fcd3db1026bd88d6ebbd6a0
sha256sums = 83134d745ea0af69adaeac9445cff6a934cf6286ec4c7b7c09e19bf32bd17385
sha256sums = 6b97d0dd4da24c421917bf1674da8f64e703efaa8055033afe8918459891000a
sha256sums = 7e7abed0395ea068828f47f1195c0c1695c95b24cb1b73e8c366a55f47cdbf6b
sha256sums = d154bdb3f3f884ef574ba64c5bfe70e613a673257b70698e76b977622309c8c8
sha256sums = 9288e0aa80570738b6e95d58614bb5d4c6deab6d038dee8b2800bb724fe5675d
sha256sums = 46ca5c6fcfeb4b5513b68e13f7e6adba8f96a03514f54dde1bfd8e5bcbff5a8c
sha256sums = 8e9af6a698fcb65f5487bf925c73826ca08df0db05efc91116927ce8acb4733b
sha256sums = 094855a3b2840b3186bfe26ee486c3a572734fe101a4fc4a31eb8457f2504764
sha256sums = 457bce1ba81f1648d5412c72336cae97b1bf09d7089418484cf45abcacf39bdc
sha256sums = f37b4e4162883d292b7db5f0c0e789a1dfa854e2e6b4e2632cbeeb5111cdd2bb
sha256sums = 85577ef131c795936aca039d18ece7ff62fdb03905d37087e5d03d53c8409a94
sha256sums = d70395aa3cf613cd5998d87825e397decc035170021f6b72601e1768544cdeeb
pkgname = lftp

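--- /dev/null
+++ b/lftp/.nvchecker.toml
@@ -0,0 +1,5 @@
+[lftp]
+source = "github"
+github = "lavv17/lftp"
+use_max_tag = true
+prefix = "v"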


@ -3,89 +3,32 @@
# Contributor: Aaron Griffin <aaron@archlinux.org>
pkgname=lftp
pkgver=4.9.2
pkgrel=2.1
pkgver=4.9.3
pkgrel=1
pkgdesc="Sophisticated command line based FTP client"
arch=(x86_64 powerpc64le powerpc64 powerpc riscv64)
license=('GPL3')
license=('GPL-3.0-or-later')
depends=('glibc' 'gcc-libs' 'readline' 'gnutls' 'expat'
'zlib' 'libidn2' 'ncurses' 'sh' 'hicolor-icon-theme')
optdepends=('perl: needed for convert-netscape-cookies and verify-file')
optdepends=('perl: needed for convert-mozilla-cookies and verify-file')
url="https://lftp.yar.ru/"
backup=('etc/lftp.conf')
source=(https://lftp.yar.ru/ftp/${pkgname}-${pkgver}.tar.xz{,.asc}
lftp-4.0.2.91-lafile.patch
lftp-4.5.5-am_config_header.patch
lftp-4.7.0-gettext.patch
lftp-4.7.5-libdir-additional.patch
lftp-4.7.5-libdir-expat.patch
lftp-4.8.2-libdir-configure.patch
lftp-4.8.2-libdir-libidn2.patch
lftp-4.8.2-libdir-openssl.patch
lftp-4.8.2-libdir-zlib.patch
lftp-4.9.1-libdir-readline.patch
lftp-4.9.2-ac-270.patch
lftp-4.9.2-configure-clang16.patch
lftp-4.9.2-gnutls-peers2.patch
lftp-4.9.2-libressl.patch)
sha256sums=('c517c4f4f9c39bd415d7313088a2b1e313b2d386867fe40b7692b83a20f0670d'
'SKIP'
'b54aac35c297657290a2d9571c38bdc4bf51548f826b4ec958a768c398c0cd0b'
'7ab090449f8c26624ebe853a0285954c414e31242fcd3db1026bd88d6ebbd6a0'
'83134d745ea0af69adaeac9445cff6a934cf6286ec4c7b7c09e19bf32bd17385'
'6b97d0dd4da24c421917bf1674da8f64e703efaa8055033afe8918459891000a'
'7e7abed0395ea068828f47f1195c0c1695c95b24cb1b73e8c366a55f47cdbf6b'
'd154bdb3f3f884ef574ba64c5bfe70e613a673257b70698e76b977622309c8c8'
'9288e0aa80570738b6e95d58614bb5d4c6deab6d038dee8b2800bb724fe5675d'
'46ca5c6fcfeb4b5513b68e13f7e6adba8f96a03514f54dde1bfd8e5bcbff5a8c'
'8e9af6a698fcb65f5487bf925c73826ca08df0db05efc91116927ce8acb4733b'
'094855a3b2840b3186bfe26ee486c3a572734fe101a4fc4a31eb8457f2504764'
'457bce1ba81f1648d5412c72336cae97b1bf09d7089418484cf45abcacf39bdc'
'f37b4e4162883d292b7db5f0c0e789a1dfa854e2e6b4e2632cbeeb5111cdd2bb'
'85577ef131c795936aca039d18ece7ff62fdb03905d37087e5d03d53c8409a94'
'd70395aa3cf613cd5998d87825e397decc035170021f6b72601e1768544cdeeb')
source=(https://lftp.yar.ru/ftp/${pkgname}-${pkgver}.tar.xz{,.asc})
sha256sums=('96e7199d7935be33cf6b1161e955b2aab40ab77ecdf2a19cea4fc1193f457edc'
'SKIP')
validpgpkeys=('C027FA3148652A5513036413A824BB69F2A99A18') # "Alexander V. Lukyanov <lav@yars.free.net>"
prepare() {
cd "${pkgname}"-${pkgver}
patch -Np1 -i ${srcdir}/lftp-4.0.2.91-lafile.patch
patch -Np1 -i ${srcdir}/lftp-4.5.5-am_config_header.patch
patch -Np1 -i ${srcdir}/lftp-4.7.0-gettext.patch
patch -Np1 -i ${srcdir}/lftp-4.7.5-libdir-additional.patch
patch -Np1 -i ${srcdir}/lftp-4.7.5-libdir-expat.patch
patch -Np1 -i ${srcdir}/lftp-4.8.2-libdir-configure.patch
patch -Np1 -i ${srcdir}/lftp-4.8.2-libdir-libidn2.patch
patch -Np1 -i ${srcdir}/lftp-4.8.2-libdir-openssl.patch
patch -Np1 -i ${srcdir}/lftp-4.8.2-libdir-zlib.patch
patch -Np1 -i ${srcdir}/lftp-4.9.1-libdir-readline.patch
patch -Np1 -i ${srcdir}/lftp-4.9.2-ac-270.patch
patch -Np1 -i ${srcdir}/lftp-4.9.2-configure-clang16.patch
patch -Np1 -i ${srcdir}/lftp-4.9.2-gnutls-peers2.patch
patch -Np1 -i ${srcdir}/lftp-4.9.2-libressl.patch
#libtoolize -fiv
autoreconf -fiv
}
build() {
cd "${pkgname}"-${pkgver}
./configure --prefix=/usr \
--with-gnutls \
--without-openssl \
--disable-static \
--build=${CHOST} \
--enable-ipv6 \
--enable-packager-mode \
--sysconfdir=/etc/lftp \
--with-modules \
--with-readline=/usr \
--without-included-regex
--without-included-regex \
--disable-static
make
}
package() {
cd "${pkgname}"-${pkgver}
mkdir -p ${pkgdir}/usr/share
make DESTDIR="${pkgdir}" install
rm -rf "${pkgdir}"/usr/lib
rm -rfv "${pkgdir}"/usr/lib
}
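Review bot: Dropping lftp-4.9.2-gnutls-peers2.patch and lftp-4.9.2-libressl.patch from source= and prepare() assumes that 4.9.3 ships the upstream commits those files carried (285c61cacb8ec0177a0b60224343dac2ec8af6b8 and 3ffa0132987bdde986c82c924bc51b13b37f8b54 per the deleted patch headers); the commit message does not say so, and the first of them is what moved server certificate chain checking onto gnutls_certificate_verify_peers2, so it is worth confirming against the 4.9.3 tree rather than by a successful build alone. The pairing of `--with-modules` in build() with `rm -rfv "${pkgdir}"/usr/lib` in package() also deserves a second look now that lftp-4.0.2.91-lafile.patch is gone: that patch moved liblftp-tasks.la and liblftp-jobs.la out of lib_LTLIBRARIES, so without it they presumably install under usr/lib and are deleted with it — check that the packaged lftp still starts. Whether the `--disable-static` now closing the configure argument list duplicates the one earlier in the same command cannot be told from this rendering; if both are on the new side, one of them can go. With no patches left to apply, a short comment above `autoreconf -fiv` recording why it is still run, e.g. `# autoreconf kept after dropping the patch set; confirm the release tarball still needs it`, would help the next bump.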


@ -1,21 +0,0 @@
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -18,7 +18,8 @@
example_module1_la_SOURCES = example-module1.cc
example_module1_la_LDFLAGS = -module -avoid-version -rpath $(pkgverlibdir)
-TASK_MODULES = liblftp-pty.la liblftp-network.la proto-ftp.la proto-http.la proto-file.la proto-fish.la proto-sftp.la
+TASK_MODULES = liblftp-pty.la liblftp-network.la proto-ftp.la proto-http.la proto-file.la proto-fish.la proto-sftp.la liblftp-tasks.la liblftp-jobs.la
+
JOB_MODULES = cmd-mirror.la cmd-sleep.la cmd-torrent.la
if WITH_MODULES
pkgverlib_LTLIBRARIES = $(TASK_MODULES) $(JOB_MODULES)
@@ -26,8 +27,6 @@
TASK_MODULES_STATIC = $(TASK_MODULES)
JOB_MODULES_STATIC = $(JOB_MODULES)
endif
-lib_LTLIBRARIES = liblftp-tasks.la liblftp-jobs.la
-
proto_ftp_la_SOURCES = ftpclass.cc ftpclass.h FtpListInfo.cc FtpListInfo.h\
FtpDirList.cc FtpDirList.h ftp-opie.c FileCopyFtp.cc FileCopyFtp.h
proto_http_la_SOURCES = Http.cc Http.h HttpDir.cc HttpDir.h HttpDirXML.cc


@ -1,11 +0,0 @@
--- a/configure.ac
+++ b/configure.ac
@@ -5,7 +5,7 @@
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_LIBOBJ_DIR([lib])
AC_CONFIG_SRCDIR([src/ftpclass.cc])
-AM_CONFIG_HEADER([lib/config.h])
+AC_CONFIG_HEADERS([lib/config.h])
AM_INIT_AUTOMAKE
dnl This doesn't *require* GNU extensions; it merely enables them if


@ -1,11 +0,0 @@
--- a/configure.ac
+++ b/configure.ac
@@ -138,7 +138,7 @@
ALL_LINGUAS="de es fr it ja ko pl pt_BR ru uk zh_CN zh_TW zh_HK cs"
AM_GNU_GETTEXT([external])
-AM_GNU_GETTEXT_VERSION([0.15])
+AM_GNU_GETTEXT_VERSION([0.19])
test "$MSGFMT" = "no" && MSGFMT ="$missing_dir/missing msgfmt"
test "$GMSGFMT" = "no" && GMSGFMT ="$missing_dir/missing msgfmt"
test "$XGETTEXT" = ":" && XGETTEXT="$missing_dir/missing xgettext"


@ -1,12 +0,0 @@
--- a/m4/lib-prefix.m4
+++ b/m4/lib-prefix.m4
@@ -108,7 +108,8 @@
if test -z "$haveit"; then
if test -d "$additional_libdir"; then
dnl Really add $additional_libdir to $LDFLAGS.
- LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
+ dnl No, let's not do that.
+ :
fi
fi
fi


@ -1,11 +0,0 @@
--- a/m4/ax_lib_expat.m4
+++ b/m4/ax_lib_expat.m4
@@ -109,7 +109,7 @@
if test -n "$expat_prefix"; then
expat_include_dir="$expat_prefix/include"
- expat_ld_flags="-L$expat_prefix/lib"
+ expat_ld_flags="-L$libdir"
expat_lib_flags="-lexpat"
run_expat_test="yes"
elif test "$expat_requested" = "yes"; then


@ -1,18 +0,0 @@
--- a/configure.ac
+++ b/configure.ac
@@ -186,7 +186,6 @@
esac
if test x$socks_loc != x; then
- LDFLAGS="$LDFLAGS -L$socks_loc/lib"
CPPFLAGS="$CPPFLAGS -I$socks_loc/include"
fi
@@ -307,7 +306,6 @@
AX_CHECK_ZLIB([
AC_SUBST([ZLIB],[-lz])
r=""; test "$enable_rpath" = yes -a "$ZLIB_HOME" != /usr && r=" -R${ZLIB_HOME}/lib"
- AC_SUBST([ZLIB_LDFLAGS],["-L${ZLIB_HOME}/lib$r"])
AC_SUBST([ZLIB_CPPFLAGS],["-I${ZLIB_HOME}/include"])
],[
AC_MSG_ERROR([cannot find -lz library, install zlib-devel package])


@ -1,10 +0,0 @@
--- a/m4/lftp.m4
+++ b/m4/lftp.m4
@@ -319,7 +319,6 @@
libidn2=$withval, libidn2=yes)
if test "$libidn2" != "no"; then
if test "$libidn2" != "yes"; then
- LDFLAGS="${LDFLAGS} -L$libidn2/lib"
CPPFLAGS="${CPPFLAGS} -I$libidn2/include"
fi
AC_CHECK_HEADER(idn2.h,


@ -1,18 +0,0 @@
--- a/m4/ssl.m4
+++ b/m4/ssl.m4
@@ -10,7 +10,6 @@
old_CPPFLAGS="$CPPFLAGS"
LIBS="$LIBS -lssl -lcrypto"
if test $loc != default; then
- LDFLAGS="$LDFLAGS -L$loc/lib"
CPPFLAGS="$CPPFLAGS -I$loc/include"
fi
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <openssl/ssl.h>
@@ -22,7 +21,6 @@
lftp_cv_openssl="OPENSSL_LIBS=\"-lssl -lcrypto\""
if test $found_loc != default; then
r=""; test "$enable_rpath" = yes -a "$found_loc" != /usr && r=" -R$found_loc/lib"
- lftp_cv_openssl="$lftp_cv_openssl OPENSSL_LDFLAGS=\"-L$found_loc/lib$r\""
lftp_cv_openssl="$lftp_cv_openssl OPENSSL_CPPFLAGS=-I$found_loc/include"
fi
break;


@ -1,20 +0,0 @@
--- a/m4/ax_check_zlib.m4
+++ b/m4/ax_check_zlib.m4
@@ -105,7 +105,6 @@
ZLIB_OLD_LDFLAGS="$LDFLAGS"
ZLIB_OLD_CPPFLAGS="$CPPFLAGS"
if test -n "${ZLIB_HOME}"; then
- LDFLAGS="$LDFLAGS -L${ZLIB_HOME}/lib"
CPPFLAGS="$CPPFLAGS -I${ZLIB_HOME}/include"
fi
AC_LANG_SAVE
@@ -118,8 +118,7 @@
# If both library and header were found, action-if-found
#
m4_ifblank([$1],[
- test "$enable_rpath" = yes -a "$ZLIB_HOME" != /usr && \
- LDFLAGS="$LDFLAGS -R${ZLIB_HOME}/lib"
+ test "$enable_rpath" = yes -a "$ZLIB_HOME" != /usr
LIBS="-lz $LIBS"
AC_DEFINE([HAVE_LIBZ], [1],
[Define to 1 if you have `z' library (-lz)])


@ -1,11 +0,0 @@
--- a/m4/lftp_lib_readline.m4
+++ b/m4/lftp_lib_readline.m4
@@ -107,7 +107,7 @@
if test -f "$readline_include_dir/readline/readline.h"; then
readline_include_dir="$readline_include_dir/readline"
fi
- readline_ld_flags="-L$readline_prefix/lib"
+ readline_ld_flags="-L$libdir"
if test -z "$readline_lib_flags"; then
readline_lib_flags="-lreadline"
fi


@ -1,36 +0,0 @@
--- a/m4/std-gnu11.m4
+++ b/m4/std-gnu11.m4
@@ -6,6 +6,8 @@
# This implementation will be obsolete once we can assume Autoconf 2.70
# or later is installed everywhere a Gnulib program might be developed.
+m4_version_prereq([2.70], [], [
+
# Copyright (C) 2001-2020 Free Software Foundation, Inc.
@@ -70,7 +72,7 @@ _AS_ECHO_LOG([checking for _AC_LANG compiler version])
set X $ac_compile
ac_compiler=$[2]
for ac_option in --version -v -V -qversion -version; do
- m4_ifdef([_AC_DO_LIMIT],[_AC_DO_LIMIT],[_AC_DO])([$ac_compiler $ac_option >&AS_MESSAGE_LOG_FD])
+ _AC_DO_LIMIT([$ac_compiler $ac_option >&AS_MESSAGE_LOG_FD])
done
m4_expand_once([_AC_COMPILER_EXEEXT])[]dnl
@@ -135,7 +137,7 @@ _AS_ECHO_LOG([checking for _AC_LANG compiler version])
set X $ac_compile
ac_compiler=$[2]
for ac_option in --version -v -V -qversion; do
- m4_ifdef([_AC_DO_LIMIT],[_AC_DO_LIMIT],[_AC_DO])([$ac_compiler $ac_option >&AS_MESSAGE_LOG_FD])
+ _AC_DO_LIMIT([$ac_compiler $ac_option >&AS_MESSAGE_LOG_FD])
done
m4_expand_once([_AC_COMPILER_EXEEXT])[]dnl
@@ -822,3 +824,6 @@ dnl Tru64 N/A (no support)
dnl with extended modes being tried first.
[[-std=gnu++11 -std=c++11 -std=gnu++0x -std=c++0x -qlanglvl=extended0x -AA]], [$1], [$2])[]dnl
])# _AC_PROG_CXX_CXX11
+
+
+])# m4_version_prereq


@ -1,22 +0,0 @@
https://github.com/lavv17/lftp/commit/8af97cc255c3d2488adb107515bd1047dbedadfe
From 8af97cc255c3d2488adb107515bd1047dbedadfe Mon Sep 17 00:00:00 2001
From: DJ Delorie <dj@redhat.com>
Date: Wed, 8 Feb 2023 23:37:37 -0500
Subject: [PATCH] Fix C99 compatibility issue
Related to:
<https://fedoraproject.org/wiki/Changes/PortingToModernC>
<https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
--- a/m4/needtrio.m4
+++ b/m4/needtrio.m4
@@ -9,6 +9,7 @@ AC_DEFUN([LFTP_NEED_TRIO],[
else
AC_RUN_IFELSE([AC_LANG_SOURCE([[
+ #include <stdio.h>
int main()
{
unsigned long long x=0,x1;


@ -1,261 +0,0 @@
From 285c61cacb8ec0177a0b60224343dac2ec8af6b8 Mon Sep 17 00:00:00 2001
From: Miao Wang <shankerwangmiao@gmail.com>
Date: Sat, 9 Oct 2021 18:13:30 +0800
Subject: [PATCH] Use gnutls_certificate_verify_peers2 to verify server
certificates
Fixes: #641
Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
---
src/lftp_ssl.cc | 207 +++++++++++-------------------------------------
src/lftp_ssl.h | 2 -
2 files changed, 48 insertions(+), 161 deletions(-)
diff --git a/src/lftp_ssl.cc b/src/lftp_ssl.cc
index 968d3fb26..26e91e4b9 100644
--- a/src/lftp_ssl.cc
+++ b/src/lftp_ssl.cc
@@ -338,6 +338,16 @@ void lftp_ssl_gnutls::load_keys()
if(res<0)
Log::global->Format(0,"gnutls_certificate_set_x509_key_file(%s,%s): %s\n",cert_file,key_file,gnutls_strerror(res));
}
+ res = gnutls_certificate_set_x509_trust(cred, instance->ca_list, instance->ca_list_size);
+ if(res < 0)
+ Log::global->Format(0, "gnutls_certificate_set_x509_trust: %s\n", gnutls_strerror(res));
+ else
+ Log::global->Format(9, "Loaded %d CAs\n", res);
+ res = gnutls_certificate_set_x509_crl(cred, instance->crl_list, instance->crl_list_size);
+ if(res < 0)
+ Log::global->Format(0, "gnutls_certificate_set_x509_crl: %s\n", gnutls_strerror(res));
+ else
+ Log::global->Format(9, "Loaded %d CRLs\n", res);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);
}
void lftp_ssl_gnutls::shutdown()
@@ -358,174 +368,53 @@ lftp_ssl_gnutls::~lftp_ssl_gnutls()
*/
void lftp_ssl_gnutls::verify_certificate_chain(const gnutls_datum_t *cert_chain,int cert_chain_length)
{
- int i;
- gnutls_x509_crt_t *cert=(gnutls_x509_crt_t*)alloca(cert_chain_length*sizeof(gnutls_x509_crt_t));
-
- /* Import all the certificates in the chain to
- * native certificate format.
- */
- for (i = 0; i < cert_chain_length; i++)
- {
- gnutls_x509_crt_init(&cert[i]);
- gnutls_x509_crt_import(cert[i],&cert_chain[i],GNUTLS_X509_FMT_DER);
+ int err;
+ unsigned int status;
+
+ gnutls_x509_crt_t leaf_cert;
+ err = gnutls_x509_crt_init(&leaf_cert);
+ if(err < 0){
+ set_cert_error(xstring::format("GnuTLS Error: %s", gnutls_strerror(err)), NULL);
+ goto err_out;
}
-
- /* Now verify the certificates against their issuers
- * in the chain.
- */
- for (i = 1; i < cert_chain_length; i++)
- verify_cert2(cert[i - 1], cert[i]);
-
- /* Here we must verify the last certificate in the chain against
- * our trusted CA list.
- */
- verify_last_cert(cert[cert_chain_length - 1]);
-
- /* Check if the name in the first certificate matches our destination!
- */
- bool check_hostname = ResMgr::QueryBool("ssl:check-hostname", hostname);
- if(check_hostname) {
- if(!gnutls_x509_crt_check_hostname(cert[0], hostname))
- set_cert_error(xstring::format("certificate common name doesn't match requested host name %s",quote(hostname)),get_fp(cert[0]));
- } else {
- Log::global->Format(0, "WARNING: Certificate verification: hostname checking disabled\n");
+ gnutls_x509_crt_import(leaf_cert, &cert_chain[0], GNUTLS_X509_FMT_DER);
+ if(err < 0){
+ set_cert_error(xstring::format("GnuTLS Error: %s", gnutls_strerror(err)), NULL);
+ goto deinit_cert;
}
- for (i = 0; i < cert_chain_length; i++)
- gnutls_x509_crt_deinit(cert[i]);
-}
-
-
-/* Verifies a certificate against an other certificate
- * which is supposed to be it's issuer. Also checks the
- * crl_list if the certificate is revoked.
- */
-void lftp_ssl_gnutls::verify_cert2(gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer)
-{
- int ret;
- time_t now = SMTask::now;
- size_t name_size;
- char name[256];
-
- /* Print information about the certificates to
- * be checked.
- */
- name_size = sizeof(name);
- gnutls_x509_crt_get_dn(crt, name, &name_size);
-
- Log::global->Format(9, "Certificate: %s\n", name);
-
- name_size = sizeof(name);
- gnutls_x509_crt_get_issuer_dn(crt, name, &name_size);
-
- Log::global->Format(9, " Issued by: %s\n", name);
-
- /* Get the DN of the issuer cert.
- */
- name_size = sizeof(name);
- gnutls_x509_crt_get_dn(issuer, name, &name_size);
-
- Log::global->Format(9, " Checking against: %s\n", name);
-
- /* Do the actual verification.
- */
- unsigned crt_status=0;
- unsigned issuer_status=0;
- gnutls_x509_crt_verify(crt, &issuer, 1, 0, &crt_status);
- if(crt_status&GNUTLS_CERT_SIGNER_NOT_CA)
- {
- // recheck the issuer certificate against CA
- gnutls_x509_crt_verify(issuer, instance->ca_list, instance->ca_list_size, 0, &issuer_status);
- if(issuer_status==0)
- crt_status&=~GNUTLS_CERT_SIGNER_NOT_CA;
- if(crt_status==GNUTLS_CERT_INVALID)
- crt_status=0;
+ err = gnutls_certificate_verify_peers2 (session, &status);
+ if(err < 0){
+ set_cert_error(xstring::format("Cerificate Verification Error: %s", gnutls_strerror(err)), get_fp(leaf_cert));
+ goto deinit_cert;
}
- if (crt_status & GNUTLS_CERT_INVALID)
- {
- char msg[256];
- strcpy(msg,"Not trusted");
- if(crt_status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- strcat(msg,": no issuer was found");
- if(crt_status & GNUTLS_CERT_SIGNER_NOT_CA)
- strcat(msg,": issuer is not a CA");
- set_cert_error(msg,get_fp(crt));
- }
- else
- Log::global->Format(9, " Trusted\n");
-
- /* Now check the expiration dates.
- */
- if (gnutls_x509_crt_get_activation_time(crt) > now)
- set_cert_error("Not yet activated",get_fp(crt));
-
- if (gnutls_x509_crt_get_expiration_time(crt) < now)
- set_cert_error("Expired",get_fp(crt));
-
- /* Check if the certificate is revoked.
- */
- ret = gnutls_x509_crt_check_revocation(crt, instance->crl_list, instance->crl_list_size);
- if (ret == 1) { /* revoked */
- set_cert_error("Revoked",get_fp(crt));
- }
-}
-
-
-/* Verifies a certificate against the trusted CA list.
- * Also checks the crl_list if the certificate is revoked.
- */
-void lftp_ssl_gnutls::verify_last_cert(gnutls_x509_crt_t crt)
-{
- unsigned int crt_status;
- int ret;
- time_t now = SMTask::now;
- size_t name_size;
- char name[256];
-
- /* Print information about the certificates to
- * be checked.
- */
- name_size = sizeof(name);
- gnutls_x509_crt_get_dn(crt, name, &name_size);
-
- Log::global->Format(9, "Certificate: %s\n", name);
-
- name_size = sizeof(name);
- gnutls_x509_crt_get_issuer_dn(crt, name, &name_size);
-
- Log::global->Format(9, " Issued by: %s\n", name);
-
- /* Do the actual verification.
- */
- gnutls_x509_crt_verify(crt, instance->ca_list, instance->ca_list_size, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT, &crt_status);
-
- if (crt_status & GNUTLS_CERT_INVALID)
- {
- char msg[256];
- strcpy(msg,"Not trusted");
- if (crt_status & GNUTLS_CERT_SIGNER_NOT_CA)
- strcat(msg,": Issuer is not a CA");
- set_cert_error(msg,get_fp(crt));
+ if(status != 0){
+ gnutls_datum_t reason;
+ err = gnutls_certificate_verification_status_print(status, gnutls_certificate_type_get(session), &reason, 0);
+ if(err < 0){
+ set_cert_error(xstring::format("Cerificate Verification Error: %s", gnutls_strerror(err)), get_fp(leaf_cert));
+ goto deinit_cert;
+ }
+ set_cert_error((const char*)reason.data, get_fp(leaf_cert));
+ gnutls_free(reason.data);
+ goto deinit_cert;
}
- else
- Log::global->Format(9, " Trusted\n");
+ if(ResMgr::QueryBool("ssl:check-hostname", hostname)) {
+ if(!gnutls_x509_crt_check_hostname(leaf_cert, hostname)){
+ set_cert_error(xstring::format("certificate common name doesn't match requested host name %s",quote(hostname)),get_fp(leaf_cert));
+ goto deinit_cert;
+ }
+ } else {
+ Log::global->Format(0, "WARNING: Certificate verification: hostname checking disabled\n");
+ }
- /* Now check the expiration dates.
- */
- if(gnutls_x509_crt_get_activation_time(crt) > now)
- set_cert_error("Not yet activated",get_fp(crt));
-
- if(gnutls_x509_crt_get_expiration_time(crt) < now)
- set_cert_error("Expired",get_fp(crt));
+ deinit_cert:
+ gnutls_x509_crt_deinit(leaf_cert);
- /* Check if the certificate is revoked.
- */
- ret = gnutls_x509_crt_check_revocation(crt, instance->crl_list, instance->crl_list_size);
- if (ret == 1) { /* revoked */
- set_cert_error("Revoked",get_fp(crt));
- }
+ err_out:
+ return;
}
bool lftp_ssl_gnutls::check_fatal(int res)
diff --git a/src/lftp_ssl.h b/src/lftp_ssl.h
index c37b047b4..87b92d4fa 100644
--- a/src/lftp_ssl.h
+++ b/src/lftp_ssl.h
@@ -92,8 +92,6 @@ class lftp_ssl_gnutls : public lftp_ssl_base
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
void verify_certificate_chain(const gnutls_datum_t *cert_chain,int cert_chain_length);
- void verify_cert2(gnutls_x509_crt_t crt,gnutls_x509_crt_t issuer);
- void verify_last_cert(gnutls_x509_crt_t crt);
int do_handshake();
bool check_fatal(int res);
static const xstring& get_fp(gnutls_x509_crt_t crt);


@ -1,38 +0,0 @@
https://bugs.gentoo.org/903001
https://github.com/lavv17/lftp/pull/663
https://github.com/lavv17/lftp/commit/3ffa0132987bdde986c82c924bc51b13b37f8b54
From 3ffa0132987bdde986c82c924bc51b13b37f8b54 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Wed, 6 Apr 2022 22:56:21 +0200
Subject: [PATCH] src/lftp_ssl.c: fix build with libressl >= 2.7.0
X509_OBJECT_get0_X509_CRL is provided by libressl since version 2.7.0
and
https://github.com/libressl-portable/openbsd/commit/9866ae34c0af718973475296bd9ef036d3aaa94e
resulting in the following build failure:
/nvmedata/autobuild/instance-21/output-1/host/opt/ext-toolchain/bin/../lib/gcc/microblaze-buildroot-linux-musl/11.2.0/../../../../microblaze-buildroot-linux-musl/bin/ld: /nvmedata/autobuild/instance-21/output-1/host/microblaze-buildroot-linux-musl/sysroot/usr/lib/libcrypto.a(x509_lu.c.o): in function `X509_OBJECT_get0_X509_CRL':
(.text+0xc3c): multiple definition of `X509_OBJECT_get0_X509_CRL'; /nvmedata/autobuild/instance-21/output-1/build/lftp-4.9.2/src/.libs/liblftp-network.a(liblftp_network_la-lftp_ssl.o):(.text+0x894): first defined here
Fixes:
- http://autobuild.buildroot.org/results/7fd1dfd5bc750ae5a3278ca950c838ae90704b23
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/lftp_ssl.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lftp_ssl.cc b/src/lftp_ssl.cc
index 26e91e4b..a814543d 100644
--- a/src/lftp_ssl.cc
+++ b/src/lftp_ssl.cc
@@ -664,7 +664,7 @@ int gnutls_x509_crt_list_import(gnutls_x509_crt_t *certs, unsigned int* cert_max
#elif USE_OPENSSL
//static int lftp_ssl_passwd_callback(char *buf,int size,int rwflag,void *userdata);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined (LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000L)
// for compatibility with older versions
X509_OBJECT *X509_OBJECT_new()
{