From 5947b0cc9c4c765f988148f0a42ca6e245b57ea3 Mon Sep 17 00:00:00 2001
From: Arturo Buzarra
Date: Thu, 12 Jun 2025 11:19:58 +0200
Subject: [PATCH] vsftpd: add support for SSL/TLS encrypted FTP sessions

This commit enables SSL/TLS support in vsftpd, allowing FTP communications to be encrypted for improved security. SSL/TLS support is enabled by default, but to preserve compatibility with clients that do not support encrypted connections, this feature can be disabled at runtime. Users can simply comment or uncomment a few lines in the `vsftpd.conf` configuration file to toggle the behavior.

Signed-off-by: Arturo Buzarra
---
 ...001-builddefs-add-support-to-OpenSSL.patch | 23 ++++++
 .../vsftpd/vsftpd/vsftpd-cert | 12 ++++
 .../vsftpd/vsftpd/vsftpd-cert.service | 11 +++
 .../vsftpd/vsftpd/vsftpd.conf | 9 +++
 .../vsftpd/vsftpd_%.bbappend | 70 ++++++++++++++++++-
 5 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/0001-builddefs-add-support-to-OpenSSL.patch
 create mode 100644 meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert
 create mode 100644 meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert.service

diff --git a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/0001-builddefs-add-support-to-OpenSSL.patch b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/0001-builddefs-add-support-to-OpenSSL.patch
new file mode 100644
index 000000000..7faec7c6f
--- /dev/null
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/0001-builddefs-add-support-to-OpenSSL.patch
@@ -0,0 +1,23 @@
+From: Arturo Buzarra
+Date: Wed, 4 Jun 2025 09:15:27 +0200
+Subject: [PATCH] builddefs: add support to OpenSSL
+
+Signed-off-by: Arturo Buzarra
+---
+ builddefs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/builddefs.h b/builddefs.h
+index 0106d1a..83de674 100644
+--- a/builddefs.h
++++ b/builddefs.h
+@@ -1,9 +1,9 @@
+ #ifndef VSF_BUILDDEFS_H
+ #define VSF_BUILDDEFS_H
+ 
+ #define VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+-#undef VSF_BUILD_SSL
++#define VSF_BUILD_SSL
+ 
+ #endif /* VSF_BUILDDEFS_H */
diff --git a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert
new file mode 100644
index 000000000..e7a2ab9cf
--- /dev/null
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Generate self-signed certificate and key if they don't already exist
+if [ ! -f "/etc/##VSFTPD_PEM##" ] || [ ! -f "/etc/##VSFTPD_KEY##" ]; then
+ openssl req ##VSFTPD_KEY_SIGN_PKCS## ##VSFTPD_KEY_REQ_ARGS## \
+ -out /etc/##VSFTPD_PEM## \
+ -keyout /etc/##VSFTPD_KEY##
+ chmod 400 /etc/##VSFTPD_KEY##
+ echo "SSL/TLS certificate generated"
+else
+ echo "SSL/TLS certificate already exists"
+fi
diff --git a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert.service b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert.service
new file mode 100644
index 000000000..e44c52908
--- /dev/null
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd-cert.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Vsftpd ftp daemon certificate generation
+Before=vsftpd.service
+ConditionPathExists=!/etc/##VSFTPD_PEM##
+
+[Service]
+Type=oneshot
+ExecStart=/etc/vsftpd-cert
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd.conf b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd.conf
index ac1ed380b..b322459e6 100644
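Review bot: The embedded 0001-builddefs-add-support-to-OpenSSL.patch has no `Upstream-Status:` line in its header, which the OpenEmbedded patch guidelines require and which tooling such as oe-core's patchreview script reports. Because the change only flips a build-time configuration define, `Upstream-Status: Inappropriate [configuration]` placed above the Signed-off-by line is the fitting value. A one-line sentence in the patch description saying that `VSF_BUILD_SSL` is what makes the `-lssl -lcrypto` link flags in the bbappend necessary would help a reader see why the two are gated on the same PACKAGECONFIG.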
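Review bot: The `openssl req` call in vsftpd-cert is not checked, so when it fails the script still runs `chmod 400` on a key that does not exist, prints "SSL/TLS certificate generated", and the oneshot unit that calls it exits successfully. The key is also written with the process's default umask and only tightened afterwards by `chmod 400`, which leaves a window in which the private key is readable by other local users. Put `umask 077` on a line of its own before `openssl req`, and replace the last line of the command with `-keyout /etc/##VSFTPD_KEY## || { echo "SSL/TLS certificate generation failed" >&2; exit 1; }` so the failure is visible in the unit status. The `||` in the existence test means a lone surviving key or certificate is regenerated as a pair, which is the right behaviour but worth a word in the comment above it.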
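Review bot: `ConditionPathExists=!/etc/##VSFTPD_PEM##` in vsftpd-cert.service only looks at the certificate, while the script it runs checks both certificate and key, so a present certificate with a missing key skips the unit and vsftpd starts without a usable keypair. Either drop the condition and let the script's own idempotent check decide, or make both paths triggering conditions: `ConditionPathExists=|!/etc/##VSFTPD_PEM##` and `ConditionPathExists=|!/etc/##VSFTPD_KEY##`; the second line also needs the bbappend's `sed` on the unit file to substitute `##VSFTPD_KEY##`, which it currently does not. Note as well that `Before=vsftpd.service` only orders the two units when both are queued in the same transaction; nothing here pulls vsftpd-cert in when vsftpd.service is started on its own, so a `Wants=vsftpd-cert.service` on the vsftpd side (outside this commit) or a comment in this unit explaining the boot-only guarantee is advisable.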
--- a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd.conf
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd/vsftpd.conf
@@ -18,3 +18,12 @@ connect_from_port_20=YES
 file_open_mode=0777
 local_umask=022
 anon_umask=022
+
+# These options specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+ssl_enable=YES
+rsa_cert_file=/etc/##VSFTPD_PEM##
+rsa_private_key_file=/etc/##VSFTPD_KEY##
+# SSL session reuse is enabled by default to enhance security.
+# Set to NO if clients have issues with data connections.
+#require_ssl_reuse=NO
diff --git a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd_%.bbappend b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd_%.bbappend
index dba7c4e2f..b14c7b09d 100644
--- a/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd_%.bbappend
+++ b/meta-digi-dey/recipes-connectivity/vsftpd/vsftpd_%.bbappend
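Review bot: `ssl_enable=YES` leaves cipher and protocol selection at vsftpd's built-in defaults; the vsftpd version being built is not visible here, but the upstream manual page for the 3.0 series lists a single 3DES suite as the `ssl_ciphers` default, so the file should pin something current, e.g. `ssl_ciphers=HIGH`, and a maintainer should confirm the protocol-version defaults of the packaged release. The comment block should also spell out a side effect that is invisible in the file: with `ssl_enable=YES` vsftpd's defaults for `force_local_logins_ssl` and `force_local_data_ssl` are YES, so local users can no longer log in in plaintext until `ssl_enable` is commented out, which is the compatibility switch the commit message describes. Minor wording: "These options specifies" should read "These options specify".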
@@ -1,7 +1,28 @@
-# Copyright (C) 2013-2019, Digi International Inc.
+# Copyright (C) 2013-2025, Digi International Inc.
 
 FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:"
 
+SRC_URI:append = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'file://0001-builddefs-add-support-to-OpenSSL.patch', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'file://vsftpd-cert', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'file://vsftpd-cert.service', '', d)} \
+"
+
+RDEPENDS:${PN}:append = "${@bb.utils.contains('PACKAGECONFIG', 'openssl', ' ${PN}-cert', '', d)}"
+
+PACKAGECONFIG:append = " openssl "
+PACKAGECONFIG[openssl] = ",,openssl"
+
+LDFLAGS += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', '-lssl -lcrypto', '', d)}"
+
+VSFTPD_PEM ?= "vsftpd.pem"
+VSFTPD_KEY ?= "vsftpd.key"
+# args to openssl req (Default is -batch for non interactive mode and
+# -newkey for new certificate)
+VSFTPD_KEY_REQ_ARGS ?= "-nodes -batch -newkey rsa:2048"
+# Standard format for public key certificate
+VSFTPD_KEY_SIGN_PKCS ?= "-x509"
+
 do_install:append() {
 if ! test -z "${PAMLIB}" ; then
 # Access through Pluggable Authentication Modules (PAM)
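Review bot: `VSFTPD_KEY_REQ_ARGS` passes no `-days` to `openssl req -x509`, whose default validity is 30 days, and vsftpd-cert never regenerates a certificate that already exists, so after the first month every client that validates the server certificate will reject it as expired. Add an explicit validity to the default, e.g. `VSFTPD_KEY_REQ_ARGS ?= "-nodes -batch -newkey rsa:2048 -days 3650"`, and say in the comment that the certificate is self-signed and that the device clock at first boot sets its notBefore date. The comment above the variable reads as if `-batch` and `-newkey` were openssl's own defaults; rewording it to "default arguments passed to openssl req" removes that ambiguity. Separately, `PACKAGECONFIG:append = " openssl "` makes every `bb.utils.contains('PACKAGECONFIG', 'openssl', ...)` test in this file true unless a distro removes the option again, which is fine but deserves a one-line comment so readers know the conditionals exist for `PACKAGECONFIG:remove`.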
@@ -12,4 +33,51 @@ do_install:append() {
 echo "d /run/vsftpd/empty 0755 root root -" \
 > ${D}${sysconfdir}/tmpfiles.d/${BPN}.conf
 fi
+ if ${@bb.utils.contains('PACKAGECONFIG', 'openssl', 'true', 'false', d)}; then
+ VSFTPD_PEM_BASE_NAME=$(basename ${VSFTPD_PEM})
+ VSFTPD_KEY_BASE_NAME=$(basename ${VSFTPD_KEY})
+ # Install user certificate if provided
+ if [ -f "${VSFTPD_PEM}" ] && [ -f "${VSFTPD_KEY}" ]; then
+ install -m 0644 ${VSFTPD_PEM} ${D}${sysconfdir}/${VSFTPD_PEM_BASE_NAME}
+ install -m 0400 ${VSFTPD_KEY} ${D}${sysconfdir}/${VSFTPD_KEY_BASE_NAME}
+ fi
+
+ # Install systemd service
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ # Install systemd unit files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/vsftpd-cert.service ${D}${systemd_unitdir}/system/
+ sed -i -e "s@##VSFTPD_PEM##@${VSFTPD_PEM_BASE_NAME}@g" \
+ "${D}${systemd_unitdir}/system/vsftpd-cert.service"
+ fi
+
+ # Install init script to generate certificate on target
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/vsftpd-cert ${D}${sysconfdir}/vsftpd-cert
+ sed -i -e "s@##VSFTPD_PEM##@${VSFTPD_PEM_BASE_NAME}@g" \
+ -e "s@##VSFTPD_KEY##@${VSFTPD_KEY_BASE_NAME}@g" \
+ -e "s@##VSFTPD_KEY_SIGN_PKCS##@${VSFTPD_KEY_SIGN_PKCS}@g" \
+ -e "s@##VSFTPD_KEY_REQ_ARGS##@${VSFTPD_KEY_REQ_ARGS}@g" \
+ "${D}${sysconfdir}/vsftpd-cert"
+ ln -sf ${sysconfdir}/vsftpd-cert ${D}${sysconfdir}/init.d/vsftpd-cert
+
+ # Customize vsftpd.conf
+ sed -i -e "s@##VSFTPD_PEM##@${VSFTPD_PEM_BASE_NAME}@g" \
+ -e "s@##VSFTPD_KEY##@${VSFTPD_KEY_BASE_NAME}@g" \
+ "${D}${sysconfdir}/vsftpd.conf"
+ fi
 }
+
+PACKAGES =+ "${PN}-cert"
+FILES:${PN}-cert = " \
+ ${sysconfdir}/vsftpd-cert \
+ ${sysconfdir}/init.d/vsftpd-cert \
+ ${systemd_unitdir}/system/vsftpd-cert.service \
+"
+
+INITSCRIPT_PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', '${PN}-cert', '', d)}"
+INITSCRIPT_NAME:${PN}-cert = "vsftpd-cert"
+INITSCRIPT_PARAMS:${PN}-cert = "start 99 3 5 . stop 20 0 1 2 6 ."
+
+SYSTEMD_PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'openssl', '${PN}-cert', '', d)}"
+SYSTEMD_SERVICE:${PN}-cert = "vsftpd-cert.service"
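Review bot: On sysvinit images `INITSCRIPT_PARAMS:${PN}-cert = "start 99 3 5 . stop 20 0 1 2 6 ."` runs the certificate generator near the end of the boot sequence, and nothing in this hunk orders it before vsftpd's own init script; vsftpd appears to load the certificate when it initialises SSL at daemon startup, so on a first boot where vsftpd starts earlier it would fail until the next boot. Give the script a start priority below vsftpd's (vsftpd's INITSCRIPT_PARAMS live in the base recipe, outside this commit) and drop the `stop` entries, since vsftpd-cert ignores its `start`/`stop` argument and would otherwise regenerate a missing keypair during shutdown. The `[ -f "${VSFTPD_PEM}" ]` test resolves a relative name against do_install's working directory, so the defaults `vsftpd.pem`/`vsftpd.key` can only ever take the generate-on-target path; the comment above `VSFTPD_PEM` should say that both variables must be absolute paths to ship a provided pair. When a pair is provided, `install -m 0400 ${VSFTPD_KEY}` bakes one private key into every image built from the layer, so the same comment should state that per-device generation on the target is the intended default and a shared key is a deliberate opt-in.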