Attachment #72306 for bug #111573

Lines 1-7 Link Here

(-)linux-ftpd-0.17.orig/ftpd/Makefile (-2 / +2 lines)
1	include ../MCONFIG	1	include ../MCONFIG
2		2
3	CFLAGS+=-I../support	3	CFLAGS+=-I../support -DUSE_SSL -g
4	LIBS+=-L../support -lsupport	4	LIBS+=-L../support -lsupport -lssl -lcrypto
5		5
6		6
7	OBJS=ftpd.o ftpcmd.o logutmp.o logwtmp.o popen.o	7	OBJS=ftpd.o ftpcmd.o logutmp.o logwtmp.o popen.o




/* 
 * The modifications to support SSLeay we done by Tim Hudson
 * tjh@mincom.oz.au
 *
 * You can do whatever you like with these patches except pretend that
 * you wrote them. 
 *
 * Email ssl-users-request@mincom.oz.au to get instructions on how to
 * join the mailing list that discusses SSLeay and also these patches.
 *
 */

/*
 * Copyright (c) 1985, 1988, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.

extern	int portcheck;
extern	struct sockaddr_in his_addr;

#ifdef USE_SSL
/*#include "ssl_port.h"*/
typedef struct ssl_st SSL;
int     SSL_write(SSL *ssl,const char *buf,int num);
extern int do_ssl_start(void);
extern int ssl_secure_flag;
extern int ssl_active_flag;
extern SSL *ssl_con;
#define FFLUSH(X)         (ssl_active_flag && (((X)==cin)||((X)==cout)) ? 1 : fflush((X)) )
#define GETC(X)           (ssl_active_flag && (((X)==cin)||((X)==cout)) ? ssl_getc(ssl_con) : getc((X)) )
extern FILE *cin, *cout;
#endif /* USE_SSL */

off_t	restart_point;

static	int cmd_type;

	STAT	HELP	NOOP	MKD	RMD	PWD
	CDUP	STOU	SMNT	SYST	SIZE	MDTM

	UMASK	IDLE	CHMOD   AUTH

	LEXERR



%type	<i> check_login octal_number byte_size
%type	<i> struct_code mode_code type_code form_code
%type	<s> pathstring pathname password username auth_type
%type	<i> host_port

%start	cmd_list

	;

cmd
	: AUTH SP auth_type CRLF
		{
			if (!strncmp((char *) $3,"SSL",3)) {
#ifdef USE_SSL
				reply(334, "AUTH SSL OK.");

				/* now do all the hard work :-) */
				do_ssl_start();

#else /* !USE_SSL */
				reply(504,"AUTH type not supported.");
#endif /* USE_SSL */
			} else {
				reply(504,"AUTH type not supported.");
			}
			if ($3 != NULL)
				free((char *)$3);
		}
	| USER SP username CRLF
		{
#ifdef USE_SSL
			if (ssl_secure_flag && !ssl_active_flag) {
			    reply(504,"SSL is mandatory.");
			    break;
			}
#endif /* USE_SSL */
			user($3);
			free($3);
		}
	| PASS SP password CRLF
		{
#ifdef USE_SSL
			if (ssl_secure_flag && !ssl_active_flag) {
			    reply(504,"SSL is mandatory.");
			    break;
			}
#endif /* USE_SSL */
			pass($3);
			memset($3, 0, strlen($3));
			free($3);

	: STRING
	;

auth_type
	: STRING
	;

password
	: /* empty */
		{

};

struct tab cmdtab[] = {		/* In order defined in RFC 765 */
        { "AUTH", AUTH, STR1, 1,	"<sp> auth_type" },
	{ "USER", USER, STR1, 1,	"<sp> username" },
	{ "PASS", PASS, ZSTR1, 1,	"<sp> password" },
	{ "ACCT", ACCT, STR1, 0,	"(specify account)" },

{
	int c;
	register char *cs;
	char buf[16];

	cs = s;
/* tmpline may contain saved command from urgent mode interruption */

		if (c == 0)
			tmpline[0] = '\0';
	}
	while ((c = GETC(iop)) != EOF) {
		c &= 0377;
		if (c == IAC) {
		    if ((c = GETC(iop)) != EOF) {
			c &= 0377;
			switch (c) {
			case WILL:
			case WONT:
				c = GETC(iop);
				sprintf(buf,"%c%c%c", IAC, DONT, 0377&c);
#ifdef USE_SSL
				if (ssl_active_flag)
					SSL_write(ssl_con,buf,strlen(buf));
				else
#endif /* USE_SSL */
					fwrite(buf,strlen(buf),1,stdout);
				(void) FFLUSH(stdout);
				continue;
			case DO:
			case DONT:
				c = GETC(iop);
				sprintf(buf,"%c%c%c", IAC, WONT, 0377&c);
#ifdef USE_SSL
				if (ssl_active_flag)
					SSL_write(ssl_con,buf,strlen(buf));
				else
#endif /* USE_SSL */
				(void) FFLUSH(stdout);
				continue;
			case IAC:
				break;




/* 
 * The modifications to support SSLeay were done by Tim Hudson
 * tjh@cryptsoft.com
 *
 * You can do whatever you like with these patches except pretend that
 * you wrote them. 
 *
 * Email ssl-users-request@lists.cryptsoft.com to get instructions on how to
 * join the mailing list that discusses SSLeay and also these patches.
 *
 */

/*
 * Copyright (c) 1985, 1988, 1990, 1992, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.

#include "pathnames.h"
#include "extern.h"

#ifdef USE_SSL

#include "sslapp.c"

BIO *bio_err;
SSL *ssl_data_con;
int ssl_auto_login=0;

static char *auth_ssl_name=NULL;
FILE *cin, *cout;

int ssl_data_active_flag=0;

/* for the moment this is a compile time option only --tjh */
int ssl_encrypt_data=1;

char ssl_file_path[1024];    /* don't look at that nasty value to the left */

X509 *ssl_public_cert;
RSA *ssl_private_key;

static char *my_ssl_key_file=NULL;
static char *my_ssl_cert_file=NULL;

#include "ssl_port.h"

int 
ssl_getc(SSL *ssl_con);
static int 
ssl_putc(SSL *ssl_con,int oneint);
static int
ssl_putc_flush(SSL *ssl_con);

#endif /* USE_SSL */

#ifdef __STDC__
#include <stdarg.h>
#else

	socklen_t addrlen;
	char *cp, line[LINE_MAX];
	FILE *fd;
	const char *argstr = "AdDhlMSt:T:u:UvPz:";
	struct hostent *hp;

#ifdef __linux__

			debug = 1;
			break;

#ifdef USE_SSL
                case 'z':
		        if (strcmp(optarg, "debug") == 0 ) {
			    ssl_debug_flag=1;
			}
		        if (strcmp(optarg, "verbose") == 0 ) {
			    ssl_verbose_flag=1;
			}
		        if (strcmp(optarg, "ssl") == 0 ) {
			    ssl_only_flag=1;
			}
		        if (strcmp(optarg, "secure") == 0 ) {
			    ssl_secure_flag=1;
			}
                        if (strcmp(optarg, "certsok") == 0) {
                            ssl_certsok_flag=1;
                        }
		        if (strncmp(optarg, "verify=", strlen("verify=")) == 0 ) {
			    ssl_verify_flag=atoi(optarg+strlen("verify="));

			}
		        if (strncmp(optarg, "cert=", strlen("cert=")) == 0 ) {
			    my_ssl_cert_file=optarg+strlen("cert=");
			}
		        if (strncmp(optarg, "key=", strlen("key=")) == 0 ) {
			    my_ssl_key_file=optarg+strlen("key=");
			}
			/* we have swallowed an extra arg */
			/*argc--;
			argv++;*/
			break;
#endif /* USE_SSL */

		default:
			warnx("unknown flag -%c ignored", optopt);
			break;
		}
	}

#ifdef USE_SSL
        /* make sure we have access to the required certificate
	 * and key files now ... before we perhaps chroot and 
	 * do the other "muck" for anon-ftp style setup ... though
	 * why we want to run SSL for anon I don't know
	 */

        {
	    /* keep the macros that are common between the client
	     * and the server happy 
	     */
	    cin=stdin;
	    cout=stderr;

	    /* do things the "default" way */
	    if (my_ssl_cert_file==NULL) {
		snprintf(ssl_file_path, sizeof(ssl_file_path), "%s/%s", X509_get_default_cert_dir(),
			    "ftpd.pem");
		ssl_cert_file=ssl_file_path;
	    } else {
	    	ssl_cert_file=my_ssl_cert_file;
	    }

	    if (!do_ssleay_init(1)) {
		fprintf(stderr,"ftpd: SSLeay initialisation failed\n");
		fflush(stderr);
		sleep(1);
		exit(1);
	    }

        }
#endif /* USE_SSL */

	(void) freopen(_PATH_DEVNULL, "w", stderr);

	/*

	/* Make sure hostname is fully qualified. */
	hp = gethostbyname(hostname);
	if (hp != NULL)
		strncpy(hostname, hp->h_name, sizeof(hostname));

	if (multihome) {
		hp = gethostbyaddr((char *) &ctrl_addr.sin_addr,
		    sizeof (struct in_addr), AF_INET);
		if (hp != NULL) {
			strncpy(dhostname, hp->h_name, sizeof(dhostname));
		} else {
			/* Default. */
			strncpy(dhostname, inet_ntoa(ctrl_addr.sin_addr), sizeof(dhostname));
		}
	}


static int askpasswd;		/* had user command, ask for passwd */
static char curname[16];	/* current USER name */

int
good_ssl_user(char *name);

/*
 * USER command.
 * Sets global passwd pointer pw if named account exists and is acceptable;

		strncpy(curname, name, sizeof(curname)-1);
		curname[sizeof(curname)-1] = '\0';
	}
#ifdef USE_SSL
        if (pw && good_ssl_user(name)) {
                reply(331, "Send dummy password to login.");
                ssl_auto_login = 1;
        } else
#endif
#ifdef SKEY
	if (!skey_haskey(name)) {
		char *myskey, *skey_keyinfo __P((char *name));

		return;
	}
	askpasswd = 0;
	if (!guest
#ifdef USE_SSL
             && !ssl_auto_login
#endif
	   ) {		/* "ftp" is only account allowed no password */
		if (pw == NULL) {
			useconds_t us;


		  (restart_point == 0 && cmd == 0 && S_ISREG(st.st_mode)));
	if ((cmd == 0) && stats)
		logxfer(name, st.st_size, start);

#ifdef USE_SSL
	if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
	    SSL_free(ssl_data_con);
	    ssl_data_active_flag=0;
	    ssl_data_con=NULL;
	}
#endif /* USE_SSL */

	(void) fclose(dout);
	data = -1;
	pdata = -1;

		(void) setsockopt(s, IPPROTO_IP, IP_TOS, (char *)&tos,
		    sizeof(int));
#endif
#ifdef USE_SSL
		/* time to negotiate SSL on the data connection ...
		 * do this via SSL_accept (as we are still the server
		 * even though things are started around the other way)
		 * 
		 * note: we really *must* make sure the session stuff
		 *       is copied correctly as we cannot afford a full
		 *       SSL negotiation for each data socket!
		 */
		/* TODO XXXX fill in the blanks :-)
		 */
		ssl_data_active_flag=0;
		if (ssl_active_flag && ssl_encrypt_data) {
		    /* do SSL */

		    reply(150, "Opening %s mode SSL data connection for %s%s.",
			 type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);

		    if (ssl_data_con!=NULL) {
		      SSL_free(ssl_data_con);
		      ssl_data_con=NULL;
		    }
		    ssl_data_con=(SSL *)SSL_new(ssl_ctx);

		    /* copy session details ... */
		    SSL_copy_session_id(ssl_data_con,ssl_con);

		    /* for 0.5.2 - want to change the timeout value etc ... */

		    SSL_set_fd(ssl_data_con,pdata);
		    SSL_set_verify(ssl_data_con,ssl_verify_flag,NULL);

		    /* if is "safe" to read ahead */
		    /* SSL_set_read_ahead(ssl_data_con,1); */

		    if (ssl_debug_flag)
			BIO_printf(bio_err,"===>START SSL_accept on DATA\n");

		    if (SSL_accept(ssl_data_con)<=0) {
			static char errbuf[1024];

			snprintf(errbuf, sizeof(errstr), "ftpd: SSL_accept DATA error %s\n",
				    ERR_error_string(ERR_get_error(),NULL));
			perror_reply(425, errbuf);
			/* abort time methinks ... */
			fclose(file);
			return NULL;
		    } else {
			if (ssl_debug_flag) {
			    BIO_printf(bio_err,"[SSL DATA Cipher %s]\n",
					    SSL_get_cipher(ssl_con));
			}
			ssl_data_active_flag=1;
		    }

		    if (ssl_debug_flag)
			BIO_printf(bio_err,"===>DONE SSL_accept on DATA\n");

		} else {
		    reply(150, "Opening %s mode data connection for %s%s.",
			 type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
		}
#else /* !USE_SSL */
		reply(150, "Opening %s mode data connection for '%s'%s.",
		     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
#endif /* USE_SSL */
		return (fdopen(pdata, mode));
	}
	if (data >= 0) {

		data = -1;
		return (NULL);
	}
#ifdef USE_SSL
        /* time to negotiate SSL on the data connection ...
	 * do this via SSL_accept (as we are still the server
	 * even though things are started around the other way)
	 * 
	 * note: we really *must* make sure the session stuff
	 *       is copied correctly as we cannot afford a full
	 *       SSL negotiation for each data socket!
	 */
	/* TODO XXXX fill in the blanks :-)
	 */
	ssl_data_active_flag=0;
	if (ssl_active_flag && ssl_encrypt_data) {
	    /* do SSL */

	    reply(150, "Opening %s mode SSL data connection for %s%s.",
		 type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);

	    if (ssl_data_con!=NULL) {
	      SSL_free(ssl_data_con);
	      ssl_data_con=NULL;
	    }
	    ssl_data_con=(SSL *)SSL_new(ssl_ctx);

            /* copy session details ... */
	    SSL_copy_session_id(ssl_data_con,ssl_con);

	    /* for 0.5.2 - want to change the timeout value etc ... */

	    SSL_set_fd(ssl_data_con,data);
	    SSL_set_verify(ssl_data_con,ssl_verify_flag,NULL);

	    /* if is "safe" to read ahead */
            /* SSL_set_read_ahead(ssl_data_con,1); */

	    if (ssl_debug_flag)
		BIO_printf(bio_err,"===>START SSL_accept on DATA\n");

	    if (SSL_accept(ssl_data_con)<=0) {
                static char errbuf[1024];

	        snprintf(errbuf, sizeof(errstr), "ftpd: SSL_accept DATA error %s\n",
			    ERR_error_string(ERR_get_error(),NULL));
		perror_reply(425, errbuf);
		/* abort time methinks ... */
		fclose(file);
		return NULL;
	    } else {
		if (ssl_debug_flag)
		    BIO_printf(bio_err,"[SSL DATA Cipher %s]\n",
			            SSL_get_cipher(ssl_con));
		ssl_data_active_flag=1;
	    }

	    if (ssl_debug_flag) 
		BIO_printf(bio_err,"===>DONE SSL_accept on DATA\n");

	} else {
	    reply(150, "Opening %s mode data connection for %s%s.",
		 type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
	}
#else /* !USE_SSL */
	reply(150, "Opening %s mode data connection for '%s'%s.",
	     type == TYPE_A ? "ASCII" : "BINARY", name, sizebuf);
#endif /* USE_SSL */
	return (file);
}


			if (c == '\n') {
				if (ferror(outstr))
					goto data_err;
				(void) DATAPUTC('\r', outstr);
			}
			(void) DATAPUTC(c, outstr);
		}
		DATAFLUSH(outstr);
		transflag = 0;
		if (ferror(instr))
			goto file_err;

		netfd = fileno(outstr);
		filefd = fileno(instr);

		if (
#ifdef USE_SSL
		    !ssl_data_active_flag &&
#endif /* USE_SSL */
		    isreg && filesize < (off_t)16 * 1024 * 1024) {
			buf = mmap(0, filesize, PROT_READ, MAP_SHARED, filefd,
				   (off_t)0);
			if (buf==MAP_FAILED || buf==NULL) {

		/* failure is harmless */ 
		}
#endif	
#ifdef USE_SSL
                if (ssl_data_active_flag) {
		    while ((cnt = read(filefd, buf, (u_int)blksize)) > 0 &&
			SSL_write(ssl_data_con, buf, cnt) == cnt)
			    byte_count += cnt;
		} else
#endif /* USE_SSL */
		while ((cnt = read(filefd, buf, size)) > 0 &&
		    write(netfd, buf, cnt) == cnt)
			byte_count += cnt;

	case TYPE_L:
		signal (SIGALRM, lostconn);

#ifdef USE_SSL
                if (ssl_data_active_flag) {
		    while ((cnt = SSL_read(ssl_data_con,buf,sizeof buf)) > 0) {
			    if (write(fileno(outstr), buf, cnt) != cnt)
				    goto file_err;
			    byte_count += cnt;
		    }
		} else 
#endif /* !USE_SSL */
                {
		do {
			(void) alarm ((unsigned) timeout);
			cnt = read(fileno(instr), buf, sizeof(buf));

				byte_count += cnt;
			}
		} while (cnt > 0);
		}
		if (cnt < 0)
			goto data_err;
		transflag = 0;

		return (-1);

	case TYPE_A:
		while ((c = DATAGETC(instr)) != EOF) {
			byte_count++;
			if (c == '\n')
				bare_lfs++;
			while (c == '\r') {
				if (ferror(outstr))
					goto data_err;
				if ((c = DATAGETC(instr)) != '\n') {
					(void) putc ('\r', outstr);
					if (c == '\0' || c == EOF)
						goto contin2;

reply(int n, char *fmt, va_dcl va_alist)
#endif
{
#ifdef USE_SSL
        char outputbuf[2048];        /* allow for a 2k command string */
#endif /* USE_SSL */
	va_list ap;
#ifdef __STDC__
	va_start(ap, fmt);
#else
	va_start(ap);
#endif
#ifdef USE_SSL
        /* assemble the output into a buffer, checking for length*/
	sprintf(outputbuf,"%d ",n);
	vsnprintf(outputbuf+strlen(outputbuf),sizeof(outputbuf)-(strlen(outputbuf) + 3), fmt, ap);
	strcat(outputbuf,"\r\n");

	if (ssl_debug_flag)
	    BIO_printf(bio_err,"\n<--- %s",outputbuf);

	if (ssl_active_flag) {
	    SSL_write(ssl_con,outputbuf,strlen(outputbuf));
        } else {
	    fprintf(stdout,"%s",outputbuf);
	    fflush(stdout);
	}
	if (debug)
	    syslog(LOG_DEBUG, "<--- %s ", outputbuf);
#else /* !USE_SSL */
	(void)printf("%d ", n);
	(void)vprintf(fmt, ap);
	(void)printf("\r\n");

		syslog(LOG_DEBUG, "<--- %d ", n);
		vsyslog(LOG_DEBUG, fmt, ap);
	}
#endif /* USE_SSL */
	va_end(ap);
}

void

	va_dcl
#endif
{
#ifdef USE_SSL
        char outputbuf[2048];        /* allow for a 2k command string */
#endif /* USE_SSL */
	va_list ap;
#ifdef __STDC__
	va_start(ap, fmt);
#else
	va_start(ap);
#endif

#ifdef USE_SSL
        /* assemble the output into a buffer */
	sprintf(outputbuf,"%d- ",n);
	vsnprintf(outputbuf+strlen(outputbuf), sizeof(outputbuf)-(strlen(outputbuf) + 3) fmt, ap);
	strcat(outputbuf,"\r\n");

	if (ssl_debug_flag) 
	    BIO_printf(bio_err,"\n<--- %s",outputbuf);

	if (ssl_active_flag) {
	    SSL_write(ssl_con,outputbuf,strlen(outputbuf));
        } else {
	    fprintf(stdout,"%s",outputbuf);
	    fflush(stdout);
	}
	if (debug)
	    syslog(LOG_DEBUG, "<--- %s ", outputbuf);
#else /* !USE_SSL */
	(void)printf("%d- ", n);
	(void)vprintf(fmt, ap);
	(void)printf("\r\n");

		syslog(LOG_DEBUG, "<--- %d- ", n);
		vsyslog(LOG_DEBUG, fmt, ap);
	}
#endif /* USE_SSL */
	va_end(ap);
}

static void ack(const char *s)

	volatile int simple = 0;
	volatile int freeglob = 0;
	glob_t gl;
	char buf[1024];

	/* XXX: should the { go away if __linux__? */
	if (strpbrk(whichf, "~{[*?") != NULL) {

					goto out;
				transflag++;
			}
			snprintf(buf, sizeof(buf), "%s%s\n", dirname,
				type == TYPE_A ? "\r" : "");
#ifdef USE_SSL
			if (ssl_active_flag)
				SSL_write(ssl_data_con,buf,strlen(buf));
		    	else
#endif /* USE_SSL */
				fwrite(buf,strlen(buf),1,dout);
			byte_count += strlen(dirname) + 1;
			continue;
		} else if (!S_ISDIR(st.st_mode))

					transflag++;
				}
				if (nbuf[0] == '.' && nbuf[1] == '/')
				        sprintf(buf, "%s%s\n", &nbuf[2],
						type == TYPE_A ? "\r" : "");
				else
				        sprintf(buf, "%s%s\n", nbuf,
						type == TYPE_A ? "\r" : "");
#ifdef USE_SSL
				if (ssl_active_flag)
				  SSL_write(ssl_data_con,buf,strlen(buf));
				else
#endif /* USE_SSL */
				  fwrite(buf,strlen(buf),1,dout);
				byte_count += strlen(nbuf) + 1;
			}
		}


	transflag = 0;
	if (dout != NULL)
#ifdef USE_SSL
                if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
		    SSL_free(ssl_data_con);
		    ssl_data_active_flag=0;
		    ssl_data_con=NULL;
		}
#endif /* USE_SSL */
		(void) fclose(dout);
	data = -1;
	pdata = -1;

}
#endif	/* TCPWRAPPERS */

#ifdef USE_SSL

static 
int
verify_callback(int ok,
		X509_STORE_CTX *ctx);

int
do_ssl_start(void)
{
    static char errstr[1024];

    if (ssl_debug_flag)
	BIO_printf(bio_err,"do_ssl_start triggered\n");

    /* do the SSL stuff now ... before we play with pty's */
    ssl_con=(SSL *)SSL_new(ssl_ctx);

    /* we are working with stdin (inetd based) by default */
    SSL_set_fd(ssl_con,0);

#if 0
    if (SSL_use_RSAPrivateKey(ssl_con,ssl_private_key)==0) {
        snprintf(errstr, sizeof(errstr), "ftpd: SSL_use_RSAPrivateKey %s",ERR_error_string(ERR_get_error(),NULL));
	perror_reply(421, errstr);
	dologout(1);
    }

    if (SSL_use_certificate(ssl_con,ssl_public_cert)==0) {
        snprintf(errstr, sizeof(errstr), "ftpd: SSL_use_certificate %s",ERR_error_string(ERR_get_error(),NULL));
	perror_reply(421, errstr);
	dologout(1);
    }
#endif

    SSL_set_verify(ssl_con,ssl_verify_flag,
	    ssl_certsok_flag ? verify_callback : NULL);

    if (SSL_accept(ssl_con)<=0) {
	snprintf(errstr, sizeof(errstr), "ftpd: SSL_accept %s",ERR_error_string(ERR_get_error(),NULL));

	perror_reply(421, errstr);
	dologout(1);

	SSL_free(ssl_con);
	ssl_con=NULL;

	/* we will probably want to know this sort of stuff ...
	 * at least for the moment I'd like to keep track of
	 * who is using SSL - later I will probably make this
	 * just a debug option and only log after the user has
	 * actually connected --tjh
	 */
	if (logging)
	    syslog(LOG_NOTICE, "SSL FAILED WITH %s", remotehost);

    } else {
	ssl_active_flag=1;

	if (logging) {
            if (auth_ssl_name)
                syslog(LOG_NOTICE, "SSL SUCCEEDED WITH %s as %s", remotehost,
                    auth_ssl_name);
            else
                syslog(LOG_NOTICE, "SSL SUCCEEDED WITH %s", remotehost);
	}
    }

    /* ssl_fprintf calls require that this be null to test
     * for being an ssl stream
     */
    if (!ssl_active_flag) {
	if (ssl_con!=NULL)
	  SSL_free(ssl_con);
	ssl_con=NULL;
    }

    return 0;

}

/* we really shouldn't have code like this! --tjh */
int 
ssl_getc(SSL *ssl_con)
{
    char onebyte;

    if (SSL_read(ssl_con,&onebyte,1)!=1)
      return -1;
    else {
	if (ssl_debug_flag)
	    BIO_printf(bio_err,"ssl_getc: SSL_read %d (%c) ",onebyte & 0xff,isprint(onebyte)?onebyte:'.');
	return onebyte & 0xff;
    }
}


/* got back to this an implemented some rather "simple" buffering */
static char putc_buf[BUFSIZ];
static int putc_buf_pos=0;

static int
ssl_putc_flush(SSL *ssl_con)
{
    if (putc_buf_pos>0) {
	if (SSL_write(ssl_con,putc_buf,putc_buf_pos)!=putc_buf_pos) {
	    if (ssl_debug_flag) 
		BIO_printf(bio_err,"ssl_putc_flush: WRITE FAILED\n");
	    putc_buf_pos=0;
	    return -1;
	}
    }
    putc_buf_pos=0;
    return 0;
}

static int 
ssl_putc(SSL *ssl_con,int oneint)
{
    char onebyte;

    onebyte = oneint & 0xff;

    /* make sure there is space */
    if (putc_buf_pos>=BUFSIZ) 
	if (ssl_putc_flush(ssl_con)!=0)
	  return EOF;
    putc_buf[putc_buf_pos++]=onebyte;

    return onebyte;
}

static 
int
verify_callback(int ok,
		X509_STORE_CTX *ctx)
{
    int depth,error;
    X509 *xs;

    depth=ctx->error_depth;
    error=ctx->error;
    xs=X509_STORE_CTX_get_current_cert(ctx);

    /*
     * If the verification fails, then don't remember the name.  However,
     * if we don't require a certificate, then return success which will
     * still allow us to set up an encrypted session.
     *
     */
    if (!ok) {
	/* If we can't verify the issuer, then don't accept the name. */
    if (depth != 0 && auth_ssl_name) {
		free(auth_ssl_name);
 		auth_ssl_name = 0;
 	}
 	ok=ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT ? 0 : 1;
	goto done;
     }
     if (depth == 0)
 	auth_ssl_name =
 	    (char *)ONELINE_NAME(X509_get_subject_name(xs));
done: ;

     if (ssl_debug_flag)
     	BIO_printf(bio_err,"verify_callback: returning %d\n",ok);

     return ok;
}

/* return true if this auth_ssl_name is authorized to use name. */
int
good_ssl_user(char *name)
{
   FILE *user_fp;
   char buf[2048];

   if (!auth_ssl_name)
      return 0;
   if (!ssl_certsok_flag)
      return 0;	/* can't happen */
   user_fp = fopen("/etc/ssl.users", "r");
   if (!user_fp)
      return 0;
   while (fgets(buf, sizeof buf, user_fp)) {
      char *cp;
      char *n;

      /* allow for comments in the file ... always nice
       * to be able to add a little novel in files and
       * also disable easily --tjh
       */
      if (buf[0]=='#')
	  continue;

      if ((cp = strchr(buf, '\n')))
	  *cp = '\0';
      cp = strchr(buf, ':');
      if (!cp)
	  continue;
      *cp++ = '\0';
      if (strcasecmp(cp, auth_ssl_name) == 0) {
	  n = buf;
	  while (n) {
	      cp = strchr(n, ',');
	      if (cp)
		  *cp++ = '\0';
	      if (!strcmp(name, n)) {
		  fclose(user_fp);
		  return 1;
	      }
	      n = cp;
	  }
      }
   }
   fclose(user_fp);
   return 0;
}

#endif /* USE_SSL */




/* ssl_port.h    - standard porting things 
 *
 * The modifications to support SSLeay were done by Tim Hudson
 * tjh@mincom.oz.au
 *
 * You can do whatever you like with these patches except pretend that
 * you wrote them. 
 *
 * Email ssl-users-request@mincom.oz.au to get instructions on how to
 * join the mailing list that discusses SSLeay and also these patches.
 *
 */

#ifndef HEADER_SSL_PORT_H
#define HEADER_SSL_PORT_H

#ifdef USE_SSL

#include <stdio.h>

#define OLDPROTO NOPROTO
#define NOPROTO
#include <openssl/buffer.h>
#undef NOPROTO
#define NOPROTO OLDPROTO

#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

extern SSL *ssl_con;
extern SSL_CTX *ssl_ctx;
extern int ssl_debug_flag;
extern int ssl_only_flag;
extern int ssl_active_flag;
extern int ssl_verify_flag;
extern int ssl_secure_flag;
extern int ssl_enabled;

extern int ssl_encrypt_data;
extern SSL *ssl_data_con;
extern int ssl_data_active_flag;

extern char *my_ssl_cert_file;
extern char *my_ssl_key_file;
extern int ssl_certsok_flag;

extern int set_ssl_trace(SSL *s);

extern FILE *cin, *cout;

#define is_ssl_fd(X,Y)    ( (SSL_get_fd((X))==0) || \
                            (SSL_get_fd((X))==1) || \
                            (SSL_get_fd((X))==pdata) || \
			    (SSL_get_fd((X))==(Y)) \
			  )

#define is_ssl_fp(X,Y)    ( ( (SSL_get_fd((X))==0) && (fileno((Y))==0) ) || \
                            ( (SSL_get_fd((X))==1) && (fileno((Y))==1) ) || \
                            ( (SSL_get_fd((X))==pdata) && \
			    			  (fileno((Y))==pdata) ) || \
			    (SSL_get_fd((X))==fileno(Y)) \
			  )

/* these macros make things much easier to handle ... */

#define FFLUSH(X)         (ssl_active_flag && (((X)==cin)||((X)==cout)) ? 1 : fflush((X)) )

#define GETC(X)           (ssl_active_flag && (((X)==cin)||((X)==cout)) ? ssl_getc(ssl_con) : getc((X)) )

#define DATAGETC(X)       (ssl_data_active_flag && ((fileno(X)==data)||(fileno(X)==pdata)) ? ssl_getc(ssl_data_con) : getc((X)) )
#define DATAPUTC(X,Y)     (ssl_data_active_flag && ((fileno(Y)==data)||(fileno(Y)==pdata)) ? ssl_putc(ssl_data_con,(X)) : putc((X),(Y)) )
#define DATAFLUSH(X)      (ssl_data_active_flag && ((fileno(X)==data)||(fileno(X)==pdata)) ? ssl_putc_flush(ssl_data_con) : fflush((X)) )

#else

#define GETC(X)           getc((X))
#define DATAGETC(X)       getc((X))
#define DATAPUTC(X,Y)     putc((X),(Y))
#define DATAFLUSH(X)      fflush((X))
#define FFLUSH(X)         fflush((X))

#endif /* USE_SSL */

#endif /*  HEADER_SSL_PORT_H */




/* sslapp.c	- ssl application code */

/*
 * The modifications to support SSLeay were done by Tim Hudson
 * tjh@cryptsoft.com
 *
 * You can do whatever you like with these patches except pretend that
 * you wrote them.
 *
 * Email ssl-users-request@lists.cryptsoft.com to get instructions on how to
 * join the mailing list that discusses SSLeay and also these patches.
 *
 */

#ifdef USE_SSL

#include "sslapp.h"

SSL_CTX *ssl_ctx;
SSL *ssl_con;
int ssl_debug_flag=0;
int ssl_only_flag=0;
int ssl_active_flag=0;
int ssl_verify_flag=SSL_VERIFY_NONE;
int ssl_secure_flag=0;
int ssl_certsok_flag=0;
int ssl_cert_required=0;
int ssl_verbose_flag=0;
int ssl_disabled_flag=0;
char *ssl_cert_file=NULL;
char *ssl_key_file=NULL;
char *ssl_cipher_list=NULL;
char *ssl_log_file=NULL;

/* fwd decl */
static void
client_info_callback(SSL *s, int where, int ret);

int 
do_ssleay_init(int server)
{
  char *p;

  /* make sure we have somewhere we can log errors to */
  if (bio_err==NULL) {
    if ((bio_err=BIO_new(BIO_s_file()))!=NULL) {
      if (ssl_log_file==NULL)
	BIO_set_fp(bio_err,stderr,BIO_NOCLOSE);
      else {
	if (BIO_write_filename(bio_err,ssl_log_file)<=0) {
	  /* not a lot we can do */
	}
      }
    }
  }

  /* rather simple things these days ... the old SSL_LOG and SSL_ERR
   * vars are long gone now SSLeay8 has rolled around and we have 
   * a clean interface for doing things
   */
  if (ssl_debug_flag)
    BIO_printf(bio_err,"SSL_DEBUG_FLAG on\r\n");


  /* init things so we will get meaningful error messages
   * rather than numbers 
   */
  SSL_load_error_strings();

  SSLeay_add_ssl_algorithms();
  ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_method());

  /* we may require a temp 512 bit RSA key because of the
   * wonderful way export things work ... if so we generate
   * one now!
   */
  if (server) {
    if (SSL_CTX_need_tmp_RSA(ssl_ctx)) {
      RSA *rsa;

      if (ssl_debug_flag)
	  BIO_printf(bio_err,"Generating temp (512 bit) RSA key ...\r\n");
      rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
      if (ssl_debug_flag)
	  BIO_printf(bio_err,"Generation of temp (512 bit) RSA key done\r\n");
   
      if (!SSL_CTX_set_tmp_rsa(ssl_ctx,rsa)) {
	BIO_printf(bio_err,"Failed to assign generated temp RSA key!\r\n");
      }
      RSA_free(rsa);
      if (ssl_debug_flag)
	  BIO_printf(bio_err,"Assigned temp (512 bit) RSA key\r\n");
    }
  }

  /* also switch on all the interoperability and bug
   * workarounds so that we will communicate with people
   * that cannot read poorly written specs :-)
   */
  SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL);

  /* the user can set whatever ciphers they want to use */
  if (ssl_cipher_list==NULL) {
      p=getenv("SSL_CIPHER");
      if (p!=NULL)
        SSL_CTX_set_cipher_list(ssl_ctx,p);
  } else
      SSL_CTX_set_cipher_list(ssl_ctx,ssl_cipher_list);

  /* for verbose we use the 0.6.x info callback that I got
   * eric to finally add into the code :-) --tjh
   */
  if (ssl_verbose_flag) {
      SSL_CTX_set_info_callback(ssl_ctx,client_info_callback);
  }

  /* Add in any certificates if you want to here ... */
  if (ssl_cert_file) {
      if (!SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_file, 
		      X509_FILETYPE_PEM)) {
	  BIO_printf(bio_err,"Error loading %s: ",ssl_cert_file);
	  ERR_print_errors(bio_err);
	  BIO_printf(bio_err,"\r\n");
	  return(0);
      } else {
	  if (!ssl_key_file)
	      ssl_key_file = ssl_cert_file;
	  if (!SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, ssl_key_file,
		      X509_FILETYPE_PEM)) {
	      BIO_printf(bio_err,"Error loading %s: ",ssl_key_file);
	      ERR_print_errors(bio_err);
	      BIO_printf(bio_err,"\r\n");
	      return(0);
	  }
      }
  }

  /* make sure we will find certificates in the standard
   * location ... otherwise we don't look anywhere for
   * these things which is going to make client certificate
   * exchange rather useless :-)
   */
  SSL_CTX_set_default_verify_paths(ssl_ctx);

  /* now create a connection */
  ssl_con=(SSL *)SSL_new(ssl_ctx);
  SSL_set_verify(ssl_con,ssl_verify_flag,NULL);

  return(1);
}


static void
client_info_callback(SSL *s, int where, int ret)
{
  if (where==SSL_CB_CONNECT_LOOP) {
    BIO_printf(bio_err,"SSL_connect:%s %s\r\n",
		    SSL_state_string(s),SSL_state_string_long(s));
  } else if (where==SSL_CB_CONNECT_EXIT) {
    if (ret == 0) {
      BIO_printf(bio_err,"SSL_connect:failed in %s %s\r\n",
	      SSL_state_string(s),SSL_state_string_long(s));
    } else if (ret < 0) {
      BIO_printf(bio_err,"SSL_connect:error in %s %s\r\n",
	      SSL_state_string(s),SSL_state_string_long(s));
    }
  }
}


#else /* !USE_SSL */

/* something here to stop warnings if we build without SSL support */
static int dummy_func()
{
  int i;

  i++;
}

#endif /* USE_SSL */





/* sslapp.h	- ssl application code */

/*
 * The modifications to support SSLeay were done by Tim Hudson
 * tjh@cryptsoft.com
 *
 * You can do whatever you like with these patches except pretend that
 * you wrote them.
 *
 * Email ssl-users-request@mincom.oz.au to get instructions on how to
 * join the mailing list that discusses SSLeay and also these patches.
 *
 */

#ifdef USE_SSL

#include <stdio.h>

#include <openssl/crypto.h>

#define SSL_set_pref_cipher(c,n)        SSL_set_cipher_list(c,n)
#define ONELINE_NAME(X) X509_NAME_oneline(X,NULL,0)
  
#define OLDPROTO NOPROTO
#define NOPROTO
#include <openssl/bio.h>
#undef NOPROTO
#define NOPROTO OLDPROTO
#undef OLDPROTO
#include <openssl/buffer.h>

#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

extern BIO *bio_err;
extern SSL *ssl_con;
extern SSL_CTX *ssl_ctx;
extern int ssl_debug_flag;
extern int ssl_only_flag;
extern int ssl_active_flag;
extern int ssl_verify_flag;
extern int ssl_secure_flag;
extern int ssl_verbose_flag;
extern int ssl_disabled_flag;
extern int ssl_cert_required;
extern int ssl_certsok_flag;

extern char *ssl_log_file; 
extern char *ssl_cert_file; 
extern char *ssl_key_file;
extern char *ssl_cipher_list;

/* we hide all the initialisation code in a separate file now */
extern int do_ssleay_init(int server);

/*extern int display_connect_details();
extern int server_verify_callback();
extern int client_verify_callback();*/

#endif /* USE_SSL */



Return to bug 111573

Lines 1-3 Link Here

(-)linux-ftpd-0.17.orig/ftpd/ftpcmd.y (-11 / +83 lines)
		1	/*
		2	* The modifications to support SSLeay we done by Tim Hudson
		3	* tjh@mincom.oz.au
		4	*
		5	* You can do whatever you like with these patches except pretend that
		6	* you wrote them.
		7	*
		8	* Email ssl-users-request@mincom.oz.au to get instructions on how to
		9	* join the mailing list that discusses SSLeay and also these patches.
		10	*
		11	*/
		12
1	/*	13	/*
2	* Copyright (c) 1985, 1988, 1993, 1994	14	* Copyright (c) 1985, 1988, 1993, 1994
3	* The Regents of the University of California. All rights reserved.	15	* The Regents of the University of California. All rights reserved.
Lines 92-97 extern char tmpline[]; Link Here
92	extern int portcheck;	104	extern int portcheck;
93	extern struct sockaddr_in his_addr;	105	extern struct sockaddr_in his_addr;
94		106
		107	#ifdef USE_SSL
		108	/#include "ssl_port.h"/
		109	typedef struct ssl_st SSL;
		110	int SSL_write(SSL ssl,const char buf,int num);
		111	extern int do_ssl_start(void);
		112	extern int ssl_secure_flag;
		113	extern int ssl_active_flag;
		114	extern SSL *ssl_con;
		115	#define FFLUSH(X) (ssl_active_flag && (((X)==cin)\|\|((X)==cout)) ? 1 : fflush((X)) )
		116	#define GETC(X) (ssl_active_flag && (((X)==cin)\|\|((X)==cout)) ? ssl_getc(ssl_con) : getc((X)) )
		117	extern FILE cin, cout;
		118	#endif /* USE_SSL */
		119
95	off_t restart_point;	120	off_t restart_point;
96		121
97	static int cmd_type;	122	static int cmd_type;
Lines 129-135 extern struct tab sitetab[]; Link Here
129	STAT HELP NOOP MKD RMD PWD	154	STAT HELP NOOP MKD RMD PWD
130	CDUP STOU SMNT SYST SIZE MDTM	155	CDUP STOU SMNT SYST SIZE MDTM
131		156
132	UMASK IDLE CHMOD	157	UMASK IDLE CHMOD AUTH
133		158
134	LEXERR	159	LEXERR
135		160
Lines 138-144 extern struct tab sitetab[]; Link Here
138		163
139	%type <i> check_login octal_number byte_size	164	%type <i> check_login octal_number byte_size
140	%type <i> struct_code mode_code type_code form_code	165	%type <i> struct_code mode_code type_code form_code
141	%type <s> pathstring pathname password username	166	%type <s> pathstring pathname password username auth_type
142	%type <i> host_port	167	%type <i> host_port
143		168
144	%start cmd_list	169	%start cmd_list
Lines 156-168 cmd_list Link Here
156	;	181	;
157		182
158	cmd	183	cmd
159	: USER SP username CRLF	184	: AUTH SP auth_type CRLF
		185	{
		186	if (!strncmp((char *) $3,"SSL",3)) {
		187	#ifdef USE_SSL
		188	reply(334, "AUTH SSL OK.");
		189
		190	/* now do all the hard work :-) */
		191	do_ssl_start();
		192
		193	#else /* !USE_SSL */
		194	reply(504,"AUTH type not supported.");
		195	#endif /* USE_SSL */
		196	} else {
		197	reply(504,"AUTH type not supported.");
		198	}
		199	if ($3 != NULL)
		200	free((char *)$3);
		201	}
		202	\| USER SP username CRLF
160	{	203	{
		204	#ifdef USE_SSL
		205	if (ssl_secure_flag && !ssl_active_flag) {
		206	reply(504,"SSL is mandatory.");
		207	break;
		208	}
		209	#endif /* USE_SSL */
161	user($3);	210	user($3);
162	free($3);	211	free($3);
163	}	212	}
164	\| PASS SP password CRLF	213	\| PASS SP password CRLF
165	{	214	{
		215	#ifdef USE_SSL
		216	if (ssl_secure_flag && !ssl_active_flag) {
		217	reply(504,"SSL is mandatory.");
		218	break;
		219	}
		220	#endif /* USE_SSL */
166	pass($3);	221	pass($3);
167	memset($3, 0, strlen($3));	222	memset($3, 0, strlen($3));
168	free($3);	223	free($3);
Lines 607-612 username Link Here
607	: STRING	662	: STRING
608	;	663	;
609		664
		665	auth_type
		666	: STRING
		667	;
		668
610	password	669	password
611	: /* empty */	670	: /* empty */
612	{	671	{
Lines 841-846 struct tab { Link Here
841	};	900	};
842		901
843	struct tab cmdtab[] = { /* In order defined in RFC 765 */	902	struct tab cmdtab[] = { /* In order defined in RFC 765 */
		903	{ "AUTH", AUTH, STR1, 1, "<sp> auth_type" },
844	{ "USER", USER, STR1, 1, "<sp> username" },	904	{ "USER", USER, STR1, 1, "<sp> username" },
845	{ "PASS", PASS, ZSTR1, 1, "<sp> password" },	905	{ "PASS", PASS, ZSTR1, 1, "<sp> password" },
846	{ "ACCT", ACCT, STR1, 0, "(specify account)" },	906	{ "ACCT", ACCT, STR1, 0, "(specify account)" },
Lines 923-928 char * ftpd_getline(char *s, int n, FILE Link Here
923	{	983	{
924	int c;	984	int c;
925	register char *cs;	985	register char *cs;
		986	char buf[16];
926		987
927	cs = s;	988	cs = s;
928	/* tmpline may contain saved command from urgent mode interruption */	989	/* tmpline may contain saved command from urgent mode interruption */
Lines 938-960 char * ftpd_getline(char *s, int n, FILE Link Here
938	if (c == 0)	999	if (c == 0)
939	tmpline[0] = '\0';	1000	tmpline[0] = '\0';
940	}	1001	}
941	while ((c = getc(iop)) != EOF) {	1002	while ((c = GETC(iop)) != EOF) {
942	c &= 0377;	1003	c &= 0377;
943	if (c == IAC) {	1004	if (c == IAC) {
944	if ((c = getc(iop)) != EOF) {	1005	if ((c = GETC(iop)) != EOF) {
945	c &= 0377;	1006	c &= 0377;
946	switch (c) {	1007	switch (c) {
947	case WILL:	1008	case WILL:
948	case WONT:	1009	case WONT:
949	c = getc(iop);	1010	c = GETC(iop);
950	printf("%c%c%c", IAC, DONT, 0377&c);	1011	sprintf(buf,"%c%c%c", IAC, DONT, 0377&c);
951	(void) fflush(stdout);	1012	#ifdef USE_SSL
		1013	if (ssl_active_flag)
		1014	SSL_write(ssl_con,buf,strlen(buf));
		1015	else
		1016	#endif /* USE_SSL */
		1017	fwrite(buf,strlen(buf),1,stdout);
		1018	(void) FFLUSH(stdout);
952	continue;	1019	continue;
953	case DO:	1020	case DO:
954	case DONT:	1021	case DONT:
955	c = getc(iop);	1022	c = GETC(iop);
956	printf("%c%c%c", IAC, WONT, 0377&c);	1023	sprintf(buf,"%c%c%c", IAC, WONT, 0377&c);
957	(void) fflush(stdout);	1024	#ifdef USE_SSL
		1025	if (ssl_active_flag)
		1026	SSL_write(ssl_con,buf,strlen(buf));
		1027	else
		1028	#endif /* USE_SSL */
		1029	(void) FFLUSH(stdout);
958	continue;	1030	continue;
959	case IAC:	1031	case IAC:
960	break;	1032	break;

Line 0 Link Here

(-)linux-ftpd-0.17.orig/ftpd/ssl_port.h (+85 lines)
		1	/* ssl_port.h - standard porting things
		2	*
		3	* The modifications to support SSLeay were done by Tim Hudson
		4	* tjh@mincom.oz.au
		5	*
		6	* You can do whatever you like with these patches except pretend that
		7	* you wrote them.
		8	*
		9	* Email ssl-users-request@mincom.oz.au to get instructions on how to
		10	* join the mailing list that discusses SSLeay and also these patches.
		11	*
		12	*/
		13
		14	#ifndef HEADER_SSL_PORT_H
		15	#define HEADER_SSL_PORT_H
		16
		17	#ifdef USE_SSL
		18
		19	#include <stdio.h>
		20
		21	#define OLDPROTO NOPROTO
		22	#define NOPROTO
		23	#include <openssl/buffer.h>
		24	#undef NOPROTO
		25	#define NOPROTO OLDPROTO
		26
		27	#include <openssl/x509.h>
		28	#include <openssl/ssl.h>
		29	#include <openssl/err.h>
		30
		31	extern SSL *ssl_con;
		32	extern SSL_CTX *ssl_ctx;
		33	extern int ssl_debug_flag;
		34	extern int ssl_only_flag;
		35	extern int ssl_active_flag;
		36	extern int ssl_verify_flag;
		37	extern int ssl_secure_flag;
		38	extern int ssl_enabled;
		39
		40	extern int ssl_encrypt_data;
		41	extern SSL *ssl_data_con;
		42	extern int ssl_data_active_flag;
		43
		44	extern char *my_ssl_cert_file;
		45	extern char *my_ssl_key_file;
		46	extern int ssl_certsok_flag;
		47
		48	extern int set_ssl_trace(SSL *s);
		49
		50	extern FILE cin, cout;
		51
		52	#define is_ssl_fd(X,Y) ( (SSL_get_fd((X))==0) \|\| \
		53	(SSL_get_fd((X))==1) \|\| \
		54	(SSL_get_fd((X))==pdata) \|\| \
		55	(SSL_get_fd((X))==(Y)) \
		56	)
		57
		58	#define is_ssl_fp(X,Y) ( ( (SSL_get_fd((X))==0) && (fileno((Y))==0) ) \|\| \
		59	( (SSL_get_fd((X))==1) && (fileno((Y))==1) ) \|\| \
		60	( (SSL_get_fd((X))==pdata) && \
		61	(fileno((Y))==pdata) ) \|\| \
		62	(SSL_get_fd((X))==fileno(Y)) \
		63	)
		64
65	/* these macros make things much easier to handle ... */
66
67	#define FFLUSH(X) (ssl_active_flag && (((X)==cin)\|\|((X)==cout)) ? 1 : fflush((X)) )
68
69	#define GETC(X) (ssl_active_flag && (((X)==cin)\|\|((X)==cout)) ? ssl_getc(ssl_con) : getc((X)) )
70
71	#define DATAGETC(X) (ssl_data_active_flag && ((fileno(X)==data)\|\|(fileno(X)==pdata)) ? ssl_getc(ssl_data_con) : getc((X)) )
72	#define DATAPUTC(X,Y) (ssl_data_active_flag && ((fileno(Y)==data)\|\|(fileno(Y)==pdata)) ? ssl_putc(ssl_data_con,(X)) : putc((X),(Y)) )
73	#define DATAFLUSH(X) (ssl_data_active_flag && ((fileno(X)==data)\|\|(fileno(X)==pdata)) ? ssl_putc_flush(ssl_data_con) : fflush((X)) )
74
75	#else
76
77	#define GETC(X) getc((X))
78	#define DATAGETC(X) getc((X))
79	#define DATAPUTC(X,Y) putc((X),(Y))
80	#define DATAFLUSH(X) fflush((X))
81	#define FFLUSH(X) fflush((X))
82
83	#endif /* USE_SSL */
84
85	#endif /* HEADER_SSL_PORT_H */

Line 0 Link Here

(-)linux-ftpd-0.17.orig/ftpd/sslapp.c (+182 lines)
		1	/* sslapp.c - ssl application code */
		2
		3	/*
		4	* The modifications to support SSLeay were done by Tim Hudson
		5	* tjh@cryptsoft.com
		6	*
		7	* You can do whatever you like with these patches except pretend that
		8	* you wrote them.
		9	*
		10	* Email ssl-users-request@lists.cryptsoft.com to get instructions on how to
		11	* join the mailing list that discusses SSLeay and also these patches.
		12	*
		13	*/
		14
		15	#ifdef USE_SSL
		16
		17	#include "sslapp.h"
		18
		19	SSL_CTX *ssl_ctx;
		20	SSL *ssl_con;
		21	int ssl_debug_flag=0;
		22	int ssl_only_flag=0;
		23	int ssl_active_flag=0;
		24	int ssl_verify_flag=SSL_VERIFY_NONE;
		25	int ssl_secure_flag=0;
		26	int ssl_certsok_flag=0;
		27	int ssl_cert_required=0;
		28	int ssl_verbose_flag=0;
		29	int ssl_disabled_flag=0;
		30	char *ssl_cert_file=NULL;
		31	char *ssl_key_file=NULL;
		32	char *ssl_cipher_list=NULL;
		33	char *ssl_log_file=NULL;
		34
		35	/* fwd decl */
		36	static void
		37	client_info_callback(SSL *s, int where, int ret);
		38
		39	int
		40	do_ssleay_init(int server)
		41	{
		42	char *p;
		43
		44	/* make sure we have somewhere we can log errors to */
		45	if (bio_err==NULL) {
		46	if ((bio_err=BIO_new(BIO_s_file()))!=NULL) {
		47	if (ssl_log_file==NULL)
		48	BIO_set_fp(bio_err,stderr,BIO_NOCLOSE);
		49	else {
		50	if (BIO_write_filename(bio_err,ssl_log_file)<=0) {
		51	/* not a lot we can do */
		52	}
		53	}
		54	}
		55	}
		56
		57	/* rather simple things these days ... the old SSL_LOG and SSL_ERR
		58	* vars are long gone now SSLeay8 has rolled around and we have
		59	* a clean interface for doing things
		60	*/
		61	if (ssl_debug_flag)
		62	BIO_printf(bio_err,"SSL_DEBUG_FLAG on\r\n");
		63
		64
65	/* init things so we will get meaningful error messages
66	* rather than numbers
67	*/
68	SSL_load_error_strings();
69
70	SSLeay_add_ssl_algorithms();
71	ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_method());
72
73	/* we may require a temp 512 bit RSA key because of the
74	* wonderful way export things work ... if so we generate
75	* one now!
76	*/
77	if (server) {
78	if (SSL_CTX_need_tmp_RSA(ssl_ctx)) {
79	RSA *rsa;
80
81	if (ssl_debug_flag)
82	BIO_printf(bio_err,"Generating temp (512 bit) RSA key ...\r\n");
83	rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
84	if (ssl_debug_flag)
85	BIO_printf(bio_err,"Generation of temp (512 bit) RSA key done\r\n");
86
87	if (!SSL_CTX_set_tmp_rsa(ssl_ctx,rsa)) {
88	BIO_printf(bio_err,"Failed to assign generated temp RSA key!\r\n");
89	}
90	RSA_free(rsa);
91	if (ssl_debug_flag)
92	BIO_printf(bio_err,"Assigned temp (512 bit) RSA key\r\n");
93	}
94	}
95
96	/* also switch on all the interoperability and bug
97	* workarounds so that we will communicate with people
98	* that cannot read poorly written specs :-)
99	*/
100	SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL);
101
102	/* the user can set whatever ciphers they want to use */
103	if (ssl_cipher_list==NULL) {
104	p=getenv("SSL_CIPHER");
105	if (p!=NULL)
106	SSL_CTX_set_cipher_list(ssl_ctx,p);
107	} else
108	SSL_CTX_set_cipher_list(ssl_ctx,ssl_cipher_list);
109
110	/* for verbose we use the 0.6.x info callback that I got
111	* eric to finally add into the code :-) --tjh
112	*/
113	if (ssl_verbose_flag) {
114	SSL_CTX_set_info_callback(ssl_ctx,client_info_callback);
115	}
116
117	/* Add in any certificates if you want to here ... */
118	if (ssl_cert_file) {
119	if (!SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_file,
120	X509_FILETYPE_PEM)) {
121	BIO_printf(bio_err,"Error loading %s: ",ssl_cert_file);
122	ERR_print_errors(bio_err);
123	BIO_printf(bio_err,"\r\n");
124	return(0);
125	} else {
126	if (!ssl_key_file)
127	ssl_key_file = ssl_cert_file;
128	if (!SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, ssl_key_file,
129	X509_FILETYPE_PEM)) {
130	BIO_printf(bio_err,"Error loading %s: ",ssl_key_file);
131	ERR_print_errors(bio_err);
132	BIO_printf(bio_err,"\r\n");
133	return(0);
134	}
135	}
136	}
137
138	/* make sure we will find certificates in the standard
139	* location ... otherwise we don't look anywhere for
140	* these things which is going to make client certificate
141	* exchange rather useless :-)
142	*/
143	SSL_CTX_set_default_verify_paths(ssl_ctx);
144
145	/* now create a connection */
146	ssl_con=(SSL *)SSL_new(ssl_ctx);
147	SSL_set_verify(ssl_con,ssl_verify_flag,NULL);
148
149	return(1);
150	}
151
152
153	static void
154	client_info_callback(SSL *s, int where, int ret)
155	{
156	if (where==SSL_CB_CONNECT_LOOP) {
157	BIO_printf(bio_err,"SSL_connect:%s %s\r\n",
158	SSL_state_string(s),SSL_state_string_long(s));
159	} else if (where==SSL_CB_CONNECT_EXIT) {
160	if (ret == 0) {
161	BIO_printf(bio_err,"SSL_connect:failed in %s %s\r\n",
162	SSL_state_string(s),SSL_state_string_long(s));
163	} else if (ret < 0) {
164	BIO_printf(bio_err,"SSL_connect:error in %s %s\r\n",
165	SSL_state_string(s),SSL_state_string_long(s));
166	}
167	}
168	}
169
170
171	#else /* !USE_SSL */
172
173	/* something here to stop warnings if we build without SSL support */
174	static int dummy_func()
175	{
176	int i;
177
178	i++;
179	}
180
181	#endif /* USE_SSL */
182

Line 0 Link Here

(-)linux-ftpd-0.17.orig/ftpd/sslapp.h (+63 lines)
	1	/* sslapp.h - ssl application code */
	2
	3	/*
	4	* The modifications to support SSLeay were done by Tim Hudson
	5	* tjh@cryptsoft.com
	6	*
	7	* You can do whatever you like with these patches except pretend that
	8	* you wrote them.
	9	*
	10	* Email ssl-users-request@mincom.oz.au to get instructions on how to
	11	* join the mailing list that discusses SSLeay and also these patches.
	12	*
	13	*/
	14
	15	#ifdef USE_SSL
	16
	17	#include <stdio.h>
	18
	19	#include <openssl/crypto.h>
	20
	21	#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
	22	#define ONELINE_NAME(X) X509_NAME_oneline(X,NULL,0)
	23
	24	#define OLDPROTO NOPROTO
	25	#define NOPROTO
	26	#include <openssl/bio.h>
	27	#undef NOPROTO
	28	#define NOPROTO OLDPROTO
	29	#undef OLDPROTO
	30	#include <openssl/buffer.h>
	31
	32	#include <openssl/x509.h>
	33	#include <openssl/ssl.h>
	34	#include <openssl/err.h>
	35
	36	extern BIO *bio_err;
	37	extern SSL *ssl_con;
	38	extern SSL_CTX *ssl_ctx;
	39	extern int ssl_debug_flag;
	40	extern int ssl_only_flag;
	41	extern int ssl_active_flag;
	42	extern int ssl_verify_flag;
	43	extern int ssl_secure_flag;
	44	extern int ssl_verbose_flag;
	45	extern int ssl_disabled_flag;
	46	extern int ssl_cert_required;
	47	extern int ssl_certsok_flag;
	48
	49	extern char *ssl_log_file;
	50	extern char *ssl_cert_file;
	51	extern char *ssl_key_file;
	52	extern char *ssl_cipher_list;
	53
	54	/* we hide all the initialisation code in a separate file now */
	55	extern int do_ssleay_init(int server);
	56
	57	/*extern int display_connect_details();
	58	extern int server_verify_callback();
	59	extern int client_verify_callback();*/
	60
	61	#endif /* USE_SSL */
	62
	63