Ag Hatzim([EMAIL PROTECTED])@Sat, Aug 20, 2005 at 08:27:25PM +0300: Just a small correction for anyone wants to try,if you apply the netkit-ftp-0.17-ssl-0.2.patch compiling will fail In addition i attach the patches for anyone is interesting. Some from gentoo,and 2 from fedora.
I applied with the following order netkit-ftp-0.17-acct.patch netkit-ftp-0.17-locale.patch netkit-ftp-0.17-runique_mget.patch netkit-ftp-0.17-security.patch netkit-ftp-0.17+ssl-0.2.diff netkit-ftp-0.17+ssl-0.2+auth.diff
Ripped from Fedora https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17353 --- netkit-ftp-0.17/ftp/ftp.c.acct Sun Jan 21 00:08:29 2001 +++ netkit-ftp-0.17/ftp/ftp.c Sun Jan 21 00:09:04 2001 @@ -254,7 +254,8 @@ if (n == CONTINUE) { aflag++; /* fflush(stdout); */ - zacct = getpass("Account:"); + if(zacct==NULL) + zacct = getpass("Account:"); n = command("ACCT %s", zacct); } if (n != COMPLETE) {
ripped from Fedora https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142265 --- netkit-ftp-0.17/ftp/main.c.locale 2004-12-15 16:52:14.504193752 +0000 +++ netkit-ftp-0.17/ftp/main.c 2004-12-15 16:52:51.719133655 +0000 @@ -51,6 +51,7 @@ /* #include <arpa/ftp.h> <--- unused? */ +#include <locale.h> #include <signal.h> #include <unistd.h> #include <string.h> @@ -109,6 +110,7 @@ tick = 0; + setlocale (LC_ALL, ""); sp = getservbyname("ftp", "tcp"); if (sp == 0) { fprintf(stderr, "ftp: ftp/tcp: unknown service\n");
ripped from Fedora https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=79367 --- netkit-ftp-0.17/ftp/ftp.c.runique_mget 2004-12-07 12:05:49.360133092 +0100 +++ netkit-ftp-0.17/ftp/ftp.c 2004-12-07 12:06:48.480883902 +0100 @@ -923,7 +923,9 @@ return; } } - else if (runique && (local = gunique(local)) == NULL) { + else if (runique && (strcmp(cmd, "NLST") != 0) && + (local = gunique(local)) == NULL) + { (void) signal(SIGINT, oldintr); code = -1; return;
ripped from Fedora diff -urN netkit-ftp-0.17-pre20000412/ftp/ftp.c netkit-ftp-0.17-pre20000412.new/ftp/ftp.c --- netkit-ftp-0.17-pre20000412/ftp/ftp.c Mon Dec 13 21:33:20 1999 +++ netkit-ftp-0.17-pre20000412.new/ftp/ftp.c Wed Aug 16 14:12:50 2000 @@ -883,7 +883,7 @@ } if (fstat(fileno(fout), &st) < 0 || st.st_blksize == 0) st.st_blksize = BUFSIZ; - if (st.st_blksize > bufsize) { + if ((unsigned)st.st_blksize > bufsize) { if (buf) (void) free(buf); buf = malloc((unsigned)st.st_blksize);
diff -u -r -N netkit-ftp-0.17/ftp/Makefile netkit-ftp-0.17+ssl-0.2/ftp/Makefile --- netkit-ftp-0.17/ftp/Makefile Sun Aug 1 08:00:12 1999 +++ netkit-ftp-0.17+ssl-0.2/ftp/Makefile Mon Sep 25 23:36:51 2000 @@ -8,6 +8,9 @@ LIBS += -lreadline $(LIBTERMCAP) endif +CFLAGS += -DUSE_SSL -g +LIBS += -lssl -lcrypto + ftp: cmds.o cmdtab.o domacro.o ftp.o glob.o main.o ruserpass.o $(CC) $(LDFLAGS) $^ $(LIBS) -o $@ diff -u -r -N netkit-ftp-0.17/ftp/cmds.c netkit-ftp-0.17+ssl-0.2/ftp/cmds.c --- netkit-ftp-0.17/ftp/cmds.c Sun Jul 23 03:36:59 2000 +++ netkit-ftp-0.17+ssl-0.2/ftp/cmds.c Sun Sep 24 15:09:15 2000 @@ -207,6 +207,32 @@ } port = ftp_port; if (argc > 2) { +#ifdef USE_SSL + /* not really an SSL enhancement but something that + * should have always been here --tjh + */ + if (!isdigit(argv[2][0])) { + struct servent *destsp; + + destsp = getservbyname(argv[2], "tcp"); + + /* if lookup fails for ssl-ftp we fallback to + * the default (unofficial) port number + */ + if ((strcmp(argv[2],"ssl-ftp")==0) && (destsp==NULL)) + port = 150; + else { + if (destsp == NULL ) { + printf("%s: bad port name-- %s\n",argv[1],argv[2]); + printf ("usage: %s host-name [port]\n",argv[0]); + code = -1; + return; + } else { + port = ntohs(destsp->s_port); + } + } + } else +#endif /* USE_SSL */ port = atoi(argv[2]); if (port < 1) { printf("%s: bad port number-- %s\n", argv[1], argv[2]); diff -u -r -N netkit-ftp-0.17/ftp/ftp.1 netkit-ftp-0.17+ssl-0.2/ftp/ftp.1 --- netkit-ftp-0.17/ftp/ftp.1 Mon Jul 31 01:56:59 2000 +++ netkit-ftp-0.17+ssl-0.2/ftp/ftp.1 Sun May 13 14:10:22 2001 @@ -97,6 +97,52 @@ as report on data transfer statistics. .It Fl d Enables debugging. +.It Fl z Ar option +Set SSL (Secure Socket Layer) parameters. The default is to negotiate +via ftp protocoll if SSL is availlable at server side and then to +switch it on. In this mode you can connect to both conventional and +SSL enhanced ftpd's. +.Pp +The SSL parameters are: +.Bl -tag -width Fl +.It Ic Ar debug +Send SSL related debugging information to stderr. +.It Ic Ar authdebug +Enable authentication debugging. +.It Ic Ar ssl +Negotiate SSL at first, then use ftp protocol. ftp protocol +negotiation goes encrypted. (Not yet implemented) +.It Ic Ar nossl, Ar !ssl +switch of SSL negotiation +.It Ic Ar certrequired +client certificate is mandatory +.It Ic Ar secure +Don't switch back to unencrypted mode (no SSL) if SSL is not available. +.It Ic Ar verbose +Be verbose about certificates etc. +.It Ic Ar verify=int +.\" TODO +Set the SSL verify flags (SSL_VERIFY_* in +.Ar ssl/ssl.h +). +.\" TODO +.It Ic Ar cert=cert_file +.\" TODO +Use the certificate(s) in +.Ar cert_file . +.It Ic Ar key=key_file +.\" TODO +Use the key(s) in +.Ar key_file . +.It Ic Ar cipher=ciph_list +.\" TODO +Set the preferred ciphers to +.Ar ciph_list . +.\" TODO: possible values; comma-separated list? +(See +.Ar ssl/ssl.h +). +.El .El .Pp The client host with which diff -u -r -N netkit-ftp-0.17/ftp/ftp.c netkit-ftp-0.17+ssl-0.2/ftp/ftp.c --- netkit-ftp-0.17/ftp/ftp.c Mon Dec 13 21:33:20 1999 +++ netkit-ftp-0.17+ssl-0.2/ftp/ftp.c Tue Sep 26 00:25:48 2000 @@ -1,3 +1,15 @@ +/* + * The modifications to support SSLeay were done by Tim Hudson + * [EMAIL PROTECTED] + * + * You can do whatever you like with these patches except pretend that + * you wrote them. + * + * Email [EMAIL PROTECTED] to get instructions on how to + * join the mailing list that discusses SSLeay and also these patches. + * + */ + /* * Copyright (c) 1985, 1989 Regents of the University of California. * All rights reserved. @@ -77,6 +89,17 @@ static sigjmp_buf ptabort; static int ptabflg = 0; static int abrtflag = 0; +#ifdef USE_SSL +static int pdata = -1; +static int +auth_user(char *u,char *p); +static int +ssl_getc(SSL *ssl_con); +static int +ssl_putc_flush(SSL *ssl_con); +static int +ssl_putc(SSL *ssl_con, int oneint); +#endif void lostpeer(int); extern int connected; @@ -243,14 +266,7 @@ else luser = tmp; } - n = command("USER %s", luser); - if (n == CONTINUE) { - if (pass == NULL) { - /* fflush(stdout); */ - pass = getpass("Password:"); - } - n = command("PASS %s", pass); - } + n = auth_user(luser,pass); if (n == CONTINUE) { aflag++; /* fflush(stdout); */ @@ -296,6 +312,9 @@ va_list ap; int r; void (*oldintr)(int); +#ifdef USE_SSL + char outputbuf[8192]; +#endif /* USE_SSL */ abrtflag = 0; if (debug) { @@ -316,10 +335,27 @@ } oldintr = signal(SIGINT, cmdabort); va_start(ap, fmt); +#ifdef USE_SSL + /* assemble the output into a buffer */ + vsnprintf(outputbuf,sizeof(outputbuf),fmt,ap); + strcat(outputbuf,"\r\n"); + if (ssl_active_flag) { + SSL_write(ssl_con,outputbuf,strlen(outputbuf)); + } else { + fprintf(cout,"%s",outputbuf); + fflush(cout); + } +#else /* !USE_SSL */ vfprintf(cout, fmt, ap); +#endif /* USE_SSL */ va_end(ap); + +#ifndef USE_SSL + /* we don't need this as we concatenated it above */ fprintf(cout, "\r\n"); (void) fflush(cout); +#endif /* !USE_SSL */ + cpend = 1; r = getreply(!strcmp(fmt, "QUIT")); if (abrtflag && oldintr != SIG_IGN) @@ -343,25 +379,39 @@ int pflag = 0; size_t px = 0; size_t psize = sizeof(pasv); + char buf[16]; oldintr = signal(SIGINT, cmdabort); for (;;) { dig = n = code = 0; cp = reply_string; - while ((c = getc(cin)) != '\n') { + while ((c = GETC(cin)) != '\n') { if (c == IAC) { /* handle telnet commands */ - switch (c = getc(cin)) { + switch (c = GETC(cin)) { case WILL: case WONT: - c = getc(cin); - fprintf(cout, "%c%c%c", IAC, DONT, c); - (void) fflush(cout); + c = GETC(cin); + sprintf(buf, + "%c%c%c", IAC, DONT, c); +#ifdef USE_SSL + if (ssl_active_flag) + SSL_write(ssl_con,buf,3); + else +#endif /* !USE_SSL */ + fwrite(buf,3,1,cout); + (void) FFLUSH(cout); break; case DO: case DONT: - c = getc(cin); - fprintf(cout, "%c%c%c", IAC, WONT, c); - (void) fflush(cout); + c = GETC(cin); + sprintf(buf, "%c%c%c", IAC, WONT, c); +#ifdef USE_SSL + if (ssl_active_flag) + SSL_write(ssl_con,buf,3); + else +#endif /* !USE_SSL */ + fwrite(buf,3,1,cout); + (void) FFLUSH(cout); break; default: break; @@ -600,9 +650,18 @@ errno = d = 0; while ((c = read(fileno(fin), buf, sizeof (buf))) > 0) { bytes += c; +#ifdef USE_SSL + if (ssl_data_active_flag) { + for (bufp = buf; c > 0; c -= d, bufp += d) + if ((d = SSL_write(ssl_data_con, bufp, c)) <= 0) + break; + } else +#endif /* !USE_SSL */ + { for (bufp = buf; c > 0; c -= d, bufp += d) if ((d = write(fileno(dout), bufp, c)) <= 0) break; + } if (hash) { while (bytes >= hashbytes) { (void) putchar('#'); @@ -654,16 +713,17 @@ } if (ferror(dout)) break; - (void) putc('\r', dout); + (void) DATAPUTC('\r', dout); bytes++; } - (void) putc(c, dout); + (void) DATAPUTC(c, dout); bytes++; /* if (c == '\r') { */ /* (void) putc('\0', dout); (* this violates rfc */ /* bytes++; */ /* } */ } + DATAFLUSH(dout); if (hash) { if (bytes < hashbytes) (void) putchar('#'); @@ -688,6 +748,15 @@ if (closefunc != NULL) (*closefunc)(fin); (void) fclose(dout); + +#ifdef USE_SSL + if (ssl_data_active_flag && (ssl_data_con!=NULL)) { + SSL_free(ssl_data_con); + ssl_data_active_flag=0; + ssl_data_con=NULL; + } +#endif /* USE_SSL */ + /* closes data as well, so discard it */ data = -1; (void) getreply(0); @@ -714,6 +783,15 @@ (void) close(data); data = -1; } + +#ifdef USE_SSL + if (ssl_data_active_flag && (ssl_data_con!=NULL)) { + SSL_free(ssl_data_con); + ssl_data_active_flag=0; + ssl_data_con=NULL; + } +#endif /* USE_SSL */ + (void) getreply(0); code = -1; if (closefunc != NULL && fin != NULL) @@ -908,6 +986,33 @@ return; } errno = d = 0; +#ifdef USE_SSL + if (ssl_data_active_flag) { + while ((c = SSL_read(ssl_data_con, buf, bufsize)) > 0) { + if ((d = write(fileno(fout), buf, c)) != c) + break; + bytes += c; + if (hash) { + while (bytes >= hashbytes) { + (void) putchar('#'); + hashbytes += HASHBYTES; + } + (void) fflush(stdout); + } + } + if ( c < -1 ) { + static char errbuf[1024]; + + sprintf(errbuf,"ftp: SSL_read DATA error %s\n", + ERR_error_string(ERR_get_error(),NULL)); + + /* tell the user ... who else */ + fprintf(stderr,"%s", errbuf); + fflush(stderr); + } + } else +#endif /* !USE_SSL */ + { while ((c = read(fileno(din), buf, bufsize)) > 0) { if ((d = write(fileno(fout), buf, c)) != c) break; @@ -927,6 +1032,7 @@ hashbytes += TICKBYTES; } } + } if (hash && bytes > 0) { if (bytes < HASHBYTES) (void) putchar('#'); @@ -973,7 +1079,7 @@ return; } } - while ((c = getc(din)) != EOF) { + while ((c = DATAGETC(din)) != EOF) { if (c == '\n') bare_lfs++; while (c == '\r') { @@ -991,7 +1097,7 @@ hashbytes += TICKBYTES; } bytes++; - if ((c = getc(din)) != '\n' || tcrflag) { + if ((c = DATAGETC(din)) != '\n' || tcrflag) { if (ferror(fout)) goto break2; (void) putc('\r', fout); @@ -1039,6 +1145,15 @@ (void) signal(SIGPIPE, oldintp); (void) gettimeofday(&stop, (struct timezone *)0); (void) fclose(din); + +#ifdef USE_SSL + if (ssl_data_active_flag && (ssl_data_con!=NULL)) { + SSL_free(ssl_data_con); + ssl_data_active_flag=0; + ssl_data_con=NULL; + } +#endif /* USE_SSL */ + /* closes data as well, so discard it */ data = -1; (void) getreply(0); @@ -1071,6 +1186,15 @@ (void) close(data); data = -1; } + +#ifdef USE_SSL + if (ssl_data_active_flag && (ssl_data_con!=NULL)) { + SSL_free(ssl_data_con); + ssl_data_active_flag=0; + ssl_data_con=NULL; + } +#endif /* USE_SSL */ + if (bytes > 0) ptransfer("received", bytes, &start, &stop); (void) signal(SIGINT, oldintr); @@ -1207,6 +1331,7 @@ struct sockaddr_in from; int s, tos; socklen_t fromlen = sizeof(from); + int ret; if (passivemode) return (fdopen(data, lmode)); @@ -1224,6 +1349,67 @@ if (setsockopt(s, IPPROTO_IP, IP_TOS, (char *)&tos, sizeof(int)) < 0) perror("ftp: setsockopt TOS (ignored)"); #endif + +#ifdef USE_SSL + ssl_data_active_flag=0; + if (ssl_active_flag && ssl_encrypt_data) { + /* do SSL */ + if (ssl_data_con!=NULL) { + SSL_free(ssl_data_con); + ssl_data_con=NULL; + } + ssl_data_con=(SSL *)SSL_new(ssl_ctx); + + SSL_set_fd(ssl_data_con,data); + set_ssl_trace(ssl_data_con); + + SSL_set_verify(ssl_data_con,ssl_verify_flag,NULL); + + /* this is the "magic" call that makes + * this quick assuming Eric has this going + * okay! ;-) + */ + SSL_copy_session_id(ssl_data_con,ssl_con); + + /* we are doing I/O and not using select so + * it is "safe" to read ahead + */ + /* SSL_set_read_ahead(ssl_data_con,1); */ + + if (debug) { + fprintf(stderr,"===>START SSL connect on DATA\n"); + fflush(stderr); + } + + if ((ret=SSL_connect(ssl_data_con))<=0) { + static char errbuf[1024]; + + sprintf(errbuf,"ftp: SSL_connect DATA error %d - %s\n", + ret,ERR_error_string(ERR_get_error(),NULL)); + + /* tell the user ... who else */ + fprintf(stderr,"%s", errbuf); + fflush(stderr); + + /* abort time methinks ... */ + close(data); + return NULL; + } else { + if (ssl_debug_flag) { + BIO_printf(bio_err,"[SSL DATA Cipher %s]\n", + SSL_get_cipher(ssl_con)); + } + ssl_data_active_flag=1; + } + + if (debug) { + fprintf(stderr,"===>DONE SSL connect on DATA %d\n",data); + fflush(stderr); + } + + } +#endif /* USE_SSL */ + return (fdopen(data, lmode)); } @@ -1609,3 +1795,142 @@ } (void) getreply(0); } + +static int +auth_user(char *u,char *p) +{ + int n; + +#ifdef USE_SSL + if (ssl_enabled) { + n = command("AUTH SSL"); + if (n == ERROR) { /* do normal USER/PASS */ + printf("SSL not available\n"); + /* spit the dummy as we will only talk ssl + * when running in "secure" mode + */ + if (ssl_secure_flag) + return ERROR; + } else if (n == CONTINUE ) { + /* do SSL */ + ssl_con=(SSL *)SSL_new(ssl_ctx); + + SSL_set_fd(ssl_con,fileno(cout)); + set_ssl_trace(ssl_con); + + SSL_set_verify(ssl_con,ssl_verify_flag,NULL); + + /* Add in any certificates if you want to here ... */ + if (my_ssl_cert_file) { + if (!SSL_use_certificate_file(ssl_con, my_ssl_cert_file, + X509_FILETYPE_PEM)) { + fprintf(stderr,"%s: ",my_ssl_cert_file); + ERR_print_errors_fp(stderr); + exit(1); + } else { + if (!my_ssl_key_file) + my_ssl_key_file = my_ssl_cert_file; + if (!SSL_use_RSAPrivateKey_file(ssl_con, my_ssl_key_file, + X509_FILETYPE_PEM)) { + fprintf(stderr,"%s: ", my_ssl_key_file); + ERR_print_errors_fp(stderr); + exit(1); + } + } + } + + if (SSL_connect(ssl_con)<=0) { + static char errbuf[1024]; + + sprintf(errbuf,"ftp: SSL_connect error %s\n", + ERR_error_string(ERR_get_error(),NULL)); + perror(errbuf); + /* abort time methinks ... */ + exit(1); + } else { + fprintf(stderr,"[SSL Cipher %s]\n",SSL_get_cipher(ssl_con)); + fflush(stderr); + ssl_active_flag=1; + } + + n = command("USER %s",u); + if (n == CONTINUE) { + if(p == NULL) + p = getpass("Password:"); + n = command("PASS %s",p); + } + return (n); + } + } +#endif /* USE_SSL */ + n = command("USER %s",u); + if (n == CONTINUE) { + if(p == NULL) + p = getpass("Password:"); + n = command("PASS %s",p); + } + return(n); +} + +#ifdef USE_SSL + +/* we really shouldn't have code like this! --tjh */ +static int +ssl_getc(SSL *ssl_con) +{ + char onebyte; + int ret; + + if ((ret=SSL_read(ssl_con,&onebyte,1))!=1) { + /* we want to know this stuff! */ + if (ssl_debug_flag || (ret!=0)) { + fprintf(stderr,"ssl_getc: SSL_read failed %d = %d\n",ret,errno); + fflush(stderr); + } + return -1; + } else { + if (ssl_debug_flag) { + BIO_printf(bio_err,"ssl_getc: SSL_read %d (%c) ",onebyte & 0xff,isprint(onebyte)?onebyte:'.'); + } + return onebyte & 0xff; + } +} + + +/* got back to this an implemented some rather "simple" buffering */ +static char putc_buf[BUFSIZ]; +static int putc_buf_pos=0; + +static int +ssl_putc_flush(SSL *ssl_con) +{ + if (putc_buf_pos>0) { + if (SSL_write(ssl_con,putc_buf,putc_buf_pos)!=putc_buf_pos) { + if (ssl_debug_flag) { + BIO_printf(bio_err,"ssl_putc_flush: WRITE FAILED\n"); + } + putc_buf_pos=0; + return -1; + } + } + putc_buf_pos=0; + return 0; +} + +int +ssl_putc(SSL *ssl_con,int oneint) +{ + char onebyte; + + onebyte = oneint & 0xff; + + /* make sure there is space */ + if (putc_buf_pos>=BUFSIZ) + if (ssl_putc_flush(ssl_con)!=0) + return EOF; + putc_buf[putc_buf_pos++]=onebyte; + + return onebyte; +} + +#endif /* USE_SSL */ diff -u -r -N netkit-ftp-0.17/ftp/ftp_var.h netkit-ftp-0.17+ssl-0.2/ftp/ftp_var.h --- netkit-ftp-0.17/ftp/ftp_var.h Sat Oct 2 20:39:17 1999 +++ netkit-ftp-0.17+ssl-0.2/ftp/ftp_var.h Sun Sep 24 15:48:48 2000 @@ -158,3 +158,6 @@ void setpeer(int argc, char *argv[]); void quit(void); void changetype(int newtype, int show); + +#include "sslapp.h" +#include "ssl_port.h" diff -u -r -N netkit-ftp-0.17/ftp/main.c netkit-ftp-0.17+ssl-0.2/ftp/main.c --- netkit-ftp-0.17/ftp/main.c Sat Oct 2 15:25:23 1999 +++ netkit-ftp-0.17+ssl-0.2/ftp/main.c Thu May 3 20:42:41 2001 @@ -1,3 +1,15 @@ +/* + * The modifications to support SSLeay were done by Tim Hudson + * [EMAIL PROTECTED] + * + * You can do whatever you like with these patches except pretend that + * you wrote them. + * + * Email [EMAIL PROTECTED] to get instructions on how to + * join the mailing list that discusses SSLeay and also these patches. + * + */ + /* * Copyright (c) 1985, 1989 Regents of the University of California. * All rights reserved. @@ -82,6 +94,75 @@ static void cmdscanner(int top); static char *slurpstring(void); +#ifdef USE_SSL + +/* icky way of doing things ... */ +#include "sslapp.c" + +/* +#include "ssl_err.h" +*/ + +SSL *ssl_con; +SSL *ssl_data_con; +int ssl_data_active_flag=0; + +/* for the moment this is a compile time option only --tjh */ +int ssl_encrypt_data=1; +int ssl_enabled=1; + +char *my_ssl_key_file=NULL; +char *my_ssl_cert_file=NULL; + +BIO *bio_err=NULL; + +static long +bio_dump_cb(BIO *bio, + int cmd, + char *argp, + int argi, + long argl, + long ret) + { + BIO *out; + +/* + out=(BIO *)BIO_get_callback_arg(bio); +*/ + out=bio_err; + if (out == NULL) return(ret); + + if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) + { + BIO_printf(out,"read from %08X (%d bytes => %ld (%X))\n", + bio,argi,ret,ret); + BIO_dump(out,argp,(int)ret); + BIO_flush(out); + } + else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) + { + BIO_printf(out,"write to %08X (%d bytes => %ld (%X))\n", + bio,argi,ret,ret); + BIO_dump(out,argp,(int)ret); + BIO_flush(out); + } + return( (cmd & BIO_CB_RETURN) ? ret : 1); + } + +int +set_ssl_trace(SSL *con) +{ + if (con!=NULL) { + if (ssl_debug_flag) { + BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); + BIO_set_callback_arg(SSL_get_rbio(con),bio_err); + } + } + return 0; +} + +#endif /* USE_SSL */ + static void usage(void) @@ -106,6 +187,7 @@ int top; struct passwd *pw = NULL; char homedir[MAXPATHLEN]; + char *optarg; tick = 0; @@ -134,6 +216,7 @@ argc--, argv++; while (argc > 0 && **argv == '-') { + optarg=*(argv+1); for (cp = *argv + 1; *cp; cp++) switch (*cp) { @@ -174,6 +257,44 @@ usage(); exit(0); +#ifdef USE_SSL + case 'z': + if (strcmp(optarg, "debug") == 0 ) { + ssl_debug_flag=1; + } + if (strcmp(optarg, "ssl") == 0 ) { + ssl_only_flag=1; + } + /* disable *all* ssl stuff */ + if ( (strcmp(optarg, "!ssl") == 0 ) || + (strcmp(optarg, "nossl") == 0 ) ) { + ssl_enabled=0; + } + if (strcmp(optarg, "secure") == 0 ) { + ssl_secure_flag=1; + } + if (strcmp(optarg, "certsok") == 0 ) { + ssl_certsok_flag=1; + } + if (strcmp(optarg, "verbose") == 0 ) { + ssl_verbose_flag=1; + } + if (strncmp(optarg, "verify=", strlen("verify=")) == 0 ) { + ssl_verify_flag=atoi(optarg+strlen("verify=")); + } + if (strncmp(optarg, "cert=", strlen("cert=")) == 0 ) { + my_ssl_cert_file=optarg+strlen("cert="); + } + if (strncmp(optarg, "key=", strlen("key=")) == 0 ) { + my_ssl_key_file=optarg+strlen("key="); + } + + /* we have swallowed an extra arg */ + argc--; + argv++; + break; +#endif /* USE_SSL */ + default: fprintf(stdout, "ftp: %c: unknown option\n", *cp); @@ -202,6 +323,18 @@ homedir[sizeof(homedir)-1] = 0; home = homedir; } + +#ifdef USE_SSL + if (ssl_enabled) { + if (!do_ssleay_init(0)) { + fprintf(stderr,"ftp: SSLeay initialisation failed\n"); + fflush(stderr); + ERR_print_errors_fp(stderr); + exit(1); + } + } +#endif /* USE_SSL */ + if (argc > 0) { if (sigsetjmp(toplevel, 1)) exit(0); diff -u -r -N netkit-ftp-0.17/ftp/main.c.~1~ netkit-ftp-0.17+ssl-0.2/ftp/main.c.~1~ --- netkit-ftp-0.17/ftp/main.c.~1~ Thu Jan 1 01:00:00 1970 +++ netkit-ftp-0.17+ssl-0.2/ftp/main.c.~1~ Sun Sep 24 16:30:36 2000 @@ -0,0 +1,735 @@ +/* + * The modifications to support SSLeay were done by Tim Hudson + * [EMAIL PROTECTED] + * + * You can do whatever you like with these patches except pretend that + * you wrote them. + * + * Email [EMAIL PROTECTED] to get instructions on how to + * join the mailing list that discusses SSLeay and also these patches. + * + */ + +/* + * Copyright (c) 1985, 1989 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +char copyright[] = + "@(#) Copyright (c) 1985, 1989 Regents of the University of California.\n" + "All rights reserved.\n"; + +/* + * from: @(#)main.c 5.18 (Berkeley) 3/1/91 + */ +char main_rcsid[] = + "$Id: netkit-ftp-0.17+ssl-0.2.diff,v 1.2 2005/07/29 01:38:43 vapier Exp $"; + + +/* + * FTP User Program -- Command Interface. + */ +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/ioctl.h> + +/* #include <arpa/ftp.h> <--- unused? */ + +#include <signal.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> +#include <stdio.h> +#include <errno.h> +#include <ctype.h> +#include <netdb.h> +#include <pwd.h> +#ifdef __USE_READLINE__ +#include <readline/readline.h> +#include <readline/history.h> +#endif + +#define Extern +#include "ftp_var.h" +int traceflag = 0; +const char *home = "/"; + +extern FILE *cout; +extern int data; +extern struct cmd cmdtab[]; +extern int NCMDS; + +void intr(int); +void lostpeer(int); +void help(int argc, char *argv[]); + +static void cmdscanner(int top); +static char *slurpstring(void); + +#ifdef USE_SSL + +/* icky way of doing things ... */ +#include "sslapp.c" + +/* +#include "ssl_err.h" +*/ + +SSL *ssl_con; +SSL *ssl_data_con; +int ssl_data_active_flag=0; + +/* for the moment this is a compile time option only --tjh */ +int ssl_encrypt_data=1; +int ssl_enabled=1; + +char *my_ssl_key_file=NULL; +char *my_ssl_cert_file=NULL; + +BIO *bio_err=NULL; + +static long +bio_dump_cb(BIO *bio, + int cmd, + char *argp, + int argi, + long argl, + long ret) + { + BIO *out; + +/* + out=(BIO *)BIO_get_callback_arg(bio); +*/ + out=bio_err; + if (out == NULL) return(ret); + + if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) + { + BIO_printf(out,"read from %08X (%d bytes => %ld (%X))\n", + bio,argi,ret,ret); + BIO_dump(out,argp,(int)ret); + BIO_flush(out); + } + else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) + { + BIO_printf(out,"write to %08X (%d bytes => %ld (%X))\n", + bio,argi,ret,ret); + BIO_dump(out,argp,(int)ret); + BIO_flush(out); + } + return( (cmd & BIO_CB_RETURN) ? ret : 1); + } + +int +set_ssl_trace(SSL *con) +{ + if (con!=NULL) { + if (ssl_debug_flag) { + BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); + BIO_set_callback_arg(SSL_get_rbio(con),bio_err); + } + } + return 0; +} + +#endif /* USE_SSL */ + +static +void +usage(void) +{ + printf("\n\tUsage: { ftp | pftp } [-pinegvtd] [hostname]\n"); + printf("\t -p: enable passive mode (default for pftp)\n"); + printf("\t -i: turn off prompting during mget\n"); + printf("\t -n: inhibit auto-login\n"); + printf("\t -e: disable readline support, if present\n"); + printf("\t -g: disable filename globbing\n"); + printf("\t -v: verbose mode\n"); + printf("\t -t: enable packet tracing [nonfunctional]\n"); + printf("\t -d: enable debugging\n"); + printf("\n"); +} + +int +main(volatile int argc, char **volatile argv) +{ + register char *cp; + struct servent *sp; + int top; + struct passwd *pw = NULL; + char homedir[MAXPATHLEN]; + + tick = 0; + + sp = getservbyname("ftp", "tcp"); + if (sp == 0) { + fprintf(stderr, "ftp: ftp/tcp: unknown service\n"); + exit(1); + } + ftp_port = sp->s_port; + doglob = 1; + interactive = 1; + autologin = 1; + passivemode = 0; + + cp = strrchr(argv[0], '/'); + cp = (cp == NULL) ? argv[0] : cp+1; + if (strcmp(cp, "pftp") == 0) + passivemode = 1; + +#ifdef __USE_READLINE__ + /* + * Set terminal type so libreadline can parse .inputrc correctly + */ + rl_terminal_name = getenv("TERM"); +#endif + + argc--, argv++; + while (argc > 0 && **argv == '-') { + for (cp = *argv + 1; *cp; cp++) + switch (*cp) { + + case 'd': + options |= SO_DEBUG; + debug++; + break; + + case 'v': + verbose++; + break; + + case 't': + traceflag++; + break; + + case 'i': + interactive = 0; + break; + + case 'n': + autologin = 0; + break; + + case 'p': + passivemode = 1; + break; + + case 'g': + doglob = 0; + break; + + case 'e': + rl_inhibit = 1; + break; + + case 'h': + usage(); + exit(0); + +#ifdef USE_SSL + case 'z': + if (strcmp(optarg, "debug") == 0 ) { + ssl_debug_flag=1; + } + if (strcmp(optarg, "ssl") == 0 ) { + ssl_only_flag=1; + } + /* disable *all* ssl stuff */ + if ( (strcmp(optarg, "!ssl") == 0 ) || + (strcmp(optarg, "nossl") == 0 ) ) { + ssl_enabled=0; + } + if (strcmp(optarg, "secure") == 0 ) { + ssl_secure_flag=1; + } + if (strcmp(optarg, "certsok") == 0 ) { + ssl_certsok_flag=1; + } + if (strcmp(optarg, "verbose") == 0 ) { + ssl_verbose_flag=1; + } + if (strncmp(optarg, "verify=", strlen("verify=")) == 0 ) { + ssl_verify_flag=atoi(optarg+strlen("verify=")); + } + if (strncmp(optarg, "cert=", strlen("cert=")) == 0 ) { + my_ssl_cert_file=optarg+strlen("cert="); + } + if (strncmp(optarg, "key=", strlen("key=")) == 0 ) { + my_ssl_key_file=optarg+strlen("key="); + } + + /* we have swallowed an extra arg */ + argc--; + argv++; + break; +#endif /* USE_SSL */ + + default: + fprintf(stdout, + "ftp: %c: unknown option\n", *cp); + exit(1); + } + argc--, argv++; + } + fromatty = isatty(fileno(stdin)); + if (fromatty) + verbose++; + cpend = 0; /* no pending replies */ + proxy = 0; /* proxy not active */ + crflag = 1; /* strip c.r. on ascii gets */ + sendport = -1; /* not using ports */ + /* + * Set up the home directory in case we're globbing. + */ + cp = getlogin(); + if (cp != NULL) { + pw = getpwnam(cp); + } + if (pw == NULL) + pw = getpwuid(getuid()); + if (pw != NULL) { + strncpy(homedir, pw->pw_dir, sizeof(homedir)); + homedir[sizeof(homedir)-1] = 0; + home = homedir; + } + +#ifdef USE_SSL + if (ssl_enabled) { + if (!do_ssleay_init(0)) { + fprintf(stderr,"ftp: SSLeay initialisation failed\n"); + fflush(stderr); + ERR_print_errors_fp(stderr); + exit(1); + } + } +#endif /* USE_SSL */ + + if (argc > 0) { + if (sigsetjmp(toplevel, 1)) + exit(0); + (void) signal(SIGINT, intr); + (void) signal(SIGPIPE, lostpeer); + setpeer(argc + 1, argv - 1); + } + top = sigsetjmp(toplevel, 1) == 0; + if (top) { + (void) signal(SIGINT, intr); + (void) signal(SIGPIPE, lostpeer); + } + for (;;) { + cmdscanner(top); + top = 1; + } +} + +void +intr(int ignore) +{ + (void)ignore; + siglongjmp(toplevel, 1); +} + +void +lostpeer(int ignore) +{ + (void)ignore; + + if (connected) { + if (cout != NULL) { + shutdown(fileno(cout), 1+1); + fclose(cout); + cout = NULL; + } + if (data >= 0) { + shutdown(data, 1+1); + close(data); + data = -1; + } + connected = 0; + } + pswitch(1); + if (connected) { + if (cout != NULL) { + shutdown(fileno(cout), 1+1); + fclose(cout); + cout = NULL; + } + connected = 0; + } + proxflag = 0; + pswitch(0); +} + +/*char * +tail(filename) + char *filename; +{ + register char *s; + + while (*filename) { + s = rindex(filename, '/'); + if (s == NULL) + break; + if (s[1]) + return (s + 1); + *s = '\0'; + } + return (filename); +} +*/ + +static char *get_input_line(char *buf, int buflen) +{ +#ifdef __USE_READLINE__ + if (fromatty && !rl_inhibit) { + char *lineread = readline("ftp> "); + if (!lineread) return NULL; + strncpy(buf, lineread, buflen); + buf[buflen-1] = 0; + if (lineread[0]) add_history(lineread); + free(lineread); + return buf; + } +#endif + if (fromatty) { + printf("ftp> "); + fflush(stdout); + } + return fgets(buf, buflen, stdin); +} + + +/* + * Command parser. + */ +static void +cmdscanner(int top) +{ + int margc; + char *marg; + char **margv; + register struct cmd *c; + register int l; + + if (!top) + (void) putchar('\n'); + for (;;) { + if (!get_input_line(line, sizeof(line))) { + quit(); + } + l = strlen(line); + if (l == 0) + break; + if (line[--l] == '\n') { + if (l == 0) + break; + line[l] = '\0'; + } + else if (l == sizeof(line) - 2) { + printf("sorry, input line too long\n"); + while ((l = getchar()) != '\n' && l != EOF) + /* void */; + break; + } /* else it was a line without a newline */ + margv = makeargv(&margc, &marg); + if (margc == 0) { + continue; + } + c = getcmd(margv[0]); + if (c == (struct cmd *)-1) { + printf("?Ambiguous command\n"); + continue; + } + if (c == NULL) { + printf("?Invalid command\n"); + continue; + } + if (c->c_conn && !connected) { + printf("Not connected.\n"); + continue; + } + if (c->c_handler_v) c->c_handler_v(margc, margv); + else if (c->c_handler_0) c->c_handler_0(); + else c->c_handler_1(marg); + + if (bell && c->c_bell) putchar('\007'); + if (c->c_handler_v != help) + break; + } + (void) signal(SIGINT, intr); + (void) signal(SIGPIPE, lostpeer); +} + +struct cmd * +getcmd(const char *name) +{ + const char *p, *q; + struct cmd *c, *found; + int nmatches, longest; + + longest = 0; + nmatches = 0; + found = 0; + for (c = cmdtab; (p = c->c_name) != NULL; c++) { + for (q = name; *q == *p++; q++) + if (*q == 0) /* exact match? */ + return (c); + if (!*q) { /* the name was a prefix */ + if (q - name > longest) { + longest = q - name; + nmatches = 1; + found = c; + } else if (q - name == longest) + nmatches++; + } + } + if (nmatches > 1) + return ((struct cmd *)-1); + return (found); +} + +/* + * Slice a string up into argc/argv. + */ + +int slrflag; + +char ** +makeargv(int *pargc, char **parg) +{ + static char *rargv[20]; + int rargc = 0; + char **argp; + + argp = rargv; + stringbase = line; /* scan from first of buffer */ + argbase = argbuf; /* store from first of buffer */ + slrflag = 0; + while ((*argp++ = slurpstring())!=NULL) + rargc++; + + *pargc = rargc; + if (parg) *parg = altarg; + return rargv; +} + +/* + * Parse string into argbuf; + * implemented with FSM to + * handle quoting and strings + */ +static +char * +slurpstring(void) +{ + static char excl[] = "!", dols[] = "$"; + + int got_one = 0; + register char *sb = stringbase; + register char *ap = argbase; + char *tmp = argbase; /* will return this if token found */ + + if (*sb == '!' || *sb == '$') { /* recognize ! as a token for shell */ + switch (slrflag) { /* and $ as token for macro invoke */ + case 0: + slrflag++; + stringbase++; + return ((*sb == '!') ? excl : dols); + /* NOTREACHED */ + case 1: + slrflag++; + altarg = stringbase; + break; + default: + break; + } + } + +S0: + switch (*sb) { + + case '\0': + goto OUT; + + case ' ': + case '\t': + sb++; goto S0; + + default: + switch (slrflag) { + case 0: + slrflag++; + break; + case 1: + slrflag++; + altarg = sb; + break; + default: + break; + } + goto S1; + } + +S1: + switch (*sb) { + + case ' ': + case '\t': + case '\0': + goto OUT; /* end of token */ + + case '\\': + sb++; goto S2; /* slurp next character */ + + case '"': + sb++; goto S3; /* slurp quoted string */ + + default: + *ap++ = *sb++; /* add character to token */ + got_one = 1; + goto S1; + } + +S2: + switch (*sb) { + + case '\0': + goto OUT; + + default: + *ap++ = *sb++; + got_one = 1; + goto S1; + } + +S3: + switch (*sb) { + + case '\0': + goto OUT; + + case '"': + sb++; goto S1; + + default: + *ap++ = *sb++; + got_one = 1; + goto S3; + } + +OUT: + if (got_one) + *ap++ = '\0'; + argbase = ap; /* update storage pointer */ + stringbase = sb; /* update scan pointer */ + if (got_one) { + return(tmp); + } + switch (slrflag) { + case 0: + slrflag++; + break; + case 1: + slrflag++; + altarg = NULL; + break; + default: + break; + } + return NULL; +} + +#define HELPINDENT ((int) sizeof ("directory")) + +/* + * Help command. + * Call each command handler with argc == 0 and argv[0] == name. + */ +void +help(int argc, char *argv[]) +{ + struct cmd *c; + + if (argc == 1) { + int i, j, w; + unsigned k; + int columns, width = 0, lines; + + printf("Commands may be abbreviated. Commands are:\n\n"); + for (c = cmdtab; c < &cmdtab[NCMDS]; c++) { + int len = strlen(c->c_name); + + if (len > width) + width = len; + } + width = (width + 8) &~ 7; + columns = 80 / width; + if (columns == 0) + columns = 1; + lines = (NCMDS + columns - 1) / columns; + for (i = 0; i < lines; i++) { + for (j = 0; j < columns; j++) { + c = cmdtab + j * lines + i; + if (c->c_name && (!proxy || c->c_proxy)) { + printf("%s", c->c_name); + } + else if (c->c_name) { + for (k=0; k < strlen(c->c_name); k++) { + (void) putchar(' '); + } + } + if (c + lines >= &cmdtab[NCMDS]) { + printf("\n"); + break; + } + w = strlen(c->c_name); + while (w < width) { + w = (w + 8) &~ 7; + (void) putchar('\t'); + } + } + } + return; + } + while (--argc > 0) { + register char *arg; + arg = *++argv; + c = getcmd(arg); + if (c == (struct cmd *)-1) + printf("?Ambiguous help command %s\n", arg); + else if (c == NULL) + printf("?Invalid help command %s\n", arg); + else + printf("%-*s\t%s\n", HELPINDENT, + c->c_name, c->c_help); + } +} diff -u -r -N netkit-ftp-0.17/ftp/ssl_port.h netkit-ftp-0.17+ssl-0.2/ftp/ssl_port.h --- netkit-ftp-0.17/ftp/ssl_port.h Thu Jan 1 01:00:00 1970 +++ netkit-ftp-0.17+ssl-0.2/ftp/ssl_port.h Sun Sep 24 15:46:02 2000 @@ -0,0 +1,85 @@ +/* ssl_port.h - standard porting things + * + * The modifications to support SSLeay were done by Tim Hudson + * [EMAIL PROTECTED] + * + * You can do whatever you like with these patches except pretend that + * you wrote them. + * + * Email [EMAIL PROTECTED] to get instructions on how to + * join the mailing list that discusses SSLeay and also these patches. + * + */ + +#ifndef HEADER_SSL_PORT_H +#define HEADER_SSL_PORT_H + +#ifdef USE_SSL + +#include <stdio.h> + +#define OLDPROTO NOPROTO +#define NOPROTO +#include <openssl/buffer.h> +#undef NOPROTO +#define NOPROTO OLDPROTO + +#include <openssl/x509.h> +#include <openssl/ssl.h> +#include <openssl/err.h> + +extern SSL *ssl_con; +extern SSL_CTX *ssl_ctx; +extern int ssl_debug_flag; +extern int ssl_only_flag; +extern int ssl_active_flag; +extern int ssl_verify_flag; +extern int ssl_secure_flag; +extern int ssl_enabled; + +extern int ssl_encrypt_data; +extern SSL *ssl_data_con; +extern int ssl_data_active_flag; + +extern char *my_ssl_cert_file; +extern char *my_ssl_key_file; +extern int ssl_certsok_flag; + +extern int set_ssl_trace(SSL *s); + +extern FILE *cin, *cout; + +#define is_ssl_fd(X,Y) ( (SSL_get_fd((X))==0) || \ + (SSL_get_fd((X))==1) || \ + (SSL_get_fd((X))==pdata) || \ + (SSL_get_fd((X))==(Y)) \ + ) + +#define is_ssl_fp(X,Y) ( ( (SSL_get_fd((X))==0) && (fileno((Y))==0) ) || \ + ( (SSL_get_fd((X))==1) && (fileno((Y))==1) ) || \ + ( (SSL_get_fd((X))==pdata) && \ + (fileno((Y))==pdata) ) || \ + (SSL_get_fd((X))==fileno(Y)) \ + ) + +/* these macros make things much easier to handle ... */ + +#define FFLUSH(X) (ssl_active_flag && (((X)==cin)||((X)==cout)) ? 1 : fflush((X)) ) + +#define GETC(X) (ssl_active_flag && (((X)==cin)||((X)==cout)) ? ssl_getc(ssl_con) : getc((X)) ) + +#define DATAGETC(X) (ssl_data_active_flag && ((fileno(X)==data)||(fileno(X)==pdata)) ? ssl_getc(ssl_data_con) : getc((X)) ) +#define DATAPUTC(X,Y) (ssl_data_active_flag && ((fileno(Y)==data)||(fileno(Y)==pdata)) ? ssl_putc(ssl_data_con,(X)) : putc((X),(Y)) ) +#define DATAFLUSH(X) (ssl_data_active_flag && ((fileno(X)==data)||(fileno(X)==pdata)) ? ssl_putc_flush(ssl_data_con) : fflush((X)) ) + +#else + +#define GETC(X) getc((X)) +#define DATAGETC(X) getc((X)) +#define DATAPUTC(X,Y) putc((X),(Y)) +#define DATAFLUSH(X) fflush((X)) +#define FFLUSH(X) fflush((X)) + +#endif /* USE_SSL */ + +#endif /* HEADER_SSL_PORT_H */ diff -u -r -N netkit-ftp-0.17/ftp/sslapp.c netkit-ftp-0.17+ssl-0.2/ftp/sslapp.c --- netkit-ftp-0.17/ftp/sslapp.c Thu Jan 1 01:00:00 1970 +++ netkit-ftp-0.17+ssl-0.2/ftp/sslapp.c Sun Sep 24 18:07:23 2000 @@ -0,0 +1,186 @@ +/* sslapp.c - ssl application code */ + +/* + * The modifications to support SSLeay were done by Tim Hudson + * [EMAIL PROTECTED] + * + * You can do whatever you like with these patches except pretend that + * you wrote them. + * + * Email [EMAIL PROTECTED] to get instructions on how to + * join the mailing list that discusses SSLeay and also these patches. + * + */ + +#ifdef USE_SSL + +#include "sslapp.h" + +SSL_CTX *ssl_ctx; +SSL *ssl_con; +int ssl_debug_flag=0; +int ssl_only_flag=0; +int ssl_active_flag=0; +int ssl_verify_flag=SSL_VERIFY_NONE; +int ssl_secure_flag=0; +int ssl_certsok_flag=0; +int ssl_cert_required=0; +int ssl_verbose_flag=0; +int ssl_disabled_flag=0; +char *ssl_cert_file=NULL; +char *ssl_key_file=NULL; +char *ssl_cipher_list=NULL; +char *ssl_log_file=NULL; + +/* fwd decl */ +static void +client_info_callback(SSL *s, int where, int ret); + +int +do_ssleay_init(int server) +{ + char *p; + + /* make sure we have somewhere we can log errors to */ + if (bio_err==NULL) { + if ((bio_err=BIO_new(BIO_s_file()))!=NULL) { + if (ssl_log_file==NULL) + BIO_set_fp(bio_err,stderr,BIO_NOCLOSE); + else { + if (BIO_write_filename(bio_err,ssl_log_file)<=0) { + /* not a lot we can do */ + } + } + } + } + + /* rather simple things these days ... the old SSL_LOG and SSL_ERR + * vars are long gone now SSLeay8 has rolled around and we have + * a clean interface for doing things + */ + if (ssl_debug_flag) + BIO_printf(bio_err,"SSL_DEBUG_FLAG on\r\n"); + + + /* init things so we will get meaningful error messages + * rather than numbers + */ + SSL_load_error_strings(); + + SSLeay_add_ssl_algorithms(); + ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_method()); + + /* we may require a temp 512 bit RSA key because of the + * wonderful way export things work ... if so we generate + * one now! + */ + if (server) { + if (SSL_CTX_need_tmp_RSA(ssl_ctx)) { + RSA *rsa; + + if (ssl_debug_flag) + BIO_printf(bio_err,"Generating temp (512 bit) RSA key ...\r\n"); + rsa=RSA_generate_key(512,RSA_F4,NULL,NULL); + if (ssl_debug_flag) + BIO_printf(bio_err,"Generation of temp (512 bit) RSA key done\r\n"); + + if (!SSL_CTX_set_tmp_rsa(ssl_ctx,rsa)) { + BIO_printf(bio_err,"Failed to assign generated temp RSA key!\r\n"); + } + RSA_free(rsa); + if (ssl_debug_flag) + BIO_printf(bio_err,"Assigned temp (512 bit) RSA key\r\n"); + } + } + + /* also switch on all the interoperability and bug + * workarounds so that we will communicate with people + * that cannot read poorly written specs :-) + */ + SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); + + /* the user can set whatever ciphers they want to use */ + if (ssl_cipher_list==NULL) { + p=getenv("SSL_CIPHER"); + if (p!=NULL) + SSL_CTX_set_cipher_list(ssl_ctx,p); + } else + SSL_CTX_set_cipher_list(ssl_ctx,ssl_cipher_list); + + /* for verbose we use the 0.6.x info callback that I got + * eric to finally add into the code :-) --tjh + */ + if (ssl_verbose_flag) { + SSL_CTX_set_info_callback(ssl_ctx,client_info_callback); + } + + /* Add in any certificates if you want to here ... */ + if (ssl_cert_file) { + if (!SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_file, + X509_FILETYPE_PEM)) { + BIO_printf(bio_err,"Error loading %s: ",ssl_cert_file); + ERR_print_errors(bio_err); + BIO_printf(bio_err,"\r\n"); + return(0); + } else { + if (!ssl_key_file) + ssl_key_file = ssl_cert_file; + if (!SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, ssl_key_file, + X509_FILETYPE_PEM)) { + BIO_printf(bio_err,"Error loading %s: ",ssl_key_file); + ERR_print_errors(bio_err); + BIO_printf(bio_err,"\r\n"); + return(0); + } + } + } + + /* make sure we will find certificates in the standard + * location ... otherwise we don't look anywhere for + * these things which is going to make client certificate + * exchange rather useless :-) + */ + SSL_CTX_set_default_verify_paths(ssl_ctx); + + /* now create a connection */ + ssl_con=(SSL *)SSL_new(ssl_ctx); + SSL_set_verify(ssl_con,ssl_verify_flag,NULL); + +#if 0 + SSL_set_verify(ssl_con,ssl_verify_flag,client_verify_callback); +#endif + + return(1); +} + + +static void +client_info_callback(SSL *s, int where, int ret) +{ + if (where==SSL_CB_CONNECT_LOOP) { + BIO_printf(bio_err,"SSL_connect:%s %s\r\n", + SSL_state_string(s),SSL_state_string_long(s)); + } else if (where==SSL_CB_CONNECT_EXIT) { + if (ret == 0) { + BIO_printf(bio_err,"SSL_connect:failed in %s %s\r\n", + SSL_state_string(s),SSL_state_string_long(s)); + } else if (ret < 0) { + BIO_printf(bio_err,"SSL_connect:error in %s %s\r\n", + SSL_state_string(s),SSL_state_string_long(s)); + } + } +} + + +#else /* !USE_SSL */ + +/* something here to stop warnings if we build without SSL support */ +static int dummy_func() +{ + int i; + + i++; +} + +#endif /* USE_SSL */ + diff -u -r -N netkit-ftp-0.17/ftp/sslapp.h netkit-ftp-0.17+ssl-0.2/ftp/sslapp.h --- netkit-ftp-0.17/ftp/sslapp.h Thu Jan 1 01:00:00 1970 +++ netkit-ftp-0.17+ssl-0.2/ftp/sslapp.h Sun Sep 24 18:07:48 2000 @@ -0,0 +1,63 @@ +/* sslapp.h - ssl application code */ + +/* + * The modifications to support SSLeay were done by Tim Hudson + * [EMAIL PROTECTED] + * + * You can do whatever you like with these patches except pretend that + * you wrote them. + * + * Email [EMAIL PROTECTED] to get instructions on how to + * join the mailing list that discusses SSLeay and also these patches. + * + */ + +#ifdef USE_SSL + +#include <stdio.h> + +#include <openssl/crypto.h> + +#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n) +#define ONELINE_NAME(X) X509_NAME_oneline(X,NULL,0) + +#define OLDPROTO NOPROTO +#define NOPROTO +#include <openssl/bio.h> +#undef NOPROTO +#define NOPROTO OLDPROTO +#undef OLDPROTO +#include <openssl/buffer.h> + +#include <openssl/x509.h> +#include <openssl/ssl.h> +#include <openssl/err.h> + +extern BIO *bio_err; +extern SSL *ssl_con; +extern SSL_CTX *ssl_ctx; +extern int ssl_debug_flag; +extern int ssl_only_flag; +extern int ssl_active_flag; +extern int ssl_verify_flag; +extern int ssl_secure_flag; +extern int ssl_verbose_flag; +extern int ssl_disabled_flag; +extern int ssl_cert_required; +extern int ssl_certsok_flag; + +extern char *ssl_log_file; +extern char *ssl_cert_file; +extern char *ssl_key_file; +extern char *ssl_cipher_list; + +/* we hide all the initialisation code in a separate file now */ +extern int do_ssleay_init(int server); + +/*extern int display_connect_details(); +extern int server_verify_callback(); +extern int client_verify_callback();*/ + +#endif /* USE_SSL */ + +
diff -urN netkit-ftp-0.17.old/ftp/ftp.c netkit-ftp-0.17.new/ftp/ftp.c --- netkit-ftp-0.17.old/ftp/ftp.c 2003-03-18 18:33:49.000000000 -0300 +++ netkit-ftp-0.17.new/ftp/ftp.c 2003-03-18 18:37:17.000000000 -0300 @@ -1811,7 +1811,7 @@ */ if (ssl_secure_flag) return ERROR; - } else if (n == CONTINUE ) { + } else if (n == CONTINUE || n == COMPLETE) { /* do SSL */ ssl_con=(SSL *)SSL_new(ssl_ctx);
-- http://linuxfromscratch.org/mailman/listinfo/lfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page