168
|
1 /*****************************************************************************/
|
|
2 /* sslcommon.c - interface to OpenSSL */
|
|
3 /* Copyright (C) 1998-2003 Brian Masney <masneyb@gftp.org> */
|
|
4 /* */
|
|
5 /* This program is free software; you can redistribute it and/or modify */
|
|
6 /* it under the terms of the GNU General Public License as published by */
|
|
7 /* the Free Software Foundation; either version 2 of the License, or */
|
|
8 /* (at your option) any later version. */
|
|
9 /* */
|
|
10 /* This program is distributed in the hope that it will be useful, */
|
|
11 /* but WITHOUT ANY WARRANTY; without even the implied warranty of */
|
|
12 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
|
|
13 /* GNU General Public License for more details. */
|
|
14 /* */
|
|
15 /* You should have received a copy of the GNU General Public License */
|
|
16 /* along with this program; if not, write to the Free Software */
|
|
17 /* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111 USA */
|
|
18 /*****************************************************************************/
|
|
19
|
|
20 #include "gftp.h"
|
|
21
|
|
22 static const char cvsid[] = "$Id$";
|
|
23
|
|
24 /* Some of the functions in here was taken either entirely or partially from
|
|
25 * the O'Reilly book Network Security with OpenSSL */
|
|
26
|
169
|
27 #ifdef USE_SSL
|
|
28
|
174
|
29 static gftp_config_vars config_vars[] =
|
|
30 {
|
|
31 {"", N_("SSL Engine"), gftp_option_type_notebook, NULL, NULL, 0, NULL,
|
|
32 GFTP_PORT_GTK, NULL},
|
|
33
|
|
34 {"entropy_source", N_("SSL Entropy File:"),
|
|
35 gftp_option_type_text, "/dev/urandom", NULL, 0,
|
|
36 N_("SSL entropy file"), GFTP_PORT_ALL, 0},
|
175
|
37 {"entropy_len", N_("Entropy Seed Length:"),
|
|
38 gftp_option_type_int, GINT_TO_POINTER(1024), NULL, 0,
|
|
39 N_("The maximum number of bytes to seed the SSL engine with"),
|
|
40 GFTP_PORT_ALL, 0},
|
416
|
41 {"verify_ssl_peer", N_("Verify SSL Peer"),
|
|
42 gftp_option_type_checkbox, GINT_TO_POINTER(1), NULL, 0,
|
|
43 N_("Verify SSL Peer"), GFTP_PORT_ALL, NULL},
|
175
|
44
|
174
|
45 {NULL, NULL, 0, NULL, NULL, 0, NULL, 0, NULL}
|
|
46 };
|
|
47
|
199
|
48 static GMutex ** gftp_ssl_mutexes = NULL;
|
|
49 static volatile int gftp_ssl_initialized = 0;
|
168
|
50 static SSL_CTX * ctx = NULL;
|
|
51
|
199
|
52 struct CRYPTO_dynlock_value
|
|
53 {
|
|
54 GMutex * mutex;
|
|
55 };
|
|
56
|
168
|
57
|
174
|
58 void
|
|
59 ssl_register_module (void)
|
|
60 {
|
|
61 static volatile int module_registered = 0;
|
|
62
|
|
63 if (!module_registered)
|
|
64 {
|
|
65 gftp_register_config_vars (config_vars);
|
|
66 module_registered = 1;
|
|
67 }
|
|
68 }
|
|
69
|
|
70
|
175
|
71 static int
|
|
72 gftp_ssl_get_index (void)
|
|
73 {
|
|
74 static volatile int index = -1;
|
|
75
|
|
76 if (index < 0)
|
|
77 index = SSL_get_ex_new_index (0, gftp_version, NULL, NULL, NULL);
|
|
78
|
|
79 return index;
|
|
80 }
|
|
81
|
|
82
|
168
|
83 static int
|
|
84 gftp_ssl_verify_callback (int ok, X509_STORE_CTX *store)
|
|
85 {
|
175
|
86 char issuer[256], subject[256];
|
|
87 gftp_request * request;
|
|
88 SSL * ssl;
|
|
89
|
|
90 ssl = X509_STORE_CTX_get_ex_data (store, SSL_get_ex_data_X509_STORE_CTX_idx ());
|
|
91 request = SSL_get_ex_data (ssl, gftp_ssl_get_index ());
|
168
|
92
|
|
93 if (!ok)
|
|
94 {
|
|
95 X509 *cert = X509_STORE_CTX_get_current_cert (store);
|
|
96 int depth = X509_STORE_CTX_get_error_depth (store);
|
|
97 int err = X509_STORE_CTX_get_error (store);
|
|
98
|
175
|
99 X509_NAME_oneline (X509_get_issuer_name (cert), issuer, sizeof (issuer));
|
|
100 X509_NAME_oneline (X509_get_subject_name (cert), subject, sizeof (subject));
|
186
|
101 request->logging_function (gftp_logging_error, request,
|
|
102 _("Error with certificate at depth: %i\nIssuer = %s\nSubject = %s\nError %i:%s\n"),
|
175
|
103 depth, issuer, subject, err,
|
|
104 X509_verify_cert_error_string (err));
|
168
|
105 }
|
|
106
|
|
107 return ok;
|
|
108 }
|
|
109
|
|
110
|
|
111 static int
|
|
112 gftp_ssl_post_connection_check (gftp_request * request)
|
|
113 {
|
|
114 char data[256], *extstr;
|
|
115 int extcount, ok, i, j;
|
|
116 X509_EXTENSION *ext;
|
|
117 X509_NAME *subj;
|
|
118 X509 *cert;
|
|
119
|
|
120 ok = 0;
|
|
121 if (!(cert = SSL_get_peer_certificate (request->ssl)))
|
|
122 {
|
186
|
123 request->logging_function (gftp_logging_error, request,
|
168
|
124 _("Cannot get peer certificate\n"));
|
|
125 return (X509_V_ERR_APPLICATION_VERIFICATION);
|
|
126 }
|
|
127
|
|
128 if ((extcount = X509_get_ext_count (cert)) > 0)
|
|
129 {
|
|
130 for (i = 0; i < extcount; i++)
|
|
131 {
|
|
132 ext = X509_get_ext (cert, i);
|
|
133 extstr = (char *) OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext)));
|
|
134
|
|
135 if (strcmp (extstr, "subjectAltName") == 0)
|
|
136 {
|
199
|
137 unsigned char *data;
|
|
138 STACK_OF(CONF_VALUE) *val;
|
|
139 CONF_VALUE *nval;
|
|
140 X509V3_EXT_METHOD *meth;
|
|
141 void *ext_str = NULL;
|
168
|
142
|
199
|
143 if (!(meth = X509V3_EXT_get (ext)))
|
|
144 break;
|
|
145
|
|
146 data = ext->value->data;
|
168
|
147
|
|
148 #if (OPENSSL_VERSION_NUMBER > 0x00907000L)
|
199
|
149 if (meth->it)
|
|
150 ext_str = ASN1_item_d2i (NULL, &data, ext->value->length,
|
|
151 ASN1_ITEM_ptr (meth->it));
|
|
152 else
|
|
153 ext_str = meth->d2i (NULL, &data, ext->value->length);
|
168
|
154 #else
|
199
|
155 ext_str = meth->d2i(NULL, &data, ext->value->length);
|
168
|
156 #endif
|
199
|
157 val = meth->i2v(meth, ext_str, NULL);
|
|
158
|
|
159 for (j = 0; j < sk_CONF_VALUE_num(val); j++)
|
|
160 {
|
|
161 nval = sk_CONF_VALUE_value (val, j);
|
|
162 if (strcmp (nval->name, "DNS") == 0 &&
|
|
163 strcmp (nval->value, request->hostname) == 0)
|
|
164 {
|
|
165 ok = 1;
|
|
166 break;
|
|
167 }
|
|
168 }
|
|
169 }
|
|
170
|
|
171 if (ok)
|
|
172 break;
|
|
173 }
|
168
|
174 }
|
215
|
175
|
199
|
176 if (!ok && (subj = X509_get_subject_name (cert)) &&
|
|
177 X509_NAME_get_text_by_NID (subj, NID_commonName, data, 256) > 0)
|
|
178 {
|
|
179 data[sizeof (data) - 1] = '\0';
|
|
180 if (strcasecmp (data, request->hostname) != 0)
|
|
181 {
|
|
182 request->logging_function (gftp_logging_error, request,
|
|
183 _("ERROR: The host in the SSL certificate (%s) does not match the host that we connected to (%s). Aborting connection.\n"),
|
|
184 data, request->hostname);
|
|
185 X509_free (cert);
|
|
186 return (X509_V_ERR_APPLICATION_VERIFICATION);
|
|
187 }
|
|
188 }
|
168
|
189
|
|
190 X509_free (cert);
|
199
|
191
|
168
|
192 return (SSL_get_verify_result(request->ssl));
|
|
193 }
|
|
194
|
|
195
|
199
|
196 static void
|
|
197 _gftp_ssl_locking_function (int mode, int n, const char * file, int line)
|
|
198 {
|
|
199 if (mode & CRYPTO_LOCK)
|
|
200 g_mutex_lock (gftp_ssl_mutexes[n]);
|
|
201 else
|
|
202 g_mutex_unlock (gftp_ssl_mutexes[n]);
|
|
203 }
|
|
204
|
|
205
|
|
206 static unsigned long
|
|
207 _gftp_ssl_id_function (void)
|
|
208 {
|
|
209 #if GLIB_MAJOR_VERSION > 1
|
|
210 return ((unsigned long) g_thread_self ());
|
|
211 #else
|
210
|
212 /* FIXME _ call pthread version. Once this is done, the #ifdef below can be
|
|
213 removed */
|
199
|
214 return (0);
|
|
215 #endif
|
|
216 }
|
|
217
|
|
218
|
|
219 static struct CRYPTO_dynlock_value *
|
|
220 _gftp_ssl_create_dyn_mutex (const char *file, int line)
|
|
221 {
|
|
222 struct CRYPTO_dynlock_value *value;
|
|
223
|
|
224 value = g_malloc (sizeof (*value));
|
|
225 value->mutex = g_mutex_new ();
|
|
226 return (value);
|
|
227 }
|
|
228
|
|
229
|
|
230 static void
|
|
231 _gftp_ssl_dyn_mutex_lock (int mode, struct CRYPTO_dynlock_value *l,
|
|
232 const char *file, int line)
|
|
233 {
|
|
234 if (mode & CRYPTO_LOCK)
|
|
235 g_mutex_lock (l->mutex);
|
|
236 else
|
|
237 g_mutex_unlock (l->mutex);
|
|
238 }
|
|
239
|
|
240
|
|
241 static void
|
|
242 _gftp_ssl_destroy_dyn_mutex (struct CRYPTO_dynlock_value *l,
|
|
243 const char *file, int line)
|
|
244 {
|
|
245 g_mutex_free (l->mutex);
|
|
246 g_free (l);
|
|
247 }
|
|
248
|
|
249
|
|
250 static void
|
|
251 _gftp_ssl_thread_setup (void)
|
|
252 {
|
|
253 int i;
|
|
254
|
215
|
255 #if G_MAJOR_VERSION == 1
|
210
|
256 /* Thread setup isn't supported in glib 1.2 yet */
|
|
257 return;
|
|
258 #endif
|
|
259
|
199
|
260 gftp_ssl_mutexes = g_malloc (CRYPTO_num_locks( ) * sizeof (*gftp_ssl_mutexes));
|
|
261
|
|
262 for (i = 0; i < CRYPTO_num_locks ( ); i++)
|
|
263 gftp_ssl_mutexes[i] = g_mutex_new ();
|
|
264
|
|
265 CRYPTO_set_id_callback (_gftp_ssl_id_function);
|
|
266 CRYPTO_set_locking_callback (_gftp_ssl_locking_function);
|
|
267 CRYPTO_set_dynlock_create_callback (_gftp_ssl_create_dyn_mutex);
|
|
268 CRYPTO_set_dynlock_lock_callback (_gftp_ssl_dyn_mutex_lock);
|
|
269 CRYPTO_set_dynlock_destroy_callback (_gftp_ssl_destroy_dyn_mutex);
|
|
270 }
|
|
271
|
|
272
|
168
|
273 int
|
|
274 gftp_ssl_startup (gftp_request * request)
|
|
275 {
|
416
|
276 intptr_t entropy_len, verify_ssl_peer;
|
174
|
277 char *entropy_source;
|
|
278
|
173
|
279 if (gftp_ssl_initialized)
|
|
280 return (0);
|
|
281
|
168
|
282 gftp_ssl_initialized = 1;
|
|
283
|
199
|
284 if (g_thread_supported ())
|
|
285 _gftp_ssl_thread_setup ();
|
|
286
|
168
|
287 if (!SSL_library_init ())
|
|
288 {
|
186
|
289 request->logging_function (gftp_logging_error, request,
|
173
|
290 _("Cannot initialized the OpenSSL library\n"));
|
168
|
291 return (GFTP_EFATAL);
|
|
292 }
|
|
293
|
|
294 SSL_load_error_strings ();
|
174
|
295
|
416
|
296 gftp_lookup_request_option (request, "verify_ssl_peer", &verify_ssl_peer);
|
174
|
297 gftp_lookup_request_option (request, "entropy_source", &entropy_source);
|
175
|
298 gftp_lookup_request_option (request, "entropy_len", &entropy_len);
|
|
299 RAND_load_file (entropy_source, entropy_len);
|
168
|
300
|
|
301 ctx = SSL_CTX_new (SSLv23_method ());
|
|
302
|
|
303 if (SSL_CTX_set_default_verify_paths (ctx) != 1)
|
|
304 {
|
186
|
305 request->logging_function (gftp_logging_error, request,
|
168
|
306 _("Error loading default SSL certificates\n"));
|
173
|
307 return (GFTP_EFATAL);
|
168
|
308 }
|
|
309
|
416
|
310 if (verify_ssl_peer)
|
|
311 {
|
|
312 SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, gftp_ssl_verify_callback);
|
|
313 SSL_CTX_set_verify_depth (ctx, 9);
|
|
314 }
|
|
315
|
168
|
316 SSL_CTX_set_options (ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
|
|
317
|
|
318 if (SSL_CTX_set_cipher_list (ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)
|
|
319 {
|
186
|
320 request->logging_function (gftp_logging_error, request,
|
168
|
321 _("Error setting cipher list (no valid ciphers)\n"));
|
|
322 return (GFTP_EFATAL);
|
|
323 }
|
|
324
|
|
325 return (0);
|
|
326 }
|
|
327
|
|
328
|
|
329 int
|
|
330 gftp_ssl_session_setup (gftp_request * request)
|
|
331 {
|
416
|
332 intptr_t verify_ssl_peer;
|
168
|
333 BIO * bio;
|
|
334 long ret;
|
|
335
|
169
|
336 g_return_val_if_fail (request->datafd > 0, GFTP_EFATAL);
|
168
|
337
|
|
338 if (!gftp_ssl_initialized)
|
|
339 {
|
186
|
340 request->logging_function (gftp_logging_error, request,
|
168
|
341 _("Error: SSL engine was not initialized\n"));
|
215
|
342 gftp_disconnect (request);
|
168
|
343 return (GFTP_EFATAL);
|
|
344 }
|
|
345
|
199
|
346 /* FIXME - take this out. I need to find out how to do timeouts with the SSL
|
|
347 functions (a select() or poll() like function) */
|
|
348
|
|
349 if (gftp_fd_set_sockblocking (request, request->datafd, 0) < 0)
|
168
|
350 {
|
|
351 gftp_disconnect (request);
|
|
352 return (GFTP_ERETRYABLE);
|
|
353 }
|
|
354
|
|
355 if ((bio = BIO_new (BIO_s_socket ())) == NULL)
|
|
356 {
|
186
|
357 request->logging_function (gftp_logging_error, request,
|
168
|
358 _("Error setting up SSL connection (BIO object)\n"));
|
215
|
359 gftp_disconnect (request);
|
168
|
360 return (GFTP_EFATAL);
|
|
361 }
|
|
362
|
169
|
363 BIO_set_fd (bio, request->datafd, BIO_NOCLOSE);
|
168
|
364
|
|
365 if ((request->ssl = SSL_new (ctx)) == NULL)
|
|
366 {
|
186
|
367 request->logging_function (gftp_logging_error, request,
|
168
|
368 _("Error setting up SSL connection (SSL object)\n"));
|
215
|
369 gftp_disconnect (request);
|
168
|
370 return (GFTP_EFATAL);
|
|
371 }
|
|
372
|
|
373 SSL_set_bio (request->ssl, bio, bio);
|
175
|
374 SSL_set_ex_data (request->ssl, gftp_ssl_get_index (), request);
|
168
|
375
|
|
376 if (SSL_connect (request->ssl) <= 0)
|
215
|
377 {
|
|
378 gftp_disconnect (request);
|
|
379 return (GFTP_EFATAL);
|
|
380 }
|
168
|
381
|
416
|
382 gftp_lookup_request_option (request, "verify_ssl_peer", &verify_ssl_peer);
|
|
383
|
|
384 if (verify_ssl_peer &&
|
|
385 (ret = gftp_ssl_post_connection_check (request)) != X509_V_OK)
|
168
|
386 {
|
199
|
387 if (ret != X509_V_ERR_APPLICATION_VERIFICATION)
|
|
388 request->logging_function (gftp_logging_error, request,
|
|
389 _("Error with peer certificate: %s\n"),
|
|
390 X509_verify_cert_error_string (ret));
|
215
|
391 gftp_disconnect (request);
|
168
|
392 return (GFTP_EFATAL);
|
|
393 }
|
|
394
|
186
|
395 request->logging_function (gftp_logging_misc, request,
|
168
|
396 "SSL connection established using %s (%s)\n",
|
|
397 SSL_get_cipher_version (request->ssl),
|
|
398 SSL_get_cipher_name (request->ssl));
|
|
399
|
|
400 return (0);
|
|
401 }
|
|
402
|
|
403
|
|
404 ssize_t
|
|
405 gftp_ssl_read (gftp_request * request, void *ptr, size_t size, int fd)
|
|
406 {
|
|
407 ssize_t ret;
|
|
408 int err;
|
|
409
|
|
410 if (!gftp_ssl_initialized)
|
|
411 {
|
186
|
412 request->logging_function (gftp_logging_error, request,
|
168
|
413 _("Error: SSL engine was not initialized\n"));
|
|
414 return (GFTP_EFATAL);
|
|
415 }
|
|
416
|
|
417 errno = 0;
|
|
418 ret = 0;
|
|
419 do
|
|
420 {
|
|
421 if ((ret = SSL_read (request->ssl, ptr, size)) < 0)
|
|
422 {
|
|
423 err = SSL_get_error (request->ssl, ret);
|
|
424 if (errno == EINTR)
|
|
425 {
|
215
|
426 if (request->cancel)
|
168
|
427 break;
|
|
428 else
|
|
429 continue;
|
|
430 }
|
|
431
|
215
|
432 request->logging_function (gftp_logging_error, request,
|
168
|
433 _("Error: Could not read from socket: %s\n"),
|
|
434 g_strerror (errno));
|
215
|
435 gftp_disconnect (request);
|
|
436
|
168
|
437 return (GFTP_ERETRYABLE);
|
|
438 }
|
|
439 }
|
|
440 while (errno == EINTR && !(request != NULL && request->cancel));
|
|
441
|
|
442 if (errno == EINTR && request != NULL && request->cancel)
|
|
443 {
|
|
444 gftp_disconnect (request);
|
|
445 return (GFTP_ERETRYABLE);
|
|
446 }
|
|
447
|
|
448 return (ret);
|
|
449 }
|
|
450
|
|
451
|
|
452 ssize_t
|
|
453 gftp_ssl_write (gftp_request * request, const char *ptr, size_t size, int fd)
|
|
454 {
|
|
455 size_t ret, w_ret;
|
|
456
|
|
457 if (!gftp_ssl_initialized)
|
|
458 {
|
186
|
459 request->logging_function (gftp_logging_error, request,
|
168
|
460 _("Error: SSL engine was not initialized\n"));
|
|
461 return (GFTP_EFATAL);
|
|
462 }
|
|
463
|
|
464 ret = 0;
|
|
465 do
|
|
466 {
|
|
467 w_ret = SSL_write (request->ssl, ptr, size);
|
|
468 if (w_ret <= 0)
|
|
469 {
|
|
470 if (errno == EINTR)
|
|
471 {
|
|
472 if (request != NULL && request->cancel)
|
|
473 break;
|
|
474 else
|
|
475 continue;
|
|
476 }
|
|
477
|
215
|
478 request->logging_function (gftp_logging_error, request,
|
168
|
479 _("Error: Could not write to socket: %s\n"),
|
|
480 g_strerror (errno));
|
215
|
481 gftp_disconnect (request);
|
|
482
|
168
|
483 return (GFTP_ERETRYABLE);
|
|
484 }
|
|
485 ptr += w_ret;
|
|
486 size -= w_ret;
|
|
487 ret += w_ret;
|
|
488 }
|
|
489 while (size > 0);
|
|
490
|
|
491 if (errno == EINTR && request != NULL && request->cancel)
|
|
492 {
|
|
493 gftp_disconnect (request);
|
|
494 return (GFTP_ERETRYABLE);
|
|
495 }
|
|
496
|
|
497 return (ret);
|
|
498 }
|
|
499
|
|
500 #endif
|