168
|
1 /*****************************************************************************/
|
|
2 /* sslcommon.c - interface to OpenSSL */
|
|
3 /* Copyright (C) 1998-2003 Brian Masney <masneyb@gftp.org> */
|
|
4 /* */
|
|
5 /* This program is free software; you can redistribute it and/or modify */
|
|
6 /* it under the terms of the GNU General Public License as published by */
|
|
7 /* the Free Software Foundation; either version 2 of the License, or */
|
|
8 /* (at your option) any later version. */
|
|
9 /* */
|
|
10 /* This program is distributed in the hope that it will be useful, */
|
|
11 /* but WITHOUT ANY WARRANTY; without even the implied warranty of */
|
|
12 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
|
|
13 /* GNU General Public License for more details. */
|
|
14 /* */
|
|
15 /* You should have received a copy of the GNU General Public License */
|
|
16 /* along with this program; if not, write to the Free Software */
|
|
17 /* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111 USA */
|
|
18 /*****************************************************************************/
|
|
19
|
|
20 #include "gftp.h"
|
|
21
|
|
22 static const char cvsid[] = "$Id$";
|
|
23
|
|
24 /* Some of the functions in here was taken either entirely or partially from
|
|
25 * the O'Reilly book Network Security with OpenSSL */
|
|
26
|
169
|
27 #ifdef USE_SSL
|
|
28
|
174
|
29 static gftp_config_vars config_vars[] =
|
|
30 {
|
|
31 {"", N_("SSL Engine"), gftp_option_type_notebook, NULL, NULL, 0, NULL,
|
|
32 GFTP_PORT_GTK, NULL},
|
|
33
|
|
34 {"entropy_source", N_("SSL Entropy File:"),
|
|
35 gftp_option_type_text, "/dev/urandom", NULL, 0,
|
|
36 N_("SSL entropy file"), GFTP_PORT_ALL, 0},
|
|
37 {NULL, NULL, 0, NULL, NULL, 0, NULL, 0, NULL}
|
|
38 };
|
|
39
|
168
|
40 static SSL_CTX * ctx = NULL;
|
|
41
|
|
42 static volatile int gftp_ssl_initialized = 0;
|
|
43
|
174
|
44 void
|
|
45 ssl_register_module (void)
|
|
46 {
|
|
47 static volatile int module_registered = 0;
|
|
48
|
|
49 if (!module_registered)
|
|
50 {
|
|
51 gftp_register_config_vars (config_vars);
|
|
52 module_registered = 1;
|
|
53 }
|
|
54 }
|
|
55
|
|
56
|
168
|
57 static int
|
|
58 gftp_ssl_verify_callback (int ok, X509_STORE_CTX *store)
|
|
59 {
|
|
60 char data[256];
|
|
61
|
|
62 if (!ok)
|
|
63 {
|
|
64 X509 *cert = X509_STORE_CTX_get_current_cert (store);
|
|
65 int depth = X509_STORE_CTX_get_error_depth (store);
|
|
66 int err = X509_STORE_CTX_get_error (store);
|
|
67
|
|
68 fprintf (stderr, "-Error with certificate at depth: %i\n", depth);
|
|
69 X509_NAME_oneline (X509_get_issuer_name (cert), data, sizeof (data));
|
|
70 fprintf (stderr, " issuer = %s\n", data);
|
|
71 X509_NAME_oneline (X509_get_subject_name (cert), data, sizeof (data));
|
|
72 fprintf (stderr, " subject = %s\n", data);
|
|
73 fprintf (stderr, " err %i:%s\n", err, X509_verify_cert_error_string (err));
|
|
74 }
|
|
75
|
|
76 return ok;
|
|
77 }
|
|
78
|
|
79
|
|
80 static int
|
|
81 gftp_ssl_post_connection_check (gftp_request * request)
|
|
82 {
|
|
83 char data[256], *extstr;
|
|
84 int extcount, ok, i, j;
|
|
85 X509_EXTENSION *ext;
|
|
86 X509_NAME *subj;
|
|
87 X509 *cert;
|
|
88
|
|
89 ok = 0;
|
|
90 if (!(cert = SSL_get_peer_certificate (request->ssl)))
|
|
91 {
|
|
92 request->logging_function (gftp_logging_error, request->user_data,
|
|
93 _("Cannot get peer certificate\n"));
|
|
94 return (X509_V_ERR_APPLICATION_VERIFICATION);
|
|
95 }
|
|
96
|
|
97 if ((extcount = X509_get_ext_count (cert)) > 0)
|
|
98 {
|
|
99 for (i = 0; i < extcount; i++)
|
|
100 {
|
|
101 ext = X509_get_ext (cert, i);
|
|
102 extstr = (char *) OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext)));
|
|
103
|
|
104 if (strcmp (extstr, "subjectAltName") == 0)
|
|
105 {
|
|
106 unsigned char *data;
|
|
107 STACK_OF(CONF_VALUE) *val;
|
|
108 CONF_VALUE *nval;
|
|
109 X509V3_EXT_METHOD *meth;
|
|
110 void *ext_str = NULL;
|
|
111
|
|
112 if (!(meth = X509V3_EXT_get(ext)))
|
|
113 break;
|
|
114 data = ext->value->data;
|
|
115
|
|
116 #if (OPENSSL_VERSION_NUMBER > 0x00907000L)
|
|
117 if (meth->it)
|
|
118 ext_str = ASN1_item_d2i(NULL, &data, ext->value->length,
|
|
119 ASN1_ITEM_ptr(meth->it));
|
|
120 else
|
|
121 ext_str = meth->d2i(NULL, &data, ext->value->length);
|
|
122 #else
|
|
123 ext_str = meth->d2i(NULL, &data, ext->value->length);
|
|
124 #endif
|
|
125 val = meth->i2v(meth, ext_str, NULL);
|
|
126 for (j = 0; j < sk_CONF_VALUE_num(val); j++)
|
|
127 {
|
|
128 nval = sk_CONF_VALUE_value(val, j);
|
|
129 if (strcmp(nval->name, "DNS") == 0 && strcmp(nval->value, request->hostname) == 0)
|
|
130 {
|
|
131 ok = 1;
|
|
132 break;
|
|
133 }
|
|
134 }
|
|
135 }
|
|
136 if (ok)
|
|
137 break;
|
|
138 }
|
|
139 }
|
|
140
|
|
141 /* FIXME
|
|
142 if (!ok && (subj = X509_get_subject_name (cert)) &&
|
|
143 X509_NAME_get_text_by_NID (subj, NID_commonName, data, 256) > 0)
|
|
144 {
|
|
145 data[sizeof (data) - 1] = '\0';
|
|
146 if (strcasecmp (data, request->hostname) != 0)
|
|
147 {
|
|
148 request->logging_function (gftp_logging_error, request->user_data,
|
|
149 _("The SSL certificate's host %s does not match the host %s that we connected to\n"),
|
|
150 data, request->hostname);
|
|
151 X509_free (cert);
|
|
152 return (X509_V_ERR_APPLICATION_VERIFICATION);
|
|
153 }
|
|
154 }
|
|
155 */
|
|
156
|
|
157 X509_free (cert);
|
|
158 return (SSL_get_verify_result(request->ssl));
|
|
159 }
|
|
160
|
|
161
|
|
162 int
|
|
163 gftp_ssl_startup (gftp_request * request)
|
|
164 {
|
174
|
165 char *entropy_source;
|
|
166
|
173
|
167 if (gftp_ssl_initialized)
|
|
168 return (0);
|
|
169
|
168
|
170 gftp_ssl_initialized = 1;
|
|
171
|
|
172 /* FIXME _ thread setup */
|
|
173 if (!SSL_library_init ())
|
|
174 {
|
173
|
175 request->logging_function (gftp_logging_error, request->user_data,
|
|
176 _("Cannot initialized the OpenSSL library\n"));
|
168
|
177 return (GFTP_EFATAL);
|
|
178 }
|
|
179
|
|
180 SSL_load_error_strings ();
|
174
|
181
|
|
182 gftp_lookup_request_option (request, "entropy_source", &entropy_source);
|
|
183 RAND_load_file (entropy_source, 1024);
|
168
|
184
|
|
185 ctx = SSL_CTX_new (SSLv23_method ());
|
|
186
|
|
187 if (SSL_CTX_set_default_verify_paths (ctx) != 1)
|
|
188 {
|
|
189 request->logging_function (gftp_logging_error, request->user_data,
|
|
190 _("Error loading default SSL certificates\n"));
|
173
|
191 return (GFTP_EFATAL);
|
168
|
192 }
|
|
193
|
|
194 SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, gftp_ssl_verify_callback);
|
|
195 SSL_CTX_set_verify_depth (ctx, 4);
|
|
196 SSL_CTX_set_options (ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
|
|
197
|
|
198 if (SSL_CTX_set_cipher_list (ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)
|
|
199 {
|
|
200 request->logging_function (gftp_logging_error, request->user_data,
|
|
201 _("Error setting cipher list (no valid ciphers)\n"));
|
|
202 return (GFTP_EFATAL);
|
|
203 }
|
|
204
|
|
205 return (0);
|
|
206 }
|
|
207
|
|
208
|
|
209 int
|
|
210 gftp_ssl_session_setup (gftp_request * request)
|
|
211 {
|
|
212 BIO * bio;
|
|
213 long ret;
|
|
214
|
169
|
215 g_return_val_if_fail (request->datafd > 0, GFTP_EFATAL);
|
168
|
216
|
|
217 if (!gftp_ssl_initialized)
|
|
218 {
|
|
219 request->logging_function (gftp_logging_error, request->user_data,
|
|
220 _("Error: SSL engine was not initialized\n"));
|
|
221 return (GFTP_EFATAL);
|
|
222 }
|
|
223
|
169
|
224 if (gftp_fd_set_sockblocking (request, request->datafd, 0) < 0) /* FIXME */
|
168
|
225 {
|
|
226 gftp_disconnect (request);
|
|
227 return (GFTP_ERETRYABLE);
|
|
228 }
|
|
229
|
|
230 if ((bio = BIO_new (BIO_s_socket ())) == NULL)
|
|
231 {
|
|
232 request->logging_function (gftp_logging_error, request->user_data,
|
|
233 _("Error setting up SSL connection (BIO object)\n"));
|
|
234 return (GFTP_EFATAL);
|
|
235 }
|
|
236
|
169
|
237 BIO_set_fd (bio, request->datafd, BIO_NOCLOSE);
|
168
|
238
|
|
239 if ((request->ssl = SSL_new (ctx)) == NULL)
|
|
240 {
|
|
241 request->logging_function (gftp_logging_error, request->user_data,
|
|
242 _("Error setting up SSL connection (SSL object)\n"));
|
|
243 return (GFTP_EFATAL);
|
|
244 }
|
|
245
|
|
246 SSL_set_bio (request->ssl, bio, bio);
|
|
247
|
|
248 if (SSL_connect (request->ssl) <= 0)
|
|
249 {
|
|
250 request->logging_function (gftp_logging_error, request->user_data,
|
|
251 _("Error connecting to SSL object\n"));
|
|
252 return (GFTP_EFATAL);
|
|
253 }
|
|
254
|
|
255 if ((ret = gftp_ssl_post_connection_check (request)) != X509_V_OK)
|
|
256 {
|
|
257 request->logging_function (gftp_logging_error, request->user_data,
|
|
258 _("Error with peer certificate: %s\n"),
|
|
259 X509_verify_cert_error_string (ret));
|
|
260 return (GFTP_EFATAL);
|
|
261 }
|
|
262
|
|
263 request->logging_function (gftp_logging_misc, request->user_data,
|
|
264 "SSL connection established using %s (%s)\n",
|
|
265 SSL_get_cipher_version (request->ssl),
|
|
266 SSL_get_cipher_name (request->ssl));
|
|
267
|
|
268 return (0);
|
|
269 }
|
|
270
|
|
271
|
|
272 ssize_t
|
|
273 gftp_ssl_read (gftp_request * request, void *ptr, size_t size, int fd)
|
|
274 {
|
|
275 ssize_t ret;
|
|
276 int err;
|
|
277
|
|
278 if (!gftp_ssl_initialized)
|
|
279 {
|
|
280 request->logging_function (gftp_logging_error, request->user_data,
|
|
281 _("Error: SSL engine was not initialized\n"));
|
|
282 return (GFTP_EFATAL);
|
|
283 }
|
|
284
|
|
285 errno = 0;
|
|
286 ret = 0;
|
|
287 do
|
|
288 {
|
|
289 if ((ret = SSL_read (request->ssl, ptr, size)) < 0)
|
|
290 {
|
|
291 err = SSL_get_error (request->ssl, ret);
|
|
292 printf ("error is %d\n", err);
|
|
293 if (errno == EINTR)
|
|
294 {
|
|
295 if (request != NULL && request->cancel)
|
|
296 break;
|
|
297 else
|
|
298 continue;
|
|
299 }
|
|
300
|
|
301 if (request != NULL)
|
|
302 {
|
|
303 request->logging_function (gftp_logging_error, request->user_data,
|
|
304 _("Error: Could not read from socket: %s\n"),
|
|
305 g_strerror (errno));
|
|
306 gftp_disconnect (request);
|
|
307 }
|
|
308 return (GFTP_ERETRYABLE);
|
|
309 }
|
|
310 }
|
|
311 while (errno == EINTR && !(request != NULL && request->cancel));
|
|
312
|
|
313 if (errno == EINTR && request != NULL && request->cancel)
|
|
314 {
|
|
315 gftp_disconnect (request);
|
|
316 return (GFTP_ERETRYABLE);
|
|
317 }
|
|
318
|
|
319 return (ret);
|
|
320 }
|
|
321
|
|
322
|
|
323 ssize_t
|
|
324 gftp_ssl_write (gftp_request * request, const char *ptr, size_t size, int fd)
|
|
325 {
|
|
326 size_t ret, w_ret;
|
|
327
|
|
328 if (!gftp_ssl_initialized)
|
|
329 {
|
|
330 request->logging_function (gftp_logging_error, request->user_data,
|
|
331 _("Error: SSL engine was not initialized\n"));
|
|
332 return (GFTP_EFATAL);
|
|
333 }
|
|
334
|
|
335 ret = 0;
|
|
336 do
|
|
337 {
|
|
338 w_ret = SSL_write (request->ssl, ptr, size);
|
|
339 if (w_ret <= 0)
|
|
340 {
|
|
341 if (errno == EINTR)
|
|
342 {
|
|
343 if (request != NULL && request->cancel)
|
|
344 break;
|
|
345 else
|
|
346 continue;
|
|
347 }
|
|
348
|
|
349 if (request != NULL)
|
|
350 {
|
|
351 request->logging_function (gftp_logging_error, request->user_data,
|
|
352 _("Error: Could not write to socket: %s\n"),
|
|
353 g_strerror (errno));
|
|
354 gftp_disconnect (request);
|
|
355 }
|
|
356 return (GFTP_ERETRYABLE);
|
|
357 }
|
|
358 ptr += w_ret;
|
|
359 size -= w_ret;
|
|
360 ret += w_ret;
|
|
361 }
|
|
362 while (size > 0);
|
|
363
|
|
364 if (errno == EINTR && request != NULL && request->cancel)
|
|
365 {
|
|
366 gftp_disconnect (request);
|
|
367 return (GFTP_ERETRYABLE);
|
|
368 }
|
|
369
|
|
370 return (ret);
|
|
371 }
|
|
372
|
|
373 #endif
|