168
|
1 /*****************************************************************************/
|
|
2 /* sslcommon.c - interface to OpenSSL */
|
885
|
3 /* Copyright (C) 1998-2007 Brian Masney <masneyb@gftp.org> */
|
168
|
4 /* */
|
|
5 /* This program is free software; you can redistribute it and/or modify */
|
|
6 /* it under the terms of the GNU General Public License as published by */
|
|
7 /* the Free Software Foundation; either version 2 of the License, or */
|
|
8 /* (at your option) any later version. */
|
|
9 /* */
|
|
10 /* This program is distributed in the hope that it will be useful, */
|
|
11 /* but WITHOUT ANY WARRANTY; without even the implied warranty of */
|
|
12 /* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */
|
|
13 /* GNU General Public License for more details. */
|
|
14 /* */
|
|
15 /* You should have received a copy of the GNU General Public License */
|
|
16 /* along with this program; if not, write to the Free Software */
|
|
17 /* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111 USA */
|
|
18 /*****************************************************************************/
|
|
19
|
|
20 #include "gftp.h"
|
|
21
|
|
22 static const char cvsid[] = "$Id$";
|
|
23
|
|
24 /* Some of the functions in here was taken either entirely or partially from
|
|
25 * the O'Reilly book Network Security with OpenSSL */
|
|
26
|
169
|
27 #ifdef USE_SSL
|
|
28
|
174
|
29 static gftp_config_vars config_vars[] =
|
|
30 {
|
|
31 {"", N_("SSL Engine"), gftp_option_type_notebook, NULL, NULL, 0, NULL,
|
|
32 GFTP_PORT_GTK, NULL},
|
|
33
|
|
34 {"entropy_source", N_("SSL Entropy File:"),
|
|
35 gftp_option_type_text, "/dev/urandom", NULL, 0,
|
|
36 N_("SSL entropy file"), GFTP_PORT_ALL, 0},
|
175
|
37 {"entropy_len", N_("Entropy Seed Length:"),
|
|
38 gftp_option_type_int, GINT_TO_POINTER(1024), NULL, 0,
|
|
39 N_("The maximum number of bytes to seed the SSL engine with"),
|
|
40 GFTP_PORT_ALL, 0},
|
416
|
41 {"verify_ssl_peer", N_("Verify SSL Peer"),
|
|
42 gftp_option_type_checkbox, GINT_TO_POINTER(1), NULL, 0,
|
|
43 N_("Verify SSL Peer"), GFTP_PORT_ALL, NULL},
|
175
|
44
|
174
|
45 {NULL, NULL, 0, NULL, NULL, 0, NULL, 0, NULL}
|
|
46 };
|
|
47
|
199
|
48 static GMutex ** gftp_ssl_mutexes = NULL;
|
|
49 static volatile int gftp_ssl_initialized = 0;
|
168
|
50 static SSL_CTX * ctx = NULL;
|
|
51
|
199
|
52 struct CRYPTO_dynlock_value
|
|
53 {
|
|
54 GMutex * mutex;
|
|
55 };
|
|
56
|
168
|
57
|
174
|
58 void
|
|
59 ssl_register_module (void)
|
|
60 {
|
|
61 static volatile int module_registered = 0;
|
|
62
|
|
63 if (!module_registered)
|
|
64 {
|
|
65 gftp_register_config_vars (config_vars);
|
|
66 module_registered = 1;
|
|
67 }
|
|
68 }
|
|
69
|
|
70
|
175
|
71 static int
|
|
72 gftp_ssl_get_index (void)
|
|
73 {
|
|
74 static volatile int index = -1;
|
|
75
|
|
76 if (index < 0)
|
|
77 index = SSL_get_ex_new_index (0, gftp_version, NULL, NULL, NULL);
|
|
78
|
|
79 return index;
|
|
80 }
|
|
81
|
|
82
|
168
|
83 static int
|
|
84 gftp_ssl_verify_callback (int ok, X509_STORE_CTX *store)
|
|
85 {
|
175
|
86 char issuer[256], subject[256];
|
431
|
87 intptr_t verify_ssl_peer;
|
175
|
88 gftp_request * request;
|
|
89 SSL * ssl;
|
|
90
|
|
91 ssl = X509_STORE_CTX_get_ex_data (store, SSL_get_ex_data_X509_STORE_CTX_idx ());
|
|
92 request = SSL_get_ex_data (ssl, gftp_ssl_get_index ());
|
431
|
93 gftp_lookup_request_option (request, "verify_ssl_peer", &verify_ssl_peer);
|
|
94
|
|
95 if (!verify_ssl_peer)
|
|
96 ok = 1;
|
168
|
97
|
|
98 if (!ok)
|
|
99 {
|
|
100 X509 *cert = X509_STORE_CTX_get_current_cert (store);
|
|
101 int depth = X509_STORE_CTX_get_error_depth (store);
|
|
102 int err = X509_STORE_CTX_get_error (store);
|
|
103
|
175
|
104 X509_NAME_oneline (X509_get_issuer_name (cert), issuer, sizeof (issuer));
|
|
105 X509_NAME_oneline (X509_get_subject_name (cert), subject, sizeof (subject));
|
186
|
106 request->logging_function (gftp_logging_error, request,
|
|
107 _("Error with certificate at depth: %i\nIssuer = %s\nSubject = %s\nError %i:%s\n"),
|
175
|
108 depth, issuer, subject, err,
|
|
109 X509_verify_cert_error_string (err));
|
168
|
110 }
|
|
111
|
|
112 return ok;
|
|
113 }
|
|
114
|
|
115
|
|
116 static int
|
|
117 gftp_ssl_post_connection_check (gftp_request * request)
|
|
118 {
|
|
119 char data[256], *extstr;
|
|
120 int extcount, ok, i, j;
|
|
121 X509_EXTENSION *ext;
|
|
122 X509_NAME *subj;
|
|
123 X509 *cert;
|
|
124
|
|
125 ok = 0;
|
|
126 if (!(cert = SSL_get_peer_certificate (request->ssl)))
|
|
127 {
|
186
|
128 request->logging_function (gftp_logging_error, request,
|
168
|
129 _("Cannot get peer certificate\n"));
|
|
130 return (X509_V_ERR_APPLICATION_VERIFICATION);
|
|
131 }
|
|
132
|
|
133 if ((extcount = X509_get_ext_count (cert)) > 0)
|
|
134 {
|
|
135 for (i = 0; i < extcount; i++)
|
|
136 {
|
|
137 ext = X509_get_ext (cert, i);
|
|
138 extstr = (char *) OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext)));
|
|
139
|
|
140 if (strcmp (extstr, "subjectAltName") == 0)
|
|
141 {
|
199
|
142 STACK_OF(CONF_VALUE) *val;
|
|
143 CONF_VALUE *nval;
|
|
144 X509V3_EXT_METHOD *meth;
|
|
145 void *ext_str = NULL;
|
168
|
146
|
199
|
147 if (!(meth = X509V3_EXT_get (ext)))
|
|
148 break;
|
|
149
|
168
|
150 #if (OPENSSL_VERSION_NUMBER > 0x00907000L)
|
199
|
151 if (meth->it)
|
971
|
152 ext_str = ASN1_item_d2i (NULL, (const unsigned char **) &ext->value->data, ext->value->length,
|
199
|
153 ASN1_ITEM_ptr (meth->it));
|
|
154 else
|
971
|
155 ext_str = meth->d2i (NULL, (const unsigned char **) &ext->value->data, ext->value->length);
|
168
|
156 #else
|
970
|
157 ext_str = meth->d2i(NULL, &ext->value->data, ext->value->length);
|
168
|
158 #endif
|
199
|
159 val = meth->i2v(meth, ext_str, NULL);
|
|
160
|
|
161 for (j = 0; j < sk_CONF_VALUE_num(val); j++)
|
|
162 {
|
|
163 nval = sk_CONF_VALUE_value (val, j);
|
|
164 if (strcmp (nval->name, "DNS") == 0 &&
|
|
165 strcmp (nval->value, request->hostname) == 0)
|
|
166 {
|
|
167 ok = 1;
|
|
168 break;
|
|
169 }
|
|
170 }
|
|
171 }
|
|
172
|
|
173 if (ok)
|
|
174 break;
|
|
175 }
|
168
|
176 }
|
215
|
177
|
199
|
178 if (!ok && (subj = X509_get_subject_name (cert)) &&
|
970
|
179 X509_NAME_get_text_by_NID (subj, NID_commonName, data, sizeof (data)) > 0)
|
199
|
180 {
|
|
181 data[sizeof (data) - 1] = '\0';
|
769
|
182 /* Check for wildcard CN (must begin with *.) */
|
|
183 if (strncmp (data, "*.", 2) == 0)
|
|
184 {
|
|
185 size_t hostname_len = strlen (data) - 1;
|
|
186 if (strlen (request->hostname) > hostname_len &&
|
|
187 strcasecmp (&(data[1]), &(request->hostname[strlen (request->hostname) - hostname_len])) == 0)
|
|
188 ok = 1;
|
|
189 }
|
|
190 else if (strcasecmp (data, request->hostname) == 0)
|
|
191 ok = 1;
|
|
192
|
|
193 if (!ok)
|
199
|
194 {
|
|
195 request->logging_function (gftp_logging_error, request,
|
|
196 _("ERROR: The host in the SSL certificate (%s) does not match the host that we connected to (%s). Aborting connection.\n"),
|
|
197 data, request->hostname);
|
|
198 X509_free (cert);
|
|
199 return (X509_V_ERR_APPLICATION_VERIFICATION);
|
|
200 }
|
|
201 }
|
168
|
202
|
|
203 X509_free (cert);
|
199
|
204
|
168
|
205 return (SSL_get_verify_result(request->ssl));
|
|
206 }
|
|
207
|
|
208
|
199
|
209 static void
|
|
210 _gftp_ssl_locking_function (int mode, int n, const char * file, int line)
|
|
211 {
|
|
212 if (mode & CRYPTO_LOCK)
|
|
213 g_mutex_lock (gftp_ssl_mutexes[n]);
|
|
214 else
|
|
215 g_mutex_unlock (gftp_ssl_mutexes[n]);
|
|
216 }
|
|
217
|
|
218
|
|
219 static unsigned long
|
|
220 _gftp_ssl_id_function (void)
|
|
221 {
|
|
222 #if GLIB_MAJOR_VERSION > 1
|
|
223 return ((unsigned long) g_thread_self ());
|
|
224 #else
|
949
|
225 /* FIXME - call pthread version. */
|
199
|
226 return (0);
|
|
227 #endif
|
|
228 }
|
|
229
|
|
230
|
|
231 static struct CRYPTO_dynlock_value *
|
|
232 _gftp_ssl_create_dyn_mutex (const char *file, int line)
|
|
233 {
|
|
234 struct CRYPTO_dynlock_value *value;
|
|
235
|
942
|
236 value = g_malloc0 (sizeof (*value));
|
199
|
237 value->mutex = g_mutex_new ();
|
|
238 return (value);
|
|
239 }
|
|
240
|
|
241
|
|
242 static void
|
|
243 _gftp_ssl_dyn_mutex_lock (int mode, struct CRYPTO_dynlock_value *l,
|
|
244 const char *file, int line)
|
|
245 {
|
|
246 if (mode & CRYPTO_LOCK)
|
|
247 g_mutex_lock (l->mutex);
|
|
248 else
|
|
249 g_mutex_unlock (l->mutex);
|
|
250 }
|
|
251
|
|
252
|
|
253 static void
|
|
254 _gftp_ssl_destroy_dyn_mutex (struct CRYPTO_dynlock_value *l,
|
|
255 const char *file, int line)
|
|
256 {
|
|
257 g_mutex_free (l->mutex);
|
|
258 g_free (l);
|
|
259 }
|
|
260
|
|
261
|
|
262 static void
|
|
263 _gftp_ssl_thread_setup (void)
|
|
264 {
|
|
265 int i;
|
|
266
|
215
|
267 #if G_MAJOR_VERSION == 1
|
210
|
268 /* Thread setup isn't supported in glib 1.2 yet */
|
|
269 return;
|
|
270 #endif
|
|
271
|
942
|
272 gftp_ssl_mutexes = g_malloc0 (CRYPTO_num_locks( ) * sizeof (*gftp_ssl_mutexes));
|
199
|
273
|
|
274 for (i = 0; i < CRYPTO_num_locks ( ); i++)
|
|
275 gftp_ssl_mutexes[i] = g_mutex_new ();
|
|
276
|
|
277 CRYPTO_set_id_callback (_gftp_ssl_id_function);
|
|
278 CRYPTO_set_locking_callback (_gftp_ssl_locking_function);
|
|
279 CRYPTO_set_dynlock_create_callback (_gftp_ssl_create_dyn_mutex);
|
|
280 CRYPTO_set_dynlock_lock_callback (_gftp_ssl_dyn_mutex_lock);
|
|
281 CRYPTO_set_dynlock_destroy_callback (_gftp_ssl_destroy_dyn_mutex);
|
|
282 }
|
|
283
|
|
284
|
168
|
285 int
|
|
286 gftp_ssl_startup (gftp_request * request)
|
|
287 {
|
431
|
288 intptr_t entropy_len;
|
174
|
289 char *entropy_source;
|
|
290
|
173
|
291 if (gftp_ssl_initialized)
|
|
292 return (0);
|
|
293
|
168
|
294 gftp_ssl_initialized = 1;
|
|
295
|
199
|
296 if (g_thread_supported ())
|
|
297 _gftp_ssl_thread_setup ();
|
|
298
|
168
|
299 if (!SSL_library_init ())
|
|
300 {
|
186
|
301 request->logging_function (gftp_logging_error, request,
|
460
|
302 _("Cannot initialize the OpenSSL library\n"));
|
168
|
303 return (GFTP_EFATAL);
|
|
304 }
|
|
305
|
|
306 SSL_load_error_strings ();
|
174
|
307
|
|
308 gftp_lookup_request_option (request, "entropy_source", &entropy_source);
|
175
|
309 gftp_lookup_request_option (request, "entropy_len", &entropy_len);
|
|
310 RAND_load_file (entropy_source, entropy_len);
|
168
|
311
|
|
312 ctx = SSL_CTX_new (SSLv23_method ());
|
|
313
|
|
314 if (SSL_CTX_set_default_verify_paths (ctx) != 1)
|
|
315 {
|
186
|
316 request->logging_function (gftp_logging_error, request,
|
168
|
317 _("Error loading default SSL certificates\n"));
|
173
|
318 return (GFTP_EFATAL);
|
168
|
319 }
|
|
320
|
431
|
321 SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, gftp_ssl_verify_callback);
|
|
322 SSL_CTX_set_verify_depth (ctx, 9);
|
416
|
323
|
168
|
324 SSL_CTX_set_options (ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
|
|
325
|
|
326 if (SSL_CTX_set_cipher_list (ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1)
|
|
327 {
|
186
|
328 request->logging_function (gftp_logging_error, request,
|
168
|
329 _("Error setting cipher list (no valid ciphers)\n"));
|
|
330 return (GFTP_EFATAL);
|
|
331 }
|
|
332
|
|
333 return (0);
|
|
334 }
|
|
335
|
|
336
|
|
337 int
|
|
338 gftp_ssl_session_setup (gftp_request * request)
|
|
339 {
|
416
|
340 intptr_t verify_ssl_peer;
|
168
|
341 BIO * bio;
|
|
342 long ret;
|
|
343
|
169
|
344 g_return_val_if_fail (request->datafd > 0, GFTP_EFATAL);
|
168
|
345
|
|
346 if (!gftp_ssl_initialized)
|
|
347 {
|
186
|
348 request->logging_function (gftp_logging_error, request,
|
168
|
349 _("Error: SSL engine was not initialized\n"));
|
215
|
350 gftp_disconnect (request);
|
168
|
351 return (GFTP_EFATAL);
|
|
352 }
|
|
353
|
199
|
354 /* FIXME - take this out. I need to find out how to do timeouts with the SSL
|
|
355 functions (a select() or poll() like function) */
|
|
356
|
|
357 if (gftp_fd_set_sockblocking (request, request->datafd, 0) < 0)
|
168
|
358 {
|
|
359 gftp_disconnect (request);
|
|
360 return (GFTP_ERETRYABLE);
|
|
361 }
|
|
362
|
|
363 if ((bio = BIO_new (BIO_s_socket ())) == NULL)
|
|
364 {
|
186
|
365 request->logging_function (gftp_logging_error, request,
|
168
|
366 _("Error setting up SSL connection (BIO object)\n"));
|
215
|
367 gftp_disconnect (request);
|
168
|
368 return (GFTP_EFATAL);
|
|
369 }
|
|
370
|
169
|
371 BIO_set_fd (bio, request->datafd, BIO_NOCLOSE);
|
168
|
372
|
|
373 if ((request->ssl = SSL_new (ctx)) == NULL)
|
|
374 {
|
186
|
375 request->logging_function (gftp_logging_error, request,
|
168
|
376 _("Error setting up SSL connection (SSL object)\n"));
|
215
|
377 gftp_disconnect (request);
|
168
|
378 return (GFTP_EFATAL);
|
|
379 }
|
|
380
|
|
381 SSL_set_bio (request->ssl, bio, bio);
|
175
|
382 SSL_set_ex_data (request->ssl, gftp_ssl_get_index (), request);
|
168
|
383
|
|
384 if (SSL_connect (request->ssl) <= 0)
|
215
|
385 {
|
|
386 gftp_disconnect (request);
|
|
387 return (GFTP_EFATAL);
|
|
388 }
|
168
|
389
|
416
|
390 gftp_lookup_request_option (request, "verify_ssl_peer", &verify_ssl_peer);
|
|
391
|
|
392 if (verify_ssl_peer &&
|
|
393 (ret = gftp_ssl_post_connection_check (request)) != X509_V_OK)
|
168
|
394 {
|
199
|
395 if (ret != X509_V_ERR_APPLICATION_VERIFICATION)
|
|
396 request->logging_function (gftp_logging_error, request,
|
|
397 _("Error with peer certificate: %s\n"),
|
|
398 X509_verify_cert_error_string (ret));
|
215
|
399 gftp_disconnect (request);
|
168
|
400 return (GFTP_EFATAL);
|
|
401 }
|
|
402
|
186
|
403 request->logging_function (gftp_logging_misc, request,
|
168
|
404 "SSL connection established using %s (%s)\n",
|
|
405 SSL_get_cipher_version (request->ssl),
|
|
406 SSL_get_cipher_name (request->ssl));
|
|
407
|
|
408 return (0);
|
|
409 }
|
|
410
|
|
411
|
|
412 ssize_t
|
|
413 gftp_ssl_read (gftp_request * request, void *ptr, size_t size, int fd)
|
|
414 {
|
|
415 ssize_t ret;
|
|
416 int err;
|
|
417
|
546
|
418 g_return_val_if_fail (request->ssl != NULL, GFTP_EFATAL);
|
|
419
|
168
|
420 if (!gftp_ssl_initialized)
|
|
421 {
|
186
|
422 request->logging_function (gftp_logging_error, request,
|
168
|
423 _("Error: SSL engine was not initialized\n"));
|
|
424 return (GFTP_EFATAL);
|
|
425 }
|
|
426
|
|
427 errno = 0;
|
|
428 ret = 0;
|
|
429 do
|
|
430 {
|
|
431 if ((ret = SSL_read (request->ssl, ptr, size)) < 0)
|
|
432 {
|
|
433 err = SSL_get_error (request->ssl, ret);
|
546
|
434 if (errno == EINTR || errno == EAGAIN)
|
168
|
435 {
|
215
|
436 if (request->cancel)
|
546
|
437 {
|
|
438 gftp_disconnect (request);
|
|
439 return (GFTP_ERETRYABLE);
|
|
440 }
|
|
441
|
|
442 continue;
|
|
443 }
|
168
|
444
|
215
|
445 request->logging_function (gftp_logging_error, request,
|
168
|
446 _("Error: Could not read from socket: %s\n"),
|
|
447 g_strerror (errno));
|
215
|
448 gftp_disconnect (request);
|
|
449
|
168
|
450 return (GFTP_ERETRYABLE);
|
|
451 }
|
546
|
452
|
|
453 break;
|
168
|
454 }
|
546
|
455 while (1);
|
168
|
456
|
|
457 return (ret);
|
|
458 }
|
|
459
|
|
460
|
|
461 ssize_t
|
|
462 gftp_ssl_write (gftp_request * request, const char *ptr, size_t size, int fd)
|
|
463 {
|
|
464 size_t ret, w_ret;
|
|
465
|
546
|
466 g_return_val_if_fail (request->ssl != NULL, GFTP_EFATAL);
|
|
467
|
168
|
468 if (!gftp_ssl_initialized)
|
|
469 {
|
186
|
470 request->logging_function (gftp_logging_error, request,
|
168
|
471 _("Error: SSL engine was not initialized\n"));
|
|
472 return (GFTP_EFATAL);
|
|
473 }
|
|
474
|
|
475 ret = 0;
|
|
476 do
|
|
477 {
|
|
478 w_ret = SSL_write (request->ssl, ptr, size);
|
|
479 if (w_ret <= 0)
|
|
480 {
|
546
|
481 if (errno == EINTR || errno == EAGAIN)
|
168
|
482 {
|
|
483 if (request != NULL && request->cancel)
|
546
|
484 {
|
|
485 gftp_disconnect (request);
|
|
486 return (GFTP_ERETRYABLE);
|
|
487 }
|
|
488
|
|
489 continue;
|
168
|
490 }
|
|
491
|
215
|
492 request->logging_function (gftp_logging_error, request,
|
168
|
493 _("Error: Could not write to socket: %s\n"),
|
|
494 g_strerror (errno));
|
215
|
495 gftp_disconnect (request);
|
|
496
|
168
|
497 return (GFTP_ERETRYABLE);
|
|
498 }
|
546
|
499
|
168
|
500 ptr += w_ret;
|
|
501 size -= w_ret;
|
|
502 ret += w_ret;
|
|
503 }
|
|
504 while (size > 0);
|
|
505
|
|
506 return (ret);
|
|
507 }
|
|
508
|
|
509 #endif
|