Mercurial > gftp.yaz
diff lib/sslcommon.c @ 168:c505d9ba9d53
2003-6-6 Brian Masney <masneyb@gftp.org>
* lib/gftp.h - if USE_SSL is defined, include the OpenSSL headers.
Added read_function, write_function and post_connect function pointers
to gftp_request structure. Added SSL object to gftp_request structure
if USE_SSL is defined. Added protocol number and init function
declarations for the HTTPS protocol
* lib/options.h - added HTTPS to the list of supported protocols
* lib/protocols.c lib/cache.c lib/rfc2068.c lib/rfc959.c lib/sshv2.c -
renamed gftp_read(), gftp_write() and gftp_set_sockblocking() to
gftp_fd_read(), gftp_fd_write() and gftp_fd_set_sockblocking()
respectively
* lib/bookmark.c lib/local.c
* lib/misc.c lib/rfc2068.c - moved base64_encode() to misc.c
* lib/protocols.c - improved parsing of URLs. Rather than calling
gftp_read() or gftp_write() directly, call the read_function or
write_function that is set in the request structure. Expanded tabs
to spaces. Cleanup for parsing of timestamps. In
gftp_connect_server(), if a post_connect function pointer is set,
call it after we are connected to the server. Improvements to
gftp_get_line ().
* lib/httpcommon.h lib/rfc2068.c - moved rfc2068_params structure to
httpcommon.h. Fix for chunked file transfers, they were not handled
at all before. Made the I/O calls a little more generic so that we can
read from either a socket or a SSL connection.
* lib/sslcommon.c - added generic SSL layer
* lib/https.c - added support for the HTTPS protocol. It piggy backs
off of the existing HTTP support and uses the generic SSL layer
* src/gtk/bookmarks.c src/gtk/chmod_dialog.c src/gtk/gftp-gtk.c
src/gtk/menu-items.c src/gtk/misc-gtk.c src/gtk/options_dialog.c
src/gtk/view_dialog.c - set the window icon name to the gFTP <version>
* configure.in - added lib back to SUBDIRS (oops)
* lib/Makefile.am - added https.c, sslcommon.c and httpcommon.h
| author | masneyb |
|---|---|
| date | Sun, 08 Jun 2003 15:04:40 +0000 |
| parents | |
| children | d40f9db52cdf |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/lib/sslcommon.c Sun Jun 08 15:04:40 2003 +0000 @@ -0,0 +1,345 @@ +/*****************************************************************************/ +/* sslcommon.c - interface to OpenSSL */ +/* Copyright (C) 1998-2003 Brian Masney <masneyb@gftp.org> */ +/* */ +/* This program is free software; you can redistribute it and/or modify */ +/* it under the terms of the GNU General Public License as published by */ +/* the Free Software Foundation; either version 2 of the License, or */ +/* (at your option) any later version. */ +/* */ +/* This program is distributed in the hope that it will be useful, */ +/* but WITHOUT ANY WARRANTY; without even the implied warranty of */ +/* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the */ +/* GNU General Public License for more details. */ +/* */ +/* You should have received a copy of the GNU General Public License */ +/* along with this program; if not, write to the Free Software */ +/* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111 USA */ +/*****************************************************************************/ + +#include "gftp.h" + +static const char cvsid[] = "$Id$"; + +/* Some of the functions in here was taken either entirely or partially from + * the O'Reilly book Network Security with OpenSSL */ + +static SSL_CTX * ctx = NULL; + +#ifdef USE_SSL + +static volatile int gftp_ssl_initialized = 0; + +static int +gftp_ssl_verify_callback (int ok, X509_STORE_CTX *store) +{ + char data[256]; + + if (!ok) + { + X509 *cert = X509_STORE_CTX_get_current_cert (store); + int depth = X509_STORE_CTX_get_error_depth (store); + int err = X509_STORE_CTX_get_error (store); + + fprintf (stderr, "-Error with certificate at depth: %i\n", depth); + X509_NAME_oneline (X509_get_issuer_name (cert), data, sizeof (data)); + fprintf (stderr, " issuer = %s\n", data); + X509_NAME_oneline (X509_get_subject_name (cert), data, sizeof (data)); + fprintf (stderr, " subject = %s\n", data); + fprintf (stderr, " err %i:%s\n", err, X509_verify_cert_error_string (err)); + } + + return ok; +} + + +static int +gftp_ssl_post_connection_check (gftp_request * request) +{ + char data[256], *extstr; + int extcount, ok, i, j; + X509_EXTENSION *ext; + X509_NAME *subj; + X509 *cert; + + ok = 0; + if (!(cert = SSL_get_peer_certificate (request->ssl))) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Cannot get peer certificate\n")); + return (X509_V_ERR_APPLICATION_VERIFICATION); + } + + if ((extcount = X509_get_ext_count (cert)) > 0) + { + for (i = 0; i < extcount; i++) + { + ext = X509_get_ext (cert, i); + extstr = (char *) OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext))); + + if (strcmp (extstr, "subjectAltName") == 0) + { + unsigned char *data; + STACK_OF(CONF_VALUE) *val; + CONF_VALUE *nval; + X509V3_EXT_METHOD *meth; + void *ext_str = NULL; + + if (!(meth = X509V3_EXT_get(ext))) + break; + data = ext->value->data; + +#if (OPENSSL_VERSION_NUMBER > 0x00907000L) + if (meth->it) + ext_str = ASN1_item_d2i(NULL, &data, ext->value->length, + ASN1_ITEM_ptr(meth->it)); + else + ext_str = meth->d2i(NULL, &data, ext->value->length); +#else + ext_str = meth->d2i(NULL, &data, ext->value->length); +#endif + val = meth->i2v(meth, ext_str, NULL); + for (j = 0; j < sk_CONF_VALUE_num(val); j++) + { + nval = sk_CONF_VALUE_value(val, j); + if (strcmp(nval->name, "DNS") == 0 && strcmp(nval->value, request->hostname) == 0) + { + ok = 1; + break; + } + } + } + if (ok) + break; + } + } + +/* FIXME + if (!ok && (subj = X509_get_subject_name (cert)) && + X509_NAME_get_text_by_NID (subj, NID_commonName, data, 256) > 0) + { + data[sizeof (data) - 1] = '\0'; + if (strcasecmp (data, request->hostname) != 0) + { + request->logging_function (gftp_logging_error, request->user_data, + _("The SSL certificate's host %s does not match the host %s that we connected to\n"), + data, request->hostname); + X509_free (cert); + return (X509_V_ERR_APPLICATION_VERIFICATION); + } + } +*/ + + X509_free (cert); + return (SSL_get_verify_result(request->ssl)); +} + + +int +gftp_ssl_startup (gftp_request * request) +{ + gftp_ssl_initialized = 1; + + /* FIXME _ thread setup */ + /* FIXME - only call this from one place */ + if (!SSL_library_init ()) + { + if (request != NULL) + request->logging_function (gftp_logging_error, request->user_data, + _("Cannot initialized the OpenSSL library\n")); + return (GFTP_EFATAL); + } + + SSL_load_error_strings (); + RAND_load_file ("/dev/urandom", 1024); /* FIXME - be able to specify this file */ + + ctx = SSL_CTX_new (SSLv23_method ()); + + if (SSL_CTX_set_default_verify_paths (ctx) != 1) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error loading default SSL certificates\n")); + return (GFTP_EFATAL); + } + + SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, gftp_ssl_verify_callback); + SSL_CTX_set_verify_depth (ctx, 4); + SSL_CTX_set_options (ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2); + + if (SSL_CTX_set_cipher_list (ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH") != 1) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error setting cipher list (no valid ciphers)\n")); + return (GFTP_EFATAL); + } + + + return (0); +} + + +int +gftp_ssl_session_setup (gftp_request * request) +{ + BIO * bio; + long ret; + + g_return_val_if_fail (request->sockfd > 0, GFTP_EFATAL); + + if (!gftp_ssl_initialized) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error: SSL engine was not initialized\n")); + return (GFTP_EFATAL); + } + + if (gftp_fd_set_sockblocking (request, request->sockfd, 0) < 0) /* FIXME */ + { + gftp_disconnect (request); + return (GFTP_ERETRYABLE); + } + + if ((bio = BIO_new (BIO_s_socket ())) == NULL) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error setting up SSL connection (BIO object)\n")); + return (GFTP_EFATAL); + } + + BIO_set_fd (bio, request->sockfd, BIO_NOCLOSE); + + if ((request->ssl = SSL_new (ctx)) == NULL) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error setting up SSL connection (SSL object)\n")); + return (GFTP_EFATAL); + } + + SSL_set_bio (request->ssl, bio, bio); + + if (SSL_connect (request->ssl) <= 0) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error connecting to SSL object\n")); + return (GFTP_EFATAL); + } + + if ((ret = gftp_ssl_post_connection_check (request)) != X509_V_OK) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error with peer certificate: %s\n"), + X509_verify_cert_error_string (ret)); + return (GFTP_EFATAL); + } + + request->logging_function (gftp_logging_misc, request->user_data, + "SSL connection established using %s (%s)\n", + SSL_get_cipher_version (request->ssl), + SSL_get_cipher_name (request->ssl)); + + return (0); +} + + +ssize_t +gftp_ssl_read (gftp_request * request, void *ptr, size_t size, int fd) +{ + ssize_t ret; + int err; + + if (!gftp_ssl_initialized) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error: SSL engine was not initialized\n")); + return (GFTP_EFATAL); + } + + errno = 0; + ret = 0; + do + { + if ((ret = SSL_read (request->ssl, ptr, size)) < 0) + { + err = SSL_get_error (request->ssl, ret); + printf ("error is %d\n", err); + if (errno == EINTR) + { + if (request != NULL && request->cancel) + break; + else + continue; + } + + if (request != NULL) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error: Could not read from socket: %s\n"), + g_strerror (errno)); + gftp_disconnect (request); + } + return (GFTP_ERETRYABLE); + } + } + while (errno == EINTR && !(request != NULL && request->cancel)); + + if (errno == EINTR && request != NULL && request->cancel) + { + gftp_disconnect (request); + return (GFTP_ERETRYABLE); + } + + return (ret); +} + + +ssize_t +gftp_ssl_write (gftp_request * request, const char *ptr, size_t size, int fd) +{ + size_t ret, w_ret; + + if (!gftp_ssl_initialized) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error: SSL engine was not initialized\n")); + return (GFTP_EFATAL); + } + + ret = 0; + do + { + w_ret = SSL_write (request->ssl, ptr, size); + if (w_ret <= 0) + { + if (errno == EINTR) + { + if (request != NULL && request->cancel) + break; + else + continue; + } + + if (request != NULL) + { + request->logging_function (gftp_logging_error, request->user_data, + _("Error: Could not write to socket: %s\n"), + g_strerror (errno)); + gftp_disconnect (request); + } + return (GFTP_ERETRYABLE); + } + ptr += w_ret; + size -= w_ret; + ret += w_ret; + } + while (size > 0); + + if (errno == EINTR && request != NULL && request->cancel) + { + gftp_disconnect (request); + return (GFTP_ERETRYABLE); + } + + return (ret); +} + +#endif