1 Description: Patches from upstream to support TLS and openssl 1.0+
2 All SSL/TLS related patches since ckermit 302.
3 See (the end of) ftp://ftp.kermitproject.org/kermit/test/text/NOTES.TXT
5 Origin: upstream, dev.14
7 Last-Update: 2015-12-14
8 Index: ckermit/ck_ssl.c
9 ===================================================================
10 --- ckermit.orig/ck_ssl.c
13 -char *cksslv = "SSL/TLS support, 9.0.227, 04 Aug 2010";
14 +char *cksslv = "SSL/TLS support, 9.0.232, 5 Feb 2015";
16 C K _ S S L . C -- OpenSSL Interface for C-Kermit
18 - Copyright (C) 1985, 2010,
19 + Copyright (C) 1985, 2015,
20 Trustees of Columbia University in the City of New York.
21 All rights reserved. See the C-Kermit COPYING.TXT file or the
22 copyright text in the ckcmai.c module for disclaimer and permissions.
23 @@ -19,7 +19,7 @@ char *cksslv = "SSL/TLS support, 9.0.227
24 . Client certificate to user id routine
26 Note: This code is written to be compatible with OpenSSL 0.9.6[abcdefgh]
27 - and 0.9.7 beta 5 (and, presumably, later).
28 + and 0.9.7 beta 5 and later, and (since July 2012) 1.0.x.
29 It will also compile with version 0.9.5 although that is discouraged
30 due to security weaknesses in that release.
32 @@ -1363,6 +1363,7 @@ ssl_once_init()
33 if ( !ck_ssleay_is_installed() )
36 + Pre-OpenSSL 1.0.0 comment:
37 OpenSSL does not provide for ABI compatibility between releases prior
38 to version 1.0.0. If the version does not match, it is not safe to
39 assume that any function you call takes the same parameters or does
40 @@ -1371,6 +1372,20 @@ ssl_once_init()
41 The test should be revised once OpenSSL 1.0.0 is released and we see what
42 its claims are as to ABI compatibility.
45 + Post-OpenSSL 1.0.0 comment:
46 + OpenSSL does not provide for ABI compatibility between releases prior
47 + to version 1.0.0. After 1.0, the following holds:
49 + Changes to last letter: security and bugfix only, no new features.
51 + Changes to last number: new ABI compatible features.
53 + Changes to middle number: major release, ABI compatibility not guaranteed.
56 + (per Dr. Stephen Henson)
58 debug(F111,"Kermit built for OpenSSL",OPENSSL_VERSION_TEXT,SSLEAY_VERSION_NUMBER);
60 debug(F111,"OpenSSL Library",SSLeay_version(SSLEAY_VERSION),
61 @@ -1380,7 +1395,10 @@ ssl_once_init()
62 debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
64 /* The following test is suggested by Richard Levitte */
65 - if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f)
66 + /* if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) */
67 + /* Modified by Adam Friedlander for OpenSSL >= 1.0.0 */
68 + if (OPENSSL_VERSION_NUMBER > SSLeay()
69 + || ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & COMPAT_VERSION_MASK)
71 || ckstrcmp(OPENSSL_VERSION_TEXT,(char *)SSLeay_version(SSLEAY_VERSION),-1,1)
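Review bot: The relaxed `COMPAT_VERSION_MASK` test only takes effect if the `ckstrcmp(OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION), -1, 1)` operand on the last line of the hunk is conditional; as shown it is ORed in unconditionally, and a full-text comparison rejects exactly the fix-level difference (built against 1.0.1, running on 1.0.2) that the mask was introduced to accept. Listing line 70 is not shown here, so if it holds an `#ifdef` around that operand this is moot; otherwise the text comparison should be dropped on OPENSSL_100 builds or limited to the `major.minor` prefix. The new `OPENSSL_VERSION_NUMBER > SSLeay()` operand is the right direction (never run against a library older than the build, which may lack security fixes or symbols) and deserves a comment saying so, e.g. `/* refuse a runtime library older than the build: missing fixes, possibly missing symbols */`. ssl_once_init extends beyond this hunk.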
73 @@ -1391,7 +1409,14 @@ ssl_once_init()
74 printf("?OpenSSL libraries do not match required version:\r\n");
75 printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
76 printf(" . Version found %s\r\n",SSLeay_version(SSLEAY_VERSION));
77 - printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
79 + printf(" OpenSSL versions 1.0.0 or newer must be the same\r\n");
80 + printf(" major and minor version number, and Kermit may not\r\n");
81 + printf(" be used with a version of OpenSSL older than the one\r\n");
82 + printf(" supplied at compile time.\r\n");
84 + printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
85 +#endif /* OPENSSL_100 */
89 @@ -1586,20 +1611,35 @@ ssl_tn_init(mode) int mode;
95 + TLS 1.0 is the new default as of 5 Feb 2015.
96 + Previously this was commented out because
97 + "too many web servers still do not support TLSv1".
98 + Now we try TLS 1.0 first, falling back to SSL 2.3
99 + and SSL 3.0 in that order. Maybe there should be
100 + an option not to fall back.
102 tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
104 - tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
105 - /* This can fail because we do not have RSA available */
107 - debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
108 - tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
110 -#endif /* COMMENT */
113 + debug(F110,"ssl_tn_init","TLSv1_client_method OK",0);
115 debug(F110,"ssl_tn_init","TLSv1_client_method failed",0);
116 - last_ssl_mode = -1;
118 + /* This can fail because we do not have RSA available */
119 + tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
121 + debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
123 + debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
124 + tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
127 + "ssl_tn_init","TLSv1_client_method failed",0);
129 + "ssl_tn_init","All SSL client methods failed",0);
130 + last_ssl_mode = -1;
136 SSL_CTX_set_client_cert_cb(ssl_ctx,ssl_client_cert_callback);
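Review bot: `TLSv1_client_method()` at the top of this hunk negotiates TLS 1.0 only — it never offers TLS 1.1 or 1.2 even when the linked OpenSSL supports them — so the new "TLS 1.0 first" default caps every telnet TLS session at a version that is itself deprecated. The version-flexible method in OpenSSL is, despite its name, `SSLv23_client_method()`; the policy the comment describes is better expressed as `tls_ctx = SSL_CTX_new(SSLv23_client_method());` followed by `SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, which negotiates the highest mutual version while excluding SSLv2 and POODLE-vulnerable SSLv3. The fallback chain below only runs when `SSL_CTX_new` returns NULL (method compiled out), not when a handshake fails, so "falling back to SSL 2.3 and SSL 3.0" overstates the runtime behaviour, and the `SSLv3_client_method()` branch still produces an SSL 3.0-only context. The options applied to `tls_ctx` later in ssl_tn_init are outside this hunk, so confirm whether `SSL_OP_NO_SSLv3` is already set there; ssl_tn_init starts and ends outside the hunk.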
137 @@ -2153,32 +2193,25 @@ ssl_http_init(hostname) char * hostname;
138 printf("SSL_DEBUG_FLAG on\r\n");
140 if (!tls_http_ctx ) {
142 - /* too many web servers still do not support TLSv1 */
144 + TLS 1.0 is the new default as of 5 Feb 2015.
145 + Previously this was commented out because
146 + "too many web servers still do not support TLSv1".
147 + Now we try TLS 1.0 first, falling back to SSL 2.3
148 + and SSL 3.0 in that order. Maybe there should be
149 + an option not to fall back.
151 tls_http_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
153 - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
154 - /* This can fail because we do not have RSA available */
155 - if ( !tls_http_ctx ) {
156 - debug(F110,"ssl_http_init","SSLv23_client_method failed",0);
157 - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
159 -#endif /* COMMENT */
160 - if ( !tls_http_ctx ) {
161 - debug(F110,"ssl_http_init","TLSv1_client_method failed",0);
163 + if ( tls_http_ctx ) {
164 + debug(F110,"ssl_http_init","TLSv1_client_method OK",0);
167 - SSL_CTX_set_client_cert_cb(tls_http_ctx,ssl_client_cert_callback);
168 -#endif /* USE_CERT_CB */
171 SSL_CTX_set_default_passwd_cb(tls_http_ctx,
172 (pem_password_cb *)ssl_passwd_callback);
174 /* for SSL switch on all the interoperability and bug
175 * workarounds so that we will communicate with people
176 - * that cannot read poorly written specs :-)
177 + * who cannot read poorly written specs :-)
178 * for TLS be sure to prevent use of SSLv2
180 SSL_CTX_set_options(tls_http_ctx,
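Review bot: HTTP-over-TLS sessions lose their client-certificate callback in this hunk: the `#ifdef USE_CERT_CB` call `SSL_CTX_set_client_cert_cb(tls_http_ctx, ssl_client_cert_callback)` is deleted with no replacement visible, while the telnet context in ssl_tn_init keeps its `SSL_CTX_set_client_cert_cb(ssl_ctx, ...)`. Unless the callback is installed on `tls_http_ctx` somewhere outside this hunk, an HTTP server that requests a client certificate will no longer be offered one; if the removal is deliberate, a one-line comment at that spot saying where HTTP client certificates are now loaded would stop the next reader from restoring it. The same TLS 1.0-only cap applies to `TLSv1_client_method()` here as in ssl_tn_init. ssl_http_init continues past the end of the hunk.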
181 Index: ckermit/ck_ssl.h
182 ===================================================================
183 --- ckermit.orig/ck_ssl.h
187 C K _ S S L . H -- OpenSSL Interface Header for C-Kermit
189 - Copyright (C) 1985, 2005,
190 + Copyright (C) 1985, 2013,
191 Trustees of Columbia University in the City of New York.
192 All rights reserved. See the C-Kermit COPYING.TXT file or the
193 copyright text in the ckcmai.c module for disclaimer and permissions.
195 #define OPENSSL_NO_MDC2
199 +/* Different major/minor version or development version of OpenSSL
200 + * means ABI may break compatibility.
201 + * Modified by Adam Friedlander for OpenSSL >= 1.0.0
203 +#define COMPAT_VERSION_MASK 0xffff000f
205 +/* Different major/minor/fix/development (not patch) version of OpenSSL
206 + * means ABI may break compatibility. */
207 +#define COMPAT_VERSION_MASK 0xffffff0f
209 #endif /* OPENSSL_100 */
212 Index: ckermit/ckcftp.c
213 ===================================================================
214 --- ckermit.orig/ckcftp.c
218 /* C K C F T P -- FTP Client for C-Kermit */
220 -char *ckftpv = "FTP Client, 9.0.260, 14 Jul 2011";
221 +char *ckftpv = "FTP Client, 9.0.263, 5 Feb 2015";
225 @@ -11,7 +11,7 @@ char *ckftpv = "FTP Client, 9.0.260, 14
226 Frank da Cruz <fdc@columbia.edu>,
227 The Kermit Project, Columbia University.
229 - Copyright (C) 2000, 2011,
230 + Copyright (C) 2000, 2014,
231 Trustees of Columbia University in the City of New York.
232 All rights reserved. See the C-Kermit COPYING.TXT file or the
233 copyright text in the ckcmai.c module for disclaimer and permissions.
234 @@ -1092,6 +1092,7 @@ static int
237 static int ftp_bug_use_ssl_v2 = 0; /* use SSLv2 for AUTH SSL */
238 +static int ftp_bug_use_ssl_v3 = 0; /* use SSLv3 for AUTH SSL */
242 @@ -1340,9 +1341,12 @@ static int nftpena = (sizeof(ftpenatab)
245 #define FTB_SV2 1 /* use SSLv2 */
246 +#define FTB_SV3 2 /* use SSLv3 */
248 static struct keytab ftpbugtab[] = {
249 - { "use-ssl-v2", FTB_SV2, 0 }
250 + { "use-ssl-v2", FTB_SV2, 0 },
251 + { "use-ssl-v3", FTB_SV3, 0 }
254 static int nftpbug = (sizeof(ftpbugtab) / sizeof(struct keytab));
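Review bot: The new `use-ssl-v3` keyword and `FTB_SV3` constant are documented only as `/* use SSLv3 */`, yet in ssl_auth that flag selects `SSLv3_client_method()`, i.e. SSL 3.0 exclusively, which this same patch set elsewhere calls out as POODLE-vulnerable. Because the keyword table is user-visible, the comment on `#define FTB_SV3` should state what the user is opting into, e.g. `/* use SSLv3 ONLY (POODLE-vulnerable; legacy servers only) */`, and any SET FTP BUG help text (not visible here) should carry the same warning. The keytab and dosetftp are partly outside this hunk.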
256 @@ -2744,6 +2748,8 @@ dosetftp() {
259 return seton(&ftp_bug_use_ssl_v2);
261 + return seton(&ftp_bug_use_ssl_v3);
265 @@ -10169,6 +10175,7 @@ int
269 + CONST SSL_METHOD *client_method;
271 if (ssl_debug_flag) {
272 fprintf(stderr,"SSL DEBUG ACTIVE\n");
273 @@ -10195,16 +10202,30 @@ ssl_auth() {
274 #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
275 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0L
278 + Pick allowed SSL/TLS versions according to enabled bugs.
279 + Modified 5 Feb 2015 to default to TLS 1.0 if no bugs are enabled,
280 + instead of to SSL 3.0, which has the POODLE vulnerability.
282 + if (ftp_bug_use_ssl_v2) {
283 + /* allow SSL 2.0 or later */
284 + client_method = SSLv23_client_method();
285 + } else if (ftp_bug_use_ssl_v3) {
286 + /* allow SSL 3.0 ONLY - previous default */
287 + client_method = SSLv3_client_method();
289 + /* default - allow TLS 1.0 or later */
290 + client_method = TLSv1_client_method();
292 if (auth_type && !strcmp(auth_type,"TLS")) {
293 - ssl_ftp_ctx=SSL_CTX_new(SSLv3_client_method());
294 + ssl_ftp_ctx=SSL_CTX_new(client_method);
297 SSL_CTX_set_options(ssl_ftp_ctx,
298 SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
301 - ssl_ftp_ctx = SSL_CTX_new(ftp_bug_use_ssl_v2 ? SSLv23_client_method() :
302 - SSLv3_client_method());
303 + ssl_ftp_ctx = SSL_CTX_new(client_method);
306 SSL_CTX_set_options(ssl_ftp_ctx,
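Review bot: The comment `/* default - allow TLS 1.0 or later */` above `client_method = TLSv1_client_method();` is wrong: in OpenSSL `TLSv1_client_method()` negotiates TLS 1.0 exactly, so the new default fixes FTP AUTH TLS at 1.0 and will not use 1.1 or 1.2 with a server that offers them. Either correct the comment to `/* default - TLS 1.0 only */` or use the version-flexible method, `client_method = SSLv23_client_method();` together with `SSL_CTX_set_options(ssl_ftp_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, which yields the highest mutual version without SSLv2 or POODLE-vulnerable SSLv3. The `ftp_bug_use_ssl_v2` branch also hands out `SSLv23_client_method()`, so whether SSLv2 is really offered depends on the `SSL_CTX_set_options` calls that begin at the end of the hunk and continue outside it; if they set `SSL_OP_NO_SSLv2`, the "allow SSL 2.0 or later" comment is misleading. When both bug flags are set, v2 silently takes precedence over v3, which a one-line comment on the `if` chain should state. ssl_auth starts and ends outside this hunk.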
307 @@ -10428,7 +10449,9 @@ ssl_auth() {
309 ssl_ftp_active_flag = 1;
311 - if (!ssl_certsok_flag && !tls_is_krb5(1)) {
312 + if (!ssl_certsok_flag &&
313 + (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
315 char *subject = ssl_get_subject_name(ssl_ftp_con);
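Review bot: Gating the subject-name check on `(ssl_verify_flag & SSL_VERIFY_PEER)` means the post-handshake subject/hostname comparison is now skipped entirely whenever peer verification is off, with nothing logged; previously it ran whenever `ssl_certsok_flag` was clear. That is coherent (a subject taken from an unverified chain proves nothing), but if `ssl_verify_flag` can default to `SSL_VERIFY_NONE` in some build — its initialiser is not visible here — a default connection would lose the check silently, so an else branch with `debug(F110,"ssl_auth","subject check skipped: peer not verified",0)` and a comment such as `/* subject check is only meaningful when the peer chain was verified */` would make the downgrade visible. The third operand of the condition (the `tls_is_krb5(1)` test) sits on a line not shown in this listing, and ssl_auth continues outside the hunk.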
318 @@ -13161,7 +13184,7 @@ initconn() {
319 inet_ntoa(hisctladdr.sin_addr)
323 + perror("ftphookup");
325 memcpy((char *)&hisctladdr.sin_addr,
327 @@ -13361,7 +13384,9 @@ ssl_dataconn() {
329 ssl_ftp_data_active_flag=1;
331 - if (!ssl_certsok_flag && !tls_is_krb5(2)) {
332 + if (!ssl_certsok_flag &&
333 + (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
335 char *subject = ssl_get_subject_name(ssl_ftp_data_con);