1 Index: ckermit/ck_ssl.c
2 ===================================================================
3 --- ckermit.orig/ck_ssl.c
6 -char *cksslv = "SSL/TLS support, 9.0.227, 04 Aug 2010";
7 +char *cksslv = "SSL/TLS support, 9.0.232, 5 Feb 2015";
9 C K _ S S L . C -- OpenSSL Interface for C-Kermit
11 - Copyright (C) 1985, 2010,
12 + Copyright (C) 1985, 2015,
13 Trustees of Columbia University in the City of New York.
14 All rights reserved. See the C-Kermit COPYING.TXT file or the
15 copyright text in the ckcmai.c module for disclaimer and permissions.
16 @@ -19,7 +19,7 @@ char *cksslv = "SSL/TLS support, 9.0.227
17 . Client certificate to user id routine
19 Note: This code is written to be compatible with OpenSSL 0.9.6[abcdefgh]
20 - and 0.9.7 beta 5 (and, presumably, later).
21 + and 0.9.7 beta 5 and later, and (since July 2012) 1.0.x.
22 It will also compile with version 0.9.5 although that is discouraged
23 due to security weaknesses in that release.
25 @@ -1363,6 +1363,7 @@ ssl_once_init()
26 if ( !ck_ssleay_is_installed() )
29 + Pre-OpenSSL 1.0.0 comment:
30 OpenSSL does not provide for ABI compatibility between releases prior
31 to version 1.0.0. If the version does not match, it is not safe to
32 assume that any function you call takes the same parameters or does
33 @@ -1371,6 +1372,20 @@ ssl_once_init()
34 The test should be revised once OpenSSL 1.0.0 is released and we see what
35 its claims are as to ABI compatibility.
38 + Post-OpenSSL 1.0.0 comment:
39 + OpenSSL does not provide for ABI compatibility between releases prior
40 + to version 1.0.0. After 1.0, the following holds:
42 + Changes to last letter: security and bugfix only, no new features.
44 + Changes to last number: new ABI compatible features.
46 + Changes to middle number: major release, ABI compatibility not guaranteed.
49 + (per Dr. Stephen Henson)
51 debug(F111,"Kermit built for OpenSSL",OPENSSL_VERSION_TEXT,SSLEAY_VERSION_NUMBER);
53 debug(F111,"OpenSSL Library",SSLeay_version(SSLEAY_VERSION),
54 @@ -1380,7 +1395,10 @@ ssl_once_init()
55 debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
57 /* The following test is suggested by Richard Levitte */
58 - if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f)
59 + /* if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) */
60 + /* Modified by Adam Friedlander for OpenSSL >= 1.0.0 */
61 + if (OPENSSL_VERSION_NUMBER > SSLeay()
62 + || ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & COMPAT_VERSION_MASK)
64 || ckstrcmp(OPENSSL_VERSION_TEXT,(char *)SSLeay_version(SSLEAY_VERSION),-1,1)
66 @@ -1391,7 +1409,14 @@ ssl_once_init()
67 printf("?OpenSSL libraries do not match required version:\r\n");
68 printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
69 printf(" . Version found %s\r\n",SSLeay_version(SSLEAY_VERSION));
70 - printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
72 + printf(" OpenSSL versions 1.0.0 or newer must be the same\r\n");
73 + printf(" major and minor version number, and Kermit may not\r\n");
74 + printf(" be used with a version of OpenSSL older than the one\r\n");
75 + printf(" supplied at compile time.\r\n");
77 + printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
78 +#endif /* OPENSSL_100 */
82 @@ -1586,20 +1611,35 @@ ssl_tn_init(mode) int mode;
88 + TLS 1.0 is the new default as of 5 Feb 2015.
89 + Previously this was commented out because
90 + "too many web servers still do not support TLSv1".
91 + Now we try TLS 1.0 first, falling back to SSL 2.3
92 + and SSL 3.0 in that order. Maybe there should be
93 + an option not to fall back.
95 tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
97 - tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
98 - /* This can fail because we do not have RSA available */
100 - debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
101 - tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
103 -#endif /* COMMENT */
106 + debug(F110,"ssl_tn_init","TLSv1_client_method OK",0);
108 debug(F110,"ssl_tn_init","TLSv1_client_method failed",0);
109 - last_ssl_mode = -1;
111 + /* This can fail because we do not have RSA available */
112 + tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
114 + debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
116 + debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
117 + tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
120 + "ssl_tn_init","TLSv1_client_method failed",0);
122 + "ssl_tn_init","All SSL client methods failed",0);
123 + last_ssl_mode = -1;
129 SSL_CTX_set_client_cert_cb(ssl_ctx,ssl_client_cert_callback);
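Review bot: `TLSv1_client_method()` at gutter 95 fixes the protocol at exactly TLS 1.0, so a client built against OpenSSL 1.0.1 or later will never negotiate TLS 1.1 or 1.2 even when the peer offers them, whereas the `SSLv23_client_method()` it replaces negotiates the highest version both sides support; the POODLE concern behind this change is better met by keeping `SSLv23_client_method()` and adding `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` to the `SSL_CTX_set_options()` call that follows (the same applies to the ssl_http_init hunk below and to the default branch of ssl_auth() in ckcftp.c). The fallback chain at gutters 112 and 117 runs only when `SSL_CTX_new()` returns NULL, i.e. when that method is compiled out of the library, not on a handshake failure, so the comment's "option not to fall back" describes a protocol downgrade the code does not perform, and "SSL 2.3" misnames SSLv23, which is the version-flexible method rather than a protocol version. The debug message at gutter 120 still reads `"TLSv1_client_method failed"` although it appears to sit in the SSLv3 branch (the surrounding lines are not visible here); presumably it should say `"SSLv3_client_method OK"`. Several lines of this hunk are not shown, and ssl_tn_init continues past its end.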
130 @@ -2153,32 +2193,25 @@ ssl_http_init(hostname) char * hostname;
131 printf("SSL_DEBUG_FLAG on\r\n");
133 if (!tls_http_ctx ) {
135 - /* too many web servers still do not support TLSv1 */
137 + TLS 1.0 is the new default as of 5 Feb 2015.
138 + Previously this was commented out because
139 + "too many web servers still do not support TLSv1".
140 + Now we try TLS 1.0 first, falling back to SSL 2.3
141 + and SSL 3.0 in that order. Maybe there should be
142 + an option not to fall back.
144 tls_http_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
146 - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
147 - /* This can fail because we do not have RSA available */
148 - if ( !tls_http_ctx ) {
149 - debug(F110,"ssl_http_init","SSLv23_client_method failed",0);
150 - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
152 -#endif /* COMMENT */
153 - if ( !tls_http_ctx ) {
154 - debug(F110,"ssl_http_init","TLSv1_client_method failed",0);
156 + if ( tls_http_ctx ) {
157 + debug(F110,"ssl_http_init","TLSv1_client_method OK",0);
160 - SSL_CTX_set_client_cert_cb(tls_http_ctx,ssl_client_cert_callback);
161 -#endif /* USE_CERT_CB */
164 SSL_CTX_set_default_passwd_cb(tls_http_ctx,
165 (pem_password_cb *)ssl_passwd_callback);
167 /* for SSL switch on all the interoperability and bug
168 * workarounds so that we will communicate with people
169 - * that cannot read poorly written specs :-)
170 + * who cannot read poorly written specs :-)
171 * for TLS be sure to prevent use of SSLv2
173 SSL_CTX_set_options(tls_http_ctx,
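Review bot: The removed lines at gutters 160–161 drop `SSL_CTX_set_client_cert_cb(tls_http_ctx,ssl_client_cert_callback);` from the HTTPS context with no replacement visible in the hunk, while the same call is kept for the telnet context (`ssl_ctx`) in the ssl_tn_init hunk above; unless it has merely moved to one of the lines not shown here (gutters 158–163 are missing), client-certificate authentication over HTTPS would stop working silently, with nothing reported to the user. Either restore the call next to `SSL_CTX_set_default_passwd_cb(tls_http_ctx,` at gutter 164 or state in the block comment at gutters 137–142 why the HTTP context no longer installs it. That comment also says the code falls back to "SSL 2.3 and SSL 3.0", but the old fallback at gutters 146–151 is deleted and no new one is visible in this hunk, so the comment may describe behaviour this function no longer has; if a fallback does exist off-page, "SSL 2.3" should read `SSLv23` to make clear it is the version-flexible method and not a downgrade. ssl_http_init begins before and ends after this hunk.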
174 Index: ckermit/ck_ssl.h
175 ===================================================================
176 --- ckermit.orig/ck_ssl.h
180 C K _ S S L . H -- OpenSSL Interface Header for C-Kermit
182 - Copyright (C) 1985, 2005,
183 + Copyright (C) 1985, 2013,
184 Trustees of Columbia University in the City of New York.
185 All rights reserved. See the C-Kermit COPYING.TXT file or the
186 copyright text in the ckcmai.c module for disclaimer and permissions.
188 #define OPENSSL_NO_MDC2
192 +/* Different major/minor version or development version of OpenSSL
193 + * means ABI may break compatibility.
194 + * Modified by Adam Friedlander for OpenSSL >= 1.0.0
196 +#define COMPAT_VERSION_MASK 0xffff000f
198 +/* Different major/minor/fix/development (not patch) version of OpenSSL
199 + * means ABI may break compatibility. */
200 +#define COMPAT_VERSION_MASK 0xffffff0f
202 #endif /* OPENSSL_100 */
205 Index: ckermit/ckcftp.c
206 ===================================================================
207 --- ckermit.orig/ckcftp.c
211 /* C K C F T P -- FTP Client for C-Kermit */
213 -char *ckftpv = "FTP Client, 9.0.260, 14 Jul 2011";
214 +char *ckftpv = "FTP Client, 9.0.263, 5 Feb 2015";
218 @@ -11,7 +11,7 @@ char *ckftpv = "FTP Client, 9.0.260, 14
219 Frank da Cruz <fdc@columbia.edu>,
220 The Kermit Project, Columbia University.
222 - Copyright (C) 2000, 2011,
223 + Copyright (C) 2000, 2014,
224 Trustees of Columbia University in the City of New York.
225 All rights reserved. See the C-Kermit COPYING.TXT file or the
226 copyright text in the ckcmai.c module for disclaimer and permissions.
227 @@ -1092,6 +1092,7 @@ static int
230 static int ftp_bug_use_ssl_v2 = 0; /* use SSLv2 for AUTH SSL */
231 +static int ftp_bug_use_ssl_v3 = 0; /* use SSLv3 for AUTH SSL */
235 @@ -1340,9 +1341,12 @@ static int nftpena = (sizeof(ftpenatab)
238 #define FTB_SV2 1 /* use SSLv2 */
239 +#define FTB_SV3 2 /* use SSLv3 */
241 static struct keytab ftpbugtab[] = {
242 - { "use-ssl-v2", FTB_SV2, 0 }
243 + { "use-ssl-v2", FTB_SV2, 0 },
244 + { "use-ssl-v3", FTB_SV3, 0 }
247 static int nftpbug = (sizeof(ftpbugtab) / sizeof(struct keytab));
249 @@ -2744,6 +2748,8 @@ dosetftp() {
252 return seton(&ftp_bug_use_ssl_v2);
254 + return seton(&ftp_bug_use_ssl_v3);
258 @@ -10169,6 +10175,7 @@ int
262 + CONST SSL_METHOD *client_method;
264 if (ssl_debug_flag) {
265 fprintf(stderr,"SSL DEBUG ACTIVE\n");
266 @@ -10195,16 +10202,30 @@ ssl_auth() {
267 #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
268 #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0L
271 + Pick allowed SSL/TLS versions according to enabled bugs.
272 + Modified 5 Feb 2015 to default to TLS 1.0 if no bugs are enabled,
273 + instead of to SSL 3.0, which has the POODLE vulnerability.
275 + if (ftp_bug_use_ssl_v2) {
276 + /* allow SSL 2.0 or later */
277 + client_method = SSLv23_client_method();
278 + } else if (ftp_bug_use_ssl_v3) {
279 + /* allow SSL 3.0 ONLY - previous default */
280 + client_method = SSLv3_client_method();
282 + /* default - allow TLS 1.0 or later */
283 + client_method = TLSv1_client_method();
285 if (auth_type && !strcmp(auth_type,"TLS")) {
286 - ssl_ftp_ctx=SSL_CTX_new(SSLv3_client_method());
287 + ssl_ftp_ctx=SSL_CTX_new(client_method);
290 SSL_CTX_set_options(ssl_ftp_ctx,
291 SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
294 - ssl_ftp_ctx = SSL_CTX_new(ftp_bug_use_ssl_v2 ? SSLv23_client_method() :
295 - SSLv3_client_method());
296 + ssl_ftp_ctx = SSL_CTX_new(client_method);
299 SSL_CTX_set_options(ssl_ftp_ctx,
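Review bot: The comment at gutter 282, `/* default - allow TLS 1.0 or later */`, does not match the code on the next line: `TLSv1_client_method()` negotiates TLS 1.0 only, so either the comment should read `/* default - TLS 1.0 only */` or the method should become `SSLv23_client_method()` with `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` added to the `SSL_CTX_set_options()` calls at gutters 290 and 299, which is what "or later" actually requires. When both `use-ssl-v2` and `use-ssl-v3` bugs are set, the if/else chain at gutters 275–283 silently lets v2 win; the header comment at gutters 271–273 should say so, and the v3 branch comment at gutter 279 should name POODLE as the reason this setting is opt-in, e.g. `/* allow SSL 3.0 ONLY - previous default; vulnerable to POODLE, legacy servers only */`. The `CONST SSL_METHOD *client_method;` declaration lives in the preceding hunk at gutter 262, and it is assigned on every path of the chain, so no uninitialised use is introduced. ssl_auth() continues beyond this hunk, and several of its lines (e.g. the closing braces around gutters 281 and 284) are not shown.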
300 @@ -10428,7 +10449,9 @@ ssl_auth() {
302 ssl_ftp_active_flag = 1;
304 - if (!ssl_certsok_flag && !tls_is_krb5(1)) {
305 + if (!ssl_certsok_flag &&
306 + (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
308 char *subject = ssl_get_subject_name(ssl_ftp_con);
311 @@ -13161,7 +13184,7 @@ initconn() {
312 inet_ntoa(hisctladdr.sin_addr)
316 + perror("ftphookup");
318 memcpy((char *)&hisctladdr.sin_addr,
320 @@ -13361,7 +13384,9 @@ ssl_dataconn() {
322 ssl_ftp_data_active_flag=1;
324 - if (!ssl_certsok_flag && !tls_is_krb5(2)) {
325 + if (!ssl_certsok_flag &&
326 + (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
328 char *subject = ssl_get_subject_name(ssl_ftp_data_con);