--- /dev/null
+Index: ckermit/ck_ssl.c
+===================================================================
+--- ckermit.orig/ck_ssl.c
++++ ckermit/ck_ssl.c
+@@ -1,8 +1,8 @@
+-char *cksslv = "SSL/TLS support, 9.0.227, 04 Aug 2010";
++char *cksslv = "SSL/TLS support, 9.0.232, 5 Feb 2015";
+ /*
+ C K _ S S L . C -- OpenSSL Interface for C-Kermit
+
+- Copyright (C) 1985, 2010,
++ Copyright (C) 1985, 2015,
+ Trustees of Columbia University in the City of New York.
+ All rights reserved. See the C-Kermit COPYING.TXT file or the
+ copyright text in the ckcmai.c module for disclaimer and permissions.
+@@ -19,7 +19,7 @@ char *cksslv = "SSL/TLS support, 9.0.227
+ . Client certificate to user id routine
+
+ Note: This code is written to be compatible with OpenSSL 0.9.6[abcdefgh]
+- and 0.9.7 beta 5 (and, presumably, later).
++ and 0.9.7 beta 5 and later, and (since July 2012) 1.0.x.
+ It will also compile with version 0.9.5 although that is discouraged
+ due to security weaknesses in that release.
+ */
+@@ -1363,6 +1363,7 @@ ssl_once_init()
+ if ( !ck_ssleay_is_installed() )
+ return;
+ /*
++ Pre-OpenSSL 1.0.0 comment:
+ OpenSSL does not provide for ABI compatibility between releases prior
+ to version 1.0.0. If the version does not match, it is not safe to
+ assume that any function you call takes the same parameters or does
+@@ -1371,6 +1372,20 @@ ssl_once_init()
+ The test should be revised once OpenSSL 1.0.0 is released and we see what
+ its claims are as to ABI compatibility.
+ */
++/*
++ Post-OpenSSL 1.0.0 comment:
++ OpenSSL does not provide for ABI compatibility between releases prior
++ to version 1.0.0. After 1.0, the following holds:
++
++ Changes to last letter: security and bugfix only, no new features.
++ E.g. 1.0.0->1.0.0a
++ Changes to last number: new ABI compatible features.
++ E.g. 1.0.0->1.0.1
++ Changes to middle number: major release, ABI compatibility not guaranteed.
++ E.g. 1.0.0->1.1.0
++
++ (per Dr. Stephen Henson)
++*/
+ debug(F111,"Kermit built for OpenSSL",OPENSSL_VERSION_TEXT,SSLEAY_VERSION_NUMBER);
+ #ifndef OS2ONLY
+ debug(F111,"OpenSSL Library",SSLeay_version(SSLEAY_VERSION),
+@@ -1380,7 +1395,10 @@ ssl_once_init()
+ debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
+
+ /* The following test is suggested by Richard Levitte */
+- if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f)
++ /* if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) */
++ /* Modified by Adam Friedlander for OpenSSL >= 1.0.0 */
++ if (OPENSSL_VERSION_NUMBER > SSLeay()
++ || ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & COMPAT_VERSION_MASK)
+ #ifdef OS2
+ || ckstrcmp(OPENSSL_VERSION_TEXT,(char *)SSLeay_version(SSLEAY_VERSION),-1,1)
+ #endif /* OS2 */
+@@ -1391,7 +1409,14 @@ ssl_once_init()
+ printf("?OpenSSL libraries do not match required version:\r\n");
+ printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
+ printf(" . Version found %s\r\n",SSLeay_version(SSLEAY_VERSION));
+- printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
++#ifdef OPENSSL_100
++ printf(" OpenSSL versions 1.0.0 or newer must be the same\r\n");
++ printf(" major and minor version number, and Kermit may not\r\n");
++ printf(" be used with a version of OpenSSL older than the one\r\n");
++ printf(" supplied at compile time.\r\n");
++#else
++ printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
++#endif /* OPENSSL_100 */
+
+ s = "R";
+ #ifdef SOLARIS
+@@ -1586,20 +1611,35 @@ ssl_tn_init(mode) int mode;
+ last_ssl_mode = -1;
+ return(0);
+ }
+-#ifndef COMMENT
++ /*
++ TLS 1.0 is the new default as of 5 Feb 2015.
++ Previously this was commented out because
++ "too many web servers still do not support TLSv1".
++ Now we try TLS 1.0 first, falling back to SSL 2.3
++ and SSL 3.0 in that order. Maybe there should be
++ an option not to fall back.
++ */
+ tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
+-#else /* COMMENT */
+- tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
+- /* This can fail because we do not have RSA available */
+- if ( !tls_ctx ) {
+- debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
+- tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+- }
+-#endif /* COMMENT */
+- if ( !tls_ctx ) {
++ if ( tls_ctx ) {
++ debug(F110,"ssl_tn_init","TLSv1_client_method OK",0);
++ } else {
+ debug(F110,"ssl_tn_init","TLSv1_client_method failed",0);
+- last_ssl_mode = -1;
+- return(0);
++ /* This can fail because we do not have RSA available */
++ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
++ if ( !tls_ctx ) {
++ debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
++ } else {
++ debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
++ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
++ if ( !tls_ctx ) {
++ debug(F110,
++ "ssl_tn_init","TLSv1_client_method failed",0);
++ debug(F110,
++ "ssl_tn_init","All SSL client methods failed",0);
++ last_ssl_mode = -1;
++ return(0);
++ }
++ }
+ }
+ #ifdef USE_CERT_CB
+ SSL_CTX_set_client_cert_cb(ssl_ctx,ssl_client_cert_callback);
+@@ -2153,32 +2193,25 @@ ssl_http_init(hostname) char * hostname;
+ printf("SSL_DEBUG_FLAG on\r\n");
+
+ if (!tls_http_ctx ) {
+-#ifdef COMMENT
+- /* too many web servers still do not support TLSv1 */
++ /*
++ TLS 1.0 is the new default as of 5 Feb 2015.
++ Previously this was commented out because
++ "too many web servers still do not support TLSv1".
++ Now we try TLS 1.0 first, falling back to SSL 2.3
++ and SSL 3.0 in that order. Maybe there should be
++ an option not to fall back.
++ */
+ tls_http_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method());
+-#else /* COMMENT */
+- tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
+- /* This can fail because we do not have RSA available */
+- if ( !tls_http_ctx ) {
+- debug(F110,"ssl_http_init","SSLv23_client_method failed",0);
+- tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+- }
+-#endif /* COMMENT */
+- if ( !tls_http_ctx ) {
+- debug(F110,"ssl_http_init","TLSv1_client_method failed",0);
+- return(0);
++ if ( tls_http_ctx ) {
++ debug(F110,"ssl_http_init","TLSv1_client_method OK",0);
+ }
+-#ifdef USE_CERT_CB
+- SSL_CTX_set_client_cert_cb(tls_http_ctx,ssl_client_cert_callback);
+-#endif /* USE_CERT_CB */
+ }
+-
+ SSL_CTX_set_default_passwd_cb(tls_http_ctx,
+ (pem_password_cb *)ssl_passwd_callback);
+
+ /* for SSL switch on all the interoperability and bug
+ * workarounds so that we will communicate with people
+- * that cannot read poorly written specs :-)
++ * who cannot read poorly written specs :-)
+ * for TLS be sure to prevent use of SSLv2
+ */
+ SSL_CTX_set_options(tls_http_ctx,
+Index: ckermit/ck_ssl.h
+===================================================================
+--- ckermit.orig/ck_ssl.h
++++ ckermit/ck_ssl.h
+@@ -1,7 +1,7 @@
+ /*
+ C K _ S S L . H -- OpenSSL Interface Header for C-Kermit
+
+- Copyright (C) 1985, 2005,
++ Copyright (C) 1985, 2013,
+ Trustees of Columbia University in the City of New York.
+ All rights reserved. See the C-Kermit COPYING.TXT file or the
+ copyright text in the ckcmai.c module for disclaimer and permissions.
+@@ -41,6 +41,17 @@
+ #define OPENSSL_NO_MDC2
+ #ifdef OPENSSL_100
+ #define OPENSSL_098
++
++/* Different major/minor version or development version of OpenSSL
++ * means ABI may break compatibility.
++ * Modified by Adam Friedlander for OpenSSL >= 1.0.0
++ */
++#define COMPAT_VERSION_MASK 0xffff000f
++#else
++/* Different major/minor/fix/development (not patch) version of OpenSSL
++ * means ABI may break compatibility. */
++#define COMPAT_VERSION_MASK 0xffffff0f
++
+ #endif /* OPENSSL_100 */
+ #ifdef OPENSSL_098
+ #define OPENSSL_097
+Index: ckermit/ckcftp.c
+===================================================================
+--- ckermit.orig/ckcftp.c
++++ ckermit/ckcftp.c
+@@ -2,7 +2,7 @@
+
+ /* C K C F T P -- FTP Client for C-Kermit */
+
+-char *ckftpv = "FTP Client, 9.0.260, 14 Jul 2011";
++char *ckftpv = "FTP Client, 9.0.263, 5 Feb 2015";
+
+ /*
+ Authors:
+@@ -11,7 +11,7 @@ char *ckftpv = "FTP Client, 9.0.260, 14
+ Frank da Cruz <fdc@columbia.edu>,
+ The Kermit Project, Columbia University.
+
+- Copyright (C) 2000, 2011,
++ Copyright (C) 2000, 2014,
+ Trustees of Columbia University in the City of New York.
+ All rights reserved. See the C-Kermit COPYING.TXT file or the
+ copyright text in the ckcmai.c module for disclaimer and permissions.
+@@ -1092,6 +1092,7 @@ static int
+
+ #ifdef CK_SSL
+ static int ftp_bug_use_ssl_v2 = 0; /* use SSLv2 for AUTH SSL */
++static int ftp_bug_use_ssl_v3 = 0; /* use SSLv3 for AUTH SSL */
+ #endif /* CK_SSL */
+
+ static int
+@@ -1340,9 +1341,12 @@ static int nftpena = (sizeof(ftpenatab)
+ /* FTP BUGS */
+
+ #define FTB_SV2 1 /* use SSLv2 */
++#define FTB_SV3 2 /* use SSLv3 */
+
+ static struct keytab ftpbugtab[] = {
+- { "use-ssl-v2", FTB_SV2, 0 }
++ { "use-ssl-v2", FTB_SV2, 0 },
++ { "use-ssl-v3", FTB_SV3, 0 }
++
+ };
+ static int nftpbug = (sizeof(ftpbugtab) / sizeof(struct keytab));
+
+@@ -2744,6 +2748,8 @@ dosetftp() {
+ #ifdef CK_SSL
+ case FTB_SV2:
+ return seton(&ftp_bug_use_ssl_v2);
++ case FTB_SV3:
++ return seton(&ftp_bug_use_ssl_v3);
+ #endif /* CK_SSL */
+ default:
+ return(-2);
+@@ -10169,6 +10175,7 @@ int
+ ssl_auth() {
+ int i;
+ char* p;
++ CONST SSL_METHOD *client_method;
+
+ if (ssl_debug_flag) {
+ fprintf(stderr,"SSL DEBUG ACTIVE\n");
+@@ -10195,16 +10202,30 @@ ssl_auth() {
+ #ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0L
+ #endif
++/*
++ Pick allowed SSL/TLS versions according to enabled bugs.
++ Modified 5 Feb 2015 to default to TLS 1.0 if no bugs are enabled,
++ instead of to SSL 3.0, which has the POODLE vulnerability.
++*/
++ if (ftp_bug_use_ssl_v2) {
++ /* allow SSL 2.0 or later */
++ client_method = SSLv23_client_method();
++ } else if (ftp_bug_use_ssl_v3) {
++ /* allow SSL 3.0 ONLY - previous default */
++ client_method = SSLv3_client_method();
++ } else {
++ /* default - allow TLS 1.0 or later */
++ client_method = TLSv1_client_method();
++ }
+ if (auth_type && !strcmp(auth_type,"TLS")) {
+- ssl_ftp_ctx=SSL_CTX_new(SSLv3_client_method());
++ ssl_ftp_ctx=SSL_CTX_new(client_method);
+ if (!ssl_ftp_ctx)
+ return(0);
+ SSL_CTX_set_options(ssl_ftp_ctx,
+ SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
+ );
+ } else {
+- ssl_ftp_ctx = SSL_CTX_new(ftp_bug_use_ssl_v2 ? SSLv23_client_method() :
+- SSLv3_client_method());
++ ssl_ftp_ctx = SSL_CTX_new(client_method);
+ if (!ssl_ftp_ctx)
+ return(0);
+ SSL_CTX_set_options(ssl_ftp_ctx,
+@@ -10428,7 +10449,9 @@ ssl_auth() {
+ } else {
+ ssl_ftp_active_flag = 1;
+
+- if (!ssl_certsok_flag && !tls_is_krb5(1)) {
++ if (!ssl_certsok_flag &&
++ (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
++ !tls_is_krb5(1)) {
+ char *subject = ssl_get_subject_name(ssl_ftp_con);
+
+ if (!subject) {
+@@ -13161,7 +13184,7 @@ initconn() {
+ inet_ntoa(hisctladdr.sin_addr)
+ );
+ errno = oerrno;
+- perror((char *)0);
++ perror("ftphookup");
+ hp->h_addr_list++;
+ memcpy((char *)&hisctladdr.sin_addr,
+ hp->h_addr_list[0],
+@@ -13361,7 +13384,9 @@ ssl_dataconn() {
+ } else {
+ ssl_ftp_data_active_flag=1;
+
+- if (!ssl_certsok_flag && !tls_is_krb5(2)) {
++ if (!ssl_certsok_flag &&
++ (ssl_verify_flag & SSL_VERIFY_PEER) && /* JEA 2013-12-10 */
++ !tls_is_krb5(2)) {
+ char *subject = ssl_get_subject_name(ssl_ftp_data_con);
+
+ if (!subject) {
projects / ckermit.git / blobdiff