2 * Part of Very Secure FTPd
3 * Licence: GPL v2. Note that this code interfaces with with the OpenSSL
4 * libraries, so please read LICENSE where I give explicit permission to link
5 * against the OpenSSL libraries.
9 * Routines to handle a SSL/TLS-based implementation of RFC 2228, i.e.
22 #include "builddefs.h"
27 #include <openssl/ssl.h>
28 #include <openssl/err.h>
29 #include <openssl/rand.h>
30 #include <openssl/bio.h>
31 #include <openssl/ec.h>
35 static char* get_ssl_error();
36 static SSL
* get_ssl(struct vsf_session
* p_sess
, int fd
);
37 static int ssl_session_init(struct vsf_session
* p_sess
);
38 static void setup_bio_callbacks();
39 static long bio_callback(
40 BIO
* p_bio
, int oper
, const char* p_arg
, int argi
, long argl
, long retval
);
41 static int ssl_verify_callback(int verify_ok
, X509_STORE_CTX
* p_ctx
);
42 static int ssl_cert_digest(
43 SSL
* p_ssl
, struct vsf_session
* p_sess
, struct mystr
* p_str
);
44 static void maybe_log_shutdown_state(struct vsf_session
* p_sess
);
45 static void maybe_log_ssl_error_state(struct vsf_session
* p_sess
, int ret
);
46 static int ssl_read_common(struct vsf_session
* p_sess
,
50 int (*p_ssl_func
)(SSL
*, void*, int));
52 static int ssl_inited
;
53 static struct mystr debug_str
;
56 ssl_init(struct vsf_session
* p_sess
)
62 int verify_option
= 0;
64 p_ctx
= SSL_CTX_new(SSLv23_server_method());
67 die("SSL: could not allocate SSL context");
72 options
|= SSL_OP_NO_SSLv2
;
76 options
|= SSL_OP_NO_SSLv3
;
80 options
|= SSL_OP_NO_TLSv1
;
82 SSL_CTX_set_options(p_ctx
, options
);
83 if (tunable_rsa_cert_file
)
85 const char* p_key
= tunable_rsa_private_key_file
;
88 p_key
= tunable_rsa_cert_file
;
90 if (SSL_CTX_use_certificate_chain_file(p_ctx
, tunable_rsa_cert_file
) != 1)
92 die("SSL: cannot load RSA certificate");
94 if (SSL_CTX_use_PrivateKey_file(p_ctx
, p_key
, X509_FILETYPE_PEM
) != 1)
96 die("SSL: cannot load RSA private key");
99 if (tunable_dsa_cert_file
)
101 const char* p_key
= tunable_dsa_private_key_file
;
104 p_key
= tunable_dsa_cert_file
;
106 if (SSL_CTX_use_certificate_chain_file(p_ctx
, tunable_dsa_cert_file
) != 1)
108 die("SSL: cannot load DSA certificate");
110 if (SSL_CTX_use_PrivateKey_file(p_ctx
, p_key
, X509_FILETYPE_PEM
) != 1)
112 die("SSL: cannot load DSA private key");
115 if (tunable_ssl_ciphers
&&
116 SSL_CTX_set_cipher_list(p_ctx
, tunable_ssl_ciphers
) != 1)
118 die("SSL: could not set cipher list");
120 if (RAND_status() != 1)
122 die("SSL: RNG is not seeded");
125 EC_KEY
* key
= EC_KEY_new_by_curve_name(NID_X9_62_prime256v1
);
128 die("SSL: failed to get curve p256");
130 SSL_CTX_set_tmp_ecdh(p_ctx
, key
);
133 if (tunable_ssl_request_cert
)
135 verify_option
|= SSL_VERIFY_PEER
;
137 if (tunable_require_cert
)
139 verify_option
|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT
;
143 SSL_CTX_set_verify(p_ctx
, verify_option
, ssl_verify_callback
);
144 if (tunable_ca_certs_file
)
146 STACK_OF(X509_NAME
)* p_names
;
147 if (!SSL_CTX_load_verify_locations(p_ctx
, tunable_ca_certs_file
, NULL
))
149 die("SSL: could not load verify file");
151 p_names
= SSL_load_client_CA_file(tunable_ca_certs_file
);
154 die("SSL: could not load client certs file");
156 SSL_CTX_set_client_CA_list(p_ctx
, p_names
);
160 static const char* p_ctx_id
= "vsftpd";
161 SSL_CTX_set_session_id_context(p_ctx
, (void*) p_ctx_id
,
162 vsf_sysutil_strlen(p_ctx_id
));
164 if (tunable_require_ssl_reuse
)
166 /* Ensure cached session doesn't expire */
167 SSL_CTX_set_timeout(p_ctx
, INT_MAX
);
169 p_sess
->p_ssl_ctx
= p_ctx
;
175 ssl_control_handshake(struct vsf_session
* p_sess
)
177 if (!ssl_session_init(p_sess
))
179 struct mystr err_str
= INIT_MYSTR
;
180 str_alloc_text(&err_str
, "Negotiation failed: ");
181 /* Technically, we shouldn't leak such detailed error messages. */
182 str_append_text(&err_str
, get_ssl_error());
183 vsf_cmdio_write_str(p_sess
, FTP_TLS_FAIL
, &err_str
);
186 p_sess
->control_use_ssl
= 1;
190 handle_auth(struct vsf_session
* p_sess
)
192 str_upper(&p_sess
->ftp_arg_str
);
193 if (str_equal_text(&p_sess
->ftp_arg_str
, "TLS") ||
194 str_equal_text(&p_sess
->ftp_arg_str
, "TLS-C") ||
195 str_equal_text(&p_sess
->ftp_arg_str
, "SSL") ||
196 str_equal_text(&p_sess
->ftp_arg_str
, "TLS-P"))
198 vsf_cmdio_write(p_sess
, FTP_AUTHOK
, "Proceed with negotiation.");
199 ssl_control_handshake(p_sess
);
200 if (str_equal_text(&p_sess
->ftp_arg_str
, "SSL") ||
201 str_equal_text(&p_sess
->ftp_arg_str
, "TLS-P"))
203 p_sess
->data_use_ssl
= 1;
208 vsf_cmdio_write(p_sess
, FTP_BADAUTH
, "Unknown AUTH type.");
213 handle_pbsz(struct vsf_session
* p_sess
)
215 if (!p_sess
->control_use_ssl
)
217 vsf_cmdio_write(p_sess
, FTP_BADPBSZ
, "PBSZ needs a secure connection.");
221 vsf_cmdio_write(p_sess
, FTP_PBSZOK
, "PBSZ set to 0.");
226 handle_prot(struct vsf_session
* p_sess
)
228 str_upper(&p_sess
->ftp_arg_str
);
229 if (!p_sess
->control_use_ssl
)
231 vsf_cmdio_write(p_sess
, FTP_BADPROT
, "PROT needs a secure connection.");
233 else if (str_equal_text(&p_sess
->ftp_arg_str
, "C"))
235 p_sess
->data_use_ssl
= 0;
236 vsf_cmdio_write(p_sess
, FTP_PROTOK
, "PROT now Clear.");
238 else if (str_equal_text(&p_sess
->ftp_arg_str
, "P"))
240 p_sess
->data_use_ssl
= 1;
241 vsf_cmdio_write(p_sess
, FTP_PROTOK
, "PROT now Private.");
243 else if (str_equal_text(&p_sess
->ftp_arg_str
, "S") ||
244 str_equal_text(&p_sess
->ftp_arg_str
, "E"))
246 vsf_cmdio_write(p_sess
, FTP_NOHANDLEPROT
, "PROT not supported.");
250 vsf_cmdio_write(p_sess
, FTP_NOSUCHPROT
, "PROT not recognized.");
255 ssl_read(struct vsf_session
* p_sess
, void* p_ssl
, char* p_buf
, unsigned int len
)
257 return ssl_read_common(p_sess
, (SSL
*) p_ssl
, p_buf
, len
, SSL_read
);
261 ssl_peek(struct vsf_session
* p_sess
, void* p_ssl
, char* p_buf
, unsigned int len
)
263 return ssl_read_common(p_sess
, (SSL
*) p_ssl
, p_buf
, len
, SSL_peek
);
267 ssl_read_common(struct vsf_session
* p_sess
,
271 int (*p_ssl_func
)(SSL
*, void*, int))
275 SSL
* p_ssl
= (SSL
*) p_void_ssl
;
278 retval
= (*p_ssl_func
)(p_ssl
, p_buf
, len
);
279 err
= SSL_get_error(p_ssl
, retval
);
281 while (retval
< 0 && (err
== SSL_ERROR_WANT_READ
||
282 err
== SSL_ERROR_WANT_WRITE
));
283 /* If we hit an EOF, make sure it was from the peer, not injected by the
286 if (retval
== 0 && SSL_get_shutdown(p_ssl
) != SSL_RECEIVED_SHUTDOWN
)
288 if (p_ssl
== p_sess
->p_control_ssl
)
290 str_alloc_text(&debug_str
, "Control");
294 str_alloc_text(&debug_str
, "DATA");
296 str_append_text(&debug_str
, " connection terminated without SSL shutdown.");
297 if (p_ssl
!= p_sess
->p_control_ssl
)
299 str_append_text(&debug_str
,
300 " Buggy client! Integrity of upload cannot be asserted.");
302 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
303 if (tunable_strict_ssl_read_eof
)
312 ssl_write(void* p_ssl
, const char* p_buf
, unsigned int len
)
318 retval
= SSL_write((SSL
*) p_ssl
, p_buf
, len
);
319 err
= SSL_get_error((SSL
*) p_ssl
, retval
);
321 while (retval
< 0 && (err
== SSL_ERROR_WANT_READ
||
322 err
== SSL_ERROR_WANT_WRITE
));
327 ssl_write_str(void* p_ssl
, const struct mystr
* p_str
)
329 unsigned int len
= str_getlen(p_str
);
330 int ret
= SSL_write((SSL
*) p_ssl
, str_getbuf(p_str
), len
);
331 if ((unsigned int) ret
!= len
)
339 ssl_read_into_str(struct vsf_session
* p_sess
, void* p_ssl
, struct mystr
* p_str
)
341 unsigned int len
= str_getlen(p_str
);
342 int ret
= ssl_read(p_sess
, p_ssl
, (char*) str_getbuf(p_str
), len
);
345 str_trunc(p_str
, (unsigned int) ret
);
355 maybe_log_shutdown_state(struct vsf_session
* p_sess
)
357 if (tunable_debug_ssl
)
359 int ret
= SSL_get_shutdown(p_sess
->p_data_ssl
);
360 str_alloc_text(&debug_str
, "SSL shutdown state is: ");
363 str_append_text(&debug_str
, "NONE");
365 else if (ret
== SSL_SENT_SHUTDOWN
)
367 str_append_text(&debug_str
, "SSL_SENT_SHUTDOWN");
369 else if (ret
== SSL_RECEIVED_SHUTDOWN
)
371 str_append_text(&debug_str
, "SSL_RECEIVED_SHUTDOWN");
375 str_append_ulong(&debug_str
, ret
);
377 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
382 maybe_log_ssl_error_state(struct vsf_session
* p_sess
, int ret
)
384 if (tunable_debug_ssl
)
386 str_alloc_text(&debug_str
, "SSL ret: ");
387 str_append_ulong(&debug_str
, ret
);
388 str_append_text(&debug_str
, ", SSL error: ");
389 str_append_text(&debug_str
, get_ssl_error());
390 str_append_text(&debug_str
, ", errno: ");
391 str_append_ulong(&debug_str
, errno
);
392 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
397 ssl_data_close(struct vsf_session
* p_sess
)
400 SSL
* p_ssl
= p_sess
->p_data_ssl
;
404 maybe_log_shutdown_state(p_sess
);
406 /* Disable Nagle algorithm. We want the shutdown packet to be sent
407 * immediately, there's nothing coming after.
409 vsf_sysutil_set_nodelay(SSL_get_fd(p_ssl
));
411 /* This is a mess. Ideally, when we're the sender, we'd like to get to the
412 * SSL_RECEIVED_SHUTDOWN state to get a cryptographic guarantee that the
413 * peer received all the data and shut the connection down cleanly. It
414 * doesn't matter hugely apart from logging, but it's a nagging detail.
415 * Unfortunately, no FTP client I found was able to get sends into that
416 * state, so the best we can do is issue SSL_shutdown but not check the
417 * errors / returns. At least this enables the receiver to be sure of the
418 * integrity of the send in terms of unwanted truncation.
420 ret
= SSL_shutdown(p_ssl
);
421 maybe_log_shutdown_state(p_sess
);
424 ret
= SSL_shutdown(p_ssl
);
425 maybe_log_shutdown_state(p_sess
);
428 if (tunable_strict_ssl_write_shutdown
)
432 maybe_log_shutdown_state(p_sess
);
433 maybe_log_ssl_error_state(p_sess
, ret
);
438 if (tunable_strict_ssl_write_shutdown
)
442 maybe_log_ssl_error_state(p_sess
, ret
);
445 p_sess
->p_data_ssl
= NULL
;
451 ssl_accept(struct vsf_session
* p_sess
, int fd
)
453 /* SECURITY: data SSL connections don't have any auth on them as part of the
454 * protocol. If a client sends an unfortunately optional client cert then
455 * we can check for a match between the control and data connections.
459 if (p_sess
->p_data_ssl
!= NULL
)
461 die("p_data_ssl should be NULL.");
463 p_ssl
= get_ssl(p_sess
, fd
);
468 p_sess
->p_data_ssl
= p_ssl
;
469 setup_bio_callbacks(p_ssl
);
470 reused
= SSL_session_reused(p_ssl
);
471 if (tunable_require_ssl_reuse
&& !reused
)
473 str_alloc_text(&debug_str
, "No SSL session reuse on data channel.");
474 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
475 ssl_data_close(p_sess
);
478 if (str_getlen(&p_sess
->control_cert_digest
) > 0)
480 static struct mystr data_cert_digest
;
481 if (!ssl_cert_digest(p_ssl
, p_sess
, &data_cert_digest
))
483 str_alloc_text(&debug_str
, "Missing cert on data channel.");
484 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
485 ssl_data_close(p_sess
);
488 if (str_strcmp(&p_sess
->control_cert_digest
, &data_cert_digest
))
490 str_alloc_text(&debug_str
, "DIFFERENT cert on data channel.");
491 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
492 ssl_data_close(p_sess
);
495 if (tunable_debug_ssl
)
497 str_alloc_text(&debug_str
, "Matching cert on data channel.");
498 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
505 ssl_comm_channel_init(struct vsf_session
* p_sess
)
507 const struct vsf_sysutil_socketpair_retval retval
=
508 vsf_sysutil_unix_stream_socketpair();
509 if (p_sess
->ssl_consumer_fd
!= -1)
511 bug("ssl_consumer_fd active");
513 if (p_sess
->ssl_slave_fd
!= -1)
515 bug("ssl_slave_fd active");
517 p_sess
->ssl_consumer_fd
= retval
.socket_one
;
518 p_sess
->ssl_slave_fd
= retval
.socket_two
;
522 ssl_comm_channel_set_consumer_context(struct vsf_session
* p_sess
)
524 if (p_sess
->ssl_slave_fd
== -1)
526 bug("ssl_slave_fd already closed");
528 vsf_sysutil_close(p_sess
->ssl_slave_fd
);
529 p_sess
->ssl_slave_fd
= -1;
533 ssl_comm_channel_set_producer_context(struct vsf_session
* p_sess
)
535 if (p_sess
->ssl_consumer_fd
== -1)
537 bug("ssl_consumer_fd already closed");
539 vsf_sysutil_close(p_sess
->ssl_consumer_fd
);
540 p_sess
->ssl_consumer_fd
= -1;
544 get_ssl(struct vsf_session
* p_sess
, int fd
)
546 SSL
* p_ssl
= SSL_new(p_sess
->p_ssl_ctx
);
549 if (tunable_debug_ssl
)
551 str_alloc_text(&debug_str
, "SSL_new failed");
552 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
556 if (!SSL_set_fd(p_ssl
, fd
))
558 if (tunable_debug_ssl
)
560 str_alloc_text(&debug_str
, "SSL_set_fd failed");
561 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
566 if (SSL_accept(p_ssl
) != 1)
568 const char* p_err
= get_ssl_error();
569 if (tunable_debug_ssl
)
571 str_alloc_text(&debug_str
, "SSL_accept failed: ");
572 str_append_text(&debug_str
, p_err
);
573 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
575 /* The RFC is quite clear that we can just close the control channel
580 if (tunable_debug_ssl
)
582 const char* p_ssl_version
= SSL_get_cipher_version(p_ssl
);
583 const SSL_CIPHER
* p_ssl_cipher
= SSL_get_current_cipher(p_ssl
);
584 const char* p_cipher_name
= SSL_CIPHER_get_name(p_ssl_cipher
);
585 X509
* p_ssl_cert
= SSL_get_peer_certificate(p_ssl
);
586 int reused
= SSL_session_reused(p_ssl
);
587 str_alloc_text(&debug_str
, "SSL version: ");
588 str_append_text(&debug_str
, p_ssl_version
);
589 str_append_text(&debug_str
, ", SSL cipher: ");
590 str_append_text(&debug_str
, p_cipher_name
);
593 str_append_text(&debug_str
, ", reused");
597 str_append_text(&debug_str
, ", not reused");
599 if (p_ssl_cert
!= NULL
)
601 str_append_text(&debug_str
, ", CERT PRESENTED");
602 X509_free(p_ssl_cert
);
606 str_append_text(&debug_str
, ", no cert");
608 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
614 ssl_session_init(struct vsf_session
* p_sess
)
616 SSL
* p_ssl
= get_ssl(p_sess
, VSFTP_COMMAND_FD
);
621 p_sess
->p_control_ssl
= p_ssl
;
622 (void) ssl_cert_digest(p_ssl
, p_sess
, &p_sess
->control_cert_digest
);
623 setup_bio_callbacks(p_ssl
);
628 ssl_cert_digest(SSL
* p_ssl
, struct vsf_session
* p_sess
, struct mystr
* p_str
)
630 X509
* p_cert
= SSL_get_peer_certificate(p_ssl
);
631 unsigned int num_bytes
= 0;
636 str_reserve(p_str
, EVP_MAX_MD_SIZE
);
638 str_rpad(p_str
, EVP_MAX_MD_SIZE
);
639 if (!X509_digest(p_cert
, EVP_sha256(), (unsigned char*) str_getbuf(p_str
),
642 die("X509_digest failed");
645 if (tunable_debug_ssl
)
648 str_alloc_text(&debug_str
, "Cert digest:");
649 for (i
= 0; i
< num_bytes
; ++i
)
651 str_append_char(&debug_str
, ' ');
653 &debug_str
, (unsigned long) (unsigned char) str_get_char_at(p_str
, i
));
655 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
657 str_trunc(p_str
, num_bytes
);
664 SSL_load_error_strings();
665 return ERR_error_string(ERR_get_error(), NULL
);
668 static void setup_bio_callbacks(SSL
* p_ssl
)
670 BIO
* p_bio
= SSL_get_rbio(p_ssl
);
671 BIO_set_callback(p_bio
, bio_callback
);
672 p_bio
= SSL_get_wbio(p_ssl
);
673 BIO_set_callback(p_bio
, bio_callback
);
678 BIO
* p_bio
, int oper
, const char* p_arg
, int argi
, long argl
, long ret
)
685 if (oper
== (BIO_CB_READ
| BIO_CB_RETURN
) ||
686 oper
== (BIO_CB_WRITE
| BIO_CB_RETURN
))
689 fd
= BIO_get_fd(p_bio
, NULL
);
691 vsf_sysutil_check_pending_actions(kVSFSysUtilIO
, retval
, fd
);
696 ssl_verify_callback(int verify_ok
, X509_STORE_CTX
* p_ctx
)
699 if (tunable_validate_cert
)
707 ssl_add_entropy(struct vsf_session
* p_sess
)
709 /* Although each child does seem to have its different pool of entropy, I
710 * don't trust the interaction of OpenSSL's opaque RAND API and fork(). So
711 * throw a bit more in (only works on systems with /dev/urandom for now).
713 int ret
= RAND_load_file("/dev/urandom", 16);
716 str_alloc_text(&debug_str
, "Couldn't add extra OpenSSL entropy: ");
717 str_append_ulong(&debug_str
, (unsigned long) ret
);
718 vsf_log_line(p_sess
, kVSFLogEntryDebug
, &debug_str
);
722 #else /* VSF_BUILD_SSL */
725 ssl_init(struct vsf_session
* p_sess
)
728 die("SSL: ssl_enable is set but SSL support not compiled in");
732 ssl_control_handshake(struct vsf_session
* p_sess
)
738 handle_auth(struct vsf_session
* p_sess
)
744 handle_pbsz(struct vsf_session
* p_sess
)
750 handle_prot(struct vsf_session
* p_sess
)
756 ssl_read(struct vsf_session
* p_sess
, void* p_ssl
, char* p_buf
, unsigned int len
)
766 ssl_peek(struct vsf_session
* p_sess
, void* p_ssl
, char* p_buf
, unsigned int len
)
776 ssl_write(void* p_ssl
, const char* p_buf
, unsigned int len
)
785 ssl_write_str(void* p_ssl
, const struct mystr
* p_str
)
793 ssl_accept(struct vsf_session
* p_sess
, int fd
)
801 ssl_data_close(struct vsf_session
* p_sess
)
808 ssl_comm_channel_init(struct vsf_session
* p_sess
)
814 ssl_comm_channel_set_consumer_context(struct vsf_session
* p_sess
)
820 ssl_comm_channel_set_producer_context(struct vsf_session
* p_sess
)
826 ssl_add_entropy(struct vsf_session
* p_sess
)
832 ssl_read_into_str(struct vsf_session
* p_sess
, void* p_ssl
, struct mystr
* p_str
)
840 #endif /* VSF_BUILD_SSL */