2 * Copyright (c) 1998-2002, 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include "ftpd_locl.h"
40 RCSID("$Id: security.c 21225 2007-06-20 10:16:02Z lha $");
42 static enum protection_level command_prot;
43 static enum protection_level data_prot;
44 static size_t buffer_size;
53 static struct buffer in_buffer, out_buffer;
57 enum protection_level level;
60 { prot_clear, "clear" },
61 { prot_safe, "safe" },
62 { prot_confidential, "confidential" },
63 { prot_private, "private" }
67 level_to_name(enum protection_level level)
70 for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
71 if(level_names[i].level == level)
72 return level_names[i].name;
76 #ifndef FTP_SERVER /* not used in server */
77 static enum protection_level
78 name_to_level(const char *name)
81 for(i = 0; i < sizeof(level_names) / sizeof(level_names[0]); i++)
82 if(!strncasecmp(level_names[i].name, name, strlen(name)))
83 return level_names[i].level;
84 return (enum protection_level)-1;
90 static struct sec_server_mech *mechs[] = {
100 static struct sec_server_mech *mech;
104 static struct sec_client_mech *mechs[] = {
114 static struct sec_client_mech *mech;
118 static void *app_data;
123 if(sec_complete && data_prot) {
125 if(sec_read(fileno(F), &c, 1) <= 0)
133 block_read(int fd, void *buf, size_t len)
135 unsigned char *p = buf;
138 b = read(fd, p, len);
146 return p - (unsigned char*)buf;
150 block_write(int fd, void *buf, size_t len)
152 unsigned char *p = buf;
155 b = write(fd, p, len);
161 return p - (unsigned char*)buf;
165 sec_get_data(int fd, struct buffer *buf, int level)
171 b = block_read(fd, &len, sizeof(len));
177 tmp = realloc(buf->data, len);
181 b = block_read(fd, buf->data, len);
186 buf->size = (*mech->decode)(app_data, buf->data, len, data_prot);
192 buffer_read(struct buffer *buf, void *dataptr, size_t len)
194 len = min(len, buf->size - buf->index);
195 memcpy(dataptr, (char*)buf->data + buf->index, len);
201 buffer_write(struct buffer *buf, void *dataptr, size_t len)
203 if(buf->index + len > buf->size) {
205 if(buf->data == NULL)
208 tmp = realloc(buf->data, buf->index + len);
212 buf->size = buf->index + len;
214 memcpy((char*)buf->data + buf->index, dataptr, len);
220 sec_read(int fd, void *dataptr, int length)
225 if(sec_complete == 0 || data_prot == 0)
226 return read(fd, dataptr, length);
228 if(in_buffer.eof_flag){
229 in_buffer.eof_flag = 0;
233 len = buffer_read(&in_buffer, dataptr, length);
236 dataptr = (char*)dataptr + len;
241 ret = sec_get_data(fd, &in_buffer, data_prot);
244 if(ret == 0 && in_buffer.size == 0) {
246 in_buffer.eof_flag = 1;
249 len = buffer_read(&in_buffer, dataptr, length);
252 dataptr = (char*)dataptr + len;
258 sec_send(int fd, char *from, int length)
262 bytes = (*mech->encode)(app_data, from, length, data_prot, &buf);
263 bytes = htonl(bytes);
264 block_write(fd, &bytes, sizeof(bytes));
265 block_write(fd, buf, ntohl(bytes));
273 if(data_prot != prot_clear) {
274 if(out_buffer.index > 0){
275 sec_write(fileno(F), out_buffer.data, out_buffer.index);
276 out_buffer.index = 0;
278 sec_send(fileno(F), NULL, 0);
285 sec_write(int fd, char *dataptr, int length)
287 int len = buffer_size;
290 if(data_prot == prot_clear)
291 return write(fd, dataptr, length);
293 len -= (*mech->overhead)(app_data, data_prot, len);
297 sec_send(fd, dataptr, len);
306 sec_vfprintf2(FILE *f, const char *fmt, va_list ap)
310 if(data_prot == prot_clear)
311 return vfprintf(f, fmt, ap);
314 len = vasprintf(&buf, fmt, ap);
317 ret = buffer_write(&out_buffer, buf, len);
324 sec_fprintf2(FILE *f, const char *fmt, ...)
329 ret = sec_vfprintf2(f, fmt, ap);
335 sec_putc(int c, FILE *F)
338 if(data_prot == prot_clear)
341 buffer_write(&out_buffer, &ch, 1);
342 if(c == '\n' || out_buffer.index >= 1024 /* XXX */) {
343 sec_write(fileno(F), out_buffer.data, out_buffer.index);
344 out_buffer.index = 0;
350 sec_read_msg(char *s, int level)
356 buf = malloc(strlen(s));
357 len = base64_decode(s + 4, buf); /* XXX */
359 len = (*mech->decode)(app_data, buf, len, level);
368 sscanf(buf, "%d", &return_code);
369 if(buf[len-1] == '\n')
377 sec_vfprintf(FILE *f, const char *fmt, va_list ap)
383 return vfprintf(f, fmt, ap);
385 if (vasprintf(&buf, fmt, ap) == -1) {
386 printf("Failed to allocate command.\n");
389 len = (*mech->encode)(app_data, buf, strlen(buf), command_prot, &enc);
392 printf("Failed to encode command.\n");
395 if(base64_encode(enc, len, &buf) < 0){
397 printf("Out of memory base64-encoding.\n");
402 if(command_prot == prot_safe)
403 fprintf(f, "631 %s\r\n", buf);
404 else if(command_prot == prot_private)
405 fprintf(f, "632 %s\r\n", buf);
406 else if(command_prot == prot_confidential)
407 fprintf(f, "633 %s\r\n", buf);
409 if(command_prot == prot_safe)
410 fprintf(f, "MIC %s", buf);
411 else if(command_prot == prot_private)
412 fprintf(f, "ENC %s", buf);
413 else if(command_prot == prot_confidential)
414 fprintf(f, "CONF %s", buf);
421 sec_fprintf(FILE *f, const char *fmt, ...)
426 ret = sec_vfprintf(f, fmt, ap);
431 /* end common stuff */
438 auth(char *auth_name)
443 for(i = 0; (mech = mechs[i]) != NULL; i++){
444 if(!strcasecmp(auth_name, mech->name)){
445 tmp = realloc(app_data, mech->size);
447 reply(431, "Unable to accept %s at this time", mech->name);
452 if(mech->init && (*mech->init)(app_data) != 0) {
453 reply(431, "Unable to accept %s at this time", mech->name);
457 (*mech->auth)(app_data);
461 reply(334, "Send authorization data.");
463 reply(234, "Authorization complete.");
469 reply(504, "%s is unknown to me", auth_name);
473 adat(char *auth_data)
475 if(mech && !sec_complete) {
476 void *buf = malloc(strlen(auth_data));
478 len = base64_decode(auth_data, buf);
479 (*mech->adat)(app_data, buf, len);
482 reply(503, "You must %sissue an AUTH first.", mech ? "re-" : "");
489 reply(503, "Incomplete security data exchange.");
491 new = (*mech->pbsz)(app_data, size);
492 if(buffer_size != new){
496 reply(200, "PBSZ=%lu", (unsigned long)new);
506 if(buffer_size == 0){
507 reply(503, "No protection buffer size negotiated.");
511 if(!strcasecmp(pl, "C"))
513 else if(!strcasecmp(pl, "S"))
515 else if(!strcasecmp(pl, "E"))
516 p = prot_confidential;
517 else if(!strcasecmp(pl, "P"))
520 reply(504, "Unrecognized protection level.");
525 if((*mech->check_prot)(app_data, p)){
526 reply(536, "%s does not support %s protection.",
527 mech->name, level_to_name(p));
529 data_prot = (enum protection_level)p;
530 reply(200, "Data protection is %s.", level_to_name(p));
533 reply(503, "Incomplete security data exchange.");
540 if(mech->ccc && (*mech->ccc)(app_data) == 0) {
541 command_prot = data_prot = prot_clear;
544 reply(534, "You must be joking.");
546 reply(503, "Incomplete security data exchange.");
549 void mec(char *msg, enum protection_level level)
552 size_t len, buf_size;
554 reply(503, "Incomplete security data exchange.");
557 buf_size = strlen(msg) + 2;
558 buf = malloc(buf_size);
559 len = base64_decode(msg, buf);
560 command_prot = level;
561 if(len == (size_t)-1) {
562 reply(501, "Failed to base64-decode command");
565 len = (*mech->decode)(app_data, buf, len, level);
566 if(len == (size_t)-1) {
567 reply(535, "Failed to decode command");
570 ((char*)buf)[len] = '\0';
571 if(strstr((char*)buf, "\r\n") == NULL)
572 strlcat((char*)buf, "\r\n", buf_size);
573 new_ftp_command(buf);
576 /* ------------------------------------------------------------ */
579 sec_userok(char *userstr)
582 return (*mech->userok)(app_data, userstr);
587 sec_session(char *user)
589 if(sec_complete && mech->session)
590 return (*mech->session)(app_data, user);
597 new_ftp_command(char *command)
599 ftp_command = command;
603 delete_ftp_command(void)
612 return ftp_command != NULL;
615 enum protection_level
616 get_command_prot(void)
621 #else /* FTP_SERVER */
627 printf("Using %s for authentication.\n", mech->name);
628 printf("Using %s command channel.\n", level_to_name(command_prot));
629 printf("Using %s data channel.\n", level_to_name(data_prot));
631 printf("Protection buffer size: %lu.\n",
632 (unsigned long)buffer_size);
634 printf("Not using any security mechanism.\n");
639 sec_prot_internal(int level)
643 unsigned int s = 1048576;
645 int old_verbose = verbose;
649 printf("No security data exchange has taken place.\n");
654 ret = command("PBSZ %u", s);
656 printf("Failed to set protection buffer size.\n");
660 p = strstr(reply_string, "PBSZ=");
662 sscanf(p, "PBSZ=%u", &s);
666 verbose = old_verbose;
667 ret = command("PROT %c", level["CSEP"]); /* XXX :-) */
669 printf("Failed to set protection level.\n");
673 data_prot = (enum protection_level)level;
677 enum protection_level
678 set_command_prot(enum protection_level level)
681 enum protection_level old = command_prot;
682 if(level != command_prot && level == prot_clear) {
683 ret = command("CCC");
684 if(ret != COMPLETE) {
685 printf("Failed to clear command channel.\n");
689 command_prot = level;
694 sec_prot(int argc, char **argv)
706 printf("No security data exchange has taken place.\n");
710 level = name_to_level(argv[argc - 1]);
715 if((*mech->check_prot)(app_data, level)) {
716 printf("%s does not implement %s protection.\n",
717 mech->name, level_to_name(level));
722 if(argc == 2 || strncasecmp(argv[1], "data", strlen(argv[1])) == 0) {
723 if(sec_prot_internal(level) < 0){
727 } else if(strncasecmp(argv[1], "command", strlen(argv[1])) == 0) {
728 if(set_command_prot(level) < 0) {
737 printf("usage: %s [command|data] [clear|safe|confidential|private]\n",
743 sec_prot_command(int argc, char **argv)
751 printf("No security data exchange has taken place.\n");
759 level = name_to_level(argv[1]);
763 if((*mech->check_prot)(app_data, level)) {
764 printf("%s does not implement %s protection.\n",
765 mech->name, level_to_name(level));
769 if(set_command_prot(level) < 0) {
777 printf("usage: %s [clear|safe|confidential|private]\n",
782 static enum protection_level request_data_prot;
785 sec_set_protection_level(void)
787 if(sec_complete && data_prot != request_data_prot)
788 sec_prot_internal(request_data_prot);
793 sec_request_prot(char *level)
795 int l = name_to_level(level);
798 request_data_prot = (enum protection_level)l;
803 sec_login(char *host)
806 struct sec_client_mech **m;
807 int old_verbose = verbose;
809 verbose = -1; /* shut up all messages this will produce (they
810 are usually not very user friendly) */
812 for(m = mechs; *m && (*m)->name; m++) {
815 tmp = realloc(app_data, (*m)->size);
817 warnx ("realloc %lu failed", (unsigned long)(*m)->size);
822 if((*m)->init && (*(*m)->init)(app_data) != 0) {
823 printf("Skipping %s...\n", (*m)->name);
826 printf("Trying %s...\n", (*m)->name);
827 ret = command("AUTH %s", (*m)->name);
830 printf("%s is not supported by the server.\n", (*m)->name);
831 }else if(code == 534){
832 printf("%s rejected as security mechanism.\n", (*m)->name);
833 }else if(ret == ERROR) {
834 printf("The server doesn't support the FTP "
835 "security extensions.\n");
836 verbose = old_verbose;
842 ret = (*(*m)->auth)(app_data, host);
844 if(ret == AUTH_CONTINUE)
846 else if(ret != AUTH_OK){
847 /* mechanism is supposed to output error string */
848 verbose = old_verbose;
854 command_prot = prot_private;
855 request_data_prot = prot_private;
857 command_prot = prot_safe;
862 verbose = old_verbose;
871 (*mech->end)(app_data);
872 if (app_data != NULL) {
873 memset(app_data, 0, mech->size);
879 data_prot = (enum protection_level)0;
882 #endif /* FTP_SERVER */