Posted to cvs@httpd.apache.org by wr...@apache.org on 2007/12/04 23:59:04 UTC
svn commit: r601135 - in /httpd/mod_ftp/trunk/modules/ftp: ftp_commands.c
ftp_connection.c
Author: wrowe
Date: Tue Dec 4 14:59:03 2007
New Revision: 601135
URL: http://svn.apache.org/viewvc?rev=601135&view=rev
Log:
A more intuitive solution than r570492; treat an Implicit SSL session
as FTP_AUTH_SSL (there's no such thing under rfc4217), allowing the
PROT/PBSZ semantics to work without extra tests.
If the user wants to hack this to strict rfc behavior, it's simpler
to just change this in ftp_commands (only tolerating "AUTH TLS" and
dropping any implicit ssl support).
Modified:
httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c
httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c
Modified: httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c
URL: http://svn.apache.org/viewvc/httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c?rev=601135&r1=601134&r2=601135&view=diff
==============================================================================
--- httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c (original)
+++ httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c Tue Dec 4 14:59:03 2007
@@ -273,10 +273,13 @@
}
/* RFC 2228 states these arguments are case insensitive.
- * draft-murray-auth-ftp-ssl-06.txt defines these 4 AUTH mechanisms.
+ * draft-murray-auth-ftp-ssl-06.txt defined these 4 AUTH mechanisms.
* TLS or TLS-C will encrypt the control connection, leaving the
* data channel clear. SSL or TLS-P will encrypt both the control
- * and data connections. */
+ * and data connections.
+ * As it evolved to publication, all but "TLS" were dropped from RFC4217,
+ * as RFC 2228 previously insisted that PROT defaults to 'C'lear text.
+ */
if ((strcasecmp(arg, "SSL") == 0) ||
(strcasecmp(arg, "TLS-P") == 0)) {
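Review bot: The rewritten comment says everything except "TLS" was dropped from RFC4217, yet the condition directly below it still accepts `SSL` and `TLS-P`, and nothing explains why. One more sentence would show the retention is deliberate, e.g. `* The draft's other three mechanisms are still accepted here for compatibility.` That reason is inferred from the commit log rather than stated in the hunk, so the wording should be confirmed. The `if` continues past the end of the hunk.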
@@ -1667,7 +1670,7 @@
* clients still send PBSZ even with Implicit SSL. So we
* allow this misbehavior...
*/
- if (fc->auth == FTP_AUTH_NONE && !fsc->implicit_ssl) {
+ if (fc->auth == FTP_AUTH_NONE) {
return FTP_REPLY_BAD_SEQUENCE;
}
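Review bot: The PBSZ guard `if (fc->auth == FTP_AUTH_NONE)` now lets implicit-SSL sessions through only because ftp_connection.c sets `fc->auth = FTP_AUTH_SSL` at connection setup, and nothing next to the test says so. The comment above it still reads as if the exception were made here. I would add `/* Implicit SSL sessions start with fc->auth == FTP_AUTH_SSL (see ftp_connection.c), so they pass. */` directly above the test. The same applies to the PROT guard in the @@ -1934 hunk. The function starts and ends outside this hunk.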
@@ -1934,8 +1937,12 @@
ftp_server_config *fsc = ftp_get_module_config(r->server->module_config);
ftp_connection *fc = ftp_get_module_config(r->request_config);
- /* Return 503 if the user has not done a PBSZ command yet */
- if (fc->auth == FTP_AUTH_NONE && !fsc->implicit_ssl) {
+ /* Return 503 if the user has not done a AUTH command yet.
+ * Although RFC2228 and RFC4217 are very explicit that PBSZ must
+ * preceed PROT, it's entirely worthless in the context of TLS,
+ * and not even worth enforcing.
+ */
+ if (fc->auth == FTP_AUTH_NONE) {
return FTP_REPLY_BAD_SEQUENCE;
}
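Review bot: `fsc` is still fetched on the first line of this hunk, but its only visible use, `!fsc->implicit_ssl`, is removed. If the rest of the function (outside the hunk) does not read it, the declaration should be dropped as well to avoid an unused-variable warning. The PBSZ handler in the @@ -1667 hunk loses the same use and deserves the same check. In the new comment, `a AUTH` should read `an AUTH` and `preceed` should read `precede`.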
@@ -1954,13 +1961,12 @@
"Using private data channel");
fc->prot = FTP_PROT_PRIVATE;
return FTP_REPLY_COMMAND_OK;
- default:
- /* We don't understand */
- fc->response_notes = apr_pstrdup(r->pool, "PROT argument not "
- "understood.");
- return FTP_REPLY_COMMAND_NOT_IMPL_PARAM;
}
- /* NOT REACHED */
+
+ /* We don't understand */
+ fc->response_notes = apr_pstrdup(r->pool, "PROT argument not "
+ "understood.");
+ return FTP_REPLY_COMMAND_NOT_IMPL_PARAM;
}
static int ftp_cmd_pwd(request_rec *r, const char *arg)
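Review bot: With the `default:` label removed, the "PROT argument not understood" reply is reached only by falling out of the switch, which leaves the switch with no stated catch-all. Keeping `default: break;` before the closing brace makes the fall-out explicit and keeps builds that warn on a missing default quiet, without changing behaviour. The switch and the function both start outside the hunk.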
Modified: httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c
URL: http://svn.apache.org/viewvc/httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c?rev=601135&r1=601134&r2=601135&view=diff
==============================================================================
--- httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c (original)
+++ httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c Tue Dec 4 14:59:03 2007
@@ -195,17 +195,17 @@
return OK;
}
- /**
- * From draft-murray-auth-ftp-ssl-06.txt:
- *
+ /* From draft-murray-auth-ftp-ssl-06.txt:
* For implicit SSL the data connection should be implicitly
* protected (i.e. the PBSZ 0, PROT P command sequence is not
* required but the client and server will protect the data channel
* as if it had).
*
- * Support for Implicit SSL has been declared deprecated as of
- * April 5, 2001 in draft-murray-auth-ftp-ssl-07.txt.
+ * Support for Implicit SSL was declared deprecated as of
+ * draft-murray-auth-ftp-ssl-07.txt, and is not documented
+ * whatsoever within RFC4217.
*/
+ fc->auth = FTP_AUTH_SSL;
fc->prot = FTP_PROT_PRIVATE;
fc->is_secure = 1;
}
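Review bot: Setting `fc->auth = FTP_AUTH_SSL` here moves the implicit-SSL exemption from immutable server config (`fsc->implicit_ssl`) to mutable per-connection state. If any handler resets `fc->auth` to FTP_AUTH_NONE on a live connection (none is visible in this diff), a later PBSZ or PROT on an implicit-SSL session would return FTP_REPLY_BAD_SEQUENCE even though TLS is still up. Code that reads FTP_AUTH_SSL as "the client sent AUTH SSL" will also now see it on sessions that never sent AUTH. It is worth checking every writer and reader of `fc->auth`, and adding `/* No AUTH exchange on implicit SSL; mark as FTP_AUTH_SSL so the PBSZ/PROT checks in ftp_commands.c accept the session. */` above the assignment. The enclosing block starts outside the hunk.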