Posted to cvs@httpd.apache.org by wr...@apache.org on 2007/12/04 23:59:04 UTC

svn commit: r601135 - in /httpd/mod_ftp/trunk/modules/ftp: ftp_commands.c ftp_connection.c

Author: wrowe
Date: Tue Dec  4 14:59:03 2007
New Revision: 601135

URL: http://svn.apache.org/viewvc?rev=601135&view=rev
Log:
A more intuitive solution than r570492; treat an Implicit SSL session
as FTP_AUTH_SSL (there's no such thing under rfc4217), allowing the
PROT/PBSZ semantics to work without extra tests.

If the user wants to hack this to strict rfc behavior, it's simpler
to just change this in ftp_commands (only tolerating "AUTH TLS" and
dropping any implicit ssl support).

Modified:
    httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c
    httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c

Modified: httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c
URL: http://svn.apache.org/viewvc/httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c?rev=601135&r1=601134&r2=601135&view=diff
==============================================================================
--- httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c (original)
+++ httpd/mod_ftp/trunk/modules/ftp/ftp_commands.c Tue Dec  4 14:59:03 2007
@@ -273,10 +273,13 @@
     }
 
     /* RFC 2228 states these arguments are case insensitive.
-     * draft-murray-auth-ftp-ssl-06.txt defines these 4 AUTH mechanisms.
+     * draft-murray-auth-ftp-ssl-06.txt defined these 4 AUTH mechanisms.
      * TLS or TLS-C  will encrypt the control connection, leaving the
      * data channel clear.  SSL or TLS-P will encrypt both the control
-     * and data connections. */
+     * and data connections.
+     * As it evolved to publication, all but "TLS" were dropped from RFC4217,
+     * as RFC 2228 previously insisted that PROT defaults to 'C'lear text.
+     */
     if ((strcasecmp(arg, "SSL") == 0) || 
         (strcasecmp(arg, "TLS-P") == 0)) {
 
@@ -1667,7 +1670,7 @@
      * clients still send PBSZ even with Implicit SSL. So we
      * allow this misbehavior...
      */
-    if (fc->auth == FTP_AUTH_NONE && !fsc->implicit_ssl) {
+    if (fc->auth == FTP_AUTH_NONE) {
         return FTP_REPLY_BAD_SEQUENCE;
     }
 
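Review bot: The context comment above this check still says PBSZ under Implicit SSL is a tolerated misbehavior, but the condition no longer mentions implicit SSL, so a reader cannot see from here why such a session passes. The allowance now comes from the connection setup in ftp_connection.c presetting `fc->auth = FTP_AUTH_SSL`; I would extend the comment with `* Implicit SSL sessions reach here with fc->auth preset to FTP_AUTH_SSL.`. The same applies to the PROT check in the `@@ -1934,8 +1937,12 @@` hunk, whose new comment says "has not done a AUTH command yet" although an implicit session never sends AUTH. In that hunk `fsc` may also be left unused if nothing later in the function reads it, which is not visible here. Both functions start and end outside these hunks.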
@@ -1934,8 +1937,12 @@
     ftp_server_config *fsc = ftp_get_module_config(r->server->module_config);
     ftp_connection *fc = ftp_get_module_config(r->request_config);
 
-    /* Return 503 if the user has not done a PBSZ command yet */
-    if (fc->auth == FTP_AUTH_NONE && !fsc->implicit_ssl) {
+    /* Return 503 if the user has not done a AUTH command yet.
+     * Although RFC2228 and RFC4217 are very explicit that PBSZ must
+     * preceed PROT, it's entirely worthless in the context of TLS,
+     * and not even worth enforcing.
+     */
+    if (fc->auth == FTP_AUTH_NONE) {
         return FTP_REPLY_BAD_SEQUENCE;
     }
 
@@ -1954,13 +1961,12 @@
                                          "Using private data channel");
         fc->prot = FTP_PROT_PRIVATE;
         return FTP_REPLY_COMMAND_OK;
-    default:
-        /* We don't understand */
-        fc->response_notes = apr_pstrdup(r->pool, "PROT argument not "
-                                         "understood.");
-        return FTP_REPLY_COMMAND_NOT_IMPL_PARAM;
     }
-    /* NOT REACHED */
+
+    /* We don't understand */
+    fc->response_notes = apr_pstrdup(r->pool, "PROT argument not "
+                                     "understood.");
+    return FTP_REPLY_COMMAND_NOT_IMPL_PARAM;
 }
 
 static int ftp_cmd_pwd(request_rec *r, const char *arg)

Modified: httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c
URL: http://svn.apache.org/viewvc/httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c?rev=601135&r1=601134&r2=601135&view=diff
==============================================================================
--- httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c (original)
+++ httpd/mod_ftp/trunk/modules/ftp/ftp_connection.c Tue Dec  4 14:59:03 2007
@@ -195,17 +195,17 @@
             return OK;
         }
 
-        /** 
-         * From draft-murray-auth-ftp-ssl-06.txt:
-         *
+        /* From draft-murray-auth-ftp-ssl-06.txt:
          * For implicit SSL the data connection should be implicitly
          * protected (i.e. the PBSZ 0, PROT P command sequence is not 
          * required but the client and server will protect the data channel 
          * as if it had).
          *
-         * Support for Implicit SSL has been declared deprecated as of
-         * April 5, 2001 in draft-murray-auth-ftp-ssl-07.txt.
+         * Support for Implicit SSL was declared deprecated as of
+         * draft-murray-auth-ftp-ssl-07.txt, and is not documented 
+         * whatsoever within RFC4217.
          */
+        fc->auth = FTP_AUTH_SSL;
         fc->prot = FTP_PROT_PRIVATE;
         fc->is_secure = 1;
     }
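Review bot: This assignment is now the only thing that lets PBSZ and PROT succeed on an implicit-SSL listener, since both sequence checks in ftp_commands.c dropped their `!fsc->implicit_ssl` test in this commit. Any code that sets `fc->auth` back to FTP_AUTH_NONE during a session (a reinitialise path, for instance; none is visible here) would leave an implicit-SSL connection answering 503 to PROT. Any code that branches on `fc->auth` will also now treat these sessions as if AUTH SSL had been negotiated. I would record the dependency next to the assignment, e.g. `/* Implicit SSL is modelled as AUTH SSL so the PBSZ/PROT sequence checks pass */`, and check the other readers and writers of `fc->auth`. The enclosing block starts above the hunk.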