- Linus Nielsen Feltzing introduced the --ftp-ssl-ccc command line option to
curl that uses the new CURLOPT_FTP_SSL_CCC option in libcurl. If enabled, it will make libcurl shutdown SSL/TLS after the authentication is done on a FTP-SSL operation.
This commit is contained in:
		
							
								
								
									
										6
									
								
								CHANGES
									
									
									
									
									
								
							
							
						
						
									
										6
									
								
								CHANGES
									
									
									
									
									
								
							| @@ -6,6 +6,12 @@ | |||||||
|  |  | ||||||
|                                   Changelog |                                   Changelog | ||||||
|  |  | ||||||
|  | Daniel (5 January 2007) | ||||||
|  | - Linus Nielsen Feltzing introduced the --ftp-ssl-ccc command line option to | ||||||
|  |   curl that uses the new CURLOPT_FTP_SSL_CCC option in libcurl. If enabled, it | ||||||
|  |   will make libcurl shutdown SSL/TLS after the authentication is done on a | ||||||
|  |   FTP-SSL operation. | ||||||
|  |  | ||||||
| Daniel (4 January 2007) | Daniel (4 January 2007) | ||||||
| - David McCreedy made changes to allow base64 encoding/decoding to work on | - David McCreedy made changes to allow base64 encoding/decoding to work on | ||||||
|   non-ASCII platforms. |   non-ASCII platforms. | ||||||
|   | |||||||
| @@ -5,7 +5,7 @@ Curl and libcurl 7.16.1 | |||||||
|  Available command line options:           112 |  Available command line options:           112 | ||||||
|  Available curl_easy_setopt() options:     133 |  Available curl_easy_setopt() options:     133 | ||||||
|  Number of public functions in libcurl:    54 |  Number of public functions in libcurl:    54 | ||||||
|  Amount of public web site mirrors:        39 |  Amount of public web site mirrors:        38 | ||||||
|  Number of known libcurl bindings:         35 |  Number of known libcurl bindings:         35 | ||||||
|  Number of contributors:                   524 |  Number of contributors:                   524 | ||||||
|  |  | ||||||
| @@ -13,6 +13,7 @@ This release includes the following changes: | |||||||
|   |   | ||||||
|  o Support for SCP and SFTP were added |  o Support for SCP and SFTP were added | ||||||
|  o CURLOPT_CLOSEPOLICY is now deprecated |  o CURLOPT_CLOSEPOLICY is now deprecated | ||||||
|  |  o --ftp-ssl-ccc and CURLOPT_FTP_SSL_CCC were added | ||||||
|  |  | ||||||
| This release includes the following bugfixes: | This release includes the following bugfixes: | ||||||
|  |  | ||||||
| @@ -67,6 +68,6 @@ advice from friends like these: | |||||||
|  Matt Witherspoon, Alexey Simak, Martin Skinner, Sh Diao, Jared Lundell, |  Matt Witherspoon, Alexey Simak, Martin Skinner, Sh Diao, Jared Lundell, | ||||||
|  Stefan Krause, Sebastien Willemijns, Alexey Simak, Brendan Jurd, |  Stefan Krause, Sebastien Willemijns, Alexey Simak, Brendan Jurd, | ||||||
|  Robson Braga Araujo, David McCreedy, Robert Foreman, Nathanael Nerode, |  Robson Braga Araujo, David McCreedy, Robert Foreman, Nathanael Nerode, | ||||||
|  Victor Snezhko |  Victor Snezhko, Linus Nielsen Feltzing | ||||||
|  |  | ||||||
|         Thanks! (and sorry if I forgot to mention someone) |         Thanks! (and sorry if I forgot to mention someone) | ||||||
|   | |||||||
							
								
								
									
										10
									
								
								docs/curl.1
									
									
									
									
									
								
							
							
						
						
									
										10
									
								
								docs/curl.1
									
									
									
									
									
								
							| @@ -5,7 +5,7 @@ | |||||||
| .\" *                            | (__| |_| |  _ <| |___ | .\" *                            | (__| |_| |  _ <| |___ | ||||||
| .\" *                             \___|\___/|_| \_\_____| | .\" *                             \___|\___/|_| \_\_____| | ||||||
| .\" * | .\" * | ||||||
| .\" * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. | .\" * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
| .\" * | .\" * | ||||||
| .\" * This software is licensed as described in the file COPYING, which | .\" * This software is licensed as described in the file COPYING, which | ||||||
| .\" * you should have received as part of this distribution. The terms | .\" * you should have received as part of this distribution. The terms | ||||||
| @@ -432,6 +432,14 @@ If this option is used twice, the second will again disable this. | |||||||
| Terminates the connection if the server doesn't support SSL/TLS. | Terminates the connection if the server doesn't support SSL/TLS. | ||||||
| (Added in 7.15.5) | (Added in 7.15.5) | ||||||
|  |  | ||||||
|  | If this option is used twice, the second will again disable this. | ||||||
|  | .IP "--ftp-ssl-ccc" | ||||||
|  | (FTP) Use CCC (Clear Command Channel) | ||||||
|  | Shuts down the SSL/TLS layer after authenticating. The rest of the | ||||||
|  | control channel communication will be unencrypted. This allows | ||||||
|  | NAT routers to follow the FTP transaction. | ||||||
|  | (Added in 7.16.1) | ||||||
|  |  | ||||||
| If this option is used twice, the second will again disable this. | If this option is used twice, the second will again disable this. | ||||||
| .IP "-F/--form <name=content>" | .IP "-F/--form <name=content>" | ||||||
| (HTTP) This lets curl emulate a filled in form in which a user has pressed the | (HTTP) This lets curl emulate a filled in form in which a user has pressed the | ||||||
|   | |||||||
| @@ -5,7 +5,7 @@ | |||||||
| .\" *                            | (__| |_| |  _ <| |___ | .\" *                            | (__| |_| |  _ <| |___ | ||||||
| .\" *                             \___|\___/|_| \_\_____| | .\" *                             \___|\___/|_| \_\_____| | ||||||
| .\" * | .\" * | ||||||
| .\" * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. | .\" * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
| .\" * | .\" * | ||||||
| .\" * This software is licensed as described in the file COPYING, which | .\" * This software is licensed as described in the file COPYING, which | ||||||
| .\" * you should have received as part of this distribution. The terms | .\" * you should have received as part of this distribution. The terms | ||||||
| @@ -925,6 +925,12 @@ Try "AUTH SSL" first, and only if that fails try "AUTH TLS" | |||||||
| .IP CURLFTPAUTH_TLS | .IP CURLFTPAUTH_TLS | ||||||
| Try "AUTH TLS" first, and only if that fails try "AUTH SSL" | Try "AUTH TLS" first, and only if that fails try "AUTH SSL" | ||||||
| .RE | .RE | ||||||
|  | .IP CURLOPT_FTP_SSL_CCC | ||||||
|  | Pass a long that is set to 0 to disable and 1 to enable. If enabled, this | ||||||
|  | option makes libcurl use CCC (Clear Command Channel). It shuts down the | ||||||
|  | SSL/TLS layer after authenticating. The rest of the control channel | ||||||
|  | communication will be unencrypted. This allows NAT routers to follow the FTP | ||||||
|  | transaction.  (Added in 7.16.1) | ||||||
| .IP CURLOPT_FTP_ACCOUNT | .IP CURLOPT_FTP_ACCOUNT | ||||||
| Pass a pointer to a zero-terminated string (or NULL to disable). When an FTP | Pass a pointer to a zero-terminated string (or NULL to disable). When an FTP | ||||||
| server asks for "account data" after user name and password has been provided, | server asks for "account data" after user name and password has been provided, | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -397,6 +397,8 @@ typedef enum { | |||||||
|                                     generic so the error message will be of |                                     generic so the error message will be of | ||||||
|                                     interest when this has happened */ |                                     interest when this has happened */ | ||||||
|  |  | ||||||
|  |   CURLE_FTP_SSL_CCC_FAILED,      /* 80 - Failed to clear the FTP command | ||||||
|  |                                     channel */ | ||||||
|   CURL_LAST /* never use! */ |   CURL_LAST /* never use! */ | ||||||
| } CURLcode; | } CURLcode; | ||||||
|  |  | ||||||
| @@ -1049,6 +1051,9 @@ typedef enum { | |||||||
|   CINIT(SSH_PUBLIC_KEYFILE, OBJECTPOINT, 152), |   CINIT(SSH_PUBLIC_KEYFILE, OBJECTPOINT, 152), | ||||||
|   CINIT(SSH_PRIVATE_KEYFILE, OBJECTPOINT, 153), |   CINIT(SSH_PRIVATE_KEYFILE, OBJECTPOINT, 153), | ||||||
|  |  | ||||||
|  |   /* Send CCC (Clear Command Channel) after authentication */ | ||||||
|  |   CINIT(FTP_SSL_CCC, LONG, 154), | ||||||
|  |  | ||||||
|   CURLOPT_LASTENTRY /* the last unused */ |   CURLOPT_LASTENTRY /* the last unused */ | ||||||
| } CURLoption; | } CURLoption; | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										24
									
								
								lib/ftp.c
									
									
									
									
									
								
							
							
						
						
									
										24
									
								
								lib/ftp.c
									
									
									
									
									
								
							| @@ -5,7 +5,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -666,6 +666,7 @@ static void state(struct connectdata *conn, | |||||||
|     "ACCT", |     "ACCT", | ||||||
|     "PBSZ", |     "PBSZ", | ||||||
|     "PROT", |     "PROT", | ||||||
|  |     "CCC", | ||||||
|     "PWD", |     "PWD", | ||||||
|     "QUOTE", |     "QUOTE", | ||||||
|     "RETR_PREQUOTE", |     "RETR_PREQUOTE", | ||||||
| @@ -2545,6 +2546,27 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) | |||||||
|         /* we failed and bails out */ |         /* we failed and bails out */ | ||||||
|         return CURLE_FTP_SSL_FAILED; |         return CURLE_FTP_SSL_FAILED; | ||||||
|  |  | ||||||
|  |       if(data->set.ftp_use_ccc) { | ||||||
|  |         /* CCC - Clear Command Channel | ||||||
|  |          */ | ||||||
|  |         NBFTPSENDF(conn, "CCC", NULL); | ||||||
|  |         state(conn, FTP_CCC); | ||||||
|  |       } | ||||||
|  |       else { | ||||||
|  |         result = ftp_state_pwd(conn); | ||||||
|  |         if(result) | ||||||
|  |           return result; | ||||||
|  |       } | ||||||
|  |       break; | ||||||
|  |  | ||||||
|  |     case FTP_CCC: | ||||||
|  |       /* First shut down the SSL layer (note: this call will block) */ | ||||||
|  |       result = Curl_ssl_shutdown(conn, FIRSTSOCKET); | ||||||
|  |  | ||||||
|  |       if(result) | ||||||
|  |         return CURLE_FTP_SSL_CCC_FAILED; | ||||||
|  |  | ||||||
|  |       /* Then continue as normal */ | ||||||
|       result = ftp_state_pwd(conn); |       result = ftp_state_pwd(conn); | ||||||
|       if(result) |       if(result) | ||||||
|         return result; |         return result; | ||||||
|   | |||||||
							
								
								
									
										68
									
								
								lib/gtls.c
									
									
									
									
									
								
							
							
						
						
									
										68
									
								
								lib/gtls.c
									
									
									
									
									
								
							| @@ -5,7 +5,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -516,6 +516,72 @@ void Curl_gtls_close(struct connectdata *conn) | |||||||
|     close_one(conn, 1); |     close_one(conn, 1); | ||||||
| } | } | ||||||
|  |  | ||||||
|  | /* | ||||||
|  |  * This function is called to shut down the SSL layer but keep the | ||||||
|  |  * socket open (CCC - Clear Command Channel) | ||||||
|  |  */ | ||||||
|  | int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) | ||||||
|  | { | ||||||
|  |   int result; | ||||||
|  |   int retval = 0; | ||||||
|  |   struct SessionHandle *data = conn->data; | ||||||
|  |   int done = 0; | ||||||
|  |   ssize_t nread; | ||||||
|  |   char buf[120]; | ||||||
|  |  | ||||||
|  |   /* This has only been tested on the proftpd server, and the mod_tls code | ||||||
|  |      sends a close notify alert without waiting for a close notify alert in | ||||||
|  |      response. Thus we wait for a close notify alert from the server, but | ||||||
|  |      we do not send one. Let's hope other servers do the same... */ | ||||||
|  |  | ||||||
|  |   if(conn->ssl[sockindex].session) { | ||||||
|  |     while(!done) { | ||||||
|  |       int what = Curl_select(conn->sock[sockindex], | ||||||
|  |                              CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT); | ||||||
|  |       if(what > 0) { | ||||||
|  |         /* Something to read, let's do it and hope that it is the close | ||||||
|  |            notify alert from the server */ | ||||||
|  |         result = gnutls_record_recv(conn->ssl[sockindex].session, | ||||||
|  |                                     buf, sizeof(buf)); | ||||||
|  |         switch(result) { | ||||||
|  |         case 0: | ||||||
|  |           /* This is the expected response. There was no data but only | ||||||
|  |              the close notify alert */ | ||||||
|  |           done = 1; | ||||||
|  |           break; | ||||||
|  |         case GNUTLS_E_AGAIN: | ||||||
|  |         case GNUTLS_E_INTERRUPTED: | ||||||
|  |           infof(data, "GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED\n"); | ||||||
|  |           break; | ||||||
|  |         default: | ||||||
|  |           retval = -1; | ||||||
|  |           done = 1; | ||||||
|  |           break; | ||||||
|  |         } | ||||||
|  |       } | ||||||
|  |       else if(0 == what) { | ||||||
|  |         /* timeout */ | ||||||
|  |         failf(data, "SSL shutdown timeout"); | ||||||
|  |         done = 1; | ||||||
|  |         break; | ||||||
|  |       } | ||||||
|  |       else { | ||||||
|  |         /* anything that gets here is fatally bad */ | ||||||
|  |         failf(data, "select on SSL socket, errno: %d", Curl_sockerrno()); | ||||||
|  |         retval = -1; | ||||||
|  |         done = 1; | ||||||
|  |       } | ||||||
|  |     } | ||||||
|  |     gnutls_deinit(conn->ssl[sockindex].session); | ||||||
|  |   } | ||||||
|  |   gnutls_certificate_free_credentials(conn->ssl[sockindex].cred); | ||||||
|  |  | ||||||
|  |   conn->ssl[sockindex].session = NULL; | ||||||
|  |   conn->ssl[sockindex].use = FALSE; | ||||||
|  |  | ||||||
|  |   return retval; | ||||||
|  | } | ||||||
|  |  | ||||||
| /* | /* | ||||||
|  * If the read would block we return -1 and set 'wouldblock' to TRUE. |  * If the read would block we return -1 and set 'wouldblock' to TRUE. | ||||||
|  * Otherwise we return the amount of data read. Other errors should return -1 |  * Otherwise we return the amount of data read. Other errors should return -1 | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -41,5 +41,6 @@ ssize_t Curl_gtls_recv(struct connectdata *conn, /* connection data */ | |||||||
|                        bool *wouldblock); |                        bool *wouldblock); | ||||||
| void Curl_gtls_session_free(void *ptr); | void Curl_gtls_session_free(void *ptr); | ||||||
| size_t Curl_gtls_version(char *buffer, size_t size); | size_t Curl_gtls_version(char *buffer, size_t size); | ||||||
|  | int Curl_gtls_shutdown(struct connectdata *conn, int sockindex); | ||||||
|  |  | ||||||
| #endif | #endif | ||||||
|   | |||||||
							
								
								
									
										14
									
								
								lib/sslgen.c
									
									
									
									
									
								
							
							
						
						
									
										14
									
								
								lib/sslgen.c
									
									
									
									
									
								
							| @@ -5,7 +5,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -397,6 +397,18 @@ void Curl_ssl_close(struct connectdata *conn) | |||||||
|   } |   } | ||||||
| } | } | ||||||
|  |  | ||||||
|  | CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) | ||||||
|  | { | ||||||
|  |   if(conn->ssl[sockindex].use) { | ||||||
|  | #ifdef USE_GNUTLS | ||||||
|  |     return Curl_gtls_shutdown(conn, sockindex); | ||||||
|  | #else | ||||||
|  |     return Curl_ossl_shutdown(conn, sockindex); | ||||||
|  | #endif | ||||||
|  |   } | ||||||
|  |   return CURLE_OK; | ||||||
|  | } | ||||||
|  |  | ||||||
| /* Selects an (Open)SSL crypto engine | /* Selects an (Open)SSL crypto engine | ||||||
|  */ |  */ | ||||||
| CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) | CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -69,9 +69,13 @@ size_t Curl_ssl_version(char *buffer, size_t size); | |||||||
|  |  | ||||||
| int Curl_ssl_check_cxn(struct connectdata *conn); | int Curl_ssl_check_cxn(struct connectdata *conn); | ||||||
|  |  | ||||||
|  | CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex); | ||||||
|  |  | ||||||
| #if !defined(USE_SSL) && !defined(SSLGEN_C) | #if !defined(USE_SSL) && !defined(SSLGEN_C) | ||||||
| /* set up blank macros for none-SSL builds */ | /* set up blank macros for none-SSL builds */ | ||||||
| #define Curl_ssl_close_all(x) | #define Curl_ssl_close_all(x) | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
|  | #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ | ||||||
|  |  | ||||||
| #endif | #endif | ||||||
|   | |||||||
							
								
								
									
										100
									
								
								lib/ssluse.c
									
									
									
									
									
								
							
							
						
						
									
										100
									
								
								lib/ssluse.c
									
									
									
									
									
								
							| @@ -5,7 +5,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -728,6 +728,102 @@ void Curl_ossl_close(struct connectdata *conn) | |||||||
|   } |   } | ||||||
| } | } | ||||||
|  |  | ||||||
|  | /* | ||||||
|  |  * This function is called to shut down the SSL layer but keep the | ||||||
|  |  * socket open (CCC - Clear Command Channel) | ||||||
|  |  */ | ||||||
|  | int Curl_ossl_shutdown(struct connectdata *conn, int sockindex) | ||||||
|  | { | ||||||
|  |   int result; | ||||||
|  |   int retval = 0; | ||||||
|  |   struct ssl_connect_data *connssl = &conn->ssl[sockindex]; | ||||||
|  |   struct SessionHandle *data = conn->data; | ||||||
|  |   char buf[120]; /* We will use this for the OpenSSL error buffer, so it has | ||||||
|  |                     to be at least 120 bytes long. */ | ||||||
|  |   unsigned long sslerror; | ||||||
|  |   ssize_t nread; | ||||||
|  |   int err; | ||||||
|  |   int done = 0; | ||||||
|  |  | ||||||
|  |   /* This has only been tested on the proftpd server, and the mod_tls code | ||||||
|  |      sends a close notify alert without waiting for a close notify alert in | ||||||
|  |      response. Thus we wait for a close notify alert from the server, but | ||||||
|  |      we do not send one. Let's hope other servers do the same... */ | ||||||
|  |  | ||||||
|  |   if(connssl->handle) { | ||||||
|  |     while(!done) { | ||||||
|  |       int what = Curl_select(conn->sock[sockindex], | ||||||
|  |                              CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT); | ||||||
|  |       if(what > 0) { | ||||||
|  |         /* Something to read, let's do it and hope that it is the close | ||||||
|  |            notify alert from the server */ | ||||||
|  |         nread = (ssize_t)SSL_read(conn->ssl[sockindex].handle, buf, | ||||||
|  |                                   sizeof(buf)); | ||||||
|  |         err = SSL_get_error(conn->ssl[sockindex].handle, (int)nread); | ||||||
|  |  | ||||||
|  |         switch(err) { | ||||||
|  |         case SSL_ERROR_NONE: /* this is not an error */ | ||||||
|  |         case SSL_ERROR_ZERO_RETURN: /* no more data */ | ||||||
|  |           /* This is the expected response. There was no data but only | ||||||
|  |              the close notify alert */ | ||||||
|  |           done = 1; | ||||||
|  |           break; | ||||||
|  |         case SSL_ERROR_WANT_READ: | ||||||
|  |           /* there's data pending, re-invoke SSL_read() */ | ||||||
|  |           infof(data, "SSL_ERROR_WANT_READ\n"); | ||||||
|  |           break; | ||||||
|  |         case SSL_ERROR_WANT_WRITE: | ||||||
|  |           /* SSL wants a write. Really odd. Let's bail out. */ | ||||||
|  |           infof(data, "SSL_ERROR_WANT_WRITE\n"); | ||||||
|  |           done = 1; | ||||||
|  |           break; | ||||||
|  |         default: | ||||||
|  |           /* openssl/ssl.h says "look at error stack/return value/errno" */ | ||||||
|  |           sslerror = ERR_get_error(); | ||||||
|  |           failf(conn->data, "SSL read: %s, errno %d", | ||||||
|  |                 ERR_error_string(sslerror, buf), | ||||||
|  |                 Curl_sockerrno() ); | ||||||
|  |           done = 1; | ||||||
|  |           break; | ||||||
|  |         } | ||||||
|  |       } | ||||||
|  |       else if(0 == what) { | ||||||
|  |         /* timeout */ | ||||||
|  |         failf(data, "SSL shutdown timeout"); | ||||||
|  |         done = 1; | ||||||
|  |         break; | ||||||
|  |       } | ||||||
|  |       else { | ||||||
|  |         /* anything that gets here is fatally bad */ | ||||||
|  |         failf(data, "select on SSL socket, errno: %d", Curl_sockerrno()); | ||||||
|  |         retval = -1; | ||||||
|  |         done = 1; | ||||||
|  |       } | ||||||
|  |     } /* while()-loop for the select() */ | ||||||
|  |  | ||||||
|  |     if(data->set.verbose) { | ||||||
|  |       switch(SSL_get_shutdown(connssl->handle)) { | ||||||
|  |       case SSL_SENT_SHUTDOWN: | ||||||
|  |         infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n"); | ||||||
|  |         break; | ||||||
|  |       case SSL_RECEIVED_SHUTDOWN: | ||||||
|  |         infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n"); | ||||||
|  |         break; | ||||||
|  |       case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN: | ||||||
|  |         infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|" | ||||||
|  |               "SSL_RECEIVED__SHUTDOWN\n"); | ||||||
|  |         break; | ||||||
|  |       } | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     connssl->use = FALSE; /* get back to ordinary socket usage */ | ||||||
|  |  | ||||||
|  |     SSL_free (connssl->handle); | ||||||
|  |     connssl->handle = NULL; | ||||||
|  |   } | ||||||
|  |   return retval; | ||||||
|  | } | ||||||
|  |  | ||||||
| void Curl_ossl_session_free(void *ptr) | void Curl_ossl_session_free(void *ptr) | ||||||
| { | { | ||||||
|   /* free the ID */ |   /* free the ID */ | ||||||
| @@ -1629,7 +1725,7 @@ Curl_ossl_connect_common(struct connectdata *conn, | |||||||
|       while(1) { |       while(1) { | ||||||
|         int what = Curl_select(readfd, writefd, nonblocking?0:(int)timeout_ms); |         int what = Curl_select(readfd, writefd, nonblocking?0:(int)timeout_ms); | ||||||
|         if(what > 0) |         if(what > 0) | ||||||
|           /* reabable or writable, go loop in the outer loop */ |           /* readable or writable, go loop in the outer loop */ | ||||||
|           break; |           break; | ||||||
|         else if(0 == what) { |         else if(0 == what) { | ||||||
|           if (nonblocking) { |           if (nonblocking) { | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -29,8 +29,8 @@ | |||||||
|  |  | ||||||
| #include "urldata.h" | #include "urldata.h" | ||||||
| CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex); | CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex); | ||||||
| CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,  | CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn, | ||||||
|                                        int sockindex,  |                                        int sockindex, | ||||||
|                                        bool *done); |                                        bool *done); | ||||||
| void Curl_ossl_close(struct connectdata *conn); /* close a SSL connection */ | void Curl_ossl_close(struct connectdata *conn); /* close a SSL connection */ | ||||||
| /* tell OpenSSL to close down all open information regarding connections (and | /* tell OpenSSL to close down all open information regarding connections (and | ||||||
| @@ -66,4 +66,6 @@ size_t Curl_ossl_version(char *buffer, size_t size); | |||||||
| int Curl_ossl_check_cxn(struct connectdata *cxn); | int Curl_ossl_check_cxn(struct connectdata *cxn); | ||||||
| int Curl_ossl_seed(struct SessionHandle *data); | int Curl_ossl_seed(struct SessionHandle *data); | ||||||
|  |  | ||||||
|  | int Curl_ossl_shutdown(struct connectdata *conn, int sockindex); | ||||||
|  |  | ||||||
| #endif | #endif | ||||||
|   | |||||||
| @@ -5,7 +5,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 2004 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 2004 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -244,6 +244,9 @@ curl_easy_strerror(CURLcode error) | |||||||
|   case CURLE_FTP_SSL_FAILED: |   case CURLE_FTP_SSL_FAILED: | ||||||
|     return "Requested FTP SSL level failed"; |     return "Requested FTP SSL level failed"; | ||||||
|  |  | ||||||
|  |   case CURLE_FTP_SSL_CCC_FAILED: | ||||||
|  |     return "Failed to clear the FTP command channel"; | ||||||
|  |  | ||||||
|   case CURLE_SEND_FAIL_REWIND: |   case CURLE_SEND_FAIL_REWIND: | ||||||
|     return "Send failed since rewinding of the data stream failed"; |     return "Send failed since rewinding of the data stream failed"; | ||||||
|  |  | ||||||
|   | |||||||
| @@ -5,7 +5,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -1140,6 +1140,10 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, | |||||||
|     data->set.ftp_use_epsv = (bool)(0 != va_arg(param, long)); |     data->set.ftp_use_epsv = (bool)(0 != va_arg(param, long)); | ||||||
|     break; |     break; | ||||||
|  |  | ||||||
|  |   case CURLOPT_FTP_SSL_CCC: | ||||||
|  |     data->set.ftp_use_ccc = (bool)(0 != va_arg(param, long)); | ||||||
|  |     break; | ||||||
|  |  | ||||||
|   case CURLOPT_FTP_SKIP_PASV_IP: |   case CURLOPT_FTP_SKIP_PASV_IP: | ||||||
|     /* |     /* | ||||||
|      * Enable or disable FTP_SKIP_PASV_IP, which will disable/enable the |      * Enable or disable FTP_SKIP_PASV_IP, which will disable/enable the | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -302,7 +302,7 @@ struct HTTP { | |||||||
|  ***************************************************************************/ |  ***************************************************************************/ | ||||||
| typedef enum { | typedef enum { | ||||||
|   FTP_STOP,    /* do nothing state, stops the state machine */ |   FTP_STOP,    /* do nothing state, stops the state machine */ | ||||||
|   FTP_WAIT220, /* waiting for the inintial 220 response immediately after |   FTP_WAIT220, /* waiting for the initial 220 response immediately after | ||||||
|                   a connect */ |                   a connect */ | ||||||
|   FTP_AUTH, |   FTP_AUTH, | ||||||
|   FTP_USER, |   FTP_USER, | ||||||
| @@ -310,6 +310,7 @@ typedef enum { | |||||||
|   FTP_ACCT, |   FTP_ACCT, | ||||||
|   FTP_PBSZ, |   FTP_PBSZ, | ||||||
|   FTP_PROT, |   FTP_PROT, | ||||||
|  |   FTP_CCC, | ||||||
|   FTP_PWD, |   FTP_PWD, | ||||||
|   FTP_QUOTE, /* waiting for a response to a command sent in a quote list */ |   FTP_QUOTE, /* waiting for a response to a command sent in a quote list */ | ||||||
|   FTP_RETR_PREQUOTE, |   FTP_RETR_PREQUOTE, | ||||||
| @@ -1273,6 +1274,8 @@ struct UserDefined { | |||||||
|   bool reuse_fresh;      /* do not re-use an existing connection  */ |   bool reuse_fresh;      /* do not re-use an existing connection  */ | ||||||
|   bool ftp_use_epsv;     /* if EPSV is to be attempted or not */ |   bool ftp_use_epsv;     /* if EPSV is to be attempted or not */ | ||||||
|   bool ftp_use_eprt;     /* if EPRT is to be attempted or not */ |   bool ftp_use_eprt;     /* if EPRT is to be attempted or not */ | ||||||
|  |   bool ftp_use_ccc;      /* if CCC is to be attempted or not */ | ||||||
|  |  | ||||||
|   curl_ftpssl ftp_ssl;   /* if AUTH TLS is to be attempted etc */ |   curl_ftpssl ftp_ssl;   /* if AUTH TLS is to be attempted etc */ | ||||||
|   curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */ |   curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */ | ||||||
|   bool no_signal;        /* do not use any signal/alarm handler */ |   bool no_signal;        /* do not use any signal/alarm handler */ | ||||||
|   | |||||||
							
								
								
									
										12
									
								
								src/main.c
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								src/main.c
									
									
									
									
									
								
							| @@ -5,7 +5,7 @@ | |||||||
|  *                            | (__| |_| |  _ <| |___ |  *                            | (__| |_| |  _ <| |___ | ||||||
|  *                             \___|\___/|_| \_\_____| |  *                             \___|\___/|_| \_\_____| | ||||||
|  * |  * | ||||||
|  * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. |  * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al. | ||||||
|  * |  * | ||||||
|  * This software is licensed as described in the file COPYING, which |  * This software is licensed as described in the file COPYING, which | ||||||
|  * you should have received as part of this distribution. The terms |  * you should have received as part of this distribution. The terms | ||||||
| @@ -349,6 +349,7 @@ struct Configurable { | |||||||
|   bool ftp_ssl; |   bool ftp_ssl; | ||||||
|   bool ftp_ssl_reqd; |   bool ftp_ssl_reqd; | ||||||
|   bool ftp_ssl_control; |   bool ftp_ssl_control; | ||||||
|  |   bool ftp_ssl_ccc; | ||||||
|  |  | ||||||
|   char *socksproxy; /* set to server string */ |   char *socksproxy; /* set to server string */ | ||||||
|   int socksver;     /* set to CURLPROXY_SOCKS* define */ |   int socksver;     /* set to CURLPROXY_SOCKS* define */ | ||||||
| @@ -529,6 +530,7 @@ static void help(void) | |||||||
|     "    --ftp-ssl       Try SSL/TLS for ftp transfer (F)", |     "    --ftp-ssl       Try SSL/TLS for ftp transfer (F)", | ||||||
|     "    --ftp-ssl-control Require SSL/TLS for ftp login, clear for transfer (F)", |     "    --ftp-ssl-control Require SSL/TLS for ftp login, clear for transfer (F)", | ||||||
|     "    --ftp-ssl-reqd  Require SSL/TLS for ftp transfer (F)", |     "    --ftp-ssl-reqd  Require SSL/TLS for ftp transfer (F)", | ||||||
|  |     "    --ftp-ssl-ccc   Send CCC after authenticating (F)", | ||||||
|     " -F/--form <name=content> Specify HTTP multipart POST data (H)", |     " -F/--form <name=content> Specify HTTP multipart POST data (H)", | ||||||
|     "    --form-string <name=string> Specify HTTP multipart POST data (H)", |     "    --form-string <name=string> Specify HTTP multipart POST data (H)", | ||||||
|     " -g/--globoff       Disable URL sequences and ranges using {} and []", |     " -g/--globoff       Disable URL sequences and ranges using {} and []", | ||||||
| @@ -1355,6 +1357,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ | |||||||
|     {"$v", "ftp-ssl-reqd", FALSE}, |     {"$v", "ftp-ssl-reqd", FALSE}, | ||||||
|     {"$w", "no-sessionid", FALSE}, |     {"$w", "no-sessionid", FALSE}, | ||||||
|     {"$x", "ftp-ssl-control", FALSE}, |     {"$x", "ftp-ssl-control", FALSE}, | ||||||
|  |     {"$y", "ftp-ssl-ccc", FALSE}, | ||||||
|  |  | ||||||
|     {"0", "http1.0",     FALSE}, |     {"0", "http1.0",     FALSE}, | ||||||
|     {"1", "tlsv1",       FALSE}, |     {"1", "tlsv1",       FALSE}, | ||||||
| @@ -1779,6 +1782,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ | |||||||
|       case 'x': /* --ftp-ssl-control */ |       case 'x': /* --ftp-ssl-control */ | ||||||
|         config->ftp_ssl_control ^= TRUE; |         config->ftp_ssl_control ^= TRUE; | ||||||
|         break; |         break; | ||||||
|  |       case 'y': /* --ftp-ssl-ccc */ | ||||||
|  |         config->ftp_ssl_ccc ^= TRUE; | ||||||
|  |         break; | ||||||
|       } |       } | ||||||
|       break; |       break; | ||||||
|     case '#': /* --progress-bar */ |     case '#': /* --progress-bar */ | ||||||
| @@ -4002,6 +4008,10 @@ operate(struct Configurable *config, int argc, char *argv[]) | |||||||
|         else if(config->ftp_ssl_control) |         else if(config->ftp_ssl_control) | ||||||
|           curl_easy_setopt(curl, CURLOPT_FTP_SSL, CURLFTPSSL_CONTROL); |           curl_easy_setopt(curl, CURLOPT_FTP_SSL, CURLFTPSSL_CONTROL); | ||||||
|  |  | ||||||
|  |         /* new in curl 7.16.1 */ | ||||||
|  |         if(config->ftp_ssl_ccc) | ||||||
|  |           curl_easy_setopt(curl, CURLOPT_FTP_SSL_CCC, TRUE); | ||||||
|  |  | ||||||
|         /* new in curl 7.11.1, modified in 7.15.2 */ |         /* new in curl 7.11.1, modified in 7.15.2 */ | ||||||
|         if(config->socksproxy) { |         if(config->socksproxy) { | ||||||
|           curl_easy_setopt(curl, CURLOPT_PROXY, config->socksproxy); |           curl_easy_setopt(curl, CURLOPT_PROXY, config->socksproxy); | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Daniel Stenberg
					Daniel Stenberg