--- CVS-latest\lib\ftp.c Mon Dec 01 11:14:39 2003
+++ lib\ftp.c	Tue Dec 02 12:57:31 2003
@@ -405,6 +405,22 @@
   return result;
 }

+#define TRY_AUTH_SSL_FIRST  1
+
+static struct {
+       const char *auth;
+       unsigned    ok_resp;
+     } ssl_auth_try[] = {
+#if TRY_AUTH_SSL_FIRST
+       { "AUTH SSL", 334 },
+       { "AUTH TLS", 234 },
+#else
+       { "AUTH TLS", 234 },
+       { "AUTH SSL", 334 },
+#endif
+       { NULL, 0 }
+     };
+
 /*
  * Curl_ftp_connect() should do everything that is to be considered a part of
  * the connection phase.
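Review bot: The `ssl_auth_try` table is never written, so it should be declared `static const struct { const char *auth; int ok_resp; }`. Making `ok_resp` an `int` also avoids the signed/unsigned comparison with `int ftpcode` in the later hunk. The `{ "AUTH SSL", 334 }` entry needs a comment: in RFC 2228 a 334 reply means the mechanism is accepted but security data is still expected, while 234 means the exchange is complete. A reader cannot tell from the table why 334 counts as final success for `AUTH SSL`. A compile-time macro that defaults to trying the older `AUTH SSL` first also deserves a line saying why that order was chosen over `AUTH TLS` first.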
@@ -417,7 +433,7 @@
   char *buf = data->state.buffer; /* this is our buffer */
   struct FTP *ftp;
   CURLcode result;
-  int ftpcode;
+  int ftpcode, try;

   ftp = (struct FTP *)malloc(sizeof(struct FTP));
   if(!ftp)
@@ -445,6 +461,7 @@
       return result;
   }

+#if (TRY_AUTH_SSL_FIRST == 0)
   if(conn->protocol & PROT_FTPS) {
     /* FTPS is simply ftp with SSL for the control channel */
     /* now, perform the SSL initialization for this socket */
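Review bot: Because this patch defines `TRY_AUTH_SSL_FIRST` as 1, the new `#if (TRY_AUTH_SSL_FIRST == 0)` guard compiles out the SSL initialization for `conn->protocol & PROT_FTPS`. A connection opened as FTPS then appears to reach the "220" wait with no handshake on the control socket. If `conn->ssl[FIRSTSOCKET].use` is already set for such connections (not visible here), the later `AUTH` loop is skipped as well and the login would go out unprotected. The order of the `AUTH` attempts and the implicit-FTPS handshake are independent, so the guard and its `#endif` in the next hunk should be dropped. The guarded `if` block starts in this hunk and ends in the next one.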
@@ -452,7 +469,7 @@
     if(result)
       return result;
   }
-
+#endif

   /* The first thing we do is wait for the "220*" line: */
   result = Curl_GetFTPResponse(&nread, conn, &ftpcode);
@@ -464,7 +481,8 @@
     return CURLE_FTP_WEIRD_SERVER_REPLY;
   }

-#ifdef KRB4
+#if defined(KRB4)
+
   /* if not anonymous login, try a secure login */
   if(data->set.krb4) {

@@ -482,11 +500,18 @@
   }
 #endif

+  for (try = 0; ssl_auth_try[try].auth; try++) {
   if(data->set.ftp_ssl && !conn->ssl[FIRSTSOCKET].use) {
     /* we don't have a ssl connection, try a FTPS connection now */
-    FTPSENDF(conn, "AUTH TLS", NULL);
+
+      printf ("use 1st sock %d, trying %s -> ",
+               conn->ssl[FIRSTSOCKET].use, ssl_auth_try[try].auth);
+      fflush (stdout);
+
+      FTPSENDF(conn, ssl_auth_try[try].auth, NULL);

     result = Curl_GetFTPResponse(&nread, conn, &ftpcode);
+
     if(result)
       return result;

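Review bot: The added `printf (...)` and `fflush (stdout)` write debug text to the application's stdout from library code. Replace them with `infof(data, "trying %s\n", ssl_auth_try[try].auth);` or remove them. `FTPSENDF(conn, ssl_auth_try[try].auth, NULL)` now passes a table entry where the removed line passed a literal; if the second argument is a printf-style format (the macro is not visible here), `FTPSENDF(conn, "%s", ssl_auth_try[try].auth);` keeps the format literal. The `data->set.ftp_ssl && !conn->ssl[FIRSTSOCKET].use` test does not depend on `try` and reads better wrapped around the loop. Nothing visible makes the connection fail when both attempts are rejected. The loop body continues into the next hunk.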
@@ -494,15 +519,19 @@
      *
      * If the server is willing to accept the named security mechanism, and
      * does not require any security data, it must respond with reply code
-     * 234.
+       * 234/334.
      */

-    if(234 == ftpcode) {
+      if(ftpcode == ssl_auth_try[try].ok_resp) {
       result = Curl_SSLConnect(conn, FIRSTSOCKET);
       if(result)
         return result;
       conn->protocol |= PROT_FTPS;
       conn->ssl[SECONDARYSOCKET].use = FALSE; /* clear-text data */
+        if (try == 1-TRY_AUTH_SSL_FIRST)
+           conn->ssl[FIRSTSOCKET].use = FALSE;
+        break;
+      }
     }
   }

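Review bot: `if (try == 1-TRY_AUTH_SSL_FIRST) conn->ssl[FIRSTSOCKET].use = FALSE;` clears the control-socket flag immediately after `Curl_SSLConnect(conn, FIRSTSOCKET)` succeeded. For either value of the macro, the index it tests is the `AUTH SSL` entry. If `.use` is what the send and receive paths check (not visible in this hunk), the USER/PASS exchange that follows would bypass the session just negotiated. The `if (conn->ssl[FIRSTSOCKET].use)` test added later in this patch would also see FALSE. The line should be removed, or justified in a comment with the index written as a named constant rather than `1-TRY_AUTH_SSL_FIRST`. The edited comment now says `234/334` under a sentence about a server that "does not require any security data", which in RFC 2228 describes 234 only.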
@@ -549,6 +578,7 @@
     /* 230 User ... logged in.
        (the user logged in without password) */
     infof(data, "We have successfully logged in\n");
+    if (conn->ssl[FIRSTSOCKET].use) {
 #ifdef KRB4
 	/* we are logged in (with Kerberos)
 	 * now set the requested protection level
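Review bot: The new `if (conn->ssl[FIRSTSOCKET].use) {` wraps the `#ifdef KRB4` block, whose comment says it sets the requested protection level after a Kerberos login. A Kerberos session without SSL on the control socket would therefore appear to skip that step and run without the protection the user asked for. If the intent was to skip the Kerberos step when SSL is already active, the condition would be `if (!conn->ssl[FIRSTSOCKET].use)`; either way it needs a comment stating the intent. Placing the test inside the `#ifdef KRB4` section would also avoid an empty `if` body in builds without KRB4. The closing brace is added in the next hunk, and the Kerberos block itself lies outside both hunks.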
@@ -566,6 +596,7 @@
     }
 #endif
   }
+  }
   else {
     failf(data, "Odd return code after USER");
     return CURLE_FTP_WEIRD_USER_REPLY;
@@ -1759,7 +1790,7 @@
     if(conn->ssl[SECONDARYSOCKET].use) {
       /* since we only have a plaintext TCP connection here, we must now
 	 do the TLS stuff */
-      infof(data, "Doing the SSL/TSL handshake on the data stream\n");
+      infof(data, "Doing the SSL/TLS handshake on the data stream\n");
       result = Curl_SSLConnect(conn, SECONDARYSOCKET);
       if(result)
 	return result;
@@ -2024,7 +2055,7 @@
       if(conn->ssl[SECONDARYSOCKET].use) {
 	/* since we only have a plaintext TCP connection here, we must now
 	   do the TLS stuff */
-	infof(data, "Doing the SSL/TSL handshake on the data stream\n");
+	infof(data, "Doing the SSL/TLS handshake on the data stream\n");
 	result = Curl_SSLConnect(conn, SECONDARYSOCKET);
 	if(result)
 	  return result;
@@ -2220,7 +2251,7 @@
   else {
     /* We have chosen (this is default) to use the PASV command */
     result = ftp_use_pasv(conn, connected);
-    if(!result && *connected)
+    if(CURLE_OK == result && *connected)
       infof(data, "Connected the data stream with PASV!\n");
   }


