From cd653f1be9e32581495696183a95085d7045ab80 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 1 Dec 2003 10:14:39 +0000
Subject: FTPS now works with active ftp and uploads too.

---
 lib/ftp.c | 108 ++++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 59 insertions(+), 49 deletions(-)

diff --git a/lib/ftp.c b/lib/ftp.c
index d0c6255a8..b0bc61800 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -174,6 +174,7 @@ static CURLcode AllowServerConnect(struct connectdata *conn)
     }
     break;
   }
+
   return CURLE_OK;
 }
 
@@ -504,47 +505,6 @@ CURLcode Curl_ftp_connect(struct connectdata *conn)
       conn->ssl[SECONDARYSOCKET].use = FALSE; /* clear-text data */
     }
   }
-  if(conn->ssl[FIRSTSOCKET].use) {
-    /* PBSZ = PROTECTION BUFFER SIZE.
-
-       The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
-
-       Specifically, the PROT command MUST be preceded by a PBSZ command
-       and a PBSZ command MUST be preceded by a successful security data
-       exchange (the TLS negotiation in this case)
-
-       ... (and on page 8):
-         
-       Thus the PBSZ command must still be issued, but must have a parameter
-       of '0' to indicate that no buffering is taking place and the data
-       connection should not be encapsulated.
-    */
-    FTPSENDF(conn, "PBSZ %d", 0);
-    result = Curl_GetFTPResponse(&nread, conn, &ftpcode);
-    if(result)
-      return result;
-
-    /* For TLS, the data connection can have one of two security levels.
-
-       1)Clear (requested by 'PROT C')
-
-       2)Private (requested by 'PROT P')
-    */
-    if(!conn->ssl[SECONDARYSOCKET].use) {
-      FTPSENDF(conn, "PROT %c", 'P');
-      result = Curl_GetFTPResponse(&nread, conn, &ftpcode);
-      if(result)
-        return result;
-    
-      if(ftpcode == 200)
-        /* We have enabled SSL for the data connection! */
-        conn->ssl[SECONDARYSOCKET].use = TRUE;
-
-      /* FTP servers typically responds with 500 if they decide to reject
-         our 'P' request */
-    }
-  }
-
   
   /* send USER */
   FTPSENDF(conn, "USER %s", ftp->user?ftp->user:"");
@@ -611,6 +571,47 @@ CURLcode Curl_ftp_connect(struct connectdata *conn)
     return CURLE_FTP_WEIRD_USER_REPLY;
   }
 
+  if(conn->ssl[FIRSTSOCKET].use) {
+    /* PBSZ = PROTECTION BUFFER SIZE.
+
+       The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
+
+       Specifically, the PROT command MUST be preceded by a PBSZ command
+       and a PBSZ command MUST be preceded by a successful security data
+       exchange (the TLS negotiation in this case)
+
+       ... (and on page 8):
+         
+       Thus the PBSZ command must still be issued, but must have a parameter
+       of '0' to indicate that no buffering is taking place and the data
+       connection should not be encapsulated.
+    */
+    FTPSENDF(conn, "PBSZ %d", 0);
+    result = Curl_GetFTPResponse(&nread, conn, &ftpcode);
+    if(result)
+      return result;
+
+    /* For TLS, the data connection can have one of two security levels.
+
+       1)Clear (requested by 'PROT C')
+
+       2)Private (requested by 'PROT P')
+    */
+    if(!conn->ssl[SECONDARYSOCKET].use) {
+      FTPSENDF(conn, "PROT %c", 'P');
+      result = Curl_GetFTPResponse(&nread, conn, &ftpcode);
+      if(result)
+        return result;
+    
+      if(ftpcode == 200)
+        /* We have enabled SSL for the data connection! */
+        conn->ssl[SECONDARYSOCKET].use = TRUE;
+
+      /* FTP servers typically responds with 500 if they decide to reject
+         our 'P' request */
+    }
+  }
+
   /* send PWD to discover our entry point */
   FTPSENDF(conn, "PWD", NULL);
 
@@ -1611,7 +1612,7 @@ CURLcode ftp_use_pasv(struct connectdata *conn,
     /* this just dumps information about this second connection */
     ftp_pasv_verbose(conn, conninfo, newhostp, connectport);
   
-  if (data->set.tunnel_thru_httpproxy) {
+  if(data->set.tunnel_thru_httpproxy) {
     /* We want "seamless" FTP operations through HTTP proxy tunnel */
     result = Curl_ConnectHTTPProxyTunnel(conn, SECONDARYSOCKET,
                                          newhostp, newport);
@@ -1755,6 +1756,15 @@ CURLcode Curl_ftp_nextconnect(struct connectdata *conn)
         return result;
     }
 
+    if(conn->ssl[SECONDARYSOCKET].use) {
+      /* since we only have a plaintext TCP connection here, we must now
+	 do the TLS stuff */
+      infof(data, "Doing the SSL/TSL handshake on the data stream\n");
+      result = Curl_SSLConnect(conn, SECONDARYSOCKET);
+      if(result)
+	return result;
+    }
+
     *bytecountp=0;
 
     /* When we know we're uploading a specified file, we can get the file
@@ -2011,15 +2021,15 @@ CURLcode Curl_ftp_nextconnect(struct connectdata *conn)
           return result;
       }
 
-#if 1
       if(conn->ssl[SECONDARYSOCKET].use) {
-        /* since we only have a TCP connection, we must now do the TLS stuff */
-        infof(data, "Doing the SSL/TSL handshake on the data stream\n");
-        result = Curl_SSLConnect(conn, SECONDARYSOCKET);
-        if(result)
-          return result;
+	/* since we only have a plaintext TCP connection here, we must now
+	   do the TLS stuff */
+	infof(data, "Doing the SSL/TSL handshake on the data stream\n");
+	result = Curl_SSLConnect(conn, SECONDARYSOCKET);
+	if(result)
+	  return result;
       }
-#endif
+
       infof(data, "Getting file with size: %d\n", size);
 
       /* FTP download: */
-- 
cgit v1.2.3