Melhorando tratamento de erros SSL

perry.werneck@gmail.com
1 parent 61dff045
Showing 2 changed files with 55 additions and 74 deletions Show diff stats
src/include/lib3270/session.h
src/lib3270/telnet.c
@@ -377,7 +377,7 @@
 		int						  excepting				: 1;
  
 		// SSL Data (Always defined to mantain the same structure size)
-		unsigned long 			  last_ssl_error;
+		unsigned long 			  ssl_error;
 		SSL 					* ssl_con;
  
 		// State change callbacks.
@@ -136,7 +136,7 @@ static void check_in3270(H3270 *session);
 static void store3270in(H3270 *hSession, unsigned char c);
 static void check_linemode(H3270 *hSession, Boolean init);
 static int non_blocking(H3270 *session, Boolean on);
-static void net_connected(H3270 *session);
+static int net_connected(H3270 *session);
 #if defined(X3270_TN3270E) /*[*/
 static int tn3270e_negotiate(H3270 *hSession);
 #endif /*]*/
@@ -595,7 +595,6 @@ int net_connect(H3270 *session, const char *host, char *portname, Boolean ls, Bo
  
 	/* init ssl */
 #if defined(HAVE_LIBSSL)
-	session->last_ssl_error = !0;
 	if (session->ssl_host)
 		ssl_init(session);
 #endif
@@ -607,7 +606,8 @@ int net_connect(H3270 *session, const char *host, char *portname, Boolean ls, Bo
 	if(!rc)
 	{
 		trace_dsn(session,"Connected.\n");
-		net_connected(session);
+		if(net_connected(session))
+			return -1;
 	}
 	else
 	{
@@ -729,10 +729,12 @@ static void setup_lus(H3270 *hSession)
 }
  
 #if defined(HAVE_LIBSSL)
-static void ssl_negotiate(H3270 *hSession)
+static int ssl_negotiate(H3270 *hSession)
 {
 	int rv;
  
+	trace("%s",__FUNCTION__);
+
 	set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
 	non_blocking(hSession,False);
  
@@ -743,7 +745,7 @@ static void ssl_negotiate(H3270 *hSession)
 		/* Failed. */
 		popup_an_error(hSession,_( "SSL init failed!"));
 		net_disconnect(hSession);
-		return;
+		return -1;
 	}
  
 	/* Set up the TLS/SSL connection. */
@@ -752,7 +754,7 @@ static void ssl_negotiate(H3270 *hSession)
 		trace_dsn(hSession,"SSL_set_fd failed!\n");
 		popup_an_error(hSession,_( "SSL_set_fd failed!"));
 		net_disconnect(hSession);
-		return;
+		return -1;
 	}
  
 	trace("%s: Running SSL_connect",__FUNCTION__);
@@ -761,13 +763,34 @@ static void ssl_negotiate(H3270 *hSession)
  
 	if (rv != 1)
 	{
-		trace_dsn(hSession,"continue_tls: SSL_connect failed\n");
-		popup_an_error(hSession,_( "SSL connect failed!"));
+		int ssl_error =  SSL_get_error(hSession->ssl_con,rv);
+
+		if(ssl_error == SSL_ERROR_SYSCALL)
+		{
+			if(!hSession->ssl_error)
+			{
+				trace_dsn(hSession,"SSL_connect failed (ssl_error=%lu)\n",hSession->ssl_error);
+				popup_an_error(hSession,_( "SSL connect failed!"));
+			}
+			else
+			{
+				trace_dsn(hSession,"SSL_connect failed: %s %s\n",
+						ERR_lib_error_string(hSession->ssl_error),
+						ERR_reason_error_string(hSession->ssl_error));
+				popup_an_error(hSession,_( ERR_reason_error_string(hSession->ssl_error) ));
+			}
+
+		}
+		else
+		{
+			trace_dsn(hSession,"SSL_connect failed (ssl_error=%d errno=%d)\n",ssl_error,errno);
+			popup_an_error(hSession,_( "SSL connect failed!"));
+		}
+
 		net_disconnect(hSession);
-		return;
+		return -1;
 	}
  
-//	hSession->secure_connection = True;
 	non_blocking(hSession,True);
  
 	/* Success. */
@@ -816,10 +839,11 @@ static void ssl_negotiate(H3270 *hSession)
  
 	/* Tell the world that we are (still) connected, now in secure mode. */
 	lib3270_set_connected(hSession);
+	return 0;
 }
 #endif // HAVE_LIBSSL
  
-static void net_connected(H3270 *hSession)
+static int net_connected(H3270 *hSession)
 {
 	if(hSession->proxy_type > 0)
 	{
@@ -829,62 +853,24 @@ static void net_connected(H3270 *hSession)
 		if (proxy_negotiate(hSession, hSession->proxy_type, hSession->sock, hSession->hostname,hSession->current_port) < 0)
 		{
 			host_disconnect(hSession,True);
-			return;
+			return -1;
 		}
 	}
  
 	trace_dsn(hSession,"Connected to %s, port %u%s.\n", hSession->hostname, hSession->current_port,hSession->ssl_host? " via SSL": "");
  
-#if defined(HAVE_LIBSSL) /*[*/
+#if defined(HAVE_LIBSSL)
 	/* Set up SSL. */
 	if(hSession->ssl_con && hSession->secure == LIB3270_SSL_UNDEFINED)
 	{
-		ssl_negotiate(hSession);
-/*
-		int rc;
-
-		set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
-
-		if (SSL_set_fd(hSession->ssl_con, hSession->sock) != 1)
-		{
-			trace_dsn(hSession,"Can't set fd!\n");
-			popup_system_error(hSession,_( "Connection failed" ), _( "Can't set SSL socket file descriptor" ), "%s", SSL_state_string_long(hSession->ssl_con));
-			set_ssl_state(hSession,LIB3270_SSL_UNSECURE);
-		}
-		else
-		{
-			rc = SSL_connect(hSession->ssl_con);
-
-			if(rc != 1)
-			{
-				unsigned long 	  e		= ERR_get_error();
-				const char  	* state	= SSL_state_string_long(hSession->ssl_con);
-
-				trace_dsn(hSession,"TLS/SSL tunneled connection failed with error %ld, rc=%d and state=%s",e,rc,state);
-
-				host_disconnect(hSession,True);
-
-				if(e != hSession->last_ssl_error)
-				{
-					hSession->message(hSession,LIB3270_NOTIFY_ERROR,_( "Connection failed" ),_( "SSL negotiation failed" ),state);
-					hSession->last_ssl_error = e;
-				}
-				return;
-
-			}
-		}
-
-//		hSession->secure_connection = True;
-		trace_dsn(hSession,"TLS/SSL tunneled connection complete. Connection is now secure.\n");
-
-		// Tell everyone else again.
-		lib3270_set_connected(hSession);
-*/
+		if(ssl_negotiate(hSession))
+			return -1;
 	}
-#endif /*]*/
+#endif
  
 	lib3270_setup_session(hSession);
  
+	return 0;
 }
  
 /**
@@ -1120,7 +1106,8 @@ void net_input(H3270 *hSession)
  
 			host_disconnect(hSession,True);
 			return;
-		} else if (nr == 0)
+		}
+		else if (nr == 0)
 		{
 			/* Host disconnected. */
 			trace_dsn(hSession,"RCVD disconnect\n");
@@ -1137,7 +1124,8 @@ void net_input(H3270 *hSession)
 				return;
 			}
 			lib3270_set_connected(hSession);
-			net_connected(hSession);
+			if(net_connected(hSession))
+				return;
 		}
  
 		lib3270_data_recv(hSession, nr, buffer);
@@ -3094,6 +3082,7 @@ static void ssl_init(H3270 *session)
 {
 	static SSL_CTX *ssl_ctx = NULL;
  
+	session->ssl_error = 0;
 	set_ssl_state(session,LIB3270_SSL_UNDEFINED);
  
 	if(ssl_ctx == NULL)
@@ -3129,6 +3118,7 @@ static void ssl_init(H3270 *session)
  
 	SSL_set_ex_data(session->ssl_con,ssl_3270_ex_index,(char *) session);
  
+//	SSL_set_verify(session->ssl_con, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 	SSL_set_verify(session->ssl_con, 0, NULL);
  
 }
@@ -3164,14 +3154,9 @@ static void ssl_info_callback(INFO_CONST SSL *s, int where, int ret)
 			unsigned long e = ERR_get_error();
 			char err_buf[1024];
  
-			while(ERR_peek_error() == e)	// Remove other messages with the same error
-				e = ERR_get_error();
-
 			if(e != 0)
 			{
-				if(e == hSession->last_ssl_error)
-					return;
-				hSession->last_ssl_error = e;
+				hSession->ssl_error = e;
 				(void) ERR_error_string_n(e, err_buf, 1023);
 			}
 #if defined(_WIN32)
@@ -3190,16 +3175,12 @@ static void ssl_info_callback(INFO_CONST SSL *s, int where, int ret)
 				err_buf[0] = '\0';
 			}
  
-			trace_dsn(hSession,"SSL Connect error in %s\nState: %s\nAlert: %s\n",err_buf,SSL_state_string_long(s),SSL_alert_type_string_long(ret));
-
-			lib3270_popup_dialog(	hSession,									// H3270 *session,
-									PW3270_DIALOG_CRITICAL,						//	PW3270_DIALOG type,
-									_( "SSL Connect error" ),					// Title
-									err_buf,									// Message
-									_( "<b>Connection state:</b> %s\n<b>Alert message:</b> %s" ),
-									SSL_state_string_long(s),
-									SSL_alert_type_string_long(ret));
-
+			trace_dsn(hSession,"SSL Connect error %d\nMessage: %s\nState: %s\nAlert: %s\n",
+							ret,
+							err_buf,
+							SSL_state_string_long(s),
+							SSL_alert_type_string_long(ret)
+						);
  
 		}
...	...	@@ -377,7 +377,7 @@
377	377	int excepting : 1;
378	378
379	379	// SSL Data (Always defined to mantain the same structure size)
380		- unsigned long last_ssl_error;
	380	+ unsigned long ssl_error;
381	381	SSL * ssl_con;
382	382
383	383	// State change callbacks.
...	...
...	...	@@ -136,7 +136,7 @@ static void check_in3270(H3270 *session);
136	136	static void store3270in(H3270 *hSession, unsigned char c);
137	137	static void check_linemode(H3270 *hSession, Boolean init);
138	138	static int non_blocking(H3270 *session, Boolean on);
139		-static void net_connected(H3270 *session);
	139	+static int net_connected(H3270 *session);
140	140	#if defined(X3270_TN3270E) /[/
141	141	static int tn3270e_negotiate(H3270 *hSession);
142	142	#endif /]/
...	...	@@ -595,7 +595,6 @@ int net_connect(H3270 session, const char host, char *portname, Boolean ls, Bo
595	595
596	596	/* init ssl */
597	597	#if defined(HAVE_LIBSSL)
598		- session->last_ssl_error = !0;
599	598	if (session->ssl_host)
600	599	ssl_init(session);
601	600	#endif
...	...	@@ -607,7 +606,8 @@ int net_connect(H3270 session, const char host, char *portname, Boolean ls, Bo
607	606	if(!rc)
608	607	{
609	608	trace_dsn(session,"Connected.\n");
610		- net_connected(session);
	609	+ if(net_connected(session))
	610	+ return -1;
611	611	}
612	612	else
613	613	{
...	...	@@ -729,10 +729,12 @@ static void setup_lus(H3270 *hSession)
729	729	}
730	730
731	731	#if defined(HAVE_LIBSSL)
732		-static void ssl_negotiate(H3270 *hSession)
	732	+static int ssl_negotiate(H3270 *hSession)
733	733	{
734	734	int rv;
735	735
	736	+ trace("%s",__FUNCTION__);
	737	+
736	738	set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
737	739	non_blocking(hSession,False);
738	740
...	...	@@ -743,7 +745,7 @@ static void ssl_negotiate(H3270 *hSession)
743	745	/* Failed. */
744	746	popup_an_error(hSession,_( "SSL init failed!"));
745	747	net_disconnect(hSession);
746		- return;
	748	+ return -1;
747	749	}
748	750
749	751	/* Set up the TLS/SSL connection. */
...	...	@@ -752,7 +754,7 @@ static void ssl_negotiate(H3270 *hSession)
752	754	trace_dsn(hSession,"SSL_set_fd failed!\n");
753	755	popup_an_error(hSession,_( "SSL_set_fd failed!"));
754	756	net_disconnect(hSession);
755		- return;
	757	+ return -1;
756	758	}
757	759
758	760	trace("%s: Running SSL_connect",__FUNCTION__);
...	...	@@ -761,13 +763,34 @@ static void ssl_negotiate(H3270 *hSession)
761	763
762	764	if (rv != 1)
763	765	{
764		- trace_dsn(hSession,"continue_tls: SSL_connect failed\n");
765		- popup_an_error(hSession,_( "SSL connect failed!"));
	766	+ int ssl_error = SSL_get_error(hSession->ssl_con,rv);
	767	+
	768	+ if(ssl_error == SSL_ERROR_SYSCALL)
	769	+ {
	770	+ if(!hSession->ssl_error)
	771	+ {
	772	+ trace_dsn(hSession,"SSL_connect failed (ssl_error=%lu)\n",hSession->ssl_error);
	773	+ popup_an_error(hSession,_( "SSL connect failed!"));
	774	+ }
	775	+ else
	776	+ {
	777	+ trace_dsn(hSession,"SSL_connect failed: %s %s\n",
	778	+ ERR_lib_error_string(hSession->ssl_error),
	779	+ ERR_reason_error_string(hSession->ssl_error));
	780	+ popup_an_error(hSession,_( ERR_reason_error_string(hSession->ssl_error) ));
	781	+ }
	782	+
	783	+ }
	784	+ else
	785	+ {
	786	+ trace_dsn(hSession,"SSL_connect failed (ssl_error=%d errno=%d)\n",ssl_error,errno);
	787	+ popup_an_error(hSession,_( "SSL connect failed!"));
	788	+ }
	789	+
766	790	net_disconnect(hSession);
767		- return;
	791	+ return -1;
768	792	}
769	793
770		-// hSession->secure_connection = True;
771	794	non_blocking(hSession,True);
772	795
773	796	/* Success. */
...	...	@@ -816,10 +839,11 @@ static void ssl_negotiate(H3270 *hSession)
816	839
817	840	/* Tell the world that we are (still) connected, now in secure mode. */
818	841	lib3270_set_connected(hSession);
	842	+ return 0;
819	843	}
820	844	#endif // HAVE_LIBSSL
821	845
822		-static void net_connected(H3270 *hSession)
	846	+static int net_connected(H3270 *hSession)
823	847	{
824	848	if(hSession->proxy_type > 0)
825	849	{
...	...	@@ -829,62 +853,24 @@ static void net_connected(H3270 *hSession)
829	853	if (proxy_negotiate(hSession, hSession->proxy_type, hSession->sock, hSession->hostname,hSession->current_port) < 0)
830	854	{
831	855	host_disconnect(hSession,True);
832		- return;
	856	+ return -1;
833	857	}
834	858	}
835	859
836	860	trace_dsn(hSession,"Connected to %s, port %u%s.\n", hSession->hostname, hSession->current_port,hSession->ssl_host? " via SSL": "");
837	861
838		-#if defined(HAVE_LIBSSL) /[/
	862	+#if defined(HAVE_LIBSSL)
839	863	/* Set up SSL. */
840	864	if(hSession->ssl_con && hSession->secure == LIB3270_SSL_UNDEFINED)
841	865	{
842		- ssl_negotiate(hSession);
843		-/*
844		- int rc;
845		-
846		- set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
847		-
848		- if (SSL_set_fd(hSession->ssl_con, hSession->sock) != 1)
849		- {
850		- trace_dsn(hSession,"Can't set fd!\n");
851		- popup_system_error(hSession,_( "Connection failed" ), _( "Can't set SSL socket file descriptor" ), "%s", SSL_state_string_long(hSession->ssl_con));
852		- set_ssl_state(hSession,LIB3270_SSL_UNSECURE);
853		- }
854		- else
855		- {
856		- rc = SSL_connect(hSession->ssl_con);
857		-
858		- if(rc != 1)
859		- {
860		- unsigned long e = ERR_get_error();
861		- const char * state = SSL_state_string_long(hSession->ssl_con);
862		-
863		- trace_dsn(hSession,"TLS/SSL tunneled connection failed with error %ld, rc=%d and state=%s",e,rc,state);
864		-
865		- host_disconnect(hSession,True);
866		-
867		- if(e != hSession->last_ssl_error)
868		- {
869		- hSession->message(hSession,LIB3270_NOTIFY_ERROR,_( "Connection failed" ),_( "SSL negotiation failed" ),state);
870		- hSession->last_ssl_error = e;
871		- }
872		- return;
873		-
874		- }
875		- }
876		-
877		-// hSession->secure_connection = True;
878		- trace_dsn(hSession,"TLS/SSL tunneled connection complete. Connection is now secure.\n");
879		-
880		- // Tell everyone else again.
881		- lib3270_set_connected(hSession);
882		-*/
	866	+ if(ssl_negotiate(hSession))
	867	+ return -1;
883	868	}
884		-#endif /]/
	869	+#endif
885	870
886	871	lib3270_setup_session(hSession);
887	872
	873	+ return 0;
888	874	}
889	875
890	876	/**
...	...	@@ -1120,7 +1106,8 @@ void net_input(H3270 *hSession)
1120	1106
1121	1107	host_disconnect(hSession,True);
1122	1108	return;
1123		- } else if (nr == 0)
	1109	+ }
	1110	+ else if (nr == 0)
1124	1111	{
1125	1112	/* Host disconnected. */
1126	1113	trace_dsn(hSession,"RCVD disconnect\n");
...	...	@@ -1137,7 +1124,8 @@ void net_input(H3270 *hSession)
1137	1124	return;
1138	1125	}
1139	1126	lib3270_set_connected(hSession);
1140		- net_connected(hSession);
	1127	+ if(net_connected(hSession))
	1128	+ return;
1141	1129	}
1142	1130
1143	1131	lib3270_data_recv(hSession, nr, buffer);
...	...	@@ -3094,6 +3082,7 @@ static void ssl_init(H3270 *session)
3094	3082	{
3095	3083	static SSL_CTX *ssl_ctx = NULL;
3096	3084
	3085	+ session->ssl_error = 0;
3097	3086	set_ssl_state(session,LIB3270_SSL_UNDEFINED);
3098	3087
3099	3088	if(ssl_ctx == NULL)
...	...	@@ -3129,6 +3118,7 @@ static void ssl_init(H3270 *session)
3129	3118
3130	3119	SSL_set_ex_data(session->ssl_con,ssl_3270_ex_index,(char *) session);
3131	3120
	3121	+// SSL_set_verify(session->ssl_con, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
3132	3122	SSL_set_verify(session->ssl_con, 0, NULL);
3133	3123
3134	3124	}
...	...	@@ -3164,14 +3154,9 @@ static void ssl_info_callback(INFO_CONST SSL *s, int where, int ret)
3164	3154	unsigned long e = ERR_get_error();
3165	3155	char err_buf[1024];
3166	3156
3167		- while(ERR_peek_error() == e) // Remove other messages with the same error
3168		- e = ERR_get_error();
3169		-
3170	3157	if(e != 0)
3171	3158	{
3172		- if(e == hSession->last_ssl_error)
3173		- return;
3174		- hSession->last_ssl_error = e;
	3159	+ hSession->ssl_error = e;
3175	3160	(void) ERR_error_string_n(e, err_buf, 1023);
3176	3161	}
3177	3162	#if defined(_WIN32)
...	...	@@ -3190,16 +3175,12 @@ static void ssl_info_callback(INFO_CONST SSL *s, int where, int ret)
3190	3175	err_buf[0] = '\0';
3191	3176	}
3192	3177
3193		- trace_dsn(hSession,"SSL Connect error in %s\nState: %s\nAlert: %s\n",err_buf,SSL_state_string_long(s),SSL_alert_type_string_long(ret));
3194		-
3195		- lib3270_popup_dialog( hSession, // H3270 *session,
3196		- PW3270_DIALOG_CRITICAL, // PW3270_DIALOG type,
3197		- _( "SSL Connect error" ), // Title
3198		- err_buf, // Message
3199		- _( "<b>Connection state:</b> %s\n<b>Alert message:</b> %s" ),
3200		- SSL_state_string_long(s),
3201		- SSL_alert_type_string_long(ret));
3202		-
	3178	+ trace_dsn(hSession,"SSL Connect error %d\nMessage: %s\nState: %s\nAlert: %s\n",
	3179	+ ret,
	3180	+ err_buf,
	3181	+ SSL_state_string_long(s),
	3182	+ SSL_alert_type_string_long(ret)
	3183	+ );
3203	3184
3204	3185	}
3205	3186
...	...