Improving SSL state indicator.

Perry Werneck
1 parent 9186a206
Showing 1 changed file with 42 additions and 35 deletions Show diff stats
src/ssl/negotiate.c
@@ -161,17 +161,52 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
  
 	}
  
+	//
 	// Success.
-	X509 * peer = NULL;
+	//
+
+	// Get peer certificate, notify application before validation.
+	X509 * peer = SSL_get_peer_certificate(hSession->ssl.con);
+
+	if(peer)
+	{
+		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
+		{
+			BIO				* out	= BIO_new(BIO_s_mem());
+			unsigned char	* data;
+			unsigned char	* text;
+			int				  n;
+
+			X509_print(out,peer);
+
+			n		= BIO_get_mem_data(out, &data);
+			text	= (unsigned char *) malloc (n+1);
+			text[n]	='\0';
+			memcpy(text,data,n);
+
+			trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
+
+			free(text);
+			BIO_free(out);
+
+		}
+
+		hSession->cbk.set_peer_certificate(peer);
+
+		X509_free(peer);
+	}
+
+
+	// Validate certificate.
 	rv = SSL_get_verify_result(hSession->ssl.con);
  
 	debug("SSL Verify result was %d", rv);
-
 	const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
  
 	if(!msg)
 	{
 		trace_ssl(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
+		set_ssl_state(hSession,LIB3270_SSL_UNSECURE);
  
 #ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
 		((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
@@ -186,16 +221,16 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 		switch(rv)
 		{
 		case X509_V_OK:
-			peer = SSL_get_peer_certificate(hSession->ssl.con);
 			trace_ssl(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not");
+			set_ssl_state(hSession,LIB3270_SSL_SECURE);
 			break;
  
 		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
  
-			peer = SSL_get_peer_certificate(hSession->ssl.con);
-
 			trace_ssl(hSession,"TLS/SSL negotiated connection complete with self signed certificate in certificate chain (rc=%d)\n",rv);
  
+			set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
+
 	#ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 			((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
 			((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." );
@@ -214,6 +249,8 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 			((SSL_ERROR_MESSAGE *) message)->text = gettext(msg->message);
 			((SSL_ERROR_MESSAGE *) message)->description = gettext(msg->description);
  
+			set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
+
 			if(msg->icon == LIB3270_NOTIFY_ERROR)
 			{
 				((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
@@ -240,36 +277,6 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 						alg_bits);
 	}
  
-
-	if(peer)
-	{
-		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
-		{
-			BIO				* out	= BIO_new(BIO_s_mem());
-			unsigned char	* data;
-			unsigned char	* text;
-			int				  n;
-
-			X509_print(out,peer);
-
-			n		= BIO_get_mem_data(out, &data);
-			text	= (unsigned char *) malloc (n+1);
-			text[n]	='\0';
-			memcpy(text,data,n);
-
-			trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
-
-			free(text);
-			BIO_free(out);
-
-		}
-
-		hSession->cbk.set_peer_certificate(peer);
-
-		set_ssl_state(hSession,LIB3270_SSL_SECURE);
-		X509_free(peer);
-	}
-
 	return 0;
 }
...	...	@@ -161,17 +161,52 @@ static int background_ssl_negotiation(H3270 hSession, void message)
161	161
162	162	}
163	163
	164	+ //
164	165	// Success.
165		- X509 * peer = NULL;
	166	+ //
	167	+
	168	+ // Get peer certificate, notify application before validation.
	169	+ X509 * peer = SSL_get_peer_certificate(hSession->ssl.con);
	170	+
	171	+ if(peer)
	172	+ {
	173	+ if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
	174	+ {
	175	+ BIO * out = BIO_new(BIO_s_mem());
	176	+ unsigned char * data;
	177	+ unsigned char * text;
	178	+ int n;
	179	+
	180	+ X509_print(out,peer);
	181	+
	182	+ n = BIO_get_mem_data(out, &data);
	183	+ text = (unsigned char *) malloc (n+1);
	184	+ text[n] ='\0';
	185	+ memcpy(text,data,n);
	186	+
	187	+ trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
	188	+
	189	+ free(text);
	190	+ BIO_free(out);
	191	+
	192	+ }
	193	+
	194	+ hSession->cbk.set_peer_certificate(peer);
	195	+
	196	+ X509_free(peer);
	197	+ }
	198	+
	199	+
	200	+ // Validate certificate.
166	201	rv = SSL_get_verify_result(hSession->ssl.con);
167	202
168	203	debug("SSL Verify result was %d", rv);
169		-
170	204	const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
171	205
172	206	if(!msg)
173	207	{
174	208	trace_ssl(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
	209	+ set_ssl_state(hSession,LIB3270_SSL_UNSECURE);
175	210
176	211	#ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
177	212	((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
...	...	@@ -186,16 +221,16 @@ static int background_ssl_negotiation(H3270 hSession, void message)
186	221	switch(rv)
187	222	{
188	223	case X509_V_OK:
189		- peer = SSL_get_peer_certificate(hSession->ssl.con);
190	224	trace_ssl(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not");
	225	+ set_ssl_state(hSession,LIB3270_SSL_SECURE);
191	226	break;
192	227
193	228	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
194	229
195		- peer = SSL_get_peer_certificate(hSession->ssl.con);
196		-
197	230	trace_ssl(hSession,"TLS/SSL negotiated connection complete with self signed certificate in certificate chain (rc=%d)\n",rv);
198	231
	232	+ set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
	233	+
199	234	#ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
200	235	((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
201	236	((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." );
...	...	@@ -214,6 +249,8 @@ static int background_ssl_negotiation(H3270 hSession, void message)
214	249	((SSL_ERROR_MESSAGE *) message)->text = gettext(msg->message);
215	250	((SSL_ERROR_MESSAGE *) message)->description = gettext(msg->description);
216	251
	252	+ set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
	253	+
217	254	if(msg->icon == LIB3270_NOTIFY_ERROR)
218	255	{
219	256	((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
...	...	@@ -240,36 +277,6 @@ static int background_ssl_negotiation(H3270 hSession, void message)
240	277	alg_bits);
241	278	}
242	279
243		-
244		- if(peer)
245		- {
246		- if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
247		- {
248		- BIO * out = BIO_new(BIO_s_mem());
249		- unsigned char * data;
250		- unsigned char * text;
251		- int n;
252		-
253		- X509_print(out,peer);
254		-
255		- n = BIO_get_mem_data(out, &data);
256		- text = (unsigned char *) malloc (n+1);
257		- text[n] ='\0';
258		- memcpy(text,data,n);
259		-
260		- trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
261		-
262		- free(text);
263		- BIO_free(out);
264		-
265		- }
266		-
267		- hSession->cbk.set_peer_certificate(peer);
268		-
269		- set_ssl_state(hSession,LIB3270_SSL_SECURE);
270		- X509_free(peer);
271		- }
272		-
273	280	return 0;
274	281	}
275	282
...	...