From 19db0d3670f970bbdb1f00131a96266089327423 Mon Sep 17 00:00:00 2001 From: Perry Werneck Date: Wed, 4 Sep 2019 11:29:49 -0300 Subject: [PATCH] Improving SSL state indicator. --- src/ssl/negotiate.c | 77 ++++++++++++++++++++++++++++++++++++++++++----------------------------------- 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/src/ssl/negotiate.c b/src/ssl/negotiate.c index 76add03..ad61d58 100644 --- a/src/ssl/negotiate.c +++ b/src/ssl/negotiate.c @@ -161,17 +161,52 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) } + // // Success. - X509 * peer = NULL; + // + + // Get peer certificate, notify application before validation. + X509 * peer = SSL_get_peer_certificate(hSession->ssl.con); + + if(peer) + { + if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE)) + { + BIO * out = BIO_new(BIO_s_mem()); + unsigned char * data; + unsigned char * text; + int n; + + X509_print(out,peer); + + n = BIO_get_mem_data(out, &data); + text = (unsigned char *) malloc (n+1); + text[n] ='\0'; + memcpy(text,data,n); + + trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text); + + free(text); + BIO_free(out); + + } + + hSession->cbk.set_peer_certificate(peer); + + X509_free(peer); + } + + + // Validate certificate. rv = SSL_get_verify_result(hSession->ssl.con); debug("SSL Verify result was %d", rv); - const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv); if(!msg) { trace_ssl(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv); + set_ssl_state(hSession,LIB3270_SSL_UNSECURE); #ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" ); 
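Review bot: The certificate-trace block that now runs before validation still checks neither `BIO_new()` nor `malloc()`: `X509_print(out,peer)` is called on a NULL BIO and `text[n] = '\0'` writes through a NULL pointer if either allocation fails, and `int n` narrows the `long` returned by `BIO_get_mem_data()`. Since this is a trace-only path, guarding both allocations (and an empty `n`) keeps a logging toggle from being able to crash the negotiation; the rewritten block is below. Separately, `peer` is left dangling after `X509_free(peer)` at the end of the added block while still being tested later in the function; a comment at that point such as `// peer is freed here; later code may only test it for NULL, never dereference it` would make that contract explicit. background_ssl_negotiation starts before and continues past this hunk.
```c
		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
		{
			BIO * out = BIO_new(BIO_s_mem());
			if(out)
			{
				unsigned char * data = NULL;
				long n;

				X509_print(out,peer);
				n = BIO_get_mem_data(out, &data);
				if(n > 0)
				{
					// BIO memory is not NUL-terminated; copy before tracing as a string.
					unsigned char * text = malloc((size_t) n + 1);
					if(text)
					{
						memcpy(text,data,(size_t) n);
						text[n] = '\0';
						trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
						free(text);
					}
				}
				BIO_free(out);
			}
		}
		// … unchanged: set_peer_certificate callback and X509_free(peer) …
```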
@@ -186,16 +221,16 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) switch(rv) { case X509_V_OK: - peer = SSL_get_peer_certificate(hSession->ssl.con); trace_ssl(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not"); + set_ssl_state(hSession,LIB3270_SSL_SECURE); break; case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: - peer = SSL_get_peer_certificate(hSession->ssl.con); - trace_ssl(hSession,"TLS/SSL negotiated connection complete with self signed certificate in certificate chain (rc=%d)\n",rv); + set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED); + #ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" ); ((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." ); @@ -214,6 +249,8 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) ((SSL_ERROR_MESSAGE *) message)->text = gettext(msg->message); ((SSL_ERROR_MESSAGE *) message)->description = gettext(msg->description); + set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED); + if(msg->icon == LIB3270_NOTIFY_ERROR) { ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" ); @@ -240,36 +277,6 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) alg_bits); } - - if(peer) - { - if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE)) - { - BIO * out = BIO_new(BIO_s_mem()); - unsigned char * data; - unsigned char * text; - int n; - - X509_print(out,peer); - - n = BIO_get_mem_data(out, &data); - text = (unsigned char *) malloc (n+1); - text[n] ='\0'; - memcpy(text,data,n); - - trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text); - - free(text); - BIO_free(out); - - } - - hSession->cbk.set_peer_certificate(peer); - - set_ssl_state(hSession,LIB3270_SSL_SECURE); - X509_free(peer); - } - return 0; } -- libgit2 0.21.2
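Review bot: `set_ssl_state(hSession,LIB3270_SSL_SECURE)` in the `X509_V_OK` case is reached even when `peer` is NULL, but OpenSSL's `SSL_get_verify_result()` also returns `X509_V_OK` when no peer certificate was presented at all, so the indicator reports a secure session for an unauthenticated peer — the trace line just above it even prints that the certificate "was not" presented. The block removed in the last hunk only set SECURE inside `if(peer)`, so this looks like a regression from the move. Keeping the old guard, e.g. `set_ssl_state(hSession, peer ? LIB3270_SSL_SECURE : LIB3270_SSL_NEGOTIATED);`, restores it; whether NEGOTIATED or UNSECURE is the right fallback depends on what the indicator is meant to promise, which the page does not show. Note that `peer` has already been released by `X509_free()` in the first hunk, so it may only be compared against NULL here, never dereferenced. The switch and the enclosing function continue outside this hunk.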