Commit 19db0d3670f970bbdb1f00131a96266089327423

Authored by Perry Werneck
1 parent 9186a206

Improving SSL state indicator.

Showing 1 changed file with 42 additions and 35 deletions
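--- a/src/ssl/negotiate.c
+++ b/src/ssl/negotiate.c
@@ -161,17 +161,52 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 
 }
 
+//
 // Success.
-X509 * peer = NULL;
+//
+
+// Get peer certificate, notify application before validation.
+X509 * peer = SSL_get_peer_certificate(hSession->ssl.con);
+
+if(peer)
+{
+if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
+{
+BIO * out = BIO_new(BIO_s_mem());
+unsigned char * data;
+unsigned char * text;
+int n;
+
+X509_print(out,peer);
+
+n = BIO_get_mem_data(out, &data);
+text = (unsigned char *) malloc (n+1);
+text[n] ='\0';
+memcpy(text,data,n);
+
+trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
+
+free(text);
+BIO_free(out);
+
+}
+
+hSession->cbk.set_peer_certificate(peer);
+
+X509_free(peer);
+}
+
+
+// Validate certificate.
 rv = SSL_get_verify_result(hSession->ssl.con);
 
 debug("SSL Verify result was %d", rv);
-
 const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
 
 if(!msg)
 {
 trace_ssl(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
+set_ssl_state(hSession,LIB3270_SSL_UNSECURE);
 
 #ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
 ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
@@ -186,16 +221,16 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 switch(rv)
 {
 case X509_V_OK:
-peer = SSL_get_peer_certificate(hSession->ssl.con);
 trace_ssl(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not");
+set_ssl_state(hSession,LIB3270_SSL_SECURE);
 break;
 
 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 
-peer = SSL_get_peer_certificate(hSession->ssl.con);
-
 trace_ssl(hSession,"TLS/SSL negotiated connection complete with self signed certificate in certificate chain (rc=%d)\n",rv);
 
+set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
+
 #ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
 ((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." );
@@ -214,6 +249,8 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 ((SSL_ERROR_MESSAGE *) message)->text = gettext(msg->message);
 ((SSL_ERROR_MESSAGE *) message)->description = gettext(msg->description);
 
+set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
+
 if(msg->icon == LIB3270_NOTIFY_ERROR)
 {
 ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
@@ -240,36 +277,6 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 alg_bits);
 }
 
-
-if(peer)
-{
-if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
-{
-BIO * out = BIO_new(BIO_s_mem());
-unsigned char * data;
-unsigned char * text;
-int n;
-
-X509_print(out,peer);
-
-n = BIO_get_mem_data(out, &data);
-text = (unsigned char *) malloc (n+1);
-text[n] ='\0';
-memcpy(text,data,n);
-
-trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
-
-free(text);
-BIO_free(out);
-
-}
-
-hSession->cbk.set_peer_certificate(peer);
-
-set_ssl_state(hSession,LIB3270_SSL_SECURE);
-X509_free(peer);
-}
-
 return 0;
 }
 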
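Review bot: The moved trace block in the first hunk (new lines 175–190) still dereferences unchecked results: `BIO_new()` can return NULL and is then passed to `X509_print`, `malloc(n+1)` is unchecked before `text[n] = '\0'`, and `BIO_get_mem_data` yields a `long` that is narrowed into `int n`; since this is the only path that handles peer-supplied certificate data, the guards should come along with the move. The application callback `set_peer_certificate(peer)` is now followed immediately by `X509_free(peer)`, so a callback that retains the pointer rather than copying or `X509_up_ref`-ing it would be left dangling; a one-line comment such as `// Callee must not retain peer beyond this call without X509_up_ref()` would pin the ownership contract, since it cannot be verified from this file. The enclosing function background_ssl_negotiation begins before the first hunk.
```c
if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
{
	BIO * out = BIO_new(BIO_s_mem());

	// Only format when the BIO exists and X509_print succeeded.
	if(out && X509_print(out,peer))
	{
		char * data = NULL;
		long n = BIO_get_mem_data(out, &data);
		char * text = (n > 0) ? malloc((size_t) n + 1) : NULL;

		if(text)
		{
			memcpy(text,data,(size_t) n);
			text[n] = '\0';
			trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
			free(text);
		}
	}

	BIO_free(out);	// BIO_free(NULL) is a no-op.
}

// … unchanged: set_peer_certificate callback and X509_free …
```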