Commit 19db0d3670f970bbdb1f00131a96266089327423
1 parent
9186a206
Improving SSL state indicator.
Showing
1 changed file
with
42 additions
and
35 deletions
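--- a/src/ssl/negotiate.c
+++ b/src/ssl/negotiate.c
@@ -161,17 +161,52 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 
 	}
 
+	//
 	// Success.
-	X509 * peer = NULL;
+	//
+
+	// Get peer certificate, notify application before validation.
+	X509 * peer = SSL_get_peer_certificate(hSession->ssl.con);
+
+	if(peer)
+	{
+		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
+		{
+			BIO * out = BIO_new(BIO_s_mem());
+			unsigned char * data;
+			unsigned char * text;
+			int n;
+
+			X509_print(out,peer);
+
+			n = BIO_get_mem_data(out, &data);
+			text = (unsigned char *) malloc (n+1);
+			text[n] ='\0';
+			memcpy(text,data,n);
+
+			trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
+
+			free(text);
+			BIO_free(out);
+
+		}
+
+		hSession->cbk.set_peer_certificate(peer);
+
+		X509_free(peer);
+	}
+
+
+	// Validate certificate.
 	rv = SSL_get_verify_result(hSession->ssl.con);
 
 	debug("SSL Verify result was %d", rv);
-
 	const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
 
 	if(!msg)
 	{
 		trace_ssl(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
+		set_ssl_state(hSession,LIB3270_SSL_UNSECURE);
 
 #ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
 		((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
@@ -186,16 +221,16 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 	switch(rv)
 	{
 	case X509_V_OK:
-		peer = SSL_get_peer_certificate(hSession->ssl.con);
 		trace_ssl(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not");
+		set_ssl_state(hSession,LIB3270_SSL_SECURE);
 		break;
 
 	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 
-		peer = SSL_get_peer_certificate(hSession->ssl.con);
-
 		trace_ssl(hSession,"TLS/SSL negotiated connection complete with self signed certificate in certificate chain (rc=%d)\n",rv);
 
+		set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
+
 #ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 		((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
 		((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." );
@@ -214,6 +249,8 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 		((SSL_ERROR_MESSAGE *) message)->text = gettext(msg->message);
 		((SSL_ERROR_MESSAGE *) message)->description = gettext(msg->description);
 
+		set_ssl_state(hSession,LIB3270_SSL_NEGOTIATED);
+
 		if(msg->icon == LIB3270_NOTIFY_ERROR)
 		{
 			((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
@@ -240,36 +277,6 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 				alg_bits);
 	}
 
-
-	if(peer)
-	{
-		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
-		{
-			BIO * out = BIO_new(BIO_s_mem());
-			unsigned char * data;
-			unsigned char * text;
-			int n;
-
-			X509_print(out,peer);
-
-			n = BIO_get_mem_data(out, &data);
-			text = (unsigned char *) malloc (n+1);
-			text[n] ='\0';
-			memcpy(text,data,n);
-
-			trace_ssl(hSession,"TLS/SSL peer certificate:\n%s\n",text);
-
-			free(text);
-			BIO_free(out);
-
-		}
-
-		hSession->cbk.set_peer_certificate(peer);
-
-		set_ssl_state(hSession,LIB3270_SSL_SECURE);
-		X509_free(peer);
-	}
-
 	return 0;
 }
 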
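Review bot: New line 225 marks the session LIB3270_SSL_SECURE whenever SSL_get_verify_result() returns X509_V_OK, whereas the removed code (old lines 244–269) only set SECURE inside `if(peer)`; per the OpenSSL documentation X509_V_OK is also returned when no peer certificate was presented at all, so a server that sends no certificate would now be shown as secure while the trace on line 224 reports the certificate "was not" presented. Guard the state on the certificate, e.g. `set_ssl_state(hSession, peer ? LIB3270_SSL_SECURE : LIB3270_SSL_NEGOTIATED);` (or UNSECURE, whichever the indicator is meant to convey for an unauthenticated peer). Related, `peer` is freed at line 196 but still read at line 224; it is only compared against NULL, but recording `const int has_peer = (peer != NULL);` before the free and using that in the trace would avoid carrying a dangling pointer through the rest of the function. The moved trace block (lines 173–192) still writes `text[n]` without checking that `malloc(n+1)` succeeded. background_ssl_negotiation() begins before the first hunk, so the earlier error paths that may also set the SSL state are not visible here.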