Commit 339372a78f553e74cd8a94b38e0bd61941a515aa
1 parent
d908bfc4
Fixing CRL download.
Showing
2 changed files
with
76 additions
and
21 deletions
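--- a/src/network_modules/openssl/crl.c
+++ b/src/network_modules/openssl/crl.c
@@ -27,7 +27,7 @@
  *
  */
 
-/// @brief Get CRL infro from X509 cert.
+/// @brief Get CRL info from X509 cert.
 ///
 /// References:
 ///
@@ -35,6 +35,7 @@
 
 
 #include "private.h"
+#include <utilc.h>
 
 /*--[ Implement ]------------------------------------------------------------------------------------*/
 
@@ -79,7 +80,13 @@ LIB3270_STRING_ARRAY * lib3270_openssl_get_crls_from_peer(H3270 *hSession, X509
 #endif // OpenSSL 1.1.0+
 
 		if(data && length > 0)
-			lib3270_string_array_append_with_length(uris,(char *) data, (size_t) length);
+		{
+			lib3270_autoptr(char) uri = lib3270_malloc( ((size_t) length) + 1);
+			strncpy(uri,(char *) data, (size_t) length);
+
+			lib3270_autoptr(char) unescaped = lib3270_unescape(uri);
+			lib3270_string_array_append(uris,unescaped);
+		}
 
 	}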
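Review bot: In the `@@ -79,7 +80,13 @@` hunk the new `uri` buffer is filled with `strncpy()` for exactly `length` bytes, so the extra byte reserved by `lib3270_malloc(length + 1)` is a terminator only if that allocator zero-fills, which the hunk does not show; otherwise `lib3270_unescape(uri)` reads past the end of the allocation. `memcpy(uri,(char *) data,(size_t) length); uri[length] = 0;` makes the termination explicit regardless of the allocator. `data` is taken from the peer certificate's distribution point, i.e. from the remote party, and if `lib3270_unescape()` can return NULL (not visible here) that value reaches `lib3270_string_array_append()` unchecked; a comment such as `// Distribution point URI comes from the peer certificate: copy, NUL-terminate and unescape before storing.` would record the contract. The enclosing `lib3270_openssl_get_crls_from_peer` starts before the hunk.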
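--- a/src/network_modules/openssl/start.c
+++ b/src/network_modules/openssl/start.c
@@ -104,25 +104,26 @@
 
 	if(X509_STORE_add_crl(store, x509_crl)) {
 		trace_ssl(hSession,"CRL was added to context cert store\n");
-	} else {
-		trace_ssl(hSession,"CRL was not added to context cert store\n");
+		return 0;
 	}
 
-	return 0;
+	trace_ssl(hSession,"CRL was not added to context cert store\n");
+
+	return -1;
 
 }
 
-static void download_crl_from_peer(H3270 *hSession, SSL_CTX * ctx_context, LIB3270_NET_CONTEXT * context, X509 *peer) {
+static int download_crl_from_peer(H3270 *hSession, SSL_CTX * ctx_context, LIB3270_NET_CONTEXT * context, X509 *peer) {
 
 	debug("%s peer=%p",__FUNCTION__,(void *) peer);
 
 	if(!peer)
-		return;
+		return -1;
 
 	lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_openssl_get_crls_from_peer(hSession, peer);
 	if(!uris) {
 		trace_ssl(hSession,"Can't get distpoints from peer certificate\n");
-		return;
+		return -1;
 	}
 
 	size_t ix;
@@ -135,11 +136,11 @@
 
 		if(!import_crl(hSession,ctx_context,context,uris->str[ix])) {
 			trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
-			return;
+			return 0;
 		}
 
 	}
-	return;
+	return -1;
 
 }
 
@@ -153,12 +154,9 @@
 		if(strncasecmp(prefer,uris->str[ix],length))
 			continue;
 
-		lib3270_autoptr(char) url = lib3270_unescape(uris->str[ix]);
-		debug("Trying %s",url);
-
-		if(!import_crl(hSession,ctx_context,context,url)) {
-			trace_ssl(hSession,"Got CRL from %s\n",url);
-			return;
+		if(!import_crl(hSession,ctx_context,context,uris->str[ix])) {
+			trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+			return 0;
 		}
 
 	}
@@ -171,13 +169,34 @@
 
 		if(!import_crl(hSession,ctx_context,context,uris->str[ix])) {
 			trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
-			return;
+			return 0;
 		}
 
 	}
 
+	return -1;
+
 }
 
+int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
+{
+	debug("%s(%d)",__FUNCTION__,ok);
+
+/*
+ 55 {
+ 56 if (!ok) {
+ 57 Category::getInstance("OpenSSL").error(
+ 58 "path validation failure at depth(%d): %s",
+ 59 X509_STORE_CTX_get_error_depth(ctx),
+ 60 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))
+ 61 );
+ 62 }
+ 63 return ok;
+ 64 }
+*/
+	return ok;
+}
+
 int openssl_network_start_tls(H3270 *hSession) {
 
 	SSL_CTX * ctx_context = (SSL_CTX *) lib3270_openssl_get_context(hSession);
@@ -202,7 +221,8 @@
 
 	SSL_set_ex_data(context->con,lib3270_openssl_get_ex_index(hSession),(char *) hSession);
 	// SSL_set_verify(context->con, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
-	SSL_set_verify(context->con, 0, NULL);
+//	SSL_set_verify(context->con, SSL_VERIFY_PEER, NULL);
+	SSL_set_verify(context->con, SSL_VERIFY_NONE, NULL);
 
 	if(SSL_set_fd(context->con, context->sock) != 1)
 	{
@@ -298,13 +318,40 @@
 
 		// CRL download is enabled and verification has failed; look for CRL file.
 
+
 		trace_ssl(hSession,"CRL Validation has failed, requesting CRL download\n");
 		set_ssl_state(hSession,LIB3270_SSL_VERIFYING);
 
+		int rc_download = -1;
+
 		if(context->crl.url) {
-			import_crl(hSession, ctx_context,context,context->crl.url);
+			rc_download = import_crl(hSession, ctx_context,context,context->crl.url);
 		} else {
-			download_crl_from_peer(hSession, ctx_context, context, peer);
+			rc_download = download_crl_from_peer(hSession, ctx_context, context, peer);
+		}
+
+		debug("Download rc=%d",rc_download);
+
+		if(!rc_download)
+		{
+			// Got CRL, verify it!
+			// Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
+
+			X509_STORE_CTX *csc = X509_STORE_CTX_new();
+			X509_STORE_CTX_set_verify_cb(csc, x509_store_ctx_error_callback);
+			X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ctx_context), peer, NULL);
+
+			if(X509_verify_cert(csc) != 1)
+				rv = X509_STORE_CTX_get_error(csc);
+			else
+				rv = X509_V_OK;
+
+			trace_ssl(hSession, "X509_verify_cert error code was %d\n", rv);
+
+			SSL_set_verify_result(context->con, rv);
+
+			X509_STORE_CTX_free(csc);
+
 		}
 
 	}
@@ -316,6 +363,7 @@
 
 	// Get validation message.
 	hSession->ssl.message = lib3270_openssl_message_from_id(verify_result);
+	debug("Verify message: %s",hSession->ssl.message->summary);
 
 	// Trace cypher
 	if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
@@ -334,7 +382,7 @@
 
 	// Check results.
 	if(hSession->ssl.message)
-		trace_ssl(hSession,"%s",hSession->ssl.message->summary);
+		trace_ssl(hSession,"%s\n",hSession->ssl.message->summary);
 	else
 		trace_ssl(hSession,"TLS/SSL verify result was %ld\n", verify_result);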
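Review bot: In the `if(!rc_download)` block of the `@@ -298,13 +318,40 @@` hunk, `X509_STORE_CTX_new()` is used without a NULL check and the return value of `X509_STORE_CTX_init()` is ignored, so an allocation failure dereferences NULL and an init failure goes on to `X509_verify_cert()` on an uninitialised context. OpenSSL's `X509_STORE_CTX_init()` also resets the context's verify callback from the store, so the `X509_STORE_CTX_set_verify_cb()` placed before it is most likely discarded, and the NULL chain argument leaves out the intermediates the peer sent, which can fail verification of an otherwise valid chain; the rewrite below checks both calls, sets the callback after init and passes `SSL_get_peer_cert_chain(context->con)`. Because the `@@ -202,7 +221,8 @@` hunk switches the connection to `SSL_VERIFY_NONE`, this manual re-check and the `verify_result` handling outside the hunk are now the only places the peer certificate is validated, which deserves a comment at the `SSL_set_verify` line such as `// Peer verification is done manually after the handshake (see CRL handling below).`. `x509_store_ctx_error_callback` is non-static and carries a commented-out C++ snippet; making it `static` and dropping the dead block would be cleaner. `openssl_network_start_tls` begins and ends outside the hunk, and the declaration of `rv` is not visible here.
```c
// … unchanged: CRL download and rc_download check …
X509_STORE_CTX *csc = X509_STORE_CTX_new();
if(!csc || X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ctx_context), peer, SSL_get_peer_cert_chain(context->con)) != 1)
{
	// No verification context: rv is left as set by the earlier verification.
	trace_ssl(hSession, "Can't initialize X509 store context for CRL re-check\n");
}
else
{
	// Set after init: X509_STORE_CTX_init() resets the callback from the store.
	X509_STORE_CTX_set_verify_cb(csc, x509_store_ctx_error_callback);

	if(X509_verify_cert(csc) != 1)
		rv = X509_STORE_CTX_get_error(csc);
	else
		rv = X509_V_OK;

	trace_ssl(hSession, "X509_verify_cert error code was %d\n", rv);

	SSL_set_verify_result(context->con, rv);
}

X509_STORE_CTX_free(csc); // NULL-safe
```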