Download as
Browse Code »

Commit 4df3e30abfe601bbfd366bcd79b835c4f9bc2ea8

Authored by Perry Werneck
1 parent ed91a6f4
Exists in master and in 3 other branches develop, macos, network_module

Organizing CRL check engine to avoid duplications.

Showing 13 changed files with 383 additions and 284 deletions   Show diff stats
configure.ac
  Diff comments   View file @4df3e30
... ... @@ -388,10 +388,10 @@ if test "$app_cv_enable_crl_check" == "yes"; then
388 388 AC_DEFINE(SSL_ENABLE_CRL_CHECK)
389 389 fi
390 390  
391   -AC_ARG_WITH([default-crl-url],
392   - [AS_HELP_STRING([--with-default-crl-url], [Set lib3270 default crl url])],
  391 +AC_ARG_WITH([crl-url],
  392 + [AS_HELP_STRING([--with-crl-url], [Set a hardcoded URL for CRL download])],
393 393 [
394   - AC_DEFINE_UNQUOTED(SSL_DEFAULT_CRL_URL,"$withval")
  394 + AC_DEFINE_UNQUOTED(SSL_CRL_URL,"$withval")
395 395 ],[
396 396 AC_MSG_NOTICE(No default crl url)
397 397 ])
... ...
lib3270.cbp
  Diff comments   View file @4df3e30
... ... @@ -232,6 +232,7 @@
232 232 <Unit filename="src/include/cg.h" />
233 233 <Unit filename="src/include/config.h" />
234 234 <Unit filename="src/include/config.h.in" />
  235 + <Unit filename="src/include/crl.h" />
235 236 <Unit filename="src/include/ctlrc.h" />
236 237 <Unit filename="src/include/ft_cut_ds.h" />
237 238 <Unit filename="src/include/ft_cutc.h" />
... ... @@ -304,6 +305,7 @@
304 305 <Unit filename="src/ssl/crl.c">
305 306 <Option compilerVar="CC" />
306 307 </Unit>
  308 + <Unit filename="src/ssl/crl.h" />
307 309 <Unit filename="src/ssl/linux/curl.c">
308 310 <Option compilerVar="CC" />
309 311 </Unit>
... ... @@ -320,6 +322,10 @@
320 322 <Unit filename="src/ssl/negotiate.c">
321 323 <Option compilerVar="CC" />
322 324 </Unit>
  325 + <Unit filename="src/ssl/notify.c">
  326 + <Option compilerVar="CC" />
  327 + </Unit>
  328 + <Unit filename="src/ssl/private.h" />
323 329 <Unit filename="src/ssl/properties.c">
324 330 <Option compilerVar="CC" />
325 331 </Unit>
... ...
src/core/connect.c
  Diff comments   View file @4df3e30
... ... @@ -36,9 +36,7 @@
36 36 #include <lib3270/toggle.h>
37 37 #include <trace_dsc.h>
38 38  
39   -#if defined(HAVE_LIBSSL)
40   - #include <openssl/err.h>
41   -#endif
  39 +#include "../ssl/crl.h"
42 40  
43 41 /*---[ Implement ]-------------------------------------------------------------------------------*/
44 42  
... ... @@ -55,104 +53,22 @@
55 53  
56 54 }
57 55  
58   -static int background_ssl_crl_get(H3270 *hSession, void *ssl_error)
59   -{
60   - if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error)) {
61   - return -1;
62   - }
63   -
64   - // Do I have X509 CRL?
65   - if(hSession->ssl.crl.cert)
66   - {
67   - // Ok, have it. Is it valid?
68   -
69   - // https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
70   - // X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
71   - #if OPENSSL_VERSION_NUMBER < 0x10100000L
72   - const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
73   - #else
74   - const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
75   - #endif
76   -
77   - if(X509_cmp_current_time(next_update) == 1)
78   - {
79   - int day, sec;
80   - if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
81   - {
82   - trace_ssl(hSession,"CRL Certificate is valid for %d day(s) and %d second(s)\n",day,sec);
83   - return 0;
84   - }
85   - else
86   - {
87   - trace_ssl(hSession,"Can't get CRL next update, releasing it\n");
88   - }
89   -
90   - }
91   - else
92   - {
93   - trace_ssl(hSession,"CRL Certificate is no longer valid\n");
94   - }
95   -
96   - // Certificate is no longer valid, release it.
97   - X509_CRL_free(hSession->ssl.crl.cert);
98   - hSession->ssl.crl.cert = NULL;
99   -
100   - }
101   -
102   - //
103   - // Get CRL
104   - //
105   - // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
106   - //
107   - return lib3270_get_crl_from_url(hSession, ssl_error, lib3270_get_crl_url(hSession));
108   -
109   -}
110   -
111   -#ifdef SSL_ENABLE_CRL_CHECK
112   -static int notify_crl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message)
113   -{
114   - lib3270_write_log(
115   - hSession,
116   - "SSL-CRL-GET",
117   - "CRL GET error: %s (rc=%d ssl_error=%d)",
118   - message->title,
119   - rc,
120   - message->error
121   - );
122   -
123   - if(message->description)
124   - {
125   - if(popup_ssl_error(hSession,rc,message->title,message->text,message->description))
126   - return rc;
127   - }
128   -#ifdef _WIN32
129   - else if(message->lasterror)
130   - {
131   - lib3270_autoptr(char) windows_error = lib3270_win32_translate_error_code(message->lasterror);
132   - lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "Windows error was \"%s\" (%u)" ), windows_error,(unsigned int) message->lasterror);
133 56  
134   - if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
135   - return rc;
  57 +#if defined(HAVE_LIBSSL)
136 58  
137   - }
138   -#endif // WIN32
139   - else if(message->error)
140   - {
141   - lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "%s (SSL error %d)" ),ERR_reason_error_string(message->error),message->error);
142   - lib3270_write_log(hSession,"SSL-CRL-GET","%s",formatted_error);
  59 + static int background_ssl_init(H3270 *hSession, void *ssl_error)
  60 + {
  61 + if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error))
  62 + return -1;
143 63  
144   - if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
145   - return rc;
146   - }
147   - else
148   - {
149   - if(popup_ssl_error(hSession,rc,message->title,message->text,""))
150   - return rc;
151   - }
  64 +#if defined(SSL_ENABLE_CRL_CHECK)
  65 + lib3270_crl_free_if_expired(hSession);
  66 +#endif // defined(SSL_ENABLE_CRL_CHECK)
152 67  
153 68 return 0;
154   -}
155   -#endif // SSL_ENABLE_CRL_CHECK
  69 + }
  70 +
  71 +#endif // HAVE_LIBSSL
156 72  
157 73 int lib3270_reconnect(H3270 *hSession, int seconds)
158 74 {
... ... @@ -186,24 +102,20 @@ static int notify_crl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *me
186 102 }
187 103 }
188 104  
189   -#ifdef SSL_ENABLE_CRL_CHECK
190   -
191   - SSL_ERROR_MESSAGE ssl_error;
192   - memset(&ssl_error,0,sizeof(ssl_error));
193   -
194   - set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
195   - int rc = lib3270_run_task(hSession, background_ssl_crl_get, &ssl_error);
196   -
197   - debug("CRL check returns %d",rc);
  105 +#if defined(HAVE_LIBSSL)
  106 + {
  107 + SSL_ERROR_MESSAGE ssl_error;
  108 + memset(&ssl_error,0,sizeof(ssl_error));
198 109  
199   - if(rc && notify_crl_error(hSession, rc,&ssl_error))
200   - return errno = rc;
  110 + set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
  111 + int rc = lib3270_run_task(hSession, background_ssl_init, &ssl_error);
201 112  
202   -#endif // SSL_ENABLE_CRL_CHECK
  113 + if(rc && notify_ssl_error(hSession, rc, &ssl_error))
  114 + return errno = rc;
203 115  
204   -#if defined(HAVE_LIBSSL)
205   - set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
206   - hSession->ssl.host = 0;
  116 + set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
  117 + hSession->ssl.host = 0;
  118 + }
207 119 #endif // HAVE_LIBSSL
208 120  
209 121 snprintf(hSession->full_model_name,LIB3270_FULL_MODEL_NAME_LENGTH,"IBM-327%c-%d",hSession->m3279 ? '9' : '8', hSession->model_num);
... ...
src/core/session.c
  Diff comments   View file @4df3e30
... ... @@ -44,6 +44,7 @@
44 44 #include "kybdc.h"
45 45 #include "3270ds.h"
46 46 #include "popupsc.h"
  47 +#include "../ssl/crl.h"
47 48 #include <lib3270/trace.h>
48 49 #include <lib3270/log.h>
49 50  
... ... @@ -88,11 +89,7 @@ void lib3270_session_free(H3270 *h)
88 89 h->ssl.crl.prefer = NULL;
89 90 }
90 91  
91   - if(h->ssl.crl.cert)
92   - {
93   - X509_CRL_free(h->ssl.crl.cert);
94   - h->ssl.crl.cert = NULL;
95   - }
  92 + lib3270_crl_free(h);
96 93 #endif // SSL_ENABLE_CRL_CHECK
97 94  
98 95 // Release state change callbacks
... ...
src/include/config.h.in
  Diff comments   View file @4df3e30
... ... @@ -72,7 +72,7 @@
72 72 #undef SSL_ENABLE_NOTIFICATION_WHEN_FAILED
73 73  
74 74 /* If defined uses a hardcoded CRL path */
75   - #undef SSL_DEFAULT_CRL_URL
  75 + #undef SSL_CRL_URL
76 76  
77 77 /* Optional parts. */
78 78 #undef X3270_DBCS
... ...
src/include/lib3270-internals.h
  Diff comments   View file @4df3e30
... ... @@ -849,11 +849,11 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);
849 849 */
850 850 LIB3270_INTERNAL int popup_ssl_error(H3270 *session, int rc, const char *title, const char *summary, const char *body);
851 851  
852   - #ifdef SSL_ENABLE_CRL_CHECK
853   - LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
854   - LIB3270_INTERNAL int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url);
855   - LIB3270_INTERNAL int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error);
856   - #endif // SSL_ENABLE_CRL_CHECK
  852 + /**
  853 + * @brief Emite popup on SSL error.
  854 + *
  855 + */
  856 + LIB3270_INTERNAL int notify_ssl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message);
857 857  
858 858 #endif
859 859  
... ...
src/ssl/crl.c
  Diff comments   View file @4df3e30
... ... @@ -28,46 +28,92 @@
28 28 */
29 29  
30 30 #include <config.h>
  31 +
31 32 #include <lib3270-internals.h>
32   -#include <lib3270.h>
33 33 #include <lib3270/log.h>
  34 +#include <lib3270/trace.h>
  35 +#include <lib3270/toggle.h>
34 36 #include <trace_dsc.h>
35   -#include <array.h>
36 37  
37   -#ifdef HAVE_LIBSSL
38   - #include <openssl/ssl.h>
39   - #include <openssl/err.h>
40   -#endif // HAVE_LIBSSL
  38 +#include "crl.h"
41 39  
42 40 /*--[ Implement ]------------------------------------------------------------------------------------*/
43 41  
44   -#ifdef SSL_ENABLE_CRL_CHECK
45   -int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url)
46   -{
47   -
48   - if(!(url && *url))
49   - return -1;
  42 +#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
50 43  
51   - // Invalidate current certificate.
  44 +void lib3270_crl_free(H3270 *hSession)
  45 +{
52 46 if(hSession->ssl.crl.cert)
53 47 {
54   - trace_ssl(hSession,"%s\n","Discarding current CRL");
55 48 X509_CRL_free(hSession->ssl.crl.cert);
56 49 hSession->ssl.crl.cert = NULL;
57 50 }
58 51  
  52 +}
  53 +
  54 +void lib3270_crl_free_if_expired(H3270 *hSession)
  55 +{
  56 + if(!hSession->ssl.crl.cert)
  57 + return;
  58 +
  59 + // https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
  60 + // X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
  61 + #if OPENSSL_VERSION_NUMBER < 0x10100000L
  62 + const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
  63 + #else
  64 + const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
  65 + #endif
  66 +
  67 + if(X509_cmp_current_time(next_update) == 1)
  68 + {
  69 + int day, sec;
  70 + if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
  71 + {
  72 + trace_ssl(hSession,"CRL is valid for %d day(s) and %d second(s)\n",day,sec);
  73 + return;
  74 + }
  75 +
  76 + trace_ssl(hSession,"Can't get CRL next update, discarding it\n");
  77 +
  78 + }
  79 + else
  80 + {
  81 + trace_ssl(hSession,"CRL is no longer valid\n");
  82 + }
  83 +
  84 + // Certificate is no longer valid, release it.
  85 + X509_CRL_free(hSession->ssl.crl.cert);
  86 + hSession->ssl.crl.cert = NULL;
  87 +
  88 +}
  89 +
  90 +int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url)
  91 +{
  92 + if(!(url && *url))
  93 + return -1;
  94 +
  95 + lib3270_crl_free(hSession); // Just in case!
  96 +
59 97 //
60 98 // Get the new CRL
61 99 //
62 100 // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
63 101 //
64   - trace_ssl(hSession,"Getting new CRL from %s\n",url);
  102 + trace_ssl(hSession,"Getting CRL from %s\n",url);
65 103  
66   - hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,url);
  104 + hSession->ssl.crl.cert = lib3270_download_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error, url);
67 105  
68 106 if(hSession->ssl.crl.cert)
69 107 {
70   - // Got CRL, add it to ssl store
  108 + // Got CRL!
  109 +
  110 + // Update URL
  111 + if(hSession->ssl.crl.url)
  112 + lib3270_free(hSession->ssl.crl.url);
  113 +
  114 + hSession->ssl.crl.url = lib3270_strdup(url);
  115 +
  116 + // Add it to ssl store
71 117 if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
72 118 {
73 119 lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
... ... @@ -94,95 +140,5 @@ int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url)
94 140 return -1;
95 141  
96 142 }
97   -#endif // SSL_ENABLE_CRL_CHECK
98   -
99   -#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
100   -int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error)
101   -{
102   - size_t ix;
103   - int i, gtype;
104   - lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_string_array_new();
105   -
106   - // https://nougat.cablelabs.com/DLNA-RUI/openssl/commit/57912ed329f870b237f2fd9f2de8dec3477d1729
107   -
108   - for(ix = 0; ix < (size_t) sk_DIST_POINT_num(dist_points); ix++) {
109 143  
110   - DIST_POINT *dp = sk_DIST_POINT_value(dist_points, ix);
111   -
112   - if(!dp->distpoint || dp->distpoint->type != 0)
113   - continue;
114   -
115   - GENERAL_NAMES *gens = dp->distpoint->name.fullname;
116   -
117   - for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
118   - {
119   - GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
120   - ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &gtype);
121   - if(uri)
122   - {
123   -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) // OpenSSL 1.1.0+
124   - const unsigned char * data = ASN1_STRING_get0_data(uri);
125   -#else
126   - const unsigned char * data = ASN1_STRING_data(uri); // ASN1_STRING_get0_data(uri);
127   -#endif // OpenSSL 1.1.0+
128   - if(data)
129   - {
130   - lib3270_string_array_append(uris,(char *) data);
131   - }
132   - }
133   -
134   - }
135   -
136   - }
137   -
138   -#ifdef DEBUG
139   - {
140   - for(ix = 0; ix < uris->length; ix++)
141   - {
142   - debug("%u: %s", (unsigned int) ix, uris->str[ix]);
143   - }
144   - }
145   -#endif // DEBUG
146   -
147   - if(hSession->ssl.crl.url)
148   - {
149   - // Check if we already have the URL.
150   - if(!strcmp(hSession->ssl.crl.url,uris->str[ix]))
151   - {
152   - trace_ssl(hSession,"Keeping CRL from %s\n",hSession->ssl.crl.url);
153   - return 0;
154   - }
155   -
156   - // The URL is invalid or not to this cert, remove it!
157   - lib3270_free(hSession->ssl.crl.url);
158   - hSession->ssl.crl.url = NULL;
159   - }
160   -
161   - if(hSession->ssl.crl.prefer && *hSession->ssl.crl.prefer)
162   - {
163   - size_t length = strlen(hSession->ssl.crl.prefer);
164   -
165   - for(ix = 0; ix < uris->length; ix++)
166   - {
167   - if(!strncmp(uris->str[ix],hSession->ssl.crl.prefer,length))
168   - {
169   - trace_ssl(hSession,"Trying preferred URL %s\n",uris->str[ix]);
170   - if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
171   - return 0;
172   - }
173   -
174   - }
175   -
176   - }
177   -
178   - // Can't load, try all of them.
179   - for(ix = 0; ix < uris->length; ix++)
180   - {
181   - trace_ssl(hSession,"Trying CRL from %s\n",uris->str[ix]);
182   - if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
183   - return 0;
184   - }
185   -
186   - return -1;
187   -}
188   -#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
  144 +#endif // SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL
... ...
src/ssl/crl.h 0 → 100644
  Diff comments   View file @4df3e30
... ... @@ -0,0 +1,60 @@
  1 +/*
  2 + * "Software G3270, desenvolvido com base nos códigos fontes do WC3270 e X3270
  3 + * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a
  4 + * aplicativos mainframe. Registro no INPI sob o nome G3270.
  5 + *
  6 + * Copyright (C) <2008> <Banco do Brasil S.A.>
  7 + *
  8 + * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob
  9 + * os termos da GPL v.2 - Licença Pública Geral ', conforme publicado pela
  10 + * Free Software Foundation.
  11 + *
  12 + * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER
  13 + * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO
  14 + * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para
  15 + * obter mais detalhes.
  16 + *
  17 + * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este
  18 + * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin
  19 + * St, Fifth Floor, Boston, MA 02110-1301 USA
  20 + *
  21 + * Este programa está nomeado como private.h e possui - linhas de código.
  22 + *
  23 + * Contatos:
  24 + *
  25 + * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck)
  26 + * erico.mendonca@gmail.com (Erico Mascarenhas de Mendonça)
  27 + *
  28 + */
  29 +
  30 +#ifdef WIN32
  31 + #include <winsock2.h>
  32 + #include <windows.h>
  33 +#endif // WIN32
  34 +
  35 +#include <config.h> /* autoconf settings */
  36 +#include <lib3270.h> /* lib3270 API calls and defs */
  37 +
  38 +#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
  39 +
  40 + #include <openssl/ssl.h>
  41 + #include <openssl/err.h>
  42 +
  43 + /// @brief Unconditional release of the session CRL.
  44 + LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession);
  45 +
  46 + /// @brief Release CRL if expired.
  47 + LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession);
  48 +
  49 + /// @brief Load CRL from URL.
  50 + LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url);
  51 +
  52 +
  53 + LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
  54 +// LIB3270_INTERNAL int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url);
  55 +// LIB3270_INTERNAL int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error);
  56 +
  57 +#endif // SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL
  58 +
  59 +
  60 +
... ...
src/ssl/linux/getcrl.c
  Diff comments   View file @4df3e30
... ... @@ -45,7 +45,7 @@ static inline void lib3270_autoptr_cleanup_FILE(FILE **file)
45 45 fclose(*file);
46 46 }
47 47  
48   -LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl)
  48 +LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl)
49 49 {
50 50 X509_CRL * x509_crl = NULL;
51 51  
... ...
src/ssl/linux/init.c
  Diff comments   View file @4df3e30
... ... @@ -106,6 +106,7 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
106 106 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
107 107 X509_STORE_set1_param(store, param);
108 108 X509_VERIFY_PARAM_free(param);
  109 +
109 110 trace_ssl(hSession,"CRL CHECK was enabled\n");
110 111  
111 112 #endif // SSL_ENABLE_CRL_CHECK
... ...
src/ssl/negotiate.c
  Diff comments   View file @4df3e30
... ... @@ -48,6 +48,8 @@
48 48 #define SSL_ST_OK 3
49 49 #endif // !SSL_ST_OK
50 50  
  51 + #include "crl.h"
  52 +
51 53 #endif
52 54  
53 55 #include <errno.h>
... ... @@ -133,7 +135,7 @@ static int background_ssl_init(H3270 *hSession, void *message)
133 135 return 0;
134 136 }
135 137  
136   -#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
  138 +#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
137 139 int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
138 140 {
139 141 debug("%s(%d)",__FUNCTION__,ok);
... ... @@ -152,8 +154,26 @@ int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
152 154 */
153 155 return ok;
154 156 }
155   -#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
  157 +#endif // !SSL_CRL_URL && SSL_ENABLE_CRL_CHECK
156 158  
  159 +static int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
  160 +{
  161 + debug("%s(%d)",__FUNCTION__,ok);
  162 +
  163 +/*
  164 + 55 {
  165 + 56 if (!ok) {
  166 + 57 Category::getInstance("OpenSSL").error(
  167 + 58 "path validation failure at depth(%d): %s",
  168 + 59 X509_STORE_CTX_get_error_depth(ctx),
  169 + 60 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))
  170 + 61 );
  171 + 62 }
  172 + 63 return ok;
  173 + 64 }
  174 +*/
  175 + return ok;
  176 +}
157 177  
158 178 static int background_ssl_negotiation(H3270 *hSession, void *message)
159 179 {
... ... @@ -234,7 +254,21 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
234 254  
235 255 hSession->cbk.set_peer_certificate(peer);
236 256  
237   -#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
  257 +#ifdef SSL_CRL_URL
  258 +
  259 + // Load CRL from pre-defined URL
  260 + if(lib3270_crl_new_from_url(hSession, message, SSL_CRL_URL))
  261 + return EACCES;
  262 +
  263 +#endif // SSL_CRL_URL
  264 +
  265 + }
  266 +
  267 + /*
  268 + if(peer)
  269 + {
  270 +
  271 +#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
238 272 //
239 273 // No default CRL, try to download from the peer
240 274 //
... ... @@ -274,17 +308,60 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
274 308 // No CRL download, use the standard verification.
275 309 rv = SSL_get_verify_result(hSession->ssl.con);
276 310  
277   -#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
  311 +#endif // !SSL_CRL_URL && SSL_ENABLE_CRL_CHECK
278 312  
279 313 }
280 314 else
281 315 {
282 316 rv = SSL_get_verify_result(hSession->ssl.con);
283 317 }
  318 + */
  319 +
  320 + if(SSL_get_verify_result(hSession->ssl.con) == X509_V_ERR_UNABLE_TO_GET_CRL && hSession->ssl.crl.cert)
  321 + {
  322 + // Verify CRL
  323 + //
  324 + // References:
  325 + //
  326 + // http://www.zedwood.com/article/cpp-check-crl-for-revocation
  327 + //
284 328  
  329 + trace_ssl(hSession,"Doing CRL check using %s\n",hSession->ssl.crl.url);
285 330  
286   - // Validate certificate.
  331 + // Got CRL, verify it!
  332 + // Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
  333 + X509_STORE_CTX *csc = X509_STORE_CTX_new();
  334 + X509_STORE_CTX_set_verify_cb(csc, x509_store_ctx_error_callback);
  335 + X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, NULL);
  336 +
  337 +/*
  338 +#ifdef SSL_ENABLE_CRL_CHECK
  339 + // Enable CRL check
  340 + X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
  341 + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
  342 + X509_STORE_CTX_set0_param(csc, param);
  343 +#endif // SSL_ENABLE_CRL_CHECK
  344 +*/
  345 +
  346 + if(X509_verify_cert(csc) != 1)
  347 + rv = X509_STORE_CTX_get_error(csc);
  348 + else
  349 + rv = X509_V_OK;
  350 +
  351 + debug("CRL Check response was %d", rv);
  352 +
  353 + SSL_set_verify_result(hSession->ssl.con, rv);
  354 +
  355 + X509_STORE_CTX_free(csc);
287 356  
  357 +#ifdef SSL_ENABLE_CRL_CHECK
  358 +// X509_VERIFY_PARAM_free(param);
  359 +#endif // SSL_ENABLE_CRL_CHECK
  360 +
  361 + }
  362 +
  363 + // Check validation state.
  364 + rv = SSL_get_verify_result(hSession->ssl.con);
288 365 debug("SSL Verify result was %d", rv);
289 366 const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
290 367  
... ... @@ -526,45 +603,3 @@ void ssl_info_callback(INFO_CONST SSL *s, int where, int ret)
526 603  
527 604 #endif /*]*/
528 605  
529   -int popup_ssl_error(H3270 GNUC_UNUSED(*hSession), int rc, const char GNUC_UNUSED(*title), const char *summary, const char *body)
530   -{
531   -#ifdef _WIN32
532   -
533   - lib3270_autoptr(char) rcMessage = lib3270_strdup_printf("The error code was %d",rc);
534   -
535   - const char *outMsg[] = {
536   - title,
537   - summary,
538   - (body ? body : ""),
539   - rcMessage
540   - };
541   -
542   - ReportEvent(
543   - hEventLog,
544   - EVENTLOG_ERROR_TYPE,
545   - 1,
546   - 0,
547   - NULL,
548   - (sizeof(outMsg)/sizeof(outMsg[0])),
549   - 0,
550   - outMsg,
551   - NULL
552   - );
553   -
554   -#else
555   -
556   - lib3270_write_log(hSession, "SSL", "%s %s (rc=%d)", summary, (body ? body : ""), rc);
557   -
558   -#endif // _WIN32
559   -
560   -#ifdef SSL_ENABLE_NOTIFICATION_WHEN_FAILED
561   -
562   - return hSession->cbk.popup_ssl_error(hSession,rc,title,summary,body);
563   -
564   -#else
565   -
566   - return 0;
567   -
568   -#endif // SSL_ENABLE_NOTIFICATION_WHEN_FAILED
569   -
570   -}
... ...
src/ssl/notify.c 0 → 100644
  Diff comments   View file @4df3e30
... ... @@ -0,0 +1,132 @@
  1 +/*
  2 + * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270 e X3270
  3 + * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a
  4 + * aplicativos mainframe. Registro no INPI sob o nome G3270.
  5 + *
  6 + * Copyright (C) <2008> <Banco do Brasil S.A.>
  7 + *
  8 + * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob
  9 + * os termos da GPL v.2 - Licença Pública Geral GNU, conforme publicado pela
  10 + * Free Software Foundation.
  11 + *
  12 + * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER
  13 + * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO
  14 + * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para
  15 + * obter mais detalhes.
  16 + *
  17 + * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este
  18 + * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin
  19 + * St, Fifth Floor, Boston, MA 02110-1301 USA
  20 + *
  21 + * Este programa está nomeado como - e possui - linhas de código.
  22 + *
  23 + * Contatos:
  24 + *
  25 + * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck)
  26 + * erico.mendonca@gmail.com (Erico Mascarenhas Mendonça)
  27 + *
  28 + *
  29 + * References:
  30 + *
  31 + * http://www.openssl.org/docs/ssl/
  32 + *
  33 + */
  34 +
  35 +
  36 +#include <config.h>
  37 +#include <lib3270-internals.h>
  38 +#include <lib3270/log.h>
  39 +
  40 +/*--[ Implement ]------------------------------------------------------------------------------------*/
  41 +
  42 +#if defined(HAVE_LIBSSL)
  43 +
  44 +#include <openssl/err.h>
  45 +
  46 +int popup_ssl_error(H3270 GNUC_UNUSED(*hSession), int rc, const char GNUC_UNUSED(*title), const char *summary, const char *body)
  47 +{
  48 +#ifdef _WIN32
  49 +
  50 + lib3270_autoptr(char) rcMessage = lib3270_strdup_printf("The error code was %d",rc);
  51 +
  52 + const char *outMsg[] = {
  53 + title,
  54 + summary,
  55 + (body ? body : ""),
  56 + rcMessage
  57 + };
  58 +
  59 + ReportEvent(
  60 + hEventLog,
  61 + EVENTLOG_ERROR_TYPE,
  62 + 1,
  63 + 0,
  64 + NULL,
  65 + (sizeof(outMsg)/sizeof(outMsg[0])),
  66 + 0,
  67 + outMsg,
  68 + NULL
  69 + );
  70 +
  71 +#else
  72 +
  73 + lib3270_write_log(hSession, "SSL", "%s %s (rc=%d)", summary, (body ? body : ""), rc);
  74 +
  75 +#endif // _WIN32
  76 +
  77 +#ifdef SSL_ENABLE_NOTIFICATION_WHEN_FAILED
  78 +
  79 + return hSession->cbk.popup_ssl_error(hSession,rc,title,summary,body);
  80 +
  81 +#else
  82 +
  83 + return 0;
  84 +
  85 +#endif // SSL_ENABLE_NOTIFICATION_WHEN_FAILED
  86 +}
  87 +
  88 +int notify_ssl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message)
  89 +{
  90 + lib3270_write_log(
  91 + hSession,
  92 + "SSL-CRL-GET",
  93 + "CRL GET error: %s (rc=%d ssl_error=%d)",
  94 + message->title,
  95 + rc,
  96 + message->error
  97 + );
  98 +
  99 + if(message->description)
  100 + {
  101 + if(popup_ssl_error(hSession,rc,message->title,message->text,message->description))
  102 + return rc;
  103 + }
  104 +#ifdef _WIN32
  105 + else if(message->lasterror)
  106 + {
  107 + lib3270_autoptr(char) windows_error = lib3270_win32_translate_error_code(message->lasterror);
  108 + lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "Windows error was \"%s\" (%u)" ), windows_error,(unsigned int) message->lasterror);
  109 +
  110 + if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
  111 + return rc;
  112 +
  113 + }
  114 +#endif // WIN32
  115 + else if(message->error)
  116 + {
  117 + lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "%s (SSL error %d)" ),ERR_reason_error_string(message->error),message->error);
  118 + lib3270_write_log(hSession,"SSL-CRL-GET","%s",formatted_error);
  119 +
  120 + if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
  121 + return rc;
  122 + }
  123 + else
  124 + {
  125 + if(popup_ssl_error(hSession,rc,message->title,message->text,""))
  126 + return rc;
  127 + }
  128 +
  129 + return 0;
  130 +}
  131 +
  132 +#endif // defined(HAVE_LIBSSL)
... ...
src/ssl/properties.c
  Diff comments   View file @4df3e30
... ... @@ -124,11 +124,11 @@ LIB3270_EXPORT char * lib3270_get_ssl_peer_certificate_text(const H3270 *hSessio
124 124 if(hSession->ssl.crl.url)
125 125 return hSession->ssl.crl.url;
126 126  
127   -#ifdef SSL_DEFAULT_CRL_URL
128   - return SSL_DEFAULT_CRL_URL;
  127 +#ifdef SSL_CRL_URL
  128 + return SSL_CRL_URL;
129 129 #else
130 130 return getenv("LIB3270_DEFAULT_CRL");
131   -#endif // SSL_DEFAULT_CRL_URL
  131 +#endif // SSL_CRL_URL
132 132  
133 133 #else
134 134 errno = ENOTSUP;
... ...