diff --git a/configure.ac b/configure.ac
index 4bb2e74..6598523 100644
--- a/configure.ac
+++ b/configure.ac
@@ -388,10 +388,10 @@ if test "$app_cv_enable_crl_check" == "yes"; then
AC_DEFINE(SSL_ENABLE_CRL_CHECK)
fi
-AC_ARG_WITH([default-crl-url],
- [AS_HELP_STRING([--with-default-crl-url], [Set lib3270 default crl url])],
+AC_ARG_WITH([crl-url],
+ [AS_HELP_STRING([--with-crl-url], [Set a hardcoded URL for CRL download])],
[
- AC_DEFINE_UNQUOTED(SSL_DEFAULT_CRL_URL,"$withval")
+ AC_DEFINE_UNQUOTED(SSL_CRL_URL,"$withval")
],[
AC_MSG_NOTICE(No default crl url)
])
diff --git a/lib3270.cbp b/lib3270.cbp
index a99e29a..71a6dec 100644
--- a/lib3270.cbp
+++ b/lib3270.cbp
@@ -232,6 +232,7 @@
+
@@ -304,6 +305,7 @@
+
@@ -320,6 +322,10 @@
+
+
+
+
diff --git a/src/core/connect.c b/src/core/connect.c
index 40d3745..d8c5383 100644
--- a/src/core/connect.c
+++ b/src/core/connect.c
@@ -36,9 +36,7 @@
#include
#include
-#if defined(HAVE_LIBSSL)
- #include
-#endif
+#include "../ssl/crl.h"
/*---[ Implement ]-------------------------------------------------------------------------------*/
@@ -55,104 +53,22 @@
}
-static int background_ssl_crl_get(H3270 *hSession, void *ssl_error)
-{
- if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error)) {
- return -1;
- }
-
- // Do I have X509 CRL?
- if(hSession->ssl.crl.cert)
- {
- // Ok, have it. Is it valid?
-
- // https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
- // X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
- #else
- const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
- #endif
-
- if(X509_cmp_current_time(next_update) == 1)
- {
- int day, sec;
- if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
- {
- trace_ssl(hSession,"CRL Certificate is valid for %d day(s) and %d second(s)\n",day,sec);
- return 0;
- }
- else
- {
- trace_ssl(hSession,"Can't get CRL next update, releasing it\n");
- }
-
- }
- else
- {
- trace_ssl(hSession,"CRL Certificate is no longer valid\n");
- }
-
- // Certificate is no longer valid, release it.
- X509_CRL_free(hSession->ssl.crl.cert);
- hSession->ssl.crl.cert = NULL;
-
- }
-
- //
- // Get CRL
- //
- // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
- //
- return lib3270_get_crl_from_url(hSession, ssl_error, lib3270_get_crl_url(hSession));
-
-}
-
-#ifdef SSL_ENABLE_CRL_CHECK
-static int notify_crl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message)
-{
- lib3270_write_log(
- hSession,
- "SSL-CRL-GET",
- "CRL GET error: %s (rc=%d ssl_error=%d)",
- message->title,
- rc,
- message->error
- );
-
- if(message->description)
- {
- if(popup_ssl_error(hSession,rc,message->title,message->text,message->description))
- return rc;
- }
-#ifdef _WIN32
- else if(message->lasterror)
- {
- lib3270_autoptr(char) windows_error = lib3270_win32_translate_error_code(message->lasterror);
- lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "Windows error was \"%s\" (%u)" ), windows_error,(unsigned int) message->lasterror);
- if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
- return rc;
+#if defined(HAVE_LIBSSL)
- }
-#endif // WIN32
- else if(message->error)
- {
- lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "%s (SSL error %d)" ),ERR_reason_error_string(message->error),message->error);
- lib3270_write_log(hSession,"SSL-CRL-GET","%s",formatted_error);
+ static int background_ssl_init(H3270 *hSession, void *ssl_error)
+ {
+ if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error))
+ return -1;
- if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
- return rc;
- }
- else
- {
- if(popup_ssl_error(hSession,rc,message->title,message->text,""))
- return rc;
- }
+#if defined(SSL_ENABLE_CRL_CHECK)
+ lib3270_crl_free_if_expired(hSession);
+#endif // defined(SSL_ENABLE_CRL_CHECK)
return 0;
-}
-#endif // SSL_ENABLE_CRL_CHECK
+ }
+
+#endif // HAVE_LIBSSL
int lib3270_reconnect(H3270 *hSession, int seconds)
{
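Review bot: The new static helper introduced in this hunk is named `background_ssl_init`, which is also the name of an unrelated static function in negotiate.c (visible in that file's hunk header, `static int background_ssl_init(H3270 *hSession, void *message)`). Both are file-local so there is no link-time clash, but two same-named functions with different bodies in one library make stack traces, logs and grep results ambiguous; a name such as `background_ssl_ctx_init` would remove the ambiguity. The helper also has no comment; one line such as `// Run through lib3270_run_task: initialise the SSL context and drop a cached CRL whose nextUpdate has passed.` states what the two calls in its body do.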
@@ -186,24 +102,20 @@ static int notify_crl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *me
}
}
-#ifdef SSL_ENABLE_CRL_CHECK
-
- SSL_ERROR_MESSAGE ssl_error;
- memset(&ssl_error,0,sizeof(ssl_error));
-
- set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
- int rc = lib3270_run_task(hSession, background_ssl_crl_get, &ssl_error);
-
- debug("CRL check returns %d",rc);
+#if defined(HAVE_LIBSSL)
+ {
+ SSL_ERROR_MESSAGE ssl_error;
+ memset(&ssl_error,0,sizeof(ssl_error));
- if(rc && notify_crl_error(hSession, rc,&ssl_error))
- return errno = rc;
+ set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
+ int rc = lib3270_run_task(hSession, background_ssl_init, &ssl_error);
-#endif // SSL_ENABLE_CRL_CHECK
+ if(rc && notify_ssl_error(hSession, rc, &ssl_error))
+ return errno = rc;
-#if defined(HAVE_LIBSSL)
- set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
- hSession->ssl.host = 0;
+ set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
+ hSession->ssl.host = 0;
+ }
#endif // HAVE_LIBSSL
snprintf(hSession->full_model_name,LIB3270_FULL_MODEL_NAME_LENGTH,"IBM-327%c-%d",hSession->m3279 ? '9' : '8', hSession->model_num);
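Review bot: A failure of `ssl_ctx_init` is fatal here only when `notify_ssl_error` returns non-zero (`if(rc && notify_ssl_error(hSession, rc, &ssl_error)) return errno = rc;`), and in the new notify.c `popup_ssl_error` returns 0 unconditionally unless `SSL_ENABLE_NOTIFICATION_WHEN_FAILED` is defined, so in that configuration `lib3270_reconnect` logs the error and then continues to connect with a context that failed to initialise. The removed code used the same pattern, but the ignored failure there was a CRL download, not the SSL context itself. If proceeding is not intended, calling `notify_ssl_error` for its logging effect and then `if(rc) return errno = rc;` makes the init failure fail closed; if it is intended, a comment stating that the connection deliberately continues without SSL context initialisation would save the next reader this analysis.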
diff --git a/src/core/session.c b/src/core/session.c
index aa0d6be..c526427 100644
--- a/src/core/session.c
+++ b/src/core/session.c
@@ -44,6 +44,7 @@
#include "kybdc.h"
#include "3270ds.h"
#include "popupsc.h"
+#include "../ssl/crl.h"
#include
#include
@@ -88,11 +89,7 @@ void lib3270_session_free(H3270 *h)
h->ssl.crl.prefer = NULL;
}
- if(h->ssl.crl.cert)
- {
- X509_CRL_free(h->ssl.crl.cert);
- h->ssl.crl.cert = NULL;
- }
+ lib3270_crl_free(h);
#endif // SSL_ENABLE_CRL_CHECK
// Release state change callbacks
diff --git a/src/include/config.h.in b/src/include/config.h.in
index 9a22917..1d39334 100644
--- a/src/include/config.h.in
+++ b/src/include/config.h.in
@@ -72,7 +72,7 @@
#undef SSL_ENABLE_NOTIFICATION_WHEN_FAILED
/* If defined uses a hardcoded CRL path */
- #undef SSL_DEFAULT_CRL_URL
+ #undef SSL_CRL_URL
/* Optional parts. */
#undef X3270_DBCS
diff --git a/src/include/lib3270-internals.h b/src/include/lib3270-internals.h
index 90bd6ae..dcc4fab 100644
--- a/src/include/lib3270-internals.h
+++ b/src/include/lib3270-internals.h
@@ -849,11 +849,11 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);
*/
LIB3270_INTERNAL int popup_ssl_error(H3270 *session, int rc, const char *title, const char *summary, const char *body);
- #ifdef SSL_ENABLE_CRL_CHECK
- LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
- LIB3270_INTERNAL int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url);
- LIB3270_INTERNAL int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error);
- #endif // SSL_ENABLE_CRL_CHECK
+ /**
+ * @brief Emite popup on SSL error.
+ *
+ */
+ LIB3270_INTERNAL int notify_ssl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message);
#endif
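Review bot: The new Doxygen block on `notify_ssl_error` reads `Emite popup on SSL error.` — `Emite` is Portuguese, and the block does not describe the return value even though `lib3270_reconnect` branches on it. From notify.c the function writes the message to the log, calls `popup_ssl_error`, and returns `rc` when that call returns non-zero and 0 otherwise, so `@brief Log an SSL error and notify the user.` with `@return rc when popup_ssl_error reported the notification (caller should abort), 0 otherwise.` would state the contract callers rely on.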
diff --git a/src/ssl/crl.c b/src/ssl/crl.c
index 51829a6..2ae8282 100644
--- a/src/ssl/crl.c
+++ b/src/ssl/crl.c
@@ -28,46 +28,92 @@
*/
#include
+
#include
-#include
#include
+#include
+#include
#include
-#include
-#ifdef HAVE_LIBSSL
- #include
- #include
-#endif // HAVE_LIBSSL
+#include "crl.h"
/*--[ Implement ]------------------------------------------------------------------------------------*/
-#ifdef SSL_ENABLE_CRL_CHECK
-int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url)
-{
-
- if(!(url && *url))
- return -1;
+#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
- // Invalidate current certificate.
+void lib3270_crl_free(H3270 *hSession)
+{
if(hSession->ssl.crl.cert)
{
- trace_ssl(hSession,"%s\n","Discarding current CRL");
X509_CRL_free(hSession->ssl.crl.cert);
hSession->ssl.crl.cert = NULL;
}
+}
+
+void lib3270_crl_free_if_expired(H3270 *hSession)
+{
+ if(!hSession->ssl.crl.cert)
+ return;
+
+ // https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
+ // X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
+ #else
+ const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
+ #endif
+
+ if(X509_cmp_current_time(next_update) == 1)
+ {
+ int day, sec;
+ if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
+ {
+ trace_ssl(hSession,"CRL is valid for %d day(s) and %d second(s)\n",day,sec);
+ return;
+ }
+
+ trace_ssl(hSession,"Can't get CRL next update, discarding it\n");
+
+ }
+ else
+ {
+ trace_ssl(hSession,"CRL is no longer valid\n");
+ }
+
+ // Certificate is no longer valid, release it.
+ X509_CRL_free(hSession->ssl.crl.cert);
+ hSession->ssl.crl.cert = NULL;
+
+}
+
+int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url)
+{
+ if(!(url && *url))
+ return -1;
+
+ lib3270_crl_free(hSession); // Just in case!
+
//
// Get the new CRL
//
// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
//
- trace_ssl(hSession,"Getting new CRL from %s\n",url);
+ trace_ssl(hSession,"Getting CRL from %s\n",url);
- hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,url);
+ hSession->ssl.crl.cert = lib3270_download_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error, url);
if(hSession->ssl.crl.cert)
{
- // Got CRL, add it to ssl store
+ // Got CRL!
+
+ // Update URL
+ if(hSession->ssl.crl.url)
+ lib3270_free(hSession->ssl.crl.url);
+
+ hSession->ssl.crl.url = lib3270_strdup(url);
+
+ // Add it to ssl store
if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
{
lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
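Review bot: `lib3270_crl_new_from_url` releases the cached CRL unconditionally (`lib3270_crl_free(hSession); // Just in case!`) before downloading, and negotiate.c calls it on every negotiation when `SSL_CRL_URL` is defined, so the expiry check `lib3270_crl_free_if_expired` performs in `lib3270_reconnect` never avoids a download: a still-valid CRL is discarded and fetched again on each connection, and every handshake becomes dependent on the CRL server being reachable. Returning early when `hSession->ssl.crl.cert` is set and `hSession->ssl.crl.url` compares equal to `url` (the deleted dist-points code attempted the same `strcmp` shortcut) would restore the caching, and keeping the old CRL until `lib3270_download_crl` has returned a replacement avoids losing a valid CRL on a transient download failure. Separately, in `lib3270_crl_free_if_expired` the CRL `nextUpdate` field is OPTIONAL in the ASN.1, so `next_update` can be NULL, and how `X509_cmp_current_time` treats a NULL argument varies between OpenSSL versions; an explicit `if(!next_update) { trace_ssl(hSession,"CRL has no nextUpdate, discarding it\n"); }` that falls through to the release below makes the outcome deterministic.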
@@ -94,95 +140,5 @@ int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url)
return -1;
}
-#endif // SSL_ENABLE_CRL_CHECK
-
-#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
-int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error)
-{
- size_t ix;
- int i, gtype;
- lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_string_array_new();
-
- // https://nougat.cablelabs.com/DLNA-RUI/openssl/commit/57912ed329f870b237f2fd9f2de8dec3477d1729
-
- for(ix = 0; ix < (size_t) sk_DIST_POINT_num(dist_points); ix++) {
- DIST_POINT *dp = sk_DIST_POINT_value(dist_points, ix);
-
- if(!dp->distpoint || dp->distpoint->type != 0)
- continue;
-
- GENERAL_NAMES *gens = dp->distpoint->name.fullname;
-
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
- {
- GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
- ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, >ype);
- if(uri)
- {
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) // OpenSSL 1.1.0+
- const unsigned char * data = ASN1_STRING_get0_data(uri);
-#else
- const unsigned char * data = ASN1_STRING_data(uri); // ASN1_STRING_get0_data(uri);
-#endif // OpenSSL 1.1.0+
- if(data)
- {
- lib3270_string_array_append(uris,(char *) data);
- }
- }
-
- }
-
- }
-
-#ifdef DEBUG
- {
- for(ix = 0; ix < uris->length; ix++)
- {
- debug("%u: %s", (unsigned int) ix, uris->str[ix]);
- }
- }
-#endif // DEBUG
-
- if(hSession->ssl.crl.url)
- {
- // Check if we already have the URL.
- if(!strcmp(hSession->ssl.crl.url,uris->str[ix]))
- {
- trace_ssl(hSession,"Keeping CRL from %s\n",hSession->ssl.crl.url);
- return 0;
- }
-
- // The URL is invalid or not to this cert, remove it!
- lib3270_free(hSession->ssl.crl.url);
- hSession->ssl.crl.url = NULL;
- }
-
- if(hSession->ssl.crl.prefer && *hSession->ssl.crl.prefer)
- {
- size_t length = strlen(hSession->ssl.crl.prefer);
-
- for(ix = 0; ix < uris->length; ix++)
- {
- if(!strncmp(uris->str[ix],hSession->ssl.crl.prefer,length))
- {
- trace_ssl(hSession,"Trying preferred URL %s\n",uris->str[ix]);
- if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
- return 0;
- }
-
- }
-
- }
-
- // Can't load, try all of them.
- for(ix = 0; ix < uris->length; ix++)
- {
- trace_ssl(hSession,"Trying CRL from %s\n",uris->str[ix]);
- if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
- return 0;
- }
-
- return -1;
-}
-#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
+#endif // SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL
diff --git a/src/ssl/crl.h b/src/ssl/crl.h
new file mode 100644
index 0000000..8f1761c
--- /dev/null
+++ b/src/ssl/crl.h
@@ -0,0 +1,60 @@
+/*
+ * "Software G3270, desenvolvido com base nos códigos fontes do WC3270 e X3270
+ * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a
+ * aplicativos mainframe. Registro no INPI sob o nome G3270.
+ *
+ * Copyright (C) <2008>
+ *
+ * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob
+ * os termos da GPL v.2 - Licença Pública Geral ', conforme publicado pela
+ * Free Software Foundation.
+ *
+ * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER
+ * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO
+ * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para
+ * obter mais detalhes.
+ *
+ * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este
+ * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin
+ * St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Este programa está nomeado como private.h e possui - linhas de código.
+ *
+ * Contatos:
+ *
+ * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck)
+ * erico.mendonca@gmail.com (Erico Mascarenhas de Mendonça)
+ *
+ */
+
+#ifdef WIN32
+ #include
+ #include
+#endif // WIN32
+
+#include /* autoconf settings */
+#include /* lib3270 API calls and defs */
+
+#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
+
+ #include
+ #include
+
+ /// @brief Unconditional release of the session CRL.
+ LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession);
+
+ /// @brief Release CRL if expired.
+ LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession);
+
+ /// @brief Load CRL from URL.
+ LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url);
+
+
+ LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
+// LIB3270_INTERNAL int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url);
+// LIB3270_INTERNAL int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error);
+
+#endif // SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL
+
+
+
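Review bot: The new header has no include guard, yet this commit includes it from connect.c, session.c and negotiate.c; wrapping the file in `#ifndef LIB3270_SSL_CRL_H_INCLUDED` / `#define LIB3270_SSL_CRL_H_INCLUDED` / `#endif` (guard name chosen here, adapt to the project's convention) protects against a second inclusion through another header. The two commented-out prototypes for `lib3270_get_crl_from_url` and `lib3270_get_crl_from_dist_points` refer to functions this commit deletes and should be removed rather than kept as comments. The brief on `lib3270_crl_new_from_url` would be more useful with the contract visible in crl.c: `/// @brief Download the CRL at url into hSession->ssl.crl.cert, replacing any cached one. @param ssl_error Cast to SSL_ERROR_MESSAGE* and passed to lib3270_download_crl. @return 0 on success, -1 on failure.`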
diff --git a/src/ssl/linux/getcrl.c b/src/ssl/linux/getcrl.c
index ed201be..eba0ebe 100644
--- a/src/ssl/linux/getcrl.c
+++ b/src/ssl/linux/getcrl.c
@@ -45,7 +45,7 @@ static inline void lib3270_autoptr_cleanup_FILE(FILE **file)
fclose(*file);
}
-LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl)
+LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl)
{
X509_CRL * x509_crl = NULL;
diff --git a/src/ssl/linux/init.c b/src/ssl/linux/init.c
index 4bcd494..7ddfa07 100644
--- a/src/ssl/linux/init.c
+++ b/src/ssl/linux/init.c
@@ -106,6 +106,7 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, param);
X509_VERIFY_PARAM_free(param);
+
trace_ssl(hSession,"CRL CHECK was enabled\n");
#endif // SSL_ENABLE_CRL_CHECK
diff --git a/src/ssl/negotiate.c b/src/ssl/negotiate.c
index 8bc7816..0d22bac 100644
--- a/src/ssl/negotiate.c
+++ b/src/ssl/negotiate.c
@@ -48,6 +48,8 @@
#define SSL_ST_OK 3
#endif // !SSL_ST_OK
+ #include "crl.h"
+
#endif
#include
@@ -133,7 +135,7 @@ static int background_ssl_init(H3270 *hSession, void *message)
return 0;
}
-#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
+#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
{
debug("%s(%d)",__FUNCTION__,ok);
@@ -152,8 +154,26 @@ int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
*/
return ok;
}
-#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
+#endif // !SSL_CRL_URL && SSL_ENABLE_CRL_CHECK
+static int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
+{
+ debug("%s(%d)",__FUNCTION__,ok);
+
+/*
+ 55 {
+ 56 if (!ok) {
+ 57 Category::getInstance("OpenSSL").error(
+ 58 "path validation failure at depth(%d): %s",
+ 59 X509_STORE_CTX_get_error_depth(ctx),
+ 60 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))
+ 61 );
+ 62 }
+ 63 return ok;
+ 64 }
+*/
+ return ok;
+}
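Review bot: After this hunk `x509_store_ctx_error_callback` is defined twice in the same translation unit: the existing non-static definition stays under `#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)` and the new `static` one follows unconditionally, so a build with CRL checking enabled and no `--with-crl-url` fails with a redefinition error. The verification code added later in this file uses the static version, so the conditional copy should be deleted. The commented-out C++ snippet with gutter numbers inside the new body is pasted reference material; the body can shrink to `debug("%s(%d)",__FUNCTION__,ok); return ok;` with a comment `// Verification callback: log only, never override OpenSSL's verdict.`, which also documents the property that matters for security here.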
static int background_ssl_negotiation(H3270 *hSession, void *message)
{
@@ -234,7 +254,21 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
hSession->cbk.set_peer_certificate(peer);
-#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
+#ifdef SSL_CRL_URL
+
+ // Load CRL from pre-defined URL
+ if(lib3270_crl_new_from_url(hSession, message, SSL_CRL_URL))
+ return EACCES;
+
+#endif // SSL_CRL_URL
+
+ }
+
+ /*
+ if(peer)
+ {
+
+#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
//
// No default CRL, try to download from the peer
//
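Review bot: The only path that now loads a CRL is the `#ifdef SSL_CRL_URL` block after `set_peer_certificate`; the dist-points download that used to follow is placed inside a `/* ... */` comment that opens in this hunk and closes in the next. As far as this diff shows, a build with `SSL_ENABLE_CRL_CHECK` but no hardcoded URL therefore never obtains a CRL, and because `ssl_ctx_init` sets `X509_V_FLAG_CRL_CHECK` on the store (init.c hunk), every handshake in that configuration ends in `X509_V_ERR_UNABLE_TO_GET_CRL` and is left to whatever `ssl_get_status_from_error_code` maps it to. If dropping the dist-points path is intentional, the configure help text and the `config.h.in` comment should say that CRL checking requires `--with-crl-url`, or configure should reject the combination; otherwise the code should be restored rather than left commented out. The enclosing `background_ssl_negotiation` starts and ends outside this hunk.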
@@ -274,17 +308,60 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
// No CRL download, use the standard verification.
rv = SSL_get_verify_result(hSession->ssl.con);
-#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
+#endif // !SSL_CRL_URL && SSL_ENABLE_CRL_CHECK
}
else
{
rv = SSL_get_verify_result(hSession->ssl.con);
}
+ */
+
+ if(SSL_get_verify_result(hSession->ssl.con) == X509_V_ERR_UNABLE_TO_GET_CRL && hSession->ssl.crl.cert)
+ {
+ // Verify CRL
+ //
+ // References:
+ //
+ // http://www.zedwood.com/article/cpp-check-crl-for-revocation
+ //
+ trace_ssl(hSession,"Doing CRL check using %s\n",hSession->ssl.crl.url);
- // Validate certificate.
+ // Got CRL, verify it!
+ // Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
+ X509_STORE_CTX *csc = X509_STORE_CTX_new();
+ X509_STORE_CTX_set_verify_cb(csc, x509_store_ctx_error_callback);
+ X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, NULL);
+
+/*
+#ifdef SSL_ENABLE_CRL_CHECK
+ // Enable CRL check
+ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+ X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set0_param(csc, param);
+#endif // SSL_ENABLE_CRL_CHECK
+*/
+
+ if(X509_verify_cert(csc) != 1)
+ rv = X509_STORE_CTX_get_error(csc);
+ else
+ rv = X509_V_OK;
+
+ debug("CRL Check response was %d", rv);
+
+ SSL_set_verify_result(hSession->ssl.con, rv);
+
+ X509_STORE_CTX_free(csc);
+#ifdef SSL_ENABLE_CRL_CHECK
+// X509_VERIFY_PARAM_free(param);
+#endif // SSL_ENABLE_CRL_CHECK
+
+ }
+
+ // Check validation state.
+ rv = SSL_get_verify_result(hSession->ssl.con);
debug("SSL Verify result was %d", rv);
const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
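Review bot: In the re-verification block `X509_STORE_CTX_new()` can return NULL and `X509_STORE_CTX_init` returns 0 on failure, but neither result is checked before `X509_STORE_CTX_set_verify_cb`, `X509_verify_cert` and `X509_STORE_CTX_get_error` are called on `csc`. `X509_STORE_CTX_init` also resets the verify callback from the store, so the `set_verify_cb` call placed before it has no effect; and the fourth argument is NULL, so intermediate certificates the peer presented are not available to the chain builder, which can fail this second verification for an unrelated reason after the handshake's own verification (which does see the peer chain) only complained about the CRL. A successful `X509_verify_cert` then overwrites `X509_V_ERR_UNABLE_TO_GET_CRL` with `X509_V_OK` via `SSL_set_verify_result`, which is only sound if the downloaded CRL was added to the store returned by `SSL_CTX_get_cert_store(ssl_ctx)` and `X509_V_FLAG_CRL_CHECK` is still set on it — both happen outside this diff (crl.c's "Add it to ssl store" section is cut off) and deserve a comment here naming that dependency. The commented-out `X509_VERIFY_PARAM` lines and the `#ifdef SSL_ENABLE_CRL_CHECK` around a commented `X509_VERIFY_PARAM_free` should be removed. On any failure below, the handshake's verify result is left untouched, so the connection still fails closed.
```c
X509_STORE_CTX *csc = X509_STORE_CTX_new();
if(!csc)
{
    trace_ssl(hSession,"%s\n","Can't allocate X509_STORE_CTX, keeping original verify result");
}
else
{
    // Hand the chain builder the intermediates the peer sent, not only the leaf.
    if(X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, SSL_get_peer_cert_chain(hSession->ssl.con)) == 1)
    {
        // Must follow init: X509_STORE_CTX_init resets the callback from the store.
        X509_STORE_CTX_set_verify_cb(csc, x509_store_ctx_error_callback);

        if(X509_verify_cert(csc) != 1)
            rv = X509_STORE_CTX_get_error(csc);
        else
            rv = X509_V_OK;

        debug("CRL Check response was %d", rv);
        SSL_set_verify_result(hSession->ssl.con, rv);
    }
    else
    {
        trace_ssl(hSession,"%s\n","X509_STORE_CTX_init failed, keeping original verify result");
    }

    X509_STORE_CTX_free(csc);
}
// … unchanged: rv = SSL_get_verify_result(...) and status lookup …
```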
@@ -526,45 +603,3 @@ void ssl_info_callback(INFO_CONST SSL *s, int where, int ret)
#endif /*]*/
-int popup_ssl_error(H3270 GNUC_UNUSED(*hSession), int rc, const char GNUC_UNUSED(*title), const char *summary, const char *body)
-{
-#ifdef _WIN32
-
- lib3270_autoptr(char) rcMessage = lib3270_strdup_printf("The error code was %d",rc);
-
- const char *outMsg[] = {
- title,
- summary,
- (body ? body : ""),
- rcMessage
- };
-
- ReportEvent(
- hEventLog,
- EVENTLOG_ERROR_TYPE,
- 1,
- 0,
- NULL,
- (sizeof(outMsg)/sizeof(outMsg[0])),
- 0,
- outMsg,
- NULL
- );
-
-#else
-
- lib3270_write_log(hSession, "SSL", "%s %s (rc=%d)", summary, (body ? body : ""), rc);
-
-#endif // _WIN32
-
-#ifdef SSL_ENABLE_NOTIFICATION_WHEN_FAILED
-
- return hSession->cbk.popup_ssl_error(hSession,rc,title,summary,body);
-
-#else
-
- return 0;
-
-#endif // SSL_ENABLE_NOTIFICATION_WHEN_FAILED
-
-}
diff --git a/src/ssl/notify.c b/src/ssl/notify.c
new file mode 100644
index 0000000..cc130e5
--- /dev/null
+++ b/src/ssl/notify.c
@@ -0,0 +1,132 @@
+/*
+ * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270 e X3270
+ * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a
+ * aplicativos mainframe. Registro no INPI sob o nome G3270.
+ *
+ * Copyright (C) <2008>
+ *
+ * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob
+ * os termos da GPL v.2 - Licença Pública Geral GNU, conforme publicado pela
+ * Free Software Foundation.
+ *
+ * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER
+ * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO
+ * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para
+ * obter mais detalhes.
+ *
+ * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este
+ * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin
+ * St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * Este programa está nomeado como - e possui - linhas de código.
+ *
+ * Contatos:
+ *
+ * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck)
+ * erico.mendonca@gmail.com (Erico Mascarenhas Mendonça)
+ *
+ *
+ * References:
+ *
+ * http://www.openssl.org/docs/ssl/
+ *
+ */
+
+
+#include
+#include
+#include
+
+/*--[ Implement ]------------------------------------------------------------------------------------*/
+
+#if defined(HAVE_LIBSSL)
+
+#include
+
+int popup_ssl_error(H3270 GNUC_UNUSED(*hSession), int rc, const char GNUC_UNUSED(*title), const char *summary, const char *body)
+{
+#ifdef _WIN32
+
+ lib3270_autoptr(char) rcMessage = lib3270_strdup_printf("The error code was %d",rc);
+
+ const char *outMsg[] = {
+ title,
+ summary,
+ (body ? body : ""),
+ rcMessage
+ };
+
+ ReportEvent(
+ hEventLog,
+ EVENTLOG_ERROR_TYPE,
+ 1,
+ 0,
+ NULL,
+ (sizeof(outMsg)/sizeof(outMsg[0])),
+ 0,
+ outMsg,
+ NULL
+ );
+
+#else
+
+ lib3270_write_log(hSession, "SSL", "%s %s (rc=%d)", summary, (body ? body : ""), rc);
+
+#endif // _WIN32
+
+#ifdef SSL_ENABLE_NOTIFICATION_WHEN_FAILED
+
+ return hSession->cbk.popup_ssl_error(hSession,rc,title,summary,body);
+
+#else
+
+ return 0;
+
+#endif // SSL_ENABLE_NOTIFICATION_WHEN_FAILED
+}
+
+int notify_ssl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message)
+{
+ lib3270_write_log(
+ hSession,
+ "SSL-CRL-GET",
+ "CRL GET error: %s (rc=%d ssl_error=%d)",
+ message->title,
+ rc,
+ message->error
+ );
+
+ if(message->description)
+ {
+ if(popup_ssl_error(hSession,rc,message->title,message->text,message->description))
+ return rc;
+ }
+#ifdef _WIN32
+ else if(message->lasterror)
+ {
+ lib3270_autoptr(char) windows_error = lib3270_win32_translate_error_code(message->lasterror);
+ lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "Windows error was \"%s\" (%u)" ), windows_error,(unsigned int) message->lasterror);
+
+ if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
+ return rc;
+
+ }
+#endif // WIN32
+ else if(message->error)
+ {
+ lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "%s (SSL error %d)" ),ERR_reason_error_string(message->error),message->error);
+ lib3270_write_log(hSession,"SSL-CRL-GET","%s",formatted_error);
+
+ if(popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
+ return rc;
+ }
+ else
+ {
+ if(popup_ssl_error(hSession,rc,message->title,message->text,""))
+ return rc;
+ }
+
+ return 0;
+}
+
+#endif // defined(HAVE_LIBSSL)
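Review bot: `notify_ssl_error` logs every failure under the `"SSL-CRL-GET"` category with the text `CRL GET error`, but the function is now the handler for `ssl_ctx_init` failing in `lib3270_reconnect`, which has nothing to do with fetching a CRL; `"SSL"` and `"SSL error: %s (rc=%d ssl_error=%d)"` (and the same category on the second `lib3270_write_log`) would stop operators from chasing CRL download problems that do not exist. `message->title` and `message->text` reach `%s` without a NULL check while the caller zero-fills the struct before the task runs, so any path in `ssl_ctx_init` that returns non-zero without setting them yields undefined formatting — confirm against `ssl_ctx_init`, or guard with `message->title ? message->title : "SSL error"`. `ERR_reason_error_string` returns NULL for codes it does not recognise, which hits the same `%s` problem in the `message->error` branch. In `popup_ssl_error` the `GNUC_UNUSED` markers on `hSession` and `title` are misleading: `hSession` is used on the non-`_WIN32` path and in the `cbk.popup_ssl_error` call, and `title` on the `_WIN32` path and in that same call.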
diff --git a/src/ssl/properties.c b/src/ssl/properties.c
index c3aadca..eb0140c 100644
--- a/src/ssl/properties.c
+++ b/src/ssl/properties.c
@@ -124,11 +124,11 @@ LIB3270_EXPORT char * lib3270_get_ssl_peer_certificate_text(const H3270 *hSessio
if(hSession->ssl.crl.url)
return hSession->ssl.crl.url;
-#ifdef SSL_DEFAULT_CRL_URL
- return SSL_DEFAULT_CRL_URL;
+#ifdef SSL_CRL_URL
+ return SSL_CRL_URL;
#else
return getenv("LIB3270_DEFAULT_CRL");
-#endif // SSL_DEFAULT_CRL_URL
+#endif // SSL_CRL_URL
#else
errno = ENOTSUP;
--
libgit2 0.21.2