Download as
Browse Code »

Commit 4ee2d89f0aaf845bc6c028164592f541385e1358

Authored by Perry Werneck
1 parent 1b835d4f
Exists in master and in 3 other branches develop, macos, network_module

Moving SSL state methods to main library.

Showing 6 changed files with 360 additions and 12 deletions   Show diff stats
lib3270.cbp
  Diff comments   View file @4ee2d89
... ... @@ -69,7 +69,6 @@
69 69 <Unit filename="src/include/lib3270/html.h" />
70 70 <Unit filename="src/include/lib3270/internals.h" />
71 71 <Unit filename="src/include/lib3270/log.h" />
72   - <Unit filename="src/include/lib3270/macros.h" />
73 72 <Unit filename="src/include/lib3270/popup.h" />
74 73 <Unit filename="src/include/lib3270/properties.h" />
75 74 <Unit filename="src/include/lib3270/selection.h" />
... ...
src/include/lib3270.h
  Diff comments   View file @4ee2d89
... ... @@ -502,6 +502,18 @@
502 502 LIB3270_EXPORT int lib3270_get_secure_host(H3270 *hSession);
503 503  
504 504 /**
  505 + * @brief Get security state as text.
  506 + *
  507 + */
  508 + LIB3270_EXPORT const char * lib3270_get_ssl_state_message(H3270 *hSession);
  509 +
  510 + /**
  511 + * @brief Get security state message.
  512 + *
  513 + */
  514 + LIB3270_EXPORT const char * lib3270_get_ssl_state_description(H3270 *hSession);
  515 +
  516 + /**
505 517 * @brief Get service or port for the connect/reconnect operations.
506 518 *
507 519 * @param h Session handle.
... ...
src/include/lib3270/popup.h
  Diff comments   View file @4ee2d89
... ... @@ -43,12 +43,13 @@
43 43 */
44 44 typedef enum _LIB3270_NOTIFY
45 45 {
46   - LIB3270_NOTIFY_INFO, /**< Simple information dialog */
47   - LIB3270_NOTIFY_WARNING,
48   - LIB3270_NOTIFY_ERROR,
49   - LIB3270_NOTIFY_CRITICAL, /**< Critical error, user can abort application */
  46 + LIB3270_NOTIFY_INFO, ///< @brief Simple information dialog.
  47 + LIB3270_NOTIFY_WARNING, ///< @brief Warning message.
  48 + LIB3270_NOTIFY_ERROR, ///< @brief Error message.
  49 + LIB3270_NOTIFY_CRITICAL, ///< @brief Critical error, user can abort application.
  50 + LIB3270_NOTIFY_SECURE, ///< @brief Secure host dialog.
50 51  
51   - LIB3270_NOTIFY_USER /**< Reserved, always the last one */
  52 + LIB3270_NOTIFY_USER ///< @brief Reserved, always the last one.
52 53 } LIB3270_NOTIFY;
53 54  
54 55 LIB3270_EXPORT void lib3270_set_popup_handler(H3270 *session, void (*handler)(H3270 *, LIB3270_NOTIFY, const char *, const char *, const char *, va_list));
... ... @@ -67,6 +68,8 @@
67 68  
68 69 LIB3270_EXPORT void lib3270_popup_va(H3270 *session, LIB3270_NOTIFY id , const char *title, const char *message, const char *fmt, va_list);
69 70  
  71 + LIB3270_EXPORT LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession);
  72 +
70 73 #ifdef __cplusplus
71 74 }
72 75 #endif
... ...
src/lib3270/properties.c
  Diff comments   View file @4ee2d89
... ... @@ -418,6 +418,19 @@
418 418 NULL // Set value.
419 419 },
420 420  
  421 + {
  422 + "sslmessage", // Property name.
  423 + N_( "The security state" ), // Property description.
  424 + lib3270_get_ssl_state_message, // Get value.
  425 + NULL // Set value.
  426 + },
  427 +
  428 + {
  429 + "ssldescription", // Property name.
  430 + N_( "Description of the current security state" ), // Property description.
  431 + lib3270_get_ssl_state_description, // Get value.
  432 + NULL // Set value.
  433 + },
421 434  
422 435 /*
423 436 {
... ...
src/lib3270/ssl/negotiate.c
  Diff comments   View file @4ee2d89
... ... @@ -167,17 +167,12 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
167 167 // https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_set_error.html
168 168 case X509_V_OK:
169 169 peer = SSL_get_peer_certificate(hSession->ssl.con);
170   -
171   - debug("TLS/SSL negotiated connection complete. Peer certificate %s presented.", peer ? "was" : "was not");
172 170 trace_ssl(hSession,"TLS/SSL negotiated connection complete. Peer certificate %s presented.\n", peer ? "was" : "was not");
173   -
174 171 break;
175 172  
176 173 case X509_V_ERR_UNABLE_TO_GET_CRL:
177 174  
178   - debug("%s","The CRL of a certificate could not be found." );
179 175 trace_ssl(hSession,"%s","The CRL of a certificate could not be found.\n" );
180   -
181 176 ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
182 177 ((SSL_ERROR_MESSAGE *) message)->text = _( "Unable to get certificate CRL." );
183 178 ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) of a certificate could not be found." );
... ... @@ -222,8 +217,15 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
222 217  
223 218 default:
224 219  
225   - debug("Unexpected or invalid TLS/SSL verify result %d",rv);
226 220 trace_ssl(hSession,"Unexpected or invalid TLS/SSL verify result %d\n",rv);
  221 +
  222 +#ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
  223 + ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
  224 + ((SSL_ERROR_MESSAGE *) message)->text = _( "Can't verify." );
  225 + ((SSL_ERROR_MESSAGE *) message)->description = _( "Unexpected or invalid TLS/SSL verify result" );
  226 + return -1;
  227 +#endif // SSL_ENABLE_CRL_EXPIRATION_CHECK
  228 +
227 229 }
228 230  
229 231 if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
... ...
src/lib3270/ssl/state.c
  Diff comments   View file @4ee2d89
... ... @@ -32,9 +32,15 @@
32 32 #include <errno.h>
33 33 #include <lib3270.h>
34 34 #include <lib3270/internals.h>
  35 +#include <lib3270/popup.h>
35 36 #include <lib3270/trace.h>
36 37 #include <trace_dsc.h>
37 38  
  39 +#ifdef HAVE_LIBSSL
  40 + #include <openssl/ssl.h>
  41 + #include <openssl/err.h>
  42 +#endif // HAVE_LIBSSL
  43 +
38 44 /*--[ Implement ]------------------------------------------------------------------------------------*/
39 45  
40 46 LIB3270_EXPORT int lib3270_is_secure(H3270 *hSession)
... ... @@ -72,3 +78,316 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
72 78  
73 79 hSession->cbk.update_ssl(hSession,hSession->ssl.state);
74 80 }
  81 +
  82 +#ifdef HAVE_LIBSSL
  83 + static const struct ssl_status_msg
  84 + {
  85 + long id;
  86 + LIB3270_NOTIFY icon;
  87 + const char * message;
  88 + const char * description;
  89 + }
  90 + status_msg[] =
  91 + {
  92 + // http://www.openssl.org/docs/apps/verify.html
  93 + {
  94 + X509_V_OK,
  95 + LIB3270_NOTIFY_SECURE,
  96 + N_( "Secure connection was successful." ),
  97 + N_( "The connection is secure and the host identity was confirmed." )
  98 + },
  99 +
  100 + {
  101 + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
  102 + LIB3270_NOTIFY_ERROR,
  103 + N_( "Unable to get issuer certificate" ),
  104 + N_( "The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete." )
  105 + },
  106 +
  107 + {
  108 + X509_V_ERR_UNABLE_TO_GET_CRL,
  109 + LIB3270_NOTIFY_ERROR,
  110 + N_( "Unable to get certificate CRL." ),
  111 + N_( "The Certificate revocation list (CRL) of a certificate could not be found." )
  112 + },
  113 +
  114 + {
  115 + X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
  116 + LIB3270_NOTIFY_ERROR,
  117 + N_( "Unable to decrypt certificate's signature" ),
  118 + N_( "The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys." )
  119 + },
  120 +
  121 + {
  122 + X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
  123 + LIB3270_NOTIFY_ERROR,
  124 + N_( "Unable to decrypt CRL's signature" ),
  125 + N_( "The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused." )
  126 + },
  127 +
  128 + {
  129 + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
  130 + LIB3270_NOTIFY_ERROR,
  131 + N_( "Unable to decode issuer public key" ),
  132 + N_( "The public key in the certificate SubjectPublicKeyInfo could not be read." )
  133 + },
  134 +
  135 + {
  136 + X509_V_ERR_CERT_SIGNATURE_FAILURE,
  137 + LIB3270_NOTIFY_ERROR,
  138 + N_( "Certificate signature failure" ),
  139 + N_( "The signature of the certificate is invalid." )
  140 + },
  141 +
  142 + {
  143 + X509_V_ERR_CRL_SIGNATURE_FAILURE,
  144 + LIB3270_NOTIFY_ERROR,
  145 + N_( "CRL signature failure" ),
  146 + N_( "The signature of the certificate is invalid." )
  147 + },
  148 +
  149 + {
  150 + X509_V_ERR_CERT_NOT_YET_VALID,
  151 + LIB3270_NOTIFY_WARNING,
  152 + N_( "Certificate is not yet valid" ),
  153 + N_( "The certificate is not yet valid: the notBefore date is after the current time." )
  154 + },
  155 +
  156 + {
  157 + X509_V_ERR_CERT_HAS_EXPIRED,
  158 + LIB3270_NOTIFY_ERROR,
  159 + N_( "Certificate has expired" ),
  160 + N_( "The certificate has expired: that is the notAfter date is before the current time." )
  161 + },
  162 +
  163 + {
  164 + X509_V_ERR_CRL_NOT_YET_VALID,
  165 + LIB3270_NOTIFY_WARNING,
  166 + N_( "The CRL is not yet valid." ),
  167 + N_( "The Certificate revocation list (CRL) is not yet valid." )
  168 + },
  169 +
  170 + {
  171 + X509_V_ERR_CRL_HAS_EXPIRED,
  172 +#ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
  173 + LIB3270_NOTIFY_ERROR,
  174 +#else
  175 + LIB3270_NOTIFY_WARNING,
  176 +#endif // SSL_ENABLE_CRL_EXPIRATION_CHECK
  177 + N_( "The CRL has expired." ),
  178 + N_( "The Certificate revocation list (CRL) has expired.")
  179 + },
  180 +
  181 + {
  182 + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
  183 + LIB3270_NOTIFY_ERROR,
  184 + N_( "Format error in certificate's notBefore field" ),
  185 + N_( "The certificate notBefore field contains an invalid time." )
  186 + },
  187 +
  188 + {
  189 + X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
  190 + LIB3270_NOTIFY_ERROR,
  191 + N_( "Format error in certificate's notAfter field" ),
  192 + N_( "The certificate notAfter field contains an invalid time." )
  193 + },
  194 +
  195 + {
  196 + X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
  197 + LIB3270_NOTIFY_ERROR,
  198 + N_( "Format error in CRL's lastUpdate field" ),
  199 + N_( "The CRL lastUpdate field contains an invalid time." )
  200 + },
  201 +
  202 + {
  203 + X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
  204 + LIB3270_NOTIFY_ERROR,
  205 + N_( "Format error in CRL's nextUpdate field" ),
  206 + N_( "The CRL nextUpdate field contains an invalid time." )
  207 + },
  208 +
  209 + {
  210 + X509_V_ERR_OUT_OF_MEM,
  211 + LIB3270_NOTIFY_ERROR,
  212 + N_( "Out of memory" ),
  213 + N_( "An error occurred trying to allocate memory. This should never happen." )
  214 + },
  215 +
  216 + {
  217 + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
  218 + LIB3270_NOTIFY_WARNING,
  219 + N_( "Self signed certificate" ),
  220 + N_( "The passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates." )
  221 + },
  222 +
  223 + {
  224 + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
  225 +#ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
  226 + LIB3270_NOTIFY_ERROR,
  227 + N_( "The SSL certificate for this host is not trusted." ),
  228 + N_( "The security certificate presented by this host was not issued by a trusted certificate authority." )
  229 +#else
  230 + LIB3270_NOTIFY_WARNING,
  231 + N_( "Self signed certificate in certificate chain" ),
  232 + N_( "The certificate chain could be built up using the untrusted certificates but the root could not be found locally." )
  233 +#endif // SSL_ENABLE_SELF_SIGNED_CERT_CHECK
  234 + },
  235 +
  236 + {
  237 + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
  238 + LIB3270_NOTIFY_WARNING,
  239 + N_( "Unable to get local issuer certificate" ),
  240 + N_( "The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found." )
  241 + },
  242 +
  243 + {
  244 + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
  245 + LIB3270_NOTIFY_ERROR,
  246 + N_( "Unable to verify the first certificate" ),
  247 + N_( "No signatures could be verified because the chain contains only one certificate and it is not self signed." )
  248 + },
  249 +
  250 + {
  251 + X509_V_ERR_CERT_REVOKED,
  252 + LIB3270_NOTIFY_ERROR,
  253 + N_( "Certificate revoked" ),
  254 + N_( "The certificate has been revoked." )
  255 + },
  256 +
  257 + {
  258 + X509_V_ERR_INVALID_CA,
  259 + LIB3270_NOTIFY_ERROR,
  260 + N_( "Invalid CA certificate" ),
  261 + N_( "A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose." )
  262 + },
  263 +
  264 + {
  265 + X509_V_ERR_PATH_LENGTH_EXCEEDED,
  266 + LIB3270_NOTIFY_ERROR,
  267 + N_( "Path length constraint exceeded" ),
  268 + N_( "The basicConstraints pathlength parameter has been exceeded." ),
  269 + },
  270 +
  271 + {
  272 + X509_V_ERR_INVALID_PURPOSE,
  273 + LIB3270_NOTIFY_ERROR,
  274 + N_( "Unsupported certificate purpose" ),
  275 + N_( "The supplied certificate cannot be used for the specified purpose." )
  276 + },
  277 +
  278 + {
  279 + X509_V_ERR_CERT_UNTRUSTED,
  280 + LIB3270_NOTIFY_WARNING,
  281 + N_( "Certificate not trusted" ),
  282 + N_( "The root CA is not marked as trusted for the specified purpose." )
  283 + },
  284 +
  285 + {
  286 + X509_V_ERR_CERT_REJECTED,
  287 + LIB3270_NOTIFY_ERROR,
  288 + N_( "Certificate rejected" ),
  289 + N_( "The root CA is marked to reject the specified purpose." )
  290 + },
  291 +
  292 + {
  293 + X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
  294 + LIB3270_NOTIFY_ERROR,
  295 + N_( "Subject issuer mismatch" ),
  296 + N_( "The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set." )
  297 + },
  298 +
  299 + {
  300 + X509_V_ERR_AKID_SKID_MISMATCH,
  301 + LIB3270_NOTIFY_ERROR,
  302 + N_( "Authority and subject key identifier mismatch" ),
  303 + N_( "The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set." )
  304 + },
  305 +
  306 + {
  307 + X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
  308 + LIB3270_NOTIFY_ERROR,
  309 + N_( "Authority and issuer serial number mismatch" ),
  310 + N_( "The current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set." )
  311 + },
  312 +
  313 + {
  314 + X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
  315 + LIB3270_NOTIFY_ERROR,
  316 + N_( "Key usage does not include certificate signing" ),
  317 + N_( "The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing." )
  318 + }
  319 +
  320 + };
  321 +
  322 + static const struct ssl_status_msg * get_ssl_status_msg(H3270 *hSession)
  323 + {
  324 + size_t f;
  325 + long id = lib3270_get_SSL_verify_result(hSession);
  326 +
  327 + for(f=0;f < (sizeof(status_msg)/sizeof(status_msg[0]));f++)
  328 + {
  329 + if(status_msg[f].id == id)
  330 + return status_msg+f;
  331 + }
  332 + return NULL;
  333 + }
  334 +
  335 + const char * lib3270_get_ssl_state_message(H3270 *hSession)
  336 + {
  337 + if(lib3270_get_secure(hSession) != LIB3270_SSL_UNSECURE)
  338 + {
  339 + const struct ssl_status_msg *info = get_ssl_status_msg(hSession);
  340 + if(info)
  341 + return gettext(info->message);
  342 + }
  343 +
  344 + return lib3270_get_hostname(hSession);
  345 + }
  346 +
  347 + const char * lib3270_get_ssl_state_description(H3270 *hSession)
  348 + {
  349 + if(lib3270_get_secure(hSession) != LIB3270_SSL_UNSECURE)
  350 + {
  351 + const struct ssl_status_msg *info = get_ssl_status_msg(hSession);
  352 + if(info)
  353 + return gettext(info->description);
  354 + }
  355 + else
  356 + {
  357 + return _( "The connection is insecure" );
  358 + }
  359 +
  360 + return _( "Unexpected or unknown security status");
  361 + }
  362 +
  363 + LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession)
  364 + {
  365 + if(lib3270_get_secure(hSession) != LIB3270_SSL_UNSECURE)
  366 + {
  367 + const struct ssl_status_msg *info = get_ssl_status_msg(hSession);
  368 + if(info)
  369 + return info->icon;
  370 + }
  371 +
  372 + return LIB3270_NOTIFY_ERROR;
  373 + }
  374 +
  375 +#else
  376 +
  377 + const char * lib3270_get_ssl_state_message(H3270 *hSession)
  378 + {
  379 + return lib3270_get_hostname(hSession);
  380 + }
  381 +
  382 + const char * lib3270_get_ssl_state_description(H3270 *hSession)
  383 + {
  384 + return _( "The connection is insecure" );
  385 + }
  386 +
  387 + LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession)
  388 + {
  389 + return LIB3270_NOTIFY_ERROR;
  390 + }
  391 +
  392 +#endif // HAVE_LIBSSL
  393 +
... ...