Commit 5b8675fe37c7e80c83ed0b38cafda3c1ee8d3bd1

Authored by Perry Werneck
1 parent bb6f1004

Improving CRL property

Adding options to test program
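--- a/configure.ac
+++ b/configure.ac
@@ -340,7 +340,7 @@ AC_ARG_ENABLE([ssl-crl-check],
 app_cv_enable_crl_check="no"
 ])
 
-if test "$app_cv_self_signed_certs" == "yes"; then
+if test "$app_cv_enable_crl_check" == "yes"; then
 AC_DEFINE(SSL_ENABLE_CRL_CHECK)
 fi
 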
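Review bot: The corrected condition still compares with `==`, which is a bash extension that POSIX `test` does not accept, so the generated `configure` misbehaves when /bin/sh is dash or another strict shell. Use the portable form `if test "$app_cv_enable_crl_check" = "yes"; then`. If the file has other `==` comparisons outside this hunk, they have the same problem.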
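--- a/src/include/lib3270.h
+++ b/src/include/lib3270.h
@@ -474,7 +474,9 @@
 * @return 0 on sucess, non zero on error (sets errno).
 *
 */
- LIB3270_EXPORT int lib3270_set_crl(H3270 *hSession, const char *crl);
+ LIB3270_EXPORT int lib3270_set_crl_url(H3270 *hSession, const char *crl);
+
+ LIB3270_EXPORT const char * lib3270_get_crl_url(H3270 *hSession);
 
 /**
 * @brief Get hostname for the connect/reconnect operations.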
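Review bot: `lib3270_get_crl_url` is added to the public header with no doc comment; the comment block above it (`@return 0 on sucess ...`) describes only the setter. From properties.c the getter can return NULL (it hands back `getenv("LIB3270_DEFAULT_CRL")` unchanged when the session has no URL and no compiled-in default exists) and sets errno to ENOTSUP when CRL checking is compiled out, so callers need that spelled out, e.g. `/** @brief Get the CRL URL: the session value, else the compiled-in or LIB3270_DEFAULT_CRL environment default, else NULL; returns "" and sets errno=ENOTSUP when CRL checking is disabled. */`. Dropping the exported `lib3270_set_crl` symbol is an ABI break if the library has external consumers; in that case keep a deprecated wrapper under the old name.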
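--- a/src/lib3270/properties.c
+++ b/src/lib3270/properties.c
@@ -285,7 +285,26 @@
 return lib3270_get_revision();
 }
 
-int lib3270_set_crl(H3270 *hSession, const char *crl)
+const char * lib3270_get_crl_url(H3270 *hSession)
+{
+#ifdef SSL_ENABLE_CRL_CHECK
+if(hSession->ssl.crl)
+return hSession->ssl.crl;
+
+#ifdef LIB3270_DEFAULT_CRL
+return LIB3270_DEFAULT_CRL;
+#else
+return getenv("LIB3270_DEFAULT_CRL");
+#endif // LIB3270_DEFAULT_CRL
+
+#else
+errno = ENOTSUP;
+return "";
+#endif
+}
+
+
+int lib3270_set_crl_url(H3270 *hSession, const char *crl)
 {
 
 FAIL_IF_ONLINE(hSession);
@@ -313,15 +332,6 @@
 
 }
 
-static const char * lib3270_get_crl(H3270 *hSession)
-{
-#ifdef SSL_ENABLE_CRL_CHECK
-if(hSession->ssl.crl)
-return hSession->ssl.crl;
-#endif
-return "";
-}
-
 LIB3270_EXPORT const LIB3270_STRING_PROPERTY * lib3270_get_string_properties_list(void)
 {
 static const LIB3270_STRING_PROPERTY properties[] = {
@@ -383,10 +393,10 @@
 },
 
 {
-"crl", // Property name.
+"crlpath", // Property name.
 N_( "URL for the CRL file" ), // Property description.
-lib3270_get_crl, // Get value.
-lib3270_set_crl, // Set value.
+lib3270_get_crl_url, // Get value.
+lib3270_set_crl_url, // Set value.
 },
 
 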
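Review bot: `lib3270_get_crl_url` returns the result of `getenv("LIB3270_DEFAULT_CRL")` unchanged (new line 297), so it yields NULL when the variable is unset, whereas the removed `lib3270_get_crl` always returned a string and the compiled-out branch (line 302) still returns `""`. A string-property consumer that prints the value with `%s` (the test program in this commit does) hits undefined behavior on NULL; normalize it with `const char *env = getenv("LIB3270_DEFAULT_CRL"); return env ? env : "";`. The `#else` branch sets `errno = ENOTSUP` while returning a valid `""`, which only works if callers know to check errno, so add `// CRL support compiled out: "" is returned and errno signals the condition.` above it. The third hunk also renames the user-visible property from `"crl"` to `"crlpath"` while its description still says "URL"; if existing configurations use the old name, keep it or document the rename.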
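--- a/src/lib3270/ssl/ctx_init.c
+++ b/src/lib3270/ssl/ctx_init.c
@@ -111,42 +111,38 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 //
 // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
 //
- if(hSession->ssl.crl)
- {
- lib3270_autoptr(X509_CRL) crl = lib3270_get_X509_CRL(hSession,message);
-
- if(!crl)
- return -1;
-
- if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
- {
- BIO * out = BIO_new(BIO_s_mem());
- unsigned char * data;
- unsigned char * text;
- int n;
+ lib3270_autoptr(X509_CRL) crl = lib3270_get_X509_CRL(hSession,message);
 
- X509_CRL_print(out,crl);
+ if(!crl)
+ return -1;
 
- n = BIO_get_mem_data(out, &data);
- text = (unsigned char *) malloc (n+1);
- text[n] ='\0';
- memcpy(text,data,n);
+ if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
+ {
+ BIO * out = BIO_new(BIO_s_mem());
+ unsigned char * data;
+ unsigned char * text;
+ int n;
 
- trace_ssl(hSession,"\n%s\n",text);
+ X509_CRL_print(out,crl);
 
- free(text);
- BIO_free(out);
+ n = BIO_get_mem_data(out, &data);
+ text = (unsigned char *) malloc (n+1);
+ text[n] ='\0';
+ memcpy(text,data,n);
 
- }
+ trace_ssl(hSession,"\n%s\n",text);
 
- X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
- X509_STORE_add_crl(store, crl);
- X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
- X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
- X509_STORE_set1_param(store, param);
- X509_VERIFY_PARAM_free(param);
+ free(text);
+ BIO_free(out);
 
 }
+
+ X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
+ X509_STORE_add_crl(store, crl);
+ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+ X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_set1_param(store, param);
+ X509_VERIFY_PARAM_free(param);
 #endif // SSL_ENABLE_CRL_CHECK
 
 return 0;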
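Review bot: Removing the `if(hSession->ssl.crl)` guard makes `lib3270_get_X509_CRL` run unconditionally, and with the companion change in getcrl.c that function now returns NULL when no CRL URL is configured, so `ssl_ctx_init` fails for every session that has neither a session CRL URL, a compiled-in `LIB3270_DEFAULT_CRL`, nor the environment variable. Failing closed is defensible for a revocation check, but it is a behavior change that should be stated above the call, e.g. `// With SSL_ENABLE_CRL_CHECK a usable CRL URL is mandatory; a missing one is a hard error.`; if it was not intended, keep a guard on `lib3270_get_crl_url(hSession)` being non-empty. The moved trace block still writes `text[n]` (new line 130) without checking the `malloc` result and never checks `BIO_new`, so both should be tested for NULL before use. `ssl_ctx_init` begins and ends outside the hunk.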
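--- a/src/lib3270/ssl/linux/getcrl.c
+++ b/src/lib3270/ssl/linux/getcrl.c
@@ -96,29 +96,23 @@ static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)
 
 X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 {
- X509_CRL * crl = NULL;
+ X509_CRL * crl = NULL;
+ const char * consturl = lib3270_get_crl_url(hSession);
 
- if(!hSession->ssl.crl)
- {
-#ifdef LIB3270_DEFAULT_CRL
- hSession->ssl.crl = strdup(LIB3270_DEFAULT_CRL);
-#else
- char *env = getenv("LIB3270_DEFAULT_CRL");
- if(env)
- hSession->ssl.crl = strdup(env);
-#endif // LIB3270_DEFAULT_CRL
- }
-
- if(!hSession->ssl.crl)
+ if(!(consturl && *consturl))
 {
+ message->error = hSession->ssl.error = 0;
+ message->title = N_( "Security error" );
+ message->text = N_( "Can't open CRL File" );
+ message->description = N_("The URL for the CRL is undefined or empty");
 return NULL;
 }
 
- trace_ssl(hSession, "crl=%s",hSession->ssl.crl);
+ trace_ssl(hSession, "crl=%s",consturl);
 
- if(strncasecmp(hSession->ssl.crl,"file://",7) == 0)
+ if(strncasecmp(consturl,"file://",7) == 0)
 {
- lib3270_autoptr(FILE) hCRL = fopen(hSession->ssl.crl+7,"r");
+ lib3270_autoptr(FILE) hCRL = fopen(consturl+7,"r");
 
 if(!hCRL)
 {
@@ -127,20 +121,20 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->title = N_( "Security error" );
 message->text = N_( "Can't open CRL File" );
 message->description = strerror(errno);
- lib3270_write_log(hSession,"ssl","Can't open %s: %s",hSession->ssl.crl,message->description);
+ lib3270_write_log(hSession,"ssl","Can't open %s: %s",consturl,message->description);
 return NULL;
 
 }
 
- lib3270_write_log(hSession,"ssl","Loading CRL from %s",hSession->ssl.crl+7);
+ lib3270_write_log(hSession,"ssl","Loading CRL from %s",consturl+7);
 d2i_X509_CRL_fp(hCRL, &crl);
 
 }
 #ifdef HAVE_LDAP
- else if(strncasecmp(hSession->ssl.crl,"ldap",4) == 0)
+ else if(strncasecmp(consturl,"ldap",4) == 0)
 {
 int rc;
- lib3270_autoptr(char) url = strdup(hSession->ssl.crl);
+ lib3270_autoptr(char) url = strdup(consturl);
 
 char * attrs[] = { NULL, NULL };
 char * base = NULL;
@@ -307,7 +301,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->title = N_( "Security error" );
 message->text = N_( "Unexpected or invalid CRL URL" );
 message->description = N_("The URL scheme is unknown");
- lib3270_write_log(hSession,"ssl","%s: %s",hSession->ssl.crl, message->description);
+ lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
 return NULL;
 }
 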
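Review bot: The new empty-URL branch in the first hunk (new lines 104-107) zeroes `message->error` and `hSession->ssl.error` and reuses the text "Can't open CRL File" although no file was opened, so a caller inspecting the error code or text cannot tell "no CRL configured" from a genuine open failure. Give it a distinct message, e.g. `message->text = N_( "CRL URL is not defined" );`, and if a zero error code is meant to mean "not configured", say so in a comment on that line. Note also that `consturl` may now point into the process environment rather than a session-owned copy (the getter in properties.c returns `getenv()` directly), which is fine while the string is only read within this call but deserves a one-line comment next to the declaration. The function body continues past the hunks shown here.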
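--- a/src/lib3270/testprogram/testprogram.c
+++ b/src/lib3270/testprogram/testprogram.c
@@ -2,20 +2,47 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <getopt.h>
 
 #include <lib3270.h>
 
 #define MAX_ARGS 10
 
-int main(int numpar, char *param[])
+int main(int argc, char *argv[])
 {
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant"
+ static struct option options[] = {
+ { "crl", required_argument, 0, 'C' },
+ { "url", required_argument, 0, 'U' },
+
+ { 0, 0, 0, 0}
+
+ };
+ #pragma GCC diagnostic pop
+
 H3270 * h;
 int rc = 0;
 
 h = lib3270_session_new("");
 printf("3270 session %p created\n]",h);
 
- // lib3270_set_url(h,url ? url : "tn3270://fandezhi.efglobe.com");
+ int long_index =0;
+ int opt;
+ while((opt = getopt_long(argc, argv, "C:U:", options, &long_index )) != -1) {
+ switch(opt) {
+ case 'U':
+ lib3270_set_url(h,optarg);
+ break;
+
+ case 'C':
+ lib3270_set_crl_url(h,optarg);
+ break;
+ }
+
+ }
+
+ printf("HOST URL: %s\HOST CRL: %s\n",lib3270_get_url(h),lib3270_get_crl_url(h));
 
 if(lib3270_set_url(h,NULL))
 lib3270_set_url(h,"tn3270://fandezhi.efglobe.com");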
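Review bot: The new summary `printf` (new line 45) uses `"\H"` where `"\n"` was meant; `\H` is not a valid escape sequence, so the compiler warns and the first line runs into the second. It also passes `lib3270_get_crl_url(h)` to `%s`, which is undefined behavior when the getter returns NULL (in properties.c it returns `getenv()` unchanged when no URL or compiled-in default exists). Replace it with `const char *crl = lib3270_get_crl_url(h);` followed by `printf("HOST URL: %s\nHOST CRL: %s\n", lib3270_get_url(h), crl ? crl : "(none)");`. The `switch(opt)` has no `default:`, so an unknown option (for which `getopt_long` returns `'?'`) is silently ignored; add `default: fprintf(stderr, "Usage: %s [--url URL] [--crl URL]\n", argv[0]); return 1;`. `main` continues beyond the hunk.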