From 5b8675fe37c7e80c83ed0b38cafda3c1ee8d3bd1 Mon Sep 17 00:00:00 2001 From: Perry Werneck Date: Wed, 16 Jan 2019 09:01:36 -0200 Subject: [PATCH] Improving CRL property Adding options to test program --- configure.ac | 2 +- src/include/lib3270.h | 4 +++- src/lib3270/properties.c | 36 +++++++++++++++++++++++------------- src/lib3270/ssl/ctx_init.c | 52 ++++++++++++++++++++++++---------------------------- src/lib3270/ssl/linux/getcrl.c | 36 +++++++++++++++--------------------- src/lib3270/testprogram/testprogram.c | 31 +++++++++++++++++++++++++++++-- 6 files changed, 95 insertions(+), 66 deletions(-) diff --git a/configure.ac b/configure.ac index 5832eda..20c95e3 100644 --- a/configure.ac +++ b/configure.ac @@ -340,7 +340,7 @@ AC_ARG_ENABLE([ssl-crl-check], app_cv_enable_crl_check="no" ]) -if test "$app_cv_self_signed_certs" == "yes"; then +if test "$app_cv_enable_crl_check" == "yes"; then AC_DEFINE(SSL_ENABLE_CRL_CHECK) fi diff --git a/src/include/lib3270.h b/src/include/lib3270.h index 577ae29..ce851ae 100644 --- a/src/include/lib3270.h +++ b/src/include/lib3270.h @@ -474,7 +474,9 @@ * @return 0 on sucess, non zero on error (sets errno). * */ - LIB3270_EXPORT int lib3270_set_crl(H3270 *hSession, const char *crl); + LIB3270_EXPORT int lib3270_set_crl_url(H3270 *hSession, const char *crl); + + LIB3270_EXPORT const char * lib3270_get_crl_url(H3270 *hSession); /** * @brief Get hostname for the connect/reconnect operations. diff --git a/src/lib3270/properties.c b/src/lib3270/properties.c index 3622ee6..0e2931b 100644 --- a/src/lib3270/properties.c +++ b/src/lib3270/properties.c 
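Review bot: The corrected condition still uses `==`, which is a bash extension rather than POSIX `test`; the variable fix is right, but under dash or another POSIX /bin/sh the generated configure can report an unknown operand and never define SSL_ENABLE_CRL_CHECK, silently disabling the revocation check again. Use the portable form `if test "$app_cv_enable_crl_check" = "yes"; then`. `AC_DEFINE(SSL_ENABLE_CRL_CHECK)` with a single argument also yields an autoheader warning about the missing description; `AC_DEFINE([SSL_ENABLE_CRL_CHECK], [1], [Enable CRL check on SSL connections])` would document it where the template is generated.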
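Review bot: The new `lib3270_get_crl_url` declaration carries no doc comment, and the `@return 0 on sucess` block above it still describes only the (renamed) setter, so the header says nothing about what the getter returns when no URL was set or when CRL checking is compiled out. Add a `/** @brief ... */` block stating that it returns the session's CRL URL, falling back to the build-time or LIB3270_DEFAULT_CRL environment default, that with SSL_ENABLE_CRL_CHECK disabled it sets errno to ENOTSUP and returns an empty string, and — as implemented in properties.c — that the result can be NULL when no default exists. Renaming the exported `lib3270_set_crl` to `lib3270_set_crl_url` also drops a public symbol with no compatibility alias, which breaks existing callers at link time; if that is unintended, keep `LIB3270_EXPORT int lib3270_set_crl(H3270 *hSession, const char *crl);` as a deprecated wrapper forwarding to the new name. The typo `sucess` in the retained comment could be fixed while touching this block.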
@@ -285,7 +285,26 @@ return lib3270_get_revision(); } - int lib3270_set_crl(H3270 *hSession, const char *crl) + const char * lib3270_get_crl_url(H3270 *hSession) + { +#ifdef SSL_ENABLE_CRL_CHECK + if(hSession->ssl.crl) + return hSession->ssl.crl; + +#ifdef LIB3270_DEFAULT_CRL + return LIB3270_DEFAULT_CRL; +#else + return getenv("LIB3270_DEFAULT_CRL"); +#endif // LIB3270_DEFAULT_CRL + +#else + errno = ENOTSUP; + return ""; +#endif + } + + + int lib3270_set_crl_url(H3270 *hSession, const char *crl) { FAIL_IF_ONLINE(hSession); @@ -313,15 +332,6 @@ } - static const char * lib3270_get_crl(H3270 *hSession) - { -#ifdef SSL_ENABLE_CRL_CHECK - if(hSession->ssl.crl) - return hSession->ssl.crl; -#endif - return ""; - } - LIB3270_EXPORT const LIB3270_STRING_PROPERTY * lib3270_get_string_properties_list(void) { static const LIB3270_STRING_PROPERTY properties[] = { @@ -383,10 +393,10 @@ }, { - "crl", // Property name. + "crlpath", // Property name. N_( "URL for the CRL file" ), // Property description. - lib3270_get_crl, // Get value. - lib3270_set_crl, // Set value. + lib3270_get_crl_url, // Get value. + lib3270_set_crl_url, // Set value. }, diff --git a/src/lib3270/ssl/ctx_init.c b/src/lib3270/ssl/ctx_init.c index d8e6942..b0646ca 100644 --- a/src/lib3270/ssl/ctx_init.c +++ b/src/lib3270/ssl/ctx_init.c 
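Review bot: `lib3270_get_crl_url` can return NULL: the `#else` branch returns `getenv("LIB3270_DEFAULT_CRL")` unguarded, whereas the deleted `lib3270_get_crl` always returned a string, so any caller that treats string properties as non-NULL (the testprogram's `%s` printf in this same commit is one) now dereferences NULL. Return an empty string instead: `const char *env = getenv("LIB3270_DEFAULT_CRL");` / `return env ? env : "";`. The non-CRL build sets `errno = ENOTSUP` but returns `""`, which is indistinguishable from "no URL configured" for a caller that does not check errno; that contract belongs in the header comment. `lib3270_set_crl_url` continues past the end of the hunk.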
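Review bot: The property is renamed from `"crl"` to `"crlpath"` while its description still reads "URL for the CRL file" and its accessors are `lib3270_get_crl_url`/`lib3270_set_crl_url`, so the name now contradicts both; a `file://` or `ldap://` URL is not a path. Either keep `"crl"`, which also avoids silently breaking any configuration that already sets that property name, or pick a name that matches the accessors such as `"crlurl"`. Since the getter now resolves the build-time/environment default, reading the property may return a value the user never set; if the property list is used for configuration round-tripping, that is worth a one-line comment next to the entry.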
@@ -111,42 +111,38 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message) // // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session // - if(hSession->ssl.crl) - { - lib3270_autoptr(X509_CRL) crl = lib3270_get_X509_CRL(hSession,message); - - if(!crl) - return -1; - - if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE)) - { - BIO * out = BIO_new(BIO_s_mem()); - unsigned char * data; - unsigned char * text; - int n; + lib3270_autoptr(X509_CRL) crl = lib3270_get_X509_CRL(hSession,message); - X509_CRL_print(out,crl); + if(!crl) + return -1; - n = BIO_get_mem_data(out, &data); - text = (unsigned char *) malloc (n+1); - text[n] ='\0'; - memcpy(text,data,n); + if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE)) + { + BIO * out = BIO_new(BIO_s_mem()); + unsigned char * data; + unsigned char * text; + int n; - trace_ssl(hSession,"\n%s\n",text); + X509_CRL_print(out,crl); - free(text); - BIO_free(out); + n = BIO_get_mem_data(out, &data); + text = (unsigned char *) malloc (n+1); + text[n] ='\0'; + memcpy(text,data,n); - } + trace_ssl(hSession,"\n%s\n",text); - X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); - X509_STORE_add_crl(store, crl); - X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - X509_STORE_set1_param(store, param); - X509_VERIFY_PARAM_free(param); + free(text); + BIO_free(out); } + + X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); + X509_STORE_add_crl(store, crl); + X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); + X509_STORE_set1_param(store, param); + X509_VERIFY_PARAM_free(param); #endif // SSL_ENABLE_CRL_CHECK return 0; diff --git a/src/lib3270/ssl/linux/getcrl.c b/src/lib3270/ssl/linux/getcrl.c index e9d4e16..19e9667 100644 --- a/src/lib3270/ssl/linux/getcrl.c +++ b/src/lib3270/ssl/linux/getcrl.c 
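Review bot: On the new side `BIO_new`, `malloc(n+1)` and `X509_VERIFY_PARAM_new` are used without NULL checks, and the return of `X509_STORE_add_crl` is ignored; if the store rejects the CRL, `X509_V_FLAG_CRL_CHECK` is still set, so every subsequent handshake fails verification with no log line explaining why. The trace dump can drop the malloc/memcpy entirely by printing the BIO memory with a precision, assuming `trace_ssl` forwards its format to a printf-family function as the `"\n%s\n"` call suggests, and the add should be checked and reported through `*message` like the other failure paths. Removing the `if(hSession->ssl.crl)` guard makes a session with neither a CRL URL nor a default fail `ssl_ctx_init` outright — fail-closed is the right default for a revocation check, but it changes behaviour for users who never set a CRL and should be called out in the commit message and header docs. `X509_V_FLAG_CRL_CHECK` checks only the leaf certificate; if revocation of intermediates matters here, `X509_V_FLAG_CRL_CHECK_ALL` is the flag to consider. `ssl_ctx_init` starts before the hunk.
```c
	if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
	{
		BIO * out = BIO_new(BIO_s_mem());
		if(out)
		{
			unsigned char * data = NULL;
			int n;

			X509_CRL_print(out,crl);
			n = BIO_get_mem_data(out, &data);
			if(n > 0)
				trace_ssl(hSession,"\n%.*s\n",n,(const char *) data);
			BIO_free(out);
		}
	}

	X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
	if(!X509_STORE_add_crl(store, crl))
	{
		/* … set message->title/text/description as on the other failure paths … */
		return -1;
	}
	/* … unchanged: X509_VERIFY_PARAM setup and free … */
```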
@@ -96,29 +96,23 @@ static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr) X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message) { - X509_CRL * crl = NULL; + X509_CRL * crl = NULL; + const char * consturl = lib3270_get_crl_url(hSession); - if(!hSession->ssl.crl) - { -#ifdef LIB3270_DEFAULT_CRL - hSession->ssl.crl = strdup(LIB3270_DEFAULT_CRL); -#else - char *env = getenv("LIB3270_DEFAULT_CRL"); - if(env) - hSession->ssl.crl = strdup(env); -#endif // LIB3270_DEFAULT_CRL - } - - if(!hSession->ssl.crl) + if(!(consturl && *consturl)) { + message->error = hSession->ssl.error = 0; + message->title = N_( "Security error" ); + message->text = N_( "Can't open CRL File" ); + message->description = N_("The URL for the CRL is undefined or empty"); return NULL; } - trace_ssl(hSession, "crl=%s",hSession->ssl.crl); + trace_ssl(hSession, "crl=%s",consturl); - if(strncasecmp(hSession->ssl.crl,"file://",7) == 0) + if(strncasecmp(consturl,"file://",7) == 0) { - lib3270_autoptr(FILE) hCRL = fopen(hSession->ssl.crl+7,"r"); + lib3270_autoptr(FILE) hCRL = fopen(consturl+7,"r"); if(!hCRL) { 
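Review bot: The new "undefined or empty" branch sets `message->error = hSession->ssl.error = 0` and then returns NULL, so a caller that inspects `ssl.error` after the failure sees "no error" even though no CRL was loaded and `ssl_ctx_init` will abort the connection; if `error` is meant to carry an errno/SSL code, this path should store a non-zero value (an errno such as EINVAL would do), otherwise the convention that 0 means "see the message fields" should be stated in a comment. The reused `N_( "Can't open CRL File" )` is also misleading here since nothing was opened; `N_( "CRL URL is undefined" )` would agree with the description. Because the default is now re-resolved through `lib3270_get_crl_url` on every call instead of being cached in `hSession->ssl.crl`, the pointer from `getenv` stays valid only until the environment is modified; it is consumed within this function, which is fine, but worth a one-line comment. `lib3270_get_X509_CRL` continues beyond the hunk.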
@@ -127,20 +121,20 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message) message->title = N_( "Security error" ); message->text = N_( "Can't open CRL File" ); message->description = strerror(errno); - lib3270_write_log(hSession,"ssl","Can't open %s: %s",hSession->ssl.crl,message->description); + lib3270_write_log(hSession,"ssl","Can't open %s: %s",consturl,message->description); return NULL; } - lib3270_write_log(hSession,"ssl","Loading CRL from %s",hSession->ssl.crl+7); + lib3270_write_log(hSession,"ssl","Loading CRL from %s",consturl+7); d2i_X509_CRL_fp(hCRL, &crl); } #ifdef HAVE_LDAP - else if(strncasecmp(hSession->ssl.crl,"ldap",4) == 0) + else if(strncasecmp(consturl,"ldap",4) == 0) { int rc; - lib3270_autoptr(char) url = strdup(hSession->ssl.crl); + lib3270_autoptr(char) url = strdup(consturl); char * attrs[] = { NULL, NULL }; char * base = NULL; @@ -307,7 +301,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message) message->title = N_( "Security error" ); message->text = N_( "Unexpected or invalid CRL URL" ); message->description = N_("The URL scheme is unknown"); - lib3270_write_log(hSession,"ssl","%s: %s",hSession->ssl.crl, message->description); + lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description); return NULL; } diff --git a/src/lib3270/testprogram/testprogram.c b/src/lib3270/testprogram/testprogram.c index ee9970a..8bc4f96 100644 --- a/src/lib3270/testprogram/testprogram.c +++ b/src/lib3270/testprogram/testprogram.c 
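Review bot: `lib3270_autoptr(char) url = strdup(consturl);` in the LDAP branch is not checked before the URL is parsed further down, so an allocation failure turns into a NULL dereference rather than a reported error; add `if(!url) { message->title = N_( "Security error" ); message->text = N_( "Can't parse CRL URL" ); message->description = strerror(errno); return NULL; }` directly after the strdup, mirroring the file:// path. On the file:// path the failure log prints the full `consturl` while the success log prints `consturl+7`, so the two lines do not correlate in the log; print the same form in both. The function body extends beyond the hunk.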
@@ -2,20 +2,47 @@ #include #include #include +#include #include #define MAX_ARGS 10 -int main(int numpar, char *param[]) +int main(int argc, char *argv[]) { + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant" + static struct option options[] = { + { "crl", required_argument, 0, 'C' }, + { "url", required_argument, 0, 'U' }, + + { 0, 0, 0, 0} + + }; + #pragma GCC diagnostic pop + H3270 * h; int rc = 0; h = lib3270_session_new(""); printf("3270 session %p created\n]",h); - // lib3270_set_url(h,url ? url : "tn3270://fandezhi.efglobe.com"); + int long_index =0; + int opt; + while((opt = getopt_long(argc, argv, "C:U:", options, &long_index )) != -1) { + switch(opt) { + case 'U': + lib3270_set_url(h,optarg); + break; + + case 'C': + lib3270_set_crl_url(h,optarg); + break; + } + + } + + printf("HOST URL: %s\HOST CRL: %s\n",lib3270_get_url(h),lib3270_get_crl_url(h)); if(lib3270_set_url(h,NULL)) lib3270_set_url(h,"tn3270://fandezhi.efglobe.com"); -- libgit2 0.21.2
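Review bot: The format string `"HOST URL: %s\HOST CRL: %s\n"` contains `\H`, which is not a valid escape sequence (GCC warns and emits a bare `H`), so the two values run together on one line; it was presumably meant to be `\n`. Both `%s` arguments may also be NULL — `lib3270_get_crl_url` returns `getenv(...)` unguarded, and `lib3270_get_url` is read before the default URL is applied two lines later — and passing NULL for `%s` is undefined behaviour. Move the print after the default URL is set and guard the CRL value: `const char *crl = lib3270_get_crl_url(h);` / `printf("HOST URL: %s\nHOST CRL: %s\n", lib3270_get_url(h), crl ? crl : "(unset)");`. The `switch(opt)` has no `default`, so the `'?'` that `getopt_long` returns for an unknown option is silently ignored; add `default: return 1;` or print usage there. The `#include` directives appear with their header names stripped in this rendering, so the added include cannot be reviewed here.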