Commit 5d32071a1900495adcbb1aff027ec9faddfbcf81

Authored by Perry Werneck
1 parent 019aa4ba

Refactoring CRL check.

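--- a/src/ssl/negotiate.c
+++ b/src/ssl/negotiate.c
@@ -40,6 +40,7 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
 
 #ifndef SSL_ST_OK
 #define SSL_ST_OK 3
@@ -73,6 +74,24 @@
 */
 SSL_CTX * ssl_ctx = NULL;
 
+ /**
+ * @brief X509 auto-cleanup.
+ */
+static inline void lib3270_autoptr_cleanup_X509(X509 **ptr)
+{
+ if(*ptr)
+ X509_free(*ptr);
+}
+
+ /**
+ * @brief Dist points auto-cleanup.
+ */
+static inline void lib3270_autoptr_cleanup_CRL_DIST_POINTS(CRL_DIST_POINTS **ptr)
+{
+ if(*ptr)
+ CRL_DIST_POINTS_free(*ptr);
+}
+
 /**
 * @brief Initialize openssl session.
 *
@@ -81,7 +100,6 @@
 * @return 0 if ok, non zero if fails.
 *
 */
-
 static int background_ssl_init(H3270 *hSession, void *message)
 {
 set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
@@ -114,6 +132,24 @@ static int background_ssl_init(H3270 *hSession, void *message)
 return 0;
 }
 
+#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
+
+static int getCRLFromDistPoints(CRL_DIST_POINTS * dist_points, SSL_ERROR_MESSAGE *message)
+{
+ int ix;
+
+ for(ix = 0; ix < sk_DIST_POINT_num(dist_points); ix++) {
+
+ debug("CRL(%d):", ix);
+
+
+ }
+
+ return 0;
+}
+
+#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
+
 static int background_ssl_negotiation(H3270 *hSession, void *message)
 {
 int rv;
@@ -166,7 +202,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 //
 
 // Get peer certificate, notify application before validation.
-X509 * peer = SSL_get_peer_certificate(hSession->ssl.con);
+lib3270_autoptr(X509) peer = SSL_get_peer_certificate(hSession->ssl.con);
 
 if(peer)
 {
@@ -193,7 +229,29 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 
 hSession->cbk.set_peer_certificate(peer);
 
-X509_free(peer);
+#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
+ //
+ // No default CRL, try to download from the peer
+ //
+ // References:
+ //
+ // http://www.zedwood.com/article/cpp-check-crl-for-revocation
+ //
+
+ lib3270_autoptr(CRL_DIST_POINTS) dist_points = (CRL_DIST_POINTS *) X509_get_ext_d2i(peer, NID_crl_distribution_points, NULL, NULL);
+ if(!dist_points)
+ {
+ ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
+ ((SSL_ERROR_MESSAGE *) message)->text = _( "Can't verify." );
+ ((SSL_ERROR_MESSAGE *) message)->description = _( "The host certificate doesn't have CRL distribution points" );
+ return EACCES;
+ }
+
+ if(getCRLFromDistPoints(dist_points, (SSL_ERROR_MESSAGE *) message))
+ return EACCES;
+
+#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
+
 }
 
 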
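Review bot: `getCRLFromDistPoints` unconditionally returns 0, so under `!SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK` the guard `if(getCRLFromDistPoints(dist_points, (SSL_ERROR_MESSAGE *) message)) return EACCES;` in `background_ssl_negotiation` can never reject a peer: the loop only emits `debug("CRL(%d):", ix);`, no CRL is fetched or consulted, and `message` is never written. As committed, a certificate that carries distribution points passes the "CRL check" unverified while one without them is refused with EACCES, which is the wrong way round for a revocation check; until the download and verification are written the stub should fail closed, e.g. set `message->title = _( "Security error" );` and `message->text = _( "Can't verify." );` and `return -1;` (the caller only tests for non-zero), with a `// TODO: fetch and verify CRL from each DIST_POINT` marking the gap. Minor: the `if(*ptr)` guards in both `lib3270_autoptr_cleanup_*` helpers are redundant, since OpenSSL's `X509_free` and `CRL_DIST_POINTS_free` accept NULL. The body of `background_ssl_negotiation` continues outside the hunk, so the `if(peer)` else path is not visible here.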
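--- a/src/testprogram/testprogram.c
+++ b/src/testprogram/testprogram.c
@@ -107,6 +107,7 @@ int main(int argc, char *argv[])
 lib3270_wait_for_ready(h,10);
 printf("Waiting ends %u\n\n",(unsigned int) time(NULL));
 
+ /*
 lib3270_enter(h);
 lib3270_wait(h,5);
 
@@ -128,6 +129,9 @@ int main(int argc, char *argv[])
 if(text)
 printf("Screen:\n[%s]\n",text);
 }
+ */
+
+ lib3270_disconnect(h);
 
 }
 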
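Review bot: The `/*` added after `printf("Waiting ends ...")` and the `*/` added after the closing `}` of the screen-dump block turn roughly twenty lines of `main` into a block comment instead of removing them, leaving commented-out code in the test program. If any line inside that span already holds a `/* ... */` comment (the span is not visible here), the outer comment ends early and the rest no longer compiles as intended; `#if 0` / `#endif` nests safely, or the block can simply be deleted since it remains in history. `main` starts and ends outside the hunks.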