Commit 5d32071a1900495adcbb1aff027ec9faddfbcf81
1 parent
019aa4ba
Refactoring CRL check.
Showing
2 changed files
with
65 additions
and
3 deletions
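--- a/src/ssl/negotiate.c
+++ b/src/ssl/negotiate.c
@@ -40,6 +40,7 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/x509_vfy.h>
+#include <openssl/x509v3.h>
 
 #ifndef SSL_ST_OK
 #define SSL_ST_OK 3
@@ -73,6 +74,24 @@
  */
 SSL_CTX * ssl_ctx = NULL;
 
+ /**
+ * @brief X509 auto-cleanup.
+ */
+static inline void lib3270_autoptr_cleanup_X509(X509 **ptr)
+{
+	if(*ptr)
+		X509_free(*ptr);
+}
+
+ /**
+ * @brief Dist points auto-cleanup.
+ */
+static inline void lib3270_autoptr_cleanup_CRL_DIST_POINTS(CRL_DIST_POINTS **ptr)
+{
+	if(*ptr)
+		CRL_DIST_POINTS_free(*ptr);
+}
+
 /**
  * @brief Initialize openssl session.
  *
@@ -81,7 +100,6 @@
  * @return 0 if ok, non zero if fails.
  *
  */
-
 static int background_ssl_init(H3270 *hSession, void *message)
 {
 	set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
@@ -114,6 +132,24 @@ static int background_ssl_init(H3270 *hSession, void *message)
 	return 0;
 }
 
+#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
+
+static int getCRLFromDistPoints(CRL_DIST_POINTS * dist_points, SSL_ERROR_MESSAGE *message)
+{
+	int ix;
+
+	for(ix = 0; ix < sk_DIST_POINT_num(dist_points); ix++) {
+
+		debug("CRL(%d):", ix);
+
+
+	}
+
+	return 0;
+}
+
+#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
+
 static int background_ssl_negotiation(H3270 *hSession, void *message)
 {
 	int rv;
@@ -166,7 +202,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 	//
 
 	// Get peer certificate, notify application before validation.
-	X509 * peer = SSL_get_peer_certificate(hSession->ssl.con);
+	lib3270_autoptr(X509) peer = SSL_get_peer_certificate(hSession->ssl.con);
 
 	if(peer)
 	{
@@ -193,7 +229,29 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 
 		hSession->cbk.set_peer_certificate(peer);
 
-		X509_free(peer);
+#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
+		//
+		// No default CRL, try to download from the peer
+		//
+		// References:
+		//
+		// http://www.zedwood.com/article/cpp-check-crl-for-revocation
+		//
+
+		lib3270_autoptr(CRL_DIST_POINTS) dist_points = (CRL_DIST_POINTS *) X509_get_ext_d2i(peer, NID_crl_distribution_points, NULL, NULL);
+		if(!dist_points)
+		{
+			((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
+			((SSL_ERROR_MESSAGE *) message)->text = _( "Can't verify." );
+			((SSL_ERROR_MESSAGE *) message)->description = _( "The host certificate doesn't have CRL distribution points" );
+			return EACCES;
+		}
+
+		if(getCRLFromDistPoints(dist_points, (SSL_ERROR_MESSAGE *) message))
+			return EACCES;
+
+#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
+
 	}
 
 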
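Review bot: getCRLFromDistPoints() in the `@@ -114,6 +132,24 @@` hunk is still a stub — it emits one debug line per distribution point and then unconditionally returns 0 — so in a build with SSL_ENABLE_CRL_CHECK and no SSL_DEFAULT_CRL_URL the `if(getCRLFromDistPoints(...))` check in the `@@ -193` hunk passes a certificate whose revocation status was never examined. Until the fetch and verification are implemented the stub should fail closed and say why, e.g. replace `return 0;` with `message->description = _( "CRL download from distribution points is not implemented" ); return ENOTSUP;`, which also gives the currently unused `message` parameter a purpose — as written, the caller's `return EACCES` after a non-zero result would surface whatever title/text were last stored in the message. The `lib3270_autoptr(X509) peer` change does release the certificate on the two new early returns as well as on the normal path, assuming `lib3270_autoptr` expands to the cleanup-attribute idiom the two new `lib3270_autoptr_cleanup_*` helpers are shaped for; the macro definition is outside this diff. background_ssl_negotiation() continues past the last hunk.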
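--- a/src/testprogram/testprogram.c
+++ b/src/testprogram/testprogram.c
@@ -107,6 +107,7 @@ int main(int argc, char *argv[])
 	lib3270_wait_for_ready(h,10);
 	printf("Waiting ends %u\n\n",(unsigned int) time(NULL));
 
+	/*
 	lib3270_enter(h);
 	lib3270_wait(h,5);
 
@@ -128,6 +129,9 @@ int main(int argc, char *argv[])
 		if(text)
 			printf("Screen:\n[%s]\n",text);
 	}
+	*/
+
+	lib3270_disconnect(h);
 
 }
 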
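Review bot: The `/*` inserted before `lib3270_enter(h)` and the `*/` added after the screen-dump block park about twenty lines of main() in a block comment; C block comments do not nest, so if any of those lines already carries a `/* ... */` the comment closes there and the rest compiles again. The enclosed region lies between the two hunks and is not shown, so I cannot confirm it is clean — `#if 0` / `#endif` is the conventional way to disable a stretch of code, and deleting it is cleaner still if it is no longer wanted. The added `lib3270_disconnect(h);` before the closing brace is reasonable; main() starts before the first hunk.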