Commit 5ddaf550a4bb2c9b53c16a0e015163445255792e
Adjustments in the SSL negotiation.
Showing
7 changed files
with
34 additions
and
77 deletions
lib3270.cbp
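--- a/src/core/host.c
+++ b/src/core/host.c
@@ -220,7 +220,7 @@ void lib3270_st_changed(H3270 *h, LIB3270_STATE tx, int mode)
 
 static void update_url(H3270 *hSession)
 {
-Replace(hSession->host.full,
+Replace(hSession->host.url,
 lib3270_strdup_printf(
 "%s%s:%s",
 #ifdef HAVE_LIBSSL
@@ -236,7 +236,7 @@ static void update_url(H3270 *hSession)
 lib3270_crl_free(hSession);
 #endif // SSL_ENABLE_CRL_CHECK
 
-hSession->cbk.update_url(hSession, hSession->host.full);
+hSession->cbk.update_url(hSession, hSession->host.url);
 
 }
 
@@ -249,8 +249,8 @@ LIB3270_EXPORT int lib3270_set_luname(H3270 *hSession, const char *luname)
 
 LIB3270_EXPORT const char * lib3270_get_url(const H3270 *hSession)
 {
-if(hSession->host.full)
-return hSession->host.full;
+if(hSession->host.url)
+return hSession->host.url;
 
 #ifdef LIB3270_DEFAULT_HOST
 return LIB3270_DEFAULT_HOST;
@@ -422,7 +422,7 @@ LIB3270_EXPORT void lib3270_set_srvcname(H3270 *h, const char *srvc)
 
 LIB3270_EXPORT const char * lib3270_get_host(const H3270 *h)
 {
-return h->host.full;
+return h->host.url;
 }
 
 LIB3270_EXPORT const char * lib3270_get_luname(const H3270 *h)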
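--- a/src/core/session.c
+++ b/src/core/session.c
@@ -114,7 +114,7 @@ void lib3270_session_free(H3270 *h)
 
 // Release hostname info
 release_pointer(h->host.current);
-release_pointer(h->host.full);
+release_pointer(h->host.url);
 release_pointer(h->host.srvc);
 release_pointer(h->host.qualified);
 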
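--- a/src/include/lib3270-internals.h
+++ b/src/include/lib3270-internals.h
@@ -402,13 +402,12 @@ struct _h3270
 
 struct
 {
+char * url; /**< The host URL, for use in reconnecting */
 char * current; /**< The hostname part, stripped of qualifiers, luname and port number */
-char * full; /**< The entire string, for use in reconnecting */
 char * srvc; /**< The service name */
 char * qualified;
 } host;
 
-// char * proxy; /**< Proxy server (type:host[:port]) */
 char * termname;
 
 struct lib3270_charset charset;
@@ -506,6 +505,7 @@ struct _h3270
 /// @brief Proxy
 struct
 {
+char * proxy; ///< Proxy server (type:host[:port])
 int type;
 char * host;
 char * portname;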
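Review bot: The `char * proxy` member added at new line 508 is a heap-owned string with no visible release: the src/core/session.c hunk in this commit frees `host.url` but nothing in the diff frees this new field, so unless it is released elsewhere in lib3270_session_free it leaks on session teardown and becomes a stale pointer if the proxy is ever re-set. Add `release_pointer(h->proxy.proxy);` beside the other release_pointer calls (the enclosing struct name is outside the hunk, I am assuming the member is `proxy`) and state ownership on the field: `char * proxy; ///< Proxy server (type:host[:port]); owned by the session, released in lib3270_session_free`. Naming it `url`, mirroring `host.url`, would also avoid the `proxy.proxy` reading. struct _h3270 starts and ends outside the hunk.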
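--- a/src/include/lib3270.h
+++ b/src/include/lib3270.h
@@ -579,7 +579,7 @@
 * @return Pointer to host URL set (internal data, do not change it)
 *
 */
-LIB3270_EXPORT const char * lib3270_get_host(const H3270 *h);
+LIB3270_EXPORT const char * LIB3270_DEPRECATED(lib3270_get_host(const H3270 *h));
 
 
 /**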
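Review bot: The Doxygen block above (it starts outside the hunk) still documents lib3270_get_host as a live API; with the `LIB3270_DEPRECATED` wrapper at new line 582 it should carry a tag naming the replacement, e.g. ` * @deprecated Use lib3270_get_url() instead.`. The two are not drop-in equivalent as shown in src/core/host.c: lib3270_get_host returns `h->host.url` as-is, which is NULL when no host was set, while lib3270_get_url falls back to LIB3270_DEFAULT_HOST when that macro is defined. The tag should say so, otherwise a caller that tests the result for NULL will silently start receiving the default host after migrating.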
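--- a/src/ssl/crl.h
+++ b/src/ssl/crl.h
@@ -35,28 +35,11 @@
 #include <config.h> /* autoconf settings */
 #include <lib3270.h> /* lib3270 API calls and defs */
 
-#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
+#if defined(HAVE_LIBSSL)
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-/// @brief Unconditional release of the session CRL.
-LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession);
-
-/// @brief Release CRL if expired.
-LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession);
-
-/// @brief Load CRL from URL.
-LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url);
-
-/// @brief Load CRL from X509 certificate.
-LIB3270_INTERNAL int lib3270_crl_new_from_x509(H3270 *hSession, void *ssl_error, X509 *cert);
-
-/// @brief Load CRL from distribution points.
-LIB3270_INTERNAL int lib3270_crl_new_from_dist_points(H3270 *hSession, void *ssl_error, CRL_DIST_POINTS * dist_points);
-
-LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
-
 /**
 * @brief X509 auto-cleanup.
 */
@@ -76,6 +59,28 @@
 }
 
 
+#endif // HAVE_LIBSSL
+
+#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
+
+/// @brief Unconditional release of the session CRL.
+LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession);
+
+/// @brief Release CRL if expired.
+LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession);
+
+/// @brief Load CRL from URL.
+LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url);
+
+/// @brief Load CRL from X509 certificate.
+LIB3270_INTERNAL int lib3270_crl_new_from_x509(H3270 *hSession, void *ssl_error, X509 *cert);
+
+/// @brief Load CRL from distribution points.
+LIB3270_INTERNAL int lib3270_crl_new_from_dist_points(H3270 *hSession, void *ssl_error, CRL_DIST_POINTS * dist_points);
+
+LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
+
+
 #endif // SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL
 
 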
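Review bot: The three `lib3270_crl_new_from_*` prototypes at new lines 73-79 take their error sink as `void *ssl_error`, while `lib3270_download_crl` on line 81 takes `SSL_ERROR_MESSAGE * message`; since SSL_ERROR_MESSAGE is already visible at this point in the header, declaring them `SSL_ERROR_MESSAGE *ssl_error` restores type checking for the callers that currently cast (the `(SSL_ERROR_MESSAGE *) message` casts in src/ssl/negotiate.c show the pattern). These are LIB3270_INTERNAL, so only their definitions need the matching edit. `lib3270_download_crl` is also the only declaration here without a Doxygen line; add `/// @brief Download CRL from URL.` in the style of its neighbours, and state who frees the returned X509_CRL, which I cannot tell from this hunk.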
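--- a/src/ssl/negotiate.c
+++ b/src/ssl/negotiate.c
@@ -239,55 +239,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 
 }
 
-/*
-if(peer)
-{
-
-#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
-//
-// No default CRL, try to download from the peer
-//
-
-lib3270_autoptr(CRL_DIST_POINTS) dist_points = (CRL_DIST_POINTS *) X509_get_ext_d2i(peer, NID_crl_distribution_points, NULL, NULL);
-if(!dist_points)
-{
-((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
-((SSL_ERROR_MESSAGE *) message)->text = _( "Can't verify." );
-((SSL_ERROR_MESSAGE *) message)->description = _( "The host certificate doesn't have CRL distribution points" );
-return EACCES;
-}
-
-if(lib3270_get_crl_from_dist_points(hSession, dist_points, (SSL_ERROR_MESSAGE *) message))
-return EACCES;
-
-// Got CRL, verify it!
-// Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
-X509_STORE_CTX *csc = X509_STORE_CTX_new();
-X509_STORE_CTX_set_verify_cb(csc,x509_store_ctx_error_callback);
-X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, NULL);
-
-if(X509_verify_cert(csc) != 1)
-rv = X509_STORE_CTX_get_error(csc);
-else
-rv = X509_V_OK;
-
-SSL_set_verify_result(hSession->ssl.con, rv);
-
-X509_STORE_CTX_free(csc);
-
-#else
-// No CRL download, use the standard verification.
-rv = SSL_get_verify_result(hSession->ssl.con);
-
-#endif // !SSL_CRL_URL && SSL_ENABLE_CRL_CHECK
-
-}
-else
-{
-rv = SSL_get_verify_result(hSession->ssl.con);
-}
-*/
-
+#ifdef SSL_ENABLE_CRL_CHECK
 if(SSL_get_verify_result(hSession->ssl.con) == X509_V_ERR_UNABLE_TO_GET_CRL && hSession->ssl.crl.cert && peer)
 {
 //
@@ -318,6 +270,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 X509_STORE_CTX_free(csc);
 
 }
+#endif // SSL_ENABLE_CRL_CHECK
 
 // Check validation state.
 rv = SSL_get_verify_result(hSession->ssl.con);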
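Review bot: The re-verification block now fenced by `#ifdef SSL_ENABLE_CRL_CHECK` (new lines 242-273) carries no comment saying why it exists, and it is the one place where this function overrides OpenSSL's own verdict; its body is outside the hunk, as is the rest of background_ssl_negotiation. Suggest, above line 243: `// The handshake verification failed only because no CRL was available; if the session already holds one, re-run chain verification against it before reading the final verify result below.` The `X509_STORE_CTX_free(csc)` at line 270 shows the block builds its own store context, so please confirm that an allocation or init failure inside it leaves the original X509_V_ERR_UNABLE_TO_GET_CRL in place rather than storing X509_V_OK, since line 276 trusts whatever the block last set with SSL_set_verify_result. A one-line note at the `#endif` that builds without SSL_ENABLE_CRL_CHECK appear to skip revocation checking entirely would also help whoever packages the library.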