From 5ddaf550a4bb2c9b53c16a0e015163445255792e Mon Sep 17 00:00:00 2001 From: Perry Werneck Date: Wed, 16 Oct 2019 13:45:01 -0300 Subject: [PATCH] Adjustments in the SSL negotiation. --- lib3270.cbp | 1 - src/core/host.c | 10 +++++----- src/core/session.c | 2 +- src/include/lib3270-internals.h | 4 ++-- src/include/lib3270.h | 2 +- src/ssl/crl.h | 41 +++++++++++++++++++++++------------------ src/ssl/negotiate.c | 51 ++------------------------------------------------- 7 files changed, 34 insertions(+), 77 deletions(-) diff --git a/lib3270.cbp b/lib3270.cbp index 71a6dec..754d5f6 100644 --- a/lib3270.cbp +++ b/lib3270.cbp @@ -325,7 +325,6 @@ - diff --git a/src/core/host.c b/src/core/host.c index da24055..8eddebc 100644 --- a/src/core/host.c +++ b/src/core/host.c @@ -220,7 +220,7 @@ void lib3270_st_changed(H3270 *h, LIB3270_STATE tx, int mode) static void update_url(H3270 *hSession) { - Replace(hSession->host.full, + Replace(hSession->host.url, lib3270_strdup_printf( "%s%s:%s", #ifdef HAVE_LIBSSL @@ -236,7 +236,7 @@ static void update_url(H3270 *hSession) lib3270_crl_free(hSession); #endif // SSL_ENABLE_CRL_CHECK - hSession->cbk.update_url(hSession, hSession->host.full); + hSession->cbk.update_url(hSession, hSession->host.url); } @@ -249,8 +249,8 @@ LIB3270_EXPORT int lib3270_set_luname(H3270 *hSession, const char *luname) LIB3270_EXPORT const char * lib3270_get_url(const H3270 *hSession) { - if(hSession->host.full) - return hSession->host.full; + if(hSession->host.url) + return hSession->host.url; #ifdef LIB3270_DEFAULT_HOST return LIB3270_DEFAULT_HOST; @@ -422,7 +422,7 @@ LIB3270_EXPORT void lib3270_set_srvcname(H3270 *h, const char *srvc) LIB3270_EXPORT const char * lib3270_get_host(const H3270 *h) { - return h->host.full; + return h->host.url; } LIB3270_EXPORT const char * lib3270_get_luname(const H3270 *h) diff --git a/src/core/session.c b/src/core/session.c index 04c09eb..5dce063 100644 --- a/src/core/session.c +++ b/src/core/session.c 
@@ -114,7 +114,7 @@ void lib3270_session_free(H3270 *h) // Release hostname info release_pointer(h->host.current); - release_pointer(h->host.full); + release_pointer(h->host.url); release_pointer(h->host.srvc); release_pointer(h->host.qualified); diff --git a/src/include/lib3270-internals.h b/src/include/lib3270-internals.h index dcc4fab..0527c22 100644 --- a/src/include/lib3270-internals.h +++ b/src/include/lib3270-internals.h @@ -402,13 +402,12 @@ struct _h3270 struct { + char * url; /**< The host URL, for use in reconnecting */ char * current; /**< The hostname part, stripped of qualifiers, luname and port number */ - char * full; /**< The entire string, for use in reconnecting */ char * srvc; /**< The service name */ char * qualified; } host; - // char * proxy; /**< Proxy server (type:host[:port]) */ char * termname; struct lib3270_charset charset; @@ -506,6 +505,7 @@ struct _h3270 /// @brief Proxy struct { + char * proxy; ///< Proxy server (type:host[:port]) int type; char * host; char * portname; diff --git a/src/include/lib3270.h b/src/include/lib3270.h index 4099e44..160cf77 100644 --- a/src/include/lib3270.h +++ b/src/include/lib3270.h @@ -579,7 +579,7 @@ * @return Pointer to host URL set (internal data, do not change it) * */ - LIB3270_EXPORT const char * lib3270_get_host(const H3270 *h); + LIB3270_EXPORT const char * LIB3270_DEPRECATED(lib3270_get_host(const H3270 *h)); /** diff --git a/src/ssl/crl.h b/src/ssl/crl.h index 5c9d12b..3d03dea 100644 --- a/src/ssl/crl.h +++ b/src/ssl/crl.h 
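Review bot: The new `char * proxy;` member added to the proxy struct in the second lib3270-internals.h hunk has no visible initialization or release anywhere in this patch; the session.c hunk's `lib3270_session_free` is updated to free `host.url` but nothing frees `proxy`, so if it is ever assigned a heap string it would leak (its assignment site is not in the patch, so this may be handled elsewhere). The moved comment is the field's only documentation and says nothing about ownership; extend it, e.g. `char * proxy; ///< Proxy server (type:host[:port]); heap string owned by the session`, and make sure the owner releases it. The enclosing `struct _h3270` definition starts and ends outside the hunk.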
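Review bot: In the lib3270.h hunk the `LIB3270_DEPRECATED` wrapper is applied to `lib3270_get_host` without updating the Doxygen block above it, which still presents the function as the way to obtain the host URL and names no replacement. The host.c hunks show `lib3270_get_url` reading the same `host.url` field (with a `LIB3270_DEFAULT_HOST` fallback that `lib3270_get_host` lacks), so add `@deprecated Use lib3270_get_url() instead.` to that comment so the compiler's deprecation warning points callers somewhere. The rest of the Doxygen block starts outside the hunk.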
@@ -35,28 +35,11 @@ #include /* autoconf settings */ #include /* lib3270 API calls and defs */ -#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL) +#if defined(HAVE_LIBSSL) #include #include - /// @brief Unconditional release of the session CRL. - LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession); - - /// @brief Release CRL if expired. - LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession); - - /// @brief Load CRL from URL. - LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url); - - /// @brief Load CRL from X509 certificate. - LIB3270_INTERNAL int lib3270_crl_new_from_x509(H3270 *hSession, void *ssl_error, X509 *cert); - - /// @brief Load CRL from distribution points. - LIB3270_INTERNAL int lib3270_crl_new_from_dist_points(H3270 *hSession, void *ssl_error, CRL_DIST_POINTS * dist_points); - - LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url); - /** * @brief X509 auto-cleanup. */ @@ -76,6 +59,28 @@ } +#endif // HAVE_LIBSSL + +#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL) + + /// @brief Unconditional release of the session CRL. + LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession); + + /// @brief Release CRL if expired. + LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession); + + /// @brief Load CRL from URL. + LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url); + + /// @brief Load CRL from X509 certificate. + LIB3270_INTERNAL int lib3270_crl_new_from_x509(H3270 *hSession, void *ssl_error, X509 *cert); + + /// @brief Load CRL from distribution points. + LIB3270_INTERNAL int lib3270_crl_new_from_dist_points(H3270 *hSession, void *ssl_error, CRL_DIST_POINTS * dist_points); + + LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url); + + #endif // SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL 
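Review bot: `lib3270_download_crl` is the only declaration in the relocated `SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL` block without a `/// @brief` line, while the five `lib3270_crl_*` prototypes above it each carry one; add `/// @brief Download a CRL from the given URL.` to keep the block self-describing. Also worth confirming: the host.c hunk calls `lib3270_crl_free` inside a region closed by `#endif // SSL_ENABLE_CRL_CHECK` alone, whereas its prototype here is visible only when `HAVE_LIBSSL` is also defined, so a CRL-check build without libssl would hit an implicit declaration unless that call site is guarded by both macros (the opening `#if` of that call site is not in the patch, so it may already be).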
diff --git a/src/ssl/negotiate.c b/src/ssl/negotiate.c index 92d046c..6a7656d 100644 --- a/src/ssl/negotiate.c +++ b/src/ssl/negotiate.c @@ -239,55 +239,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) } - /* - if(peer) - { - -#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK) - // - // No default CRL, try to download from the peer - // - - lib3270_autoptr(CRL_DIST_POINTS) dist_points = (CRL_DIST_POINTS *) X509_get_ext_d2i(peer, NID_crl_distribution_points, NULL, NULL); - if(!dist_points) - { - ((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" ); - ((SSL_ERROR_MESSAGE *) message)->text = _( "Can't verify." ); - ((SSL_ERROR_MESSAGE *) message)->description = _( "The host certificate doesn't have CRL distribution points" ); - return EACCES; - } - - if(lib3270_get_crl_from_dist_points(hSession, dist_points, (SSL_ERROR_MESSAGE *) message)) - return EACCES; - - // Got CRL, verify it! - // Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session - X509_STORE_CTX *csc = X509_STORE_CTX_new(); - X509_STORE_CTX_set_verify_cb(csc,x509_store_ctx_error_callback); - X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, NULL); - - if(X509_verify_cert(csc) != 1) - rv = X509_STORE_CTX_get_error(csc); - else - rv = X509_V_OK; - - SSL_set_verify_result(hSession->ssl.con, rv); - - X509_STORE_CTX_free(csc); - -#else - // No CRL download, use the standard verification. - rv = SSL_get_verify_result(hSession->ssl.con); - -#endif // !SSL_CRL_URL && SSL_ENABLE_CRL_CHECK - - } - else - { - rv = SSL_get_verify_result(hSession->ssl.con); - } - */ - +#ifdef SSL_ENABLE_CRL_CHECK if(SSL_get_verify_result(hSession->ssl.con) == X509_V_ERR_UNABLE_TO_GET_CRL && hSession->ssl.crl.cert && peer) { // 
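Review bot: The new `#ifdef SSL_ENABLE_CRL_CHECK` region, closed by the `#endif` added in the second negotiate.c hunk, compiles out every use of `peer` and `hSession->ssl.crl.cert` visible in this hunk, but `peer` is obtained before the hunk (not shown), so a build without CRL checking may now get an unused-variable warning for it, and if `peer` carries a reference that must be released that release has to stay outside the `#ifdef`; please confirm at the acquisition site. The condition is the one place where the verify result is reworked (the `X509_STORE_CTX_free(csc)` in the next hunk suggests a local re-verification, though that body is outside the hunk), so it deserves a one-line comment such as `// Verification failed only because no CRL was available; if the session already holds one (ssl.crl.cert), re-verify the peer against it below.` The function `background_ssl_negotiation` starts and ends outside this hunk.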
@@ -318,6 +270,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) X509_STORE_CTX_free(csc); } +#endif // SSL_ENABLE_CRL_CHECK // Check validation state. rv = SSL_get_verify_result(hSession->ssl.con); -- libgit2 0.21.2