Commit 5ddaf550a4bb2c9b53c16a0e015163445255792e
1 parent
8f457049
Adjustments in the SSL negotiation.
Showing
7 changed files
with
34 additions
and
77 deletions
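--- a/lib3270.cbp
+++ b/lib3270.cbp
@@ -325,7 +325,6 @@
 <Unit filename="src/ssl/notify.c">
 <Option compilerVar="CC" />
 </Unit>
-<Unit filename="src/ssl/private.h" />
 <Unit filename="src/ssl/properties.c">
 <Option compilerVar="CC" />
 </Unit>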
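--- a/src/core/host.c
+++ b/src/core/host.c
@@ -220,7 +220,7 @@ void lib3270_st_changed(H3270 *h, LIB3270_STATE tx, int mode)
 
 static void update_url(H3270 *hSession)
 {
-Replace(hSession->host.full,
+Replace(hSession->host.url,
 lib3270_strdup_printf(
 "%s%s:%s",
 #ifdef HAVE_LIBSSL
@@ -236,7 +236,7 @@ static void update_url(H3270 *hSession)
 lib3270_crl_free(hSession);
 #endif // SSL_ENABLE_CRL_CHECK
 
-hSession->cbk.update_url(hSession, hSession->host.full);
+hSession->cbk.update_url(hSession, hSession->host.url);
 
 }
 
@@ -249,8 +249,8 @@ LIB3270_EXPORT int lib3270_set_luname(H3270 *hSession, const char *luname)
 
 LIB3270_EXPORT const char * lib3270_get_url(const H3270 *hSession)
 {
-if(hSession->host.full)
-return hSession->host.full;
+if(hSession->host.url)
+return hSession->host.url;
 
 #ifdef LIB3270_DEFAULT_HOST
 return LIB3270_DEFAULT_HOST;
@@ -422,7 +422,7 @@ LIB3270_EXPORT void lib3270_set_srvcname(H3270 *h, const char *srvc)
 
 LIB3270_EXPORT const char * lib3270_get_host(const H3270 *h)
 {
-return h->host.full;
+return h->host.url;
 }
 
 LIB3270_EXPORT const char * lib3270_get_luname(const H3270 *h)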
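Review bot: `lib3270_get_host()` at line 425 still hands back `h->host.url` unchecked, so it can return NULL before any host is set, whereas its replacement `lib3270_get_url()` at lines 252–256 falls back to `LIB3270_DEFAULT_HOST`. Since lib3270.h now marks `lib3270_get_host` deprecated, making it a thin forwarder, `return lib3270_get_url(h);`, gives legacy callers the same contract as new ones and leaves a single place to maintain the fallback. Whether any caller relies on the NULL return cannot be told from these hunks, so check that before changing it. The `lib3270_crl_free(hSession)` call at line 236 sits under `SSL_ENABLE_CRL_CHECK`, which matches the guard crl.h now places on that declaration.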
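--- a/src/core/session.c
+++ b/src/core/session.c
@@ -114,7 +114,7 @@ void lib3270_session_free(H3270 *h)
 
 // Release hostname info
 release_pointer(h->host.current);
-release_pointer(h->host.full);
+release_pointer(h->host.url);
 release_pointer(h->host.srvc);
 release_pointer(h->host.qualified);
 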
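--- a/src/include/lib3270-internals.h
+++ b/src/include/lib3270-internals.h
@@ -402,13 +402,12 @@ struct _h3270
 
 struct
 {
+char * url; /**< The host URL, for use in reconnecting */
 char * current; /**< The hostname part, stripped of qualifiers, luname and port number */
-char * full; /**< The entire string, for use in reconnecting */
 char * srvc; /**< The service name */
 char * qualified;
 } host;
 
-// char * proxy; /**< Proxy server (type:host[:port]) */
 char * termname;
 
 struct lib3270_charset charset;
@@ -506,6 +505,7 @@ struct _h3270
 /// @brief Proxy
 struct
 {
+char * proxy; ///< Proxy server (type:host[:port])
 int type;
 char * host;
 char * portname;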
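Review bot: The new `char * proxy;` member at line 508 is placed inside the struct that is itself named `proxy`, so it is reached as `hSession->proxy.proxy`, and nothing in this commit allocates, initialises or releases it; `lib3270_session_free` in session.c frees the `host` strings but gains no release for this field. If it is heap-owned like `host.url`, add `release_pointer(h->proxy.proxy);` next to the host releases, or document in the member comment that it is borrowed; it may of course already be handled somewhere outside these hunks. A name such as `url`, mirroring `host.url`, would avoid the doubled `proxy.proxy`. `struct _h3270` starts and ends outside the hunks.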
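--- a/src/include/lib3270.h
+++ b/src/include/lib3270.h
@@ -579,7 +579,7 @@
 * @return Pointer to host URL set (internal data, do not change it)
 *
 */
-LIB3270_EXPORT const char * lib3270_get_host(const H3270 *h);
+LIB3270_EXPORT const char * LIB3270_DEPRECATED(lib3270_get_host(const H3270 *h));
 
 
 /**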
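Review bot: The declaration at line 582 is now wrapped in `LIB3270_DEPRECATED`, but the Doxygen block ending at line 581 still documents it as a plain getter and says nothing about what to call instead; add `* @deprecated Use lib3270_get_url() instead.` to that comment so the warning the macro presumably emits points users to the replacement. The start of that comment block is outside the hunk.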
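--- a/src/ssl/crl.h
+++ b/src/ssl/crl.h
@@ -35,28 +35,11 @@
 #include <config.h> /* autoconf settings */
 #include <lib3270.h> /* lib3270 API calls and defs */
 
-#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
+#if defined(HAVE_LIBSSL)
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-/// @brief Unconditional release of the session CRL.
-LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession);
-
-/// @brief Release CRL if expired.
-LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession);
-
-/// @brief Load CRL from URL.
-LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url);
-
-/// @brief Load CRL from X509 certificate.
-LIB3270_INTERNAL int lib3270_crl_new_from_x509(H3270 *hSession, void *ssl_error, X509 *cert);
-
-/// @brief Load CRL from distribution points.
-LIB3270_INTERNAL int lib3270_crl_new_from_dist_points(H3270 *hSession, void *ssl_error, CRL_DIST_POINTS * dist_points);
-
-LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
-
 /**
 * @brief X509 auto-cleanup.
 */
@@ -76,6 +59,28 @@
 }
 
 
+#endif // HAVE_LIBSSL
+
+#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSL)
+
+/// @brief Unconditional release of the session CRL.
+LIB3270_INTERNAL void lib3270_crl_free(H3270 *hSession);
+
+/// @brief Release CRL if expired.
+LIB3270_INTERNAL void lib3270_crl_free_if_expired(H3270 *hSession);
+
+/// @brief Load CRL from URL.
+LIB3270_INTERNAL int lib3270_crl_new_from_url(H3270 *hSession, void *ssl_error, const char *url);
+
+/// @brief Load CRL from X509 certificate.
+LIB3270_INTERNAL int lib3270_crl_new_from_x509(H3270 *hSession, void *ssl_error, X509 *cert);
+
+/// @brief Load CRL from distribution points.
+LIB3270_INTERNAL int lib3270_crl_new_from_dist_points(H3270 *hSession, void *ssl_error, CRL_DIST_POINTS * dist_points);
+
+LIB3270_INTERNAL X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
+
+
 #endif // SSL_ENABLE_CRL_CHECK && HAVE_LIBSSL
 
 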
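Review bot: `lib3270_download_crl` at line 81 is the only declaration in the relocated block without a `/// @brief` line, and none of the five say who owns the returned `X509_CRL *` or how `ssl_error`/`message` is filled on failure; suggest `/// @brief Download CRL from URL, filling message on failure; caller releases the returned X509_CRL.` once the ownership rule is confirmed against crl.c. The three `_new_from_*` functions take `void *ssl_error` while `lib3270_download_crl` takes `SSL_ERROR_MESSAGE * message`; since the header is being reorganised anyway, this is the natural place to settle on one type and one parameter name. Moving the declarations behind the auto-cleanup block is sound, as they depend only on the OpenSSL includes that remain inside the same `HAVE_LIBSSL` guard.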
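--- a/src/ssl/negotiate.c
+++ b/src/ssl/negotiate.c
@@ -239,55 +239,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 
 }
 
-/*
-if(peer)
-{
-
-#if !defined(SSL_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
-//
-// No default CRL, try to download from the peer
-//
-
-lib3270_autoptr(CRL_DIST_POINTS) dist_points = (CRL_DIST_POINTS *) X509_get_ext_d2i(peer, NID_crl_distribution_points, NULL, NULL);
-if(!dist_points)
-{
-((SSL_ERROR_MESSAGE *) message)->title = _( "Security error" );
-((SSL_ERROR_MESSAGE *) message)->text = _( "Can't verify." );
-((SSL_ERROR_MESSAGE *) message)->description = _( "The host certificate doesn't have CRL distribution points" );
-return EACCES;
-}
-
-if(lib3270_get_crl_from_dist_points(hSession, dist_points, (SSL_ERROR_MESSAGE *) message))
-return EACCES;
-
-// Got CRL, verify it!
-// Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
-X509_STORE_CTX *csc = X509_STORE_CTX_new();
-X509_STORE_CTX_set_verify_cb(csc,x509_store_ctx_error_callback);
-X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, NULL);
-
-if(X509_verify_cert(csc) != 1)
-rv = X509_STORE_CTX_get_error(csc);
-else
-rv = X509_V_OK;
-
-SSL_set_verify_result(hSession->ssl.con, rv);
-
-X509_STORE_CTX_free(csc);
-
-#else
-// No CRL download, use the standard verification.
-rv = SSL_get_verify_result(hSession->ssl.con);
-
-#endif // !SSL_CRL_URL && SSL_ENABLE_CRL_CHECK
-
-}
-else
-{
-rv = SSL_get_verify_result(hSession->ssl.con);
-}
-*/
-
+#ifdef SSL_ENABLE_CRL_CHECK
 if(SSL_get_verify_result(hSession->ssl.con) == X509_V_ERR_UNABLE_TO_GET_CRL && hSession->ssl.crl.cert && peer)
 {
 //
@@ -318,6 +270,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 X509_STORE_CTX_free(csc);
 
 }
+#endif // SSL_ENABLE_CRL_CHECK
 
 // Check validation state.
 rv = SSL_get_verify_result(hSession->ssl.con);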
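Review bot: The new `#ifdef SSL_ENABLE_CRL_CHECK` at line 242 and its `#endif` at line 273 bracket the X509_STORE_CTX re-verification whose body lies between the two hunks, so a reader of either hunk cannot see the matching directive; a short comment on the `#ifdef`, `#ifdef SSL_ENABLE_CRL_CHECK // retry verification against the session CRL when the library could not fetch one`, would tie the pair together. If the guarded body still follows the removed draft, `X509_STORE_CTX_new()` can return NULL and that return should be checked before `X509_STORE_CTX_set_verify_cb()` and `X509_STORE_CTX_init()`; the body is outside the hunk, so this is inferred rather than seen. With `SSL_ENABLE_CRL_CHECK` undefined, an `X509_V_ERR_UNABLE_TO_GET_CRL` result now reaches the "Check validation state" read at line 276 untouched, which is only safe if the code after that line treats it as a verification failure rather than a warning. `background_ssl_negotiation` starts and ends outside the hunks.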