Still refactoring the CRL download methods.

Perry Werneck
1 parent 265084d8
Showing 13 changed files with 304 additions and 100 deletions Show diff stats
lib3270.cbp
src/core/connect.c
src/core/properties/string.c
src/core/session.c
src/include/lib3270-internals.h
src/include/lib3270.h
src/ssl/crl.c
src/ssl/linux/getcrl.c
src/ssl/linux/ldap.c
src/ssl/negotiate.c
src/ssl/properties.c
src/ssl/windows/getcrl.c
src/testprogram/testprogram.c
@@ -301,6 +301,9 @@
 		<Unit filename="src/selection/selection.c">
 			<Option compilerVar="CC" />
 		</Unit>
+		<Unit filename="src/ssl/crl.c">
+			<Option compilerVar="CC" />
+		</Unit>
 		<Unit filename="src/ssl/linux/curl.c">
 			<Option compilerVar="CC" />
 		</Unit>
@@ -55,7 +55,6 @@
  
  }
  
-#ifdef SSL_ENABLE_CRL_CHECK
 static int background_ssl_crl_get(H3270 *hSession, void *ssl_error)
 {
 	if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error)) {
@@ -105,39 +104,11 @@ static int background_ssl_crl_get(H3270 *hSession, void *ssl_error)
 	//
 	// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
 	//
-	trace_ssl(hSession,"Getting CRL from %s\n",lib3270_get_crl_url(hSession));
-
-	hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,lib3270_get_crl_url(hSession));
-	if(hSession->ssl.crl.cert)
-	{
-		// Got CRL, add it to ssl store
-		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
-		{
-			lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
-
-			if(text)
-				trace_ssl(hSession,"\n%s\n",text);
-
-		}
-
-		// Add CRL in the store.
-		X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
-		if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
-		{
-			trace_ssl(hSession,"CRL was added to cert store\n");
-		}
-		else
-		{
-			trace_ssl(hSession,"CRL was not added to cert store\n");
-		}
-
-
-	}
-
-	return 0;
+	return lib3270_get_crl_from_url(hSession, ssl_error, lib3270_get_crl_url(hSession));
  
 }
  
+#ifdef SSL_ENABLE_CRL_CHECK
 static int notify_crl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message)
 {
 	lib3270_write_log(
@@ -181,7 +152,6 @@ static int notify_crl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *me
  
 	return 0;
 }
-
 #endif // SSL_ENABLE_CRL_CHECK
  
  int lib3270_reconnect(H3270 *hSession, int seconds)
@@ -136,6 +136,13 @@
 		},
  
 		{
+			.name = "crlprefer",										//  Property name.
+			.description = N_( "Prefered protocol for CRL" ),			//  Property description.
+			.get = lib3270_get_crl_prefered_protocol,					//  Get value.
+			.set = lib3270_set_crl_prefered_protocol,					//  Set value.
+		},
+
+		{
 			.name = "default_host",										//  Property name.
 			.description = N_( "Default host URL" ),					//  Property description.
 			.get = lib3270_get_default_host,							//  Get value.
@@ -82,6 +82,12 @@ void lib3270_session_free(H3270 *h)
 		h->ssl.crl.url = NULL;
 	}
  
+	if(h->ssl.crl.prefer)
+	{
+		free(h->ssl.crl.prefer);
+		h->ssl.crl.prefer = NULL;
+	}
+
 	if(h->ssl.crl.cert)
 	{
 		X509_CRL_free(h->ssl.crl.cert);
@@ -41,6 +41,8 @@
  
 #if defined(HAVE_LIBSSL)
 	#include <openssl/ssl.h>
+	#include <openssl/x509v3.h>
+
 #endif // HAVE_LIBSSL
  
 #if defined(X3270_TN3270E) && !defined(X3270_ANSI) /*[*/
@@ -693,8 +695,9 @@ struct _h3270
 #ifdef SSL_ENABLE_CRL_CHECK
 		struct
 		{
-			char			* url;
-			X509_CRL 		* cert;
+			char			* prefer;	///< @brief Prefered protocol for CRL.
+			char			* url;		///< @brief URL for CRL download.
+			X509_CRL 		* cert;		///< @brief Loaded CRL (can be null).
 		} crl;
 #endif // SSL_ENABLE_CRL_CHECK
 		SSL 				* con;
@@ -848,6 +851,8 @@ LIB3270_INTERNAL int	non_blocking(H3270 *session, Boolean on);
  
 	#ifdef SSL_ENABLE_CRL_CHECK
 		LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
+		LIB3270_INTERNAL int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url);
+		LIB3270_INTERNAL int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error);
 	#endif // SSL_ENABLE_CRL_CHECK
  
 #endif
@@ -862,4 +867,3 @@ LIB3270_INTERNAL int	non_blocking(H3270 *session, Boolean on);
  
 	LIB3270_INTERNAL char * lib3270_get_user_name();
  
-
@@ -490,9 +490,11 @@
 	 *
 	 */
 	 LIB3270_EXPORT int lib3270_set_crl_url(H3270 *hSession, const char *crl);
-
 	 LIB3270_EXPORT const char * lib3270_get_crl_url(const H3270 *hSession);
  
+	 LIB3270_EXPORT int lib3270_set_crl_prefered_protocol(H3270 *hSession, const char *protocol);
+	 LIB3270_EXPORT const char * lib3270_get_crl_prefered_protocol(H3270 *hSession);
+
 	/**
 	 * @brief Get hostname for the connect/reconnect operations.
 	 *
@@ -0,0 +1,184 @@
+/*
+ * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270  e X3270
+ * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a
+ * aplicativos mainframe. Registro no INPI sob o nome G3270.
+ *
+ * Copyright (C) <2008> <Banco do Brasil S.A.>
+ *
+ * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob
+ * os termos da GPL v.2 - Licença Pública Geral  GNU,  conforme  publicado  pela
+ * Free Software Foundation.
+ *
+ * Este programa é distribuído na expectativa de  ser  útil,  mas  SEM  QUALQUER
+ * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou  de  ADEQUAÇÃO
+ * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para
+ * obter mais detalhes.
+ *
+ * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este
+ * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin
+ * St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Este programa está nomeado como - e possui - linhas de código.
+ *
+ * Contatos:
+ *
+ * perry.werneck@gmail.com	(Alexandre Perry de Souza Werneck)
+ * erico.mendonca@gmail.com	(Erico Mascarenhas Mendonça)
+ *
+ */
+
+#include <config.h>
+#include <lib3270.h>
+#include <lib3270/log.h>
+#include <trace_dsc.h>
+#include <lib3270-internals.h>
+#include <array.h>
+
+#ifdef HAVE_LIBSSL
+	#include <openssl/ssl.h>
+	#include <openssl/err.h>
+#endif // HAVE_LIBSSL
+
+/*--[ Implement ]------------------------------------------------------------------------------------*/
+
+#ifdef SSL_ENABLE_CRL_CHECK
+int lib3270_get_crl_from_url(H3270 *hSession, void *ssl_error, const char *url)
+{
+
+	if(!(url && *url))
+		return -1;
+
+	// Invalidate current certificate.
+	if(hSession->ssl.crl.cert)
+	{
+		trace_ssl(hSession,"%s\n","Discarding current CRL");
+		X509_CRL_free(hSession->ssl.crl.cert);
+		hSession->ssl.crl.cert = NULL;
+	}
+
+	//
+	// Get the new CRL
+	//
+	// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
+	//
+	trace_ssl(hSession,"Getting new CRL from %s\n",url);
+
+	hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,url);
+
+	if(hSession->ssl.crl.cert)
+	{
+		// Got CRL, add it to ssl store
+		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
+		{
+			lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
+
+			if(text)
+				trace_ssl(hSession,"\n%s\n",text);
+
+		}
+
+		// Add CRL in the store.
+		X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
+		if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
+		{
+			trace_ssl(hSession,"CRL was added to context cert store\n");
+		}
+		else
+		{
+			trace_ssl(hSession,"CRL was not added to context cert store\n");
+		}
+
+		return 0;
+	}
+
+	return -1;
+
+}
+#endif // SSL_ENABLE_CRL_CHECK
+
+#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
+int lib3270_get_crl_from_dist_points(H3270 *hSession, CRL_DIST_POINTS * dist_points, void *ssl_error)
+{
+	size_t ix;
+	int i, gtype;
+	lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_string_array_new();
+
+	// https://nougat.cablelabs.com/DLNA-RUI/openssl/commit/57912ed329f870b237f2fd9f2de8dec3477d1729
+
+	for(ix = 0; ix < (size_t) sk_DIST_POINT_num(dist_points); ix++) {
+
+		DIST_POINT *dp = sk_DIST_POINT_value(dist_points, ix);
+
+		if(!dp->distpoint || dp->distpoint->type != 0)
+			continue;
+
+		GENERAL_NAMES *gens = dp->distpoint->name.fullname;
+
+		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
+		{
+			GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
+			ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &gtype);
+			if(uri)
+			{
+				const unsigned char * data = ASN1_STRING_get0_data(uri);
+				if(data)
+				{
+					lib3270_string_array_append(uris,(char *) data);
+				}
+			}
+
+		}
+
+	}
+
+#ifdef DEBUG
+	{
+		for(ix = 0; ix < uris->length; ix++)
+		{
+			debug("%u: %s", (unsigned int) ix, uris->str[ix]);
+		}
+	}
+#endif // DEBUG
+
+	if(hSession->ssl.crl.url)
+	{
+		// Check if we already have the URL.
+		if(!strcmp(hSession->ssl.crl.url,uris->str[ix]))
+		{
+			trace_ssl(hSession,"Keeping CRL from %s\n",hSession->ssl.crl.url);
+			return 0;
+		}
+
+		// The URL is invalid or not to this cert, remove it!
+		lib3270_free(hSession->ssl.crl.url);
+		hSession->ssl.crl.url = NULL;
+	}
+
+	if(hSession->ssl.crl.prefer && *hSession->ssl.crl.prefer)
+	{
+		size_t length = strlen(hSession->ssl.crl.prefer);
+
+		for(ix = 0; ix < uris->length; ix++)
+		{
+			if(!strncmp(uris->str[ix],hSession->ssl.crl.prefer,length))
+			{
+				trace_ssl(hSession,"Trying preferred URL %s\n",uris->str[ix]);
+				if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
+					return 0;
+			}
+
+		}
+
+	}
+
+	// Can't load, try all of them.
+	for(ix = 0; ix < uris->length; ix++)
+	{
+		trace_ssl(hSession,"Trying CRL from %s\n",uris->str[ix]);
+		if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
+			return 0;
+	}
+
+	return -1;
+}
+#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
@@ -59,8 +59,6 @@ LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE *
 		return NULL;
 	}
  
-	trace_ssl(hSession, "Getting CRL from \"%s\"\n",consturl);
-
 	if(strncasecmp(consturl,"file://",7) == 0)
 	{
 		lib3270_autoptr(FILE) hCRL = fopen(consturl+7,"r");
@@ -88,7 +88,7 @@ LIB3270_INTERNAL X509_CRL * get_crl_using_ldap(H3270 *hSession, SSL_ERROR_MESSAG
 	X509_CRL * x509_crl = NULL;
  
 	int	rc;
-	lib3270_autoptr(char) url = strdup(consturl);
+	lib3270_autoptr(char) url = lib3270_unescape(consturl);
 	char * base = strchr(url+7,'/');
 	char * attrs[] = { NULL, NULL };
  
@@ -134,67 +134,27 @@ static int background_ssl_init(H3270 *hSession, void *message)
 }
  
 #if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
-
-static int getCRLFromDistPoints(H3270 *hSession, CRL_DIST_POINTS * dist_points, SSL_ERROR_MESSAGE *message)
+int x509_store_ctx_error_callback(int ok, X509_STORE_CTX *ctx)
 {
-	int ix, i, gtype;
-	lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_string_array_new();
-
-	// https://nougat.cablelabs.com/DLNA-RUI/openssl/commit/57912ed329f870b237f2fd9f2de8dec3477d1729
-
-	for(ix = 0; ix < sk_DIST_POINT_num(dist_points); ix++) {
-
-		DIST_POINT *dp = sk_DIST_POINT_value(dist_points, ix);
-
-		if(!dp->distpoint || dp->distpoint->type != 0)
-			continue;
-
-		GENERAL_NAMES *gens = dp->distpoint->name.fullname;
+	debug("%s(%d)",__FUNCTION__,ok);
  
-		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
-		{
-			GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
-			ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &gtype);
-			if(uri)
-			{
-				const unsigned char * data = ASN1_STRING_get0_data(uri);
-				if(data)
-				{
-					lib3270_string_array_append(uris,(char *) data);
-				}
-			}
-
-		}
-
-	}
-
-#ifdef DEBUG
-	{
-		for(ix = 0; ix < uris->length; ix++)
-		{
-			debug("%u: %s", (unsigned int) ix, uris->str[ix]);
-		}
-	}
-#endif // DEBUG
-
-	/*
-	if(hSession->ssl.crl.url)
-	{
-		// Check if we already have the URL.
-
-
-		// The URL is invalid or not to this cert, remove it!
-		lib3270_free(hSession->ssl.crl.url);
-		hSession->ssl.crl.url = NULL;
-	}
-	*/
-
-
-	return 0;
+/*
+  55     {
+  56         if (!ok) {
+  57             Category::getInstance("OpenSSL").error(
+  58                 "path validation failure at depth(%d): %s",
+  59                 X509_STORE_CTX_get_error_depth(ctx),
+  60                 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))
+  61                 );
+  62         }
+  63         return ok;
+  64     }
+*/
+	return ok;
 }
-
 #endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
  
+
 static int background_ssl_negotiation(H3270 *hSession, void *message)
 {
 	int rv;
@@ -225,7 +185,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
  
 	if (rv != 1)
 	{
-		const char	* msg 		= "";
+		const char * msg = "";
  
 		((SSL_ERROR_MESSAGE *) message)->error = SSL_get_error(hSession->ssl.con,rv);
 		if(((SSL_ERROR_MESSAGE *) message)->error == SSL_ERROR_SYSCALL && hSession->ssl.error)
@@ -292,16 +252,38 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 			return EACCES;
 		}
  
-		if(getCRLFromDistPoints(hSession, dist_points, (SSL_ERROR_MESSAGE *) message))
+		if(lib3270_get_crl_from_dist_points(hSession, dist_points, (SSL_ERROR_MESSAGE *) message))
 			return EACCES;
  
+		// Got CRL, verify it!
+		// Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
+		X509_STORE_CTX *csc = X509_STORE_CTX_new();
+
+		X509_STORE_CTX_set_verify_cb(csc,x509_store_ctx_error_callback);
+
+		X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, NULL);
+
+		if(X509_verify_cert(csc) != 1)
+			rv = X509_STORE_CTX_get_error(csc);
+		else
+			rv = X509_V_OK;
+
+		X509_STORE_CTX_free(csc);
+
+#else
+		// No CRL download, use the standard verification.
+		rv = SSL_get_verify_result(hSession->ssl.con);
+
 #endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
  
 	}
+	else
+	{
+		rv = SSL_get_verify_result(hSession->ssl.con);
+	}
  
  
 	// Validate certificate.
-	rv = SSL_get_verify_result(hSession->ssl.con);
  
 	debug("SSL Verify result was %d", rv);
 	const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
@@ -174,3 +174,52 @@ LIB3270_EXPORT char * lib3270_get_ssl_peer_certificate_text(const H3270 *hSessio
  }
  #pragma GCC diagnostic pop
  
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wunused-parameter"
+ const char * lib3270_get_crl_prefered_protocol(H3270 *hSession)
+ {
+#ifdef SSL_ENABLE_CRL_CHECK
+	if(hSession->ssl.crl.prefer)
+		return hSession->ssl.crl.prefer;
+#endif
+	errno = ENODATA;
+	return "";
+ }
+ #pragma GCC diagnostic pop
+
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wunused-parameter"
+ int lib3270_set_crl_prefered_protocol(H3270 *hSession, const char *protocol)
+ {
+
+    FAIL_IF_ONLINE(hSession);
+
+#ifdef SSL_ENABLE_CRL_CHECK
+
+	if(hSession->ssl.crl.prefer)
+	{
+		free(hSession->ssl.crl.prefer);
+		hSession->ssl.crl.prefer = NULL;
+	}
+
+	if(hSession->ssl.crl.prefer)
+	{
+		X509_CRL_free(hSession->ssl.crl.prefer);
+		hSession->ssl.crl.prefer = NULL;
+	}
+
+	if(protocol)
+	{
+		hSession->ssl.crl.prefer = strdup(protocol);
+	}
+
+	return 0;
+
+#else
+
+	return errno = ENOTSUP;
+
+#endif // SSL_ENABLE_CRL_CHECK
+
+ }
+ #pragma GCC diagnostic pop
@@ -65,8 +65,6 @@ LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE *
 		return NULL;
 	}
  
-	trace_ssl(hSession, "Getting CRL from \"%s\"\n",consturl);
-
 	if(strncasecmp(consturl,"file://",7) == 0)
 	{
 		lib3270_autoptr(FILE) hCRL = fopen(consturl+7,"r");
@@ -43,6 +43,7 @@ int main(int argc, char *argv[])
  
 	printf("3270 session %p created\n]",h);
  
+	lib3270_set_crl_prefered_protocol(h,"ldap");
 	lib3270_set_url(h,NULL);
  
 	int long_index =0;
...	...	@@ -301,6 +301,9 @@
301	301	<Unit filename="src/selection/selection.c">
302	302	<Option compilerVar="CC" />
303	303	</Unit>
	304	+ <Unit filename="src/ssl/crl.c">
	305	+ <Option compilerVar="CC" />
	306	+ </Unit>
304	307	<Unit filename="src/ssl/linux/curl.c">
305	308	<Option compilerVar="CC" />
306	309	</Unit>
...	...
...	...	@@ -55,7 +55,6 @@
55	55
56	56	}
57	57
58		-#ifdef SSL_ENABLE_CRL_CHECK
59	58	static int background_ssl_crl_get(H3270 hSession, void ssl_error)
60	59	{
61	60	if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error)) {
...	...	@@ -105,39 +104,11 @@ static int background_ssl_crl_get(H3270 hSession, void ssl_error)
105	104	//
106	105	// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
107	106	//
108		- trace_ssl(hSession,"Getting CRL from %s\n",lib3270_get_crl_url(hSession));
109		-
110		- hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,lib3270_get_crl_url(hSession));
111		- if(hSession->ssl.crl.cert)
112		- {
113		- // Got CRL, add it to ssl store
114		- if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
115		- {
116		- lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
117		-
118		- if(text)
119		- trace_ssl(hSession,"\n%s\n",text);
120		-
121		- }
122		-
123		- // Add CRL in the store.
124		- X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
125		- if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
126		- {
127		- trace_ssl(hSession,"CRL was added to cert store\n");
128		- }
129		- else
130		- {
131		- trace_ssl(hSession,"CRL was not added to cert store\n");
132		- }
133		-
134		-
135		- }
136		-
137		- return 0;
	107	+ return lib3270_get_crl_from_url(hSession, ssl_error, lib3270_get_crl_url(hSession));
138	108
139	109	}
140	110
	111	+#ifdef SSL_ENABLE_CRL_CHECK
141	112	static int notify_crl_error(H3270 hSession, int rc, const SSL_ERROR_MESSAGE message)
142	113	{
143	114	lib3270_write_log(
...	...	@@ -181,7 +152,6 @@ static int notify_crl_error(H3270 hSession, int rc, const SSL_ERROR_MESSAGE me
181	152
182	153	return 0;
183	154	}
184		-
185	155	#endif // SSL_ENABLE_CRL_CHECK
186	156
187	157	int lib3270_reconnect(H3270 *hSession, int seconds)
...	...
...	...	@@ -136,6 +136,13 @@
136	136	},
137	137
138	138	{
	139	+ .name = "crlprefer", // Property name.
	140	+ .description = N_( "Prefered protocol for CRL" ), // Property description.
	141	+ .get = lib3270_get_crl_prefered_protocol, // Get value.
	142	+ .set = lib3270_set_crl_prefered_protocol, // Set value.
	143	+ },
	144	+
	145	+ {
139	146	.name = "default_host", // Property name.
140	147	.description = N_( "Default host URL" ), // Property description.
141	148	.get = lib3270_get_default_host, // Get value.
...	...
...	...	@@ -82,6 +82,12 @@ void lib3270_session_free(H3270 *h)
82	82	h->ssl.crl.url = NULL;
83	83	}
84	84
	85	+ if(h->ssl.crl.prefer)
	86	+ {
	87	+ free(h->ssl.crl.prefer);
	88	+ h->ssl.crl.prefer = NULL;
	89	+ }
	90	+
85	91	if(h->ssl.crl.cert)
86	92	{
87	93	X509_CRL_free(h->ssl.crl.cert);
...	...
...	...	@@ -41,6 +41,8 @@
41	41
42	42	#if defined(HAVE_LIBSSL)
43	43	#include <openssl/ssl.h>
	44	+ #include <openssl/x509v3.h>
	45	+
44	46	#endif // HAVE_LIBSSL
45	47
46	48	#if defined(X3270_TN3270E) && !defined(X3270_ANSI) /[/
...	...	@@ -693,8 +695,9 @@ struct _h3270
693	695	#ifdef SSL_ENABLE_CRL_CHECK
694	696	struct
695	697	{
696		- char * url;
697		- X509_CRL * cert;
	698	+ char * prefer; ///< @brief Prefered protocol for CRL.
	699	+ char * url; ///< @brief URL for CRL download.
	700	+ X509_CRL * cert; ///< @brief Loaded CRL (can be null).
698	701	} crl;
699	702	#endif // SSL_ENABLE_CRL_CHECK
700	703	SSL * con;
...	...	@@ -848,6 +851,8 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);
848	851
849	852	#ifdef SSL_ENABLE_CRL_CHECK
850	853	LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 hSession, SSL_ERROR_MESSAGE message, const char *url);
	854	+ LIB3270_INTERNAL int lib3270_get_crl_from_url(H3270 hSession, void ssl_error, const char *url);
	855	+ LIB3270_INTERNAL int lib3270_get_crl_from_dist_points(H3270 hSession, CRL_DIST_POINTS dist_points, void *ssl_error);
851	856	#endif // SSL_ENABLE_CRL_CHECK
852	857
853	858	#endif
...	...	@@ -862,4 +867,3 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);
862	867
863	868	LIB3270_INTERNAL char * lib3270_get_user_name();
864	869
865		-
...	...
...	...	@@ -490,9 +490,11 @@
490	490	*
491	491	*/
492	492	LIB3270_EXPORT int lib3270_set_crl_url(H3270 hSession, const char crl);
493		-
494	493	LIB3270_EXPORT const char * lib3270_get_crl_url(const H3270 *hSession);
495	494
	495	+ LIB3270_EXPORT int lib3270_set_crl_prefered_protocol(H3270 hSession, const char protocol);
	496	+ LIB3270_EXPORT const char * lib3270_get_crl_prefered_protocol(H3270 *hSession);
	497	+
496	498	/**
497	499	* @brief Get hostname for the connect/reconnect operations.
498	500	*
...	...
...	...	@@ -0,0 +1,184 @@
	1	+/*
	2	+ * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270 e X3270
	3	+ * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a
	4	+ * aplicativos mainframe. Registro no INPI sob o nome G3270.
	5	+ *
	6	+ * Copyright (C) <2008> <Banco do Brasil S.A.>
	7	+ *
	8	+ * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob
	9	+ * os termos da GPL v.2 - Licença Pública Geral GNU, conforme publicado pela
	10	+ * Free Software Foundation.
	11	+ *
	12	+ * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER
	13	+ * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO
	14	+ * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para
	15	+ * obter mais detalhes.
	16	+ *
	17	+ * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este
	18	+ * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin
	19	+ * St, Fifth Floor, Boston, MA 02110-1301 USA
	20	+ *
	21	+ * Este programa está nomeado como - e possui - linhas de código.
	22	+ *
	23	+ * Contatos:
	24	+ *
	25	+ * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck)
	26	+ * erico.mendonca@gmail.com (Erico Mascarenhas Mendonça)
	27	+ *
	28	+ */
	29	+
	30	+#include <config.h>
	31	+#include <lib3270.h>
	32	+#include <lib3270/log.h>
	33	+#include <trace_dsc.h>
	34	+#include <lib3270-internals.h>
	35	+#include <array.h>
	36	+
	37	+#ifdef HAVE_LIBSSL
	38	+ #include <openssl/ssl.h>
	39	+ #include <openssl/err.h>
	40	+#endif // HAVE_LIBSSL
	41	+
	42	+/--[ Implement ]------------------------------------------------------------------------------------/
	43	+
	44	+#ifdef SSL_ENABLE_CRL_CHECK
	45	+int lib3270_get_crl_from_url(H3270 hSession, void ssl_error, const char *url)
	46	+{
	47	+
	48	+ if(!(url && *url))
	49	+ return -1;
	50	+
	51	+ // Invalidate current certificate.
	52	+ if(hSession->ssl.crl.cert)
	53	+ {
	54	+ trace_ssl(hSession,"%s\n","Discarding current CRL");
	55	+ X509_CRL_free(hSession->ssl.crl.cert);
	56	+ hSession->ssl.crl.cert = NULL;
	57	+ }
	58	+
	59	+ //
	60	+ // Get the new CRL
	61	+ //
	62	+ // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
	63	+ //
	64	+ trace_ssl(hSession,"Getting new CRL from %s\n",url);
	65	+
	66	+ hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,url);
	67	+
	68	+ if(hSession->ssl.crl.cert)
	69	+ {
	70	+ // Got CRL, add it to ssl store
	71	+ if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
	72	+ {
	73	+ lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
	74	+
	75	+ if(text)
	76	+ trace_ssl(hSession,"\n%s\n",text);
	77	+
	78	+ }
	79	+
	80	+ // Add CRL in the store.
	81	+ X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
	82	+ if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
	83	+ {
	84	+ trace_ssl(hSession,"CRL was added to context cert store\n");
	85	+ }
	86	+ else
	87	+ {
	88	+ trace_ssl(hSession,"CRL was not added to context cert store\n");
	89	+ }
	90	+
	91	+ return 0;
	92	+ }
	93	+
	94	+ return -1;
	95	+
	96	+}
	97	+#endif // SSL_ENABLE_CRL_CHECK
	98	+
	99	+#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
	100	+int lib3270_get_crl_from_dist_points(H3270 hSession, CRL_DIST_POINTS dist_points, void *ssl_error)
	101	+{
	102	+ size_t ix;
	103	+ int i, gtype;
	104	+ lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_string_array_new();
	105	+
	106	+ // https://nougat.cablelabs.com/DLNA-RUI/openssl/commit/57912ed329f870b237f2fd9f2de8dec3477d1729
	107	+
	108	+ for(ix = 0; ix < (size_t) sk_DIST_POINT_num(dist_points); ix++) {
	109	+
	110	+ DIST_POINT *dp = sk_DIST_POINT_value(dist_points, ix);
	111	+
	112	+ if(!dp->distpoint \|\| dp->distpoint->type != 0)
	113	+ continue;
	114	+
	115	+ GENERAL_NAMES *gens = dp->distpoint->name.fullname;
	116	+
	117	+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
	118	+ {
	119	+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
	120	+ ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &gtype);
	121	+ if(uri)
	122	+ {
	123	+ const unsigned char * data = ASN1_STRING_get0_data(uri);
	124	+ if(data)
	125	+ {
	126	+ lib3270_string_array_append(uris,(char *) data);
	127	+ }
	128	+ }
	129	+
	130	+ }
	131	+
	132	+ }
	133	+
	134	+#ifdef DEBUG
	135	+ {
	136	+ for(ix = 0; ix < uris->length; ix++)
	137	+ {
	138	+ debug("%u: %s", (unsigned int) ix, uris->str[ix]);
	139	+ }
	140	+ }
	141	+#endif // DEBUG
	142	+
	143	+ if(hSession->ssl.crl.url)
	144	+ {
	145	+ // Check if we already have the URL.
	146	+ if(!strcmp(hSession->ssl.crl.url,uris->str[ix]))
	147	+ {
	148	+ trace_ssl(hSession,"Keeping CRL from %s\n",hSession->ssl.crl.url);
	149	+ return 0;
	150	+ }
	151	+
	152	+ // The URL is invalid or not to this cert, remove it!
	153	+ lib3270_free(hSession->ssl.crl.url);
	154	+ hSession->ssl.crl.url = NULL;
	155	+ }
	156	+
	157	+ if(hSession->ssl.crl.prefer && *hSession->ssl.crl.prefer)
	158	+ {
	159	+ size_t length = strlen(hSession->ssl.crl.prefer);
	160	+
	161	+ for(ix = 0; ix < uris->length; ix++)
	162	+ {
	163	+ if(!strncmp(uris->str[ix],hSession->ssl.crl.prefer,length))
	164	+ {
	165	+ trace_ssl(hSession,"Trying preferred URL %s\n",uris->str[ix]);
	166	+ if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
	167	+ return 0;
	168	+ }
	169	+
	170	+ }
	171	+
	172	+ }
	173	+
	174	+ // Can't load, try all of them.
	175	+ for(ix = 0; ix < uris->length; ix++)
	176	+ {
	177	+ trace_ssl(hSession,"Trying CRL from %s\n",uris->str[ix]);
	178	+ if(lib3270_get_crl_from_url(hSession, ssl_error, uris->str[ix]) == 0)
	179	+ return 0;
	180	+ }
	181	+
	182	+ return -1;
	183	+}
	184	+#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
...	...
...	...	@@ -59,8 +59,6 @@ LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 hSession, SSL_ERROR_MESSAGE
59	59	return NULL;
60	60	}
61	61
62		- trace_ssl(hSession, "Getting CRL from \"%s\"\n",consturl);
63		-
64	62	if(strncasecmp(consturl,"file://",7) == 0)
65	63	{
66	64	lib3270_autoptr(FILE) hCRL = fopen(consturl+7,"r");
...	...
...	...	@@ -88,7 +88,7 @@ LIB3270_INTERNAL X509_CRL * get_crl_using_ldap(H3270 *hSession, SSL_ERROR_MESSAG
88	88	X509_CRL * x509_crl = NULL;
89	89
90	90	int rc;
91		- lib3270_autoptr(char) url = strdup(consturl);
	91	+ lib3270_autoptr(char) url = lib3270_unescape(consturl);
92	92	char * base = strchr(url+7,'/');
93	93	char * attrs[] = { NULL, NULL };
94	94
...	...
...	...	@@ -134,67 +134,27 @@ static int background_ssl_init(H3270 hSession, void message)
134	134	}
135	135
136	136	#if !defined(SSL_DEFAULT_CRL_URL) && defined(SSL_ENABLE_CRL_CHECK)
137		-
138		-static int getCRLFromDistPoints(H3270 hSession, CRL_DIST_POINTS dist_points, SSL_ERROR_MESSAGE *message)
	137	+int x509_store_ctx_error_callback(int ok, X509_STORE_CTX *ctx)
139	138	{
140		- int ix, i, gtype;
141		- lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_string_array_new();
142		-
143		- // https://nougat.cablelabs.com/DLNA-RUI/openssl/commit/57912ed329f870b237f2fd9f2de8dec3477d1729
144		-
145		- for(ix = 0; ix < sk_DIST_POINT_num(dist_points); ix++) {
146		-
147		- DIST_POINT *dp = sk_DIST_POINT_value(dist_points, ix);
148		-
149		- if(!dp->distpoint \|\| dp->distpoint->type != 0)
150		- continue;
151		-
152		- GENERAL_NAMES *gens = dp->distpoint->name.fullname;
	139	+ debug("%s(%d)",__FUNCTION__,ok);
153	140
154		- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
155		- {
156		- GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);
157		- ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &gtype);
158		- if(uri)
159		- {
160		- const unsigned char * data = ASN1_STRING_get0_data(uri);
161		- if(data)
162		- {
163		- lib3270_string_array_append(uris,(char *) data);
164		- }
165		- }
166		-
167		- }
168		-
169		- }
170		-
171		-#ifdef DEBUG
172		- {
173		- for(ix = 0; ix < uris->length; ix++)
174		- {
175		- debug("%u: %s", (unsigned int) ix, uris->str[ix]);
176		- }
177		- }
178		-#endif // DEBUG
179		-
180		- /*
181		- if(hSession->ssl.crl.url)
182		- {
183		- // Check if we already have the URL.
184		-
185		-
186		- // The URL is invalid or not to this cert, remove it!
187		- lib3270_free(hSession->ssl.crl.url);
188		- hSession->ssl.crl.url = NULL;
189		- }
190		- */
191		-
192		-
193		- return 0;
	141	+/*
	142	+ 55 {
	143	+ 56 if (!ok) {
	144	+ 57 Category::getInstance("OpenSSL").error(
	145	+ 58 "path validation failure at depth(%d): %s",
	146	+ 59 X509_STORE_CTX_get_error_depth(ctx),
	147	+ 60 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))
	148	+ 61 );
	149	+ 62 }
	150	+ 63 return ok;
	151	+ 64 }
	152	+*/
	153	+ return ok;
194	154	}
195		-
196	155	#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
197	156
	157	+
198	158	static int background_ssl_negotiation(H3270 hSession, void message)
199	159	{
200	160	int rv;
...	...	@@ -225,7 +185,7 @@ static int background_ssl_negotiation(H3270 hSession, void message)
225	185
226	186	if (rv != 1)
227	187	{
228		- const char * msg = "";
	188	+ const char * msg = "";
229	189
230	190	((SSL_ERROR_MESSAGE *) message)->error = SSL_get_error(hSession->ssl.con,rv);
231	191	if(((SSL_ERROR_MESSAGE *) message)->error == SSL_ERROR_SYSCALL && hSession->ssl.error)
...	...	@@ -292,16 +252,38 @@ static int background_ssl_negotiation(H3270 hSession, void message)
292	252	return EACCES;
293	253	}
294	254
295		- if(getCRLFromDistPoints(hSession, dist_points, (SSL_ERROR_MESSAGE *) message))
	255	+ if(lib3270_get_crl_from_dist_points(hSession, dist_points, (SSL_ERROR_MESSAGE *) message))
296	256	return EACCES;
297	257
	258	+ // Got CRL, verify it!
	259	+ // Reference: https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
	260	+ X509_STORE_CTX *csc = X509_STORE_CTX_new();
	261	+
	262	+ X509_STORE_CTX_set_verify_cb(csc,x509_store_ctx_error_callback);
	263	+
	264	+ X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ssl_ctx), peer, NULL);
	265	+
	266	+ if(X509_verify_cert(csc) != 1)
	267	+ rv = X509_STORE_CTX_get_error(csc);
	268	+ else
	269	+ rv = X509_V_OK;
	270	+
	271	+ X509_STORE_CTX_free(csc);
	272	+
	273	+#else
	274	+ // No CRL download, use the standard verification.
	275	+ rv = SSL_get_verify_result(hSession->ssl.con);
	276	+
298	277	#endif // !SSL_DEFAULT_CRL_URL && SSL_ENABLE_CRL_CHECK
299	278
300	279	}
	280	+ else
	281	+ {
	282	+ rv = SSL_get_verify_result(hSession->ssl.con);
	283	+ }
301	284
302	285
303	286	// Validate certificate.
304		- rv = SSL_get_verify_result(hSession->ssl.con);
305	287
306	288	debug("SSL Verify result was %d", rv);
307	289	const struct ssl_status_msg * msg = ssl_get_status_from_error_code((long) rv);
...	...