Adding callback to let the application (or user) to decide if the

connection will continue on SSL error.

Adding callback to let the application (or user) to decide if the
connection will continue on SSL error.
Perry Werneck
1 parent 99a99f76
Showing 7 changed files with 132 additions and 119 deletions Show diff stats
lib3270.cbp
src/core/connect.c
src/core/session.c
src/include/lib3270-internals.h
src/include/lib3270/session.h
src/ssl/ctx_init.c
src/testprogram/testprogram.c
@@ -194,7 +194,6 @@
 		<Unit filename="src/include/icmdc.h" />
 		<Unit filename="src/include/keypadc.h" />
 		<Unit filename="src/include/kybdc.h" />
-		<Unit filename="src/include/lib3270++.h" />
 		<Unit filename="src/include/lib3270-internals.h" />
 		<Unit filename="src/include/lib3270.h" />
 		<Unit filename="src/include/lib3270/X11keysym.h" />
@@ -33,6 +33,7 @@
 #include <errno.h>
 #include <lib3270/log.h>
 #include <lib3270/trace.h>
+#include <trace_dsc.h>
 #if defined(HAVE_LIBSSL)
 	#include <openssl/err.h>
@@ -54,10 +55,123 @@
  }
 #ifdef SSL_ENABLE_CRL_CHECK
-static int background_ssl_crl_check(H3270 *hSession, void *ssl_error)
+static int background_ssl_crl_get(H3270 *hSession, void *ssl_error)
 {
-	return lib3270_check_X509_crl(hSession, (SSL_ERROR_MESSAGE *) ssl_error);
+	if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error)) {
+		return -1;
+	}
+
+	// Do I have X509 CRL?
+	if(hSession->ssl.crl.cert)
+	{
+		// Ok, have it. Is it valid?
+
+		// https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
+		// X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
+		#if OPENSSL_VERSION_NUMBER < 0x10100000L
+			const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
+		#else
+			const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
+		#endif
+
+		if(X509_cmp_current_time(next_update) == 1)
+		{
+			int day, sec;
+			if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
+			{
+				trace_ssl(hSession,"CRL Certificate is valid for %d day(s) and %d second(s)\n",day,sec);
+				return 0;
+			}
+			else
+			{
+				trace_ssl(hSession,"Can't get CRL next update, releasing it\n");
+			}
+
+		}
+		else
+		{
+			trace_ssl(hSession,"CRL Certificate is no longer valid\n");
+		}
+
+		// Certificate is no longer valid, release it.
+		X509_CRL_free(hSession->ssl.crl.cert);
+		hSession->ssl.crl.cert = NULL;
+
+	}
+
+	//
+	// Get CRL
+	//
+	// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
+	//
+	trace_ssl(hSession,"Getting CRL from %s\n",lib3270_get_crl_url(hSession));
+
+	hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,lib3270_get_crl_url(hSession));
+	if(hSession->ssl.crl.cert)
+	{
+		// Got CRL, add it to ssl store
+		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
+		{
+			lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
+
+			if(text)
+				trace_ssl(hSession,"\n%s\n",text);
+
+		}
+
+		// Add CRL in the store.
+		X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
+		if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
+		{
+			trace_ssl(hSession,"CRL was added to cert store\n");
+		}
+		else
+		{
+			trace_ssl(hSession,"CRL was not added to cert store\n");
+		}
+
+
+	}
+
+	return 0;
+
 }
+
+static int notify_crl_error(H3270 *hSession, int rc, const SSL_ERROR_MESSAGE *message)
+{
+	lib3270_write_log(
+		hSession,
+		"SSL-CRL-GET",
+		"CRL GET error: %s (rc=%d ssl_error=%d)",
+			message->title,
+			rc,
+			message->error
+	);
+
+	if(message->description)
+	{
+		lib3270_write_log(hSession,"SSL-CRL-GET","%s",message->description);
+
+		if(hSession->cbk.popup_ssl_error(hSession,rc,message->title,message->text,message->description))
+			return rc;
+	}
+	else if(message->error)
+	{
+		lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "%s (SSL error %d)" ),ERR_reason_error_string(message->error),message->error);
+		lib3270_write_log(hSession,"SSL-CRL-GET","%s",formatted_error);
+
+		if(hSession->cbk.popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
+			return rc;
+	}
+	else
+	{
+		if(hSession->cbk.popup_ssl_error(hSession,rc,message->title,message->text,""))
+			return rc;
+	}
+
+	return 0;
+}
+
 #endif // SSL_ENABLE_CRL_CHECK
  int lib3270_reconnect(H3270 *hSession, int seconds)
@@ -93,44 +207,18 @@ static int background_ssl_crl_check(H3270 *hSession, void *ssl_error)
 	}
 #ifdef SSL_ENABLE_CRL_CHECK
+
 	SSL_ERROR_MESSAGE ssl_error;
 	memset(&ssl_error,0,sizeof(ssl_error));
 	set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
-	int rc = lib3270_run_task(hSession, background_ssl_crl_check, &ssl_error);
+	int rc = lib3270_run_task(hSession, background_ssl_crl_get, &ssl_error);
 	debug("CRL check returns %d",rc);
-	if(rc)
-	{
-		lib3270_write_log(
-			hSession,
-			"SSL-CRL-CHECK",
-			"CRL Check error: %s (rc=%d ssl_error=%d)",
-				ssl_error.title,
-				rc,
-				ssl_error.error
-		);
-
-		if(ssl_error.description)
-		{
-			lib3270_write_log(hSession,"SSL-CRL-CHECK","%s",ssl_error.description);
-			lib3270_popup_dialog(hSession, LIB3270_NOTIFY_ERROR, ssl_error.title, ssl_error.text, "%s", ssl_error.description);
-		}
-		else if(ssl_error.error)
-		{
-			lib3270_autoptr(char) formatted_error = lib3270_strdup_printf("%s (SSL error %d)",ERR_reason_error_string(ssl_error.error),ssl_error.error);
-			lib3270_write_log(hSession,"SSL-CRL-CHECK","%s",formatted_error);
-			lib3270_popup_dialog(hSession, LIB3270_NOTIFY_ERROR, ssl_error.title, ssl_error.text, "%s", formatted_error);
-		}
-		else
-		{
-			lib3270_popup_dialog(hSession, LIB3270_NOTIFY_ERROR, ssl_error.title, ssl_error.text, "%s","");
-		}
-
-		// return errno = rc;
+	if(rc && notify_crl_error(hSession, rc,&ssl_error))
+		return errno = rc;
-	}
 #endif // SSL_ENABLE_CRL_CHECK
 #if defined(HAVE_LIBSSL)
@@ -224,6 +224,12 @@ static void def_popup(H3270 *session, LIB3270_NOTIFY GNUC_UNUSED(type), const ch
 #endif // ANDROID
 }
+static int def_popup_ssl_error(H3270 *session, int GNUC_UNUSED(rc), const char *title, const char *summary, const char *body)
+{
+	lib3270_popup_dialog(session, LIB3270_NOTIFY_ERROR, title, summary, "%s", body);
+    return -1;
+}
+
 static void def_trace(H3270 GNUC_UNUSED(*session), void GNUC_UNUSED(*userdata), const char *fmt, va_list args)
 {
 	vfprintf(stdout,fmt,args);
@@ -287,6 +293,7 @@ void lib3270_reset_callbacks(H3270 *hSession)
 	hSession->cbk.cursor 				= set_cursor;
 	hSession->cbk.message				= message;
 	hSession->cbk.popup					= def_popup;
+	hSession->cbk.popup_ssl_error		= def_popup_ssl_error;
 	hSession->cbk.update_ssl			= update_ssl;
 	hSession->cbk.display				= screen_disp;
 	hSession->cbk.set_width				= nop_int;
@@ -773,7 +773,6 @@ LIB3270_INTERNAL int	non_blocking(H3270 *session, Boolean on);
 	#ifdef SSL_ENABLE_CRL_CHECK
 		LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *url);
-		LIB3270_INTERNAL int lib3270_check_X509_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message);
 	#endif // SSL_ENABLE_CRL_CHECK
 	/// @brief Clear element at adress.
@@ -78,6 +78,7 @@
 		void (*message)(H3270 *session, LIB3270_NOTIFY id , const char *title, const char *message, const char *text);
 		void (*popup)(H3270 *session, LIB3270_NOTIFY id, const char *title, const char *msg, const char *fmt, va_list);
+		int  (*popup_ssl_error)(H3270 *session, int rc, const char *title, const char *summary, const char *body);
 #ifdef HAVE_LIBSSL
 		void (*set_peer_certificate)(const X509 *cert);
@@ -63,8 +63,6 @@
 /*--[ Implement ]------------------------------------------------------------------------------------*/
-#ifdef SSL_ENABLE_CRL_CHECK
-
 /*
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wsequence-point"
@@ -101,85 +99,6 @@ static time_t ASN1_GetTimeT(const ASN1_TIME* time)
 #pragma GCC diagnostic pop
 */
-int lib3270_check_X509_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message)
-{
-	// Returns if don't have an SSL context.
-	if(!ssl_ctx)
-	{
-		trace("No SSL context %s will return %d",__FUNCTION__,0);
-		return 0;
-	}
-
-	// Do I have X509 CRL? Is it valid?
-	if(hSession->ssl.crl.cert)
-	{
-
-		// https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
-		// X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
-		#if OPENSSL_VERSION_NUMBER < 0x10100000L
-			const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
-		#else
-			const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
-		#endif
-
-		if(X509_cmp_current_time(next_update) == 1)
-		{
-			int day, sec;
-			if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
-			{
-				trace_ssl(hSession,"CRL Certificate is valid for %d day(s) and %d second(s)\n",day,sec);
-				return 0;
-			}
-			else
-			{
-				trace_ssl(hSession,"Can't get CRL next update\n");
-			}
-
-		}
-
-		// Certificate is no longer valid, release it.
-		trace_ssl(hSession,"CRL Certificate is no longer valid\n");
-
-		X509_CRL_free(hSession->ssl.crl.cert);
-		hSession->ssl.crl.cert = NULL;
-
-	}
-
-	//
-	// Set up CRL validation
-	//
-	// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
-	//
-	hSession->ssl.crl.cert = lib3270_get_crl(hSession,message,lib3270_get_crl_url(hSession));
-	if(!hSession->ssl.crl.cert)
-	{
-		return -1;
-	}
-
-	if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
-	{
-		lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
-
-		if(text)
-			trace_ssl(hSession,"\n%s\n",text);
-
-	}
-
-	// Add CRL in the store.
-	X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
-	if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
-	{
-		trace_ssl(hSession,"CRL was added to cert store\n");
-		return 0;
-	}
-
-	trace_ssl(hSession,"CRL was not added to cert store\n");
-
-	return -1;
-}
-#endif // SSL_ENABLE_CRL_CHECK
-
-
 /**
  * @brief Initialize openssl library.
  *
@@ -251,11 +170,10 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 	X509_VERIFY_PARAM_free(param);
 	trace_ssl(hSession,"CRL CHECK was enabled\n");
-	return lib3270_check_X509_crl(hSession,message);
-#else
-	return 0;
 #endif // SSL_ENABLE_CRL_CHECK
+	return 0;
+
 }
 #endif // HAVE_LIBSSL
@@ -5,6 +5,7 @@
 #include <getopt.h>
 #include <lib3270.h>
+#include <lib3270-internals.h>
 #include <lib3270/actions.h>
 #include <lib3270/trace.h>
@@ -12,7 +13,7 @@
 const char *trace_file = "test.trace";
-static void write_trace(H3270 *session, void *userdata, const char *fmt, va_list args)
+static void write_trace(H3270 GNUC_UNUSED(*session), void GNUC_UNUSED(*userdata), const char *fmt, va_list args)
 {
 	FILE *out = fopen(trace_file,"a");
 	if(out)
	@@ -33,6 +33,7 @@		@@ -33,6 +33,7 @@
33	#include <errno.h>	33	#include <errno.h>
34	#include <lib3270/log.h>	34	#include <lib3270/log.h>
35	#include <lib3270/trace.h>	35	#include <lib3270/trace.h>
		36	+#include <trace_dsc.h>
36		37
37	#if defined(HAVE_LIBSSL)	38	#if defined(HAVE_LIBSSL)
38	#include <openssl/err.h>	39	#include <openssl/err.h>
	@@ -54,10 +55,123 @@		@@ -54,10 +55,123 @@
54	}	55	}
55		56
56	#ifdef SSL_ENABLE_CRL_CHECK	57	#ifdef SSL_ENABLE_CRL_CHECK
57	-static int background_ssl_crl_check(H3270 hSession, void ssl_error)	58	+static int background_ssl_crl_get(H3270 hSession, void ssl_error)
58	{	59	{
59	- return lib3270_check_X509_crl(hSession, (SSL_ERROR_MESSAGE *) ssl_error);	60	+ if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) ssl_error)) {
		61	+ return -1;
		62	+ }
		63	+
		64	+ // Do I have X509 CRL?
		65	+ if(hSession->ssl.crl.cert)
		66	+ {
		67	+ // Ok, have it. Is it valid?
		68	+
		69	+ // https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
		70	+ // X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
		71	+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
		72	+ const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
		73	+ #else
		74	+ const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
		75	+ #endif
		76	+
		77	+ if(X509_cmp_current_time(next_update) == 1)
		78	+ {
		79	+ int day, sec;
		80	+ if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
		81	+ {
		82	+ trace_ssl(hSession,"CRL Certificate is valid for %d day(s) and %d second(s)\n",day,sec);
		83	+ return 0;
		84	+ }
		85	+ else
		86	+ {
		87	+ trace_ssl(hSession,"Can't get CRL next update, releasing it\n");
		88	+ }
		89	+
		90	+ }
		91	+ else
		92	+ {
		93	+ trace_ssl(hSession,"CRL Certificate is no longer valid\n");
		94	+ }
		95	+
		96	+ // Certificate is no longer valid, release it.
		97	+ X509_CRL_free(hSession->ssl.crl.cert);
		98	+ hSession->ssl.crl.cert = NULL;
		99	+
		100	+ }
		101	+
		102	+ //
		103	+ // Get CRL
		104	+ //
		105	+ // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
		106	+ //
		107	+ trace_ssl(hSession,"Getting CRL from %s\n",lib3270_get_crl_url(hSession));
		108	+
		109	+ hSession->ssl.crl.cert = lib3270_get_crl(hSession,(SSL_ERROR_MESSAGE *) ssl_error,lib3270_get_crl_url(hSession));
		110	+ if(hSession->ssl.crl.cert)
		111	+ {
		112	+ // Got CRL, add it to ssl store
		113	+ if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
		114	+ {
		115	+ lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
		116	+
		117	+ if(text)
		118	+ trace_ssl(hSession,"\n%s\n",text);
		119	+
		120	+ }
		121	+
		122	+ // Add CRL in the store.
		123	+ X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
		124	+ if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
		125	+ {
		126	+ trace_ssl(hSession,"CRL was added to cert store\n");
		127	+ }
		128	+ else
		129	+ {
		130	+ trace_ssl(hSession,"CRL was not added to cert store\n");
		131	+ }
		132	+
		133	+
		134	+ }
		135	+
		136	+ return 0;
		137	+
60	}	138	}
		139	+
		140	+static int notify_crl_error(H3270 hSession, int rc, const SSL_ERROR_MESSAGE message)
		141	+{
		142	+ lib3270_write_log(
		143	+ hSession,
		144	+ "SSL-CRL-GET",
		145	+ "CRL GET error: %s (rc=%d ssl_error=%d)",
		146	+ message->title,
		147	+ rc,
		148	+ message->error
		149	+ );
		150	+
		151	+ if(message->description)
		152	+ {
		153	+ lib3270_write_log(hSession,"SSL-CRL-GET","%s",message->description);
		154	+
		155	+ if(hSession->cbk.popup_ssl_error(hSession,rc,message->title,message->text,message->description))
		156	+ return rc;
		157	+ }
		158	+ else if(message->error)
		159	+ {
		160	+ lib3270_autoptr(char) formatted_error = lib3270_strdup_printf(_( "%s (SSL error %d)" ),ERR_reason_error_string(message->error),message->error);
		161	+ lib3270_write_log(hSession,"SSL-CRL-GET","%s",formatted_error);
		162	+
		163	+ if(hSession->cbk.popup_ssl_error(hSession,rc,message->title,message->text,formatted_error))
		164	+ return rc;
		165	+ }
		166	+ else
		167	+ {
		168	+ if(hSession->cbk.popup_ssl_error(hSession,rc,message->title,message->text,""))
		169	+ return rc;
		170	+ }
		171	+
		172	+ return 0;
		173	+}
		174	+
61	#endif // SSL_ENABLE_CRL_CHECK	175	#endif // SSL_ENABLE_CRL_CHECK
62		176
63	int lib3270_reconnect(H3270 *hSession, int seconds)	177	int lib3270_reconnect(H3270 *hSession, int seconds)
	@@ -93,44 +207,18 @@ static int background_ssl_crl_check(H3270 hSession, void ssl_error)		@@ -93,44 +207,18 @@ static int background_ssl_crl_check(H3270 hSession, void ssl_error)
93	}	207	}
94		208
95	#ifdef SSL_ENABLE_CRL_CHECK	209	#ifdef SSL_ENABLE_CRL_CHECK
		210	+
96	SSL_ERROR_MESSAGE ssl_error;	211	SSL_ERROR_MESSAGE ssl_error;
97	memset(&ssl_error,0,sizeof(ssl_error));	212	memset(&ssl_error,0,sizeof(ssl_error));
98		213
99	set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);	214	set_ssl_state(hSession,LIB3270_SSL_NEGOTIATING);
100	- int rc = lib3270_run_task(hSession, background_ssl_crl_check, &ssl_error);	215	+ int rc = lib3270_run_task(hSession, background_ssl_crl_get, &ssl_error);
101		216
102	debug("CRL check returns %d",rc);	217	debug("CRL check returns %d",rc);
103		218
104	- if(rc)
105	- {
106	- lib3270_write_log(
107	- hSession,
108	- "SSL-CRL-CHECK",
109	- "CRL Check error: %s (rc=%d ssl_error=%d)",
110	- ssl_error.title,
111	- rc,
112	- ssl_error.error
113	- );
114	-
115	- if(ssl_error.description)
116	- {
117	- lib3270_write_log(hSession,"SSL-CRL-CHECK","%s",ssl_error.description);
118	- lib3270_popup_dialog(hSession, LIB3270_NOTIFY_ERROR, ssl_error.title, ssl_error.text, "%s", ssl_error.description);
119	- }
120	- else if(ssl_error.error)
121	- {
122	- lib3270_autoptr(char) formatted_error = lib3270_strdup_printf("%s (SSL error %d)",ERR_reason_error_string(ssl_error.error),ssl_error.error);
123	- lib3270_write_log(hSession,"SSL-CRL-CHECK","%s",formatted_error);
124	- lib3270_popup_dialog(hSession, LIB3270_NOTIFY_ERROR, ssl_error.title, ssl_error.text, "%s", formatted_error);
125	- }
126	- else
127	- {
128	- lib3270_popup_dialog(hSession, LIB3270_NOTIFY_ERROR, ssl_error.title, ssl_error.text, "%s","");
129	- }
130	-
131	- // return errno = rc;	219	+ if(rc && notify_crl_error(hSession, rc,&ssl_error))
		220	+ return errno = rc;
132		221
133	- }
134	#endif // SSL_ENABLE_CRL_CHECK	222	#endif // SSL_ENABLE_CRL_CHECK
135		223
136	#if defined(HAVE_LIBSSL)	224	#if defined(HAVE_LIBSSL)
	@@ -773,7 +773,6 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);		@@ -773,7 +773,6 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);
773		773
774	#ifdef SSL_ENABLE_CRL_CHECK	774	#ifdef SSL_ENABLE_CRL_CHECK
775	LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 hSession, SSL_ERROR_MESSAGE message, const char *url);	775	LIB3270_INTERNAL X509_CRL * lib3270_get_crl(H3270 hSession, SSL_ERROR_MESSAGE message, const char *url);
776	- LIB3270_INTERNAL int lib3270_check_X509_crl(H3270 hSession, SSL_ERROR_MESSAGE message);
777	#endif // SSL_ENABLE_CRL_CHECK	776	#endif // SSL_ENABLE_CRL_CHECK
778		777
779	/// @brief Clear element at adress.	778	/// @brief Clear element at adress.
	@@ -78,6 +78,7 @@		@@ -78,6 +78,7 @@
78		78
79	void (message)(H3270 session, LIB3270_NOTIFY id , const char title, const char message, const char *text);	79	void (message)(H3270 session, LIB3270_NOTIFY id , const char title, const char message, const char *text);
80	void (popup)(H3270 session, LIB3270_NOTIFY id, const char title, const char msg, const char *fmt, va_list);	80	void (popup)(H3270 session, LIB3270_NOTIFY id, const char title, const char msg, const char *fmt, va_list);
		81	+ int (popup_ssl_error)(H3270 session, int rc, const char title, const char summary, const char *body);
81		82
82	#ifdef HAVE_LIBSSL	83	#ifdef HAVE_LIBSSL
83	void (set_peer_certificate)(const X509 cert);	84	void (set_peer_certificate)(const X509 cert);
	@@ -63,8 +63,6 @@		@@ -63,8 +63,6 @@
63		63
64	/--[ Implement ]------------------------------------------------------------------------------------/	64	/--[ Implement ]------------------------------------------------------------------------------------/
65		65
66	-#ifdef SSL_ENABLE_CRL_CHECK
67	-
68	/*	66	/*
69	#pragma GCC diagnostic push	67	#pragma GCC diagnostic push
70	#pragma GCC diagnostic ignored "-Wsequence-point"	68	#pragma GCC diagnostic ignored "-Wsequence-point"
	@@ -101,85 +99,6 @@ static time_t ASN1_GetTimeT(const ASN1_TIME* time)		@@ -101,85 +99,6 @@ static time_t ASN1_GetTimeT(const ASN1_TIME* time)
101	#pragma GCC diagnostic pop	99	#pragma GCC diagnostic pop
102	*/	100	*/
103		101
104	-int lib3270_check_X509_crl(H3270 hSession, SSL_ERROR_MESSAGE message)
105	-{
106	- // Returns if don't have an SSL context.
107	- if(!ssl_ctx)
108	- {
109	- trace("No SSL context %s will return %d",__FUNCTION__,0);
110	- return 0;
111	- }
112	-
113	- // Do I have X509 CRL? Is it valid?
114	- if(hSession->ssl.crl.cert)
115	- {
116	-
117	- // https://stackoverflow.com/questions/23407376/testing-x509-certificate-expiry-date-with-c
118	- // X509_CRL_get_nextUpdate is deprecated in openssl 1.1.0
119	- #if OPENSSL_VERSION_NUMBER < 0x10100000L
120	- const ASN1_TIME * next_update = X509_CRL_get_nextUpdate(hSession->ssl.crl.cert);
121	- #else
122	- const ASN1_TIME * next_update = X509_CRL_get0_nextUpdate(hSession->ssl.crl.cert);
123	- #endif
124	-
125	- if(X509_cmp_current_time(next_update) == 1)
126	- {
127	- int day, sec;
128	- if(ASN1_TIME_diff(&day, &sec, NULL, next_update))
129	- {
130	- trace_ssl(hSession,"CRL Certificate is valid for %d day(s) and %d second(s)\n",day,sec);
131	- return 0;
132	- }
133	- else
134	- {
135	- trace_ssl(hSession,"Can't get CRL next update\n");
136	- }
137	-
138	- }
139	-
140	- // Certificate is no longer valid, release it.
141	- trace_ssl(hSession,"CRL Certificate is no longer valid\n");
142	-
143	- X509_CRL_free(hSession->ssl.crl.cert);
144	- hSession->ssl.crl.cert = NULL;
145	-
146	- }
147	-
148	- //
149	- // Set up CRL validation
150	- //
151	- // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
152	- //
153	- hSession->ssl.crl.cert = lib3270_get_crl(hSession,message,lib3270_get_crl_url(hSession));
154	- if(!hSession->ssl.crl.cert)
155	- {
156	- return -1;
157	- }
158	-
159	- if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
160	- {
161	- lib3270_autoptr(char) text = lib3270_get_ssl_crl_text(hSession);
162	-
163	- if(text)
164	- trace_ssl(hSession,"\n%s\n",text);
165	-
166	- }
167	-
168	- // Add CRL in the store.
169	- X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
170	- if(X509_STORE_add_crl(store, hSession->ssl.crl.cert))
171	- {
172	- trace_ssl(hSession,"CRL was added to cert store\n");
173	- return 0;
174	- }
175	-
176	- trace_ssl(hSession,"CRL was not added to cert store\n");
177	-
178	- return -1;
179	-}
180	-#endif // SSL_ENABLE_CRL_CHECK
181	-
182	-
183	/**	102	/**
184	* @brief Initialize openssl library.	103	* @brief Initialize openssl library.
185	*	104	*
	@@ -251,11 +170,10 @@ int ssl_ctx_init(H3270 hSession, SSL_ERROR_MESSAGE message)		@@ -251,11 +170,10 @@ int ssl_ctx_init(H3270 hSession, SSL_ERROR_MESSAGE message)
251	X509_VERIFY_PARAM_free(param);	170	X509_VERIFY_PARAM_free(param);
252	trace_ssl(hSession,"CRL CHECK was enabled\n");	171	trace_ssl(hSession,"CRL CHECK was enabled\n");
253		172
254	- return lib3270_check_X509_crl(hSession,message);
255	-#else
256	- return 0;
257	#endif // SSL_ENABLE_CRL_CHECK	173	#endif // SSL_ENABLE_CRL_CHECK
258		174
		175	+ return 0;
		176	+
259	}	177	}
260		178
261	#endif // HAVE_LIBSSL	179	#endif // HAVE_LIBSSL