From 6021974de50002a61e0ba3487236c39a0b7ba6ff Mon Sep 17 00:00:00 2001 From: Perry Werneck Date: Tue, 15 Jan 2019 10:48:54 -0200 Subject: [PATCH] Working on CRL validation. --- lib3270.cbp | 3 --- src/include/lib3270.h | 9 +++++++++ src/lib3270/private.h | 68 +++++++++++++++++++++++++++++++++----------------------------------- src/lib3270/properties.c | 24 ++++++++++++++++++++++++ src/lib3270/ssl/ctx_init.c | 155 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/lib3270/ssl/linux/ctx_init.c | 202 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- src/lib3270/ssl/negotiate.c | 16 ++++++++++++++++ src/lib3270/ssl/windows/ctx_init.c | 176 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- src/lib3270/util.c | 7 +++++++ 9 files changed, 244 insertions(+), 416 deletions(-) create mode 100644 src/lib3270/ssl/ctx_init.c delete mode 100644 src/lib3270/ssl/linux/ctx_init.c delete mode 100644 src/lib3270/ssl/windows/ctx_init.c diff --git a/lib3270.cbp b/lib3270.cbp index f995b31..81dc8c6 100644 --- a/lib3270.cbp +++ b/lib3270.cbp @@ -126,9 +126,6 @@ - - diff --git a/src/include/lib3270.h b/src/include/lib3270.h index 4674d33..38bed3e 100644 --- a/src/include/lib3270.h +++ b/src/include/lib3270.h 
@@ -1176,6 +1176,14 @@ LIB3270_EXPORT void * lib3270_replace(void **p, void *ptr); LIB3270_EXPORT void * lib3270_strdup(const char *str); + #define LIB3270_AUTOPTR_FUNC_NAME(TypeName) lib3270_autoptr_cleanup_##TypeName + + /** + * @brief Declare an auto-cleanup pointer. + * + */ + #define lib3270_autoptr(TypeName) TypeName * __attribute__ ((__cleanup__(LIB3270_AUTOPTR_FUNC_NAME(TypeName)))) + /** * @brief Release allocated memory. * @@ -1185,6 +1193,7 @@ */ LIB3270_EXPORT void * lib3270_free(void *p); + LIB3270_EXPORT void lib3270_autoptr_cleanup_char(char **ptr); /** * Get default session handle. diff --git a/src/lib3270/private.h b/src/lib3270/private.h index 50cf0b3..b0057d9 100644 --- a/src/lib3270/private.h +++ b/src/lib3270/private.h @@ -234,10 +234,6 @@ struct lib3270_text unsigned short attr; ///< @brief Converted character attribute (color & etc) }; -#ifndef HEADER_SSL_H - #define SSL void -#endif // !HEADER_SSL_H - #ifndef LIB3270_TA #define LIB3270_TA void #endif // !LIB3270_TA @@ -314,7 +310,6 @@ struct _h3270 // flags LIB3270_OPTION options; ///< @brief Session options. -// int bgthread : 1; ///< @brief Running on a background thread ?. int selected : 1; ///< @brief Has selected region? int rectsel : 1; ///< @brief Selected region is a rectangle ? int vcontrol : 1; ///< @brief Visible control ? @@ -334,15 +329,15 @@ struct _h3270 int onlcr : 1; int bsd_tm : 1; int syncing : 1; - int reverse : 1; /**< reverse-input mode */ + int reverse : 1; /**< @brief reverse-input mode */ int dbcs : 1; int linemode : 1; int trace_skipping : 1; int need_tls_follows : 1; int cut_xfer_in_progress : 1; // int auto_keymap : 1; - int formatted : 1; /**< Formatted screen flag */ - int starting : 1; /**< Is starting (no first screen)? */ + int formatted : 1; /**< @brief Formatted screen flag */ + int starting : 1; /**< @brief Is starting (no first screen)? */ char * oversize; 
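Review bot: `lib3270_autoptr()` places a bare `__attribute__ ((__cleanup__(...)))` into the public header with no `__GNUC__`/`__clang__` guard, so a consumer compiling lib3270.h with a compiler that lacks the extension would fail on first use; a guarded fallback or an explicit `#error` would make the constraint visible instead of surfacing as a parse error. The `@brief` also leaves the contract implicit: the cleanup routine must be named `lib3270_autoptr_cleanup_<TypeName>` and take `TypeName **`, which is what `LIB3270_AUTOPTR_FUNC_NAME` encodes, and `lib3270_autoptr(char)` only works because `lib3270_autoptr_cleanup_char()` is declared in the second hunk. Suggest `/// @brief Declare a TypeName pointer released by lib3270_autoptr_cleanup_##TypeName(TypeName **) when it leaves scope (GCC/Clang __cleanup__ extension).`.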
@@ -382,7 +377,7 @@ struct _h3270 unsigned short current_port; // Misc - H3270FT * ft; /**< Active file transfer data */ + H3270FT * ft; /**< @brief Active file transfer data */ // screen info int ov_rows; @@ -395,14 +390,14 @@ struct _h3270 int cursor_addr; int buffer_addr; char flipped; - int screen_alt; /**< alternate screen? */ + int screen_alt; /**< @brief alternate screen? */ int is_altbuffer; // Screen contents - void * buffer[2]; /**< Internal buffers */ - struct lib3270_ea * ea_buf; /**< 3270 device buffer. ea_buf[-1] is the dummy default field attribute */ - struct lib3270_ea * aea_buf; /**< alternate 3270 extended attribute buffer */ - struct lib3270_text * text; /**< Converted 3270 chars */ + void * buffer[2]; /**< @brief Internal buffers */ + struct lib3270_ea * ea_buf; /**< @brief 3270 device buffer. ea_buf[-1] is the dummy default field attribute */ + struct lib3270_ea * aea_buf; /**< @brief alternate 3270 extended attribute buffer */ + struct lib3270_text * text; /**< @brief Converted 3270 chars */ // host.c char std_ds_host; @@ -424,7 +419,7 @@ struct _h3270 int mticking : 1; int crm_nattr; unsigned char crm_attr[16]; - unsigned char * zero_buf; /**< empty buffer, for area clears */ + unsigned char * zero_buf; /**< @brief Empty buffer, for area clears */ struct timeval t_start; void * tick_id; @@ -432,8 +427,8 @@ struct _h3270 // Telnet.c unsigned char * ibuf; - int ibuf_size; /**< size of ibuf */ - unsigned char * obuf; /**< 3270 output buffer */ + int ibuf_size; /**< @brief size of ibuf */ + unsigned char * obuf; /**< @brief 3270 output buffer */ unsigned char * obptr; time_t ns_time; int ns_brcvd; 
@@ -441,8 +436,8 @@ struct _h3270 int ns_bsent; int ns_rsent; struct timeval ds_ts; - unsigned long e_funcs; /**< negotiated TN3270E functions */ - unsigned short e_xmit_seq; /**< transmit sequence number */ + unsigned long e_funcs; /**< @brief negotiated TN3270E functions */ + unsigned short e_xmit_seq; /**< @brief transmit sequence number */ int response_required; int tn3270e_bound; int tn3270e_negotiated; @@ -468,7 +463,7 @@ struct _h3270 E_SSCP } tn3270e_submode; - unsigned char * lbuf; /**< line-mode input buffer */ + unsigned char * lbuf; /**< @brief line-mode input buffer */ unsigned char * lbptr; @@ -476,7 +471,6 @@ struct _h3270 unsigned char * ibptr; unsigned char * obuf_base; int obuf_size; -// unsigned char * netrbuf; // network input buffer unsigned char * sbbuf; @@ -484,14 +478,13 @@ struct _h3270 // telnet sub-option buffer unsigned char * sbptr; unsigned char telnet_state; -// char ttype_tmpval[13]; unsigned char myopts[LIB3270_TELNET_N_OPTS]; unsigned char hisopts[LIB3270_TELNET_N_OPTS]; // kybd.c - unsigned int kybdlock; ///< @brief keyboard lock state - unsigned char aid; ///< @brief current attention ID + unsigned int kybdlock; ///< @brief @brief keyboard lock state. + unsigned char aid; ///< @brief @brief current attention ID. void * unlock_id; time_t unlock_delay_time; unsigned long unlock_delay_ms; ///< @brief Delay before actually unlocking the keyboard after the host permits it. @@ -548,12 +541,12 @@ struct _h3270 int saved_wide_mode : 1; int saved_altbuffer : 1; - int ansi_reset : 1; /**< Non zero if the ansi_reset() was called in this session */ + int ansi_reset : 1; /**< @brief Non zero if the ansi_reset() was called in this session */ int ansi_ch; int cs_to_change; - /** ANSI Character sets. */ + /** @brief ANSI Character sets. */ enum lib3270_ansi_cs { LIB3270_ANSI_CS_G0 = 0, 
@@ -563,7 +556,7 @@ struct _h3270 } cset; enum lib3270_ansi_cs saved_cset; - /** Character set designations. */ + /** @brief Character set designations. */ enum lib3270_ansi_csd { LIB3270_ANSI_CSD_LD = 0, @@ -605,7 +598,8 @@ struct _h3270 void * except; } xio; - // SSL Data (Always defined to maintain the structure size) +#ifdef HAVE_LIBSSL + /// @brief SSL Data. struct { char host; @@ -613,12 +607,13 @@ struct _h3270 unsigned long error; SSL * con; } ssl; +#endif // HAVE_LIBSSL timeout_t * timeouts; input_t * inputs; int inputs_changed : 1; - // Trace Window. + // Trace methods. struct { void (*handler)(H3270 *session, void *userdata, const char *fmt, va_list args); void *userdata; @@ -662,7 +657,7 @@ LIB3270_INTERNAL int check_offline_session(H3270 *hSession); LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on); -#if defined(HAVE_LIBSSL) /*[*/ +#if defined(HAVE_LIBSSL) typedef struct _ssl_error_message { @@ -672,17 +667,16 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on); const char * description; } SSL_ERROR_MESSAGE; - LIB3270_INTERNAL int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE *message); LIB3270_INTERNAL int ssl_init(H3270 *session); LIB3270_INTERNAL int ssl_negotiate(H3270 *hSession); LIB3270_INTERNAL void set_ssl_state(H3270 *session, LIB3270_SSL_STATE state); - #if OPENSSL_VERSION_NUMBER >= 0x00907000L /*[*/ + #if OPENSSL_VERSION_NUMBER >= 0x00907000L #define INFO_CONST const - #else /*][*/ + #else #define INFO_CONST - #endif /*]*/ + #endif LIB3270_INTERNAL void ssl_info_callback(INFO_CONST SSL *s, int where, int ret); @@ -698,5 +692,9 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on); */ LIB3270_INTERNAL int ssl_3270_ex_index; -#endif /*]*/ + #ifdef SSL_ENABLE_CRL_CHECK + X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message); + #endif // SSL_ENABLE_CRL_CHECK + +#endif diff --git a/src/lib3270/properties.c b/src/lib3270/properties.c index 1b2e6db..9b18ba4 100644 
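Review bot: Wrapping the `ssl` member in `#ifdef HAVE_LIBSSL` makes `sizeof(struct _h3270)` and the offset of every member after it (`timeouts`, `inputs`, the trace struct) depend on a build macro, which is exactly what the removed comment `// SSL Data (Always defined to maintain the structure size)` was guarding against; any translation unit or plugin that sees private.h with a different HAVE_LIBSSL setting will read the wrong fields. Either keep the member unconditionally (with a `void *con` when OpenSSL is absent, as the removed `#define SSL void` fallback did) or state in a comment that the whole build must agree on HAVE_LIBSSL. In the last hunk, `lib3270_get_X509_CRL()` is the only declaration in that block without `LIB3270_INTERNAL`, and it needs the `X509_CRL` type, so every file defining SSL_ENABLE_CRL_CHECK must include the OpenSSL headers before private.h — worth a comment next to the prototype. The `@@ -484,14 +478,13 @@` hunk also doubles the Doxygen tag (`///< @brief @brief keyboard lock state.`) on `kybdlock` and `aid`.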
--- a/src/lib3270/properties.c +++ b/src/lib3270/properties.c @@ -48,6 +48,16 @@ return (int) lib3270_get_program_message(hSession); } + int lib3270_is_starting(H3270 *hSession) + { + return hSession->starting != 0; + } + + int lib3270_get_formatted(H3270 *hSession) + { + return hSession->formatted != 0; + } + const LIB3270_INT_PROPERTY * lib3270_get_boolean_properties_list(void) { static const LIB3270_INT_PROPERTY properties[] = { @@ -142,6 +152,20 @@ NULL // Set value. }, + { + "starting", // Property name. + N_( "Is starting (no first screen)?" ), // Property description. + lib3270_is_starting, // Get value. + NULL // Set value. + }, + + { + "formatted", // Property name. + N_( "Formatted screen" ), // Property description. + lib3270_get_formatted, // Get value. + NULL // Set value. + }, + /* { "", // Property name. diff --git a/src/lib3270/ssl/ctx_init.c b/src/lib3270/ssl/ctx_init.c new file mode 100644 index 0000000..3b6d290 --- /dev/null +++ b/src/lib3270/ssl/ctx_init.c 
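Review bot: `lib3270_is_starting()` and `lib3270_get_formatted()` are defined with external linkage but no prototype for them appears in the lib3270.h hunk of this patch; if they are meant to be public they should carry `LIB3270_EXPORT` and a declaration, and if they exist only to populate the property table they should be `static` so they do not leak into the library's symbol namespace. The naming is also inconsistent between the pair (`is_starting` vs `get_formatted`) for two getters that do the same thing. A one-line `/// @brief` on each, matching the Doxygen style used elsewhere in the library, would complete the addition.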
@@ -0,0 +1,155 @@ +/* + * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270 e X3270 + * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a + * aplicativos mainframe. Registro no INPI sob o nome G3270. + * + * Copyright (C) <2008> + * + * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob + * os termos da GPL v.2 - Licença Pública Geral GNU, conforme publicado pela + * Free Software Foundation. + * + * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER + * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO + * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para + * obter mais detalhes. + * + * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este + * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin + * St, Fifth Floor, Boston, MA 02110-1301 USA + * + * Este programa está nomeado como - e possui - linhas de código. + * + * Contatos: + * + * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck) + * erico.mendonca@gmail.com (Erico Mascarenhas Mendonça) + * + * + * References: + * + * http://www.openssl.org/docs/ssl/ + * https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now + * + */ + +/** + * @brief OpenSSL initialization for linux. 
+ * + */ + +#include +#if defined(HAVE_LIBSSL) + +#include +#include +#include + +#ifndef SSL_ST_OK + #define SSL_ST_OK 3 +#endif // !SSL_ST_OK + +#include "../private.h" +#include +#include +#include +#include +#include +#include "trace_dsc.h" + +#ifdef SSL_ENABLE_CRL_CHECK + #include +#endif // SSL_ENABLE_CRL_CHECK + +/*--[ Implement ]------------------------------------------------------------------------------------*/ + +#ifdef SSL_ENABLE_CRL_CHECK +static inline void lib3270_autoptr_cleanup_X509_CRL(X509_CRL **crl) +{ + if(*crl) + X509_CRL_free(*crl); +} +#endif // SSL_ENABLE_CRL_CHECK + +/** + * @brief Initialize openssl library. + * + * @return 0 if ok, non zero if fails. + * + */ +int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message) +{ + debug("%s ssl_ctx=%p",__FUNCTION__,ssl_ctx); + + if(ssl_ctx) + return 0; + + trace_dsn(hSession,"Initializing SSL context.\n"); + + SSL_load_error_strings(); + SSL_library_init(); + + ssl_ctx = SSL_CTX_new(SSLv23_method()); + if(ssl_ctx == NULL) + { + message->error = hSession->ssl.error = ERR_get_error(); + message->title = N_( "Security error" ); + message->text = N_( "Cant initialize the SSL context." 
); + return -1; + } + + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); + SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback); + + SSL_CTX_set_default_verify_paths(ssl_ctx); + + ssl_3270_ex_index = SSL_get_ex_new_index(0,NULL,NULL,NULL,NULL); + +#ifdef SSL_ENABLE_CRL_CHECK + // + // Set up CRL validation + // + // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session + // + lib3270_autoptr(X509_CRL) crl = lib3270_get_X509_CRL(hSession,message); + + if(!crl) + return -1; + +// const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); +// X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); + + if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_DS_TRACE)) + { + BIO * out = BIO_new(BIO_s_mem()); + unsigned char * data; + unsigned char * text; + int n; + + X509_CRL_print(out,crl); + + n = BIO_get_mem_data(out, &data); + text = (unsigned char *) malloc (n+1); + text[n] ='\0'; + memcpy(text,data,n); + + trace_dsn(hSession,"\n%s\n",text); + + free(text); + BIO_free(out); + + } + + X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); + X509_STORE_add_crl(store, crl); + X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); + X509_STORE_set1_param(store, param); + X509_VERIFY_PARAM_free(param); + +#endif // SSL_ENABLE_CRL_CHECK + + return 0; +} + +#endif // HAVE_LIBSSL diff --git a/src/lib3270/ssl/linux/ctx_init.c b/src/lib3270/ssl/linux/ctx_init.c deleted file mode 100644 index 9aa7f4a..0000000 --- a/src/lib3270/ssl/linux/ctx_init.c +++ /dev/null 
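Review bot: When `lib3270_get_X509_CRL()` fails, `ssl_ctx` has already been assigned by `SSL_CTX_new()` a few lines earlier, so the `return -1` leaves a half-configured context behind and the `if(ssl_ctx) return 0;` guard at the top makes every later call succeed without CRL checking ever being installed — the CRL path fails open on retry. Release the context before bailing out: `SSL_CTX_free(ssl_ctx); ssl_ctx = NULL; return -1;`. The same cleanup applies to the ignored results of `X509_STORE_add_crl()`, `X509_VERIFY_PARAM_new()` and `X509_STORE_set1_param()` — a NULL from `X509_VERIFY_PARAM_new()` is dereferenced on the very next line — and to the unchecked `malloc()` in the trace block. Note too that `X509_V_FLAG_CRL_CHECK` checks only the leaf certificate's CRL; `X509_V_FLAG_CRL_CHECK_ALL` is needed to cover intermediates, and whichever is intended deserves a comment. With windows/ctx_init.c deleted in this same patch, the registry-driven `SSL_CTX_load_verify_locations()` call is gone, so Windows builds now rely solely on `SSL_CTX_set_default_verify_paths()` — presumably intentional, but worth confirming.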
@@ -1,202 +0,0 @@ -/* - * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270 e X3270 - * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a - * aplicativos mainframe. Registro no INPI sob o nome G3270. - * - * Copyright (C) <2008> - * - * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob - * os termos da GPL v.2 - Licença Pública Geral GNU, conforme publicado pela - * Free Software Foundation. - * - * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER - * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO - * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para - * obter mais detalhes. - * - * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este - * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin - * St, Fifth Floor, Boston, MA 02110-1301 USA - * - * Este programa está nomeado como - e possui - linhas de código. - * - * Contatos: - * - * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck) - * erico.mendonca@gmail.com (Erico Mascarenhas Mendonça) - * - * - * References: - * - * http://www.openssl.org/docs/ssl/ - * https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now - * - */ - -/** - * @brief OpenSSL initialization for linux. 
- * - */ - -#include -#if defined(HAVE_LIBSSL) - -#include -#include -#include - -#ifndef SSL_ST_OK - #define SSL_ST_OK 3 -#endif // !SSL_ST_OK - -#include "../../private.h" -#include -#include -#include -#include -#include -#include "trace_dsc.h" - -#ifdef SSL_ENABLE_CRL_CHECK - #include -#endif // SSL_ENABLE_CRL_CHECK - -/*--[ Implement ]------------------------------------------------------------------------------------*/ - -#ifdef SSL_ENABLE_CRL_CHECK -static inline void auto_close_file(FILE **file) -{ - if(*file) - fclose(*file); -} - -static inline void auto_close_crl(X509_CRL **crl) -{ - if(*crl) - X509_CRL_free(*crl); -} - -static inline void auto_free_text(char **text) -{ - if(*text) - lib3270_free(*text); -} - -#endif // SSL_ENABLE_CRL_CHECK - -/** - * @brief Initialize openssl library. - * - * @return 0 if ok, non zero if fails. - * - */ -int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message) -{ - debug("%s ssl_ctx=%p",__FUNCTION__,ssl_ctx); - - if(ssl_ctx) - return 0; - - trace_dsn(hSession,"Initializing SSL context.\n"); - - SSL_load_error_strings(); - SSL_library_init(); - - ssl_ctx = SSL_CTX_new(SSLv23_method()); - if(ssl_ctx == NULL) - { - message->error = hSession->ssl.error = ERR_get_error(); - message->title = N_( "Security error" ); - message->text = N_( "Cant initialize the SSL context." 
); - return -1; - } - - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); - SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback); - - SSL_CTX_set_default_verify_paths(ssl_ctx); - - ssl_3270_ex_index = SSL_get_ex_new_index(0,NULL,NULL,NULL,NULL); - -#ifdef SSL_ENABLE_CRL_CHECK - // - // Set up CRL validation - // - // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session - // - char __attribute__ ((__cleanup__(auto_free_text))) * crl_file = lib3270_strdup_printf("%s/.cache/" PACKAGE_NAME ".crl",getenv("HOME")); - X509_CRL * __attribute__ ((__cleanup__(auto_close_crl))) crl = NULL; - FILE * __attribute__ ((__cleanup__(auto_close_file))) hCRL = fopen(crl_file,"r"); - - if(!hCRL) - { - // Can't open CRL File. - message->error = hSession->ssl.error = 0; - message->title = N_( "Security error" ); - message->text = N_( "Can't open CRL File" ); - message->description = strerror(errno); - lib3270_write_log(hSession,"ssl","Can't open %s: %s",crl_file,message->description); - return -1; - - } - - lib3270_write_log(hSession,"ssl","Loading CRL from %s",crl_file); - - d2i_X509_CRL_fp(hCRL, &crl); - - X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); - X509_STORE_add_crl(store, crl); - X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - X509_STORE_set1_param(store, param); - X509_VERIFY_PARAM_free(param); - -#endif // SSL_ENABLE_CRL_CHECK - - return 0; -} - -#endif // HAVE_LIBSSL - -/* -// Load CRLs into the `X509_STORE` - -X509_STORE *x509_store = SSL_CTX_get_cert_store(ctx); -X509_STORE_add_crl(x509_store, crl); - -// Enable CRL checking -X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); -X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); -SSL_CTX_set1_param(ctx, param); -X509_VERIFY_PARAM_free(param); - - - - } - - - - -#if defined(SSL_ENABLE_CRL_CHECK) - // Set up CRL validation - // 
https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now - X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); - - // Enable CRL checking - X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - X509_STORE_set1_param(store, param); - X509_VERIFY_PARAM_free(param); - - // X509_STORE_free(store); - - trace_dsn(hSession,"CRL CHECK is enabled.\n"); - -#else - - trace_dsn(hSession,"CRL CHECK is disabled.\n"); - -#endif // SSL_ENABLE_CRL_CHECK - -*/ - diff --git a/src/lib3270/ssl/negotiate.c b/src/lib3270/ssl/negotiate.c index c8b86d3..e5cdb5b 100644 --- a/src/lib3270/ssl/negotiate.c +++ b/src/lib3270/ssl/negotiate.c @@ -163,6 +163,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) switch(rv) { + // https://www.openssl.org/docs/man1.0.2/crypto/X509_STORE_CTX_set_error.html case X509_V_OK: peer = SSL_get_peer_certificate(hSession->ssl.con); @@ -182,6 +183,21 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) return -1; + case X509_V_ERR_CRL_NOT_YET_VALID: + trace_dsn(hSession,"%s","The CRL of a certificate is not yet valid.\n" ); + + ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" ); + ((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL is not yet valid." ); + ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) is not yet valid." ); + return -1; + + case X509_V_ERR_CRL_HAS_EXPIRED: + trace_dsn(hSession,"%s","The CRL of a certificate has expired.\n" ); + ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" ); + ((SSL_ERROR_MESSAGE *) message)->text = _( "The CRL has expired." ); + ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) has expired." ); + return -1; + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: peer = SSL_get_peer_certificate(hSession->ssl.con); 
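Review bot: The two new cases report a CRL that is not yet valid or has expired, but not the outcomes CRL checking exists for — `X509_V_ERR_CERT_REVOKED` and `X509_V_ERR_UNABLE_TO_GET_CRL` (the result when `X509_V_FLAG_CRL_CHECK` is set and no CRL for the issuer is in the store). Both fall through to whatever the `switch` does by default, which lies outside this hunk; confirm that path returns -1 rather than treating an unhandled verify result as success. Style: the first case has a blank line after `trace_dsn()` and the second does not, and a short comment above the pair such as `// CRL validity-window failures: report and abort the negotiation.` would make the grouping clear. `background_ssl_negotiation()` begins and ends outside the hunk.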
diff --git a/src/lib3270/ssl/windows/ctx_init.c b/src/lib3270/ssl/windows/ctx_init.c deleted file mode 100644 index 7cc644e..0000000 --- a/src/lib3270/ssl/windows/ctx_init.c +++ /dev/null 
@@ -1,176 +0,0 @@ -/* - * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270 e X3270 - * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a - * aplicativos mainframe. Registro no INPI sob o nome G3270. - * - * Copyright (C) <2008> - * - * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob - * os termos da GPL v.2 - Licença Pública Geral GNU, conforme publicado pela - * Free Software Foundation. - * - * Este programa é distribuído na expectativa de ser útil, mas SEM QUALQUER - * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou de ADEQUAÇÃO - * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para - * obter mais detalhes. - * - * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este - * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin - * St, Fifth Floor, Boston, MA 02110-1301 USA - * - * Este programa está nomeado como - e possui - linhas de código. - * - * Contatos: - * - * perry.werneck@gmail.com (Alexandre Perry de Souza Werneck) - * erico.mendonca@gmail.com (Erico Mascarenhas Mendonça) - * - * - * References: - * - * http://www.openssl.org/docs/ssl/ - * https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now - * - */ - -/** - * @brief OpenSSL initialization for windows. - * - */ - -#include -#if defined(HAVE_LIBSSL) -#include -#include -#include - -#ifndef SSL_ST_OK - #define SSL_ST_OK 3 -#endif // !SSL_ST_OK - -#include "../../private.h" -#include -#include -#include -#include -#include "trace_dsc.h" - -/*--[ Implement ]------------------------------------------------------------------------------------*/ - -/** - * @brief Initialize openssl library. - * - * @return 0 if ok, non zero if fails. 
- * - */ -int ssl_ctx_init(H3270 *hSession) -{ - debug("%s ssl_ctx=%p",__FUNCTION__,ssl_ctx); - - if(ssl_ctx) - return 0; - - trace_dsn(hSession,"Initializing SSL context.\n"); - - SSL_load_error_strings(); - SSL_library_init(); - - ssl_ctx = SSL_CTX_new(SSLv23_method()); - if(ssl_ctx == NULL) - return -1; - - SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); - SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback); - SSL_CTX_set_default_verify_paths(ssl_ctx); - - // - // Get path from windows registry. - // - HKEY hKey = 0; - - if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\" PACKAGE_NAME,0,KEY_QUERY_VALUE,&hKey) == ERROR_SUCCESS) - { - char data[4096]; - unsigned long datalen = sizeof(data); // data field length(in), data returned length(out) - unsigned long datatype; // #defined in winnt.h (predefined types 0-11) - - if(RegQueryValueExA(hKey,"datadir",NULL,&datatype,(LPBYTE) data,&datalen) == ERROR_SUCCESS) - { - strncat(data,"\\certs",4095); - - if(!SSL_CTX_load_verify_locations(ssl_ctx,NULL,data)) - { - hSession->ssl.error = ERR_get_error(); - - trace_dsn( - hSession, - "Cant set default locations for trusted CA certificates to %s\n%s\m" - data, - ERR_lib_error_string(hSession->ssl.error) - ); - - lib3270_write_log( - hSession, - "ssl", - "Cant set default locations for trusted CA certificates to %s\n%s", - data, - ERR_lib_error_string(hSession->ssl.error) - ); - - } - } - RegCloseKey(hKey); - } - - ssl_3270_ex_index = SSL_get_ex_new_index(0,NULL,NULL,NULL,NULL); - - // - // Initialize CUSTOM CRL CHECK - // - - return 0; -} - -#endif // HAVE_LIBSSL - -/* -// Load CRLs into the `X509_STORE` - -X509_STORE *x509_store = SSL_CTX_get_cert_store(ctx); -X509_STORE_add_crl(x509_store, crl); - -// Enable CRL checking -X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); -X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); -SSL_CTX_set1_param(ctx, param); -X509_VERIFY_PARAM_free(param); - - - - } - - - -/* -#if defined(SSL_ENABLE_CRL_CHECK) - // Set up CRL validation - // 
https://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now - X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); - - // Enable CRL checking - X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - X509_STORE_set1_param(store, param); - X509_VERIFY_PARAM_free(param); - - // X509_STORE_free(store); - - trace_dsn(hSession,"CRL CHECK is enabled.\n"); - -#else - - trace_dsn(hSession,"CRL CHECK is disabled.\n"); - -#endif // SSL_ENABLE_CRL_CHECK -*/ - diff --git a/src/lib3270/util.c b/src/lib3270/util.c index e0ec00b..eaed157 100644 --- a/src/lib3270/util.c +++ b/src/lib3270/util.c @@ -504,6 +504,13 @@ LIB3270_EXPORT void * lib3270_free(void *p) return NULL; } +LIB3270_EXPORT void lib3270_autoptr_cleanup_char(char **ptr) +{ + if(*ptr) + free(*ptr); + *ptr = NULL; +} + LIB3270_EXPORT void * lib3270_realloc(void *p, int len) { p = realloc(p, len); -- libgit2 0.21.2
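Review bot: `lib3270_autoptr_cleanup_char()` releases with bare `free()` although the library's own deallocator `lib3270_free()` (visible in the hunk header, returning NULL) exists for exactly this, and since `free(NULL)` is a no-op the `if(*ptr)` guard is redundant; the body collapses to `*ptr = lib3270_free(*ptr);`. Going through `lib3270_free()` keeps the cleanup paired with memory handed out by `lib3270_strdup()` should that allocator ever stop being plain malloc. A `/// @brief Cleanup handler for lib3270_autoptr(char): releases *ptr and resets it to NULL.` in the style of the neighbouring functions would complete it.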