Commit 641a1b5b5e751c0b593588b8aad33ae924e0063e
1 parent
d1aacba7
Reactivating optional CRL download.
Showing
9 changed files
with
138 additions
and
108 deletions
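--- a/src/core/properties/boolean.c
+++ b/src/core/properties/boolean.c
@@ -45,29 +45,17 @@
 return hSession->starting != 0;
 }
 
-#if defined(HAVE_LIBSSLx) && defined(SSL_ENABLE_CRL_CHECK)
- LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 *hSession, int enabled)
- {
- FAIL_IF_ONLINE(hSession);
- hSession->ssl.crl.download = enabled ? 1 : 0;
+ LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 *hSession, int enabled)
+ {
+ FAIL_IF_ONLINE(hSession);
+ hSession->ssl.download_crl = (enabled ? 1 : 0);
 return 0;
- }
-
-LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 *hSession)
-{
- return hSession->ssl.crl.download;
-}
-#else
- LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 GNUC_UNUSED(*hSession), int GNUC_UNUSED(enabled))
- {
- return errno = ENOTSUP;
- }
+ }
 
- LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 GNUC_UNUSED(*hSession))
+ LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 *hSession)
 {
- return 0;
+ return hSession->ssl.download_crl;
 }
-#endif // SSL_ENABLE_CRL_CHECK
 
 const LIB3270_INT_PROPERTY * lib3270_get_boolean_properties_list(void)
 {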
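Review bot: `lib3270_ssl_get_crl_download` at new line 57 returns the raw `download_crl` bit-field, which this same commit declares as `int download_crl : 1;` in src/include/internals.h; a plain-`int` one-bit field is signed on GCC, so after `download_crl = 1` the getter yields -1 rather than 1 (the neighbouring `host : 1` has the same shape, and the internals.h hunk is where the declaration can be fixed). Either declare the field `unsigned int download_crl : 1;` or normalise here, `return hSession->ssl.download_crl ? 1 : 0;`. Separately, the setter no longer returns ENOTSUP in builds without SSL_ENABLE_CRL_CHECK, while src/core/session.c in this commit only defaults the flag under that macro; if the download path in start.c is compiled out in such builds (not visible here), a caller can now enable a download that is never performed, so the header comment for the setter should state what the flag does in that configuration.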
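--- a/src/core/properties/string.c
+++ b/src/core/properties/string.c
@@ -147,6 +147,7 @@
 .get = lib3270_crl_get_url, // Get value.
 .set = lib3270_crl_set_url, // Set value.
 },
+ */
 
 {
 .name = "crl_preferred_protocol", // Property name.
@@ -155,7 +156,6 @@
 .get = lib3270_crl_get_preferred_protocol, // Get value.
 .set = lib3270_crl_set_preferred_protocol, // Set value.
 },
- */
 
 {
 .name = "default_host", // Property name.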
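--- a/src/core/session.c
+++ b/src/core/session.c
@@ -304,13 +304,13 @@ void lib3270_reset_callbacks(H3270 *hSession)
 
 static void lib3270_session_init(H3270 *hSession, const char *model, const char *charset)
 {
- int f;
+ int f;
 
 memset(hSession,0,sizeof(H3270));
 lib3270_set_default_network_module(hSession);
 
-#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSLx)
- hSession->ssl.crl.download = 1;
+#if defined(SSL_ENABLE_CRL_CHECK)
+ hSession->ssl.download_crl = 1;
 #endif // SSL_ENABLE_CRL_CHECK
 
 lib3270_set_host_charset(hSession,charset);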
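--- a/src/include/internals.h
+++ b/src/include/internals.h
@@ -683,10 +683,12 @@ struct _h3270
 
 struct
 {
- int host : 1; ///< @brief Non zero if host requires SSL.
+ int host : 1; ///< @brief Non zero if host requires SSL.
+ int download_crl : 1; ///< @brief Non zero to download CRL.
 LIB3270_SSL_STATE state;
 int error;
- const LIB3270_SSL_MESSAGE * message; ///< @brief Pointer to SSL messages for current state.
+ const LIB3270_SSL_MESSAGE * message; ///< @brief Pointer to SSL messages for current state.
+ unsigned short crl_preferred_protocol; ///< @brief The CRL Preferred protocol.
 } ssl;
 
 /// @brief Event Listeners.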
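Review bot: The `@brief` on new line 691 says only "The CRL Preferred protocol", but the field is not a protocol name: `lib3270_crl_set_preferred_protocol` in src/network_modules/tools.c stores the matched position in the `crl_download_protocols` table and the getter indexes that table with it, and position 0 is the table's NULL entry, which is also what the `memset` in session init leaves behind. Suggest `///< @brief Index into crl_download_protocols (tools.c); 0 = no preferred protocol.` so a maintainer does not try to store a string or a port here.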
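--- a/src/network_modules/default/main.c
+++ b/src/network_modules/default/main.c
@@ -151,7 +151,7 @@ void lib3270_set_default_network_module(H3270 *hSession) {
 
 static const LIB3270_NET_MODULE module = {
 .name = "tn3270",
- .service = "tn3270",
+ .service = "23",
 .init = unsecure_network_init,
 .finalize = unsecure_network_finalize,
 .connect = unsecure_network_connect,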
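Review bot: `.service = "23"` at new line 154 swaps a symbolic service name for a numeric port string with no comment, in a commit whose subject is CRL download, so the reason is lost to the next reader. If the motivation is that "tn3270" is not present in every services database and name resolution failed (an inference; the hunk does not say), record it on the line: `.service = "23", // Numeric telnet port: "tn3270" is not defined in every services database.` Otherwise the two strings look interchangeable and someone will "tidy" it back.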
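--- a/src/network_modules/openssl/main.c
+++ b/src/network_modules/openssl/main.c
@@ -243,7 +243,7 @@ static char * openssl_network_getcrl(const H3270 *hSession) {
 unsigned char * text;
 int n;
 
- X509_print(out,context->crl.cert);
+ X509_CRL_print(out,context->crl.cert);
 
 n = BIO_get_mem_data(out, &data);
 text = (unsigned char *) lib3270_malloc(n+1);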
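Review bot: `X509_CRL_print(out,context->crl.cert)` at new line 246 uses the right printer for a CRL object, but its return value is still discarded, so a failed print leaves `out` empty or partial and the following lines copy whatever `BIO_get_mem_data` reports into a fresh allocation as if it were the CRL text. Check it, e.g. `if(X509_CRL_print(out,context->crl.cert) != 1) { /* free out, return NULL */ }`, reusing whatever BIO cleanup the function presumably does later (outside this hunk). `BIO_get_mem_data` also yields a `long` that is narrowed into `int n` before `lib3270_malloc(n+1)`; declaring `long n` removes the implicit conversion. `openssl_network_getcrl` starts and ends outside the hunk.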
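--- a/src/network_modules/openssl/start.c
+++ b/src/network_modules/openssl/start.c
@@ -88,6 +88,86 @@
 
 }
 
+ static void download_crl(H3270 *hSession, SSL_CTX * ctx_context, LIB3270_NET_CONTEXT * context, X509 *peer) {
+
+ debug("%s peer=%p",__FUNCTION__,(void *) peer);
+
+ if(!peer)
+ return;
+
+ lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_openssl_get_crls_from_peer(hSession, peer);
+ if(!uris) {
+ trace_ssl(hSession,"Can't get distpoints from peer certificate\n");
+ return;
+ }
+
+ size_t ix;
+ const char * error_message = NULL;
+ lib3270_autoptr(char) crl_text = NULL;
+
+ const char *prefer = lib3270_crl_get_preferred_protocol(hSession);
+ if(!prefer) {
+
+ // No preferred protocol, try all uris.
+ for(ix = 0; ix < uris->length; ix++) {
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+ return;
+
+ }
+
+ // Try preferred protocol.
+ trace_ssl(hSession,"CRL download protocol is set to %s\n",prefer);
+
+ size_t length = strlen(prefer);
+
+ for(ix = 0; ix < uris->length; ix++) {
+
+ if(strncasecmp(prefer,uris->str[ix],length))
+ continue;
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+
+ // Not found; try other ones
+ for(ix = 0; ix < uris->length; ix++) {
+
+ if(!strncasecmp(prefer,uris->str[ix],length))
+ continue;
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+
+ }
+
 int openssl_network_start_tls(H3270 *hSession) {
 
 SSL_CTX * ctx_context = (SSL_CTX *) lib3270_openssl_get_context(hSession);
@@ -186,44 +266,7 @@
 
 // CRL download is enabled and verification has failed; look for CRL file.
 trace_ssl(hSession,"CRL Validation has failed, requesting CRL download\n");
-
- lib3270_autoptr(char) crl_text = NULL;
- if(context->crl.url) {
-
- // There's a pre-defined URL, use it.
- const char *error_message = NULL;
- crl_text = lib3270_url_get(hSession, context->crl.url,&error_message);
-
- if(error_message) {
- trace_ssl(hSession,"Error downloading CRL from %s: %s\n",context->crl.url,error_message);
- } else {
- import_crl(hSession, ctx_context, context, crl_text);
- }
-
-
- } else if(peer) {
-
- // There's no pre-defined URL, get them from peer.
- lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_openssl_get_crls_from_peer(hSession, peer);
-
- if(uris) {
-
- size_t ix;
- for(ix = 0; ix < uris->length; ix++) {
-
- const char * error_message = NULL;
- crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
-
- if(error_message) {
- trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
- } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
- break;
- }
-
- }
- }
-
- }
+ download_crl(hSession, ctx_context, context, peer);
 
 }
 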
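--- a/src/network_modules/tools.c
+++ b/src/network_modules/tools.c
@@ -212,3 +212,43 @@ int lib3270_socket_set_non_blocking(H3270 *hSession, int sock, const unsigned ch
 return 0;
 
 }
+
+ static const char * crl_download_protocols[] = {
+ NULL,
+ "http",
+ "https",
+#ifdef HAVE_LDAP
+ "ldap",
+ "ldaps"
+#endif // HAVE_LDAP
+ };
+
+ const char * lib3270_crl_get_preferred_protocol(const H3270 *hSession)
+ {
+ debug("%s: selected: %d",__FUNCTION__,(int) hSession->ssl.crl_preferred_protocol);
+ if(hSession->ssl.crl_preferred_protocol < (sizeof(crl_download_protocols)/sizeof(crl_download_protocols[0])))
+ return crl_download_protocols[hSession->ssl.crl_preferred_protocol];
+
+ errno = EINVAL;
+ return NULL;
+ }
+
+ int lib3270_crl_set_preferred_protocol(H3270 *hSession, const char *protocol)
+ {
+ FAIL_IF_ONLINE(hSession);
+
+ debug("%s(%s)",__FUNCTION__,protocol);
+ size_t ix;
+ for(ix = 0; ix < (sizeof(crl_download_protocols)/sizeof(crl_download_protocols[0])); ix++) {
+
+ debug("[%s] [%s]",protocol,crl_download_protocols[ix]);
+ if(crl_download_protocols[ix] && !strcasecmp(protocol,crl_download_protocols[ix])) {
+ hSession->ssl.crl_preferred_protocol = (unsigned short) ix;
+ return 0;
+ }
+ }
+
+ debug("Unsupported protocol: %s",protocol);
+
+ return EINVAL;
+ }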
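--- a/src/ssl/properties.c
+++ b/src/ssl/properties.c
@@ -197,46 +197,3 @@ LIB3270_EXPORT char * lib3270_get_ssl_peer_certificate_text(const H3270 *hSessio
 }
 
 
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wunused-parameter"
- const char * lib3270_crl_get_preferred_protocol(const H3270 *hSession)
- {
-#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
- if(hSession->ssl.crl.prefer)
- return hSession->ssl.crl.prefer;
-#endif
- errno = ENODATA;
- return "";
- }
- #pragma GCC diagnostic pop
-
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wunused-parameter"
- int lib3270_crl_set_preferred_protocol(H3270 *hSession, const char *protocol)
- {
-
- FAIL_IF_ONLINE(hSession);
-
-#if defined(HAVE_LIBSSL) && defined(HAVE_SSL_ENABLE_CRL_CHECK)
-
- if(hSession->ssl.crl.prefer)
- {
- lib3270_free(hSession->ssl.crl.prefer);
- hSession->ssl.crl.prefer = NULL;
- }
-
- if(protocol)
- {
- hSession->ssl.crl.prefer = strdup(protocol);
- }
-
- return 0;
-
-#else
-
- return errno = ENOTSUP;
-
-#endif // SSL_ENABLE_CRL_CHECK
-
- }
- #pragma GCC diagnostic pop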