diff --git a/src/core/properties/boolean.c b/src/core/properties/boolean.c
index 3474037..5afc5d2 100644
--- a/src/core/properties/boolean.c
+++ b/src/core/properties/boolean.c
@@ -45,29 +45,17 @@
 return hSession->starting != 0;
 }
-#if defined(HAVE_LIBSSLx) && defined(SSL_ENABLE_CRL_CHECK)
- LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 *hSession, int enabled)
- {
- FAIL_IF_ONLINE(hSession);
- hSession->ssl.crl.download = enabled ? 1 : 0;
+ LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 *hSession, int enabled)
+ {
+ FAIL_IF_ONLINE(hSession);
+ hSession->ssl.download_crl = (enabled ? 1 : 0);
 return 0;
- }
-
-LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 *hSession)
-{
- return hSession->ssl.crl.download;
-}
-#else
- LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 GNUC_UNUSED(*hSession), int GNUC_UNUSED(enabled))
- {
- return errno = ENOTSUP;
- }
+ }
- LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 GNUC_UNUSED(*hSession))
+ LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 *hSession)
 {
- return 0;
+ return hSession->ssl.download_crl;
 }
-#endif // SSL_ENABLE_CRL_CHECK
 const LIB3270_INT_PROPERTY * lib3270_get_boolean_properties_list(void)
 {
diff --git a/src/core/properties/string.c b/src/core/properties/string.c
index 22fc51b..d5e1643 100644
--- a/src/core/properties/string.c
+++ b/src/core/properties/string.c
@@ -147,6 +147,7 @@
 .get = lib3270_crl_get_url, // Get value.
 .set = lib3270_crl_set_url, // Set value.
 },
+ */
 {
 .name = "crl_preferred_protocol", // Property name.
@@ -155,7 +156,6 @@
 .get = lib3270_crl_get_preferred_protocol, // Get value.
 .set = lib3270_crl_set_preferred_protocol, // Set value.
 },
- */
 {
 .name = "default_host", // Property name.
diff --git a/src/core/session.c b/src/core/session.c
index f4d4ebf..223e6f2 100644
--- a/src/core/session.c
+++ b/src/core/session.c
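Review bot: With the `#else` branch gone, `lib3270_ssl_set_crl_download` now returns 0 in every build, yet the session.c hunk of this same patch still guards the default `download_crl = 1` on `SSL_ENABLE_CRL_CHECK`; if that macro can be absent, a caller enabling CRL download gets success back while, presumably, nothing is ever downloaded. I would keep a feature check in the setter so the unsupported case stays detectable: `#if !defined(SSL_ENABLE_CRL_CHECK)` / `return errno = ENOTSUP;` / `#endif` ahead of the assignment. The getter also deserves a doc line, because it returns the raw bit-field: `/// @return The download_crl flag as stored (see internals.h for the field's width and signedness).`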
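Review bot: Re-enabling the `crl_preferred_protocol` entry wires `.get` to the new `lib3270_crl_get_preferred_protocol` in tools.c, which returns NULL when no preference is set, whereas the getter removed from properties.c returned `""`; a generic property reader that hands the result to `strlen`/`strdup` without a NULL check would now dereference NULL, and I can't see that reader from here, so please confirm it tolerates NULL or make the getter return `""` for the unset case. The `/* … */` that keeps `crl_url` commented out opens before this hunk; a short comment there, e.g. `// crl_url: not honored any more, download_crl() takes the distribution points from the peer certificate`, would stop the next reader from re-enabling a dead property.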
@@ -304,13 +304,13 @@ void lib3270_reset_callbacks(H3270 *hSession)
 static void lib3270_session_init(H3270 *hSession, const char *model, const char *charset)
 {
- int f;
+ int f;
 memset(hSession,0,sizeof(H3270));
 lib3270_set_default_network_module(hSession);
-#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSLx)
- hSession->ssl.crl.download = 1;
+#if defined(SSL_ENABLE_CRL_CHECK)
+ hSession->ssl.download_crl = 1;
 #endif // SSL_ENABLE_CRL_CHECK
 lib3270_set_host_charset(hSession,charset);
diff --git a/src/include/internals.h b/src/include/internals.h
index 21c0786..ae51e79 100644
--- a/src/include/internals.h
+++ b/src/include/internals.h
@@ -683,10 +683,12 @@ struct _h3270
 struct
 {
- int host : 1; ///< @brief Non zero if host requires SSL.
+ int host : 1; ///< @brief Non zero if host requires SSL.
+ int download_crl : 1; ///< @brief Non zero to download CRL.
 LIB3270_SSL_STATE state;
 int error;
- const LIB3270_SSL_MESSAGE * message; ///< @brief Pointer to SSL messages for current state.
+ const LIB3270_SSL_MESSAGE * message; ///< @brief Pointer to SSL messages for current state.
+ unsigned short crl_preferred_protocol; ///< @brief The CRL Preferred protocol.
 } ssl;
 /// @brief Event Listeners.
diff --git a/src/network_modules/default/main.c b/src/network_modules/default/main.c
index c2fcae8..d82e869 100644
--- a/src/network_modules/default/main.c
+++ b/src/network_modules/default/main.c
@@ -151,7 +151,7 @@ void lib3270_set_default_network_module(H3270 *hSession)
 {
 static const LIB3270_NET_MODULE module = {
 .name = "tn3270",
- .service = "tn3270",
+ .service = "23",
 .init = unsecure_network_init,
 .finalize = unsecure_network_finalize,
 .connect = unsecure_network_connect,
diff --git a/src/network_modules/openssl/main.c b/src/network_modules/openssl/main.c
index b3a9cc5..fbac266 100644
--- a/src/network_modules/openssl/main.c
+++ b/src/network_modules/openssl/main.c
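Review bot: `int download_crl : 1;` is a plain-`int` bit-field, whose signedness is implementation-defined and which GCC treats as signed, so storing 1 into it (session.c and `lib3270_ssl_set_crl_download` both do) reads back as -1, and `lib3270_ssl_get_crl_download`, which returns the field directly, would hand callers -1 rather than 1. Declare it `unsigned int download_crl : 1;`; the pre-existing `host : 1` carries the same hazard, although this commit does not touch its type. `crl_preferred_protocol` also needs its meaning recorded where it is declared: `///< @brief Index into crl_download_protocols[] (tools.c); 0 = no preference.` The `struct _h3270` definition continues outside this hunk.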
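Review bot: `.service = "23"` swaps a symbolic service name for a bare port literal and nothing on the line says why, so a reader cannot tell whether "tn3270" failed to resolve somewhere or port 23 is simply the intended default. Record the reason next to the value, e.g. `.service = "23", // numeric telnet port; "tn3270" is not in every services database — TODO confirm` (that motive is my guess, adjust as needed). Given the `unsecure_*` callbacks on the following lines, the same comment is the natural place to state that this default module is the non-TLS transport.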
@@ -243,7 +243,7 @@ static char * openssl_network_getcrl(const H3270 *hSession)
 {
 unsigned char * text;
 int n;
- X509_print(out,context->crl.cert);
+ X509_CRL_print(out,context->crl.cert);
 n = BIO_get_mem_data(out, &data);
 text = (unsigned char *) lib3270_malloc(n+1);
diff --git a/src/network_modules/openssl/start.c b/src/network_modules/openssl/start.c
index 5147ae9..5e91535 100644
--- a/src/network_modules/openssl/start.c
+++ b/src/network_modules/openssl/start.c
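Review bot: The return value of `X509_CRL_print` on the changed line is ignored, so a failed print leaves `out` short or empty and the function still proceeds to `BIO_get_mem_data` and `lib3270_malloc(n+1)` with whatever is there; guard it with `if(!X509_CRL_print(out,context->crl.cert)) { trace_ssl(hSession,"Can't print CRL\n"); return NULL; }` (or whatever failure value this function uses — its start and end are outside the hunk). The bug being fixed, a CRL handed to `X509_print`, is exactly the confusion a field named `crl.cert` invites; renaming it or at least commenting `// holds an X509_CRL *, not a certificate` at its declaration would help, though I can only infer the type from this call.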
@@ -88,6 +88,86 @@
 }
+
+ static void download_crl(H3270 *hSession, SSL_CTX * ctx_context, LIB3270_NET_CONTEXT * context, X509 *peer) {
+
+ debug("%s peer=%p",__FUNCTION__,(void *) peer);
+
+ if(!peer)
+ return;
+
+ lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_openssl_get_crls_from_peer(hSession, peer);
+ if(!uris) {
+ trace_ssl(hSession,"Can't get distpoints from peer certificate\n");
+ return;
+ }
+
+ size_t ix;
+ const char * error_message = NULL;
+ lib3270_autoptr(char) crl_text = NULL;
+
+ const char *prefer = lib3270_crl_get_preferred_protocol(hSession);
+ if(!prefer) {
+
+ // No preferred protocol, try all uris.
+ for(ix = 0; ix < uris->length; ix++) {
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+ return;
+
+ }
+
+ // Try preferred protocol.
+ trace_ssl(hSession,"CRL download protocol is set to %s\n",prefer);
+
+ size_t length = strlen(prefer);
+
+ for(ix = 0; ix < uris->length; ix++) {
+
+ if(strncasecmp(prefer,uris->str[ix],length))
+ continue;
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+
+ // Not found; try other ones
+ for(ix = 0; ix < uris->length; ix++) {
+
+ if(!strncasecmp(prefer,uris->str[ix],length))
+ continue;
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+
+ }
 int openssl_network_start_tls(H3270 *hSession)
 {
 SSL_CTX * ctx_context = (SSL_CTX *) lib3270_openssl_get_context(hSession);
@@ -186,44 +266,7 @@
 // CRL download is enabled and verification has failed; look for CRL file.
 trace_ssl(hSession,"CRL Validation has failed, requesting CRL download\n");
-
- lib3270_autoptr(char) crl_text = NULL;
- if(context->crl.url) {
-
- // There's a pre-defined URL, use it.
- const char *error_message = NULL;
- crl_text = lib3270_url_get(hSession, context->crl.url,&error_message);
-
- if(error_message) {
- trace_ssl(hSession,"Error downloading CRL from %s: %s\n",context->crl.url,error_message);
- } else {
- import_crl(hSession, ctx_context, context, crl_text);
- }
-
-
- } else if(peer) {
-
- // There's no pre-defined URL, get them from peer.
- lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_openssl_get_crls_from_peer(hSession, peer);
-
- if(uris) {
-
- size_t ix;
- for(ix = 0; ix < uris->length; ix++) {
-
- const char * error_message = NULL;
- crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
-
- if(error_message) {
- trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
- } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
- break;
- }
-
- }
- }
-
- }
+ download_crl(hSession, ctx_context, context, peer);
 }
diff --git a/src/network_modules/tools.c b/src/network_modules/tools.c
index e30ecf9..21f6a51 100644
--- a/src/network_modules/tools.c
+++ b/src/network_modules/tools.c
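Review bot: `download_crl(...)` is void, so after the added call the caller has no way to tell whether any CRL was imported before it continues; the rest of `openssl_network_start_tls` lies outside this hunk, so I can't see whether verification is retried, but the trace log will be silent about the reason the retry fails. Have the helper return 0 on import and non-zero otherwise and log the outcome here: `if(download_crl(hSession, ctx_context, context, peer)) trace_ssl(hSession,"No usable CRL could be downloaded\n");`. The explicit `context->crl.url` override is no longer consulted on this path; if that field is still reachable through the API, it should be removed or documented as ignored so a configured URL is not silently dropped.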
@@ -212,3 +212,43 @@ int lib3270_socket_set_non_blocking(H3270 *hSession, int sock, const unsigned ch
 return 0;
 }
+
+ static const char * crl_download_protocols[] = {
+ NULL,
+ "http",
+ "https",
+#ifdef HAVE_LDAP
+ "ldap",
+ "ldaps"
+#endif // HAVE_LDAP
+ };
+
+ const char * lib3270_crl_get_preferred_protocol(const H3270 *hSession)
+ {
+ debug("%s: selected: %d",__FUNCTION__,(int) hSession->ssl.crl_preferred_protocol);
+ if(hSession->ssl.crl_preferred_protocol < (sizeof(crl_download_protocols)/sizeof(crl_download_protocols[0])))
+ return crl_download_protocols[hSession->ssl.crl_preferred_protocol];
+
+ errno = EINVAL;
+ return NULL;
+ }
+
+ int lib3270_crl_set_preferred_protocol(H3270 *hSession, const char *protocol)
+ {
+ FAIL_IF_ONLINE(hSession);
+
+ debug("%s(%s)",__FUNCTION__,protocol);
+ size_t ix;
+ for(ix = 0; ix < (sizeof(crl_download_protocols)/sizeof(crl_download_protocols[0])); ix++) {
+
+ debug("[%s] [%s]",protocol,crl_download_protocols[ix]);
+ if(crl_download_protocols[ix] && !strcasecmp(protocol,crl_download_protocols[ix])) {
+ hSession->ssl.crl_preferred_protocol = (unsigned short) ix;
+ return 0;
+ }
+ }
+
+ debug("Unsupported protocol: %s",protocol);
+
+ return EINVAL;
+ }
diff --git a/src/ssl/properties.c b/src/ssl/properties.c
index 8133beb..a7742e5 100644
--- a/src/ssl/properties.c
+++ b/src/ssl/properties.c
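Review bot: `lib3270_crl_set_preferred_protocol` passes `protocol` straight to `strcasecmp` (and to `debug("%s(%s)")`), so a NULL argument — which the setter removed from properties.c in this same patch accepted as "clear the preference" — is now undefined behaviour, and because the loop skips the NULL entry at index 0 there is no remaining way to return to "no preference" once one has been set. The error convention is also inconsistent: the setter returns a bare `EINVAL` while the getter, two functions up, sets `errno = EINVAL` and returns NULL, and the getter returns NULL with `errno` untouched for the legitimate index-0 case, so callers cannot tell "unset" from "corrupt index" without clearing `errno` first. I would handle NULL/empty as an explicit reset, start the scan at 1, and report through `errno` like the getter does:
```c
int lib3270_crl_set_preferred_protocol(H3270 *hSession, const char *protocol)
{
	FAIL_IF_ONLINE(hSession);

	// NULL or "" clears the preference; slot 0 of crl_download_protocols[] is the "none" entry.
	if(!protocol || !*protocol) {
		hSession->ssl.crl_preferred_protocol = 0;
		return 0;
	}

	debug("%s(%s)",__FUNCTION__,protocol);

	size_t ix;
	for(ix = 1; ix < (sizeof(crl_download_protocols)/sizeof(crl_download_protocols[0])); ix++) {
		if(!strcasecmp(protocol,crl_download_protocols[ix])) {
			hSession->ssl.crl_preferred_protocol = (unsigned short) ix;
			return 0;
		}
	}

	debug("Unsupported protocol: %s",protocol);
	return errno = EINVAL;	// Same convention as lib3270_crl_get_preferred_protocol.
}
```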
@@ -197,46 +197,3 @@ LIB3270_EXPORT char * lib3270_get_ssl_peer_certificate_text(const H3270 *hSessio
 }
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wunused-parameter"
- const char * lib3270_crl_get_preferred_protocol(const H3270 *hSession)
- {
-#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
- if(hSession->ssl.crl.prefer)
- return hSession->ssl.crl.prefer;
-#endif
- errno = ENODATA;
- return "";
- }
- #pragma GCC diagnostic pop
-
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wunused-parameter"
- int lib3270_crl_set_preferred_protocol(H3270 *hSession, const char *protocol)
- {
-
- FAIL_IF_ONLINE(hSession);
-
-#if defined(HAVE_LIBSSL) && defined(HAVE_SSL_ENABLE_CRL_CHECK)
-
- if(hSession->ssl.crl.prefer)
- {
- lib3270_free(hSession->ssl.crl.prefer);
- hSession->ssl.crl.prefer = NULL;
- }
-
- if(protocol)
- {
- hSession->ssl.crl.prefer = strdup(protocol);
- }
-
- return 0;
-
-#else
-
- return errno = ENOTSUP;
-
-#endif // SSL_ENABLE_CRL_CHECK
-
- }
- #pragma GCC diagnostic pop
-- libgit2 0.21.2