Commit 641a1b5b5e751c0b593588b8aad33ae924e0063e
1 parent
d1aacba7
Reactivating optional CRL download.
Showing
9 changed files
with
138 additions
and
108 deletions
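--- a/src/core/properties/boolean.c
+++ b/src/core/properties/boolean.c
@@ -45,29 +45,17 @@
 return hSession->starting != 0;
 }
 
-#if defined(HAVE_LIBSSLx) && defined(SSL_ENABLE_CRL_CHECK)
- LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 *hSession, int enabled)
- {
- FAIL_IF_ONLINE(hSession);
- hSession->ssl.crl.download = enabled ? 1 : 0;
+ LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 *hSession, int enabled)
+ {
+ FAIL_IF_ONLINE(hSession);
+ hSession->ssl.download_crl = (enabled ? 1 : 0);
 return 0;
- }
-
-LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 *hSession)
-{
- return hSession->ssl.crl.download;
-}
-#else
- LIB3270_EXPORT int lib3270_ssl_set_crl_download(H3270 GNUC_UNUSED(*hSession), int GNUC_UNUSED(enabled))
- {
- return errno = ENOTSUP;
- }
+ }
 
- LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 GNUC_UNUSED(*hSession))
+ LIB3270_EXPORT int lib3270_ssl_get_crl_download(const H3270 *hSession)
 {
- return 0;
+ return hSession->ssl.download_crl;
 }
-#endif // SSL_ENABLE_CRL_CHECK
 
 const LIB3270_INT_PROPERTY * lib3270_get_boolean_properties_list(void)
 {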
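Review bot: Builds without SSL_ENABLE_CRL_CHECK now accept `lib3270_ssl_set_crl_download(hSession, 1)` and the getter then reports the flag as set, whereas the removed `#else` branch returned `errno = ENOTSUP`; since session.c in this commit only defaults `download_crl` under that macro, a caller can no longer detect that CRL download is not compiled in. I would keep a `#ifndef SSL_ENABLE_CRL_CHECK` stub that returns `errno = ENOTSUP` from the setter, or at least say in the header comment that the flag is a no-op in such builds. The getter should also normalise the bit-field, `return hSession->ssl.download_crl != 0;`, so it returns 0/1 whatever the signedness of the one-bit field in internals.h.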
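--- a/src/core/properties/string.c
+++ b/src/core/properties/string.c
@@ -147,6 +147,7 @@
 .get = lib3270_crl_get_url, // Get value.
 .set = lib3270_crl_set_url, // Set value.
 },
+ */
 
 {
 .name = "crl_preferred_protocol", // Property name.
@@ -155,7 +156,6 @@
 .get = lib3270_crl_get_preferred_protocol, // Get value.
 .set = lib3270_crl_set_preferred_protocol, // Set value.
 },
- */
 
 {
 .name = "default_host", // Property name.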
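Review bot: Moving the closing `*/` up leaves the `crl_url` property entry as commented-out code while it exposes `crl_preferred_protocol`; the opening `/*` is outside the hunk, so the exact extent of the disabled block is not visible here. If `crl_url` is gone for good (start.c in this same commit stops reading `context->crl.url`), delete the entry rather than keep it inside a comment, or annotate it with `// crl_url disabled: start.c now takes distribution points from the peer certificate only.` so nobody re-enables it expecting the old behaviour.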
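--- a/src/core/session.c
+++ b/src/core/session.c
@@ -304,13 +304,13 @@ void lib3270_reset_callbacks(H3270 *hSession)
 
 static void lib3270_session_init(H3270 *hSession, const char *model, const char *charset)
 {
- int f;
+ int f;
 
 memset(hSession,0,sizeof(H3270));
 lib3270_set_default_network_module(hSession);
 
-#if defined(SSL_ENABLE_CRL_CHECK) && defined(HAVE_LIBSSLx)
- hSession->ssl.crl.download = 1;
+#if defined(SSL_ENABLE_CRL_CHECK)
+ hSession->ssl.download_crl = 1;
 #endif // SSL_ENABLE_CRL_CHECK
 
 lib3270_set_host_charset(hSession,charset);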
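Review bot: Dropping `HAVE_LIBSSLx` from the guard makes `download_crl` default to 1 whenever SSL_ENABLE_CRL_CHECK is defined, independent of which network module is compiled in; if that is intended, say so, e.g. `// CRL download is on by default; the openssl module consults it only after peer verification fails.` (the consumer in start.c is outside this hunk, so confirm the wording). The new `crl_preferred_protocol` field is left at 0 by the `memset` two lines above, and tools.c treats index 0 as "no preference"; a one-line comment here, `// crl_preferred_protocol = 0 (no preference) from the memset above`, would make that dependency visible instead of implicit.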
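--- a/src/include/internals.h
+++ b/src/include/internals.h
@@ -683,10 +683,12 @@ struct _h3270
 
 struct
 {
- int host : 1; ///< @brief Non zero if host requires SSL.
+ int host : 1; ///< @brief Non zero if host requires SSL.
+ int download_crl : 1; ///< @brief Non zero to download CRL.
 LIB3270_SSL_STATE state;
 int error;
- const LIB3270_SSL_MESSAGE * message; ///< @brief Pointer to SSL messages for current state.
+ const LIB3270_SSL_MESSAGE * message; ///< @brief Pointer to SSL messages for current state.
+ unsigned short crl_preferred_protocol; ///< @brief The CRL Preferred protocol.
 } ssl;
 
 /// @brief Event Listeners.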
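Review bot: `int download_crl : 1;` is a plain-`int` one-bit bit-field, whose signedness is implementation-defined and signed under GCC, so the `download_crl = 1` store in session.c reads back as -1 and `lib3270_ssl_get_crl_download` in boolean.c returns -1 rather than 1. Declare it `unsigned int download_crl : 1; ///< @brief Non zero to download CRL.` (the pre-existing `host : 1` has the same problem and could be fixed in the same line). The `crl_preferred_protocol` comment should also say what the number is, since it is otherwise an opaque `unsigned short`: `///< @brief Index into the CRL download protocol table in tools.c (0 = no preference).`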
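--- a/src/network_modules/default/main.c
+++ b/src/network_modules/default/main.c
@@ -151,7 +151,7 @@ void lib3270_set_default_network_module(H3270 *hSession) {
 
 static const LIB3270_NET_MODULE module = {
 .name = "tn3270",
- .service = "tn3270",
+ .service = "23",
 .init = unsecure_network_init,
 .finalize = unsecure_network_finalize,
 .connect = unsecure_network_connect,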
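Review bot: Changing `.service` from `"tn3270"` to `"23"` is unrelated to the CRL work this commit describes and carries no comment; presumably the symbolic name is missing from `/etc/services` on some platforms so resolution failed, and the numeric port sidesteps that. Add `// numeric port: "tn3270" is not a registered service name on every platform` so the next reader does not "tidy" it back to the name, and mention the change in the commit message.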
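--- a/src/network_modules/openssl/main.c
+++ b/src/network_modules/openssl/main.c
@@ -243,7 +243,7 @@ static char * openssl_network_getcrl(const H3270 *hSession) {
 unsigned char * text;
 int n;
 
- X509_print(out,context->crl.cert);
+ X509_CRL_print(out,context->crl.cert);
 
 n = BIO_get_mem_data(out, &data);
 text = (unsigned char *) lib3270_malloc(n+1);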
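Review bot: `X509_CRL_print` is the right call for an `X509_CRL *`, but nothing in the hunk shows `context->crl.cert` being checked for NULL before it is printed; `openssl_network_getcrl` starts outside the hunk, so if the guard is not there, add `if(!context->crl.cert) { errno = ENODATA; return NULL; }` ahead of the print. The member name `crl.cert` is what let the type-confused `X509_print` call survive until now; renaming it to `crl.crl`, or at least commenting it `///< X509_CRL, not an X509`, would stop that recurring. `BIO_get_mem_data` returns a `long`, so `int n` followed by `n+1` is a narrowing worth a cast or a `long n`.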
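--- a/src/network_modules/openssl/start.c
+++ b/src/network_modules/openssl/start.c
@@ -88,6 +88,86 @@
 
 }
 
+ static void download_crl(H3270 *hSession, SSL_CTX * ctx_context, LIB3270_NET_CONTEXT * context, X509 *peer) {
+
+ debug("%s peer=%p",__FUNCTION__,(void *) peer);
+
+ if(!peer)
+ return;
+
+ lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_openssl_get_crls_from_peer(hSession, peer);
+ if(!uris) {
+ trace_ssl(hSession,"Can't get distpoints from peer certificate\n");
+ return;
+ }
+
+ size_t ix;
+ const char * error_message = NULL;
+ lib3270_autoptr(char) crl_text = NULL;
+
+ const char *prefer = lib3270_crl_get_preferred_protocol(hSession);
+ if(!prefer) {
+
+ // No preferred protocol, try all uris.
+ for(ix = 0; ix < uris->length; ix++) {
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+ return;
+
+ }
+
+ // Try preferred protocol.
+ trace_ssl(hSession,"CRL download protocol is set to %s\n",prefer);
+
+ size_t length = strlen(prefer);
+
+ for(ix = 0; ix < uris->length; ix++) {
+
+ if(strncasecmp(prefer,uris->str[ix],length))
+ continue;
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+
+ // Not found; try other ones
+ for(ix = 0; ix < uris->length; ix++) {
+
+ if(!strncasecmp(prefer,uris->str[ix],length))
+ continue;
+
+ debug("Trying %s",uris->str[ix]);
+ crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
+
+ if(error_message) {
+ trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
+ } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
+ trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
+ return;
+ }
+
+ }
+
+ }
+
 int openssl_network_start_tls(H3270 *hSession) {
 
 SSL_CTX * ctx_context = (SSL_CTX *) lib3270_openssl_get_context(hSession);
@@ -186,44 +266,7 @@
 
 // CRL download is enabled and verification has failed; look for CRL file.
 trace_ssl(hSession,"CRL Validation has failed, requesting CRL download\n");
-
- lib3270_autoptr(char) crl_text = NULL;
- if(context->crl.url) {
-
- // There's a pre-defined URL, use it.
- const char *error_message = NULL;
- crl_text = lib3270_url_get(hSession, context->crl.url,&error_message);
-
- if(error_message) {
- trace_ssl(hSession,"Error downloading CRL from %s: %s\n",context->crl.url,error_message);
- } else {
- import_crl(hSession, ctx_context, context, crl_text);
- }
-
-
- } else if(peer) {
-
- // There's no pre-defined URL, get them from peer.
- lib3270_autoptr(LIB3270_STRING_ARRAY) uris = lib3270_openssl_get_crls_from_peer(hSession, peer);
-
- if(uris) {
-
- size_t ix;
- for(ix = 0; ix < uris->length; ix++) {
-
- const char * error_message = NULL;
- crl_text = lib3270_url_get(hSession, uris->str[ix], &error_message);
-
- if(error_message) {
- trace_ssl(hSession,"Error downloading CRL from %s: %s\n",uris->str[ix],error_message);
- } else if(!import_crl(hSession, ctx_context, context, crl_text)) {
- break;
- }
-
- }
- }
-
- }
+ download_crl(hSession, ctx_context, context, peer);
 
 }
 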
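--- a/src/network_modules/tools.c
+++ b/src/network_modules/tools.c
@@ -212,3 +212,43 @@ int lib3270_socket_set_non_blocking(H3270 *hSession, int sock, const unsigned ch
 return 0;
 
 }
+
+ static const char * crl_download_protocols[] = {
+ NULL,
+ "http",
+ "https",
+#ifdef HAVE_LDAP
+ "ldap",
+ "ldaps"
+#endif // HAVE_LDAP
+ };
+
+ const char * lib3270_crl_get_preferred_protocol(const H3270 *hSession)
+ {
+ debug("%s: selected: %d",__FUNCTION__,(int) hSession->ssl.crl_preferred_protocol);
+ if(hSession->ssl.crl_preferred_protocol < (sizeof(crl_download_protocols)/sizeof(crl_download_protocols[0])))
+ return crl_download_protocols[hSession->ssl.crl_preferred_protocol];
+
+ errno = EINVAL;
+ return NULL;
+ }
+
+ int lib3270_crl_set_preferred_protocol(H3270 *hSession, const char *protocol)
+ {
+ FAIL_IF_ONLINE(hSession);
+
+ debug("%s(%s)",__FUNCTION__,protocol);
+ size_t ix;
+ for(ix = 0; ix < (sizeof(crl_download_protocols)/sizeof(crl_download_protocols[0])); ix++) {
+
+ debug("[%s] [%s]",protocol,crl_download_protocols[ix]);
+ if(crl_download_protocols[ix] && !strcasecmp(protocol,crl_download_protocols[ix])) {
+ hSession->ssl.crl_preferred_protocol = (unsigned short) ix;
+ return 0;
+ }
+ }
+
+ debug("Unsupported protocol: %s",protocol);
+
+ return EINVAL;
+ }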
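Review bot: `lib3270_crl_set_preferred_protocol` hands `protocol` straight to `strcasecmp`, so the NULL that the removed ssl/properties.c version accepted to clear the preference is now undefined behaviour, and there is no other way back to "no preference" (index 0) once a protocol has been chosen. Add `if(!protocol || !*protocol) { hSession->ssl.crl_preferred_protocol = 0; return 0; }` before the loop, and make the failure path `return errno = EINVAL;` so it matches the getter, which sets `errno` rather than returning the code (and the `errno = ENOTSUP` convention of the old setter). The table also deserves a comment, `// Index 0 (NULL) means "no preference"; ssl.crl_preferred_protocol stores the index.`, since the NULL-first-entry convention is what the getter's `return NULL` and start.c's `if(!prefer)` both rely on.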
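--- a/src/ssl/properties.c
+++ b/src/ssl/properties.c
@@ -197,46 +197,3 @@ LIB3270_EXPORT char * lib3270_get_ssl_peer_certificate_text(const H3270 *hSessio
 }
 
 
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wunused-parameter"
- const char * lib3270_crl_get_preferred_protocol(const H3270 *hSession)
- {
-#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
- if(hSession->ssl.crl.prefer)
- return hSession->ssl.crl.prefer;
-#endif
- errno = ENODATA;
- return "";
- }
- #pragma GCC diagnostic pop
-
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wunused-parameter"
- int lib3270_crl_set_preferred_protocol(H3270 *hSession, const char *protocol)
- {
-
- FAIL_IF_ONLINE(hSession);
-
-#if defined(HAVE_LIBSSL) && defined(HAVE_SSL_ENABLE_CRL_CHECK)
-
- if(hSession->ssl.crl.prefer)
- {
- lib3270_free(hSession->ssl.crl.prefer);
- hSession->ssl.crl.prefer = NULL;
- }
-
- if(protocol)
- {
- hSession->ssl.crl.prefer = strdup(protocol);
- }
-
- return 0;
-
-#else
-
- return errno = ENOTSUP;
-
-#endif // SSL_ENABLE_CRL_CHECK
-
- }
- #pragma GCC diagnostic pop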