Commit 7b9887abd77cab5ec3ace26d709b3f08824b9a18

Authored by Perry Werneck
1 parent e496981f

Enabling CRL download with LIBCURL.

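--- a/configure.ac
+++ b/configure.ac
@@ -482,13 +482,13 @@ dnl Check for LDAP
 dnl ---------------------------------------------------------------------------
 
 AC_ARG_ENABLE([ldap],
-AS_HELP_STRING([--disable-ldap],[Disable optional LDAP support]),
+AS_HELP_STRING([--enable-ldap],[Enable optional LDAP support]),
 [case "${enableval}" in
 yes) have_ldap=yes ;;
 no) have_ldap=no ;;
 *) AC_MSG_ERROR(bad value ${enableval} for --disable-ldap);;
 esac],
-[have_ldap=auto])
+[have_ldap=no])
 
 
 if test "x${have_ldap}" != xno ; then
@@ -523,13 +523,13 @@ dnl Check for CURL
 dnl ---------------------------------------------------------------------------
 
 AC_ARG_ENABLE([curl],
-AS_HELP_STRING([--disable-curl],[Disable optional CURL support]),
+AS_HELP_STRING([--enable-curl],[Enable optional CURL support]),
 [case "${enableval}" in
 yes) have_curl=yes ;;
 no) have_curl=no ;;
 *) AC_MSG_ERROR(bad value ${enableval} for --disable-curl);;
 esac],
-[have_curl=auto])
+[have_curl=no])
 
 
 if test "x${have_curl}" != xno ; then
@@ -539,7 +539,6 @@ fi
 AC_SUBST(LIBCURL_LIBS)
 AC_SUBST(LIBCURL_CFLAGS)
 
-
 dnl ---------------------------------------------------------------------------
 dnl Directory config
 dnl ---------------------------------------------------------------------------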
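Review bot: The `*)` branches at 489 and 530 still report `bad value ${enableval} for --disable-ldap` / `--disable-curl` even though the option is now advertised as `--enable-ldap` / `--enable-curl`, so a user who typos `--enable-curl=foo` is told about a flag the help text no longer mentions; update them to `*) AC_MSG_ERROR(bad value ${enableval} for --enable-curl);;` (and the LDAP twin). Note also that flipping the default from `auto` to `no` means the libcurl CRL path added in getcrl.c is compiled out of a default build, which is worth stating explicitly in the commit message or help string so packagers know to pass `--enable-curl`.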
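--- a/src/lib3270/Makefile.in
+++ b/src/lib3270/Makefile.in
@@ -95,14 +95,16 @@ CFLAGS= \
 -I../include
 -DBUILD_DATE=`date +%Y%m%d` \
 @LIBSSL_CFLAGS@ \
-@LDAP_CFLAGS@
+@LDAP_CFLAGS@ \
+@LIBCURL_CFLAGS@
 
 LIBS= \
 @LIBS@ \
 @LIBSSL_LIBS@ \
 @LIBICONV@ \
 @INTL_LIBS@ \
-@LDAP_LIBS@
+@LDAP_LIBS@ \
+@LIBCURL_LIBS@
 
 #---[ Debug Rules ]----------------------------------------------------------------------
 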
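Review bot: Line 95 `-I../include` shows no trailing backslash, so unless that is a rendering artifact the CFLAGS continuation ends there and `-DBUILD_DATE`, `@LIBSSL_CFLAGS@`, `@LDAP_CFLAGS@` and the newly added `@LIBCURL_CFLAGS@` never reach the compiler; it is worth checking the real file, because the new getcrl.c code includes `<curl/curl.h>` and relies on the curl include path and `HAVE_LIBCURL` being passed. If the backslash is genuinely missing the fix is the one line `-I../include \`.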
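--- a/src/lib3270/ssl/linux/getcrl.c
+++ b/src/lib3270/ssl/linux/getcrl.c
@@ -33,7 +33,10 @@
 *
 */
 
+#define CRL_DATA_LENGTH 4096
+
 #include <config.h>
+
 #if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
 
 #include <openssl/ssl.h>
@@ -46,6 +49,10 @@
 #include <ldap.h>
 #endif // HAVE_LDAP
 
+#ifdef HAVE_LIBCURL
+#include <curl/curl.h>
+#endif // HAVE_LIBCURL
+
 #include "../../private.h"
 #include <trace_dsc.h>
 #include <errno.h>
@@ -94,6 +101,71 @@ static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)
 
 #endif // HAVE_LDAP
 
+#ifdef HAVE_LIBCURL
+static inline void lib3270_autoptr_cleanup_CURL(CURL **ptr)
+{
+debug("%s(%p)",__FUNCTION__,*ptr);
+if(*ptr)
+curl_easy_cleanup(*ptr);
+*ptr = NULL;
+}
+
+typedef struct _curldata
+{
+size_t length;
+SSL_ERROR_MESSAGE * message;
+unsigned char contents[CRL_DATA_LENGTH];
+} CURLDATA;
+
+static inline void lib3270_autoptr_cleanup_CURLDATA(CURLDATA **ptr)
+{
+debug("%s(%p)",__FUNCTION__,*ptr);
+if(*ptr)
+lib3270_free(*ptr);
+*ptr = NULL;
+}
+
+
+static size_t internal_curl_write_callback(void *contents, size_t size, size_t nmemb, void *userp)
+{
+CURLDATA * data = (CURLDATA *) userp;
+
+size_t realsize = size * nmemb;
+
+if((size + data->length) > CRL_DATA_LENGTH)
+{
+debug("CRL Data block is bigger than allocated block (%u bytes)",(unsigned int) size);
+return 0;
+}
+
+debug("Received %u bytes", (unsigned int) realsize);
+
+memcpy(&(data->contents[data->length]),contents,realsize);
+data->length += realsize;
+
+/*
+struct MemoryStruct *mem = (struct MemoryStruct *)userp;
+
+char *ptr = realloc(mem->memory, mem->size + realsize + 1);
+if(ptr == NULL) {
+printf("not enough memory (realloc returned NULL)\n");
+return 0;
+}
+
+mem->memory = ptr;
+memcpy(&(mem->memory[mem->size]), contents, realsize);
+mem->size += realsize;
+mem->memory[mem->size] = 0;
+
+*/
+
+
+return realsize;
+}
+
+#endif // HAVE_LIBCURL
+
+
 X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 {
 X509_CRL * crl = NULL;
@@ -297,12 +369,89 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 #endif // HAVE_LDAP
 else
 {
+#ifdef HAVE_LIBCURL
+
+// Use CURL to download the CRL
+lib3270_autoptr(CURLDATA) crl_data = lib3270_malloc(sizeof(CURLDATA));
+lib3270_autoptr(CURL) hCurl = curl_easy_init();
+
+memset(crl_data,0,sizeof(CURLDATA));
+crl_data->message = message;
+
+if(hCurl)
+{
+CURLcode res;
+
+curl_easy_setopt(hCurl, CURLOPT_URL, consturl);
+curl_easy_setopt(hCurl, CURLOPT_FOLLOWLOCATION, 1L);
+
+curl_easy_setopt(hCurl, CURLOPT_WRITEFUNCTION, internal_curl_write_callback);
+curl_easy_setopt(hCurl, CURLOPT_WRITEDATA, (void *) crl_data);
+
+res = curl_easy_perform(hCurl);
+
+if(res != CURLE_OK)
+{
+message->error = hSession->ssl.error = 0;
+message->title = N_( "Security error" );
+message->text = N_( "Error loading CRL" );
+message->description = curl_easy_strerror(res);
+lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
+return NULL;
+}
+
+char *ct = NULL;
+res = curl_easy_getinfo(hCurl, CURLINFO_CONTENT_TYPE, &ct);
+if(res != CURLE_OK)
+{
+message->error = hSession->ssl.error = 0;
+message->title = N_( "Security error" );
+message->text = N_( "Error loading CRL" );
+message->description = curl_easy_strerror(res);
+lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
+return NULL;
+}
+
+if(ct)
+{
+const unsigned char * data = crl_data->contents;
+
+if(strcasecmp(ct,"application/pkix-crl") == 0)
+{
+// CRL File, convert it
+if(!d2i_X509_CRL(&crl, &data, crl_data->length))
+{
+message->error = hSession->ssl.error = ERR_get_error();
+message->title = N_( "Security error" );
+message->text = N_( "Got an invalid CRL from server" );
+lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
+}
+}
+else
+{
+message->error = hSession->ssl.error = ERR_get_error();
+message->title = N_( "Security error" );
+message->text = N_( "Got an invalid CRL from server" );
+lib3270_write_log(hSession,"ssl","%s: content-type unexpected: \"%s\"",consturl, ct);
+}
+}
+
+debug("content-type: %s",ct);
+
+
+
+}
+
+#else
+// Can't get CRL.
+
 message->error = hSession->ssl.error = 0;
 message->title = N_( "Security error" );
 message->text = N_( "Unexpected or invalid CRL URL" );
 message->description = N_("The URL scheme is unknown");
 lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
 return NULL;
+#endif // HAVE_LIBCURL
 }
 
 return crl;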
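Review bot: The bounds check in `internal_curl_write_callback` at line 135 compares `size + data->length` against `CRL_DATA_LENGTH`, but the `memcpy` at 143 copies `realsize = size * nmemb` bytes; libcurl calls the write callback with `size == 1` and `nmemb` up to its internal write chunk size (typically 16 KB), so any CRL response larger than the 4096-byte `contents[]` array is copied past the end of the heap-allocated `CURLDATA`. The check must test the same quantity the copy uses: `if((realsize + data->length) > CRL_DATA_LENGTH)`. Even once fixed, 4096 bytes is small for a real-world CRL, so the download would then simply fail for many distribution points; the commented-out `realloc` variant at 146–160 is the right shape and should either replace the fixed buffer or be deleted rather than left as dead code. The transfer also sets `CURLOPT_FOLLOWLOCATION` with no `CURLOPT_REDIR_PROTOCOLS`/`CURLOPT_PROTOCOLS` restriction and no `CURLOPT_TIMEOUT`, so a redirecting server can steer the fetch to any scheme libcurl supports or hold the session open indefinitely during the handshake. Finally, when `curl_easy_init` returns NULL or the response carries no content-type, `lib3270_get_X509_CRL` (which continues between the hunks) falls through to `return crl` with `crl == NULL` and `message` untouched, unlike every other failure path in this block.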
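--- a/src/lib3270/testprogram/testprogram.c
+++ b/src/lib3270/testprogram/testprogram.c
@@ -11,8 +11,8 @@
 
 int main(int argc, char *argv[])
 {
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant"
+// #pragma GCC diagnostic push
+// #pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant"
 static struct option options[] = {
 { "crl", required_argument, 0, 'C' },
 { "url", required_argument, 0, 'U' },
@@ -20,7 +20,7 @@ int main(int argc, char *argv[])
 { 0, 0, 0, 0}
 
 };
-#pragma GCC diagnostic pop
+// #pragma GCC diagnostic pop
 
 H3270 * h;
 int rc = 0;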
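Review bot: The three `#pragma GCC diagnostic` directives at 14, 15 and 23 are commented out rather than removed, which leaves dead code at the top of `main`; if the `-Wzero-as-null-pointer-constant` suppression is no longer wanted (it appears to be a C++-only diagnostic, and this file is built as C), delete the lines outright. If the intent was to silence a pointer-vs-zero warning in the `options[]` table, writing the sentinel and flag fields with `NULL` (`{ NULL, 0, NULL, 0 }`) removes the need for any pragma. `main` continues past the end of the hunk.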