From 7b9887abd77cab5ec3ace26d709b3f08824b9a18 Mon Sep 17 00:00:00 2001
From: Perry Werneck
Date: Tue, 22 Jan 2019 16:00:36 -0200
Subject: [PATCH] Enablind CRL download with LIBCURL.

---
 configure.ac | 9 ++++-----
 src/lib3270/Makefile.in | 6 ++++--
 src/lib3270/ssl/linux/getcrl.c | 149 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/lib3270/testprogram/testprogram.c | 6 +++---
 4 files changed, 160 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac
index 71125a8..fc62df9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -482,13 +482,13 @@ dnl Check for LDAP
 dnl ---------------------------------------------------------------------------
 AC_ARG_ENABLE([ldap],
- AS_HELP_STRING([--disable-ldap],[Disable optional LDAP support]),
+ AS_HELP_STRING([--enable-ldap],[Enable optional LDAP support]),
 [case "${enableval}" in
 yes) have_ldap=yes ;;
 no) have_ldap=no ;;
 *) AC_MSG_ERROR(bad value ${enableval} for --disable-ldap);;
 esac],
- [have_ldap=auto])
+ [have_ldap=no])
 if test "x${have_ldap}" != xno ; then
@@ -523,13 +523,13 @@ dnl Check for CURL
 dnl ---------------------------------------------------------------------------
 AC_ARG_ENABLE([curl],
- AS_HELP_STRING([--disable-curl],[Disable optional CURL support]),
+ AS_HELP_STRING([--enable-curl],[Enable optional CURL support]),
 [case "${enableval}" in
 yes) have_curl=yes ;;
 no) have_curl=no ;;
 *) AC_MSG_ERROR(bad value ${enableval} for --disable-curl);;
 esac],
- [have_curl=auto])
+ [have_curl=no])
 if test "x${have_curl}" != xno ; then
@@ -539,7 +539,6 @@ fi
 AC_SUBST(LIBCURL_LIBS)
 AC_SUBST(LIBCURL_CFLAGS)
-
 dnl ---------------------------------------------------------------------------
 dnl Directory config
 dnl ---------------------------------------------------------------------------
diff --git a/src/lib3270/Makefile.in b/src/lib3270/Makefile.in
index 4fa04c1..7b94560 100644
--- a/src/lib3270/Makefile.in
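Review bot: The `*)` arm of the case statement still reports `bad value ${enableval} for --disable-ldap`, while the option this hunk now advertises is `--enable-ldap`; that line is unchanged context here but becomes wrong with this change. Update it to `*) AC_MSG_ERROR(bad value ${enableval} for --enable-ldap);;`. The default also moves from `auto` to `no`, so a plain `./configure` no longer picks up LDAP even when the library is present; if that is intended, the help string should say the feature is off unless explicitly enabled.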
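Review bot: Same mismatch as the LDAP hunk: the error arm still says `for --disable-curl` after the option was renamed to `--enable-curl`, so it should read `*) AC_MSG_ERROR(bad value ${enableval} for --enable-curl);;`. More importantly, defaulting `have_curl` to `no` means a default build has no HTTP(S) CRL download path at all; per the getcrl.c hunk in this same patch, the non-curl branch then fails every non-LDAP CRL URL with "Unexpected or invalid CRL URL". Whether that makes CRL checking fail closed or get skipped depends on the caller, which is outside this diff, so it is worth stating the intended default in the commit message or enabling curl by default when the library is found.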
+++ b/src/lib3270/Makefile.in
@@ -95,14 +95,16 @@ CFLAGS= \
 -I../include -DBUILD_DATE=`date +%Y%m%d` \
 @LIBSSL_CFLAGS@ \
- @LDAP_CFLAGS@
+ @LDAP_CFLAGS@ \
+ @LIBCURL_CFLAGS@
 LIBS= \
 @LIBS@ \
 @LIBSSL_LIBS@ \
 @LIBICONV@ \
 @INTL_LIBS@ \
- @LDAP_LIBS@
+ @LDAP_LIBS@ \
+ @LIBCURL_LIBS@
 #---[ Debug Rules ]----------------------------------------------------------------------
diff --git a/src/lib3270/ssl/linux/getcrl.c b/src/lib3270/ssl/linux/getcrl.c
index 19e9667..08f182a 100644
--- a/src/lib3270/ssl/linux/getcrl.c
+++ b/src/lib3270/ssl/linux/getcrl.c
@@ -33,7 +33,10 @@
 *
 */
+#define CRL_DATA_LENGTH 4096
+
 #include
+
 #if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
 #include
@@ -46,6 +49,10 @@
 #include
 #endif // HAVE_LDAP
+#ifdef HAVE_LIBCURL
+ #include
+#endif // HAVE_LIBCURL
+
 #include "../../private.h"
 #include
 #include
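Review bot: `#define CRL_DATA_LENGTH 4096` is placed above every `#include` and, per the later hunks of this file, is the hard cap on the whole downloaded CRL; in practice many CA-published CRLs are far larger than 4 KiB, so with a fixed buffer of this size the curl path will reject them outright. Move the define down next to the `HAVE_LIBCURL` block it belongs to and document the limit, e.g. `#define CRL_DATA_LENGTH 4096 // Max CRL size accepted from the download callback; larger CRLs are rejected`, or better, drop the constant in favour of a growable buffer. Having a bare project constant before the config header also means it cannot be overridden from the build.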
@@ -94,6 +101,71 @@ static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)
 #endif // HAVE_LDAP
+#ifdef HAVE_LIBCURL
+static inline void lib3270_autoptr_cleanup_CURL(CURL **ptr)
+{
+ debug("%s(%p)",__FUNCTION__,*ptr);
+ if(*ptr)
+ curl_easy_cleanup(*ptr);
+ *ptr = NULL;
+}
+
+typedef struct _curldata
+{
+ size_t length;
+ SSL_ERROR_MESSAGE * message;
+ unsigned char contents[CRL_DATA_LENGTH];
+} CURLDATA;
+
+static inline void lib3270_autoptr_cleanup_CURLDATA(CURLDATA **ptr)
+{
+ debug("%s(%p)",__FUNCTION__,*ptr);
+ if(*ptr)
+ lib3270_free(*ptr);
+ *ptr = NULL;
+}
+
+
+static size_t internal_curl_write_callback(void *contents, size_t size, size_t nmemb, void *userp)
+{
+ CURLDATA * data = (CURLDATA *) userp;
+
+ size_t realsize = size * nmemb;
+
+ if((size + data->length) > CRL_DATA_LENGTH)
+ {
+ debug("CRL Data block is bigger than allocated block (%u bytes)",(unsigned int) size);
+ return 0;
+ }
+
+ debug("Received %u bytes", (unsigned int) realsize);
+
+ memcpy(&(data->contents[data->length]),contents,realsize);
+ data->length += realsize;
+
+ /*
+ struct MemoryStruct *mem = (struct MemoryStruct *)userp;
+
+ char *ptr = realloc(mem->memory, mem->size + realsize + 1);
+ if(ptr == NULL) {
+ printf("not enough memory (realloc returned NULL)\n");
+ return 0;
+ }
+
+ mem->memory = ptr;
+ memcpy(&(mem->memory[mem->size]), contents, realsize);
+ mem->size += realsize;
+ mem->memory[mem->size] = 0;
+
+ */
+
+
+ return realsize;
+}
+
+#endif // HAVE_LIBCURL
+
+
 X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 {
 X509_CRL * crl = NULL;
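Review bot: The bounds check in `internal_curl_write_callback` tests `size + data->length` against `CRL_DATA_LENGTH`, but the number of bytes the next `memcpy` writes is `realsize = size * nmemb`; libcurl passes the chunk length in `nmemb` with `size == 1`, so the check practically never fires and a response larger than 4096 bytes overruns `contents[]` on the heap with data from whatever host the certificate's CRL URL names. Change the condition to `if(realsize > CRL_DATA_LENGTH - data->length)` and log `realsize` rather than `size` in the debug message. Returning 0 makes libcurl abort the transfer with CURLE_WRITE_ERROR, so even with the check fixed any CRL over 4 KiB is rejected; the commented-out realloc-based variant left in the body should either become the implementation or be deleted, not kept as dead code. The `message` member of `CURLDATA` is assigned by the caller but never read in this hunk.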
@@ -297,12 +369,89 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 #endif // HAVE_LDAP
 else
 {
+#ifdef HAVE_LIBCURL
+
+ // Use CURL to download the CRL
+ lib3270_autoptr(CURLDATA) crl_data = lib3270_malloc(sizeof(CURLDATA));
+ lib3270_autoptr(CURL) hCurl = curl_easy_init();
+
+ memset(crl_data,0,sizeof(CURLDATA));
+ crl_data->message = message;
+
+ if(hCurl)
+ {
+ CURLcode res;
+
+ curl_easy_setopt(hCurl, CURLOPT_URL, consturl);
+ curl_easy_setopt(hCurl, CURLOPT_FOLLOWLOCATION, 1L);
+
+ curl_easy_setopt(hCurl, CURLOPT_WRITEFUNCTION, internal_curl_write_callback);
+ curl_easy_setopt(hCurl, CURLOPT_WRITEDATA, (void *) crl_data);
+
+ res = curl_easy_perform(hCurl);
+
+ if(res != CURLE_OK)
+ {
+ message->error = hSession->ssl.error = 0;
+ message->title = N_( "Security error" );
+ message->text = N_( "Error loading CRL" );
+ message->description = curl_easy_strerror(res);
+ lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
+ return NULL;
+ }
+
+ char *ct = NULL;
+ res = curl_easy_getinfo(hCurl, CURLINFO_CONTENT_TYPE, &ct);
+ if(res != CURLE_OK)
+ {
+ message->error = hSession->ssl.error = 0;
+ message->title = N_( "Security error" );
+ message->text = N_( "Error loading CRL" );
+ message->description = curl_easy_strerror(res);
+ lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
+ return NULL;
+ }
+
+ if(ct)
+ {
+ const unsigned char * data = crl_data->contents;
+
+ if(strcasecmp(ct,"application/pkix-crl") == 0)
+ {
+ // CRL File, convert it
+ if(!d2i_X509_CRL(&crl, &data, crl_data->length))
+ {
+ message->error = hSession->ssl.error = ERR_get_error();
+ message->title = N_( "Security error" );
+ message->text = N_( "Got an invalid CRL from server" );
+ lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
+ }
+ }
+ else
+ {
+ message->error = hSession->ssl.error = ERR_get_error();
+ message->title = N_( "Security error" );
+ message->text = N_( "Got an invalid CRL from server" );
+ lib3270_write_log(hSession,"ssl","%s: content-type unexpected: \"%s\"",consturl, ct);
+ }
+ }
+
+ debug("content-type: %s",ct);
+
+
+
+ }
+
+#else
+ // Can't get CRL.
+
 message->error = hSession->ssl.error = 0;
 message->title = N_( "Security error" );
 message->text = N_( "Unexpected or invalid CRL URL" );
 message->description = N_("The URL scheme is unknown");
 lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
 return NULL;
+#endif // HAVE_LIBCURL
 }
 return crl;
diff --git a/src/lib3270/testprogram/testprogram.c b/src/lib3270/testprogram/testprogram.c
index 0180775..c4d8e6c 100644
--- a/src/lib3270/testprogram/testprogram.c
+++ b/src/lib3270/testprogram/testprogram.c
@@ -11,8 +11,8 @@ int main(int argc, char *argv[])
 {
- #pragma GCC diagnostic push
- #pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant"
+// #pragma GCC diagnostic push
+// #pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant"
 static struct option options[] = {
 { "crl", required_argument, 0, 'C' },
 { "url", required_argument, 0, 'U' },
@@ -20,7 +20,7 @@ int main(int argc, char *argv[])
 { 0, 0, 0, 0}
 };
- #pragma GCC diagnostic pop
+// #pragma GCC diagnostic pop
 H3270 * h;
 int rc = 0;
-- 
libgit2 0.21.2
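Review bot: `curl_easy_perform` is issued with no `CURLOPT_CONNECTTIMEOUT`/`CURLOPT_TIMEOUT` and with `CURLOPT_FOLLOWLOCATION` enabled but no protocol restriction, so a slow or redirecting CRL host (named by the peer certificate's distribution point, not by the user) can stall the TLS handshake indefinitely or redirect libcurl to any scheme it was built with. Two paths in this hunk also return `crl == NULL` without filling `message`: `curl_easy_init()` failing (the `if(hCurl)` block has no else) and a response with no Content-Type (`if(ct)` has no else), so the caller sees a missing CRL with no error recorded. In the unexpected-content-type branch `message->error = ERR_get_error()` is taken although no OpenSSL call failed, so it reports a stale or zero code; use 0 there as the curl error paths do. `lib3270_get_X509_CRL` starts before this hunk. Suggested guard and transfer options, replacing the `if(hCurl)` wrapper with an early return:

```c
	if(!hCurl)
	{
		message->error = hSession->ssl.error = 0;
		message->title = N_( "Security error" );
		message->text = N_( "Error loading CRL" );
		message->description = N_( "Can't initialize curl" );
		lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
		return NULL;
	}

	curl_easy_setopt(hCurl, CURLOPT_URL, consturl);
	curl_easy_setopt(hCurl, CURLOPT_FOLLOWLOCATION, 1L);
	curl_easy_setopt(hCurl, CURLOPT_MAXREDIRS, 5L);
	// Only plain HTTP(S) for the CRL itself and for any redirect target.
	curl_easy_setopt(hCurl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
	curl_easy_setopt(hCurl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
	// Bound the fetch so a dead CRL server cannot hang the handshake.
	curl_easy_setopt(hCurl, CURLOPT_CONNECTTIMEOUT, 10L);
	curl_easy_setopt(hCurl, CURLOPT_TIMEOUT, 30L);
	curl_easy_setopt(hCurl, CURLOPT_NOSIGNAL, 1L);

	// … unchanged: write callback setup, curl_easy_perform, content-type handling …
```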
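Review bot: The three `#pragma GCC diagnostic` lines are commented out rather than removed, leaving dead directives in `main`. The warning they silenced, `-Wzero-as-null-pointer-constant`, comes from the literal `0` in the pointer fields of `options[]`, so the cleaner fix is to delete the commented lines and write the entries with `NULL`, e.g. `{ "crl", required_argument, NULL, 'C' },` and `{ NULL, 0, NULL, 0 }`. `main` continues outside the hunk.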