Enablind CRL download with LIBCURL.

Perry Werneck
1 parent e496981f
Showing 4 changed files with 160 additions and 10 deletions Show diff stats
configure.ac
src/lib3270/Makefile.in
src/lib3270/ssl/linux/getcrl.c
src/lib3270/testprogram/testprogram.c
@@ -482,13 +482,13 @@ dnl Check for LDAP
 dnl ---------------------------------------------------------------------------
 AC_ARG_ENABLE([ldap],
-        AS_HELP_STRING([--disable-ldap],[Disable optional LDAP support]),
+        AS_HELP_STRING([--enable-ldap],[Enable optional LDAP support]),
                 [case "${enableval}" in
                         yes) have_ldap=yes ;;
                         no) have_ldap=no ;;
                         *) AC_MSG_ERROR(bad value ${enableval} for --disable-ldap);;
                 esac],
-                [have_ldap=auto])
+                [have_ldap=no])
 if test "x${have_ldap}" != xno ; then
@@ -523,13 +523,13 @@ dnl Check for CURL
 dnl ---------------------------------------------------------------------------
 AC_ARG_ENABLE([curl],
-        AS_HELP_STRING([--disable-curl],[Disable optional CURL support]),
+        AS_HELP_STRING([--enable-curl],[Enable optional CURL support]),
                 [case "${enableval}" in
                         yes) have_curl=yes ;;
                         no) have_curl=no ;;
                         *) AC_MSG_ERROR(bad value ${enableval} for --disable-curl);;
                 esac],
-                [have_curl=auto])
+                [have_curl=no])
 if test "x${have_curl}" != xno ; then
@@ -539,7 +539,6 @@ fi
 AC_SUBST(LIBCURL_LIBS)
 AC_SUBST(LIBCURL_CFLAGS)
-
 dnl ---------------------------------------------------------------------------
 dnl Directory config
 dnl ---------------------------------------------------------------------------
@@ -95,14 +95,16 @@ CFLAGS= \
 	-I../include
 	-DBUILD_DATE=`date +%Y%m%d` \
 	@LIBSSL_CFLAGS@ \
-	@LDAP_CFLAGS@
+	@LDAP_CFLAGS@ \
+	@LIBCURL_CFLAGS@
 LIBS= \
 	@LIBS@ \
 	@LIBSSL_LIBS@ \
 	@LIBICONV@ \
 	@INTL_LIBS@ \
-	@LDAP_LIBS@
+	@LDAP_LIBS@ \
+	@LIBCURL_LIBS@
 #---[ Debug Rules ]----------------------------------------------------------------------
@@ -33,7 +33,10 @@
  *
  */
+#define CRL_DATA_LENGTH 4096
+
 #include <config.h>
+
 #if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
 #include <openssl/ssl.h>
@@ -46,6 +49,10 @@
 	#include <ldap.h>
 #endif // HAVE_LDAP
+#ifdef HAVE_LIBCURL
+	#include <curl/curl.h>
+#endif // HAVE_LIBCURL
+
 #include "../../private.h"
 #include <trace_dsc.h>
 #include <errno.h>
@@ -94,6 +101,71 @@ static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)
 #endif // HAVE_LDAP
+#ifdef HAVE_LIBCURL
+static inline void lib3270_autoptr_cleanup_CURL(CURL **ptr)
+{
+	debug("%s(%p)",__FUNCTION__,*ptr);
+	if(*ptr)
+		curl_easy_cleanup(*ptr);
+	*ptr = NULL;
+}
+
+typedef struct _curldata
+{
+	size_t		  		  length;
+	SSL_ERROR_MESSAGE	* message;
+	unsigned char		  contents[CRL_DATA_LENGTH];
+} CURLDATA;
+
+static inline void lib3270_autoptr_cleanup_CURLDATA(CURLDATA **ptr)
+{
+	debug("%s(%p)",__FUNCTION__,*ptr);
+	if(*ptr)
+		lib3270_free(*ptr);
+	*ptr = NULL;
+}
+
+
+static size_t internal_curl_write_callback(void *contents, size_t size, size_t nmemb, void *userp)
+{
+	CURLDATA * data = (CURLDATA *) userp;
+
+	size_t realsize = size * nmemb;
+
+	if((size + data->length) > CRL_DATA_LENGTH)
+	{
+		debug("CRL Data block is bigger than allocated block (%u bytes)",(unsigned int) size);
+		return 0;
+	}
+
+	debug("Received %u bytes", (unsigned int) realsize);
+
+	memcpy(&(data->contents[data->length]),contents,realsize);
+	data->length += realsize;
+
+	/*
+	struct MemoryStruct *mem = (struct MemoryStruct *)userp;
+
+	char *ptr = realloc(mem->memory, mem->size + realsize + 1);
+	if(ptr == NULL) {
+	printf("not enough memory (realloc returned NULL)\n");
+	return 0;
+	}
+
+	mem->memory = ptr;
+	memcpy(&(mem->memory[mem->size]), contents, realsize);
+	mem->size += realsize;
+	mem->memory[mem->size] = 0;
+
+	*/
+
+
+	return realsize;
+}
+
+#endif // HAVE_LIBCURL
+
+
 X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 {
 	X509_CRL	* crl = NULL;
@@ -297,12 +369,89 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 #endif // HAVE_LDAP
 	else
 	{
+#ifdef HAVE_LIBCURL
+
+		// Use CURL to download the CRL
+		lib3270_autoptr(CURLDATA) crl_data = lib3270_malloc(sizeof(CURLDATA));
+		lib3270_autoptr(CURL) hCurl = curl_easy_init();
+
+		memset(crl_data,0,sizeof(CURLDATA));
+		crl_data->message = message;
+
+		if(hCurl)
+		{
+			CURLcode res;
+
+			curl_easy_setopt(hCurl, CURLOPT_URL, consturl);
+			curl_easy_setopt(hCurl, CURLOPT_FOLLOWLOCATION, 1L);
+
+			curl_easy_setopt(hCurl, CURLOPT_WRITEFUNCTION, internal_curl_write_callback);
+			curl_easy_setopt(hCurl, CURLOPT_WRITEDATA, (void *) crl_data);
+
+			res = curl_easy_perform(hCurl);
+
+			if(res != CURLE_OK)
+			{
+				message->error = hSession->ssl.error = 0;
+				message->title = N_( "Security error" );
+				message->text = N_( "Error loading CRL" );
+				message->description =  curl_easy_strerror(res);
+				lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
+				return NULL;
+			}
+
+			char *ct = NULL;
+			res = curl_easy_getinfo(hCurl, CURLINFO_CONTENT_TYPE, &ct);
+			if(res != CURLE_OK)
+			{
+				message->error = hSession->ssl.error = 0;
+				message->title = N_( "Security error" );
+				message->text = N_( "Error loading CRL" );
+				message->description =  curl_easy_strerror(res);
+				lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
+				return NULL;
+			}
+
+			if(ct)
+			{
+				const unsigned char * data = crl_data->contents;
+
+				if(strcasecmp(ct,"application/pkix-crl") == 0)
+				{
+					// CRL File, convert it
+					if(!d2i_X509_CRL(&crl, &data, crl_data->length))
+					{
+						message->error = hSession->ssl.error = ERR_get_error();
+						message->title = N_( "Security error" );
+						message->text = N_( "Got an invalid CRL from server" );
+						lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
+					}
+				}
+				else
+				{
+					message->error = hSession->ssl.error = ERR_get_error();
+					message->title = N_( "Security error" );
+					message->text = N_( "Got an invalid CRL from server" );
+					lib3270_write_log(hSession,"ssl","%s: content-type unexpected: \"%s\"",consturl, ct);
+				}
+			}
+
+			debug("content-type: %s",ct);
+
+
+
+		}
+
+#else
+		// Can't get CRL.
+
 		message->error = hSession->ssl.error = 0;
 		message->title = N_( "Security error" );
 		message->text = N_( "Unexpected or invalid CRL URL" );
 		message->description = N_("The URL scheme is unknown");
 		lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
 		return NULL;
+#endif // HAVE_LIBCURL
 	}
 	return crl;
@@ -11,8 +11,8 @@
 int main(int argc, char *argv[])
 {
-	#pragma GCC diagnostic push
-	#pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant"
+//	#pragma GCC diagnostic push
+//	#pragma GCC diagnostic ignored "-Wzero-as-null-pointer-constant"
 	static struct option options[] = {
 		{ "crl",		required_argument,	0,	'C' },
 		{ "url",		required_argument,	0,	'U' },
@@ -20,7 +20,7 @@ int main(int argc, char *argv[])
 		{ 0, 0, 0, 0}
 	};
-	#pragma GCC diagnostic pop
+//	#pragma GCC diagnostic pop
 	H3270		* h;
 	int			  rc	= 0;
	@@ -482,13 +482,13 @@ dnl Check for LDAP		@@ -482,13 +482,13 @@ dnl Check for LDAP
482	dnl ---------------------------------------------------------------------------	482	dnl ---------------------------------------------------------------------------
483		483
484	AC_ARG_ENABLE([ldap],	484	AC_ARG_ENABLE([ldap],
485	- AS_HELP_STRING([--disable-ldap],[Disable optional LDAP support]),	485	+ AS_HELP_STRING([--enable-ldap],[Enable optional LDAP support]),
486	[case "${enableval}" in	486	[case "${enableval}" in
487	yes) have_ldap=yes ;;	487	yes) have_ldap=yes ;;
488	no) have_ldap=no ;;	488	no) have_ldap=no ;;
489	*) AC_MSG_ERROR(bad value ${enableval} for --disable-ldap);;	489	*) AC_MSG_ERROR(bad value ${enableval} for --disable-ldap);;
490	esac],	490	esac],
491	- [have_ldap=auto])	491	+ [have_ldap=no])
492		492
493		493
494	if test "x${have_ldap}" != xno ; then	494	if test "x${have_ldap}" != xno ; then
	@@ -523,13 +523,13 @@ dnl Check for CURL		@@ -523,13 +523,13 @@ dnl Check for CURL
523	dnl ---------------------------------------------------------------------------	523	dnl ---------------------------------------------------------------------------
524		524
525	AC_ARG_ENABLE([curl],	525	AC_ARG_ENABLE([curl],
526	- AS_HELP_STRING([--disable-curl],[Disable optional CURL support]),	526	+ AS_HELP_STRING([--enable-curl],[Enable optional CURL support]),
527	[case "${enableval}" in	527	[case "${enableval}" in
528	yes) have_curl=yes ;;	528	yes) have_curl=yes ;;
529	no) have_curl=no ;;	529	no) have_curl=no ;;
530	*) AC_MSG_ERROR(bad value ${enableval} for --disable-curl);;	530	*) AC_MSG_ERROR(bad value ${enableval} for --disable-curl);;
531	esac],	531	esac],
532	- [have_curl=auto])	532	+ [have_curl=no])
533		533
534		534
535	if test "x${have_curl}" != xno ; then	535	if test "x${have_curl}" != xno ; then
	@@ -539,7 +539,6 @@ fi		@@ -539,7 +539,6 @@ fi
539	AC_SUBST(LIBCURL_LIBS)	539	AC_SUBST(LIBCURL_LIBS)
540	AC_SUBST(LIBCURL_CFLAGS)	540	AC_SUBST(LIBCURL_CFLAGS)
541		541
542	-
543	dnl ---------------------------------------------------------------------------	542	dnl ---------------------------------------------------------------------------
544	dnl Directory config	543	dnl Directory config
545	dnl ---------------------------------------------------------------------------	544	dnl ---------------------------------------------------------------------------
	@@ -33,7 +33,10 @@		@@ -33,7 +33,10 @@
33	*	33	*
34	*/	34	*/
35		35
		36	+#define CRL_DATA_LENGTH 4096
		37	+
36	#include <config.h>	38	#include <config.h>
		39	+
37	#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)	40	#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
38		41
39	#include <openssl/ssl.h>	42	#include <openssl/ssl.h>
	@@ -46,6 +49,10 @@		@@ -46,6 +49,10 @@
46	#include <ldap.h>	49	#include <ldap.h>
47	#endif // HAVE_LDAP	50	#endif // HAVE_LDAP
48		51
		52	+#ifdef HAVE_LIBCURL
		53	+ #include <curl/curl.h>
		54	+#endif // HAVE_LIBCURL
		55	+
49	#include "../../private.h"	56	#include "../../private.h"
50	#include <trace_dsc.h>	57	#include <trace_dsc.h>
51	#include <errno.h>	58	#include <errno.h>
	@@ -94,6 +101,71 @@ static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)		@@ -94,6 +101,71 @@ static inline void lib3270_autoptr_cleanup_LDAPPTR(char **ptr)
94		101
95	#endif // HAVE_LDAP	102	#endif // HAVE_LDAP
96		103
		104	+#ifdef HAVE_LIBCURL
		105	+static inline void lib3270_autoptr_cleanup_CURL(CURL **ptr)
		106	+{
		107	+ debug("%s(%p)",__FUNCTION__,*ptr);
		108	+ if(*ptr)
		109	+ curl_easy_cleanup(*ptr);
		110	+ *ptr = NULL;
		111	+}
		112	+
		113	+typedef struct _curldata
		114	+{
		115	+ size_t length;
		116	+ SSL_ERROR_MESSAGE * message;
		117	+ unsigned char contents[CRL_DATA_LENGTH];
		118	+} CURLDATA;
		119	+
		120	+static inline void lib3270_autoptr_cleanup_CURLDATA(CURLDATA **ptr)
		121	+{
		122	+ debug("%s(%p)",__FUNCTION__,*ptr);
		123	+ if(*ptr)
		124	+ lib3270_free(*ptr);
		125	+ *ptr = NULL;
		126	+}
		127	+
		128	+
		129	+static size_t internal_curl_write_callback(void contents, size_t size, size_t nmemb, void userp)
		130	+{
		131	+ CURLDATA * data = (CURLDATA *) userp;
		132	+
		133	+ size_t realsize = size * nmemb;
		134	+
		135	+ if((size + data->length) > CRL_DATA_LENGTH)
		136	+ {
		137	+ debug("CRL Data block is bigger than allocated block (%u bytes)",(unsigned int) size);
		138	+ return 0;
		139	+ }
		140	+
		141	+ debug("Received %u bytes", (unsigned int) realsize);
		142	+
		143	+ memcpy(&(data->contents[data->length]),contents,realsize);
		144	+ data->length += realsize;
		145	+
		146	+ /*
		147	+ struct MemoryStruct mem = (struct MemoryStruct )userp;
		148	+
		149	+ char *ptr = realloc(mem->memory, mem->size + realsize + 1);
		150	+ if(ptr == NULL) {
		151	+ printf("not enough memory (realloc returned NULL)\n");
		152	+ return 0;
		153	+ }
		154	+
		155	+ mem->memory = ptr;
		156	+ memcpy(&(mem->memory[mem->size]), contents, realsize);
		157	+ mem->size += realsize;
		158	+ mem->memory[mem->size] = 0;
		159	+
		160	+ */
		161	+
		162	+
		163	+ return realsize;
		164	+}
		165	+
		166	+#endif // HAVE_LIBCURL
		167	+
		168	+
97	X509_CRL * lib3270_get_X509_CRL(H3270 hSession, SSL_ERROR_MESSAGE message)	169	X509_CRL * lib3270_get_X509_CRL(H3270 hSession, SSL_ERROR_MESSAGE message)
98	{	170	{
99	X509_CRL * crl = NULL;	171	X509_CRL * crl = NULL;
	@@ -297,12 +369,89 @@ X509_CRL * lib3270_get_X509_CRL(H3270 hSession, SSL_ERROR_MESSAGE message)		@@ -297,12 +369,89 @@ X509_CRL * lib3270_get_X509_CRL(H3270 hSession, SSL_ERROR_MESSAGE message)
297	#endif // HAVE_LDAP	369	#endif // HAVE_LDAP
298	else	370	else
299	{	371	{
		372	+#ifdef HAVE_LIBCURL
		373	+
		374	+ // Use CURL to download the CRL
		375	+ lib3270_autoptr(CURLDATA) crl_data = lib3270_malloc(sizeof(CURLDATA));
		376	+ lib3270_autoptr(CURL) hCurl = curl_easy_init();
		377	+
		378	+ memset(crl_data,0,sizeof(CURLDATA));
		379	+ crl_data->message = message;
		380	+
		381	+ if(hCurl)
		382	+ {
		383	+ CURLcode res;
		384	+
		385	+ curl_easy_setopt(hCurl, CURLOPT_URL, consturl);
		386	+ curl_easy_setopt(hCurl, CURLOPT_FOLLOWLOCATION, 1L);
		387	+
		388	+ curl_easy_setopt(hCurl, CURLOPT_WRITEFUNCTION, internal_curl_write_callback);
		389	+ curl_easy_setopt(hCurl, CURLOPT_WRITEDATA, (void *) crl_data);
		390	+
		391	+ res = curl_easy_perform(hCurl);
		392	+
		393	+ if(res != CURLE_OK)
		394	+ {
		395	+ message->error = hSession->ssl.error = 0;
		396	+ message->title = N_( "Security error" );
		397	+ message->text = N_( "Error loading CRL" );
		398	+ message->description = curl_easy_strerror(res);
		399	+ lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
		400	+ return NULL;
		401	+ }
		402	+
		403	+ char *ct = NULL;
		404	+ res = curl_easy_getinfo(hCurl, CURLINFO_CONTENT_TYPE, &ct);
		405	+ if(res != CURLE_OK)
		406	+ {
		407	+ message->error = hSession->ssl.error = 0;
		408	+ message->title = N_( "Security error" );
		409	+ message->text = N_( "Error loading CRL" );
		410	+ message->description = curl_easy_strerror(res);
		411	+ lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
		412	+ return NULL;
		413	+ }
		414	+
		415	+ if(ct)
		416	+ {
		417	+ const unsigned char * data = crl_data->contents;
		418	+
		419	+ if(strcasecmp(ct,"application/pkix-crl") == 0)
		420	+ {
		421	+ // CRL File, convert it
		422	+ if(!d2i_X509_CRL(&crl, &data, crl_data->length))
		423	+ {
		424	+ message->error = hSession->ssl.error = ERR_get_error();
		425	+ message->title = N_( "Security error" );
		426	+ message->text = N_( "Got an invalid CRL from server" );
		427	+ lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
		428	+ }
		429	+ }
		430	+ else
		431	+ {
		432	+ message->error = hSession->ssl.error = ERR_get_error();
		433	+ message->title = N_( "Security error" );
		434	+ message->text = N_( "Got an invalid CRL from server" );
		435	+ lib3270_write_log(hSession,"ssl","%s: content-type unexpected: \"%s\"",consturl, ct);
		436	+ }
		437	+ }
		438	+
		439	+ debug("content-type: %s",ct);
		440	+
		441	+
		442	+
		443	+ }
		444	+
		445	+#else
		446	+ // Can't get CRL.
		447	+
300	message->error = hSession->ssl.error = 0;	448	message->error = hSession->ssl.error = 0;
301	message->title = N_( "Security error" );	449	message->title = N_( "Security error" );
302	message->text = N_( "Unexpected or invalid CRL URL" );	450	message->text = N_( "Unexpected or invalid CRL URL" );
303	message->description = N_("The URL scheme is unknown");	451	message->description = N_("The URL scheme is unknown");
304	lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);	452	lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
305	return NULL;	453	return NULL;
		454	+#endif // HAVE_LIBCURL
306	}	455	}
307		456
308	return crl;	457	return crl;