Commit 7d1938cc9f4f90345014d53999db035f0b522ca4
1 parent
b8383bb6
Implementing SSL CRL Check.
Showing
7 changed files
with
116 additions
and
67 deletions
.gitignore
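--- a/Makefile.in
+++ b/Makefile.in
@@ -154,22 +154,24 @@ install: \
 	install-dev
 
 install-shared:
-	$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@
-	$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@
+	@$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@
+	@$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@
 
 install-static:
-	$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@
-	$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@
+	@$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@
+	@$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@
 
 install-dev:
-	$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@
-	$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@
+	@$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@
+	@$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@
 
 #---[ Debug Targets ]--------------------------------------------------------------------
 
 Debug: \
 	$(BINDBG)/lib@LIB3270_NAME@@DLLEXT@
 
+run:
+	@$(MAKE) -C src/lib3270 $@
 
 #---[ Clean Targets ]--------------------------------------------------------------------
 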
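--- a/configure.ac
+++ b/configure.ac
@@ -332,6 +332,18 @@ if test "$app_cv_self_signed_certs" == "yes"; then
 	AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT)
 fi
 
+AC_ARG_ENABLE([ssl-crl-check],
+	[AS_HELP_STRING([--enable-ssl-crl-check], [Enable use of SSL Certificate Revocation List])],
+[
+	app_cv_enable_crl_check="$enableval"
+],[
+	app_cv_enable_crl_check="no"
+])
+
+if test "$app_cv_self_signed_certs" == "yes"; then
+	AC_DEFINE(SSL_ENABLE_CRL_CHECK)
+fi
+
 dnl ---------------------------------------------------------------------------
 dnl Check for pic
 dnl ---------------------------------------------------------------------------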
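Review bot: The new conditional at line 343 tests `$app_cv_self_signed_certs` instead of the variable the AC_ARG_ENABLE just above it sets, so `--enable-ssl-crl-check` never defines SSL_ENABLE_CRL_CHECK and the CRL check is instead switched on by whatever option sets `app_cv_self_signed_certs`. It should read `if test "$app_cv_enable_crl_check" == "yes"; then`. Since the macro gates a fail-closed path in ctx_init.c (missing CRL file aborts SSL setup), tying it to the wrong option would also surprise users of the self-signed-cert option; a one-line AC_MSG_NOTICE reporting the final value of the CRL-check setting would make the outcome visible in the configure log. The `==` inside `test` is not POSIX, but it matches the existing line 332 in this file.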
src/include/config.h.in
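--- a/src/lib3270/private.h
+++ b/src/lib3270/private.h
@@ -664,12 +664,20 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);
 
 #if defined(HAVE_LIBSSL) /*[*/
 
-	LIB3270_INTERNAL int ssl_ctx_init(H3270 *hSession);
+	typedef struct _ssl_error_message
+	{
+		int error;
+		const char * title;
+		const char * text;
+		const char * description;
+	} SSL_ERROR_MESSAGE;
+
+
+	LIB3270_INTERNAL int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE *message);
 	LIB3270_INTERNAL int ssl_init(H3270 *session);
 	LIB3270_INTERNAL int ssl_negotiate(H3270 *hSession);
 	LIB3270_INTERNAL void set_ssl_state(H3270 *session, LIB3270_SSL_STATE state);
 
-
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L /*[*/
 	#define INFO_CONST const
 #else /*][*/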
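Review bot: The struct tag `_ssl_error_message` introduced at line 667 begins with an underscore at file scope, which C reserves for the implementation (C11 7.1.3); `typedef struct ssl_error_message { ... } SSL_ERROR_MESSAGE;` avoids that and changes nothing for callers, who only use the typedef name. The typedef also carries no comment on what `error` holds: in ctx_init.c it is an ERR_get_error() value on SSL_CTX_new failure but 0 on CRL-file open failure, and in negotiate.c an SSL_get_error() code, so a reader of the header cannot tell whether it is an OpenSSL error, an errno or a library-private value. A Doxygen block on the typedef stating that, and noting that `title`/`text`/`description` are message-catalog strings (negotiate.c mixes `N_()` and `_()`) of which `description` may stay NULL because callers memset the struct to 0, would make the contract explicit. The ssl_ctx_init prototype should likewise say that `message` is only written on failure.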
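--- a/src/lib3270/ssl/linux/ctx_init.c
+++ b/src/lib3270/ssl/linux/ctx_init.c
@@ -54,17 +54,43 @@
 #include <lib3270.h>
 #include <lib3270/internals.h>
 #include <lib3270/trace.h>
+#include <lib3270/log.h>
 #include "trace_dsc.h"
 
+#ifdef SSL_ENABLE_CRL_CHECK
+	#include <openssl/x509.h>
+#endif // SSL_ENABLE_CRL_CHECK
+
 /*--[ Implement ]------------------------------------------------------------------------------------*/
 
+#ifdef SSL_ENABLE_CRL_CHECK
+static inline void auto_close_file(FILE **file)
+{
+	if(*file)
+		fclose(*file);
+}
+
+static inline void auto_close_crl(X509_CRL **crl)
+{
+	if(*crl)
+		X509_CRL_free(*crl);
+}
+
+static inline void auto_free_text(char **text)
+{
+	if(*text)
+		lib3270_free(*text);
+}
+
+#endif // SSL_ENABLE_CRL_CHECK
+
 /**
  * @brief Initialize openssl library.
  *
  * @return 0 if ok, non zero if fails.
  *
  */
-int ssl_ctx_init(H3270 *hSession)
+int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 {
 	debug("%s ssl_ctx=%p",__FUNCTION__,ssl_ctx);
 
@@ -78,40 +104,54 @@ int ssl_ctx_init(H3270 *hSession)
 
 	ssl_ctx = SSL_CTX_new(SSLv23_method());
 	if(ssl_ctx == NULL)
+	{
+		message->error = hSession->ssl.error = ERR_get_error();
+		message->title = N_( "Security error" );
+		message->text = N_( "Cant initialize the SSL context." );
 		return -1;
+	}
 
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
 	SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
 
 	SSL_CTX_set_default_verify_paths(ssl_ctx);
 
-	/*
-	static const char * ssldir[] =
-	{
-#ifdef DATAROOTDIR
-		DATAROOTDIR "/" PACKAGE_NAME "/certs",
-#endif // DATAROOTDIR
-#ifdef SYSCONFDIR
-		SYSCONFDIR "/ssl/certs",
-		SYSCONFDIR "/certs",
-#endif
-		"/etc/ssl/certs"
-	};
-
-	size_t f;
-
-	for(f = 0;f < sizeof(ssldir) / sizeof(ssldir[0]);f++)
-	{
-		SSL_CTX_load_verify_locations(ssl_ctx,NULL,ssldir[f]);
-	}
-	*/
-
 	ssl_3270_ex_index = SSL_get_ex_new_index(0,NULL,NULL,NULL,NULL);
 
+#ifdef SSL_ENABLE_CRL_CHECK
+	//
+	// Set up CRL validation
 	//
-	// Initialize CUSTOM CRL CHECK
+	// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
 	//
+	char __attribute__ ((__cleanup__(auto_free_text))) * crl_file = lib3270_strdup_printf("%s/.cache/" PACKAGE_NAME ".crl",getenv("HOME"));
+	X509_CRL * __attribute__ ((__cleanup__(auto_close_crl))) crl = NULL;
+	FILE * __attribute__ ((__cleanup__(auto_close_file))) hCRL = fopen(crl_file,"r");
+
+	if(!hCRL)
+	{
+		// Can't open CRL File.
+		message->error = hSession->ssl.error = 0;
+		message->title = N_( "Security error" );
+		message->text = N_( "Can't open CRL File" );
+		message->description = strerror(errno);
+		lib3270_write_log(hSession,"ssl","Can't open %s: %s",crl_file,message->description);
+		return -1;
+
+	}
+
+	lib3270_write_log(hSession,"ssl","Loading CRL from %s",crl_file);
 
+	d2i_X509_CRL_fp(hCRL, &crl);
+
+	X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
+	X509_STORE_add_crl(store, crl);
+	X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+	X509_STORE_set1_param(store, param);
+	X509_VERIFY_PARAM_free(param);
+
+#endif // SSL_ENABLE_CRL_CHECK
 
 	return 0;
 }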
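--- a/src/lib3270/ssl/negotiate.c
+++ b/src/lib3270/ssl/negotiate.c
@@ -70,15 +70,6 @@
  */
 SSL_CTX * ssl_ctx = NULL;
 
-struct ssl_error_message
-{
-	int error;
-	const char * title;
-	const char * text;
-	const char * description;
-};
-
-
 /**
  * @brief Initialize openssl session.
  *
@@ -94,15 +85,9 @@ static int background_ssl_init(H3270 *hSession, void *message)
 	hSession->ssl.error = 0;
 	hSession->ssl.host = False;
 
-	if(ssl_ctx_init(hSession)) {
-
-		((struct ssl_error_message *) message)->error = hSession->ssl.error = ERR_get_error();
-		((struct ssl_error_message *) message)->title = N_( "Security error" );
-		((struct ssl_error_message *) message)->text = N_( "SSL context initialization has failed" );
-
+	if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) message)) {
 		set_ssl_state(hSession,LIB3270_SSL_UNDEFINED);
 		hSession->ssl.host = False;
-
 		return -1;
 	}
 
@@ -112,9 +97,9 @@ static int background_ssl_init(H3270 *hSession, void *message)
 	hSession->ssl.con = SSL_new(ssl_ctx);
 	if(hSession->ssl.con == NULL)
 	{
-		((struct ssl_error_message *) message)->error = hSession->ssl.error = ERR_get_error();
-		((struct ssl_error_message *) message)->title = N_( "Security error" );
-		((struct ssl_error_message *) message)->text = N_( "Cant create a new SSL structure for current connection." );
+		((SSL_ERROR_MESSAGE *) message)->error = hSession->ssl.error = ERR_get_error();
+		((SSL_ERROR_MESSAGE *) message)->title = N_( "Security error" );
+		((SSL_ERROR_MESSAGE *) message)->text = N_( "Cant create a new SSL structure for current connection." );
 		return -1;
 	}
 
@@ -142,9 +127,9 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 	{
 		trace_dsn(hSession,"%s","SSL_set_fd failed!\n");
 
-		((struct ssl_error_message *) message)->title = N_( "Security error" );
-		((struct ssl_error_message *) message)->text = N_( "SSL negotiation failed" );
-		((struct ssl_error_message *) message)->description = N_( "Cant set the file descriptor for the input/output facility for the TLS/SSL (encrypted) side of ssl." );
+		((SSL_ERROR_MESSAGE *) message)->title = N_( "Security error" );
+		((SSL_ERROR_MESSAGE *) message)->text = N_( "SSL negotiation failed" );
+		((SSL_ERROR_MESSAGE *) message)->description = N_( "Cant set the file descriptor for the input/output facility for the TLS/SSL (encrypted) side of ssl." );
 
 		return -1;
 	}
@@ -157,16 +142,16 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 	{
 		const char * msg = "";
 
-		((struct ssl_error_message *) message)->error = SSL_get_error(hSession->ssl.con,rv);
-		if(((struct ssl_error_message *) message)->error == SSL_ERROR_SYSCALL && hSession->ssl.error)
-			((struct ssl_error_message *) message)->error = hSession->ssl.error;
+		((SSL_ERROR_MESSAGE *) message)->error = SSL_get_error(hSession->ssl.con,rv);
+		if(((SSL_ERROR_MESSAGE *) message)->error == SSL_ERROR_SYSCALL && hSession->ssl.error)
+			((SSL_ERROR_MESSAGE *) message)->error = hSession->ssl.error;
 
-		msg = ERR_lib_error_string(((struct ssl_error_message *) message)->error);
+		msg = ERR_lib_error_string(((SSL_ERROR_MESSAGE *) message)->error);
 
 		trace_dsn(hSession,"SSL_connect failed: %s %s\n",msg,ERR_reason_error_string(hSession->ssl.error));
 
-		((struct ssl_error_message *) message)->title = N_( "Security error" );
-		((struct ssl_error_message *) message)->text = N_( "SSL Connect failed" );
+		((SSL_ERROR_MESSAGE *) message)->title = N_( "Security error" );
+		((SSL_ERROR_MESSAGE *) message)->text = N_( "SSL Connect failed" );
 		lib3270_disconnect(hSession);
 		return -1;
 
@@ -191,9 +176,9 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 		debug("%s","The CRL of a certificate could not be found." );
 		trace_dsn(hSession,"%s","The CRL of a certificate could not be found.\n" );
 
-		((struct ssl_error_message *) message)->title = _( "SSL error" );
-		((struct ssl_error_message *) message)->text = _( "Unable to get certificate CRL." );
-		((struct ssl_error_message *) message)->description = _( "The Certificate revocation list (CRL) of a certificate could not be found." );
+		((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
+		((SSL_ERROR_MESSAGE *) message)->text = _( "Unable to get certificate CRL." );
+		((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) of a certificate could not be found." );
 
 		return -1;
 
@@ -207,9 +192,9 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 #ifdef SSL_ALLOW_SELF_SIGNED_CERT
 		break;
 #else
-		((struct ssl_error_message *) message)->title = _( "SSL error" );
-		((struct ssl_error_message *) message)->text = _( "The SSL certificate for this host is not trusted." );
-		((struct ssl_error_message *) message)->description = _( "The security certificate presented by this host was not issued by a trusted certificate authority." );
+		((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" );
+		((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." );
+		((SSL_ERROR_MESSAGE *) message)->description = _( "The security certificate presented by this host was not issued by a trusted certificate authority." );
 		return -1;
 #endif // SSL_ALLOW_SELF_SIGNED_CERT
 
@@ -273,7 +258,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message)
 int ssl_negotiate(H3270 *hSession)
 {
 	int rc;
-	struct ssl_error_message msg;
+	SSL_ERROR_MESSAGE msg;
 
 	memset(&msg,0,sizeof(msg));
 
@@ -301,7 +286,7 @@ int ssl_negotiate(H3270 *hSession)
 int ssl_init(H3270 *hSession) {
 
 	int rc;
-	struct ssl_error_message msg;
+	SSL_ERROR_MESSAGE msg;
 
 	memset(&msg,0,sizeof(msg));
 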
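Review bot: The `if(ssl_ctx_init(...))` branch at new line 88 no longer fills `message` itself, so every failure return inside ssl_ctx_init must now do that. The two returns visible in the ctx_init.c hunks do, but that function's lines 71-77 and 97-103 are outside this diff, and since both callers memset `msg` to 0, any path there that returns -1 without setting the fields would surface an error with NULL `title`/`text` where the old code showed a generic message. Keeping the old text as a fallback inside that branch preserves the previous behaviour at no cost: `if(!((SSL_ERROR_MESSAGE *) message)->text) ((SSL_ERROR_MESSAGE *) message)->text = N_( "SSL context initialization has failed" );`. The remaining hunks in this file are a mechanical rename from `struct ssl_error_message` to the new typedef; background_ssl_init starts outside the hunk.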