From 7d1938cc9f4f90345014d53999db035f0b522ca4 Mon Sep 17 00:00:00 2001 From: Perry Werneck Date: Mon, 14 Jan 2019 17:08:26 -0200 Subject: [PATCH] Implementing SSL CRL Check. --- .gitignore | 1 + Makefile.in | 14 ++++++++------ configure.ac | 12 ++++++++++++ src/include/config.h.in | 1 + src/lib3270/private.h | 12 ++++++++++-- src/lib3270/ssl/linux/ctx_init.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------- src/lib3270/ssl/negotiate.c | 57 +++++++++++++++++++++------------------------------------ 7 files changed, 116 insertions(+), 67 deletions(-) diff --git a/.gitignore b/.gitignore index b180c9c..5883eec 100644 --- a/.gitignore +++ b/.gitignore @@ -49,6 +49,7 @@ makeruntime.sh scripts vgcore.* doxygen/html +*.crl src/include/lib3270/actions.h doxygen/doxyfile diff --git a/Makefile.in b/Makefile.in index 4b14d78..db991e1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -154,22 +154,24 @@ install: \ install-dev install-shared: - $(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@ - $(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@ + @$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@ + @$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@ install-static: - $(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@ - $(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@ + @$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@ + @$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@ install-dev: - $(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@ - $(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@ + @$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270 $@ + @$(MAKE) DESTDIR=$(DESTDIR) -C src/lib3270++ $@ #---[ Debug Targets ]-------------------------------------------------------------------- Debug: \ $(BINDBG)/lib@LIB3270_NAME@@DLLEXT@ +run: + @$(MAKE) -C src/lib3270 $@ #---[ Clean Targets ]-------------------------------------------------------------------- diff --git a/configure.ac b/configure.ac index 7bbf964..7f7adc9 100644 --- a/configure.ac +++ b/configure.ac 
@@ -332,6 +332,18 @@ if test "$app_cv_self_signed_certs" == "yes"; then AC_DEFINE(SSL_ALLOW_SELF_SIGNED_CERT) fi +AC_ARG_ENABLE([ssl-crl-check], + [AS_HELP_STRING([--enable-ssl-crl-check], [Enable use of SSL Certificate Revocation List])], +[ + app_cv_enable_crl_check="$enableval" +],[ + app_cv_enable_crl_check="no" +]) + +if test "$app_cv_self_signed_certs" == "yes"; then + AC_DEFINE(SSL_ENABLE_CRL_CHECK) +fi + dnl --------------------------------------------------------------------------- dnl Check for pic dnl --------------------------------------------------------------------------- diff --git a/src/include/config.h.in b/src/include/config.h.in index 2565d36..eb23510 100644 --- a/src/include/config.h.in +++ b/src/include/config.h.in @@ -50,6 +50,7 @@ #undef HAVE_LDAP #undef HAVE_LIBSSL #undef SSL_ALLOW_SELF_SIGNED_CERT + #undef SSL_ENABLE_CRL_CHECK /* Windows Options */ #ifdef WIN32 diff --git a/src/lib3270/private.h b/src/lib3270/private.h index d276e86..50cf0b3 100644 --- a/src/lib3270/private.h +++ b/src/lib3270/private.h @@ -664,12 +664,20 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on); #if defined(HAVE_LIBSSL) /*[*/ - LIB3270_INTERNAL int ssl_ctx_init(H3270 *hSession); + typedef struct _ssl_error_message + { + int error; + const char * title; + const char * text; + const char * description; + } SSL_ERROR_MESSAGE; + + + LIB3270_INTERNAL int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE *message); LIB3270_INTERNAL int ssl_init(H3270 *session); LIB3270_INTERNAL int ssl_negotiate(H3270 *hSession); LIB3270_INTERNAL void set_ssl_state(H3270 *session, LIB3270_SSL_STATE state); - #if OPENSSL_VERSION_NUMBER >= 0x00907000L /*[*/ #define INFO_CONST const #else /*][*/ diff --git a/src/lib3270/ssl/linux/ctx_init.c b/src/lib3270/ssl/linux/ctx_init.c index 9bbf9e1..9aa7f4a 100644 --- a/src/lib3270/ssl/linux/ctx_init.c +++ b/src/lib3270/ssl/linux/ctx_init.c 
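Review bot: The new `AC_DEFINE(SSL_ENABLE_CRL_CHECK)` is guarded by the wrong variable: the added test reads `$app_cv_self_signed_certs` instead of the `app_cv_enable_crl_check` that the new `AC_ARG_ENABLE([ssl-crl-check])` just set, so `--enable-ssl-crl-check` has no effect and CRL checking is instead switched on exactly when self-signed certificates are allowed. The guard should read `if test "$app_cv_enable_crl_check" == "yes"; then` (the existing line above already uses `==`, though `=` is the portable form inside `test`). Because the CRL path in ctx_init.c makes `ssl_ctx_init` fail outright when the CRL file cannot be opened, this mix-up would break SSL connections for builds that only asked for self-signed support.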
@@ -54,17 +54,43 @@ #include #include #include +#include #include "trace_dsc.h" +#ifdef SSL_ENABLE_CRL_CHECK + #include +#endif // SSL_ENABLE_CRL_CHECK + /*--[ Implement ]------------------------------------------------------------------------------------*/ +#ifdef SSL_ENABLE_CRL_CHECK +static inline void auto_close_file(FILE **file) +{ + if(*file) + fclose(*file); +} + +static inline void auto_close_crl(X509_CRL **crl) +{ + if(*crl) + X509_CRL_free(*crl); +} + +static inline void auto_free_text(char **text) +{ + if(*text) + lib3270_free(*text); +} + +#endif // SSL_ENABLE_CRL_CHECK + /** * @brief Initialize openssl library. * * @return 0 if ok, non zero if fails. * */ -int ssl_ctx_init(H3270 *hSession) +int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message) { debug("%s ssl_ctx=%p",__FUNCTION__,ssl_ctx); 
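Review bot: The Doxygen block above `ssl_ctx_init` still documents only the return value although the signature now takes `message`; add `@param hSession Session whose ssl.error is updated on failure.` and `@param message Receives error, title and text when the function fails; description is filled only on some paths, so the caller must zero the structure first (negotiate.c does this with memset).` The body of ssl_ctx_init continues past the end of this hunk. The three `auto_close_*`/`auto_free_text` helpers exist only to serve GCC's `__cleanup__` attribute used later in the function; a one-line comment stating that dependency would spare the next reader from wondering why they guard against NULL and are otherwise uncalled.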
@@ -78,40 +104,54 @@ int ssl_ctx_init(H3270 *hSession) ssl_ctx = SSL_CTX_new(SSLv23_method()); if(ssl_ctx == NULL) + { + message->error = hSession->ssl.error = ERR_get_error(); + message->title = N_( "Security error" ); + message->text = N_( "Cant initialize the SSL context." ); return -1; + } SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL); SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback); SSL_CTX_set_default_verify_paths(ssl_ctx); - /* - static const char * ssldir[] = - { -#ifdef DATAROOTDIR - DATAROOTDIR "/" PACKAGE_NAME "/certs", -#endif // DATAROOTDIR -#ifdef SYSCONFDIR - SYSCONFDIR "/ssl/certs", - SYSCONFDIR "/certs", -#endif - "/etc/ssl/certs" - }; - - size_t f; - - for(f = 0;f < sizeof(ssldir) / sizeof(ssldir[0]);f++) - { - SSL_CTX_load_verify_locations(ssl_ctx,NULL,ssldir[f]); - } - */ - ssl_3270_ex_index = SSL_get_ex_new_index(0,NULL,NULL,NULL,NULL); +#ifdef SSL_ENABLE_CRL_CHECK + // + // Set up CRL validation // - // Initialize CUSTOM CRL CHECK + // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session // + char __attribute__ ((__cleanup__(auto_free_text))) * crl_file = lib3270_strdup_printf("%s/.cache/" PACKAGE_NAME ".crl",getenv("HOME")); + X509_CRL * __attribute__ ((__cleanup__(auto_close_crl))) crl = NULL; + FILE * __attribute__ ((__cleanup__(auto_close_file))) hCRL = fopen(crl_file,"r"); + + if(!hCRL) + { + // Can't open CRL File. 
+ message->error = hSession->ssl.error = 0; + message->title = N_( "Security error" ); + message->text = N_( "Can't open CRL File" ); + message->description = strerror(errno); + lib3270_write_log(hSession,"ssl","Can't open %s: %s",crl_file,message->description); + return -1; + + } + + lib3270_write_log(hSession,"ssl","Loading CRL from %s",crl_file); + d2i_X509_CRL_fp(hCRL, &crl); + + X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); + X509_STORE_add_crl(store, crl); + X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); + X509_STORE_set1_param(store, param); + X509_VERIFY_PARAM_free(param); + +#endif // SSL_ENABLE_CRL_CHECK return 0; } diff --git a/src/lib3270/ssl/negotiate.c b/src/lib3270/ssl/negotiate.c index 877fb59..c8b86d3 100644 --- a/src/lib3270/ssl/negotiate.c +++ b/src/lib3270/ssl/negotiate.c @@ -70,15 +70,6 @@ */ SSL_CTX * ssl_ctx = NULL; -struct ssl_error_message -{ - int error; - const char * title; - const char * text; - const char * description; -}; - - /** * @brief Initialize openssl session. * @@ -94,15 +85,9 @@ static int background_ssl_init(H3270 *hSession, void *message) hSession->ssl.error = 0; hSession->ssl.host = False; - if(ssl_ctx_init(hSession)) { - - ((struct ssl_error_message *) message)->error = hSession->ssl.error = ERR_get_error(); - ((struct ssl_error_message *) message)->title = N_( "Security error" ); - ((struct ssl_error_message *) message)->text = N_( "SSL context initialization has failed" ); - + if(ssl_ctx_init(hSession, (SSL_ERROR_MESSAGE *) message)) { set_ssl_state(hSession,LIB3270_SSL_UNDEFINED); hSession->ssl.host = False; - return -1; } 
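Review bot: `d2i_X509_CRL_fp(hCRL, &crl)` is called without checking its result, so an empty, truncated or PEM-encoded CRL file leaves `crl` NULL and the next line hands that null pointer to `X509_STORE_add_crl(store, crl)`; the return of `X509_STORE_add_crl` is ignored as well, so a CRL that fails to register still lets `ssl_ctx_init` return 0 while the caller believes revocation checking is active. Both calls should be checked and reported through `message` the same way the fopen failure just above is. `getenv("HOME")` can return NULL, which makes the `%s` in the `crl_file` format undefined; fetch it into a local and fail with a message before building the path. Note also that `X509_V_FLAG_CRL_CHECK` only consults the CRL for the leaf certificate; if revocation of intermediates is intended, `X509_V_FLAG_CRL_CHECK_ALL` is the flag, but that is a design decision to confirm rather than a defect.
```c
	// … unchanged: crl_file/crl/hCRL declarations and the fopen failure path …
	lib3270_write_log(hSession,"ssl","Loading CRL from %s",crl_file);
	if(!d2i_X509_CRL_fp(hCRL, &crl))
	{
		message->error = hSession->ssl.error = ERR_get_error();
		message->title = N_( "Security error" );
		message->text = N_( "Can't decode CRL File" );
		lib3270_write_log(hSession,"ssl","Can't decode %s",crl_file);
		return -1;
	}

	X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
	if(!X509_STORE_add_crl(store, crl))
	{
		message->error = hSession->ssl.error = ERR_get_error();
		message->title = N_( "Security error" );
		message->text = N_( "Can't add CRL to the certificate store" );
		return -1;
	}
	// … unchanged: X509_VERIFY_PARAM setup and return 0 …
```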
@@ -112,9 +97,9 @@ static int background_ssl_init(H3270 *hSession, void *message) hSession->ssl.con = SSL_new(ssl_ctx); if(hSession->ssl.con == NULL) { - ((struct ssl_error_message *) message)->error = hSession->ssl.error = ERR_get_error(); - ((struct ssl_error_message *) message)->title = N_( "Security error" ); - ((struct ssl_error_message *) message)->text = N_( "Cant create a new SSL structure for current connection." ); + ((SSL_ERROR_MESSAGE *) message)->error = hSession->ssl.error = ERR_get_error(); + ((SSL_ERROR_MESSAGE *) message)->title = N_( "Security error" ); + ((SSL_ERROR_MESSAGE *) message)->text = N_( "Cant create a new SSL structure for current connection." ); return -1; } @@ -142,9 +127,9 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) { trace_dsn(hSession,"%s","SSL_set_fd failed!\n"); - ((struct ssl_error_message *) message)->title = N_( "Security error" ); - ((struct ssl_error_message *) message)->text = N_( "SSL negotiation failed" ); - ((struct ssl_error_message *) message)->description = N_( "Cant set the file descriptor for the input/output facility for the TLS/SSL (encrypted) side of ssl." ); + ((SSL_ERROR_MESSAGE *) message)->title = N_( "Security error" ); + ((SSL_ERROR_MESSAGE *) message)->text = N_( "SSL negotiation failed" ); + ((SSL_ERROR_MESSAGE *) message)->description = N_( "Cant set the file descriptor for the input/output facility for the TLS/SSL (encrypted) side of ssl." ); return -1; } 
@@ -157,16 +142,16 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) { const char * msg = ""; - ((struct ssl_error_message *) message)->error = SSL_get_error(hSession->ssl.con,rv); - if(((struct ssl_error_message *) message)->error == SSL_ERROR_SYSCALL && hSession->ssl.error) - ((struct ssl_error_message *) message)->error = hSession->ssl.error; + ((SSL_ERROR_MESSAGE *) message)->error = SSL_get_error(hSession->ssl.con,rv); + if(((SSL_ERROR_MESSAGE *) message)->error == SSL_ERROR_SYSCALL && hSession->ssl.error) + ((SSL_ERROR_MESSAGE *) message)->error = hSession->ssl.error; - msg = ERR_lib_error_string(((struct ssl_error_message *) message)->error); + msg = ERR_lib_error_string(((SSL_ERROR_MESSAGE *) message)->error); trace_dsn(hSession,"SSL_connect failed: %s %s\n",msg,ERR_reason_error_string(hSession->ssl.error)); - ((struct ssl_error_message *) message)->title = N_( "Security error" ); - ((struct ssl_error_message *) message)->text = N_( "SSL Connect failed" ); + ((SSL_ERROR_MESSAGE *) message)->title = N_( "Security error" ); + ((SSL_ERROR_MESSAGE *) message)->text = N_( "SSL Connect failed" ); lib3270_disconnect(hSession); return -1; @@ -191,9 +176,9 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) debug("%s","The CRL of a certificate could not be found." ); trace_dsn(hSession,"%s","The CRL of a certificate could not be found.\n" ); - ((struct ssl_error_message *) message)->title = _( "SSL error" ); - ((struct ssl_error_message *) message)->text = _( "Unable to get certificate CRL." ); - ((struct ssl_error_message *) message)->description = _( "The Certificate revocation list (CRL) of a certificate could not be found." ); + ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" ); + ((SSL_ERROR_MESSAGE *) message)->text = _( "Unable to get certificate CRL." ); + ((SSL_ERROR_MESSAGE *) message)->description = _( "The Certificate revocation list (CRL) of a certificate could not be found." ); return -1; 
@@ -207,9 +192,9 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) #ifdef SSL_ALLOW_SELF_SIGNED_CERT break; #else - ((struct ssl_error_message *) message)->title = _( "SSL error" ); - ((struct ssl_error_message *) message)->text = _( "The SSL certificate for this host is not trusted." ); - ((struct ssl_error_message *) message)->description = _( "The security certificate presented by this host was not issued by a trusted certificate authority." ); + ((SSL_ERROR_MESSAGE *) message)->title = _( "SSL error" ); + ((SSL_ERROR_MESSAGE *) message)->text = _( "The SSL certificate for this host is not trusted." ); + ((SSL_ERROR_MESSAGE *) message)->description = _( "The security certificate presented by this host was not issued by a trusted certificate authority." ); return -1; #endif // SSL_ALLOW_SELF_SIGNED_CERT @@ -273,7 +258,7 @@ static int background_ssl_negotiation(H3270 *hSession, void *message) int ssl_negotiate(H3270 *hSession) { int rc; - struct ssl_error_message msg; + SSL_ERROR_MESSAGE msg; memset(&msg,0,sizeof(msg)); @@ -301,7 +286,7 @@ int ssl_negotiate(H3270 *hSession) int ssl_init(H3270 *hSession) { int rc; - struct ssl_error_message msg; + SSL_ERROR_MESSAGE msg; memset(&msg,0,sizeof(msg)); -- libgit2 0.21.2