From b407b35c7352e5c95e66b0f1acb8b3c2a8419391 Mon Sep 17 00:00:00 2001
From: Perry Werneck <perry.werneck@gmail.com>
Date: Wed, 16 Oct 2019 15:09:01 -0300
Subject: [PATCH] Adding CRL download using winhttp api.

---
 configure.ac                  |  13 +++++++++++++
 lib3270.cbp                   |   3 +++
 src/ssl/windows/getcrl.c      |   4 ++++
 src/ssl/windows/http.c        | 192 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/ssl/windows/private.h     |   4 ++++
 src/testprogram/testprogram.c |   3 +++
 6 files changed, 219 insertions(+), 0 deletions(-)
 create mode 100644 src/ssl/windows/http.c

diff --git a/configure.ac b/configure.ac
index 6598523..4bd1a52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -447,16 +447,29 @@ AC_ARG_WITH([libname], [AS_HELP_STRING([--with-libname], [Setup library name])],
 AC_DEFINE_UNQUOTED(LIB3270_NAME,$app_cv_libname)
 AC_SUBST(LIB3270_NAME,$app_cv_libname)
 
+dnl ---------------------------------------------------------------------------
+dnl OS Defs
+dnl ---------------------------------------------------------------------------
+
 case "$host" in
 	*-mingw32|*-pc-msys)
+
 		AC_SUBST(SONAME,lib$app_cv_libname.dll)
+
+		if test "$app_cv_enable_crl_check" == "yes"; then
+			LIBS="$LIBS -lwinhttp"
+		fi
+
 		;;
 
  	s390x-*)
+
 		AC_SUBST(SONAME,lib$app_cv_libname.so)
+
 		;;
 
  	*)
+
 		AC_SUBST(SONAME,lib$app_cv_libname.so.$app_vrs_major.$app_vrs_minor)
 
 esac
diff --git a/lib3270.cbp b/lib3270.cbp
index 754d5f6..77e4022 100644
--- a/lib3270.cbp
+++ b/lib3270.cbp
@@ -337,6 +337,9 @@
 		<Unit filename="src/ssl/windows/getcrl.c">
 			<Option compilerVar="CC" />
 		</Unit>
+		<Unit filename="src/ssl/windows/http.c">
+			<Option compilerVar="CC" />
+		</Unit>
 		<Unit filename="src/ssl/windows/init.c">
 			<Option compilerVar="CC" />
 		</Unit>
diff --git a/src/ssl/windows/getcrl.c b/src/ssl/windows/getcrl.c
index f280a86..7360cdf 100644
--- a/src/ssl/windows/getcrl.c
+++ b/src/ssl/windows/getcrl.c
@@ -99,6 +99,10 @@ X509_CRL * lib3270_download_crl(H3270 *hSession, SSL_ERROR_MESSAGE * message, co
 
 	}
 #endif // HAVE_LDAP
+	else if(strncasecmp(consturl,"http://",7) == 0 && strlen(consturl) > 8)
+	{
+		return get_crl_using_http(hSession, message, consturl);
+	}
 	else
 	{
 #ifdef HAVE_LIBCURL
diff --git a/src/ssl/windows/http.c b/src/ssl/windows/http.c
new file mode 100644
index 0000000..91ac23e
--- /dev/null
+++ b/src/ssl/windows/http.c
@@ -0,0 +1,192 @@
+/*
+ * "Software pw3270, desenvolvido com base nos códigos fontes do WC3270  e X3270
+ * (Paul Mattes Paul.Mattes@usa.net), de emulação de terminal 3270 para acesso a
+ * aplicativos mainframe. Registro no INPI sob o nome G3270.
+ *
+ * Copyright (C) <2008> <Banco do Brasil S.A.>
+ *
+ * Este programa é software livre. Você pode redistribuí-lo e/ou modificá-lo sob
+ * os termos da GPL v.2 - Licença Pública Geral  GNU,  conforme  publicado  pela
+ * Free Software Foundation.
+ *
+ * Este programa é distribuído na expectativa de  ser  útil,  mas  SEM  QUALQUER
+ * GARANTIA; sem mesmo a garantia implícita de COMERCIALIZAÇÃO ou  de  ADEQUAÇÃO
+ * A QUALQUER PROPÓSITO EM PARTICULAR. Consulte a Licença Pública Geral GNU para
+ * obter mais detalhes.
+ *
+ * Você deve ter recebido uma cópia da Licença Pública Geral GNU junto com este
+ * programa; se não, escreva para a Free Software Foundation, Inc., 51 Franklin
+ * St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Este programa está nomeado como - e possui - linhas de código.
+ *
+ * Contatos:
+ *
+ * perry.werneck@gmail.com	(Alexandre Perry de Souza Werneck)
+ * erico.mendonca@gmail.com	(Erico Mascarenhas Mendonça)
+ *
+ * References:
+ *
+ * https://docs.microsoft.com/en-us/windows/win32/winhttp/winhttp-autoproxy-api
+ *
+ */
+
+/**
+ * @brief Implements CRL download using winhttp.
+ *
+ */
+
+#include <config.h>
+#include "private.h"
+
+#if defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
+
+#include <winhttp.h>
+#include <utilc.h>
+
+/*--[ Implement ]------------------------------------------------------------------------------------*/
+
+static void lib3270_autoptr_cleanup_HINTERNET(HINTERNET **hInternet)
+{
+	if(*hInternet)
+		WinHttpCloseHandle(*hInternet);
+	*hInternet = 0;
+}
+
+X509_CRL * get_crl_using_http(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl)
+{
+	// Strip URL.
+	lib3270_autoptr(char) urldup = lib3270_unescape(consturl);
+
+	char *hostname = strstr(urldup,"://");
+	if(!hostname)
+		hostname = urldup;
+	else
+		hostname += 3;
+
+	char *path = strchr(hostname,'/');
+	if(path)
+		*(path++) = 0;
+
+	// https://docs.microsoft.com/en-us/windows/desktop/api/winhttp/nf-winhttp-winhttpopenrequest
+
+	// Open HTTP session
+	// https://docs.microsoft.com/en-us/windows/desktop/api/winhttp/nf-winhttp-winhttpopenrequest
+	static const char * userAgent = PACKAGE_NAME "/" PACKAGE_VERSION;
+	wchar_t wUserAgent[256];
+	mbstowcs(wUserAgent, userAgent, strlen(userAgent)+1);
+	lib3270_autoptr(HINTERNET) httpSession = WinHttpOpen(wUserAgent, WINHTTP_ACCESS_TYPE_NO_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0 );
+	if(!httpSession)
+	{
+		lib3270_autoptr(char) windows_error = lib3270_win32_translate_error_code(GetLastError());
+		lib3270_write_log(hSession,"ssl","%s: %s",consturl, windows_error);
+
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't open HTTP session" );
+		debug("%s",message->text);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	// Connect to server
+	debug("Hostname: \"%s\"",hostname);
+	wchar_t wHostname[4096];
+	mbstowcs(wHostname, hostname, strlen(hostname)+1);
+	lib3270_autoptr(HINTERNET) hConnect = WinHttpConnect(httpSession, wHostname, INTERNET_DEFAULT_HTTP_PORT, 0);
+	if(!hConnect)
+	{
+		lib3270_autoptr(char) windows_error = lib3270_win32_translate_error_code(GetLastError());
+		lib3270_write_log(hSession,"ssl","%s: %s",consturl, windows_error);
+
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't connect to HTTP server." );
+		debug("%s",message->text);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	// Create request.
+	debug("Path: \"%s\"",path);
+	wchar_t wPath[4096];
+	mbstowcs(wPath, path, strlen(path)+1);
+	lib3270_autoptr(HINTERNET) hRequest = WinHttpOpenRequest(hConnect, L"GET", wPath, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_ESCAPE_PERCENT);
+	if(!hConnect)
+	{
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't create HTTP request." );
+		debug("%s",message->text);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	WinHttpSetOption(hRequest, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, WINHTTP_NO_CLIENT_CERT_CONTEXT, 0);
+
+	// Send request.
+	if(!WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0))
+	{
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't send HTTP request." );
+		debug("%s",message->text);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	// Get response
+	if(!WinHttpReceiveResponse(hRequest, NULL))
+	{
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't receive HTTP response." );
+		debug("%s",message->text);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	DWORD szResponse = 0;
+	if(!WinHttpQueryDataAvailable(hRequest, &szResponse))
+	{
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Empty response from HTTP server." );
+		debug("%s",message->text);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	lib3270_autoptr(char) httpText = lib3270_malloc(szResponse+1);
+	memset(httpText,0,szResponse+1);
+
+	debug("Response length: %u", (unsigned int) szResponse);
+
+	if(!WinHttpReadData(hRequest,httpText,szResponse,&szResponse)){
+		message->error = hSession->ssl.error = 0;
+		message->title = _( "Security error" );
+		message->text = _( "Can't read HTTP response." );
+		debug("%s",message->text);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	//
+	// Parse CRL
+	//
+	X509_CRL * x509_crl = NULL;
+
+	if(!d2i_X509_CRL(&x509_crl, (const unsigned char **) &httpText, szResponse))
+	{
+		message->error = hSession->ssl.error = ERR_get_error();
+		message->title = _( "Security error" );
+		message->text = _( "Can't decode certificate revocation list" );
+		lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
+		return NULL;
+	}
+
+	return x509_crl;
+
+}
+
+#endif //  defined(HAVE_LIBSSL) && defined(SSL_ENABLE_CRL_CHECK)
diff --git a/src/ssl/windows/private.h b/src/ssl/windows/private.h
index 5514908..3e889d0 100644
--- a/src/ssl/windows/private.h
+++ b/src/ssl/windows/private.h
@@ -64,4 +64,8 @@
 
 	#endif // HAVE_LDAP
 
+	/// @brief Use winhttp to get CRL.
+	LIB3270_INTERNAL X509_CRL * get_crl_using_http(H3270 *hSession, SSL_ERROR_MESSAGE * message, const char *consturl);
+
+
 #endif // !LIB3270_WIN32_SSL_PRIVATE_H_INCLUDED
diff --git a/src/testprogram/testprogram.c b/src/testprogram/testprogram.c
index 99aa745..0d75e0b 100644
--- a/src/testprogram/testprogram.c
+++ b/src/testprogram/testprogram.c
@@ -43,7 +43,10 @@ int main(int argc, char *argv[])
 
 	printf("3270 session %p created\n]",h);
 
+#ifdef HAVE_LDAP
 	lib3270_set_crl_prefered_protocol(h,"ldap");
+#endif // HAVE_LDAP
+
 	lib3270_set_url(h,NULL);
 
 	int long_index =0;
--
libgit2 0.21.2