Hello community,

here is the log from the commit of package lib3270 for openSUSE:Factory checked 
in at 2020-12-08 13:24:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lib3270 (Old)
 and      /work/SRC/openSUSE:Factory/.lib3270.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lib3270"

Tue Dec  8 13:24:59 2020 rev:4 rq:853773 version:5.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/lib3270/lib3270.changes  2020-11-04 
18:32:08.608180808 +0100
+++ /work/SRC/openSUSE:Factory/.lib3270.new.5913/lib3270.changes        
2020-12-08 13:26:05.554776518 +0100
@@ -1,0 +2,6 @@
+Wed Nov 18 21:07:38 UTC 2020 - Perry Werneck <perry.wern...@gmail.com>
+
+- Fixing CRL download engine
+  * Added fix-crl-get-engine.patch 
+
+-------------------------------------------------------------------

New:
----
  fix-crl-get-engine.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lib3270.spec ++++++
--- /var/tmp/diff_new_pack.LP1Kd9/_old  2020-12-08 13:26:06.066777278 +0100
+++ /var/tmp/diff_new_pack.LP1Kd9/_new  2020-12-08 13:26:06.070777284 +0100
@@ -25,6 +25,7 @@
 Group:          Development/Libraries/C and C++
 URL:            https://github.com/PerryWerneck/lib3270
 Source:         %{name}-%{version}.tar.xz
+Patch0:         fix-crl-get-engine.patch
 BuildRequires:  autoconf >= 2.61
 BuildRequires:  automake
 BuildRequires:  binutils
@@ -73,6 +74,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 NOCONFIGURE=1 ./autogen.sh
 %configure --with-release=%{release}
 

++++++ fix-crl-get-engine.patch ++++++
diff --git a/src/network_modules/openssl/crl.c 
b/src/network_modules/openssl/crl.c
index 408340a..b07c08b 100644
--- a/src/network_modules/openssl/crl.c
+++ b/src/network_modules/openssl/crl.c
@@ -27,7 +27,7 @@
  *
  */
 
-/// @brief Get CRL infro from X509 cert.
+/// @brief Get CRL info from X509 cert.
 ///
 /// References:
 ///
@@ -35,6 +35,7 @@
 
 
 #include "private.h"
+#include <utilc.h>
 
 /*--[ Implement 
]------------------------------------------------------------------------------------*/
 
@@ -79,7 +80,13 @@ LIB3270_STRING_ARRAY * 
lib3270_openssl_get_crls_from_peer(H3270 *hSession, X509
 #endif // OpenSSL 1.1.0+
 
                                if(data && length > 0)
-                                       
lib3270_string_array_append_with_length(uris,(char *) data, (size_t) length);
+                               {
+                                       lib3270_autoptr(char) uri = 
lib3270_malloc( ((size_t) length) + 1);
+                                       strncpy(uri,(char *) data, (size_t) 
length);
+
+                                       lib3270_autoptr(char) unescaped = 
lib3270_unescape(uri);
+                                       
lib3270_string_array_append(uris,unescaped);
+                               }
 
                        }
 
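Review bot: The new `uri` buffer is only NUL-terminated if lib3270_malloc() happens to zero-fill, because `strncpy(uri,(char *) data, (size_t) length)` copies exactly `length` bytes and never writes the terminator at `uri[length]`, after which `lib3270_unescape(uri)` reads past the copied bytes. Writing the terminator explicitly removes the dependence on the allocator: `memcpy(uri, data, (size_t) length); uri[length] = 0;`. I cannot see lib3270_malloc from this patch, so if it is a calloc wrapper this is a readability point rather than an over-read. The enclosing lib3270_openssl_get_crls_from_peer starts before this hunk.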
diff --git a/src/network_modules/openssl/start.c 
b/src/network_modules/openssl/start.c
index f0ecb92..d720117 100644
--- a/src/network_modules/openssl/start.c
+++ b/src/network_modules/openssl/start.c
@@ -34,6 +34,7 @@
 
  #include "private.h"
  #include <lib3270/properties.h>
+ #include <utilc.h>
 
  static int import_crl(H3270 *hSession, SSL_CTX * ssl_ctx, LIB3270_NET_CONTEXT 
* context, const char *url) {
 
@@ -103,25 +104,26 @@
 
        if(X509_STORE_add_crl(store, x509_crl)) {
                trace_ssl(hSession,"CRL was added to context cert store\n");
-       } else {
-               trace_ssl(hSession,"CRL was not added to context cert store\n");
+               return 0;
        }
 
-       return 0;
+       trace_ssl(hSession,"CRL was not added to context cert store\n");
+
+       return -1;
 
  }
 
- static void download_crl_from_peer(H3270 *hSession, SSL_CTX * ctx_context, 
LIB3270_NET_CONTEXT * context, X509 *peer) {
+ static int download_crl_from_peer(H3270 *hSession, SSL_CTX * ctx_context, 
LIB3270_NET_CONTEXT * context, X509 *peer) {
 
        debug("%s peer=%p",__FUNCTION__,(void *) peer);
 
        if(!peer)
-               return;
+               return -1;
 
        lib3270_autoptr(LIB3270_STRING_ARRAY) uris = 
lib3270_openssl_get_crls_from_peer(hSession, peer);
        if(!uris) {
                trace_ssl(hSession,"Can't get distpoints from peer 
certificate\n");
-               return;
+               return -1;
        }
 
        size_t ix;
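Review bot: The new failure path of import_crl at `trace_ssl(hSession,"CRL was not added to context cert store\n")` now returns -1 but drops the reason OpenSSL queued for the rejected CRL, which is exactly what an operator needs when the fallback to the peer's distribution points then fails as well. Consider `trace_ssl(hSession,"CRL was not added to context cert store: %s\n", ERR_reason_error_string(ERR_get_error()));` so the trace explains why the CRL was refused. The same return-code conversion is applied to download_crl_from_peer in this and the next two hunks, whose body continues past them; import_crl's body begins before this hunk.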
@@ -134,11 +136,11 @@
 
                        
if(!import_crl(hSession,ctx_context,context,uris->str[ix])) {
                                trace_ssl(hSession,"Got CRL from 
%s\n",uris->str[ix]);
-                               return;
+                               return 0;
                        }
 
                }
-               return;
+               return -1;
 
        }
 
@@ -152,10 +154,9 @@
                if(strncasecmp(prefer,uris->str[ix],length))
                        continue;
 
-               debug("Trying %s",uris->str[ix]);
                if(!import_crl(hSession,ctx_context,context,uris->str[ix])) {
                        trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
-                       return;
+                       return 0;
                }
 
        }
@@ -168,13 +169,34 @@
 
                if(!import_crl(hSession,ctx_context,context,uris->str[ix])) {
                        trace_ssl(hSession,"Got CRL from %s\n",uris->str[ix]);
-                       return;
+                       return 0;
                }
 
        }
 
+       return -1;
+
  }
 
+int x509_store_ctx_error_callback(int ok, X509_STORE_CTX GNUC_UNUSED(*ctx))
+{
+       debug("%s(%d)",__FUNCTION__,ok);
+
+/*
+  55     {
+  56         if (!ok) {
+  57             Category::getInstance("OpenSSL").error(
+  58                 "path validation failure at depth(%d): %s",
+  59                 X509_STORE_CTX_get_error_depth(ctx),
+  60                 
X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))
+  61                 );
+  62         }
+  63         return ok;
+  64     }
+*/
+       return ok;
+}
+
  int openssl_network_start_tls(H3270 *hSession) {
 
        SSL_CTX * ctx_context = (SSL_CTX *) 
lib3270_openssl_get_context(hSession);
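Review bot: x509_store_ctx_error_callback has external linkage and returns `ok` untouched, so as written it changes nothing about verification while exporting a new symbol, and the block between the debug() and the return is commented-out C++ from another project with its editor line numbers pasted in. Either drop the callback (and the X509_STORE_CTX_set_verify_cb() call in the later hunk) or make it `static` and have it report what the default callback does not, e.g. `if(!ok) debug("%s: depth=%d %s", __FUNCTION__, X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));` with the GNUC_UNUSED marker removed from `ctx`. The commented-out block should go either way.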
@@ -199,7 +221,8 @@
 
        
SSL_set_ex_data(context->con,lib3270_openssl_get_ex_index(hSession),(char *) 
hSession);
 //     SSL_set_verify(context->con, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
-       SSL_set_verify(context->con, 0, NULL);
+//     SSL_set_verify(context->con, SSL_VERIFY_PEER, NULL);
+       SSL_set_verify(context->con, SSL_VERIFY_NONE, NULL);
 
        if(SSL_set_fd(context->con, context->sock) != 1)
        {
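Review bot: `SSL_set_verify(context->con, SSL_VERIFY_NONE, NULL)` is the same value as the `0` it replaces, and with SSL_VERIFY_NONE the handshake completes even when chain validation fails, so the only thing enforcing verification is the code that later reads the verify result (the `verify_result` and `hSession->ssl.message` handling in the following hunks) and whatever the caller does with that state. That deferral appears deliberate, so a missing CRL can be fetched after the handshake and the chain re-checked, and it deserves a comment in place of the two commented-out alternatives, e.g. `// Verification is deferred on purpose: the result is read back with SSL_get_verify_result() after the handshake so a missing CRL can be downloaded and the chain re-verified.`. openssl_network_start_tls continues outside this hunk.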
@@ -295,13 +318,40 @@
 
                // CRL download is enabled and verification has failed; look 
for CRL file.
 
+
                trace_ssl(hSession,"CRL Validation has failed, requesting CRL 
download\n");
                set_ssl_state(hSession,LIB3270_SSL_VERIFYING);
 
+               int rc_download = -1;
+
                if(context->crl.url) {
-                       import_crl(hSession, 
ctx_context,context,context->crl.url);
+                       rc_download = import_crl(hSession, 
ctx_context,context,context->crl.url);
                } else {
-                       download_crl_from_peer(hSession, ctx_context, context, 
peer);
+                       rc_download = download_crl_from_peer(hSession, 
ctx_context, context, peer);
+               }
+
+               debug("Download rc=%d",rc_download);
+
+               if(!rc_download)
+               {
+                       // Got CRL, verify it!
+                       // Reference: 
https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
+
+                       X509_STORE_CTX *csc = X509_STORE_CTX_new();
+                       X509_STORE_CTX_set_verify_cb(csc, 
x509_store_ctx_error_callback);
+                       X509_STORE_CTX_init(csc, 
SSL_CTX_get_cert_store(ctx_context), peer, NULL);
+
+                       if(X509_verify_cert(csc) != 1)
+                               rv = X509_STORE_CTX_get_error(csc);
+                       else
+                               rv = X509_V_OK;
+
+                       trace_ssl(hSession, "X509_verify_cert error code was 
%d\n", rv);
+
+                       SSL_set_verify_result(context->con, rv);
+
+                       X509_STORE_CTX_free(csc);
+
                }
 
        }
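Review bot: The re-verification block starting at `X509_STORE_CTX *csc = X509_STORE_CTX_new();` uses `csc` without a NULL check, ignores the return value of X509_STORE_CTX_init(), and installs the verify callback before X509_STORE_CTX_init(), which as far as I recall re-initializes the callback from the store and so discards the one just set. It also passes NULL as the untrusted chain, so intermediates the peer presented are not available for chain building and a chain that only validates through them would presumably still be reported as failed after the CRL was fetched; `SSL_get_peer_cert_chain(context->con)` supplies them. When setup fails, `rv` should be set to an error code rather than left at whatever it held before, so SSL_set_verify_result() never records success by accident; X509_STORE_CTX_free() accepts NULL, so the cleanup can stay unconditional. The rewritten lines follow; openssl_network_start_tls continues outside this hunk.
```c
			X509_STORE_CTX *csc = X509_STORE_CTX_new();
			if(!csc || X509_STORE_CTX_init(csc, SSL_CTX_get_cert_store(ctx_context), peer, SSL_get_peer_cert_chain(context->con)) != 1)
			{
				trace_ssl(hSession, "Can't initialize X509 store context for CRL verification\n");
				rv = X509_V_ERR_UNSPECIFIED;
			}
			else
			{
				// The callback must be installed after init(), which resets it.
				X509_STORE_CTX_set_verify_cb(csc, x509_store_ctx_error_callback);
				rv = (X509_verify_cert(csc) == 1) ? X509_V_OK : X509_STORE_CTX_get_error(csc);
			}

			trace_ssl(hSession, "X509_verify_cert error code was %d\n", rv);
			SSL_set_verify_result(context->con, rv);
			X509_STORE_CTX_free(csc);
```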
@@ -313,6 +363,7 @@
 
        // Get validation message.
        hSession->ssl.message = lib3270_openssl_message_from_id(verify_result);
+       debug("Verify message: %s",hSession->ssl.message->summary);
 
        // Trace cypher
        if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
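Review bot: The added `debug("Verify message: %s",hSession->ssl.message->summary);` dereferences `hSession->ssl.message` unconditionally, while the existing `if(hSession->ssl.message)` check a few lines further down (visible in the last hunk) treats a NULL result from lib3270_openssl_message_from_id() as possible. If debug() is compiled out in release builds this only bites trace builds, but the two spots should agree: `debug("Verify message: %s", hSession->ssl.message ? hSession->ssl.message->summary : "(none)");`. openssl_network_start_tls continues outside this hunk.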
@@ -331,7 +382,7 @@
 
        // Check results.
        if(hSession->ssl.message)
-               trace_ssl(hSession,"%s",hSession->ssl.message->summary);
+               trace_ssl(hSession,"%s\n",hSession->ssl.message->summary);
        else
                trace_ssl(hSession,"TLS/SSL verify result was %ld\n", 
verify_result);
 