From 65c0559d8a91c8153e72dbb2524386ce37cc325a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Mon, 20 Feb 2017 14:47:03 +0100 Subject: [PATCH 1/4] fix build with -Werror=format-security --- curses/cursesterm.c | 4 ++-- lib5250/sslstream.c | 2 +- lib5250/telnetstr.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/curses/cursesterm.c b/curses/cursesterm.c index bf20f05..2aa65b8 100644 --- a/curses/cursesterm.c +++ b/curses/cursesterm.c @@ -640,9 +640,9 @@ static void curses_terminal_update(Tn5250Terminal * This, Tn5250Display *display if(This->data->is_xterm) { if (This->data->font_132!=NULL) { if (tn5250_display_width (display)>100) - printf(This->data->font_132); + printf("%s",This->data->font_132); else - printf(This->data->font_80); + printf("%s",This->data->font_80); } printf ("\x1b[8;%d;%dt", tn5250_display_height (display)+1, tn5250_display_width (display)); diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c index e0b720a..77aab64 100644 --- a/lib5250/sslstream.c +++ b/lib5250/sslstream.c @@ -317,7 +317,7 @@ static void ssl_log_SB_buf(unsigned char *buf, int len) if (!tn5250_logfile) return; - fprintf(tn5250_logfile,ssl_getTelOpt(type=*buf++)); + fprintf(tn5250_logfile,"%s",ssl_getTelOpt(type=*buf++)); switch (c=*buf++) { case IS: fputs("",tn5250_logfile); diff --git a/lib5250/telnetstr.c b/lib5250/telnetstr.c index 763c519..f95a737 100644 --- a/lib5250/telnetstr.c +++ b/lib5250/telnetstr.c @@ -292,7 +292,7 @@ static void log_SB_buf(unsigned char *buf, int len) if (!tn5250_logfile) return; - fprintf(tn5250_logfile,getTelOpt(type=*buf++)); + fprintf(tn5250_logfile,"%s",getTelOpt(type=*buf++)); switch (c=*buf++) { case IS: fputs("",tn5250_logfile); -- 2.7.4 From 0b6bd9bb964a04b5dd8a0278af1c16d8b71e09f4 Mon Sep 17 00:00:00 2001 From: Michael Orlitzky Date: Tue, 23 Aug 2016 18:13:47 -0400 Subject: [PATCH 2/4] sslstream.c: ignore the user's choice of ssl_method. The SSLv2 and SSLv3 protocols are insecure, and people have begun to operate without them. LibreSSL, for example, does not have them enabled, and it is possible to build OpenSSL in the same manner. If SSLv[23] are disabled, the user would not be able to choose "ssl2" or "ssl3" as his "ssl_method", an option that was undocumented anywhere. Therefore there is not much lost, and some security to gain, by removing the option completely. This commit does that, and uses the automatic protocol choice that is capable of negotiating TLSv1, TLSv1.1 and TLSv1.2. Gentoo-Bug: 591940 --- lib5250/sslstream.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c index 77aab64..f4353a9 100644 --- a/lib5250/sslstream.c +++ b/lib5250/sslstream.c @@ -372,22 +372,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This) /* which SSL method do we use? */ - strcpy(methstr,"auto"); - if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) { - strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4); - methstr[4] = '\0'; - } - - if (!strcmp(methstr, "ssl2")) { - meth = SSLv2_client_method(); - TN5250_LOG(("SSL Method = SSLv2_client_method()\n")); - } else if (!strcmp(methstr, "ssl3")) { - meth = SSLv3_client_method(); - TN5250_LOG(("SSL Method = SSLv3_client_method()\n")); - } else { - meth = SSLv23_client_method(); - TN5250_LOG(("SSL Method = SSLv23_client_method()\n")); - } + /* Ignore the user's choice of ssl_method (which isn't documented + * anyway...) if it was either "ssl2" or "ssl3". Both are insecure, + * and this is only safe supported method left. + * + * This is a Gentoo-specific modification that lets us build + * against LibreSSL and newer OpenSSL with its insecure protocols + * disabled. + */ + meth = SSLv23_client_method(); + TN5250_LOG(("SSL Method = SSLv23_client_method()\n")); /* create a new SSL context */ -- 2.7.4 From 66e1a2f80091e9ee9b99156ae23e5faaf9f24fe0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Mon, 20 Feb 2017 15:06:36 +0100 Subject: [PATCH 3/4] remove duplicate definition for tn3270_ssl_stream_init() --- lib5250/sslstream.c | 93 ----------------------------------------------------- 1 file changed, 93 deletions(-) diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c index f4353a9..86d38cf 100644 --- a/lib5250/sslstream.c +++ b/lib5250/sslstream.c @@ -477,99 +477,6 @@ int tn5250_ssl_stream_init (Tn5250Stream *This) return 0; /* Ok */ } -/****f* lib5250/tn3270_ssl_stream_init - * NAME - * tn3270_ssl_stream_init - * SYNOPSIS - * ret = tn3270_ssl_stream_init (This); - * INPUTS - * Tn5250Stream * This - - * DESCRIPTION - * DOCUMENT ME!!! - *****/ -int tn3270_ssl_stream_init (Tn5250Stream *This) -{ - int len; - -/* initialize SSL library */ - - SSL_load_error_strings(); - SSL_library_init(); - -/* create a new SSL context */ - - This->ssl_context = SSL_CTX_new(SSLv23_client_method()); - if (This->ssl_context==NULL) { - DUMP_ERR_STACK (); - return -1; - } - -/* if a certificate authority file is defined, load it into this context */ - - if (This->config!=NULL && tn5250_config_get (This->config, "ssl_ca_file")) { - if (SSL_CTX_load_verify_locations(This->ssl_context, - tn5250_config_get (This->config, "ssl_ca_file"), NULL)<1) { - DUMP_ERR_STACK (); - return -1; - } - } - -/* if a certificate authority file is defined, load it into this context */ - - if (This->config!=NULL && tn5250_config_get (This->config, "ssl_ca_file")) { - if (SSL_CTX_load_verify_locations(This->ssl_context, - tn5250_config_get (This->config, "ssl_ca_file"), NULL)<1) { - DUMP_ERR_STACK (); - return -1; - } - } - - This->userdata = NULL; - -/* if a PEM passphrase is defined, set things up so that it can be used */ - - if (This->config!=NULL && tn5250_config_get (This->config,"ssl_pem_pass")){ - TN5250_LOG(("SSL: Setting password callback\n")); - len = strlen(tn5250_config_get (This->config, "ssl_pem_pass")); - This->userdata = malloc(len+1); - strncpy(This->userdata, - tn5250_config_get (This->config, "ssl_pem_pass"), len); - SSL_CTX_set_default_passwd_cb(This->ssl_context, - (pem_password_cb *)ssl_stream_passwd_cb); - SSL_CTX_set_default_passwd_cb_userdata(This->ssl_context, (void *)This); - - } - -/* If a certificate file has been defined, load it into this context as well */ - - if (This->config!=NULL && tn5250_config_get (This->config, "ssl_cert_file")){ - TN5250_LOG(("SSL: Loading certificates from certificate file\n")); - if (SSL_CTX_use_certificate_file(This->ssl_context, - tn5250_config_get (This->config, "ssl_cert_file"), - SSL_FILETYPE_PEM) <= 0) { - DUMP_ERR_STACK (); - return -1; - } - TN5250_LOG(("SSL: Loading private keys from certificate file\n")); - if (SSL_CTX_use_PrivateKey_file(This->ssl_context, - tn5250_config_get (This->config, "ssl_cert_file"), - SSL_FILETYPE_PEM) <= 0) { - DUMP_ERR_STACK (); - return -1; - } - } - - This->ssl_handle = NULL; - This->connect = ssl_stream_connect; - This->accept = ssl_stream_accept; - This->disconnect = ssl_stream_disconnect; - This->handle_receive = ssl_stream_handle_receive; - This->send_packet = tn3270_ssl_stream_send_packet; - This->destroy = ssl_stream_destroy; - This->streamtype = TN3270E_STREAM; - return 0; /* Ok */ -} - /****i* lib5250/ssl_stream_connect * NAME * ssl_stream_connect -- 2.7.4 From 5922e57bb5ea78ff35f82a60f1721d533cc0584a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Mon, 20 Feb 2017 15:37:51 +0100 Subject: [PATCH 4/4] port to OpenSSL 1.1 - check for better functions in configure - update SSL initialization call --- configure.ac | 8 ++++---- lib5250/sslstream.c | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index 4ba0007..8a16cff 100644 --- a/configure.ac +++ b/configure.ac @@ -152,13 +152,13 @@ dnl ** happily, we don't have to hunt for them thanks to ldconfig! dnl ** if test -n $sslincludedir; then CPPFLAGS="$CPPFLAGS $sslincludedir" - AC_CHECK_LIB(crypto,CRYPTO_num_locks) - if test "$ac_cv_lib_crypto_CRYPTO_num_locks" != "yes" + AC_CHECK_LIB(crypto,OPENSSL_init) + if test "$ac_cv_lib_crypto_OPENSSL_init" != "yes" then AC_MSG_ERROR([** Unable to find OpenSSL libraries!]) fi - AC_CHECK_LIB(ssl,SSL_library_init) - if test "$ac_cv_lib_ssl_SSL_library_init" != "yes" + AC_CHECK_LIB(ssl,OPENSSL_init_ssl) + if test "$ac_cv_lib_ssl_OPENSSL_init_ssl" != "yes" then AC_MSG_ERROR([** Unable to find OpenSSL libraries!]) fi diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c index 86d38cf..3c0f390 100644 --- a/lib5250/sslstream.c +++ b/lib5250/sslstream.c @@ -368,7 +368,7 @@ int tn5250_ssl_stream_init (Tn5250Stream *This) /* initialize SSL library */ SSL_load_error_strings(); - SSL_library_init(); + OPENSSL_init_ssl(0, NULL); /* which SSL method do we use? */ -- 2.7.4