287 lines
9.5 KiB
Diff
287 lines
9.5 KiB
Diff
From 65c0559d8a91c8153e72dbb2524386ce37cc325a Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
|
Date: Mon, 20 Feb 2017 14:47:03 +0100
|
|
Subject: [PATCH 1/4] fix build with -Werror=format-security
|
|
|
|
---
|
|
curses/cursesterm.c | 4 ++--
|
|
lib5250/sslstream.c | 2 +-
|
|
lib5250/telnetstr.c | 2 +-
|
|
3 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/curses/cursesterm.c b/curses/cursesterm.c
|
|
index bf20f05..2aa65b8 100644
|
|
--- a/curses/cursesterm.c
|
|
+++ b/curses/cursesterm.c
|
|
@@ -640,9 +640,9 @@ static void curses_terminal_update(Tn5250Terminal * This, Tn5250Display *display
|
|
if(This->data->is_xterm) {
|
|
if (This->data->font_132!=NULL) {
|
|
if (tn5250_display_width (display)>100)
|
|
- printf(This->data->font_132);
|
|
+ printf("%s",This->data->font_132);
|
|
else
|
|
- printf(This->data->font_80);
|
|
+ printf("%s",This->data->font_80);
|
|
}
|
|
printf ("\x1b[8;%d;%dt", tn5250_display_height (display)+1,
|
|
tn5250_display_width (display));
|
|
diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
|
|
index e0b720a..77aab64 100644
|
|
--- a/lib5250/sslstream.c
|
|
+++ b/lib5250/sslstream.c
|
|
@@ -317,7 +317,7 @@ static void ssl_log_SB_buf(unsigned char *buf, int len)
|
|
|
|
if (!tn5250_logfile)
|
|
return;
|
|
- fprintf(tn5250_logfile,ssl_getTelOpt(type=*buf++));
|
|
+ fprintf(tn5250_logfile,"%s",ssl_getTelOpt(type=*buf++));
|
|
switch (c=*buf++) {
|
|
case IS:
|
|
fputs("<IS>",tn5250_logfile);
|
|
diff --git a/lib5250/telnetstr.c b/lib5250/telnetstr.c
|
|
index 763c519..f95a737 100644
|
|
--- a/lib5250/telnetstr.c
|
|
+++ b/lib5250/telnetstr.c
|
|
@@ -292,7 +292,7 @@ static void log_SB_buf(unsigned char *buf, int len)
|
|
|
|
if (!tn5250_logfile)
|
|
return;
|
|
- fprintf(tn5250_logfile,getTelOpt(type=*buf++));
|
|
+ fprintf(tn5250_logfile,"%s",getTelOpt(type=*buf++));
|
|
switch (c=*buf++) {
|
|
case IS:
|
|
fputs("<IS>",tn5250_logfile);
|
|
--
|
|
2.7.4
|
|
|
|
|
|
From 0b6bd9bb964a04b5dd8a0278af1c16d8b71e09f4 Mon Sep 17 00:00:00 2001
|
|
From: Michael Orlitzky <michael@orlitzky.com>
|
|
Date: Tue, 23 Aug 2016 18:13:47 -0400
|
|
Subject: [PATCH 2/4] sslstream.c: ignore the user's choice of ssl_method.
|
|
|
|
The SSLv2 and SSLv3 protocols are insecure, and people have begun to
|
|
operate without them. LibreSSL, for example, does not have them
|
|
enabled, and it is possible to build OpenSSL in the same manner.
|
|
|
|
If SSLv[23] are disabled, the user would not be able to choose "ssl2"
|
|
or "ssl3" as his "ssl_method", an option that was undocumented
|
|
anywhere. Therefore there is not much lost, and some security to gain,
|
|
by removing the option completely. This commit does that, and uses the
|
|
automatic protocol choice that is capable of negotiating TLSv1,
|
|
TLSv1.1 and TLSv1.2.
|
|
|
|
Gentoo-Bug: 591940
|
|
---
|
|
lib5250/sslstream.c | 26 ++++++++++----------------
|
|
1 file changed, 10 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
|
|
index 77aab64..f4353a9 100644
|
|
--- a/lib5250/sslstream.c
|
|
+++ b/lib5250/sslstream.c
|
|
@@ -372,22 +372,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
|
|
|
|
/* which SSL method do we use? */
|
|
|
|
- strcpy(methstr,"auto");
|
|
- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
|
|
- strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
|
|
- methstr[4] = '\0';
|
|
- }
|
|
-
|
|
- if (!strcmp(methstr, "ssl2")) {
|
|
- meth = SSLv2_client_method();
|
|
- TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
|
|
- } else if (!strcmp(methstr, "ssl3")) {
|
|
- meth = SSLv3_client_method();
|
|
- TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
|
|
- } else {
|
|
- meth = SSLv23_client_method();
|
|
- TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
|
|
- }
|
|
+ /* Ignore the user's choice of ssl_method (which isn't documented
|
|
+ * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
|
|
+ * and this is only safe supported method left.
|
|
+ *
|
|
+ * This is a Gentoo-specific modification that lets us build
|
|
+ * against LibreSSL and newer OpenSSL with its insecure protocols
|
|
+ * disabled.
|
|
+ */
|
|
+ meth = SSLv23_client_method();
|
|
+ TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
|
|
|
|
/* create a new SSL context */
|
|
|
|
--
|
|
2.7.4
|
|
|
|
|
|
From 66e1a2f80091e9ee9b99156ae23e5faaf9f24fe0 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
|
Date: Mon, 20 Feb 2017 15:06:36 +0100
|
|
Subject: [PATCH 3/4] remove duplicate definition for tn3270_ssl_stream_init()
|
|
|
|
---
|
|
lib5250/sslstream.c | 93 -----------------------------------------------------
|
|
1 file changed, 93 deletions(-)
|
|
|
|
diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
|
|
index f4353a9..86d38cf 100644
|
|
--- a/lib5250/sslstream.c
|
|
+++ b/lib5250/sslstream.c
|
|
@@ -477,99 +477,6 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
|
|
return 0; /* Ok */
|
|
}
|
|
|
|
-/****f* lib5250/tn3270_ssl_stream_init
|
|
- * NAME
|
|
- * tn3270_ssl_stream_init
|
|
- * SYNOPSIS
|
|
- * ret = tn3270_ssl_stream_init (This);
|
|
- * INPUTS
|
|
- * Tn5250Stream * This -
|
|
- * DESCRIPTION
|
|
- * DOCUMENT ME!!!
|
|
- *****/
|
|
-int tn3270_ssl_stream_init (Tn5250Stream *This)
|
|
-{
|
|
- int len;
|
|
-
|
|
-/* initialize SSL library */
|
|
-
|
|
- SSL_load_error_strings();
|
|
- SSL_library_init();
|
|
-
|
|
-/* create a new SSL context */
|
|
-
|
|
- This->ssl_context = SSL_CTX_new(SSLv23_client_method());
|
|
- if (This->ssl_context==NULL) {
|
|
- DUMP_ERR_STACK ();
|
|
- return -1;
|
|
- }
|
|
-
|
|
-/* if a certificate authority file is defined, load it into this context */
|
|
-
|
|
- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_ca_file")) {
|
|
- if (SSL_CTX_load_verify_locations(This->ssl_context,
|
|
- tn5250_config_get (This->config, "ssl_ca_file"), NULL)<1) {
|
|
- DUMP_ERR_STACK ();
|
|
- return -1;
|
|
- }
|
|
- }
|
|
-
|
|
-/* if a certificate authority file is defined, load it into this context */
|
|
-
|
|
- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_ca_file")) {
|
|
- if (SSL_CTX_load_verify_locations(This->ssl_context,
|
|
- tn5250_config_get (This->config, "ssl_ca_file"), NULL)<1) {
|
|
- DUMP_ERR_STACK ();
|
|
- return -1;
|
|
- }
|
|
- }
|
|
-
|
|
- This->userdata = NULL;
|
|
-
|
|
-/* if a PEM passphrase is defined, set things up so that it can be used */
|
|
-
|
|
- if (This->config!=NULL && tn5250_config_get (This->config,"ssl_pem_pass")){
|
|
- TN5250_LOG(("SSL: Setting password callback\n"));
|
|
- len = strlen(tn5250_config_get (This->config, "ssl_pem_pass"));
|
|
- This->userdata = malloc(len+1);
|
|
- strncpy(This->userdata,
|
|
- tn5250_config_get (This->config, "ssl_pem_pass"), len);
|
|
- SSL_CTX_set_default_passwd_cb(This->ssl_context,
|
|
- (pem_password_cb *)ssl_stream_passwd_cb);
|
|
- SSL_CTX_set_default_passwd_cb_userdata(This->ssl_context, (void *)This);
|
|
-
|
|
- }
|
|
-
|
|
-/* If a certificate file has been defined, load it into this context as well */
|
|
-
|
|
- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_cert_file")){
|
|
- TN5250_LOG(("SSL: Loading certificates from certificate file\n"));
|
|
- if (SSL_CTX_use_certificate_file(This->ssl_context,
|
|
- tn5250_config_get (This->config, "ssl_cert_file"),
|
|
- SSL_FILETYPE_PEM) <= 0) {
|
|
- DUMP_ERR_STACK ();
|
|
- return -1;
|
|
- }
|
|
- TN5250_LOG(("SSL: Loading private keys from certificate file\n"));
|
|
- if (SSL_CTX_use_PrivateKey_file(This->ssl_context,
|
|
- tn5250_config_get (This->config, "ssl_cert_file"),
|
|
- SSL_FILETYPE_PEM) <= 0) {
|
|
- DUMP_ERR_STACK ();
|
|
- return -1;
|
|
- }
|
|
- }
|
|
-
|
|
- This->ssl_handle = NULL;
|
|
- This->connect = ssl_stream_connect;
|
|
- This->accept = ssl_stream_accept;
|
|
- This->disconnect = ssl_stream_disconnect;
|
|
- This->handle_receive = ssl_stream_handle_receive;
|
|
- This->send_packet = tn3270_ssl_stream_send_packet;
|
|
- This->destroy = ssl_stream_destroy;
|
|
- This->streamtype = TN3270E_STREAM;
|
|
- return 0; /* Ok */
|
|
-}
|
|
-
|
|
/****i* lib5250/ssl_stream_connect
|
|
* NAME
|
|
* ssl_stream_connect
|
|
--
|
|
2.7.4
|
|
|
|
|
|
From 5922e57bb5ea78ff35f82a60f1721d533cc0584a Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
|
Date: Mon, 20 Feb 2017 15:37:51 +0100
|
|
Subject: [PATCH 4/4] port to OpenSSL 1.1
|
|
|
|
- check for better functions in configure
|
|
- update SSL initialization call
|
|
---
|
|
configure.ac | 8 ++++----
|
|
lib5250/sslstream.c | 2 +-
|
|
2 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 4ba0007..8a16cff 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -152,13 +152,13 @@ dnl ** happily, we don't have to hunt for them thanks to ldconfig!
|
|
dnl **
|
|
if test -n $sslincludedir; then
|
|
CPPFLAGS="$CPPFLAGS $sslincludedir"
|
|
- AC_CHECK_LIB(crypto,CRYPTO_num_locks)
|
|
- if test "$ac_cv_lib_crypto_CRYPTO_num_locks" != "yes"
|
|
+ AC_CHECK_LIB(crypto,OPENSSL_init)
|
|
+ if test "$ac_cv_lib_crypto_OPENSSL_init" != "yes"
|
|
then
|
|
AC_MSG_ERROR([** Unable to find OpenSSL libraries!])
|
|
fi
|
|
- AC_CHECK_LIB(ssl,SSL_library_init)
|
|
- if test "$ac_cv_lib_ssl_SSL_library_init" != "yes"
|
|
+ AC_CHECK_LIB(ssl,OPENSSL_init_ssl)
|
|
+ if test "$ac_cv_lib_ssl_OPENSSL_init_ssl" != "yes"
|
|
then
|
|
AC_MSG_ERROR([** Unable to find OpenSSL libraries!])
|
|
fi
|
|
diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
|
|
index 86d38cf..3c0f390 100644
|
|
--- a/lib5250/sslstream.c
|
|
+++ b/lib5250/sslstream.c
|
|
@@ -368,7 +368,7 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
|
|
/* initialize SSL library */
|
|
|
|
SSL_load_error_strings();
|
|
- SSL_library_init();
|
|
+ OPENSSL_init_ssl(0, NULL);
|
|
|
|
/* which SSL method do we use? */
|
|
|
|
--
|
|
2.7.4
|
|
|