Browse Source

Added support for OpenSSL 1.1

Some KOpenSSLProxy methods have been renamed to be consistent
with OpenSSL 1.1 API names and to prevent hidden API changes.
To ensure API / ABI compatibility, the original methods are
still included but have been marked as deprecated.

+ SSLv23_client_method => TLS_client_method
+ X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted
+ sk_dup => OPENSSL_sk_dup
+ sk_free => OPENSSL_sk_free
+ sk_new => OPENSSL_sk_new
+ sk_num => OPENSSL_sk_num
+ sk_pop => OPENSSL_sk_pop
+ sk_push => OPENSSL_sk_push
+ sk_value => OPENSSL_sk_value

Additional methods have been added to KOpenSSLProxy to support
the new OpenSSL 1.1 API functions that provide access to the
(now) opaque SSL structures. Compatibility with OpenSSL < 1.1
is handled internally in KOpenSSLProxy.

+ BIO_get_data
+ DSA_get0_key
+ DSA_get0_pqg
+ EVP_PKEY_base_id
+ EVP_PKEY_get0_DSA
+ EVP_PKEY_get0_RSA
+ RSA_get0_key
+ X509_CRL_get0_lastUpdate
+ X509_CRL_get0_nextUpdate
+ X509_OBJECT_get0_X509
+ X509_OBJECT_get_type
+ X509_STORE_CTX_get_current_cert
+ X509_STORE_CTX_get_error
+ X509_STORE_CTX_get_error_depth
+ X509_STORE_CTX_set_error
+ X509_STORE_get0_objects
+ X509_STORE_set_verify_cb
+ X509_get0_signature
+ X509_getm_notAfter
+ X509_getm_notBefore
+ X509_subject_name_cmp
+ _SSL_session_reused
+ _SSL_set_options

Method "KSSL::setSession" has been renamed to "KSSL::takeSession"
and its functionality has changed: the session is now transferred
from the argument object to the invoked object. Since it is only
used internally in TDE and the functionality is different, the
method with the previous name has not been preserved.

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>
pull/1/head
Slávek Banko 2 years ago
parent
commit
e1861cb681
14 changed files with 981 additions and 375 deletions
  1. +3
    -10
      tdecert/tdecertpart.cc
  2. +612
    -112
      tdeio/kssl/kopenssl.cc
  3. +191
    -31
      tdeio/kssl/kopenssl.h
  4. +11
    -18
      tdeio/kssl/ksmimecrypto.cc
  5. +20
    -17
      tdeio/kssl/kssl.cc
  6. +3
    -4
      tdeio/kssl/kssl.h
  7. +11
    -4
      tdeio/kssl/ksslcallback.c
  8. +26
    -48
      tdeio/kssl/ksslcertchain.cc
  9. +64
    -40
      tdeio/kssl/ksslcertificate.cc
  10. +4
    -25
      tdeio/kssl/ksslpkcs12.cc
  11. +0
    -19
      tdeio/kssl/ksslpkcs7.cc
  12. +29
    -40
      tdeio/kssl/ksslsettings.cc
  13. +4
    -4
      tdeio/kssl/ksslutils.cc
  14. +3
    -3
      tdeio/tdeio/tcpslavebase.cpp

+ 3
- 10
tdecert/tdecertpart.cc View File

@@ -557,9 +557,6 @@ if (whatType == "application/x-pkcs12") {
return false;
}

#define sk_free KOSSL::self()->sk_free
#define sk_num KOSSL::self()->sk_num
#define sk_value KOSSL::self()->sk_value
STACK_OF(X509_INFO) *sx5i = KOSSL::self()->PEM_X509_INFO_read(fp, NULL, KSSLPemCallback, NULL);

if (!sx5i) {
@@ -569,8 +566,8 @@ if (whatType == "application/x-pkcs12") {
}

_ca_filenameLabel->setText(m_file);
for (int i = 0; i < sk_X509_INFO_num(sx5i); i++) {
X509_INFO* x5i = sk_X509_INFO_value(sx5i, i);
for (int i = 0; i < KOSSL::self()->OPENSSL_sk_num(sx5i); i++) {
X509_INFO* x5i = reinterpret_cast<X509_INFO*>(KOSSL::self()->OPENSSL_sk_value(sx5i, i));
if (x5i->x_pkey && x5i->x509) { // a personal cert (like PKCS12)
KSSLCertificate *xc = KSSLCertificate::fromX509(x5i->x509);
new KX509Item(_sideList, xc);
@@ -584,11 +581,7 @@ if (whatType == "application/x-pkcs12") {
}
}

sk_X509_INFO_free(sx5i);

#undef sk_free
#undef sk_num
#undef sk_value
KOSSL::self()->OPENSSL_sk_free(sx5i);

fclose(fp);
return true;

+ 612
- 112
tdeio/kssl/kopenssl.cc
File diff suppressed because it is too large
View File


+ 191
- 31
tdeio/kssl/kopenssl.h View File

@@ -48,13 +48,22 @@ class KOpenSSLProxyPrivate;
#include <openssl/stack.h>
#include <openssl/bn.h>
#undef crypt
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define STACK OPENSSL_STACK
#else
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
#define STACK _STACK
#endif
#endif
#endif

#include <kstaticdeleter.h>

#if OPENSSL_VERSION_NUMBER < 0x10100000L
typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
typedef int X509_LOOKUP_TYPE;
#endif

/**
* Dynamically load and wrap OpenSSL.
*
@@ -178,17 +187,14 @@ public:
*/
SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);

/*
* SSL_set_options - manipulate SSL engine options
* Note: These are all mapped to SSL_ctrl so call them as the comment
* specifies but know that they use SSL_ctrl. They are #define
* so they will map to the one in this class if called as a
* member function of this class.
*/
/* long SSL_set_options(SSL *ssl, long options); */
/* Returns 0 if not reused, 1 if session id is reused */
/* int SSL_session_reused(SSL *ssl); */
long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
/* SSL_set_options - manipulate SSL engine options */
long _SSL_set_options(SSL *ssl, long options);

/* Returns 0 if not reused, 1 if session id is reused */
int _SSL_session_reused(SSL *ssl);

/* SSL control */
long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);

/*
* RAND_egd - set the path to the EGD
@@ -233,9 +239,9 @@ public:


/*
* SSLv23_client_method - return a SSLv23 client method object
* TLS_client_method - return client method object
*/
SSL_METHOD *SSLv23_client_method();
SSL_METHOD *TLS_client_method();


/*
@@ -310,12 +316,38 @@ public:


/*
* X509_subject_name_cmp - compare subject name of two X509 objects
*/
int X509_subject_name_cmp(const X509 *a, const X509 *b);


/*
* X509_dup - duplicate an X509 object
*/
X509 *X509_dup(X509 *x509);


/*
* X509_get0_signature - get signature and algorithm
*/
void X509_get0_signature(const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg, const X509 *x);



/*
*
*/
ASN1_TIME *X509_getm_notAfter(const X509 *x);


/*
*
*/
ASN1_TIME *X509_getm_notBefore(const X509 *x);


/*
* X509_STORE_CTX_new - create an X509 store context
*/
X509_STORE_CTX *X509_STORE_CTX_new(void);
@@ -328,15 +360,66 @@ public:


/*
* X509_STORE_CTX_set_chain - set the certificate chain
* X509_STORE_CTX_set0_untrusted - set the certificate chain
*/
void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x);
void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *v, STACK_OF(X509)* x);


/*
* X509_STORE_CTX_set_purpose - set the purpose of the certificate
*/
void X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose);


/*
*
*/
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);


/*
*
*/
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);


/*
*
*/
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);


/*
*
*/
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);


/*
*
*/
void X509_STORE_set_verify_cb(X509_STORE *ctx,
X509_STORE_CTX_verify_cb verify_cb);


/*
*
*/
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v);


/*
*
*/
X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a);


/*
*
*/
X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);


/*
* X509_verify_cert - verify the certificate
*/
@@ -367,6 +450,18 @@ public:


/*
*
*/
const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);


/*
*
*/
const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);


/*
* X509_NAME_oneline - return the X509 data in a string
*/
char *X509_NAME_oneline(X509_NAME *a, char *buf, int size);
@@ -455,6 +550,11 @@ public:
int BIO_write(BIO *b, const void *data, int len);

/*
* BIO_get_data - retrieve (custom) data from BIO
*/
void *BIO_get_data(BIO *a);

/*
* PEM_write_bio_X509 - write a PEM encoded cert to a BIO*
*/
int PEM_write_bio_X509(BIO *bp, X509 *x);
@@ -536,53 +636,51 @@ public:
/*
* Pop off the stack
*/
char *sk_pop(STACK *s);
char *OPENSSL_sk_pop(STACK *s);

char *OPENSSL_sk_pop(void *s) { return OPENSSL_sk_pop(reinterpret_cast<STACK*>(s)); }


/*
* Free the stack
*/
void sk_free(STACK *s);
void OPENSSL_sk_free(STACK *s);

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
void sk_free(void *s) { return sk_free(reinterpret_cast<STACK*>(s)); }
#endif
void OPENSSL_sk_free(void *s) { OPENSSL_sk_free(reinterpret_cast<STACK*>(s)); }

/*
* Number of elements in the stack
*/
int sk_num(STACK *s);
int OPENSSL_sk_num(STACK *s);

int OPENSSL_sk_num(void *s) { return OPENSSL_sk_num(reinterpret_cast<STACK*>(s)); }

/*
* Value of element n in the stack
*/
char *sk_value(STACK *s, int n);
char *OPENSSL_sk_value(STACK *s, int n);

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
char *sk_value(void *s, int n) { return sk_value(reinterpret_cast<STACK*>(s), n); }
#endif
char *OPENSSL_sk_value(void *s, int n) { return OPENSSL_sk_value(reinterpret_cast<STACK*>(s), n); }

/*
* Create a new stack
*/
STACK *sk_new(int (*cmp)());
STACK *OPENSSL_sk_new(int (*cmp)());


/*
* Add an element to the stack
*/
int sk_push(STACK *s, char *d);
int OPENSSL_sk_push(STACK *s, char *d);

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
int sk_push(void *s, void *d) { return sk_push(reinterpret_cast<STACK*>(s), reinterpret_cast<char*>(d)); }
#endif
int OPENSSL_sk_push(void *s, void *d) { return OPENSSL_sk_push(reinterpret_cast<STACK*>(s), reinterpret_cast<char*>(d)); }

/*
* Duplicate the stack
*/
STACK *sk_dup(STACK *s);
STACK *OPENSSL_sk_dup(const STACK *s);

STACK *OPENSSL_sk_dup(const void *s) { return OPENSSL_sk_dup(reinterpret_cast<const STACK*>(s)); }

/*
* Convert an ASN1_INTEGER to it's text form
@@ -824,12 +922,37 @@ public:


/*
* Get EVP private key type
*/
int EVP_PKEY_base_id(const EVP_PKEY *pkey);


/*
* Assign a private key
*/
int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key);


/*
* Get RSA key
*/
RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);


/*
* Get DSA key
*/
DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);


/*
* RSA_get0_key - retreive key parameters
*/
void RSA_get0_key(const RSA *r,
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);


/*
* Generate a RSA key
*/
RSA *RSA_generate_key(int bits, unsigned long e, void
@@ -837,6 +960,20 @@ public:


/*
* DSA_get0_pqg - retreive key parameters
*/
void DSA_get0_pqg(const DSA *d,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);


/*
* DSA_get0_key - retreive key
*/
void DSA_get0_key(const DSA *d,
const BIGNUM **pub_key, const BIGNUM **priv_key);


/*
* Create/destroy a certificate request
*/
X509_REQ *X509_REQ_new();
@@ -912,6 +1049,29 @@ public:
/* get list of available SSL_CIPHER's sorted by preference */
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL* ssl);


/* cover KOpenSSLProxy API compatibility */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_API_COMPAT < 0x10100000L
# undef sk_dup
# undef sk_free
# undef sk_new
# undef sk_num
# undef sk_pop
# undef sk_push
# undef sk_value
# undef X509_STORE_CTX_set_chain
# undef SSLv23_client_method
#endif
STACK *sk_dup(const STACK *s) KDE_DEPRECATED;
void sk_free(STACK *s) KDE_DEPRECATED;
STACK *sk_new(int (*cmp)()) KDE_DEPRECATED;
int sk_num(STACK *s) KDE_DEPRECATED;
char *sk_pop(STACK *s) KDE_DEPRECATED;
int sk_push(STACK *s, char *d) KDE_DEPRECATED;
char *sk_value(STACK *s, int n) KDE_DEPRECATED;
void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x) KDE_DEPRECATED;
SSL_METHOD *SSLv23_client_method() KDE_DEPRECATED;

#endif

private:

+ 11
- 18
tdeio/kssl/ksmimecrypto.cc View File

@@ -38,15 +38,6 @@
#endif


// forward included macros to KOpenSSLProxy
#define sk_new kossl->sk_new
#define sk_free kossl->sk_free
#define sk_push kossl->sk_push
#define sk_value kossl->sk_value
#define sk_num kossl->sk_num
#define BIO_ctrl kossl->BIO_ctrl


#ifdef KSSL_HAVE_SSL
static const char eot = 0;

@@ -87,10 +78,10 @@ KSMIMECryptoPrivate::KSMIMECryptoPrivate(KOpenSSLProxy *kossl): kossl(kossl) {


STACK_OF(X509) *KSMIMECryptoPrivate::certsToX509(TQPtrList<KSSLCertificate> &certs) {
STACK_OF(X509) *x509 = reinterpret_cast<STACK_OF(X509)*>(sk_new(NULL));
STACK_OF(X509) *x509 = reinterpret_cast<STACK_OF(X509)*>(kossl->OPENSSL_sk_new(NULL));
KSSLCertificate *cert = certs.first();
while(cert) {
sk_X509_push(x509, cert->getCert());
kossl->OPENSSL_sk_push(x509, cert->getCert());
cert = certs.next();
}
return x509;
@@ -111,7 +102,7 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::signMessage(BIO *clearText,
PKCS7 *p7 = kossl->PKCS7_sign(privKey.getCertificate()->getCert(), privKey.getPrivateKey(),
other, clearText, flags);

if (other) sk_X509_free(other);
if (other) kossl->OPENSSL_sk_free(other);

if (!p7) return sslErrToRc();

@@ -154,7 +145,7 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::encryptMessage(BIO *clearText,

PKCS7 *p7 = kossl->PKCS7_encrypt(certs, clearText, cipher, 0);

sk_X509_free(certs);
kossl->OPENSSL_sk_free(certs);

if (!p7) return sslErrToRc();

@@ -192,14 +183,14 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::checkSignature(BIO *clearText,
X509_STORE *dummystore = kossl->X509_STORE_new();
if (kossl->PKCS7_verify(p7, NULL, dummystore, in, out, PKCS7_NOVERIFY)) {
STACK_OF(X509) *signers = kossl->PKCS7_get0_signers(p7, 0, PKCS7_NOVERIFY);
int num = sk_X509_num(signers);
int num = kossl->OPENSSL_sk_num(signers);

for(int n=0; n<num; n++) {
KSSLCertificate *signer = KSSLCertificate::fromX509(sk_X509_value(signers, n));
KSSLCertificate *signer = KSSLCertificate::fromX509(reinterpret_cast<X509*>(kossl->OPENSSL_sk_value(signers, n)));
recip.append(signer);
}

sk_X509_free(signers);
kossl->OPENSSL_sk_free(signers);
rc = KSMIMECrypto::KSC_R_OK;
} else {
rc = sslErrToRc();
@@ -236,13 +227,14 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::decryptMessage(BIO *cipherText,

void KSMIMECryptoPrivate::MemBIOToQByteArray(BIO *src, TQByteArray &dest) {
char *buf;
long len = BIO_get_mem_data(src, &buf);
long len = kossl->BIO_get_mem_data(src, &buf);
dest.assign(buf, len);
/* Now this goes quite a bit into openssl internals.
We assume that openssl uses malloc() (it does in
default config) and rip out the buffer.
*/
reinterpret_cast<BUF_MEM *>(src->ptr)->data = NULL;
void *ptr = kossl->BIO_get_data(src);
reinterpret_cast<BUF_MEM *>(ptr)->data = NULL;
}

@@ -422,3 +414,4 @@ KSMIMECrypto::rc KSMIMECrypto::decryptMessage(const TQByteArray &cipherText,
return KSC_R_NO_SSL;
#endif
}


+ 20
- 17
tdeio/kssl/kssl.cc View File

@@ -51,7 +51,6 @@
#include <tdelocale.h>
#include <ksocks.h>

#define sk_dup d->kossl->sk_dup

class KSSLPrivate {
public:
@@ -180,7 +179,7 @@ bool KSSL::initialize() {
d->m_meth = d->kossl->TLSv1_client_method();
else if (!m_cfg->tlsv1() && m_cfg->sslv3() && !m_cfg->sslv2())
d->m_meth = d->kossl->SSLv3_client_method();
else d->m_meth = d->kossl->SSLv23_client_method();
else d->m_meth = d->kossl->TLS_client_method();

/*
if (m_cfg->sslv2() && m_cfg->sslv3()) kdDebug(7029) << "Double method" << endl;
@@ -207,7 +206,7 @@ return false;
}


bool KSSL::setSession(const KSSLSession *session) {
bool KSSL::takeSession(KSSLSession *session) {
#ifdef KSSL_HAVE_SSL
if (!session) {
delete d->session;
@@ -215,11 +214,10 @@ bool KSSL::setSession(const KSSLSession *session) {
return true;
}

// Obtain a reference by incrementing the reference count. Yuck.
static_cast<SSL_SESSION*>(session->_session)->references++;

// Take session reference
d->session = new KSSLSession;
d->session->_session = session->_session;
session->_session = 0L;

return true;
#else
@@ -284,12 +282,16 @@ int rc;
return -1;

if (d->session) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0)
{
kdDebug(7029) << "Can't reuse session, no certificate." << endl;
delete d->session;
d->session = 0;
} else if (1 == d->kossl->SSL_set_session(d->m_ssl,
}
else
#endif
if (1 == d->kossl->SSL_set_session(d->m_ssl,
static_cast<SSL_SESSION*>(d->session->_session))) {
kdDebug(7029) << "Session ID is being reused." << endl;
} else {
@@ -316,7 +318,7 @@ int rc;
if (!m_cfg->sslv2())
off |= SSL_OP_NO_SSLv2;

d->kossl->SSL_set_options(d->m_ssl, off);
d->kossl->_SSL_set_options(d->m_ssl, off);

rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
if (rc == 0) {
@@ -341,7 +343,7 @@ int rc;
return -1;
}

if (!d->kossl->SSL_session_reused(d->m_ssl)) {
if (!d->kossl->_SSL_session_reused(d->m_ssl)) {
if (d->session) {
kdDebug(7029) << "Session reuse failed. New session used instead." << endl;
delete d->session;
@@ -375,12 +377,16 @@ int rc;
return -1;

if (d->session) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0)
{
kdDebug(7029) << "Can't reuse session, no certificate." << endl;
delete d->session;
d->session = 0;
} else if (1 == d->kossl->SSL_set_session(d->m_ssl,
}
else
#endif
if (1 == d->kossl->SSL_set_session(d->m_ssl,
static_cast<SSL_SESSION*>(d->session->_session))) {
kdDebug(7029) << "Session ID is being reused." << endl;
} else {
@@ -407,7 +413,7 @@ int rc;
if (!m_cfg->sslv2())
off |= SSL_OP_NO_SSLv2;

d->kossl->SSL_set_options(d->m_ssl, off);
d->kossl->_SSL_set_options(d->m_ssl, off);

rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
if (rc == 0) {
@@ -441,7 +447,7 @@ connect_again:
}
}

if (!d->kossl->SSL_session_reused(d->m_ssl)) {
if (!d->kossl->_SSL_session_reused(d->m_ssl)) {
if (d->session) {
kdDebug(7029) << "Session reuse failed. New session used instead." << endl;
delete d->session;
@@ -613,7 +619,7 @@ void KSSL::setPeerInfo() {
m_pi.m_cert.setCert(d->kossl->SSL_get_peer_certificate(d->m_ssl));
STACK_OF(X509) *xs = d->kossl->SSL_get_peer_cert_chain(d->m_ssl);
if (xs)
xs = sk_X509_dup(xs); // Leak?
xs = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_dup(xs)); // Leak?
m_pi.m_cert.setChain((void *)xs);
#endif
}
@@ -671,18 +677,15 @@ EVP_PKEY *k = pkcs->getPrivateKey();
#endif
}

#undef sk_dup

const KSSLSession* KSSL::session() const {
return d->session;
}

bool KSSL::reusingSession() const {
#ifdef KSSL_HAVE_SSL
return (d->m_ssl && d->kossl->SSL_session_reused(d->m_ssl));
return (d->m_ssl && d->kossl->_SSL_session_reused(d->m_ssl));
#else
return false;
#endif
}



+ 3
- 4
tdeio/kssl/kssl.h View File

@@ -82,16 +82,15 @@ public:
bool TLSInit();

/**
* Set an SSL session to use. This deep copies the session so it
* doesn't have to remain valid. You need to call it after calling
* initialize or reInitialize. The ID is cleared in close().
* Set an SSL session to use. This takes the session from the original
* KSSL object, so it is in fact a session move operation.
*
* @param session A valid session to reuse. If 0L, it will clear the
* session ID in memory.
*
* @return true on success
*/
bool setSession(const KSSLSession *session);
bool takeSession(KSSLSession *session);

/**
* Close the SSL session.

+ 11
- 4
tdeio/kssl/ksslcallback.c View File

@@ -27,8 +27,9 @@ bool KSSL_X509CallBack_ca_found;

extern "C" {
static int X509Callback(int ok, X509_STORE_CTX *ctx) {
kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << ctx->error << " depth = " << ctx->error_depth << endl;

kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << KOSSL::self()->X509_STORE_CTX_get_error(ctx) << " depth = "
<< KOSSL::self()->X509_STORE_CTX_get_error_depth(ctx) << endl;
// Here is how this works. We put "ok = 1;" in any case that we
// don't consider to be an error. In that case, it will return OK
// for the certificate check as long as there are no other critical
@@ -39,14 +40,20 @@ static int X509Callback(int ok, X509_STORE_CTX *ctx) {

if (KSSL_X509CallBack_ca)
{
if (KOSSL::self()->X509_cmp(ctx->current_cert, KSSL_X509CallBack_ca) != 0)
if (KOSSL::self()->X509_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0 &&
/*
* With OpenSSL >= 1.1 certificate in chain can be replaced by a certificate from the local certificate store.
* It is therefore necessary to compare the subject name, rather than the entire certificate.
*/
KOSSL::self()->X509_subject_name_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0) {
return 1; // Ignore errors for this certificate
}

KSSL_X509CallBack_ca_found = true;
}
if (!ok) {
switch (ctx->error) {
switch (KOSSL::self()->X509_STORE_CTX_get_error(ctx)) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:

+ 26
- 48
tdeio/kssl/ksslcertchain.cc View File

@@ -44,17 +44,6 @@
#include <tqstringlist.h>



#ifdef KSSL_HAVE_SSL
#define sk_new d->kossl->sk_new
#define sk_push d->kossl->sk_push
#define sk_free d->kossl->sk_free
#define sk_value d->kossl->sk_value
#define sk_num d->kossl->sk_num
#define sk_dup d->kossl->sk_dup
#define sk_pop d->kossl->sk_pop
#endif

class KSSLCertChainPrivate {
public:
KSSLCertChainPrivate() {
@@ -79,11 +68,11 @@ KSSLCertChain::~KSSLCertChain() {
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;

for (;;) {
X509* x5 = sk_X509_pop(x);
X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
if (!x5) break;
d->kossl->X509_free(x5);
}
sk_X509_free(x);
d->kossl->OPENSSL_sk_free(x);
}
#endif
delete d;
@@ -107,7 +96,7 @@ return x;

int KSSLCertChain::depth() {
#ifdef KSSL_HAVE_SSL
return sk_X509_num((STACK_OF(X509)*)_chain);
return d->kossl->OPENSSL_sk_num((STACK_OF(X509)*)_chain);
#endif
return 0;
}
@@ -119,8 +108,8 @@ if (!_chain) return cl;
#ifdef KSSL_HAVE_SSL
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;

for (int i = 0; i < sk_X509_num(x); i++) {
X509* x5 = sk_X509_value(x, i);
for (int i = 0; i < d->kossl->OPENSSL_sk_num(x); i++) {
X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_value(x, i));
if (!x5) continue;
KSSLCertificate *nc = new KSSLCertificate;
nc->setCert(d->kossl->X509_dup(x5));
@@ -138,18 +127,18 @@ if (_chain) {
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;

for (;;) {
X509* x5 = sk_X509_pop(x);
X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
if (!x5) break;
d->kossl->X509_free(x5);
}
sk_X509_free(x);
d->kossl->OPENSSL_sk_free(x);
_chain = NULL;
}

if (chain.count() == 0) return;
_chain = (void *)sk_new(NULL);
_chain = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_new(NULL));
for (KSSLCertificate *x = chain.first(); x != 0; x = chain.next()) {
sk_X509_push((STACK_OF(X509)*)_chain, d->kossl->X509_dup(x->getCert()));
d->kossl->OPENSSL_sk_push((STACK_OF(X509) *)_chain, d->kossl->X509_dup(x->getCert()));
}

#endif
@@ -158,31 +147,31 @@ if (_chain) {
void KSSLCertChain::setChain(void *stack_of_x509) {
#ifdef KSSL_HAVE_SSL
if (_chain) {
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;

for (;;) {
X509* x5 = sk_X509_pop(x);
if (!x5) break;
d->kossl->X509_free(x5);
if (_chain) {
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;

for (;;) {
X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
if (!x5) break;
d->kossl->X509_free(x5);
}
d->kossl->OPENSSL_sk_free(x);
_chain = NULL;
}
sk_X509_free(x);
_chain = NULL;
}

if (!stack_of_x509) return;
if (!stack_of_x509) return;

_chain = (void *)sk_new(NULL);
STACK_OF(X509) *x = (STACK_OF(X509) *)stack_of_x509;
_chain = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_new(NULL));
STACK_OF(X509) *x = (STACK_OF(X509) *)stack_of_x509;

for (int i = 0; i < sk_X509_num(x); i++) {
X509* x5 = sk_X509_value(x, i);
for (int i = 0; i < d->kossl->OPENSSL_sk_num(x); i++) {
X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_value(x, i));
if (!x5) continue;
sk_X509_push((STACK_OF(X509)*)_chain,d->kossl->X509_dup(x5));
d->kossl->OPENSSL_sk_push((STACK_OF(X509)*)_chain,d->kossl->X509_dup(x5));
}

#else
_chain = NULL;
_chain = NULL;
#endif
}

@@ -203,14 +192,3 @@ void KSSLCertChain::setCertChain(const TQStringList& chain) {
setChain(cl);
}


#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_dup
#undef sk_pop
#endif


+ 64
- 40
tdeio/kssl/ksslcertificate.cc View File

@@ -198,7 +198,7 @@ TQString rc = "";
if (!t)
return rc;
rc = t;
d->kossl->OPENSSL_free(t);
d->kossl->CRYPTO_free(t);
#endif
return rc;
}
@@ -225,14 +225,17 @@ TQString rc = "";
char *s;
int n, i;

i = d->kossl->OBJ_obj2nid(d->m_cert->sig_alg->algorithm);
const ASN1_BIT_STRING *signature = 0L;
const X509_ALGOR *sig_alg = 0L;
d->kossl->X509_get0_signature(&signature, &sig_alg, d->m_cert);
i = d->kossl->OBJ_obj2nid(sig_alg->algorithm);
rc = i18n("Signature Algorithm: ");
rc += (i == NID_undef)?i18n("Unknown"):TQString(d->kossl->OBJ_nid2ln(i));

rc += "\n";
rc += i18n("Signature Contents:");
n = d->m_cert->signature->length;
s = (char *)d->m_cert->signature->data;
n = signature->length;
s = (char *)signature->data;
for (i = 0; i < n; i++) {
if (i%20 != 0) rc += ":";
else rc += "\n";
@@ -254,8 +257,8 @@ void KSSLCertificate::getEmails(TQStringList &to) const {
STACK *s = d->kossl->X509_get1_email(d->m_cert);
if (s) {
for(int n=0; n < s->num; n++) {
to.append(d->kossl->sk_value(s,n));
for(int n=0; n < d->kossl->OPENSSL_sk_num(s); n++) {
to.append(d->kossl->OPENSSL_sk_value(s,n));
}
d->kossl->X509_email_free(s);
}
@@ -336,12 +339,12 @@ TQString rc = "";
EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
if (pkey) {
#ifndef NO_RSA
if (pkey->type == EVP_PKEY_RSA)
if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA)
rc = "RSA";
else
#endif
#ifndef NO_DSA
if (pkey->type == EVP_PKEY_DSA)
if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA)
rc = "DSA";
else
#endif
@@ -364,10 +367,14 @@ char *x = NULL;
if (pkey) {
rc = i18n("Unknown", "Unknown key algorithm");
#ifndef NO_RSA
if (pkey->type == EVP_PKEY_RSA) {
if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
rc = i18n("Key type: RSA (%1 bit)") + "\n";

x = d->kossl->BN_bn2hex(pkey->pkey.rsa->n);
RSA *pkey_rsa = d->kossl->EVP_PKEY_get0_RSA(pkey);
const BIGNUM *bn_n = 0L;
const BIGNUM *bn_e = 0L;
d->kossl->RSA_get0_key(pkey_rsa, &bn_n, &bn_e, NULL);
x = d->kossl->BN_bn2hex(bn_n);
rc += i18n("Modulus: ");
rc = rc.arg(strlen(x)*4);
for (unsigned int i = 0; i < strlen(x); i++) {
@@ -378,18 +385,26 @@ char *x = NULL;
rc += x[i];
}
rc += "\n";
d->kossl->OPENSSL_free(x);
d->kossl->CRYPTO_free(x);

x = d->kossl->BN_bn2hex(pkey->pkey.rsa->e);
x = d->kossl->BN_bn2hex(bn_e);
rc += i18n("Exponent: 0x") + x + "\n";
d->kossl->OPENSSL_free(x);
d->kossl->CRYPTO_free(x);
}
#endif
#ifndef NO_DSA
if (pkey->type == EVP_PKEY_DSA) {
if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) {
rc = i18n("Key type: DSA (%1 bit)") + "\n";

x = d->kossl->BN_bn2hex(pkey->pkey.dsa->p);
DSA *pkey_dsa = d->kossl->EVP_PKEY_get0_DSA(pkey);
const BIGNUM *bn_p = 0L;
const BIGNUM *bn_q = 0L;
const BIGNUM *bn_g = 0L;
const BIGNUM *bn_pub_key = 0L;
d->kossl->DSA_get0_pqg(pkey_dsa, &bn_p, &bn_q, &bn_g);
d->kossl->DSA_get0_key(pkey_dsa, &bn_pub_key, NULL);

x = d->kossl->BN_bn2hex(bn_p);
rc += i18n("Prime: ");
// hack - this may not be always accurate
rc = rc.arg(strlen(x)*4) ;
@@ -401,9 +416,9 @@ char *x = NULL;
rc += x[i];
}
rc += "\n";
d->kossl->OPENSSL_free(x);
d->kossl->CRYPTO_free(x);

x = d->kossl->BN_bn2hex(pkey->pkey.dsa->q);
x = d->kossl->BN_bn2hex(bn_q);
rc += i18n("160 bit prime factor: ");
for (unsigned int i = 0; i < strlen(x); i++) {
if (i%40 != 0 && i%2 == 0)
@@ -413,9 +428,9 @@ char *x = NULL;
rc += x[i];
}
rc += "\n";
d->kossl->OPENSSL_free(x);
d->kossl->CRYPTO_free(x);
x = d->kossl->BN_bn2hex(pkey->pkey.dsa->g);
x = d->kossl->BN_bn2hex(bn_g);
rc += TQString("g: ");
for (unsigned int i = 0; i < strlen(x); i++) {
if (i%40 != 0 && i%2 == 0)
@@ -425,9 +440,9 @@ char *x = NULL;
rc += x[i];
}
rc += "\n";
d->kossl->OPENSSL_free(x);
d->kossl->CRYPTO_free(x);
x = d->kossl->BN_bn2hex(pkey->pkey.dsa->pub_key);
x = d->kossl->BN_bn2hex(bn_pub_key);
rc += i18n("Public key: ");
for (unsigned int i = 0; i < strlen(x); i++) {
if (i%40 != 0 && i%2 == 0)
@@ -437,7 +452,7 @@ char *x = NULL;
rc += x[i];
}
rc += "\n";
d->kossl->OPENSSL_free(x);
d->kossl->CRYPTO_free(x);
}
#endif
d->kossl->EVP_PKEY_free(pkey);
@@ -459,7 +474,7 @@ TQString rc = "";
return rc;

rc = t;
d->kossl->OPENSSL_free(t);
d->kossl->CRYPTO_free(t);
#endif

return rc;
@@ -696,7 +711,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
return errors;
}

X509_STORE_set_verify_cb_func(certStore, X509Callback);
d->kossl->X509_STORE_set_verify_cb(certStore, X509Callback);

certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file());
if (!certLookup) {
@@ -727,7 +742,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi

d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL);
if (d->_chain.isValid()) {
d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
d->kossl->X509_STORE_CTX_set0_untrusted(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
}

//kdDebug(7029) << "KSSL setting CRL.............." << endl;
@@ -738,9 +753,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0;
KSSL_X509CallBack_ca_found = false;

certStoreCTX->error = X509_V_OK;
d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
d->kossl->X509_verify_cert(certStoreCTX);
int errcode = certStoreCTX->error;
int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
if (ca && !KSSL_X509CallBack_ca_found) {
ksslv = KSSLCertificate::Irrelevant;
} else {
@@ -753,9 +768,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX,
X509_PURPOSE_NS_SSL_SERVER);

certStoreCTX->error = X509_V_OK;
d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
d->kossl->X509_verify_cert(certStoreCTX);
errcode = certStoreCTX->error;
errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
ksslv = processError(errcode);
}
d->kossl->X509_STORE_CTX_free(certStoreCTX);
@@ -888,7 +903,7 @@ return rc;

TQString KSSLCertificate::getNotBefore() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
#else
return TQString::null;
#endif
@@ -897,7 +912,7 @@ return TQString::null;

TQString KSSLCertificate::getNotAfter() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
#else
return TQString::null;
#endif
@@ -906,7 +921,7 @@ return TQString::null;

TQDateTime KSSLCertificate::getQDTNotBefore() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
#else
return TQDateTime::currentDateTime();
#endif
@@ -915,7 +930,7 @@ return TQDateTime::currentDateTime();

TQDateTime KSSLCertificate::getQDTNotAfter() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
#else
return TQDateTime::currentDateTime();
#endif
@@ -924,7 +939,7 @@ return TQDateTime::currentDateTime();

TQDateTime KSSLCertificate::getQDTLastUpdate() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL);
return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_lastUpdate(d->m_cert_crl), NULL);
#else
return TQDateTime::currentDateTime();
#endif
@@ -933,7 +948,7 @@ return TQDateTime::currentDateTime();

TQDateTime KSSLCertificate::getQDTNextUpdate() const {
#ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL);
return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_nextUpdate(d->m_cert_crl), NULL);
#else
return TQDateTime::currentDateTime();
#endif
@@ -1053,6 +1068,15 @@ return qba;


#define NETSCAPE_CERT_HDR "certificate"
#ifdef KSSL_HAVE_SSL
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
typedef struct NETSCAPE_X509_st
{
ASN1_OCTET_STRING *header;
X509 *cert;
} NETSCAPE_X509;
#endif
#endif

// what a piece of crap this is
TQByteArray KSSLCertificate::toNetscape() {
@@ -1062,8 +1086,8 @@ TQByteArray qba;
NETSCAPE_X509 nx;
ASN1_OCTET_STRING hdr;
#else
ASN1_HEADER ah;
ASN1_OCTET_STRING os;
ASN1_HEADER ah;
ASN1_OCTET_STRING os;
#endif
KTempFile ktf;

@@ -1159,10 +1183,10 @@ TQStringList KSSLCertificate::subjAltNames() const {
return rc;
}

int cnt = d->kossl->sk_GENERAL_NAME_num(names);
int cnt = d->kossl->OPENSSL_sk_num(names);

for (int i = 0; i < cnt; i++) {
const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->sk_value(names, i);
const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->OPENSSL_sk_value(names, i);
if (val->type != GEN_DNS) {
continue;
}
@@ -1174,7 +1198,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
rc += s;
}
}
d->kossl->sk_free(names);
d->kossl->OPENSSL_sk_free(names);
#endif
return rc;
}

+ 4
- 25
tdeio/kssl/ksslpkcs12.cc View File

@@ -34,16 +34,6 @@

#include <assert.h>

#ifdef KSSL_HAVE_SSL
#define sk_new kossl->sk_new
#define sk_push kossl->sk_push
#define sk_free kossl->sk_free
#define sk_value kossl->sk_value
#define sk_num kossl->sk_num
#define sk_dup kossl->sk_dup
#define sk_pop kossl->sk_pop
#endif


KSSLPKCS12::KSSLPKCS12() {
_pkcs = NULL;
@@ -60,11 +50,11 @@ KSSLPKCS12::~KSSLPKCS12() {
if (_pkey) kossl->EVP_PKEY_free(_pkey);
if (_caStack) {
for (;;) {
X509* x5 = sk_X509_pop(_caStack);
X509* x5 = reinterpret_cast<X509*>(kossl->OPENSSL_sk_pop(_caStack));
if (!x5) break;
kossl->X509_free(x5);
}
sk_X509_free(_caStack);
kossl->OPENSSL_sk_free(_caStack);
}
if (_pkcs) kossl->PKCS12_free(_pkcs);
#endif
@@ -151,11 +141,11 @@ X509 *x = NULL;
if (_pkey) kossl->EVP_PKEY_free(_pkey);
if (_caStack) {
for (;;) {
X509* x5 = sk_X509_pop(_caStack);
X509* x5 = reinterpret_cast<X509*>(kossl->OPENSSL_sk_pop(_caStack));
if (!x5) break;
kossl->X509_free(x5);
}
sk_X509_free(_caStack);
kossl->OPENSSL_sk_free(_caStack);
}
_pkey = NULL;
_caStack = NULL;
@@ -282,14 +272,3 @@ TQString KSSLPKCS12::name() {
return _cert->getSubject();
}

#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_pop
#undef sk_dup
#endif


+ 0
- 19
tdeio/kssl/ksslpkcs7.cc View File

@@ -34,15 +34,6 @@

#include <assert.h>

#ifdef KSSL_HAVE_SSL
#define sk_new kossl->sk_new
#define sk_push kossl->sk_push
#define sk_free kossl->sk_free
#define sk_value kossl->sk_value
#define sk_num kossl->sk_num
#define sk_dup kossl->sk_dup
#endif


KSSLPKCS7::KSSLPKCS7() {
_pkcs = NULL;
@@ -196,13 +187,3 @@ TQString KSSLPKCS7::name() {
return TQString();
}

#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_dup
#endif


+ 29
- 40
tdeio/kssl/ksslsettings.cc View File

@@ -46,29 +46,20 @@
#endif
#include <kopenssl.h>

#ifdef KSSL_HAVE_SSL
#define sk_new d->kossl->sk_new
#define sk_push d->kossl->sk_push
#define sk_free d->kossl->sk_free
#define sk_value d->kossl->sk_value
#define sk_num d->kossl->sk_num
#define sk_dup d->kossl->sk_dup
#define sk_pop d->kossl->sk_pop
#endif

class CipherNode {
public:
CipherNode(const char *_name, int _keylen) :
name(_name), keylen(_keylen) {}
TQString name;
int keylen;
inline int operator==(CipherNode &x)
{ return ((x.keylen == keylen) && (x.name == name)); }
inline int operator< (CipherNode &x) { return keylen < x.keylen; }
inline int operator<=(CipherNode &x) { return keylen <= x.keylen; }
inline int operator> (CipherNode &x) { return keylen > x.keylen; }
inline int operator>=(CipherNode &x) { return keylen >= x.keylen; }
};
class CipherNode {
public:
CipherNode(const char *_name, int _keylen) :
name(_name), keylen(_keylen) {}
TQString name;
int keylen;
inline int operator==(CipherNode &x)
{ return ((x.keylen == keylen) && (x.name == name)); }
inline int operator< (CipherNode &x) { return keylen < x.keylen; }
inline int operator<=(CipherNode &x) { return keylen <= x.keylen; }
inline int operator> (CipherNode &x) { return keylen > x.keylen; }
inline int operator>=(CipherNode &x) { return keylen >= x.keylen; }
};


class KSSLSettingsPrivate {
@@ -145,7 +136,7 @@ TQString KSSLSettings::getCipherList() {
d->kossl = KOSSL::self();

if (m_bUseSSLv3 && m_bUseSSLv2)
meth = d->kossl->SSLv23_client_method();
meth = d->kossl->TLS_client_method();
else if(m_bUseSSLv3)
meth = d->kossl->SSLv3_client_method();
else if (m_bUseSSLv2)
@@ -154,9 +145,9 @@ TQString KSSLSettings::getCipherList() {
SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth);
SSL* ssl = d->kossl->SSL_new(ctx);
STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl);
int cnt = sk_SSL_CIPHER_num(sk);
int cnt = d->kossl->OPENSSL_sk_num(sk);
for (int i=0; i< cnt; i++) {
SSL_CIPHER *sc = sk_SSL_CIPHER_value(sk,i);
SSL_CIPHER *sc = reinterpret_cast<SSL_CIPHER*>(d->kossl->OPENSSL_sk_value(sk,i));
if (!sc)
break;

@@ -165,10 +156,10 @@ TQString KSSLSettings::getCipherList() {
else
m_cfg->setGroup("SSLv3");

tcipher.sprintf("cipher_%s", sc->name);
tcipher.sprintf("cipher_%s", d->kossl->SSL_CIPHER_get_name(sc));
int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL);
if (m_cfg->readBoolEntry(tcipher, bits >= 56)) {
CipherNode *xx = new CipherNode(sc->name,bits);
CipherNode *xx = new CipherNode(d->kossl->SSL_CIPHER_get_name(sc),bits);
if (!cipherList.contains(xx))
cipherList.prepend(xx);
else
@@ -212,13 +203,21 @@ void KSSLSettings::load() {

m_cfg->setGroup("TLS");
m_bUseTLSv1 = m_cfg->readBoolEntry("Enabled", true);

#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_NO_SSL2)
m_bUseSSLv2 = false;
#else
m_cfg->setGroup("SSLv2");
m_bUseSSLv2 = m_cfg->readBoolEntry("Enabled", false);
#endif

#if defined(OPENSSL_NO_SSL3)
m_bUseSSLv3 = false;
#else
m_cfg->setGroup("SSLv3");
m_bUseSSLv3 = m_cfg->readBoolEntry("Enabled", true);
#endif

m_cfg->setGroup("Warnings");
m_bWarnOnEnter = m_cfg->readBoolEntry("OnEnter", false);
m_bWarnOnLeave = m_cfg->readBoolEntry("OnLeave", true);
@@ -344,13 +343,3 @@ void KSSLSettings::setSSLv3(bool enabled) { m_bUseSSLv3 = enabled; }

TQString& KSSLSettings::getEGDPath() { return d->m_EGDPath; }

#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_pop
#undef sk_dup
#endif


+ 4
- 4
tdeio/kssl/ksslutils.cc View File

@@ -92,10 +92,10 @@ TQString ASN1_UTCTIME_QString(ASN1_UTCTIME *tm) {


TQString ASN1_INTEGER_QString(ASN1_INTEGER *aint) {
char *rep = KOSSL::self()->i2s_ASN1_INTEGER(NULL, aint);
TQString yy = rep;
KOSSL::self()->OPENSSL_free(rep);
return yy;
char *rep = KOSSL::self()->i2s_ASN1_INTEGER(NULL, aint);
TQString yy = rep;
KOSSL::self()->CRYPTO_free(rep);
return yy;
}



+ 3
- 3
tdeio/tdeio/tcpslavebase.cpp View File

@@ -471,7 +471,7 @@ int TCPSlaveBase::startTLS()
if (hasMetaData("ssl_session_id")) {
KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id"));
if (s) {
d->kssl->setSession(s);
d->kssl->takeSession(s);
delete s;
}
}
@@ -1301,9 +1301,9 @@ bool TCPSlaveBase::doSSLHandShake( bool sendError )
if (hasMetaData("ssl_session_id")) {
KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id"));
if (s) {
d->kssl->setSession(s);
d->kssl->takeSession(s);
delete s;
}
}
}
certificatePrompt();


Loading…
Cancel
Save