
ksslcallback.c 3.7KB

  1. /* This file is part of the KDE project
  2. *
  3. * Copyright (C) 2000 George Staikos <staikos@kde.org>
  4. *
  5. * This library is free software; you can redistribute it and/or
  6. * modify it under the terms of the GNU Library General Public
  7. * License as published by the Free Software Foundation; either
  8. * version 2 of the License, or (at your option) any later version.
  9. *
  10. * This library is distributed in the hope that it will be useful,
  11. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  13. * Library General Public License for more details.
  14. *
  15. * You should have received a copy of the GNU Library General Public License
  16. * along with this library; see the file COPYING.LIB. If not, write to
  17. * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
  18. * Boston, MA 02110-1301, USA.
  19. */
  20. #ifdef KSSL_HAVE_SSL
  21. #ifndef _kde_ksslcallback_c
  22. #define _kde_ksslcallback_c
  // CA certificate currently under test. While non-NULL, X509Callback accepts
  // every other certificate in the chain unconditionally (their errors are
  // ignored) and only a certificate matching this one is subject to OpenSSL's
  // verdict. Plain file-scope global: shared, non-atomic state, not thread-safe.
  X509 *KSSL_X509CallBack_ca;
  // Set to true by X509Callback once the chain reaches a certificate matching
  // KSSL_X509CallBack_ca (by full comparison or by subject name). Nothing on
  // this page clears it; presumably the caller resets it before each check.
  bool KSSL_X509CallBack_ca_found;
  extern "C" {

  /*
   * OpenSSL certificate-verification callback used while a specific CA is
   * being checked.
   *
   * ok  - OpenSSL's preliminary verdict for the certificate at the current
   *       chain depth (non-zero means no error found so far).
   * ctx - verification context; consulted for the error code, the chain
   *       depth and the certificate currently being examined.
   *
   * Returns the verdict OpenSSL should use for this certificate: 1 accepts
   * it at this depth, 0 rejects it.
   *
   * Behaviour with KSSL_X509CallBack_ca set: any certificate that is neither
   * byte-identical to that CA nor shares its subject name is accepted
   * unconditionally, i.e. its verification errors are ignored; a match
   * records KSSL_X509CallBack_ca_found and then defers to OpenSSL's verdict.
   * No X509_V_ERR_* code is downgraded to success here, so `ok` is returned
   * as received. State is exchanged through file-scope globals and is not
   * thread-safe.
   */
  static int X509Callback(int ok, X509_STORE_CTX *ctx) {
      const int verify_error = KOSSL::self()->X509_STORE_CTX_get_error(ctx);

      kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << verify_error << " depth = "
                    << KOSSL::self()->X509_STORE_CTX_get_error_depth(ctx) << endl;

      if (KSSL_X509CallBack_ca) {
          X509 *current = KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx);
          const bool same_cert = KOSSL::self()->X509_cmp(current, KSSL_X509CallBack_ca) == 0;

          // With OpenSSL >= 1.1 a chain certificate may be replaced by one from the
          // local certificate store, so a certificate that differs byte-for-byte can
          // still be the CA under test; fall back to comparing the subject name.
          if (!same_cert &&
              KOSSL::self()->X509_subject_name_cmp(current, KSSL_X509CallBack_ca) != 0) {
              return 1; // not the CA being checked: its errors are ignored
          }

          KSSL_X509CallBack_ca_found = true;
      }

      if (!ok) {
          // To treat an error code as non-fatal, give it a case that sets
          // `ok = 1`. Every code listed here currently falls through to the
          // default and stays an error; keep in mind OpenSSL may report
          // several errors for one chain.
          switch (verify_error) {
          // issuer / CRL lookup and signature problems
          case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
          case X509_V_ERR_UNABLE_TO_GET_CRL:
          case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
          case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
          case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
          case X509_V_ERR_CERT_SIGNATURE_FAILURE:
          case X509_V_ERR_CRL_SIGNATURE_FAILURE:
          // validity periods
          case X509_V_ERR_CERT_NOT_YET_VALID:
          case X509_V_ERR_CERT_HAS_EXPIRED:
          case X509_V_ERR_CRL_NOT_YET_VALID:
          case X509_V_ERR_CRL_HAS_EXPIRED:
          case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
          case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
          case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
          case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
          case X509_V_ERR_OUT_OF_MEM:
          // chain construction and trust
          case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
          case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
          case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
          case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
          case X509_V_ERR_CERT_CHAIN_TOO_LONG:
          case X509_V_ERR_CERT_REVOKED:
          case X509_V_ERR_INVALID_CA:
          case X509_V_ERR_PATH_LENGTH_EXCEEDED:
          case X509_V_ERR_INVALID_PURPOSE:
          case X509_V_ERR_CERT_UNTRUSTED:
          case X509_V_ERR_CERT_REJECTED:
          case X509_V_ERR_APPLICATION_VERIFICATION:
          default:
              break;
          }
      }

      return ok;
  }

  }
  85. #endif
  86. #endif