You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
tdelibs/tdeio/kssl/ksslsettings.cc

346 lines
9.9 KiB

/* This file is part of the KDE project
*
* Copyright (C) 2000 George Staikos <staikos@kde.org>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Library General Public License
* along with this library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301, USA.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <pwd.h>
#include <unistd.h>
#include <tqfile.h>
#include <tqsortedlist.h>
#include "ksslsettings.h"
#include <tdeglobal.h>
#include <kstandarddirs.h>
#include <kdebug.h>
// this hack provided by Malte Starostik to avoid glibc/openssl bug
// on some systems
#ifdef KSSL_HAVE_SSL
#define crypt _openssl_crypt
#include <openssl/ssl.h>
#undef crypt
#endif
#include <kopenssl.h>
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
class CipherNode {
public:
CipherNode(const char *_name, int _keylen) :
name(_name), keylen(_keylen) {}
TQString name;
int keylen;
inline int operator==(CipherNode &x)
{ return ((x.keylen == keylen) && (x.name == name)); }
inline int operator< (CipherNode &x) { return keylen < x.keylen; }
inline int operator<=(CipherNode &x) { return keylen <= x.keylen; }
inline int operator> (CipherNode &x) { return keylen > x.keylen; }
inline int operator>=(CipherNode &x) { return keylen >= x.keylen; }
};
class KSSLSettingsPrivate {
public:
KSSLSettingsPrivate() {
kossl = NULL; // try to delay this as long as possible
}
~KSSLSettingsPrivate() {
}
KOSSL *kossl;
bool m_bUseEGD;
bool m_bUseEFile;
TQString m_EGDPath;
bool m_bSendX509;
bool m_bPromptX509;
};
//
// FIXME
// Implementation note: for now, we only read cipher settings from disk,
// and do not store them in memory. This should change.
//
KSSLSettings::KSSLSettings(bool readConfig) {
d = new KSSLSettingsPrivate;
m_cfg = new TDEConfig("cryptodefaults", false, false);
if (!TDEGlobal::dirs()->addResourceType("kssl", TDEStandardDirs::kde_default("data") + "kssl")) {
//kdDebug(7029) << "Error adding (kssl, share/apps/kssl)" << endl;
}
if (readConfig) load();
}
// we don't save settings incase it was a temporary object
KSSLSettings::~KSSLSettings() {
delete m_cfg;
delete d;
}
bool KSSLSettings::sslv2() const {
return m_bUseSSLv2;
}
bool KSSLSettings::sslv3() const {
return m_bUseSSLv3;
}
bool KSSLSettings::tlsv1() const {
return m_bUseTLSv1;
}
// FIXME: we should make a default list available if this fails
// since OpenSSL seems to just choose any old thing if it's given an
// empty list. This behavior is not confirmed though.
TQString KSSLSettings::getCipherList() {
TQString clist;
#ifdef KSSL_HAVE_SSL
TQString tcipher;
bool firstcipher = true;
SSL_METHOD *meth = 0L;
TQPtrList<CipherNode> cipherList;
cipherList.setAutoDelete(true);
if (!d->kossl)
d->kossl = KOSSL::self();
if (m_bUseSSLv3 && m_bUseSSLv2)
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
meth = d->kossl->TLS_client_method();
else if(m_bUseSSLv3)
meth = d->kossl->SSLv3_client_method();
else if (m_bUseSSLv2)
meth = d->kossl->SSLv2_client_method();
SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth);
SSL* ssl = d->kossl->SSL_new(ctx);
STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl);
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
int cnt = d->kossl->OPENSSL_sk_num(sk);
for (int i=0; i< cnt; i++) {
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
SSL_CIPHER *sc = reinterpret_cast<SSL_CIPHER*>(d->kossl->OPENSSL_sk_value(sk,i));
if (!sc)
break;
if(!strcmp("SSLv2", d->kossl->SSL_CIPHER_get_version(sc)))
m_cfg->setGroup("SSLv2");
else
m_cfg->setGroup("SSLv3");
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
tcipher.sprintf("cipher_%s", d->kossl->SSL_CIPHER_get_name(sc));
int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL);
if (m_cfg->readBoolEntry(tcipher, bits >= 56)) {
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
CipherNode *xx = new CipherNode(d->kossl->SSL_CIPHER_get_name(sc),bits);
if (!cipherList.contains(xx))
cipherList.prepend(xx);
else
delete xx;
}
}
d->kossl->SSL_free(ssl);
d->kossl->SSL_CTX_free(ctx);
// Remove any ADH ciphers as per RFC2246
// Also remove NULL ciphers and 168bit ciphers
for (unsigned int i = 0; i < cipherList.count(); i++) {
CipherNode *j = 0L;
while ((j = cipherList.at(i)) != 0L) {
if (j->name.contains("ADH-") || j->name.contains("NULL-") || j->name.contains("DES-CBC3-SHA") || j->name.contains("FZA")) {
cipherList.remove(j);
} else {
break;
}
}
}
// now assemble the list cipher1:cipher2:cipher3:...:ciphern
while (!cipherList.isEmpty()) {
if (firstcipher)
firstcipher = false;
else clist.append(":");
clist.append(cipherList.getLast()->name);
cipherList.removeLast();
} // while
kdDebug(7029) << "Cipher list is: " << clist << endl;
#endif
return clist;
}
// FIXME - sync these up so that we can use them with the control module!!
void KSSLSettings::load() {
m_cfg->reparseConfiguration();
m_cfg->setGroup("TLS");
m_bUseTLSv1 = m_cfg->readBoolEntry("Enabled", true);
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_NO_SSL2)
m_bUseSSLv2 = false;
#else
m_cfg->setGroup("SSLv2");
m_bUseSSLv2 = m_cfg->readBoolEntry("Enabled", false);
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
#endif
#if defined(OPENSSL_NO_SSL3)
m_bUseSSLv3 = false;
#else
m_cfg->setGroup("SSLv3");
m_bUseSSLv3 = m_cfg->readBoolEntry("Enabled", true);
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
#endif
m_cfg->setGroup("Warnings");
m_bWarnOnEnter = m_cfg->readBoolEntry("OnEnter", false);
m_bWarnOnLeave = m_cfg->readBoolEntry("OnLeave", true);
m_bWarnOnUnencrypted = m_cfg->readBoolEntry("OnUnencrypted", true);
m_bWarnOnMixed = m_cfg->readBoolEntry("OnMixed", true);
m_cfg->setGroup("Validation");
m_bWarnSelfSigned = m_cfg->readBoolEntry("WarnSelfSigned", true);
m_bWarnExpired = m_cfg->readBoolEntry("WarnExpired", true);
m_bWarnRevoked = m_cfg->readBoolEntry("WarnRevoked", true);
m_cfg->setGroup("EGD");
d->m_bUseEGD = m_cfg->readBoolEntry("UseEGD", false);
d->m_bUseEFile = m_cfg->readBoolEntry("UseEFile", false);
d->m_EGDPath = m_cfg->readPathEntry("EGDPath");
m_cfg->setGroup("Auth");
d->m_bSendX509 = ("send" == m_cfg->readEntry("AuthMethod", ""));
d->m_bPromptX509 = ("prompt" == m_cfg->readEntry("AuthMethod", ""));
#ifdef KSSL_HAVE_SSL
#endif
}
void KSSLSettings::defaults() {
m_bUseTLSv1 = true;
m_bUseSSLv2 = false;
m_bUseSSLv3 = true;
m_bWarnOnEnter = false;
m_bWarnOnLeave = true;
m_bWarnOnUnencrypted = true;
m_bWarnOnMixed = true;
m_bWarnSelfSigned = true;
m_bWarnExpired = true;
m_bWarnRevoked = true;
d->m_bUseEGD = false;
d->m_bUseEFile = false;
d->m_EGDPath = "";
}
void KSSLSettings::save() {
m_cfg->setGroup("TLS");
m_cfg->writeEntry("Enabled", m_bUseTLSv1);
m_cfg->setGroup("SSLv2");
m_cfg->writeEntry("Enabled", m_bUseSSLv2);
m_cfg->setGroup("SSLv3");
m_cfg->writeEntry("Enabled", m_bUseSSLv3);
m_cfg->setGroup("Warnings");
m_cfg->writeEntry("OnEnter", m_bWarnOnEnter);
m_cfg->writeEntry("OnLeave", m_bWarnOnLeave);
m_cfg->writeEntry("OnUnencrypted", m_bWarnOnUnencrypted);
m_cfg->writeEntry("OnMixed", m_bWarnOnMixed);
m_cfg->setGroup("Validation");
m_cfg->writeEntry("WarnSelfSigned", m_bWarnSelfSigned);
m_cfg->writeEntry("WarnExpired", m_bWarnExpired);
m_cfg->writeEntry("WarnRevoked", m_bWarnRevoked);
m_cfg->setGroup("EGD");
m_cfg->writeEntry("UseEGD", d->m_bUseEGD);
m_cfg->writeEntry("UseEFile", d->m_bUseEFile);
m_cfg->writePathEntry("EGDPath", d->m_EGDPath);
m_cfg->sync();
// FIXME - ciphers
#if 0
#ifdef KSSL_HAVE_SSL
m_cfg->setGroup("SSLv2");
for (unsigned int i = 0; i < v2ciphers.count(); i++) {
TQString ciphername;
ciphername.sprintf("cipher_%s", v2ciphers[i].ascii());
if (v2selectedciphers.contains(v2ciphers[i])) {
m_cfg->writeEntry(ciphername, true);
} else m_cfg->writeEntry(ciphername, false);
}
m_cfg->setGroup("SSLv3");
for (unsigned int i = 0; i < v3ciphers.count(); i++) {
TQString ciphername;
ciphername.sprintf("cipher_%s", v3ciphers[i].ascii());
if (v3selectedciphers.contains(v3ciphers[i])) {
m_cfg->writeEntry(ciphername, true);
} else m_cfg->writeEntry(ciphername, false);
}
#endif
m_cfg->sync();
// insure proper permissions -- contains sensitive data
TQString cfgName(TDEGlobal::dirs()->findResource("config", "cryptodefaults"));
if (!cfgName.isEmpty())
::chmod(TQFile::encodeName(cfgName), 0600);
#endif
}
bool KSSLSettings::warnOnEnter() const { return m_bWarnOnEnter; }
void KSSLSettings::setWarnOnEnter(bool x) { m_bWarnOnEnter = x; }
bool KSSLSettings::warnOnUnencrypted() const { return m_bWarnOnUnencrypted; }
void KSSLSettings::setWarnOnUnencrypted(bool x) { m_bWarnOnUnencrypted = x; }
bool KSSLSettings::warnOnLeave() const { return m_bWarnOnLeave; }
void KSSLSettings::setWarnOnLeave(bool x) { m_bWarnOnLeave = x; }
bool KSSLSettings::warnOnMixed() const { return m_bWarnOnMixed; }
bool KSSLSettings::warnOnSelfSigned() const { return m_bWarnSelfSigned; }
bool KSSLSettings::warnOnRevoked() const { return m_bWarnRevoked; }
bool KSSLSettings::warnOnExpired() const { return m_bWarnExpired; }
bool KSSLSettings::useEGD() const { return d->m_bUseEGD; }
bool KSSLSettings::useEFile() const { return d->m_bUseEFile; }
bool KSSLSettings::autoSendX509() const { return d->m_bSendX509; }
bool KSSLSettings::promptSendX509() const { return d->m_bPromptX509; }
void KSSLSettings::setTLSv1(bool enabled) { m_bUseTLSv1 = enabled; }
void KSSLSettings::setSSLv2(bool enabled) { m_bUseSSLv2 = enabled; }
void KSSLSettings::setSSLv3(bool enabled) { m_bUseSSLv3 = enabled; }
TQString& KSSLSettings::getEGDPath() { return d->m_EGDPath; }