Added support for OpenSSL 1.1

Some KOpenSSLProxy methods have been renamed to be consistent
with OpenSSL 1.1 API names and to prevent hidden API changes.
To ensure API / ABI compatibility, the original methods are
still included but have been marked as deprecated.

+ SSLv23_client_method => TLS_client_method
+ X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted
+ sk_dup => OPENSSL_sk_dup
+ sk_free => OPENSSL_sk_free
+ sk_new => OPENSSL_sk_new
+ sk_num => OPENSSL_sk_num
+ sk_pop => OPENSSL_sk_pop
+ sk_push => OPENSSL_sk_push
+ sk_value => OPENSSL_sk_value

Additional methods have been added to KOpenSSLProxy to support
the new OpenSSL 1.1 API functions that provide access to the
(now) opaque SSL structures. Compatibility with OpenSSL < 1.1
is handled internally in KOpenSSLProxy.

+ BIO_get_data
+ DSA_get0_key
+ DSA_get0_pqg
+ EVP_PKEY_base_id
+ EVP_PKEY_get0_DSA
+ EVP_PKEY_get0_RSA
+ RSA_get0_key
+ X509_CRL_get0_lastUpdate
+ X509_CRL_get0_nextUpdate
+ X509_OBJECT_get0_X509
+ X509_OBJECT_get_type
+ X509_STORE_CTX_get_current_cert
+ X509_STORE_CTX_get_error
+ X509_STORE_CTX_get_error_depth
+ X509_STORE_CTX_set_error
+ X509_STORE_get0_objects
+ X509_STORE_set_verify_cb
+ X509_get0_signature
+ X509_getm_notAfter
+ X509_getm_notBefore
+ X509_subject_name_cmp
+ _SSL_session_reused
+ _SSL_set_options

Method "KSSL::setSession" has been renamed to "KSSL::takeSession"
and its functionality has changed: the session is now transferred
from the argument object to the invoked object. Since it is only
used internally in TDE and the functionality is different, the
method with the previous name has not been preserved.

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>
pull/1/head
Slávek Banko 8 years ago
parent f32bc51762
commit e1861cb681

@ -557,9 +557,6 @@ if (whatType == "application/x-pkcs12") {
return false; return false;
} }
#define sk_free KOSSL::self()->sk_free
#define sk_num KOSSL::self()->sk_num
#define sk_value KOSSL::self()->sk_value
STACK_OF(X509_INFO) *sx5i = KOSSL::self()->PEM_X509_INFO_read(fp, NULL, KSSLPemCallback, NULL); STACK_OF(X509_INFO) *sx5i = KOSSL::self()->PEM_X509_INFO_read(fp, NULL, KSSLPemCallback, NULL);
if (!sx5i) { if (!sx5i) {
@ -569,8 +566,8 @@ if (whatType == "application/x-pkcs12") {
} }
_ca_filenameLabel->setText(m_file); _ca_filenameLabel->setText(m_file);
for (int i = 0; i < sk_X509_INFO_num(sx5i); i++) { for (int i = 0; i < KOSSL::self()->OPENSSL_sk_num(sx5i); i++) {
X509_INFO* x5i = sk_X509_INFO_value(sx5i, i); X509_INFO* x5i = reinterpret_cast<X509_INFO*>(KOSSL::self()->OPENSSL_sk_value(sx5i, i));
if (x5i->x_pkey && x5i->x509) { // a personal cert (like PKCS12) if (x5i->x_pkey && x5i->x509) { // a personal cert (like PKCS12)
KSSLCertificate *xc = KSSLCertificate::fromX509(x5i->x509); KSSLCertificate *xc = KSSLCertificate::fromX509(x5i->x509);
new KX509Item(_sideList, xc); new KX509Item(_sideList, xc);
@ -584,11 +581,7 @@ if (whatType == "application/x-pkcs12") {
} }
} }
sk_X509_INFO_free(sx5i); KOSSL::self()->OPENSSL_sk_free(sx5i);
#undef sk_free
#undef sk_num
#undef sk_value
fclose(fp); fclose(fp);
return true; return true;

File diff suppressed because it is too large Load Diff

@ -48,13 +48,22 @@ class KOpenSSLProxyPrivate;
#include <openssl/stack.h> #include <openssl/stack.h>
#include <openssl/bn.h> #include <openssl/bn.h>
#undef crypt #undef crypt
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define STACK OPENSSL_STACK
#else
#if OPENSSL_VERSION_NUMBER >= 0x10000000L #if OPENSSL_VERSION_NUMBER >= 0x10000000L
#define STACK _STACK #define STACK _STACK
#endif #endif
#endif #endif
#endif
#include <kstaticdeleter.h> #include <kstaticdeleter.h>
#if OPENSSL_VERSION_NUMBER < 0x10100000L
typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
typedef int X509_LOOKUP_TYPE;
#endif
/** /**
* Dynamically load and wrap OpenSSL. * Dynamically load and wrap OpenSSL.
* *
@ -178,17 +187,14 @@ public:
*/ */
SSL_CIPHER *SSL_get_current_cipher(SSL *ssl); SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);
/* /* SSL_set_options - manipulate SSL engine options */
* SSL_set_options - manipulate SSL engine options long _SSL_set_options(SSL *ssl, long options);
* Note: These are all mapped to SSL_ctrl so call them as the comment
* specifies but know that they use SSL_ctrl. They are #define /* Returns 0 if not reused, 1 if session id is reused */
* so they will map to the one in this class if called as a int _SSL_session_reused(SSL *ssl);
* member function of this class.
*/ /* SSL control */
/* long SSL_set_options(SSL *ssl, long options); */ long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
/* Returns 0 if not reused, 1 if session id is reused */
/* int SSL_session_reused(SSL *ssl); */
long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
/* /*
* RAND_egd - set the path to the EGD * RAND_egd - set the path to the EGD
@ -233,9 +239,9 @@ public:
/* /*
* SSLv23_client_method - return a SSLv23 client method object * TLS_client_method - return client method object
*/ */
SSL_METHOD *SSLv23_client_method(); SSL_METHOD *TLS_client_method();
/* /*
@ -309,12 +315,38 @@ public:
int X509_cmp(X509 *a, X509 *b); int X509_cmp(X509 *a, X509 *b);
/*
* X509_subject_name_cmp - compare subject name of two X509 objects
*/
int X509_subject_name_cmp(const X509 *a, const X509 *b);
/* /*
* X509_dup - duplicate an X509 object * X509_dup - duplicate an X509 object
*/ */
X509 *X509_dup(X509 *x509); X509 *X509_dup(X509 *x509);
/*
* X509_get0_signature - get signature and algorithm
*/
void X509_get0_signature(const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg, const X509 *x);
/*
*
*/
ASN1_TIME *X509_getm_notAfter(const X509 *x);
/*
*
*/
ASN1_TIME *X509_getm_notBefore(const X509 *x);
/* /*
* X509_STORE_CTX_new - create an X509 store context * X509_STORE_CTX_new - create an X509 store context
*/ */
@ -328,15 +360,66 @@ public:
/* /*
* X509_STORE_CTX_set_chain - set the certificate chain * X509_STORE_CTX_set0_untrusted - set the certificate chain
*/ */
void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x); void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *v, STACK_OF(X509)* x);
/* /*
* X509_STORE_CTX_set_purpose - set the purpose of the certificate * X509_STORE_CTX_set_purpose - set the purpose of the certificate
*/ */
void X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose); void X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose);
/*
*
*/
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
/*
*
*/
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
/*
*
*/
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
/*
*
*/
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
/*
*
*/
void X509_STORE_set_verify_cb(X509_STORE *ctx,
X509_STORE_CTX_verify_cb verify_cb);
/*
*
*/
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v);
/*
*
*/
X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a);
/*
*
*/
X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
/* /*
* X509_verify_cert - verify the certificate * X509_verify_cert - verify the certificate
*/ */
@ -366,6 +449,18 @@ public:
void X509_CRL_free(X509_CRL *v); void X509_CRL_free(X509_CRL *v);
/*
*
*/
const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
/*
*
*/
const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
/* /*
* X509_NAME_oneline - return the X509 data in a string * X509_NAME_oneline - return the X509 data in a string
*/ */
@ -454,6 +549,11 @@ public:
*/ */
int BIO_write(BIO *b, const void *data, int len); int BIO_write(BIO *b, const void *data, int len);
/*
* BIO_get_data - retrieve (custom) data from BIO
*/
void *BIO_get_data(BIO *a);
/* /*
* PEM_write_bio_X509 - write a PEM encoded cert to a BIO* * PEM_write_bio_X509 - write a PEM encoded cert to a BIO*
*/ */
@ -536,53 +636,51 @@ public:
/* /*
* Pop off the stack * Pop off the stack
*/ */
char *sk_pop(STACK *s); char *OPENSSL_sk_pop(STACK *s);
char *OPENSSL_sk_pop(void *s) { return OPENSSL_sk_pop(reinterpret_cast<STACK*>(s)); }
/* /*
* Free the stack * Free the stack
*/ */
void sk_free(STACK *s); void OPENSSL_sk_free(STACK *s);
#if OPENSSL_VERSION_NUMBER >= 0x10000000L void OPENSSL_sk_free(void *s) { OPENSSL_sk_free(reinterpret_cast<STACK*>(s)); }
void sk_free(void *s) { return sk_free(reinterpret_cast<STACK*>(s)); }
#endif
/* /*
* Number of elements in the stack * Number of elements in the stack
*/ */
int sk_num(STACK *s); int OPENSSL_sk_num(STACK *s);
int OPENSSL_sk_num(void *s) { return OPENSSL_sk_num(reinterpret_cast<STACK*>(s)); }
/* /*
* Value of element n in the stack * Value of element n in the stack
*/ */
char *sk_value(STACK *s, int n); char *OPENSSL_sk_value(STACK *s, int n);
#if OPENSSL_VERSION_NUMBER >= 0x10000000L char *OPENSSL_sk_value(void *s, int n) { return OPENSSL_sk_value(reinterpret_cast<STACK*>(s), n); }
char *sk_value(void *s, int n) { return sk_value(reinterpret_cast<STACK*>(s), n); }
#endif
/* /*
* Create a new stack * Create a new stack
*/ */
STACK *sk_new(int (*cmp)()); STACK *OPENSSL_sk_new(int (*cmp)());
/* /*
* Add an element to the stack * Add an element to the stack
*/ */
int sk_push(STACK *s, char *d); int OPENSSL_sk_push(STACK *s, char *d);
#if OPENSSL_VERSION_NUMBER >= 0x10000000L int OPENSSL_sk_push(void *s, void *d) { return OPENSSL_sk_push(reinterpret_cast<STACK*>(s), reinterpret_cast<char*>(d)); }
int sk_push(void *s, void *d) { return sk_push(reinterpret_cast<STACK*>(s), reinterpret_cast<char*>(d)); }
#endif
/* /*
* Duplicate the stack * Duplicate the stack
*/ */
STACK *sk_dup(STACK *s); STACK *OPENSSL_sk_dup(const STACK *s);
STACK *OPENSSL_sk_dup(const void *s) { return OPENSSL_sk_dup(reinterpret_cast<const STACK*>(s)); }
/* /*
* Convert an ASN1_INTEGER to it's text form * Convert an ASN1_INTEGER to it's text form
@ -823,12 +921,37 @@ public:
EVP_PKEY* EVP_PKEY_new(); EVP_PKEY* EVP_PKEY_new();
/*
* Get EVP private key type
*/
int EVP_PKEY_base_id(const EVP_PKEY *pkey);
/* /*
* Assign a private key * Assign a private key
*/ */
int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key); int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key);
/*
* Get RSA key
*/
RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
/*
* Get DSA key
*/
DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
/*
* RSA_get0_key - retreive key parameters
*/
void RSA_get0_key(const RSA *r,
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
/* /*
* Generate a RSA key * Generate a RSA key
*/ */
@ -836,6 +959,20 @@ public:
(*callback)(int,int,void *), void *cb_arg); (*callback)(int,int,void *), void *cb_arg);
/*
* DSA_get0_pqg - retreive key parameters
*/
void DSA_get0_pqg(const DSA *d,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
/*
* DSA_get0_key - retreive key
*/
void DSA_get0_key(const DSA *d,
const BIGNUM **pub_key, const BIGNUM **priv_key);
/* /*
* Create/destroy a certificate request * Create/destroy a certificate request
*/ */
@ -912,6 +1049,29 @@ public:
/* get list of available SSL_CIPHER's sorted by preference */ /* get list of available SSL_CIPHER's sorted by preference */
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL* ssl); STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL* ssl);
/* cover KOpenSSLProxy API compatibility */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_API_COMPAT < 0x10100000L
# undef sk_dup
# undef sk_free
# undef sk_new
# undef sk_num
# undef sk_pop
# undef sk_push
# undef sk_value
# undef X509_STORE_CTX_set_chain
# undef SSLv23_client_method
#endif
STACK *sk_dup(const STACK *s) KDE_DEPRECATED;
void sk_free(STACK *s) KDE_DEPRECATED;
STACK *sk_new(int (*cmp)()) KDE_DEPRECATED;
int sk_num(STACK *s) KDE_DEPRECATED;
char *sk_pop(STACK *s) KDE_DEPRECATED;
int sk_push(STACK *s, char *d) KDE_DEPRECATED;
char *sk_value(STACK *s, int n) KDE_DEPRECATED;
void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x) KDE_DEPRECATED;
SSL_METHOD *SSLv23_client_method() KDE_DEPRECATED;
#endif #endif
private: private:

@ -38,15 +38,6 @@
#endif #endif
// forward included macros to KOpenSSLProxy
#define sk_new kossl->sk_new
#define sk_free kossl->sk_free
#define sk_push kossl->sk_push
#define sk_value kossl->sk_value
#define sk_num kossl->sk_num
#define BIO_ctrl kossl->BIO_ctrl
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
static const char eot = 0; static const char eot = 0;
@ -87,10 +78,10 @@ KSMIMECryptoPrivate::KSMIMECryptoPrivate(KOpenSSLProxy *kossl): kossl(kossl) {
STACK_OF(X509) *KSMIMECryptoPrivate::certsToX509(TQPtrList<KSSLCertificate> &certs) { STACK_OF(X509) *KSMIMECryptoPrivate::certsToX509(TQPtrList<KSSLCertificate> &certs) {
STACK_OF(X509) *x509 = reinterpret_cast<STACK_OF(X509)*>(sk_new(NULL)); STACK_OF(X509) *x509 = reinterpret_cast<STACK_OF(X509)*>(kossl->OPENSSL_sk_new(NULL));
KSSLCertificate *cert = certs.first(); KSSLCertificate *cert = certs.first();
while(cert) { while(cert) {
sk_X509_push(x509, cert->getCert()); kossl->OPENSSL_sk_push(x509, cert->getCert());
cert = certs.next(); cert = certs.next();
} }
return x509; return x509;
@ -111,7 +102,7 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::signMessage(BIO *clearText,
PKCS7 *p7 = kossl->PKCS7_sign(privKey.getCertificate()->getCert(), privKey.getPrivateKey(), PKCS7 *p7 = kossl->PKCS7_sign(privKey.getCertificate()->getCert(), privKey.getPrivateKey(),
other, clearText, flags); other, clearText, flags);
if (other) sk_X509_free(other); if (other) kossl->OPENSSL_sk_free(other);
if (!p7) return sslErrToRc(); if (!p7) return sslErrToRc();
@ -154,7 +145,7 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::encryptMessage(BIO *clearText,
PKCS7 *p7 = kossl->PKCS7_encrypt(certs, clearText, cipher, 0); PKCS7 *p7 = kossl->PKCS7_encrypt(certs, clearText, cipher, 0);
sk_X509_free(certs); kossl->OPENSSL_sk_free(certs);
if (!p7) return sslErrToRc(); if (!p7) return sslErrToRc();
@ -192,14 +183,14 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::checkSignature(BIO *clearText,
X509_STORE *dummystore = kossl->X509_STORE_new(); X509_STORE *dummystore = kossl->X509_STORE_new();
if (kossl->PKCS7_verify(p7, NULL, dummystore, in, out, PKCS7_NOVERIFY)) { if (kossl->PKCS7_verify(p7, NULL, dummystore, in, out, PKCS7_NOVERIFY)) {
STACK_OF(X509) *signers = kossl->PKCS7_get0_signers(p7, 0, PKCS7_NOVERIFY); STACK_OF(X509) *signers = kossl->PKCS7_get0_signers(p7, 0, PKCS7_NOVERIFY);
int num = sk_X509_num(signers); int num = kossl->OPENSSL_sk_num(signers);
for(int n=0; n<num; n++) { for(int n=0; n<num; n++) {
KSSLCertificate *signer = KSSLCertificate::fromX509(sk_X509_value(signers, n)); KSSLCertificate *signer = KSSLCertificate::fromX509(reinterpret_cast<X509*>(kossl->OPENSSL_sk_value(signers, n)));
recip.append(signer); recip.append(signer);
} }
sk_X509_free(signers); kossl->OPENSSL_sk_free(signers);
rc = KSMIMECrypto::KSC_R_OK; rc = KSMIMECrypto::KSC_R_OK;
} else { } else {
rc = sslErrToRc(); rc = sslErrToRc();
@ -236,13 +227,14 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::decryptMessage(BIO *cipherText,
void KSMIMECryptoPrivate::MemBIOToQByteArray(BIO *src, TQByteArray &dest) { void KSMIMECryptoPrivate::MemBIOToQByteArray(BIO *src, TQByteArray &dest) {
char *buf; char *buf;
long len = BIO_get_mem_data(src, &buf); long len = kossl->BIO_get_mem_data(src, &buf);
dest.assign(buf, len); dest.assign(buf, len);
/* Now this goes quite a bit into openssl internals. /* Now this goes quite a bit into openssl internals.
We assume that openssl uses malloc() (it does in We assume that openssl uses malloc() (it does in
default config) and rip out the buffer. default config) and rip out the buffer.
*/ */
reinterpret_cast<BUF_MEM *>(src->ptr)->data = NULL; void *ptr = kossl->BIO_get_data(src);
reinterpret_cast<BUF_MEM *>(ptr)->data = NULL;
} }
@ -422,3 +414,4 @@ KSMIMECrypto::rc KSMIMECrypto::decryptMessage(const TQByteArray &cipherText,
return KSC_R_NO_SSL; return KSC_R_NO_SSL;
#endif #endif
} }

@ -51,7 +51,6 @@
#include <tdelocale.h> #include <tdelocale.h>
#include <ksocks.h> #include <ksocks.h>
#define sk_dup d->kossl->sk_dup
class KSSLPrivate { class KSSLPrivate {
public: public:
@ -180,7 +179,7 @@ bool KSSL::initialize() {
d->m_meth = d->kossl->TLSv1_client_method(); d->m_meth = d->kossl->TLSv1_client_method();
else if (!m_cfg->tlsv1() && m_cfg->sslv3() && !m_cfg->sslv2()) else if (!m_cfg->tlsv1() && m_cfg->sslv3() && !m_cfg->sslv2())
d->m_meth = d->kossl->SSLv3_client_method(); d->m_meth = d->kossl->SSLv3_client_method();
else d->m_meth = d->kossl->SSLv23_client_method(); else d->m_meth = d->kossl->TLS_client_method();
/* /*
if (m_cfg->sslv2() && m_cfg->sslv3()) kdDebug(7029) << "Double method" << endl; if (m_cfg->sslv2() && m_cfg->sslv3()) kdDebug(7029) << "Double method" << endl;
@ -207,7 +206,7 @@ return false;
} }
bool KSSL::setSession(const KSSLSession *session) { bool KSSL::takeSession(KSSLSession *session) {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
if (!session) { if (!session) {
delete d->session; delete d->session;
@ -215,11 +214,10 @@ bool KSSL::setSession(const KSSLSession *session) {
return true; return true;
} }
// Obtain a reference by incrementing the reference count. Yuck. // Take session reference
static_cast<SSL_SESSION*>(session->_session)->references++;
d->session = new KSSLSession; d->session = new KSSLSession;
d->session->_session = session->_session; d->session->_session = session->_session;
session->_session = 0L;
return true; return true;
#else #else
@ -284,12 +282,16 @@ int rc;
return -1; return -1;
if (d->session) { if (d->session) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0) if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0)
{ {
kdDebug(7029) << "Can't reuse session, no certificate." << endl; kdDebug(7029) << "Can't reuse session, no certificate." << endl;
delete d->session; delete d->session;
d->session = 0; d->session = 0;
} else if (1 == d->kossl->SSL_set_session(d->m_ssl, }
else
#endif
if (1 == d->kossl->SSL_set_session(d->m_ssl,
static_cast<SSL_SESSION*>(d->session->_session))) { static_cast<SSL_SESSION*>(d->session->_session))) {
kdDebug(7029) << "Session ID is being reused." << endl; kdDebug(7029) << "Session ID is being reused." << endl;
} else { } else {
@ -316,7 +318,7 @@ int rc;
if (!m_cfg->sslv2()) if (!m_cfg->sslv2())
off |= SSL_OP_NO_SSLv2; off |= SSL_OP_NO_SSLv2;
d->kossl->SSL_set_options(d->m_ssl, off); d->kossl->_SSL_set_options(d->m_ssl, off);
rc = d->kossl->SSL_set_fd(d->m_ssl, sock); rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
if (rc == 0) { if (rc == 0) {
@ -341,7 +343,7 @@ int rc;
return -1; return -1;
} }
if (!d->kossl->SSL_session_reused(d->m_ssl)) { if (!d->kossl->_SSL_session_reused(d->m_ssl)) {
if (d->session) { if (d->session) {
kdDebug(7029) << "Session reuse failed. New session used instead." << endl; kdDebug(7029) << "Session reuse failed. New session used instead." << endl;
delete d->session; delete d->session;
@ -375,12 +377,16 @@ int rc;
return -1; return -1;
if (d->session) { if (d->session) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0) if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0)
{ {
kdDebug(7029) << "Can't reuse session, no certificate." << endl; kdDebug(7029) << "Can't reuse session, no certificate." << endl;
delete d->session; delete d->session;
d->session = 0; d->session = 0;
} else if (1 == d->kossl->SSL_set_session(d->m_ssl, }
else
#endif
if (1 == d->kossl->SSL_set_session(d->m_ssl,
static_cast<SSL_SESSION*>(d->session->_session))) { static_cast<SSL_SESSION*>(d->session->_session))) {
kdDebug(7029) << "Session ID is being reused." << endl; kdDebug(7029) << "Session ID is being reused." << endl;
} else { } else {
@ -407,7 +413,7 @@ int rc;
if (!m_cfg->sslv2()) if (!m_cfg->sslv2())
off |= SSL_OP_NO_SSLv2; off |= SSL_OP_NO_SSLv2;
d->kossl->SSL_set_options(d->m_ssl, off); d->kossl->_SSL_set_options(d->m_ssl, off);
rc = d->kossl->SSL_set_fd(d->m_ssl, sock); rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
if (rc == 0) { if (rc == 0) {
@ -441,7 +447,7 @@ connect_again:
} }
} }
if (!d->kossl->SSL_session_reused(d->m_ssl)) { if (!d->kossl->_SSL_session_reused(d->m_ssl)) {
if (d->session) { if (d->session) {
kdDebug(7029) << "Session reuse failed. New session used instead." << endl; kdDebug(7029) << "Session reuse failed. New session used instead." << endl;
delete d->session; delete d->session;
@ -613,7 +619,7 @@ void KSSL::setPeerInfo() {
m_pi.m_cert.setCert(d->kossl->SSL_get_peer_certificate(d->m_ssl)); m_pi.m_cert.setCert(d->kossl->SSL_get_peer_certificate(d->m_ssl));
STACK_OF(X509) *xs = d->kossl->SSL_get_peer_cert_chain(d->m_ssl); STACK_OF(X509) *xs = d->kossl->SSL_get_peer_cert_chain(d->m_ssl);
if (xs) if (xs)
xs = sk_X509_dup(xs); // Leak? xs = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_dup(xs)); // Leak?
m_pi.m_cert.setChain((void *)xs); m_pi.m_cert.setChain((void *)xs);
#endif #endif
} }
@ -671,18 +677,15 @@ EVP_PKEY *k = pkcs->getPrivateKey();
#endif #endif
} }
#undef sk_dup
const KSSLSession* KSSL::session() const { const KSSLSession* KSSL::session() const {
return d->session; return d->session;
} }
bool KSSL::reusingSession() const { bool KSSL::reusingSession() const {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return (d->m_ssl && d->kossl->SSL_session_reused(d->m_ssl)); return (d->m_ssl && d->kossl->_SSL_session_reused(d->m_ssl));
#else #else
return false; return false;
#endif #endif
} }

@ -82,16 +82,15 @@ public:
bool TLSInit(); bool TLSInit();
/** /**
* Set an SSL session to use. This deep copies the session so it * Set an SSL session to use. This takes the session from the original
* doesn't have to remain valid. You need to call it after calling * KSSL object, so it is in fact a session move operation.
* initialize or reInitialize. The ID is cleared in close().
* *
* @param session A valid session to reuse. If 0L, it will clear the * @param session A valid session to reuse. If 0L, it will clear the
* session ID in memory. * session ID in memory.
* *
* @return true on success * @return true on success
*/ */
bool setSession(const KSSLSession *session); bool takeSession(KSSLSession *session);
/** /**
* Close the SSL session. * Close the SSL session.

@ -27,8 +27,9 @@ bool KSSL_X509CallBack_ca_found;
extern "C" { extern "C" {
static int X509Callback(int ok, X509_STORE_CTX *ctx) { static int X509Callback(int ok, X509_STORE_CTX *ctx) {
kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << ctx->error << " depth = " << ctx->error_depth << endl; kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << KOSSL::self()->X509_STORE_CTX_get_error(ctx) << " depth = "
<< KOSSL::self()->X509_STORE_CTX_get_error_depth(ctx) << endl;
// Here is how this works. We put "ok = 1;" in any case that we // Here is how this works. We put "ok = 1;" in any case that we
// don't consider to be an error. In that case, it will return OK // don't consider to be an error. In that case, it will return OK
// for the certificate check as long as there are no other critical // for the certificate check as long as there are no other critical
@ -39,14 +40,20 @@ static int X509Callback(int ok, X509_STORE_CTX *ctx) {
if (KSSL_X509CallBack_ca) if (KSSL_X509CallBack_ca)
{ {
if (KOSSL::self()->X509_cmp(ctx->current_cert, KSSL_X509CallBack_ca) != 0) if (KOSSL::self()->X509_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0 &&
/*
* With OpenSSL >= 1.1 certificate in chain can be replaced by a certificate from the local certificate store.
* It is therefore necessary to compare the subject name, rather than the entire certificate.
*/
KOSSL::self()->X509_subject_name_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0) {
return 1; // Ignore errors for this certificate return 1; // Ignore errors for this certificate
}
KSSL_X509CallBack_ca_found = true; KSSL_X509CallBack_ca_found = true;
} }
if (!ok) { if (!ok) {
switch (ctx->error) { switch (KOSSL::self()->X509_STORE_CTX_get_error(ctx)) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
case X509_V_ERR_UNABLE_TO_GET_CRL: case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:

@ -44,17 +44,6 @@
#include <tqstringlist.h> #include <tqstringlist.h>
#ifdef KSSL_HAVE_SSL
#define sk_new d->kossl->sk_new
#define sk_push d->kossl->sk_push
#define sk_free d->kossl->sk_free
#define sk_value d->kossl->sk_value
#define sk_num d->kossl->sk_num
#define sk_dup d->kossl->sk_dup
#define sk_pop d->kossl->sk_pop
#endif
class KSSLCertChainPrivate { class KSSLCertChainPrivate {
public: public:
KSSLCertChainPrivate() { KSSLCertChainPrivate() {
@ -79,11 +68,11 @@ KSSLCertChain::~KSSLCertChain() {
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain; STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
for (;;) { for (;;) {
X509* x5 = sk_X509_pop(x); X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
if (!x5) break; if (!x5) break;
d->kossl->X509_free(x5); d->kossl->X509_free(x5);
} }
sk_X509_free(x); d->kossl->OPENSSL_sk_free(x);
} }
#endif #endif
delete d; delete d;
@ -107,7 +96,7 @@ return x;
int KSSLCertChain::depth() { int KSSLCertChain::depth() {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return sk_X509_num((STACK_OF(X509)*)_chain); return d->kossl->OPENSSL_sk_num((STACK_OF(X509)*)_chain);
#endif #endif
return 0; return 0;
} }
@ -119,8 +108,8 @@ if (!_chain) return cl;
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain; STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
for (int i = 0; i < sk_X509_num(x); i++) { for (int i = 0; i < d->kossl->OPENSSL_sk_num(x); i++) {
X509* x5 = sk_X509_value(x, i); X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_value(x, i));
if (!x5) continue; if (!x5) continue;
KSSLCertificate *nc = new KSSLCertificate; KSSLCertificate *nc = new KSSLCertificate;
nc->setCert(d->kossl->X509_dup(x5)); nc->setCert(d->kossl->X509_dup(x5));
@ -138,18 +127,18 @@ if (_chain) {
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain; STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
for (;;) { for (;;) {
X509* x5 = sk_X509_pop(x); X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
if (!x5) break; if (!x5) break;
d->kossl->X509_free(x5); d->kossl->X509_free(x5);
} }
sk_X509_free(x); d->kossl->OPENSSL_sk_free(x);
_chain = NULL; _chain = NULL;
} }
if (chain.count() == 0) return; if (chain.count() == 0) return;
_chain = (void *)sk_new(NULL); _chain = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_new(NULL));
for (KSSLCertificate *x = chain.first(); x != 0; x = chain.next()) { for (KSSLCertificate *x = chain.first(); x != 0; x = chain.next()) {
sk_X509_push((STACK_OF(X509)*)_chain, d->kossl->X509_dup(x->getCert())); d->kossl->OPENSSL_sk_push((STACK_OF(X509) *)_chain, d->kossl->X509_dup(x->getCert()));
} }
#endif #endif
@ -158,31 +147,31 @@ if (_chain) {
void KSSLCertChain::setChain(void *stack_of_x509) { void KSSLCertChain::setChain(void *stack_of_x509) {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
if (_chain) { if (_chain) {
STACK_OF(X509) *x = (STACK_OF(X509) *)_chain; STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
for (;;) { for (;;) {
X509* x5 = sk_X509_pop(x); X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
if (!x5) break; if (!x5) break;
d->kossl->X509_free(x5); d->kossl->X509_free(x5);
}
d->kossl->OPENSSL_sk_free(x);
_chain = NULL;
} }
sk_X509_free(x);
_chain = NULL;
}
if (!stack_of_x509) return; if (!stack_of_x509) return;
_chain = (void *)sk_new(NULL); _chain = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_new(NULL));
STACK_OF(X509) *x = (STACK_OF(X509) *)stack_of_x509; STACK_OF(X509) *x = (STACK_OF(X509) *)stack_of_x509;
for (int i = 0; i < sk_X509_num(x); i++) { for (int i = 0; i < d->kossl->OPENSSL_sk_num(x); i++) {
X509* x5 = sk_X509_value(x, i); X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_value(x, i));
if (!x5) continue; if (!x5) continue;
sk_X509_push((STACK_OF(X509)*)_chain,d->kossl->X509_dup(x5)); d->kossl->OPENSSL_sk_push((STACK_OF(X509)*)_chain,d->kossl->X509_dup(x5));
} }
#else #else
_chain = NULL; _chain = NULL;
#endif #endif
} }
@ -203,14 +192,3 @@ void KSSLCertChain::setCertChain(const TQStringList& chain) {
setChain(cl); setChain(cl);
} }
#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_dup
#undef sk_pop
#endif

@ -198,7 +198,7 @@ TQString rc = "";
if (!t) if (!t)
return rc; return rc;
rc = t; rc = t;
d->kossl->OPENSSL_free(t); d->kossl->CRYPTO_free(t);
#endif #endif
return rc; return rc;
} }
@ -225,14 +225,17 @@ TQString rc = "";
char *s; char *s;
int n, i; int n, i;
i = d->kossl->OBJ_obj2nid(d->m_cert->sig_alg->algorithm); const ASN1_BIT_STRING *signature = 0L;
const X509_ALGOR *sig_alg = 0L;
d->kossl->X509_get0_signature(&signature, &sig_alg, d->m_cert);
i = d->kossl->OBJ_obj2nid(sig_alg->algorithm);
rc = i18n("Signature Algorithm: "); rc = i18n("Signature Algorithm: ");
rc += (i == NID_undef)?i18n("Unknown"):TQString(d->kossl->OBJ_nid2ln(i)); rc += (i == NID_undef)?i18n("Unknown"):TQString(d->kossl->OBJ_nid2ln(i));
rc += "\n"; rc += "\n";
rc += i18n("Signature Contents:"); rc += i18n("Signature Contents:");
n = d->m_cert->signature->length; n = signature->length;
s = (char *)d->m_cert->signature->data; s = (char *)signature->data;
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
if (i%20 != 0) rc += ":"; if (i%20 != 0) rc += ":";
else rc += "\n"; else rc += "\n";
@ -254,8 +257,8 @@ void KSSLCertificate::getEmails(TQStringList &to) const {
STACK *s = d->kossl->X509_get1_email(d->m_cert); STACK *s = d->kossl->X509_get1_email(d->m_cert);
if (s) { if (s) {
for(int n=0; n < s->num; n++) { for(int n=0; n < d->kossl->OPENSSL_sk_num(s); n++) {
to.append(d->kossl->sk_value(s,n)); to.append(d->kossl->OPENSSL_sk_value(s,n));
} }
d->kossl->X509_email_free(s); d->kossl->X509_email_free(s);
} }
@ -336,12 +339,12 @@ TQString rc = "";
EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert); EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
if (pkey) { if (pkey) {
#ifndef NO_RSA #ifndef NO_RSA
if (pkey->type == EVP_PKEY_RSA) if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA)
rc = "RSA"; rc = "RSA";
else else
#endif #endif
#ifndef NO_DSA #ifndef NO_DSA
if (pkey->type == EVP_PKEY_DSA) if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA)
rc = "DSA"; rc = "DSA";
else else
#endif #endif
@ -364,10 +367,14 @@ char *x = NULL;
if (pkey) { if (pkey) {
rc = i18n("Unknown", "Unknown key algorithm"); rc = i18n("Unknown", "Unknown key algorithm");
#ifndef NO_RSA #ifndef NO_RSA
if (pkey->type == EVP_PKEY_RSA) { if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
rc = i18n("Key type: RSA (%1 bit)") + "\n"; rc = i18n("Key type: RSA (%1 bit)") + "\n";
x = d->kossl->BN_bn2hex(pkey->pkey.rsa->n); RSA *pkey_rsa = d->kossl->EVP_PKEY_get0_RSA(pkey);
const BIGNUM *bn_n = 0L;
const BIGNUM *bn_e = 0L;
d->kossl->RSA_get0_key(pkey_rsa, &bn_n, &bn_e, NULL);
x = d->kossl->BN_bn2hex(bn_n);
rc += i18n("Modulus: "); rc += i18n("Modulus: ");
rc = rc.arg(strlen(x)*4); rc = rc.arg(strlen(x)*4);
for (unsigned int i = 0; i < strlen(x); i++) { for (unsigned int i = 0; i < strlen(x); i++) {
@ -378,18 +385,26 @@ char *x = NULL;
rc += x[i]; rc += x[i];
} }
rc += "\n"; rc += "\n";
d->kossl->OPENSSL_free(x); d->kossl->CRYPTO_free(x);
x = d->kossl->BN_bn2hex(pkey->pkey.rsa->e); x = d->kossl->BN_bn2hex(bn_e);
rc += i18n("Exponent: 0x") + x + "\n"; rc += i18n("Exponent: 0x") + x + "\n";
d->kossl->OPENSSL_free(x); d->kossl->CRYPTO_free(x);
} }
#endif #endif
#ifndef NO_DSA #ifndef NO_DSA
if (pkey->type == EVP_PKEY_DSA) { if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) {
rc = i18n("Key type: DSA (%1 bit)") + "\n"; rc = i18n("Key type: DSA (%1 bit)") + "\n";
x = d->kossl->BN_bn2hex(pkey->pkey.dsa->p); DSA *pkey_dsa = d->kossl->EVP_PKEY_get0_DSA(pkey);
const BIGNUM *bn_p = 0L;
const BIGNUM *bn_q = 0L;
const BIGNUM *bn_g = 0L;
const BIGNUM *bn_pub_key = 0L;
d->kossl->DSA_get0_pqg(pkey_dsa, &bn_p, &bn_q, &bn_g);
d->kossl->DSA_get0_key(pkey_dsa, &bn_pub_key, NULL);
x = d->kossl->BN_bn2hex(bn_p);
rc += i18n("Prime: "); rc += i18n("Prime: ");
// hack - this may not be always accurate // hack - this may not be always accurate
rc = rc.arg(strlen(x)*4) ; rc = rc.arg(strlen(x)*4) ;
@ -401,9 +416,9 @@ char *x = NULL;
rc += x[i]; rc += x[i];
} }
rc += "\n"; rc += "\n";
d->kossl->OPENSSL_free(x); d->kossl->CRYPTO_free(x);
x = d->kossl->BN_bn2hex(pkey->pkey.dsa->q); x = d->kossl->BN_bn2hex(bn_q);
rc += i18n("160 bit prime factor: "); rc += i18n("160 bit prime factor: ");
for (unsigned int i = 0; i < strlen(x); i++) { for (unsigned int i = 0; i < strlen(x); i++) {
if (i%40 != 0 && i%2 == 0) if (i%40 != 0 && i%2 == 0)
@ -413,9 +428,9 @@ char *x = NULL;
rc += x[i]; rc += x[i];
} }
rc += "\n"; rc += "\n";
d->kossl->OPENSSL_free(x); d->kossl->CRYPTO_free(x);
x = d->kossl->BN_bn2hex(pkey->pkey.dsa->g); x = d->kossl->BN_bn2hex(bn_g);
rc += TQString("g: "); rc += TQString("g: ");
for (unsigned int i = 0; i < strlen(x); i++) { for (unsigned int i = 0; i < strlen(x); i++) {
if (i%40 != 0 && i%2 == 0) if (i%40 != 0 && i%2 == 0)
@ -425,9 +440,9 @@ char *x = NULL;
rc += x[i]; rc += x[i];
} }
rc += "\n"; rc += "\n";
d->kossl->OPENSSL_free(x); d->kossl->CRYPTO_free(x);
x = d->kossl->BN_bn2hex(pkey->pkey.dsa->pub_key); x = d->kossl->BN_bn2hex(bn_pub_key);
rc += i18n("Public key: "); rc += i18n("Public key: ");
for (unsigned int i = 0; i < strlen(x); i++) { for (unsigned int i = 0; i < strlen(x); i++) {
if (i%40 != 0 && i%2 == 0) if (i%40 != 0 && i%2 == 0)
@ -437,7 +452,7 @@ char *x = NULL;
rc += x[i]; rc += x[i];
} }
rc += "\n"; rc += "\n";
d->kossl->OPENSSL_free(x); d->kossl->CRYPTO_free(x);
} }
#endif #endif
d->kossl->EVP_PKEY_free(pkey); d->kossl->EVP_PKEY_free(pkey);
@ -459,7 +474,7 @@ TQString rc = "";
return rc; return rc;
rc = t; rc = t;
d->kossl->OPENSSL_free(t); d->kossl->CRYPTO_free(t);
#endif #endif
return rc; return rc;
@ -696,7 +711,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
return errors; return errors;
} }
X509_STORE_set_verify_cb_func(certStore, X509Callback); d->kossl->X509_STORE_set_verify_cb(certStore, X509Callback);
certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file()); certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file());
if (!certLookup) { if (!certLookup) {
@ -727,7 +742,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL); d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL);
if (d->_chain.isValid()) { if (d->_chain.isValid()) {
d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain()); d->kossl->X509_STORE_CTX_set0_untrusted(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
} }
//kdDebug(7029) << "KSSL setting CRL.............." << endl; //kdDebug(7029) << "KSSL setting CRL.............." << endl;
@ -738,9 +753,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0; KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0;
KSSL_X509CallBack_ca_found = false; KSSL_X509CallBack_ca_found = false;
certStoreCTX->error = X509_V_OK; d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
d->kossl->X509_verify_cert(certStoreCTX); d->kossl->X509_verify_cert(certStoreCTX);
int errcode = certStoreCTX->error; int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
if (ca && !KSSL_X509CallBack_ca_found) { if (ca && !KSSL_X509CallBack_ca_found) {
ksslv = KSSLCertificate::Irrelevant; ksslv = KSSLCertificate::Irrelevant;
} else { } else {
@ -753,9 +768,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX,
X509_PURPOSE_NS_SSL_SERVER); X509_PURPOSE_NS_SSL_SERVER);
certStoreCTX->error = X509_V_OK; d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
d->kossl->X509_verify_cert(certStoreCTX); d->kossl->X509_verify_cert(certStoreCTX);
errcode = certStoreCTX->error; errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
ksslv = processError(errcode); ksslv = processError(errcode);
} }
d->kossl->X509_STORE_CTX_free(certStoreCTX); d->kossl->X509_STORE_CTX_free(certStoreCTX);
@ -888,7 +903,7 @@ return rc;
TQString KSSLCertificate::getNotBefore() const { TQString KSSLCertificate::getNotBefore() const {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert)); return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
#else #else
return TQString::null; return TQString::null;
#endif #endif
@ -897,7 +912,7 @@ return TQString::null;
TQString KSSLCertificate::getNotAfter() const { TQString KSSLCertificate::getNotAfter() const {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert)); return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
#else #else
return TQString::null; return TQString::null;
#endif #endif
@ -906,7 +921,7 @@ return TQString::null;
TQDateTime KSSLCertificate::getQDTNotBefore() const { TQDateTime KSSLCertificate::getQDTNotBefore() const {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL); return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
#else #else
return TQDateTime::currentDateTime(); return TQDateTime::currentDateTime();
#endif #endif
@ -915,7 +930,7 @@ return TQDateTime::currentDateTime();
TQDateTime KSSLCertificate::getQDTNotAfter() const { TQDateTime KSSLCertificate::getQDTNotAfter() const {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL); return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
#else #else
return TQDateTime::currentDateTime(); return TQDateTime::currentDateTime();
#endif #endif
@ -924,7 +939,7 @@ return TQDateTime::currentDateTime();
TQDateTime KSSLCertificate::getQDTLastUpdate() const { TQDateTime KSSLCertificate::getQDTLastUpdate() const {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL); return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_lastUpdate(d->m_cert_crl), NULL);
#else #else
return TQDateTime::currentDateTime(); return TQDateTime::currentDateTime();
#endif #endif
@ -933,7 +948,7 @@ return TQDateTime::currentDateTime();
TQDateTime KSSLCertificate::getQDTNextUpdate() const { TQDateTime KSSLCertificate::getQDTNextUpdate() const {
#ifdef KSSL_HAVE_SSL #ifdef KSSL_HAVE_SSL
return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL); return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_nextUpdate(d->m_cert_crl), NULL);
#else #else
return TQDateTime::currentDateTime(); return TQDateTime::currentDateTime();
#endif #endif
@ -1053,6 +1068,15 @@ return qba;
#define NETSCAPE_CERT_HDR "certificate" #define NETSCAPE_CERT_HDR "certificate"
#ifdef KSSL_HAVE_SSL
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
typedef struct NETSCAPE_X509_st
{
ASN1_OCTET_STRING *header;
X509 *cert;
} NETSCAPE_X509;
#endif
#endif
// what a piece of crap this is // what a piece of crap this is
TQByteArray KSSLCertificate::toNetscape() { TQByteArray KSSLCertificate::toNetscape() {
@ -1062,8 +1086,8 @@ TQByteArray qba;
NETSCAPE_X509 nx; NETSCAPE_X509 nx;
ASN1_OCTET_STRING hdr; ASN1_OCTET_STRING hdr;
#else #else
ASN1_HEADER ah; ASN1_HEADER ah;
ASN1_OCTET_STRING os; ASN1_OCTET_STRING os;
#endif #endif
KTempFile ktf; KTempFile ktf;
@ -1159,10 +1183,10 @@ TQStringList KSSLCertificate::subjAltNames() const {
return rc; return rc;
} }
int cnt = d->kossl->sk_GENERAL_NAME_num(names); int cnt = d->kossl->OPENSSL_sk_num(names);
for (int i = 0; i < cnt; i++) { for (int i = 0; i < cnt; i++) {
const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->sk_value(names, i); const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->OPENSSL_sk_value(names, i);
if (val->type != GEN_DNS) { if (val->type != GEN_DNS) {
continue; continue;
} }
@ -1174,7 +1198,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
rc += s; rc += s;
} }
} }
d->kossl->sk_free(names); d->kossl->OPENSSL_sk_free(names);
#endif #endif
return rc; return rc;
} }

@ -34,16 +34,6 @@
#include <assert.h> #include <assert.h>
#ifdef KSSL_HAVE_SSL
#define sk_new kossl->sk_new
#define sk_push kossl->sk_push
#define sk_free kossl->sk_free
#define sk_value kossl->sk_value
#define sk_num kossl->sk_num
#define sk_dup kossl->sk_dup
#define sk_pop kossl->sk_pop
#endif
KSSLPKCS12::KSSLPKCS12() { KSSLPKCS12::KSSLPKCS12() {
_pkcs = NULL; _pkcs = NULL;
@ -60,11 +50,11 @@ KSSLPKCS12::~KSSLPKCS12() {
if (_pkey) kossl->EVP_PKEY_free(_pkey); if (_pkey) kossl->EVP_PKEY_free(_pkey);
if (_caStack) { if (_caStack) {
for (;;) { for (;;) {
X509* x5 = sk_X509_pop(_caStack); X509* x5 = reinterpret_cast<X509*>(kossl->OPENSSL_sk_pop(_caStack));
if (!x5) break; if (!x5) break;
kossl->X509_free(x5); kossl->X509_free(x5);
} }
sk_X509_free(_caStack); kossl->OPENSSL_sk_free(_caStack);
} }
if (_pkcs) kossl->PKCS12_free(_pkcs); if (_pkcs) kossl->PKCS12_free(_pkcs);
#endif #endif
@ -151,11 +141,11 @@ X509 *x = NULL;
if (_pkey) kossl->EVP_PKEY_free(_pkey); if (_pkey) kossl->EVP_PKEY_free(_pkey);
if (_caStack) { if (_caStack) {
for (;;) { for (;;) {
X509* x5 = sk_X509_pop(_caStack); X509* x5 = reinterpret_cast<X509*>(kossl->OPENSSL_sk_pop(_caStack));
if (!x5) break; if (!x5) break;
kossl->X509_free(x5); kossl->X509_free(x5);
} }
sk_X509_free(_caStack); kossl->OPENSSL_sk_free(_caStack);
} }
_pkey = NULL; _pkey = NULL;
_caStack = NULL; _caStack = NULL;
@ -282,14 +272,3 @@ TQString KSSLPKCS12::name() {
return _cert->getSubject(); return _cert->getSubject();
} }
#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_pop
#undef sk_dup
#endif

@ -34,15 +34,6 @@
#include <assert.h> #include <assert.h>
#ifdef KSSL_HAVE_SSL
#define sk_new kossl->sk_new
#define sk_push kossl->sk_push
#define sk_free kossl->sk_free
#define sk_value kossl->sk_value
#define sk_num kossl->sk_num
#define sk_dup kossl->sk_dup
#endif
KSSLPKCS7::KSSLPKCS7() { KSSLPKCS7::KSSLPKCS7() {
_pkcs = NULL; _pkcs = NULL;
@ -196,13 +187,3 @@ TQString KSSLPKCS7::name() {
return TQString(); return TQString();
} }
#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_dup
#endif

@ -46,29 +46,20 @@
#endif #endif
#include <kopenssl.h> #include <kopenssl.h>
#ifdef KSSL_HAVE_SSL
#define sk_new d->kossl->sk_new
#define sk_push d->kossl->sk_push
#define sk_free d->kossl->sk_free
#define sk_value d->kossl->sk_value
#define sk_num d->kossl->sk_num
#define sk_dup d->kossl->sk_dup
#define sk_pop d->kossl->sk_pop
#endif
class CipherNode { class CipherNode {
public: public:
CipherNode(const char *_name, int _keylen) : CipherNode(const char *_name, int _keylen) :
name(_name), keylen(_keylen) {} name(_name), keylen(_keylen) {}
TQString name; TQString name;
int keylen; int keylen;
inline int operator==(CipherNode &x) inline int operator==(CipherNode &x)
{ return ((x.keylen == keylen) && (x.name == name)); } { return ((x.keylen == keylen) && (x.name == name)); }
inline int operator< (CipherNode &x) { return keylen < x.keylen; } inline int operator< (CipherNode &x) { return keylen < x.keylen; }
inline int operator<=(CipherNode &x) { return keylen <= x.keylen; } inline int operator<=(CipherNode &x) { return keylen <= x.keylen; }
inline int operator> (CipherNode &x) { return keylen > x.keylen; } inline int operator> (CipherNode &x) { return keylen > x.keylen; }
inline int operator>=(CipherNode &x) { return keylen >= x.keylen; } inline int operator>=(CipherNode &x) { return keylen >= x.keylen; }
}; };
class KSSLSettingsPrivate { class KSSLSettingsPrivate {
@ -145,7 +136,7 @@ TQString KSSLSettings::getCipherList() {
d->kossl = KOSSL::self(); d->kossl = KOSSL::self();
if (m_bUseSSLv3 && m_bUseSSLv2) if (m_bUseSSLv3 && m_bUseSSLv2)
meth = d->kossl->SSLv23_client_method(); meth = d->kossl->TLS_client_method();
else if(m_bUseSSLv3) else if(m_bUseSSLv3)
meth = d->kossl->SSLv3_client_method(); meth = d->kossl->SSLv3_client_method();
else if (m_bUseSSLv2) else if (m_bUseSSLv2)
@ -154,9 +145,9 @@ TQString KSSLSettings::getCipherList() {
SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth); SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth);
SSL* ssl = d->kossl->SSL_new(ctx); SSL* ssl = d->kossl->SSL_new(ctx);
STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl); STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl);
int cnt = sk_SSL_CIPHER_num(sk); int cnt = d->kossl->OPENSSL_sk_num(sk);
for (int i=0; i< cnt; i++) { for (int i=0; i< cnt; i++) {
SSL_CIPHER *sc = sk_SSL_CIPHER_value(sk,i); SSL_CIPHER *sc = reinterpret_cast<SSL_CIPHER*>(d->kossl->OPENSSL_sk_value(sk,i));
if (!sc) if (!sc)
break; break;
@ -165,10 +156,10 @@ TQString KSSLSettings::getCipherList() {
else else
m_cfg->setGroup("SSLv3"); m_cfg->setGroup("SSLv3");
tcipher.sprintf("cipher_%s", sc->name); tcipher.sprintf("cipher_%s", d->kossl->SSL_CIPHER_get_name(sc));
int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL); int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL);
if (m_cfg->readBoolEntry(tcipher, bits >= 56)) { if (m_cfg->readBoolEntry(tcipher, bits >= 56)) {
CipherNode *xx = new CipherNode(sc->name,bits); CipherNode *xx = new CipherNode(d->kossl->SSL_CIPHER_get_name(sc),bits);
if (!cipherList.contains(xx)) if (!cipherList.contains(xx))
cipherList.prepend(xx); cipherList.prepend(xx);
else else
@ -212,13 +203,21 @@ void KSSLSettings::load() {
m_cfg->setGroup("TLS"); m_cfg->setGroup("TLS");
m_bUseTLSv1 = m_cfg->readBoolEntry("Enabled", true); m_bUseTLSv1 = m_cfg->readBoolEntry("Enabled", true);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_NO_SSL2)
m_bUseSSLv2 = false;
#else
m_cfg->setGroup("SSLv2"); m_cfg->setGroup("SSLv2");
m_bUseSSLv2 = m_cfg->readBoolEntry("Enabled", false); m_bUseSSLv2 = m_cfg->readBoolEntry("Enabled", false);
#endif
#if defined(OPENSSL_NO_SSL3)
m_bUseSSLv3 = false;
#else
m_cfg->setGroup("SSLv3"); m_cfg->setGroup("SSLv3");
m_bUseSSLv3 = m_cfg->readBoolEntry("Enabled", true); m_bUseSSLv3 = m_cfg->readBoolEntry("Enabled", true);
#endif
m_cfg->setGroup("Warnings"); m_cfg->setGroup("Warnings");
m_bWarnOnEnter = m_cfg->readBoolEntry("OnEnter", false); m_bWarnOnEnter = m_cfg->readBoolEntry("OnEnter", false);
m_bWarnOnLeave = m_cfg->readBoolEntry("OnLeave", true); m_bWarnOnLeave = m_cfg->readBoolEntry("OnLeave", true);
@ -344,13 +343,3 @@ void KSSLSettings::setSSLv3(bool enabled) { m_bUseSSLv3 = enabled; }
TQString& KSSLSettings::getEGDPath() { return d->m_EGDPath; } TQString& KSSLSettings::getEGDPath() { return d->m_EGDPath; }
#ifdef KSSL_HAVE_SSL
#undef sk_new
#undef sk_push
#undef sk_free
#undef sk_value
#undef sk_num
#undef sk_pop
#undef sk_dup
#endif

@ -92,10 +92,10 @@ TQString ASN1_UTCTIME_QString(ASN1_UTCTIME *tm) {
TQString ASN1_INTEGER_QString(ASN1_INTEGER *aint) { TQString ASN1_INTEGER_QString(ASN1_INTEGER *aint) {
char *rep = KOSSL::self()->i2s_ASN1_INTEGER(NULL, aint); char *rep = KOSSL::self()->i2s_ASN1_INTEGER(NULL, aint);
TQString yy = rep; TQString yy = rep;
KOSSL::self()->OPENSSL_free(rep); KOSSL::self()->CRYPTO_free(rep);
return yy; return yy;
} }

@ -471,7 +471,7 @@ int TCPSlaveBase::startTLS()
if (hasMetaData("ssl_session_id")) { if (hasMetaData("ssl_session_id")) {
KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id")); KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id"));
if (s) { if (s) {
d->kssl->setSession(s); d->kssl->takeSession(s);
delete s; delete s;
} }
} }
@ -1301,9 +1301,9 @@ bool TCPSlaveBase::doSSLHandShake( bool sendError )
if (hasMetaData("ssl_session_id")) { if (hasMetaData("ssl_session_id")) {
KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id")); KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id"));
if (s) { if (s) {
d->kssl->setSession(s); d->kssl->takeSession(s);
delete s; delete s;
} }
} }
certificatePrompt(); certificatePrompt();

Loading…
Cancel
Save