You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
97 lines
3.7 KiB
97 lines
3.7 KiB
/* This file is part of the KDE project
|
|
*
|
|
* Copyright (C) 2000 George Staikos <staikos@kde.org>
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Library General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Library General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Library General Public License
|
|
* along with this library; see the file COPYING.LIB. If not, write to
|
|
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
* Boston, MA 02110-1301, USA.
|
|
*/
|
|
|
|
#ifdef KSSL_HAVE_SSL
|
|
#ifndef _kde_ksslcallback_c
|
|
#define _kde_ksslcallback_c
|
|
|
|
X509 *KSSL_X509CallBack_ca;
|
|
bool KSSL_X509CallBack_ca_found;
|
|
|
|
extern "C" {
|
|
static int X509Callback(int ok, X509_STORE_CTX *ctx) {
|
|
|
|
kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << KOSSL::self()->X509_STORE_CTX_get_error(ctx) << " depth = "
|
|
<< KOSSL::self()->X509_STORE_CTX_get_error_depth(ctx) << endl;
|
|
// Here is how this works. We put "ok = 1;" in any case that we
|
|
// don't consider to be an error. In that case, it will return OK
|
|
// for the certificate check as long as there are no other critical
|
|
// errors. Don't forget that there can be multiple errors.
|
|
//
|
|
// Of course we can also put other code in here but any data returned
|
|
// back will not be threadsafe ofcourse.
|
|
|
|
if (KSSL_X509CallBack_ca)
|
|
{
|
|
if (KOSSL::self()->X509_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0 &&
|
|
/*
|
|
* With OpenSSL >= 1.1 certificate in chain can be replaced by a certificate from the local certificate store.
|
|
* It is therefore necessary to compare the subject name, rather than the entire certificate.
|
|
*/
|
|
KOSSL::self()->X509_subject_name_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0) {
|
|
return 1; // Ignore errors for this certificate
|
|
}
|
|
|
|
KSSL_X509CallBack_ca_found = true;
|
|
}
|
|
|
|
if (!ok) {
|
|
switch (KOSSL::self()->X509_STORE_CTX_get_error(ctx)) {
|
|
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
|
case X509_V_ERR_UNABLE_TO_GET_CRL:
|
|
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
|
|
case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
|
|
case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
|
|
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
|
|
case X509_V_ERR_CRL_SIGNATURE_FAILURE:
|
|
case X509_V_ERR_CERT_NOT_YET_VALID:
|
|
case X509_V_ERR_CERT_HAS_EXPIRED:
|
|
case X509_V_ERR_CRL_NOT_YET_VALID:
|
|
case X509_V_ERR_CRL_HAS_EXPIRED:
|
|
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
|
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
|
|
case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
|
|
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
|
|
case X509_V_ERR_OUT_OF_MEM:
|
|
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
|
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
|
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
|
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
|
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
|
|
case X509_V_ERR_CERT_REVOKED:
|
|
case X509_V_ERR_INVALID_CA:
|
|
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
|
|
case X509_V_ERR_INVALID_PURPOSE:
|
|
case X509_V_ERR_CERT_UNTRUSTED:
|
|
case X509_V_ERR_CERT_REJECTED:
|
|
case X509_V_ERR_APPLICATION_VERIFICATION:
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
return(ok);
|
|
}
|
|
}
|
|
|
|
#endif
|
|
#endif
|
|
|