summaryrefslogtreecommitdiffstats
path: root/kio/kssl/ksslcallback.c
blob: 1a105db3f26e09ff36430ef1a938ea84c17bd996 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
/* This file is part of the KDE project
 *
 * Copyright (C) 2000 George Staikos <staikos@kde.org>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public License
 * along with this library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301, USA.
 */

#ifdef KSSL_HAVE_SSL
#ifndef _kde_ksslcallback_c
#define _kde_ksslcallback_c

X509 *KSSL_X509CallBack_ca;
bool KSSL_X509CallBack_ca_found;

extern "C" {
static int X509Callback(int ok, X509_STORE_CTX *ctx) {

  kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << KOSSL::self()->X509_STORE_CTX_get_error(ctx) << " depth = "
  							<< KOSSL::self()->X509_STORE_CTX_get_error_depth(ctx) << endl;
  // Here is how this works.  We put "ok = 1;" in any case that we
  // don't consider to be an error.  In that case, it will return OK
  // for the certificate check as long as there are no other critical
  // errors.  Don't forget that there can be multiple errors.
  // 
  // Of course we can also put other code in here but any data returned
  // back will not be threadsafe ofcourse.

  if (KSSL_X509CallBack_ca)
  {
     if (KOSSL::self()->X509_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0 &&
         /*
          * With OpenSSL >= 1.1 certificate in chain can be replaced by a certificate from the local certificate store.
          * It is therefore necessary to compare the subject name, rather than the entire certificate.
          */
         KOSSL::self()->X509_subject_name_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0) {
        return 1; // Ignore errors for this certificate
     }

     KSSL_X509CallBack_ca_found = true;
  }
 
  if (!ok) {
    switch (KOSSL::self()->X509_STORE_CTX_get_error(ctx)) {
      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
      case X509_V_ERR_UNABLE_TO_GET_CRL:
      case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
      case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
      case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
      case X509_V_ERR_CERT_SIGNATURE_FAILURE:
      case X509_V_ERR_CRL_SIGNATURE_FAILURE:
      case X509_V_ERR_CERT_NOT_YET_VALID:
      case X509_V_ERR_CERT_HAS_EXPIRED:
      case X509_V_ERR_CRL_NOT_YET_VALID:
      case X509_V_ERR_CRL_HAS_EXPIRED:
      case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
      case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
      case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
      case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
      case X509_V_ERR_OUT_OF_MEM:
      case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
      case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
      case X509_V_ERR_CERT_CHAIN_TOO_LONG:
      case X509_V_ERR_CERT_REVOKED:
      case X509_V_ERR_INVALID_CA:
      case X509_V_ERR_PATH_LENGTH_EXCEEDED:
      case X509_V_ERR_INVALID_PURPOSE:
      case X509_V_ERR_CERT_UNTRUSTED:
      case X509_V_ERR_CERT_REJECTED:
      case X509_V_ERR_APPLICATION_VERIFICATION:
    default:
     break;
    }
  }
 
  return(ok);
}
}

#endif
#endif