diff options
Diffstat (limited to 'tderesources/groupwise/soap/ksslsocket.cpp')
-rw-r--r-- | tderesources/groupwise/soap/ksslsocket.cpp | 408 |
1 files changed, 408 insertions, 0 deletions
diff --git a/tderesources/groupwise/soap/ksslsocket.cpp b/tderesources/groupwise/soap/ksslsocket.cpp new file mode 100644 index 000000000..90ccf83d6 --- /dev/null +++ b/tderesources/groupwise/soap/ksslsocket.cpp @@ -0,0 +1,408 @@ +/* + ksslsocket.cpp - KDE SSL Socket + + Copyright (c) 2004 by Jason Keirstead <jason@keirstead.org> + + Kopete (c) 2002-2003 by the Kopete developers <kopete-devel@kde.org> + + stolen from kopete, but this is a modified version. + + ************************************************************************* + * * + * This program is free software; you can redistribute it and/or modify * + * it under the terms of the GNU General Public License as published by * + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + * * + ************************************************************************* +*/ + +#include <tqsocketnotifier.h> + +#include <dcopclient.h> +#include <klocale.h> +#include <kdebug.h> +#include <kssl.h> +#include <ksslinfodlg.h> +#include <ksslpeerinfo.h> +#include <ksslcertchain.h> +#include <ksslcertificatecache.h> +#include <kapplication.h> +#include <kmessagebox.h> + +#include "ksslsocket.h" + +#include "stdlib.h" + +struct KSSLSocketPrivate +{ + mutable KSSL *kssl; + KSSLCertificateCache *cc; + DCOPClient *dcc; + TQMap<TQString,TQString> metaData; + TQSocketNotifier *socketNotifier; +}; + +KSSLSocket::KSSLSocket() : KExtendedSocket() +{ +// kdDebug() << "KSSLSocket() " << (void*)this << endl; + + d = new KSSLSocketPrivate; + d->kssl = 0L; + d->dcc = 0L; + d->cc = new KSSLCertificateCache; + d->cc->reload(); + + //No blocking + setBlockingMode(false); + + //Connect internal slots + TQObject::connect( this, TQT_SIGNAL(connectionSuccess()), this, TQT_SLOT(slotConnected()) ); + TQObject::connect( this, TQT_SIGNAL(closed(int)), this, TQT_SLOT(slotDisconnected()) ); + TQObject::connect( this, TQT_SIGNAL(connectionFailed(int)), this, TQT_SLOT(slotDisconnected())); +} + +KSSLSocket::~KSSLSocket() +{ +// kdDebug() << "KSSLSocket()::~KSSLSocket() " << (void*)this << endl; + + //Close connection + closeNow(); + + if( d->kssl ) + { + d->kssl->close(); + delete d->kssl; + } + + if ( d->dcc ) + d->dcc->detach(); + delete d->dcc; + delete d->cc; + delete d; +} + +TQ_LONG KSSLSocket::readBlock( char* data, TQ_ULONG maxLen ) +{ + return d->kssl->read( data, maxLen ); +} + +TQ_LONG KSSLSocket::writeBlock( const char* data, TQ_ULONG len ) +{ +// kdDebug() << "KSSLSocket::writeBlock() " << (void*)this << endl; +// kdDebug() << " d->kssl: " << (void*)d->kssl << endl; + return d->kssl->write( data, len ); +} + +void KSSLSocket::slotConnected() +{ +// kdDebug() << "KSSLSocket::slotConnected() " << (void*)this << endl; + if( KSSL::doesSSLWork() ) + { +// kdDebug(0) << k_funcinfo << "Trying SSL connection..." << endl; + if( !d->kssl ) + { + d->kssl = new KSSL(); + } + else + { + d->kssl->reInitialize(); + } + d->kssl->setPeerHost(host()); +// kdDebug() << "SOCKET STATUS: " << sockeStatus() << endl; + int rc = d->kssl->connect( sockfd ); + if ( rc <= 0 ) { + kdError() << "Error connecting KSSL: " << rc << endl; + kdDebug() << "SYSTEM ERROR: " << systemError() << endl; + emit sslFailure(); + closeNow(); + } else { + readNotifier()->setEnabled(true); + + if( verifyCertificate() != 1 ) + { + closeNow(); + } + } + } + else + { + kdError(0) << k_funcinfo << "SSL not functional!" << endl; + + d->kssl = 0L; + emit sslFailure(); + closeNow(); + } +} + +void KSSLSocket::slotDisconnected() +{ +// kdDebug() << "KSSLSocket::slotDisconnected() " << (void*)this << endl; + if( readNotifier() ) + readNotifier()->setEnabled(false); +} + +void KSSLSocket::setMetaData( const TQString &key, const TQVariant &data ) +{ + TQVariant v = data; + d->metaData[key] = v.asString(); +} + +bool KSSLSocket::hasMetaData( const TQString &key ) +{ + return d->metaData.contains(key); +} + +TQString KSSLSocket::metaData( const TQString &key ) +{ + if( d->metaData.contains(key) ) + return d->metaData[key]; + return TQString(); +} + +/* +I basically copied the below from tcpTDEIO::SlaveBase.hpp, with some modificaions and formatting. + + * Copyright (C) 2000 Alex Zepeda <zipzippy@sonic.net + * Copyright (C) 2001-2003 George Staikos <staikos@kde.org> + * Copyright (C) 2001 Dawit Alemayehu <adawit@kde.org> +*/ + +int KSSLSocket::messageBox( TDEIO::SlaveBase::MessageBoxType type, const TQString &text, const TQString &caption, + const TQString &buttonYes, const TQString &buttonNo ) +{ + kdDebug(0) << "messageBox " << type << " " << text << " - " << caption << buttonYes << buttonNo << endl; + TQByteArray data, result; + TQCString returnType; + TQDataStream arg(data, IO_WriteOnly); + arg << (int)1 << (int)type << text << caption << buttonYes << buttonNo; + + if ( ! d->dcc ){ + d->dcc = new DCOPClient(); + d->dcc->attach(); + } + if (!d->dcc->isApplicationRegistered("kio_uiserver")) + { + TDEApplication::startServiceByDesktopPath("kio_uiserver.desktop",TQStringList()); + } + + d->dcc->call("kio_uiserver", "UIServer", + "messageBox(int,int,TQString,TQString,TQString,TQString)", data, returnType, result); + + if( returnType == "int" ) + { + int res; + TQDataStream r(result, IO_ReadOnly); + r >> res; + return res; + } + else + return 0; // communication failure +} + + +// Returns 0 for failed verification, -1 for rejected cert and 1 for ok +int KSSLSocket::verifyCertificate() +{ + int rc = 0; + bool permacache = false; + bool _IPmatchesCN = false; + int result; + bool doAddHost = false; + TQString ourHost = host(); + TQString ourIp = peerAddress()->pretty(); + + TQString theurl = "https://" + ourHost + ":" + port(); + + if (!d->cc) + d->cc = new KSSLCertificateCache; + + KSSLCertificate& pc = d->kssl->peerInfo().getPeerCertificate(); + + KSSLCertificate::KSSLValidationList ksvl = pc.validateVerbose(KSSLCertificate::SSLServer); + + if ( ksvl.count() == 1 && ksvl.first() == KSSLCertificate::Unknown ) { + kdDebug() << "Unknown validation error" << endl; + return 0; + } + + _IPmatchesCN = d->kssl->peerInfo().certMatchesAddress(); + + if (!_IPmatchesCN && (metaData("ssl_militant") == "TRUE") ) + { + ksvl << KSSLCertificate::InvalidHost; + } + + KSSLCertificate::KSSLValidation ksv = KSSLCertificate::Ok; + if (!ksvl.isEmpty()) + ksv = ksvl.first(); + + /* Setting the various bits of meta-info that will be needed. */ + setMetaData("ssl_cipher", d->kssl->connectionInfo().getCipher()); + setMetaData("ssl_cipher_desc", d->kssl->connectionInfo().getCipherDescription()); + setMetaData("ssl_cipher_version", d->kssl->connectionInfo().getCipherVersion()); + setMetaData("ssl_cipher_used_bits", TQString::number(d->kssl->connectionInfo().getCipherUsedBits())); + setMetaData("ssl_cipher_bits", TQString::number(d->kssl->connectionInfo().getCipherBits())); + setMetaData("ssl_peer_ip", ourIp ); + + TQString errorStr; + for(KSSLCertificate::KSSLValidationList::ConstIterator it = ksvl.begin(); + it != ksvl.end(); ++it) + { + errorStr += TQString::number(*it)+":"; + } + + setMetaData("ssl_cert_errors", errorStr); + setMetaData("ssl_peer_certificate", pc.toString()); + + if (pc.chain().isValid() && pc.chain().depth() > 1) + { + TQString theChain; + TQPtrList<KSSLCertificate> chain = pc.chain().getChain(); + for (KSSLCertificate *c = chain.first(); c; c = chain.next()) + { + theChain += c->toString(); + theChain += "\n"; + } + setMetaData("ssl_peer_chain", theChain); + } + else + { + setMetaData("ssl_peer_chain", ""); + } + + setMetaData("ssl_cert_state", TQString::number(ksv)); + + if (ksv == KSSLCertificate::Ok) + { + rc = 1; + setMetaData("ssl_action", "accept"); + } + + // Since we're the parent, we need to teach the child. + setMetaData("ssl_parent_ip", ourIp ); + setMetaData("ssl_parent_cert", pc.toString()); + + // - Read from cache and see if there is a policy for this + KSSLCertificateCache::KSSLCertificatePolicy cp = d->cc->getPolicyByCertificate(pc); + // - validation code + if (ksv != KSSLCertificate::Ok) + { + if( cp == KSSLCertificateCache::Unknown || cp == KSSLCertificateCache::Ambiguous) + { + cp = KSSLCertificateCache::Prompt; + } + else + { + // A policy was already set so let's honor that. + permacache = d->cc->isPermanent(pc); + } + + if (!_IPmatchesCN && (metaData("ssl_militant") == "TRUE") + && cp == KSSLCertificateCache::Accept) + { + cp = KSSLCertificateCache::Prompt; + } + + // Precondition: cp is one of Reject, Accept or Prompt + switch (cp) + { + case KSSLCertificateCache::Accept: + rc = 1; + break; + + case KSSLCertificateCache::Reject: + rc = -1; + break; + + case KSSLCertificateCache::Prompt: + { + do + { + if (ksv == KSSLCertificate::InvalidHost) + { + TQString msg = i18n("The IP address of the host %1 " + "does not match the one the " + "certificate was issued to."); + result = messageBox( TDEIO::SlaveBase::WarningYesNoCancel, + msg.arg(ourHost), + i18n("Server Authentication"), + i18n("&Details"), + KStdGuiItem::cont().text() ); + } + else + { + TQString msg = i18n("The server certificate failed the " + "authenticity test (%1)."); + result = messageBox( TDEIO::SlaveBase::WarningYesNoCancel, + msg.arg(ourHost), + i18n("Server Authentication"), + i18n("&Details"), + KStdGuiItem::cont().text() ); + } + } + while (result == KMessageBox::Yes); + + if (result == KMessageBox::No) + { + rc = 1; + cp = KSSLCertificateCache::Accept; + doAddHost = true; + result = messageBox( TDEIO::SlaveBase::WarningYesNo, + i18n("Would you like to accept this " + "certificate forever without " + "being prompted?"), + i18n("Server Authentication"), + i18n("&Forever"), + i18n("&Current Sessions Only")); + if (result == KMessageBox::Yes) + permacache = true; + else + permacache = false; + } + else + { + rc = -1; + cp = KSSLCertificateCache::Prompt; + } + + break; + } + default: + kdDebug(0) << "SSL error in cert code." + << endl; + break; + } + } + + // - cache the results + d->cc->addCertificate(pc, cp, permacache); + if (doAddHost) + d->cc->addHost(pc, ourHost); + + + if (rc == -1) + return rc; + + if ( getenv("DEBUG_GW_RESOURCE") ) { + kdDebug(0) << "SSL connection information follows:" << endl + << "+-----------------------------------------------" << endl + << "| Cipher: " << d->kssl->connectionInfo().getCipher() << endl + << "| Description: " << d->kssl->connectionInfo().getCipherDescription() << endl + << "| Version: " << d->kssl->connectionInfo().getCipherVersion() << endl + << "| Strength: " << d->kssl->connectionInfo().getCipherUsedBits() + << " of " << d->kssl->connectionInfo().getCipherBits() + << " bits used." << endl + << "| PEER:" << endl + << "| Subject: " << d->kssl->peerInfo().getPeerCertificate().getSubject() << endl + << "| Issuer: " << d->kssl->peerInfo().getPeerCertificate().getIssuer() << endl + << "| Validation: " << (int)ksv << endl + << "| Certificate matches IP: " << _IPmatchesCN << endl + << "+-----------------------------------------------" + << endl; + } + return rc; +} + + +#include "ksslsocket.moc" |