0 |
-- kio/kssl/kssl.cc |
0 |
++ kio/kssl/kssl.cc |
Lines 129-135
129 |
return false; |
129 |
return false; |
130 |
|
130 |
|
131 |
if (m_bAutoReconfig) |
131 |
if (m_bAutoReconfig) |
132 |
m_cfg->load(); |
132 |
m_cfg->load(); |
133 |
|
133 |
|
134 |
if (!m_cfg->tlsv1()) |
134 |
if (!m_cfg->tlsv1()) |
135 |
return false; |
135 |
return false; |
Lines 138-143
138 |
d->m_meth = d->kossl->TLSv1_client_method(); |
138 |
d->m_meth = d->kossl->TLSv1_client_method(); |
139 |
d->lastInitTLS = true; |
139 |
d->lastInitTLS = true; |
140 |
|
140 |
|
|
|
141 |
m_pi.reset(); |
142 |
|
141 |
d->m_ctx = d->kossl->SSL_CTX_new(d->m_meth); |
143 |
d->m_ctx = d->kossl->SSL_CTX_new(d->m_meth); |
142 |
if (d->m_ctx == 0L) { |
144 |
if (d->m_ctx == 0L) { |
143 |
return false; |
145 |
return false; |
Lines 172-180
172 |
|
174 |
|
173 |
m_pi.reset(); |
175 |
m_pi.reset(); |
174 |
|
176 |
|
175 |
if (m_cfg->sslv2() && !m_cfg->sslv3()) |
177 |
if (!m_cfg->tlsv1() && !m_cfg->sslv3() && m_cfg->sslv2()) |
176 |
d->m_meth = d->kossl->SSLv2_client_method(); |
178 |
d->m_meth = d->kossl->SSLv2_client_method(); |
177 |
else if (m_cfg->sslv3() && !m_cfg->sslv2()) |
179 |
else if (m_cfg->tlsv1() && !m_cfg->sslv3() && !m_cfg->sslv2()) |
|
|
180 |
d->m_meth = d->kossl->TLSv1_client_method(); |
181 |
else if (!m_cfg->tlsv1() && m_cfg->sslv3() && !m_cfg->sslv2()) |
178 |
d->m_meth = d->kossl->SSLv3_client_method(); |
182 |
d->m_meth = d->kossl->SSLv3_client_method(); |
179 |
else d->m_meth = d->kossl->SSLv23_client_method(); |
183 |
else d->m_meth = d->kossl->SSLv23_client_method(); |
180 |
|
184 |
|
Lines 304-313
304 |
} |
308 |
} |
305 |
*/ |
309 |
*/ |
306 |
|
310 |
|
307 |
if (!d->lastInitTLS) |
311 |
int off = SSL_OP_ALL; |
308 |
d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1); |
312 |
if (!d->lastInitTLS && !m_cfg->tlsv1()) |
|
|
313 |
off |= SSL_OP_NO_TLSv1; |
314 |
if (!m_cfg->sslv3()) |
315 |
off |= SSL_OP_NO_SSLv3; |
316 |
if (!m_cfg->sslv2()) |
317 |
off |= SSL_OP_NO_SSLv2; |
309 |
|
318 |
|
310 |
d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL); |
319 |
d->kossl->SSL_set_options(d->m_ssl, off); |
311 |
|
320 |
|
312 |
rc = d->kossl->SSL_set_fd(d->m_ssl, sock); |
321 |
rc = d->kossl->SSL_set_fd(d->m_ssl, sock); |
313 |
if (rc == 0) { |
322 |
if (rc == 0) { |
Lines 390-399
390 |
} |
399 |
} |
391 |
*/ |
400 |
*/ |
392 |
|
401 |
|
393 |
if (!d->lastInitTLS) |
402 |
int off = SSL_OP_ALL; |
394 |
d->kossl->SSL_set_options(d->m_ssl, SSL_OP_NO_TLSv1); |
403 |
if (!d->lastInitTLS && !m_cfg->tlsv1()) |
|
|
404 |
off |= SSL_OP_NO_TLSv1; |
405 |
if (!m_cfg->sslv3()) |
406 |
off |= SSL_OP_NO_SSLv3; |
407 |
if (!m_cfg->sslv2()) |
408 |
off |= SSL_OP_NO_SSLv2; |
395 |
|
409 |
|
396 |
d->kossl->SSL_set_options(d->m_ssl, SSL_OP_ALL); |
410 |
d->kossl->SSL_set_options(d->m_ssl, off); |
397 |
|
411 |
|
398 |
rc = d->kossl->SSL_set_fd(d->m_ssl, sock); |
412 |
rc = d->kossl->SSL_set_fd(d->m_ssl, sock); |
399 |
if (rc == 0) { |
413 |
if (rc == 0) { |
Lines 499-504
499 |
if (err != SSL_ERROR_NONE && |
513 |
if (err != SSL_ERROR_NONE && |
500 |
err != SSL_ERROR_ZERO_RETURN && err != SSL_ERROR_SYSCALL) { |
514 |
err != SSL_ERROR_ZERO_RETURN && err != SSL_ERROR_SYSCALL) { |
501 |
rc = -1; // OpenSSL returns 0 on error too |
515 |
rc = -1; // OpenSSL returns 0 on error too |
|
|
516 |
d->kossl->ERR_print_errors_fp(stderr); |
502 |
} |
517 |
} |
503 |
|
518 |
|
504 |
// else if (err == SSL_ERROR_ZERO_RETURN) |
519 |
// else if (err == SSL_ERROR_ZERO_RETURN) |
505 |
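Review bot: `int off = SSL_OP_ALL;` at new line 311 accumulates masks that end up in SSL_set_options(), whose options parameter is `long` in OpenSSL and whose SSL_OP_* constants are `long` literals; declare it `long off = SSL_OP_ALL;` so a mask bit at or above bit 31 cannot be truncated or sign-extended on the way through the proxy. The identical option assembly is repeated at new lines 402-410 in the `Lines 390-399` hunk; building the mask in one private helper from `m_cfg` and `d->lastInitTLS` would keep the two connect paths from drifting apart. SSL_OP_ALL is OpenSSL's interoperability-workaround bundle whose members change between releases and which, in some releases, includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (switching off the CBC empty-fragment countermeasure), so a comment such as `// SSL_OP_ALL: interoperability workarounds; re-check its members when the OpenSSL baseline changes` belongs next to the initialiser. Separately, `d->kossl->ERR_print_errors_fp(stderr);` at new line 516 both prints and drains the thread's OpenSSL error queue to raw stderr, while this module logs through kdDebug(7029) elsewhere, which is the more appropriate sink for library code. The enclosing functions start and end outside the hunks.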
-- kio/kssl/kopenssl.h |
520 |
++ kio/kssl/kopenssl.h |
Lines 882-887
882 |
/* Set the subject */ |
882 |
/* Set the subject */ |
883 |
int X509_REQ_set_subject_name(X509_REQ*,X509_NAME*); |
883 |
int X509_REQ_set_subject_name(X509_REQ*,X509_NAME*); |
884 |
|
884 |
|
|
|
885 |
/* get list of available SSL_CIPHER's sorted by preference */ |
886 |
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL* ssl); |
887 |
|
885 |
#endif |
888 |
#endif |
886 |
|
889 |
|
887 |
private: |
890 |
private: |
888 |
-- kio/kssl/ksslsettings.cc |
891 |
++ kio/kssl/ksslsettings.cc |
Lines 179-188
179 |
} |
179 |
} |
180 |
|
180 |
|
181 |
// Remove any ADH ciphers as per RFC2246 |
181 |
// Remove any ADH ciphers as per RFC2246 |
|
|
182 |
// Also remove NULL ciphers and 168bit ciphers |
182 |
for (unsigned int i = 0; i < cipherSort.count(); i++) { |
183 |
for (unsigned int i = 0; i < cipherSort.count(); i++) { |
183 |
CipherNode *j = 0L; |
184 |
CipherNode *j = 0L; |
184 |
while ((j = cipherSort.at(i)) != 0L) { |
185 |
while ((j = cipherSort.at(i)) != 0L) { |
185 |
if (j->name.contains("ADH-")) { |
186 |
if (j->name.contains("ADH-") || j->name.contains("NULL-") || j->name.contains("DES-CBC3-SHA") || j->name.contains("FZA")) { |
186 |
cipherSort.remove(j); |
187 |
cipherSort.remove(j); |
187 |
} else { |
188 |
} else { |
188 |
break; |
189 |
break; |
189 |
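Review bot: The extended condition at new line 186 is a substring denylist on cipher names, so the "168bit ciphers" rule in the comment above it only removes suites whose name contains `DES-CBC3-SHA`; an SSLv2 3DES suite such as `DES-CBC3-MD5` still passes, and so would any differently named suite in a newer OpenSSL. The key length is already known when each node is built (the CipherNode constructor takes `_keylen`), so testing the stored length instead of the name would make that rule exact, and NULL ciphers could likewise be recognised by the 0 bits SSL_CIPHER_get_bits() reports for them rather than by the `NULL-` prefix. Whichever form stays, the comment should state what is actually filtered, e.g. `// name-based denylist: anonymous DH (ADH-), NULL encryption (NULL-), 3DES (DES-CBC3-SHA) and Fortezza (FZA)`. The enclosing function starts and ends outside the hunk.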
-- kio/kssl/ksslsettings.cc |
190 |
++ kio/kssl/ksslsettings.cc |
Lines 44-52
44 |
#include <openssl/ssl.h> |
44 |
#include <openssl/ssl.h> |
45 |
#undef crypt |
45 |
#undef crypt |
46 |
#endif |
46 |
#endif |
47 |
|
|
|
48 |
#include <kopenssl.h> |
47 |
#include <kopenssl.h> |
49 |
|
48 |
|
|
|
49 |
#ifdef KSSL_HAVE_SSL |
50 |
#define sk_new d->kossl->sk_new |
51 |
#define sk_push d->kossl->sk_push |
52 |
#define sk_free d->kossl->sk_free |
53 |
#define sk_value d->kossl->sk_value |
54 |
#define sk_num d->kossl->sk_num |
55 |
#define sk_dup d->kossl->sk_dup |
56 |
#define sk_pop d->kossl->sk_pop |
57 |
#endif |
58 |
|
50 |
class CipherNode { |
59 |
class CipherNode { |
51 |
public: |
60 |
public: |
52 |
CipherNode(const char *_name, int _keylen) : |
61 |
CipherNode(const char *_name, int _keylen) : |
Lines 128-190
128 |
QString tcipher; |
137 |
QString tcipher; |
129 |
bool firstcipher = true; |
138 |
bool firstcipher = true; |
130 |
SSL_METHOD *meth = 0L; |
139 |
SSL_METHOD *meth = 0L; |
131 |
QSortedList<CipherNode> cipherSort; |
140 |
QPtrList<CipherNode> cipherList; |
132 |
|
141 |
|
133 |
cipherSort.setAutoDelete(true); |
142 |
cipherList.setAutoDelete(true); |
134 |
|
143 |
|
135 |
if (!d->kossl) |
144 |
if (!d->kossl) |
136 |
d->kossl = KOSSL::self(); |
145 |
d->kossl = KOSSL::self(); |
137 |
|
146 |
|
138 |
if (m_bUseSSLv3) { |
147 |
if (m_bUseSSLv3 && m_bUseSSLv2) |
139 |
m_cfg->setGroup("SSLv3"); |
148 |
meth = d->kossl->SSLv23_client_method(); |
|
|
149 |
else if(m_bUseSSLv3) |
140 |
meth = d->kossl->SSLv3_client_method(); |
150 |
meth = d->kossl->SSLv3_client_method(); |
141 |
for(int i = 0; ; i++) { |
151 |
else if (m_bUseSSLv2) |
142 |
SSL_CIPHER *sc = (meth->get_cipher)(i); |
|
|
143 |
if (!sc) |
144 |
break; |
145 |
tcipher.sprintf("cipher_%s", sc->name); |
146 |
int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL); |
147 |
|
148 |
if (m_cfg->readBoolEntry(tcipher, bits >= 56)) { |
149 |
CipherNode *xx = new CipherNode(sc->name,bits); |
150 |
if (!cipherSort.contains(xx)) { |
151 |
cipherSort.prepend(xx); |
152 |
} else { |
153 |
delete xx; |
154 |
} |
155 |
} |
156 |
} |
157 |
} |
158 |
|
159 |
if (m_bUseSSLv2) { |
160 |
m_cfg->setGroup("SSLv2"); |
161 |
meth = d->kossl->SSLv2_client_method(); |
152 |
meth = d->kossl->SSLv2_client_method(); |
162 |
|
153 |
|
163 |
for(int i = 0; meth; i++) { |
154 |
SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth); |
164 |
SSL_CIPHER *sc = (meth->get_cipher)(i); |
155 |
SSL* ssl = d->kossl->SSL_new(ctx); |
165 |
if (!sc) |
156 |
STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl); |
166 |
break; |
157 |
int cnt = sk_SSL_CIPHER_num(sk); |
167 |
tcipher.sprintf("cipher_%s", sc->name); |
158 |
for (int i=0; i< cnt; i++) { |
168 |
int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL); |
159 |
SSL_CIPHER *sc = sk_SSL_CIPHER_value(sk,i); |
169 |
|
160 |
if (!sc) |
170 |
if (m_cfg->readBoolEntry(tcipher, bits >= 56)) { |
161 |
break; |
171 |
CipherNode *xx = new CipherNode(sc->name,bits); |
162 |
|
172 |
if (!cipherSort.contains(xx)) { |
163 |
if(!strcmp("SSLv2", d->kossl->SSL_CIPHER_get_version(sc))) |
173 |
cipherSort.prepend(xx); |
164 |
m_cfg->setGroup("SSLv2"); |
174 |
} else { |
165 |
else |
175 |
delete xx; |
166 |
m_cfg->setGroup("SSLv3"); |
176 |
} |
167 |
|
177 |
} |
168 |
tcipher.sprintf("cipher_%s", sc->name); |
|
|
169 |
int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL); |
170 |
if (m_cfg->readBoolEntry(tcipher, bits >= 56)) { |
171 |
CipherNode *xx = new CipherNode(sc->name,bits); |
172 |
if (!cipherList.contains(xx)) |
173 |
cipherList.prepend(xx); |
174 |
else |
175 |
delete xx; |
178 |
} |
176 |
} |
179 |
} |
177 |
} |
|
|
178 |
d->kossl->SSL_free(ssl); |
179 |
d->kossl->SSL_CTX_free(ctx); |
180 |
|
180 |
|
181 |
// Remove any ADH ciphers as per RFC2246 |
181 |
// Remove any ADH ciphers as per RFC2246 |
182 |
// Also remove NULL ciphers and 168bit ciphers |
182 |
// Also remove NULL ciphers and 168bit ciphers |
183 |
for (unsigned int i = 0; i < cipherSort.count(); i++) { |
183 |
for (unsigned int i = 0; i < cipherList.count(); i++) { |
184 |
CipherNode *j = 0L; |
184 |
CipherNode *j = 0L; |
185 |
while ((j = cipherSort.at(i)) != 0L) { |
185 |
while ((j = cipherList.at(i)) != 0L) { |
186 |
if (j->name.contains("ADH-") || j->name.contains("NULL-") || j->name.contains("DES-CBC3-SHA") || j->name.contains("FZA")) { |
186 |
if (j->name.contains("ADH-") || j->name.contains("NULL-") || j->name.contains("DES-CBC3-SHA") || j->name.contains("FZA")) { |
187 |
cipherSort.remove(j); |
187 |
cipherList.remove(j); |
188 |
} else { |
188 |
} else { |
189 |
break; |
189 |
break; |
190 |
} |
190 |
} |
Lines 192-203
192 |
} |
192 |
} |
193 |
|
193 |
|
194 |
// now assemble the list cipher1:cipher2:cipher3:...:ciphern |
194 |
// now assemble the list cipher1:cipher2:cipher3:...:ciphern |
195 |
while (!cipherSort.isEmpty()) { |
195 |
while (!cipherList.isEmpty()) { |
196 |
if (firstcipher) |
196 |
if (firstcipher) |
197 |
firstcipher = false; |
197 |
firstcipher = false; |
198 |
else clist.append(":"); |
198 |
else clist.append(":"); |
199 |
clist.append(cipherSort.getLast()->name); |
199 |
clist.append(cipherList.getLast()->name); |
200 |
cipherSort.removeLast(); |
200 |
cipherList.removeLast(); |
201 |
} // while |
201 |
} // while |
202 |
|
202 |
|
203 |
kdDebug(7029) << "Cipher list is: " << clist << endl; |
203 |
kdDebug(7029) << "Cipher list is: " << clist << endl; |
Lines 344-346
344 |
|
344 |
|
345 |
QString& KSSLSettings::getEGDPath() { return d->m_EGDPath; } |
345 |
QString& KSSLSettings::getEGDPath() { return d->m_EGDPath; } |
346 |
|
346 |
|
347 |
-- kio/kssl/kopenssl.cc |
347 |
#ifdef KSSL_HAVE_SSL |
|
|
348 |
#undef sk_new |
349 |
#undef sk_push |
350 |
#undef sk_free |
351 |
#undef sk_value |
352 |
#undef sk_num |
353 |
#undef sk_pop |
354 |
#undef sk_dup |
355 |
#endif |
356 |
|
|
|
357 |
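Review bot: The new enumeration at lines 154-157 of the `Lines 128-190` hunk calls SSL_CTX_new(meth), SSL_new(ctx) and SSL_get_ciphers(ssl) without checking any result, while `meth` is still 0L when neither m_bUseSSLv3 nor m_bUseSSLv2 is set and every KOpenSSLProxy wrapper returns 0L when its symbol failed to load. The OpenSSL builds I know tolerate NULL at each of these steps and sk_num() returns -1 for a NULL stack, so the loop body happens to be skipped, but that is not a documented contract and a NULL `ctx` or `ssl` should be checked explicitly before use; the rewrite below does that while leaving the unchanged SSL_free/SSL_CTX_free calls at 178-179 as the single cleanup point. The `#define sk_* d->kossl->sk_*` block at new lines 49-57 also needs a comment saying why it exists, e.g. `// OpenSSL's sk_SSL_CIPHER_num/value safestack macros expand to bare sk_num/sk_value; redirect those to the dlopen'ed proxy so nothing links libcrypto directly`, and the matching `#undef` block at new lines 347-355 should list the names in the same order so a reader can verify the two lists agree. The enclosing function starts and ends outside the hunk.
```cpp
SSL_CTX *ctx = meth ? d->kossl->SSL_CTX_new(meth) : 0L;
SSL *ssl = ctx ? d->kossl->SSL_new(ctx) : 0L;
STACK_OF(SSL_CIPHER) *sk = ssl ? d->kossl->SSL_get_ciphers(ssl) : 0L;
int cnt = sk ? sk_SSL_CIPHER_num(sk) : 0;
// … unchanged: per-cipher loop, SSL_free(ssl) / SSL_CTX_free(ctx) …
```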
++ kio/kssl/kopenssl.cc |
Lines 20-26
20 |
#include <config.h> |
20 |
#include <config.h> |
21 |
#endif |
21 |
#endif |
22 |
|
22 |
|
23 |
|
|
|
24 |
#ifdef KSSL_HAVE_SSL |
23 |
#ifdef KSSL_HAVE_SSL |
25 |
#include <openssl/opensslv.h> |
24 |
#include <openssl/opensslv.h> |
26 |
#endif |
25 |
#endif |
Lines 197-202
197 |
static X509_NAME *(*K_X509_NAME_new)() = 0L; |
196 |
static X509_NAME *(*K_X509_NAME_new)() = 0L; |
198 |
static int (*K_X509_REQ_set_subject_name)(X509_REQ*,X509_NAME*) = 0L; |
197 |
static int (*K_X509_REQ_set_subject_name)(X509_REQ*,X509_NAME*) = 0L; |
199 |
static unsigned char *(*K_ASN1_STRING_data)(ASN1_STRING*) = 0L; |
198 |
static unsigned char *(*K_ASN1_STRING_data)(ASN1_STRING*) = 0L; |
|
|
199 |
static STACK_OF(SSL_CIPHER) *(*K_SSL_get_ciphers)(const SSL *ssl) = 0L; |
200 |
|
200 |
#endif |
201 |
#endif |
201 |
} |
202 |
} |
202 |
|
203 |
|
Lines 567-572
567 |
K_SSL_set_session = (int (*)(SSL*,SSL_SESSION*)) _sslLib->symbol("SSL_set_session"); |
568 |
K_SSL_set_session = (int (*)(SSL*,SSL_SESSION*)) _sslLib->symbol("SSL_set_session"); |
568 |
K_d2i_SSL_SESSION = (SSL_SESSION* (*)(SSL_SESSION**,unsigned char**, long)) _sslLib->symbol("d2i_SSL_SESSION"); |
569 |
K_d2i_SSL_SESSION = (SSL_SESSION* (*)(SSL_SESSION**,unsigned char**, long)) _sslLib->symbol("d2i_SSL_SESSION"); |
569 |
K_i2d_SSL_SESSION = (int (*)(SSL_SESSION*,unsigned char**)) _sslLib->symbol("i2d_SSL_SESSION"); |
570 |
K_i2d_SSL_SESSION = (int (*)(SSL_SESSION*,unsigned char**)) _sslLib->symbol("i2d_SSL_SESSION"); |
|
|
571 |
K_SSL_get_ciphers = (STACK *(*)(const SSL*)) _sslLib->symbol("SSL_get_ciphers"); |
570 |
#endif |
572 |
#endif |
571 |
|
573 |
|
572 |
|
574 |
|
Lines 1543-1547
1543 |
return 0L; |
1545 |
return 0L; |
1544 |
} |
1546 |
} |
1545 |
|
1547 |
|
|
|
1548 |
STACK_OF(SSL_CIPHER) *KOpenSSLProxy::SSL_get_ciphers(const SSL* ssl) { |
1549 |
if (K_SSL_get_ciphers) return (K_SSL_get_ciphers)(ssl); |
1550 |
return 0L; |
1551 |
} |
1552 |
|
1546 |
#endif |
1553 |
#endif |
1547 |
|
1554 |
|
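Review bot: The cast at new line 571, `(STACK *(*)(const SSL*))`, does not match the type `K_SSL_get_ciphers` is declared with at line 199, `STACK_OF(SSL_CIPHER) *(*)(const SSL *ssl)`; with the OpenSSL headers this tree targets STACK_OF(SSL_CIPHER) presumably expands to plain STACK so the assignment compiles, but as soon as STACK_OF(type) becomes a distinct per-type struct it is a hard error, so write the cast with the declared type: `K_SSL_get_ciphers = (STACK_OF(SSL_CIPHER) *(*)(const SSL*)) _sslLib->symbol("SSL_get_ciphers");`. The wrapper added at new lines 1548-1551 returns 0L when the symbol was not resolved, like its siblings, so callers must treat a NULL stack as "no ciphers available" rather than as an empty list; a one-line comment on the declaration in kopenssl.h, `/* Returns 0L if libssl did not provide SSL_get_ciphers */`, would make that contract visible. The remaining hunks in this file (the blank-line removal at 20-26 and the static pointer at 199) need nothing.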