1 /* This file is part of the KDE project
2  *
3  * Copyright (C) 2000 George Staikos <staikos@kde.org>
4  *
5  * This library is free software; you can redistribute it and/or
6  * modify it under the terms of the GNU Library General Public
7  * License as published by the Free Software Foundation; either
8  * version 2 of the License, or (at your option) any later version.
9  *
10  * This library is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
13  * Library General Public License for more details.
14  *
15  * You should have received a copy of the GNU Library General Public License
16  * along with this library; see the file COPYING.LIB.  If not, write to
17  * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
18  * Boston, MA 02110-1301, USA.
19  */
20 
21 #if KSSL_HAVE_SSL
22 #ifndef _kde_ksslcallback_c
23 #define _kde_ksslcallback_c
24 
/* Per-verification state shared with X509Callback() below.  Both are plain
 * file-scope definitions (not `extern` declarations), so the file must be
 * included into exactly one translation unit or the symbols will be defined
 * twice -- presumably that is how it is used; confirm at the include site.
 * Being globals, they also make the callback non-reentrant: two
 * verifications must not run concurrently.
 *
 * KSSL_X509CallBack_ca: when non-NULL, X509Callback() returns OpenSSL's
 * verdict only for this one certificate and suppresses errors reported
 * against every OTHER certificate in the chain.  Left NULL (its
 * zero-initialised default) for an ordinary verification in which every
 * error counts.  Nothing in this file writes it; the caller sets it. */
X509 *KSSL_X509CallBack_ca;
/* Set to true by X509Callback() once KSSL_X509CallBack_ca has been seen in
 * the chain being verified.  Nothing in this file ever clears it, so the
 * caller must reset it before each verification whose answer it wants --
 * TODO confirm against the code that installs the callback. */
bool KSSL_X509CallBack_ca_found;
27 
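extern "C" {
    /*
     * OpenSSL certificate-verification callback used by KSSL (the code that
     * installs it lives elsewhere and is not visible in this file).
     *
     * OpenSSL calls this for the certificates of the chain it is building;
     * @p ok is its verdict for the current certificate (1 = fine, 0 = an
     * error, which X509_STORE_CTX_get_error() identifies) and the return
     * value is the verdict we impose: returning 1 on an error tells OpenSSL
     * to ignore it and carry on, returning 0 fails the verification.  The
     * same certificate can produce several errors, so this may be invoked
     * more than once for it.
     *
     * Two modes, selected by the file-scope globals:
     *
     *  - KSSL_X509CallBack_ca == NULL: plain verification.  OpenSSL's
     *    verdict is returned unchanged, so every error fails the chain.
     *
     *  - KSSL_X509CallBack_ca != NULL: "is this CA in the chain?" mode.
     *    Errors reported against any certificate OTHER than that CA are
     *    deliberately suppressed (return 1) and KSSL_X509CallBack_ca_found
     *    is set once the CA itself is seen; only the CA's own verdict is
     *    returned.  Security note: in this mode an expired, revoked or
     *    badly-signed leaf or intermediate certificate does NOT fail the
     *    verification here.  The caller is responsible for also running an
     *    unrestricted verification (presumably it does -- confirm against
     *    the code that sets KSSL_X509CallBack_ca).
     *
     * The globals make this callback non-reentrant and not thread-safe: two
     * verifications must not run concurrently.
     */
    static int X509Callback(int ok, X509_STORE_CTX *ctx)
    {
        if (KSSL_X509CallBack_ca) {
            X509 *current = KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx);

            /* OpenSSL documents that the current certificate may be NULL
             * when no certificate is relevant to the error.  Such an error
             * cannot be attributed to "some other certificate", so it is not
             * suppressed: fail closed and return OpenSSL's verdict.  This
             * also keeps a NULL pointer away from X509_cmp(). */
            if (!current) {
                return ok;
            }

            /* Not the CA we are looking for: ignore whatever error OpenSSL
             * found on this certificate (see the mode description above). */
            if (KOSSL::self()->X509_cmp(current, KSSL_X509CallBack_ca) != 0) {
                return 1;
            }

            KSSL_X509CallBack_ca_found = true;
        }

        /* No verification error is currently downgraded to "acceptable":
         * whatever OpenSSL decided stands.  Should some X509_V_ERR_* code
         * ever need to be tolerated, this is the place to set ok = 1 for it
         * (and only for it); the previous switch over every error code was a
         * no-op and has been dropped. */
        return ok;
    }
}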
87 
88 #endif
89 #endif
90 
91