/* This file is part of the KDE project
 *
 * Copyright (C) 2000 George Staikos <staikos@kde.org>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public License
 * along with this library; see the file COPYING.LIB. If not, write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301, USA.
 */

#if KSSL_HAVE_SSL
#ifndef _kde_ksslcallback_c
#define _kde_ksslcallback_c

// Certificate that X509Callback should look for. When this is null the
// callback does no comparison and simply passes OpenSSL's verdict through.
X509 *KSSL_X509CallBack_ca;

// Set to true by X509Callback once it has been invoked for a certificate
// equal to KSSL_X509CallBack_ca. Nothing in this file resets it.
//
// Both variables are plain file-scope globals with no locking visible here,
// so verifications running concurrently would share (and overwrite) them.
bool KSSL_X509CallBack_ca_found;

extern "C" {
// Certificate-verification callback in the shape OpenSSL expects: it is
// handed OpenSSL's own verdict for the current certificate (ok) together
// with the store context, and returns non-zero to accept or 0 to reject.
// The place where it is registered is not part of this file.
//
// ok   verdict computed by OpenSSL for the current certificate
// ctx  store context; queried for the current certificate and error code
//
// Returns 1 unconditionally for every certificate that differs from a
// non-null KSSL_X509CallBack_ca; otherwise returns ok unchanged.
static int X509Callback(int ok, X509_STORE_CTX *ctx)
{
    //qDebug() << "X509Callback: ok = " << ok << " error = " << ctx->error << " depth = " << ctx->error_depth;

    if (KSSL_X509CallBack_ca) {
        const bool isWantedCa =
            KOSSL::self()->X509_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) == 0;

        if (!isWantedCa) {
            // Not the certificate being searched for: report success so the
            // chain walk continues.
            // NOTE(review): this also discards whatever error OpenSSL found
            // for this certificate, so while KSSL_X509CallBack_ca is set the
            // overall result says nothing about the validity of the other
            // certificates. Presumably callers use this mode only to learn
            // whether the CA occurs in the chain - confirm at the call site.
            return 1;
        }

        KSSL_X509CallBack_ca_found = true;
    }

    if (ok) {
        return ok;
    }

    // An error that should be tolerated gets "ok = 1;" in its case below;
    // verification then still succeeds provided no other critical error
    // turns up (several errors can be reported for one chain). At present
    // every case falls through to the break, so no error is downgraded and
    // the failure is passed on as-is.
    //
    // Other code could live here too, but anything it hands back to the
    // caller is not thread-safe.
    switch (KOSSL::self()->X509_STORE_CTX_get_error(ctx)) {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
    case X509_V_ERR_UNABLE_TO_GET_CRL:
    case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
    case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
    case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
    case X509_V_ERR_CERT_SIGNATURE_FAILURE:
    case X509_V_ERR_CRL_SIGNATURE_FAILURE:
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_CERT_HAS_EXPIRED:
    case X509_V_ERR_CRL_NOT_YET_VALID:
    case X509_V_ERR_CRL_HAS_EXPIRED:
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
    case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
    case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
    case X509_V_ERR_OUT_OF_MEM:
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
    case X509_V_ERR_CERT_CHAIN_TOO_LONG:
    case X509_V_ERR_CERT_REVOKED:
    case X509_V_ERR_INVALID_CA:
    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
    case X509_V_ERR_INVALID_PURPOSE:
    case X509_V_ERR_CERT_UNTRUSTED:
    case X509_V_ERR_CERT_REJECTED:
    case X509_V_ERR_APPLICATION_VERIFICATION:
    default:
        break;
    }

    return ok;
}
}

#endif
#endif