25 #include <sys/types.h> 33 #include <tqsortedlist.h> 35 #include "ksslsettings.h" 36 #include <tdeglobal.h> 37 #include <kstandarddirs.h> 43 #define crypt _openssl_crypt 44 #include <openssl/ssl.h> 50 #define sk_new d->kossl->sk_new 51 #define sk_push d->kossl->sk_push 52 #define sk_free d->kossl->sk_free 53 #define sk_value d->kossl->sk_value 54 #define sk_num d->kossl->sk_num 55 #define sk_dup d->kossl->sk_dup 56 #define sk_pop d->kossl->sk_pop 61 CipherNode(
const char *_name,
int _keylen) :
62 name(_name), keylen(_keylen) {}
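/// Equality: two nodes match when both the key length and the cipher name agree.
/// Made const-correct: neither side is modified, so a const object (or a
/// temporary) can be compared; callers passing lvalues are unaffected.
/// NOTE(review): assumes `name` is a value-comparable string type (TQString);
/// if it were a raw `const char*` this would compare pointers, not text -- confirm.
inline int operator==(const CipherNode &x) const
{
	return (x.keylen == keylen) && (x.name == name);
}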
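/// Ordering by key length only; the cipher name is ignored, so two different
/// ciphers with the same bit count are neither less nor greater than each other.
/// Key length is only a crude strength proxy -- it says nothing about the algorithm.
/// Const-correct so const nodes and temporaries can be compared.
inline int operator< (const CipherNode &x) const {
	return keylen < x.keylen;
}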
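/// Ordering by key length only (name ignored); see operator< for the caveat
/// that equal bit counts compare equal regardless of algorithm.
/// Const-correct so const nodes and temporaries can be compared.
inline int operator<=(const CipherNode &x) const {
	return keylen <= x.keylen;
}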
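/// Ordering by key length only (name ignored); equal bit counts are not
/// distinguished, whatever the underlying algorithm.
/// Const-correct so const nodes and temporaries can be compared.
inline int operator> (const CipherNode &x) const {
	return keylen > x.keylen;
}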
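/// Ordering by key length only (name ignored); equal bit counts are not
/// distinguished, whatever the underlying algorithm.
/// Const-correct so const nodes and temporaries can be compared.
inline int operator>=(const CipherNode &x) const {
	return keylen >= x.keylen;
}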
74 class KSSLSettingsPrivate {
76 KSSLSettingsPrivate() {
79 ~KSSLSettingsPrivate() {
98 d =
new KSSLSettingsPrivate;
99 m_cfg =
new TDEConfig(
"cryptodefaults",
false,
false);
101 if (!TDEGlobal::dirs()->addResourceType(
"kssl", TDEStandardDirs::kde_default(
"data") +
"kssl")) {
105 if (readConfig) load();
138 bool firstcipher =
true;
139 SSL_METHOD *meth = 0L;
140 TQPtrList<CipherNode> cipherList;
142 cipherList.setAutoDelete(
true);
145 d->kossl = KOSSL::self();
147 if (m_bUseSSLv3 && m_bUseSSLv2)
148 meth = d->kossl->SSLv23_client_method();
150 meth = d->kossl->SSLv3_client_method();
151 else if (m_bUseSSLv2)
152 meth = d->kossl->SSLv2_client_method();
154 SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth);
155 SSL* ssl = d->kossl->SSL_new(ctx);
156 STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl);
157 int cnt = sk_SSL_CIPHER_num(sk);
158 for (
int i=0; i< cnt; i++) {
159 SSL_CIPHER *sc = sk_SSL_CIPHER_value(sk,i);
163 if(!strcmp(
"SSLv2", d->kossl->SSL_CIPHER_get_version(sc)))
164 m_cfg->setGroup(
"SSLv2");
166 m_cfg->setGroup(
"SSLv3");
168 tcipher.sprintf(
"cipher_%s", sc->name);
169 int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL);
170 if (m_cfg->readBoolEntry(tcipher, bits >= 56)) {
171 CipherNode *xx =
new CipherNode(sc->name,bits);
172 if (!cipherList.contains(xx))
173 cipherList.prepend(xx);
178 d->kossl->SSL_free(ssl);
179 d->kossl->SSL_CTX_free(ctx);
183 for (
unsigned int i = 0; i < cipherList.count(); i++) {
185 while ((j = cipherList.at(i)) != 0L) {
186 if (j->name.contains(
"ADH-") || j->name.contains(
"NULL-") || j->name.contains(
"DES-CBC3-SHA") || j->name.contains(
"FZA")) {
187 cipherList.remove(j);
195 while (!cipherList.isEmpty()) {
198 else clist.append(
":");
199 clist.append(cipherList.getLast()->name);
200 cipherList.removeLast();
203 kdDebug(7029) <<
"Cipher list is: " << clist << endl;
211 m_cfg->reparseConfiguration();
213 m_cfg->setGroup(
"TLS");
214 m_bUseTLSv1 = m_cfg->readBoolEntry(
"Enabled",
true);
216 m_cfg->setGroup(
"SSLv2");
217 m_bUseSSLv2 = m_cfg->readBoolEntry(
"Enabled",
false);
219 m_cfg->setGroup(
"SSLv3");
220 m_bUseSSLv3 = m_cfg->readBoolEntry(
"Enabled",
true);
222 m_cfg->setGroup(
"Warnings");
223 m_bWarnOnEnter = m_cfg->readBoolEntry(
"OnEnter",
false);
224 m_bWarnOnLeave = m_cfg->readBoolEntry(
"OnLeave",
true);
225 m_bWarnOnUnencrypted = m_cfg->readBoolEntry(
"OnUnencrypted",
true);
226 m_bWarnOnMixed = m_cfg->readBoolEntry(
"OnMixed",
true);
228 m_cfg->setGroup(
"Validation");
229 m_bWarnSelfSigned = m_cfg->readBoolEntry(
"WarnSelfSigned",
true);
230 m_bWarnExpired = m_cfg->readBoolEntry(
"WarnExpired",
true);
231 m_bWarnRevoked = m_cfg->readBoolEntry(
"WarnRevoked",
true);
233 m_cfg->setGroup(
"EGD");
234 d->m_bUseEGD = m_cfg->readBoolEntry(
"UseEGD",
false);
235 d->m_bUseEFile = m_cfg->readBoolEntry(
"UseEFile",
false);
236 d->m_EGDPath = m_cfg->readPathEntry(
"EGDPath");
238 m_cfg->setGroup(
"Auth");
239 d->m_bSendX509 = (
"send" == m_cfg->readEntry(
"AuthMethod",
""));
240 d->m_bPromptX509 = (
"prompt" == m_cfg->readEntry(
"AuthMethod",
""));
254 m_bWarnOnEnter =
false;
255 m_bWarnOnLeave =
true;
256 m_bWarnOnUnencrypted =
true;
257 m_bWarnOnMixed =
true;
258 m_bWarnSelfSigned =
true;
259 m_bWarnExpired =
true;
260 m_bWarnRevoked =
true;
261 d->m_bUseEGD =
false;
262 d->m_bUseEFile =
false;
268 m_cfg->setGroup(
"TLS");
269 m_cfg->writeEntry(
"Enabled", m_bUseTLSv1);
271 m_cfg->setGroup(
"SSLv2");
272 m_cfg->writeEntry(
"Enabled", m_bUseSSLv2);
274 m_cfg->setGroup(
"SSLv3");
275 m_cfg->writeEntry(
"Enabled", m_bUseSSLv3);
277 m_cfg->setGroup(
"Warnings");
278 m_cfg->writeEntry(
"OnEnter", m_bWarnOnEnter);
279 m_cfg->writeEntry(
"OnLeave", m_bWarnOnLeave);
280 m_cfg->writeEntry(
"OnUnencrypted", m_bWarnOnUnencrypted);
281 m_cfg->writeEntry(
"OnMixed", m_bWarnOnMixed);
283 m_cfg->setGroup(
"Validation");
284 m_cfg->writeEntry(
"WarnSelfSigned", m_bWarnSelfSigned);
285 m_cfg->writeEntry(
"WarnExpired", m_bWarnExpired);
286 m_cfg->writeEntry(
"WarnRevoked", m_bWarnRevoked);
288 m_cfg->setGroup(
"EGD");
289 m_cfg->writeEntry(
"UseEGD", d->m_bUseEGD);
290 m_cfg->writeEntry(
"UseEFile", d->m_bUseEFile);
291 m_cfg->writePathEntry(
"EGDPath", d->m_EGDPath);
297 m_cfg->setGroup(
"SSLv2");
298 for (
unsigned int i = 0; i < v2ciphers.count(); i++) {
300 ciphername.sprintf(
"cipher_%s", v2ciphers[i].ascii());
301 if (v2selectedciphers.contains(v2ciphers[i])) {
302 m_cfg->writeEntry(ciphername,
true);
303 }
else m_cfg->writeEntry(ciphername,
false);
306 m_cfg->setGroup(
"SSLv3");
307 for (
unsigned int i = 0; i < v3ciphers.count(); i++) {
309 ciphername.sprintf(
"cipher_%s", v3ciphers[i].ascii());
310 if (v3selectedciphers.contains(v3ciphers[i])) {
311 m_cfg->writeEntry(ciphername,
true);
312 }
else m_cfg->writeEntry(ciphername,
false);
319 TQString cfgName(TDEGlobal::dirs()->findResource(
"config",
"cryptodefaults"));
320 if (!cfgName.isEmpty())
321 ::chmod(TQFile::encodeName(cfgName), 0600);
bool warnOnRevoked() const KDE_DEPRECATED
Do not use this.
bool warnOnLeave() const
Does the user want to be warned on leaving SSL mode.
bool useEFile() const
Does the user want to use an entropy file?
bool autoSendX509() const
Does the user want X.509 client certificates to always be sent when possible? True when the `Auth` group's `AuthMethod` key is "send".
void setTLSv1(bool enabled)
Change the user's TLSv1 preference.
void setSSLv2(bool enabled)
Change the user's SSLv2 preference. SSLv2 is disabled by default (load() reads the SSLv2 `Enabled` key with a default of false) and should stay disabled: the protocol is obsolete and its use by TLS clients is prohibited by RFC 6176.
void setWarnOnLeave(bool x)
Change the user's warnOnLeave() setting.
bool sslv3() const
Does the user allow SSLv3. Note that load() defaults this to true; SSLv3 is deprecated (RFC 7568) and should only remain enabled where legacy interoperability requires it.
bool warnOnMixed() const
Does the user want to be warned during mixed SSL/non-SSL mode.
void setWarnOnEnter(bool x)
Change the user's warnOnEnter() setting.
bool useEGD() const
Does the user want to use the Entropy Gathering Daemon?
bool warnOnUnencrypted() const
Does the user want to be warned on sending unencrypted data.
KSSLSettings(bool readConfig=true)
Construct a KSSL Settings object. The `cryptodefaults` config is opened and the "kssl" data resource type is registered; when readConfig is true (the default) load() is called immediately, otherwise nothing is read until load() (or defaults()) is called.
void setWarnOnUnencrypted(bool x)
Change the user's warnOnUnencrypted() setting.
void setSSLv3(bool enabled)
Change the user's SSLv3 preference. SSLv3 is deprecated (RFC 7568); leave it disabled unless legacy interoperability demands otherwise.
void defaults()
Revert to default settings.
void load()
Load the user's settings. Re-parses the cryptodefaults configuration and reads the TLS, SSLv2, SSLv3, Warnings, Validation, EGD and Auth groups. Defaults used when a key is absent: TLS and SSLv3 enabled, SSLv2 disabled; warn on leave, on unencrypted and on mixed content but not on enter; warn on self-signed, expired and revoked certificates; EGD and entropy file both off.
TQString & getEGDPath()
Get the configured path to the entropy gathering daemon or entropy file.
bool warnOnSelfSigned() const KDE_DEPRECATED
Do not use this.
bool tlsv1() const
Does the user allow TLSv1.
TQString getCipherList()
Get the OpenSSL cipher list for selecting the list of ciphers to use in a connection. The result is a colon-separated string of cipher names built from the per-cipher `cipher_<name>` keys of the SSLv2 and SSLv3 config groups; a cipher with no config entry is included when its key length is at least 56 bits. Ciphers whose names contain "ADH-", "NULL-", "DES-CBC3-SHA" or "FZA" are always removed. Be aware that the 56-bit default still admits 56-bit ciphers, which are weak by today's standards, and that only the protocol versions the user has enabled (SSLv2/SSLv3) determine which client method the candidate ciphers are taken from.
~KSSLSettings()
Destroy this KSSL Settings object.
bool promptSendX509() const
Does the user want to be prompted to send X.509 client certificates when possible? True when the `Auth` group's `AuthMethod` key is "prompt".
bool warnOnEnter() const
Does the user want to be warned on entering SSL mode.
bool sslv2() const
Does the user allow SSLv2. Disabled by default (load() falls back to false for the SSLv2 `Enabled` key); SSLv2 is prohibited by RFC 6176 and should not be enabled.
void save()
Save the current settings. The TLS, SSLv2, SSLv3, Warnings, Validation and EGD groups plus the per-cipher `cipher_<name>` entries are written back to the cryptodefaults config, and the config file is then chmod'ed to 0600 so only its owner can read it. Note the mode is tightened after the write rather than at file creation, so until then the permissions depend on the process umask.
bool warnOnExpired() const KDE_DEPRECATED
Do not use this.