25 #include <sys/types.h>
33 #include <tqsortedlist.h>
35 #include "ksslsettings.h"
36 #include <tdeglobal.h>
37 #include <kstandarddirs.h>
43 #define crypt _openssl_crypt
44 #include <openssl/ssl.h>
/// Builds one cipher entry from the name OpenSSL reports for it and its
/// key length in bits.
/// @param _name   cipher name (copied into the TQString member)
/// @param _keylen key length in bits, as returned by SSL_CIPHER_get_bits()
CipherNode(const char *_name, int _keylen)
	: name(_name),
	  keylen(_keylen)
{
}
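/// Value equality: two entries are equal when both the key length and the
/// cipher name match. Takes a const reference and is itself const so that
/// temporaries and const objects can be compared.
/// NOTE(review): TQPtrList::contains() looks like it compares pointers rather
/// than calling this operator, so it would not detect duplicates by value —
/// verify against the tqptrlist implementation.
inline int operator==(const CipherNode &x) const
{
	return (x.keylen == keylen) && (x.name == name);
}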
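/// Orders entries by key length only; the cipher name does not take part.
/// Const-correct so that const entries and temporaries can be compared.
inline int operator< (const CipherNode &x) const
{
	return keylen < x.keylen;
}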
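/// Orders entries by key length only; the cipher name does not take part.
/// Const-correct so that const entries and temporaries can be compared.
inline int operator<=(const CipherNode &x) const
{
	return keylen <= x.keylen;
}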
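/// Orders entries by key length only; the cipher name does not take part.
/// Const-correct so that const entries and temporaries can be compared.
inline int operator> (const CipherNode &x) const
{
	return keylen > x.keylen;
}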
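/// Orders entries by key length only; the cipher name does not take part.
/// Const-correct so that const entries and temporaries can be compared.
inline int operator>=(const CipherNode &x) const
{
	return keylen >= x.keylen;
}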
65 class KSSLSettingsPrivate {
67 KSSLSettingsPrivate() {
70 ~KSSLSettingsPrivate() {
89 d =
new KSSLSettingsPrivate;
90 m_cfg =
new TDEConfig(
"cryptodefaults",
false,
false);
92 if (!TDEGlobal::dirs()->addResourceType(
"kssl", TDEStandardDirs::kde_default(
"data") +
"kssl")) {
96 if (readConfig)
load();
129 bool firstcipher =
true;
130 SSL_METHOD *meth = 0L;
131 TQPtrList<CipherNode> cipherList;
133 cipherList.setAutoDelete(
true);
136 d->kossl = KOSSL::self();
138 if (m_bUseSSLv3 && m_bUseSSLv2)
139 meth = d->kossl->TLS_client_method();
141 meth = d->kossl->SSLv3_client_method();
142 else if (m_bUseSSLv2)
143 meth = d->kossl->SSLv2_client_method();
145 SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth);
146 SSL* ssl = d->kossl->SSL_new(ctx);
147 STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl);
148 int cnt = d->kossl->OPENSSL_sk_num(sk);
149 for (
int i=0; i< cnt; i++) {
150 SSL_CIPHER *sc =
reinterpret_cast<SSL_CIPHER*
>(d->kossl->OPENSSL_sk_value(sk,i));
154 if(!strcmp(
"SSLv2", d->kossl->SSL_CIPHER_get_version(sc)))
155 m_cfg->setGroup(
"SSLv2");
157 m_cfg->setGroup(
"SSLv3");
159 tcipher.sprintf(
"cipher_%s", d->kossl->SSL_CIPHER_get_name(sc));
160 int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL);
161 if (m_cfg->readBoolEntry(tcipher, bits >= 56)) {
162 CipherNode *xx =
new CipherNode(d->kossl->SSL_CIPHER_get_name(sc),bits);
163 if (!cipherList.contains(xx))
164 cipherList.prepend(xx);
169 d->kossl->SSL_free(ssl);
170 d->kossl->SSL_CTX_free(ctx);
174 for (
unsigned int i = 0; i < cipherList.count(); i++) {
176 while ((j = cipherList.at(i)) != 0L) {
177 if (j->name.contains(
"ADH-") || j->name.contains(
"NULL-") || j->name.contains(
"DES-CBC3-SHA") || j->name.contains(
"FZA")) {
178 cipherList.remove(j);
186 while (!cipherList.isEmpty()) {
189 else clist.append(
":");
190 clist.append(cipherList.getLast()->name);
191 cipherList.removeLast();
194 kdDebug(7029) <<
"Cipher list is: " << clist << endl;
202 m_cfg->reparseConfiguration();
204 m_cfg->setGroup(
"TLS");
205 m_bUseTLSv1 = m_cfg->readBoolEntry(
"Enabled",
true);
207 #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_NO_SSL2)
210 m_cfg->setGroup(
"SSLv2");
211 m_bUseSSLv2 = m_cfg->readBoolEntry(
"Enabled",
false);
214 #if defined(OPENSSL_NO_SSL3)
217 m_cfg->setGroup(
"SSLv3");
218 m_bUseSSLv3 = m_cfg->readBoolEntry(
"Enabled",
true);
221 m_cfg->setGroup(
"Warnings");
222 m_bWarnOnEnter = m_cfg->readBoolEntry(
"OnEnter",
false);
223 m_bWarnOnLeave = m_cfg->readBoolEntry(
"OnLeave",
true);
224 m_bWarnOnUnencrypted = m_cfg->readBoolEntry(
"OnUnencrypted",
true);
225 m_bWarnOnMixed = m_cfg->readBoolEntry(
"OnMixed",
true);
227 m_cfg->setGroup(
"Validation");
228 m_bWarnSelfSigned = m_cfg->readBoolEntry(
"WarnSelfSigned",
true);
229 m_bWarnExpired = m_cfg->readBoolEntry(
"WarnExpired",
true);
230 m_bWarnRevoked = m_cfg->readBoolEntry(
"WarnRevoked",
true);
232 m_cfg->setGroup(
"EGD");
233 d->m_bUseEGD = m_cfg->readBoolEntry(
"UseEGD",
false);
234 d->m_bUseEFile = m_cfg->readBoolEntry(
"UseEFile",
false);
235 d->m_EGDPath = m_cfg->readPathEntry(
"EGDPath");
237 m_cfg->setGroup(
"Auth");
238 d->m_bSendX509 = (
"send" == m_cfg->readEntry(
"AuthMethod",
""));
239 d->m_bPromptX509 = (
"prompt" == m_cfg->readEntry(
"AuthMethod",
""));
253 m_bWarnOnEnter =
false;
254 m_bWarnOnLeave =
true;
255 m_bWarnOnUnencrypted =
true;
256 m_bWarnOnMixed =
true;
257 m_bWarnSelfSigned =
true;
258 m_bWarnExpired =
true;
259 m_bWarnRevoked =
true;
260 d->m_bUseEGD =
false;
261 d->m_bUseEFile =
false;
267 m_cfg->setGroup(
"TLS");
268 m_cfg->writeEntry(
"Enabled", m_bUseTLSv1);
270 m_cfg->setGroup(
"SSLv2");
271 m_cfg->writeEntry(
"Enabled", m_bUseSSLv2);
273 m_cfg->setGroup(
"SSLv3");
274 m_cfg->writeEntry(
"Enabled", m_bUseSSLv3);
276 m_cfg->setGroup(
"Warnings");
277 m_cfg->writeEntry(
"OnEnter", m_bWarnOnEnter);
278 m_cfg->writeEntry(
"OnLeave", m_bWarnOnLeave);
279 m_cfg->writeEntry(
"OnUnencrypted", m_bWarnOnUnencrypted);
280 m_cfg->writeEntry(
"OnMixed", m_bWarnOnMixed);
282 m_cfg->setGroup(
"Validation");
283 m_cfg->writeEntry(
"WarnSelfSigned", m_bWarnSelfSigned);
284 m_cfg->writeEntry(
"WarnExpired", m_bWarnExpired);
285 m_cfg->writeEntry(
"WarnRevoked", m_bWarnRevoked);
287 m_cfg->setGroup(
"EGD");
288 m_cfg->writeEntry(
"UseEGD", d->m_bUseEGD);
289 m_cfg->writeEntry(
"UseEFile", d->m_bUseEFile);
290 m_cfg->writePathEntry(
"EGDPath", d->m_EGDPath);
296 m_cfg->setGroup(
"SSLv2");
297 for (
unsigned int i = 0; i < v2ciphers.count(); i++) {
299 ciphername.sprintf(
"cipher_%s", v2ciphers[i].ascii());
300 if (v2selectedciphers.contains(v2ciphers[i])) {
301 m_cfg->writeEntry(ciphername,
true);
302 }
else m_cfg->writeEntry(ciphername,
false);
305 m_cfg->setGroup(
"SSLv3");
306 for (
unsigned int i = 0; i < v3ciphers.count(); i++) {
308 ciphername.sprintf(
"cipher_%s", v3ciphers[i].ascii());
309 if (v3selectedciphers.contains(v3ciphers[i])) {
310 m_cfg->writeEntry(ciphername,
true);
311 }
else m_cfg->writeEntry(ciphername,
false);
318 TQString cfgName(TDEGlobal::dirs()->findResource(
"config",
"cryptodefaults"));
319 if (!cfgName.isEmpty())
320 ::chmod(TQFile::encodeName(cfgName), 0600);
bool warnOnRevoked() const KDE_DEPRECATED
Do not use this.
bool warnOnLeave() const
Does the user want to be warned on leaving SSL mode?
bool useEFile() const
Does the user want to use an entropy file?
bool autoSendX509() const
Does the user want X.509 client certificates to always be sent when possible?
void setTLSv1(bool enabled)
Change the user's TLSv1 preference.
void setSSLv2(bool enabled)
Change the user's SSLv2 preference.
void setWarnOnLeave(bool x)
Change the user's warnOnLeave() setting.
bool sslv3() const
Does the user allow SSLv3?
bool warnOnMixed() const
Does the user want to be warned during mixed SSL/non-SSL mode?
void setWarnOnEnter(bool x)
Change the user's warnOnEnter() setting.
bool useEGD() const
Does the user want to use the Entropy Gathering Daemon?
bool warnOnUnencrypted() const
Does the user want to be warned on sending unencrypted data?
KSSLSettings(bool readConfig=true)
Construct a KSSL Settings object.
void setWarnOnUnencrypted(bool x)
Change the user's warnOnUnencrypted() setting.
void setSSLv3(bool enabled)
Change the user's SSLv3 preference.
void defaults()
Revert to default settings.
void load()
Load the user's settings.
TQString & getEGDPath()
Get the configured path to the entropy gathering daemon or entropy file.
bool warnOnSelfSigned() const KDE_DEPRECATED
Do not use this.
bool tlsv1() const
Does the user allow TLSv1?
TQString getCipherList()
Get the OpenSSL cipher-list string used to select the ciphers offered in a connection.
~KSSLSettings()
Destroy this KSSL Settings object.
bool promptSendX509() const
Does the user want to be prompted to send X.509 client certificates when possible?
bool warnOnEnter() const
Does the user want to be warned on entering SSL mode?
bool sslv2() const
Does the user allow SSLv2?
void save()
Save the current settings.
bool warnOnExpired() const KDE_DEPRECATED
Do not use this.