1 /***************************************************************************
2 * Copyright (C) 2005-2016 by the Quassel Project *
3 * devel@quassel-irc.org *
5 * This program is free software; you can redistribute it and/or modify *
6 * it under the terms of the GNU General Public License as published by *
7 * the Free Software Foundation; either version 2 of the License, or *
8 * (at your option) version 3. *
10 * This program is distributed in the hope that it will be useful, *
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
13 * GNU General Public License for more details. *
15 * You should have received a copy of the GNU General Public License *
16 * along with this program; if not, write to the *
17 * Free Software Foundation, Inc., *
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. *
19 ***************************************************************************/
21 #include "sslserver.h"
24 # include <QSslSocket>
35 SslServer::SslServer(QObject *parent)
39 // Keep track if the SSL warning has been mentioned at least once before
40 static bool sslWarningShown = false;
42 if(Quassel::isOptionSet("ssl-cert")) {
43 _sslCertPath = Quassel::optionValue("ssl-cert");
45 _sslCertPath = Quassel::configDirPath() + "quasselCert.pem";
48 if(Quassel::isOptionSet("ssl-key")) {
49 _sslKeyPath = Quassel::optionValue("ssl-key");
51 _sslKeyPath = _sslCertPath;
54 // Initialize the certificates for first-time usage
56 if (!sslWarningShown) {
58 << "SslServer: Unable to set certificate file\n"
59 << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
60 << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
61 sslWarningShown = true;
67 QTcpSocket *SslServer::nextPendingConnection()
69 if (_pendingConnections.isEmpty())
72 return _pendingConnections.takeFirst();
75 #if QT_VERSION >= 0x050000
76 void SslServer::incomingConnection(qintptr socketDescriptor)
78 void SslServer::incomingConnection(int socketDescriptor)
81 QSslSocket *serverSocket = new QSslSocket(this);
82 if (serverSocket->setSocketDescriptor(socketDescriptor)) {
84 serverSocket->setLocalCertificate(_cert);
85 serverSocket->setPrivateKey(_key);
86 serverSocket->addCaCertificates(_ca);
88 _pendingConnections << serverSocket;
97 bool SslServer::loadCerts()
99 // Load the certificates specified in the path. If needed, other prep work can be done here.
100 return setCertificate(_sslCertPath, _sslKeyPath);
104 bool SslServer::reloadCerts()
109 // Reloading certificates currently only occur in response to a request. Always print an
110 // error if something goes wrong, in order to simplify checking if it's working.
113 << "SslServer: Unable to reload certificate file, reverting\n"
114 << " Quassel Core will use the previous key to provide SSL for client connections.\n"
115 << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
118 << "SslServer: Unable to reload certificate file\n"
119 << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
120 << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
127 bool SslServer::setCertificate(const QString &path, const QString &keyPath)
129 // Don't reset _isCertValid here, in case an older but valid certificate is still loaded.
130 // Use temporary variables in order to avoid overwriting the existing certificates until
131 // everything is confirmed good.
132 QSslCertificate untestedCert;
133 QList<QSslCertificate> untestedCA;
139 QFile certFile(path);
140 if (!certFile.exists()) {
141 quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
145 if (!certFile.open(QIODevice::ReadOnly)) {
147 << "SslServer: Failed to open certificate file" << qPrintable(path)
148 << "error:" << certFile.error();
152 QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);
154 if (certList.isEmpty()) {
155 quWarning() << "SslServer: Certificate file doesn't contain a certificate";
159 untestedCert = certList[0];
160 certList.removeFirst(); // remove server cert
162 // store CA and intermediates certs
163 untestedCA = certList;
165 if (!certFile.reset()) {
166 quWarning() << "SslServer: IO error reading certificate file";
170 // load key from keyPath if it differs from path, otherwise load key from path
171 if(path != keyPath) {
172 QFile keyFile(keyPath);
173 if(!keyFile.exists()) {
174 quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
178 if (!keyFile.open(QIODevice::ReadOnly)) {
180 << "SslServer: Failed to open key file" << qPrintable(keyPath)
181 << "error:" << keyFile.error();
185 untestedKey = QSslKey(&keyFile, QSsl::Rsa);
188 untestedKey = QSslKey(&certFile, QSsl::Rsa);
193 if (untestedCert.isNull()) {
194 quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
198 // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
199 const QDateTime now = QDateTime::currentDateTime();
200 if (now < untestedCert.effectiveDate())
201 quWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString();
203 else if (now > untestedCert.expiryDate())
204 quWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString();
206 else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block
207 #if QT_VERSION < 0x050000
208 if (!untestedCert.isValid())
210 if (untestedCert.isBlacklisted())
212 quWarning() << "SslServer: Certificate blacklisted";
214 if (untestedKey.isNull()) {
215 quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
221 // All keys are valid, update the externally visible copy used for new connections.
222 _cert = untestedCert;