+
+
+/*** SSL Stuff ***/
+
+void ClientAuthHandler::checkAndEnableSsl(bool coreSupportsSsl)
+{
+#ifndef HAVE_SSL
+ Q_UNUSED(coreSupportsSsl);
+#else
+ CoreAccountSettings s;
+ if (coreSupportsSsl && _account.useSsl()) {
+ // Make sure the warning is shown next time we don't have SSL in the core
+ s.setAccountValue("ShowNoCoreSslWarning", true);
+
+ QSslSocket *sslSocket = qobject_cast<QSslSocket *>(socket());
+ Q_ASSERT(sslSocket);
+ connect(sslSocket, SIGNAL(encrypted()), SLOT(onSslSocketEncrypted()));
+ connect(sslSocket, SIGNAL(sslErrors(QList<QSslError>)), SLOT(onSslErrors()));
+ qDebug() << "Starting encryption...";
+ sslSocket->flush();
+ sslSocket->startClientEncryption();
+ }
+ else {
+ if (s.accountValue("ShowNoCoreSslWarning", true).toBool()) {
+ bool accepted = false;
+ emit handleNoSslInCore(&accepted);
+ if (!accepted) {
+ requestDisconnect(tr("Unencrypted connection cancelled"));
+ return;
+ }
+ s.setAccountValue("ShowNoCoreSslWarning", false);
+ s.setAccountValue("SslCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+ if (_legacy)
+ onConnectionReady();
+ else
+ startRegistration();
+ }
+#endif
+}
+
+#ifdef HAVE_SSL
+
+void ClientAuthHandler::onSslSocketEncrypted()
+{
+ QSslSocket *socket = qobject_cast<QSslSocket *>(sender());
+ Q_ASSERT(socket);
+
+ if (!socket->sslErrors().count()) {
+ // Cert is valid, so we don't want to store it as known
+ // That way, a warning will appear in case it becomes invalid at some point
+ CoreAccountSettings s;
+ s.setAccountValue("SSLCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+
+ emit encrypted(true);
+
+ if (_legacy)
+ onConnectionReady();
+ else
+ startRegistration();
+}
+
+
+void ClientAuthHandler::onSslErrors()
+{
+ QSslSocket *socket = qobject_cast<QSslSocket *>(sender());
+ Q_ASSERT(socket);
+
+ CoreAccountSettings s;
+ QByteArray knownDigest = s.accountValue("SslCert").toByteArray();
+ ClientAuthHandler::DigestVersion knownDigestVersion = static_cast<ClientAuthHandler::DigestVersion>(s.accountValue("SslCertDigestVersion").toInt());
+
+ QByteArray calculatedDigest;
+ switch (knownDigestVersion) {
+ case ClientAuthHandler::DigestVersion::Md5:
+ calculatedDigest = socket->peerCertificate().digest(QCryptographicHash::Md5);
+ break;
+
+ case ClientAuthHandler::DigestVersion::Sha2_512:
+#if QT_VERSION >= 0x050000
+ calculatedDigest = socket->peerCertificate().digest(QCryptographicHash::Sha512);
+#else
+ calculatedDigest = sha2_512(socket->peerCertificate().toDer());
+#endif
+ break;
+
+ default:
+ qWarning() << "Certificate digest version" << QString(knownDigestVersion) << "is not supported";
+ }
+
+ if (knownDigest != calculatedDigest) {
+ bool accepted = false;
+ bool permanently = false;
+ emit handleSslErrors(socket, &accepted, &permanently);
+
+ if (!accepted) {
+ requestDisconnect(tr("Unencrypted connection canceled"));
+ return;
+ }
+
+ if (permanently) {
+#if QT_VERSION >= 0x050000
+ s.setAccountValue("SslCert", socket->peerCertificate().digest(QCryptographicHash::Sha512));
+#else
+ s.setAccountValue("SslCert", sha2_512(socket->peerCertificate().toDer()));
+#endif
+ s.setAccountValue("SslCertDigestVersion", ClientAuthHandler::DigestVersion::Latest);
+ }
+ else {
+ s.setAccountValue("SslCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+ }
+ else if (knownDigestVersion != ClientAuthHandler::DigestVersion::Latest) {
+#if QT_VERSION >= 0x050000
+ s.setAccountValue("SslCert", socket->peerCertificate().digest(QCryptographicHash::Sha512));
+#else
+ s.setAccountValue("SslCert", sha2_512(socket->peerCertificate().toDer()));
+#endif
+ s.setAccountValue("SslCertDigestVersion", ClientAuthHandler::DigestVersion::Latest);
+ }
+
+ socket->ignoreSslErrors();
+}
+
+#if QT_VERSION < 0x050000
+QByteArray ClientAuthHandler::sha2_512(const QByteArray &input) {
+ unsigned char output[64];
+ sha512((unsigned char*) input.constData(), input.size(), output, false);
+ // QByteArray::fromRawData() cannot be used here because that constructor
+ // does not copy "output" and the data is clobbered when the variable goes
+ // out of scope.
+ QByteArray result;
+ result.append((char*) output, 64);
+ return result;
+}
+#endif
+
+#endif /* HAVE_SSL */