+
+
+/*** SSL Stuff ***/
+
+void ClientAuthHandler::checkAndEnableSsl(bool coreSupportsSsl)
+{
+#ifndef HAVE_SSL
+ Q_UNUSED(coreSupportsSsl);
+#else
+ CoreAccountSettings s;
+ if (coreSupportsSsl && _account.useSsl()) {
+ // Make sure the warning is shown next time we don't have SSL in the core
+ s.setAccountValue("ShowNoCoreSslWarning", true);
+
+ QSslSocket *sslSocket = qobject_cast<QSslSocket *>(socket());
+ Q_ASSERT(sslSocket);
+ connect(sslSocket, SIGNAL(encrypted()), SLOT(onSslSocketEncrypted()));
+ connect(sslSocket, SIGNAL(sslErrors(QList<QSslError>)), SLOT(onSslErrors()));
+ qDebug() << "Starting encryption...";
+ sslSocket->flush();
+ sslSocket->startClientEncryption();
+ }
+ else {
+ if (s.accountValue("ShowNoCoreSslWarning", true).toBool()) {
+ bool accepted = false;
+ emit handleNoSslInCore(&accepted);
+ if (!accepted) {
+ requestDisconnect(tr("Unencrypted connection cancelled"));
+ return;
+ }
+ s.setAccountValue("ShowNoCoreSslWarning", false);
+ s.setAccountValue("SslCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+ if (_legacy)
+ onConnectionReady();
+ else
+ startRegistration();
+ }
+#endif
+}
+
+#ifdef HAVE_SSL
+
+void ClientAuthHandler::onSslSocketEncrypted()
+{
+ QSslSocket *socket = qobject_cast<QSslSocket *>(sender());
+ Q_ASSERT(socket);
+
+ if (!socket->sslErrors().count()) {
+ // Cert is valid, so we don't want to store it as known
+ // That way, a warning will appear in case it becomes invalid at some point
+ CoreAccountSettings s;
+ s.setAccountValue("SSLCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+
+ emit encrypted(true);
+
+ if (_legacy)
+ onConnectionReady();
+ else
+ startRegistration();
+}
+
+
+void ClientAuthHandler::onSslErrors()
+{
+ QSslSocket *socket = qobject_cast<QSslSocket *>(sender());
+ Q_ASSERT(socket);
+
+ CoreAccountSettings s;
+ QByteArray knownDigest = s.accountValue("SslCert").toByteArray();
+ ClientAuthHandler::DigestVersion knownDigestVersion = static_cast<ClientAuthHandler::DigestVersion>(s.accountValue("SslCertDigestVersion").toInt());
+
+ QByteArray calculatedDigest;
+ switch (knownDigestVersion) {
+ case ClientAuthHandler::DigestVersion::Md5:
+ calculatedDigest = socket->peerCertificate().digest(QCryptographicHash::Md5);
+ break;
+
+ case ClientAuthHandler::DigestVersion::Sha2_512:
+ calculatedDigest = socket->peerCertificate().digest(QCryptographicHash::Sha512);
+ break;
+
+ default:
+ qWarning() << "Certificate digest version" << QString(knownDigestVersion) << "is not supported";
+ }
+
+ if (knownDigest != calculatedDigest) {
+ bool accepted = false;
+ bool permanently = false;
+ emit handleSslErrors(socket, &accepted, &permanently);
+
+ if (!accepted) {
+ requestDisconnect(tr("Unencrypted connection canceled"));
+ return;
+ }
+
+ if (permanently) {
+ s.setAccountValue("SslCert", socket->peerCertificate().digest(QCryptographicHash::Sha512));
+ s.setAccountValue("SslCertDigestVersion", ClientAuthHandler::DigestVersion::Latest);
+ }
+ else {
+ s.setAccountValue("SslCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+ }
+ else if (knownDigestVersion != ClientAuthHandler::DigestVersion::Latest) {
+ s.setAccountValue("SslCert", socket->peerCertificate().digest(QCryptographicHash::Sha512));
+ s.setAccountValue("SslCertDigestVersion", ClientAuthHandler::DigestVersion::Latest);
+ }
+
+ socket->ignoreSslErrors();
+}
+
+#endif /* HAVE_SSL */