X-Git-Url: https://git.quassel-irc.org/?a=blobdiff_plain;f=src%2Fcore%2Fsslserver.cpp;h=183bbe18c7a486bb34f9d81b473f81806b4a7a7e;hb=f12d6496251729f7d21f4fbcb0814dec7fba4b75;hp=c31b507f73638c01ce17fe28916bb34fa86c22d0;hpb=694f9bfbf7f1af19108461c7e00d133e55082bce;p=quassel.git diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp index c31b507f..183bbe18 100644 --- a/src/core/sslserver.cpp +++ b/src/core/sslserver.cpp @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2005-09 by the Quassel Project * + * Copyright (C) 2005-2018 by the Quassel Project * * devel@quassel-irc.org * * * * This program is free software; you can redistribute it and/or modify * @@ -15,7 +15,7 @@ * You should have received a copy of the GNU General Public License * * along with this program; if not, write to the * * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * ***************************************************************************/ #include "sslserver.h" @@ -24,10 +24,10 @@ # include #endif -#include +#include -#include "logger.h" #include "quassel.h" +#include "logmessage.h" #ifdef HAVE_SSL @@ -35,13 +35,28 @@ SslServer::SslServer(QObject *parent) : QTcpServer(parent), _isCertValid(false) { + // Keep track if the SSL warning has been mentioned at least once before static bool sslWarningShown = false; - if (!setCertificate(Quassel::configDirPath() + "quasselCert.pem")) { + + if(Quassel::isOptionSet("ssl-cert")) { + _sslCertPath = Quassel::optionValue("ssl-cert"); + } else { + _sslCertPath = Quassel::configDirPath() + "quasselCert.pem"; + } + + if(Quassel::isOptionSet("ssl-key")) { + _sslKeyPath = Quassel::optionValue("ssl-key"); + } else { + _sslKeyPath = _sslCertPath; + } + + // Initialize the certificates for first-time usage + if (!loadCerts()) { if (!sslWarningShown) { quWarning() << "SslServer: Unable to set certificate file\n" << " Quassel Core will still work, but cannot provide SSL for client connections.\n" - << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support."; + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; sslWarningShown = true; } } @@ -56,8 +71,11 @@ QTcpSocket *SslServer::nextPendingConnection() return _pendingConnections.takeFirst(); } - +#if QT_VERSION >= 0x050000 +void SslServer::incomingConnection(qintptr socketDescriptor) +#else void SslServer::incomingConnection(int socketDescriptor) +#endif { QSslSocket *serverSocket = new QSslSocket(this); if (serverSocket->setSocketDescriptor(socketDescriptor)) { @@ -75,9 +93,44 @@ void SslServer::incomingConnection(int socketDescriptor) } -bool SslServer::setCertificate(const QString &path) +bool SslServer::loadCerts() { - _isCertValid = false; + // Load the certificates specified in the path. If needed, other prep work can be done here. + return setCertificate(_sslCertPath, _sslKeyPath); +} + + +bool SslServer::reloadCerts() +{ + if (loadCerts()) { + return true; + } else { + // Reloading certificates currently only occur in response to a request. Always print an + // error if something goes wrong, in order to simplify checking if it's working. + if (isCertValid()) { + quWarning() + << "SslServer: Unable to reload certificate file, reverting\n" + << " Quassel Core will use the previous key to provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + } else { + quWarning() + << "SslServer: Unable to reload certificate file\n" + << " Quassel Core will still work, but cannot provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + } + return false; + } +} + + +bool SslServer::setCertificate(const QString &path, const QString &keyPath) +{ + // Don't reset _isCertValid here, in case an older but valid certificate is still loaded. + // Use temporary variables in order to avoid overwriting the existing certificates until + // everything is confirmed good. + QSslCertificate untestedCert; + QList untestedCA; + QSslKey untestedKey; if (path.isEmpty()) return false; @@ -102,36 +155,92 @@ bool SslServer::setCertificate(const QString &path) return false; } - _cert = certList[0]; + untestedCert = certList[0]; certList.removeFirst(); // remove server cert // store CA and intermediates certs - _ca = certList; + untestedCA = certList; if (!certFile.reset()) { quWarning() << "SslServer: IO error reading certificate file"; return false; } - _key = QSslKey(&certFile, QSsl::Rsa); + // load key from keyPath if it differs from path, otherwise load key from path + if(path != keyPath) { + QFile keyFile(keyPath); + if(!keyFile.exists()) { + quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist"; + return false; + } + + if (!keyFile.open(QIODevice::ReadOnly)) { + quWarning() + << "SslServer: Failed to open key file" << qPrintable(keyPath) + << "error:" << keyFile.error(); + return false; + } + + untestedKey = loadKey(&keyFile); + keyFile.close(); + } else { + untestedKey = loadKey(&certFile); + } + certFile.close(); - if (_cert.isNull()) { + if (untestedCert.isNull()) { quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; return false; } - if (!_cert.isValid()) { - quWarning() << "SslServer: Invalid certificate (most likely expired)"; + + // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid. + const QDateTime now = QDateTime::currentDateTime(); + if (now < untestedCert.effectiveDate()) + quWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString(); + + else if (now > untestedCert.expiryDate()) + quWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString(); + + else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block +#if QT_VERSION < 0x050000 + if (!untestedCert.isValid()) +#else + if (untestedCert.isBlacklisted()) +#endif + quWarning() << "SslServer: Certificate blacklisted"; } - if (_key.isNull()) { - quWarning() << "SslServer:" << qPrintable(path) << "contains no key data"; + if (untestedKey.isNull()) { + quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data"; return false; } _isCertValid = true; + // All keys are valid, update the externally visible copy used for new connections. + _cert = untestedCert; + _ca = untestedCA; + _key = untestedKey; + return _isCertValid; } +QSslKey SslServer::loadKey(QFile *keyFile) +{ + QSslKey key; + key = QSslKey(keyFile, QSsl::Rsa); +#if QT_VERSION >= 0x050500 + if (key.isNull()) { + if (!keyFile->reset()) { + quWarning() << "SslServer: IO error reading key file"; + return key; + } + key = QSslKey(keyFile, QSsl::Ec); + } +#endif + return key; +} + + #endif // HAVE_SSL