+
+/*** SSL Stuff ***/
+
+void ClientAuthHandler::checkAndEnableSsl(bool coreSupportsSsl)
+{
+ CoreAccountSettings s;
+ if (coreSupportsSsl) {
+ // Make sure the warning is shown next time we don't have SSL in the core
+ s.setAccountValue("ShowNoCoreSslWarning", true);
+
+ connect(socket(), &QSslSocket::encrypted, this, &ClientAuthHandler::onSslSocketEncrypted);
+ connect(socket(), selectOverload<const QList<QSslError>&>(&QSslSocket::sslErrors), this, &ClientAuthHandler::onSslErrors);
+ qDebug() << "Starting encryption...";
+ socket()->flush();
+ socket()->startClientEncryption();
+ }
+ else {
+ if (s.accountValue("ShowNoCoreSslWarning", true).toBool()) {
+ bool accepted = false;
+ emit handleNoSslInCore(&accepted);
+ if (!accepted) {
+ requestDisconnect(tr("Unencrypted connection cancelled"));
+ return;
+ }
+ s.setAccountValue("ShowNoCoreSslWarning", false);
+ s.setAccountValue("SslCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+ if (_legacy)
+ onConnectionReady();
+ else
+ startRegistration();
+ }
+}
+
+
+void ClientAuthHandler::onSslSocketEncrypted()
+{
+ auto* socket = qobject_cast<QSslSocket*>(sender());
+ Q_ASSERT(socket);
+
+#if QT_VERSION < QT_VERSION_CHECK(5, 15, 0)
+ if (!socket->sslErrors().count()) {
+#else
+ if (!socket->sslHandshakeErrors().count()) {
+#endif
+ // Cert is valid, so we don't want to store it as known
+ // That way, a warning will appear in case it becomes invalid at some point
+ CoreAccountSettings s;
+ s.setAccountValue("SSLCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+
+ emit encrypted(true);
+
+ if (_legacy)
+ onConnectionReady();
+ else
+ startRegistration();
+}
+
+void ClientAuthHandler::onSslErrors()
+{
+ CoreAccountSettings s;
+ QByteArray knownDigest = s.accountValue("SslCert").toByteArray();
+ ClientAuthHandler::DigestVersion knownDigestVersion = static_cast<ClientAuthHandler::DigestVersion>(
+ s.accountValue("SslCertDigestVersion").toInt());
+
+ QByteArray calculatedDigest;
+ switch (knownDigestVersion) {
+ case ClientAuthHandler::DigestVersion::Md5:
+ calculatedDigest = socket()->peerCertificate().digest(QCryptographicHash::Md5);
+ break;
+
+ case ClientAuthHandler::DigestVersion::Sha2_512:
+ calculatedDigest = socket()->peerCertificate().digest(QCryptographicHash::Sha512);
+ break;
+
+ default:
+ qWarning() << "Certificate digest version" << QString(knownDigestVersion) << "is not supported";
+ }
+
+ if (knownDigest != calculatedDigest) {
+ bool accepted = false;
+ bool permanently = false;
+ emit handleSslErrors(socket(), &accepted, &permanently);
+
+ if (!accepted) {
+ requestDisconnect(tr("Unencrypted connection canceled"));
+ return;
+ }
+
+ if (permanently) {
+ s.setAccountValue("SslCert", socket()->peerCertificate().digest(QCryptographicHash::Sha512));
+ s.setAccountValue("SslCertDigestVersion", ClientAuthHandler::DigestVersion::Latest);
+ }
+ else {
+ s.setAccountValue("SslCert", QString());
+ s.setAccountValue("SslCertDigestVersion", QVariant(QVariant::Int));
+ }
+ }
+ else if (knownDigestVersion != ClientAuthHandler::DigestVersion::Latest) {
+ s.setAccountValue("SslCert", socket()->peerCertificate().digest(QCryptographicHash::Sha512));
+ s.setAccountValue("SslCertDigestVersion", ClientAuthHandler::DigestVersion::Latest);
+ }
+
+ socket()->ignoreSslErrors();
+}