cmake: avoid de-duplication of user's CXXFLAGS

[quassel.git] / src / core / sslserver.cpp
diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp

index e5d6e27..cf98bc2 100644 (file)
--- a/src/core/sslserver.cpp
+++ b/src/core/sslserver.cpp
@@ -1,5 +1,5 @@
  /***************************************************************************
- *   Copyright (C) 2005-2019 by the Quassel Project                        *
+ *   Copyright (C) 2005-2022 by the Quassel Project                        *
   *   devel@quassel-irc.org                                                 *
   *                                                                         *
   *   This program is free software; you can redistribute it and/or modify  *
@@ -20,16 +20,13 @@
  
  #include "sslserver.h"
  
-#ifdef HAVE_SSL
-#    include <QSslSocket>
-#endif
-
  #include <QDateTime>
+#include <QSslConfiguration>
+#include <QSslSocket>
  
+#include "core.h"
  #include "quassel.h"
  
-#ifdef HAVE_SSL
-
  SslServer::SslServer(QObject* parent)
      : QTcpServer(parent)
  {
@@ -52,6 +49,13 @@ SslServer::SslServer(QObject* parent)
  
      // Initialize the certificates for first-time usage
      if (!loadCerts()) {
+        // If the core is unable to load a certificate, and "--require-ssl" is specified,
+        // do not proceed, throw an exception and quit. This prevents the core from falling
+        // back to a plaintext-only core when they should be expecting SSL/TLS only.
+        if (Quassel::isOptionSet("require-ssl")) {
+            throw ExitException{EXIT_FAILURE, tr("--require-ssl is set, but no SSL certificate is available. Exiting.\n"
+                                                 "Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.")};
+        }
          if (!sslWarningShown) {
              qWarning() << "SslServer: Unable to set certificate file\n"
                         << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
@@ -61,28 +65,23 @@ SslServer::SslServer(QObject* parent)
      }
  }
  
-QTcpSocket* SslServer::nextPendingConnection()
-{
-    if (_pendingConnections.isEmpty())
-        return nullptr;
-    else
-        return _pendingConnections.takeFirst();
-}
-
  void SslServer::incomingConnection(qintptr socketDescriptor)
  {
-    auto* serverSocket = new QSslSocket(this);
-    if (serverSocket->setSocketDescriptor(socketDescriptor)) {
+    auto* socket = new QSslSocket(this);
+    if (socket->setSocketDescriptor(socketDescriptor)) {
          if (isCertValid()) {
-            serverSocket->setLocalCertificate(_cert);
-            serverSocket->setPrivateKey(_key);
-            serverSocket->addCaCertificates(_ca);
+            auto config = socket->sslConfiguration();
+            config.setLocalCertificate(_cert);
+            config.setPrivateKey(_key);
+            auto certificates = config.caCertificates();
+            certificates += _ca;
+            config.setCaCertificates(certificates);
+            socket->setSslConfiguration(config);
          }
-        _pendingConnections << serverSocket;
-        emit newConnection();
+        addPendingConnection(socket);
      }
      else {
-        delete serverSocket;
+        delete socket;
      }
  }
  
@@ -199,6 +198,11 @@ bool SslServer::setCertificate(const QString& path, const QString& keyPath)
          return false;
      }
  
+    _certificateExpires = untestedCert.expiryDate();
+    if (_metricsServer) {
+        _metricsServer->setCertificateExpires(_certificateExpires);
+    }
+
      _isCertValid = true;
  
      // All keys are valid, update the externally visible copy used for new connections.
@@ -223,4 +227,10 @@ QSslKey SslServer::loadKey(QFile* keyFile)
      return key;
  }
  
-#endif  // HAVE_SSL
+void SslServer::setMetricsServer(MetricsServer* metricsServer)
+{
+    _metricsServer = metricsServer;
+    if (_metricsServer) {
+        _metricsServer->setCertificateExpires(_certificateExpires);
+    }
+}