X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=blobdiff_plain;f=src%2Fcore%2Fsslserver.cpp;h=9c3c7edc15fde749230164c77249990a1dc87e6b;hp=203ec76115292f20da937ab744b1f21cece513a3;hb=99055e8e4a83c234ae424cc225d3a7aa17c1544b;hpb=ffcc8befd931340321e3aa2029cb5667373fd584

diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp
index 203ec761..9c3c7edc 100644
--- a/src/core/sslserver.cpp
+++ b/src/core/sslserver.cpp
@@ -1,5 +1,5 @@
 /***************************************************************************
- *   Copyright (C) 2005-09 by the Quassel Project                          *
+ *   Copyright (C) 2005-2020 by the Quassel Project                        *
  *   devel@quassel-irc.org                                                 *
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
@@ -15,68 +15,215 @@
  *   You should have received a copy of the GNU General Public License     *
  *   along with this program; if not, write to the                         *
  *   Free Software Foundation, Inc.,                                       *
- *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ *   51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.         *
  ***************************************************************************/
 
 #include "sslserver.h"
 
-#ifdef HAVE_SSL
-#  include <QSslSocket>
-#endif
+#include <QDateTime>
+#include <QSslConfiguration>
+#include <QSslSocket>
 
-#include <QFile>
-#include <QDebug>
+#include "core.h"
+#include "quassel.h"
 
-#include "logger.h"
-#include "util.h"
+SslServer::SslServer(QObject* parent)
+    : QTcpServer(parent)
+{
+    // Keep track if the SSL warning has been mentioned at least once before
+    static bool sslWarningShown = false;
 
-#ifdef HAVE_SSL
+    if (Quassel::isOptionSet("ssl-cert")) {
+        _sslCertPath = Quassel::optionValue("ssl-cert");
+    }
+    else {
+        _sslCertPath = Quassel::configDirPath() + "quasselCert.pem";
+    }
 
-SslServer::SslServer(QObject *parent)
-  : QTcpServer(parent)
+    if (Quassel::isOptionSet("ssl-key")) {
+        _sslKeyPath = Quassel::optionValue("ssl-key");
+    }
+    else {
+        _sslKeyPath = _sslCertPath;
+    }
+
+    // Initialize the certificates for first-time usage
+    if (!loadCerts()) {
+        if (!sslWarningShown) {
+            qWarning() << "SslServer: Unable to set certificate file\n"
+                       << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
+                       << "          Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+            sslWarningShown = true;
+        }
+    }
+}
+
+void SslServer::incomingConnection(qintptr socketDescriptor)
 {
-  setCertificate(quasselDir().absolutePath() + "/quasselCert.pem");
+    auto* socket = new QSslSocket(this);
+    if (socket->setSocketDescriptor(socketDescriptor)) {
+        if (isCertValid()) {
+            auto config = socket->sslConfiguration();
+            config.setLocalCertificate(_cert);
+            config.setPrivateKey(_key);
+            auto certificates = config.caCertificates();
+            certificates += _ca;
+            config.setCaCertificates(certificates);
+            socket->setSslConfiguration(config);
+        }
+        addPendingConnection(socket);
+    }
+    else {
+        delete socket;
+    }
 }
 
-QTcpSocket *SslServer::nextPendingConnection() {
-  if(_pendingConnections.isEmpty())
-    return 0;
-  else
-    return _pendingConnections.takeFirst();
+bool SslServer::loadCerts()
+{
+    // Load the certificates specified in the path.  If needed, other prep work can be done here.
+    return setCertificate(_sslCertPath, _sslKeyPath);
 }
 
-void SslServer::incomingConnection(int socketDescriptor) {
-  QSslSocket *serverSocket = new QSslSocket(this);
-  if(serverSocket->setSocketDescriptor(socketDescriptor)) {
-    if(certIsValid()) {
-      serverSocket->setLocalCertificate(_cert);
-      serverSocket->setPrivateKey(_key);
-    }
-    _pendingConnections << serverSocket;
-    emit newConnection();
-  } else {
-    delete serverSocket;
-  }
+bool SslServer::reloadCerts()
+{
+    if (loadCerts()) {
+        return true;
+    }
+    else {
+        // Reloading certificates currently only occur in response to a request.  Always print an
+        // error if something goes wrong, in order to simplify checking if it's working.
+        if (isCertValid()) {
+            qWarning() << "SslServer: Unable to reload certificate file, reverting\n"
+                       << "          Quassel Core will use the previous key to provide SSL for client connections.\n"
+                       << "          Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+        }
+        else {
+            qWarning() << "SslServer: Unable to reload certificate file\n"
+                       << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
+                       << "          Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+        }
+        return false;
+    }
 }
 
-bool SslServer::setCertificate(const QString &path) {
-  QFile certFile(path);
-  certFile.open(QIODevice::ReadOnly);
-  _cert = QSslCertificate(&certFile);
-  certFile.close();
+bool SslServer::setCertificate(const QString& path, const QString& keyPath)
+{
+    // Don't reset _isCertValid here, in case an older but valid certificate is still loaded.
+    // Use temporary variables in order to avoid overwriting the existing certificates until
+    // everything is confirmed good.
+    QSslCertificate untestedCert;
+    QList<QSslCertificate> untestedCA;
+    QSslKey untestedKey;
+
+    if (path.isEmpty())
+        return false;
 
-  certFile.open(QIODevice::ReadOnly);
-  _key = QSslKey(&certFile, QSsl::Rsa);
-  certFile.close();
+    QFile certFile(path);
+    if (!certFile.exists()) {
+        qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
+        return false;
+    }
+
+    if (!certFile.open(QIODevice::ReadOnly)) {
+        qWarning() << "SslServer: Failed to open certificate file" << qPrintable(path) << "error:" << certFile.error();
+        return false;
+    }
 
-  _certIsValid = !_cert.isNull() && _cert.isValid() && !_key.isNull();
-  if(!_certIsValid) {
-    qWarning() << "SslServer: SSL Certificate is either missing or has a wrong format!\n"
-               << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
-               << "          Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
-  }
+    QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);
+
+    if (certList.isEmpty()) {
+        qWarning() << "SslServer: Certificate file doesn't contain a certificate";
+        return false;
+    }
+
+    untestedCert = certList[0];
+    certList.removeFirst();  // remove server cert
+
+    // store CA and intermediates certs
+    untestedCA = certList;
+
+    if (!certFile.reset()) {
+        qWarning() << "SslServer: IO error reading certificate file";
+        return false;
+    }
 
-  return _certIsValid;
+    // load key from keyPath if it differs from path, otherwise load key from path
+    if (path != keyPath) {
+        QFile keyFile(keyPath);
+        if (!keyFile.exists()) {
+            qWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
+            return false;
+        }
+
+        if (!keyFile.open(QIODevice::ReadOnly)) {
+            qWarning() << "SslServer: Failed to open key file" << qPrintable(keyPath) << "error:" << keyFile.error();
+            return false;
+        }
+
+        untestedKey = loadKey(&keyFile);
+        keyFile.close();
+    }
+    else {
+        untestedKey = loadKey(&certFile);
+    }
+
+    certFile.close();
+
+    if (untestedCert.isNull()) {
+        qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
+        return false;
+    }
+
+    // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
+    const QDateTime now = QDateTime::currentDateTime();
+    if (now < untestedCert.effectiveDate()) {
+        qWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString();
+    }
+    else if (now > untestedCert.expiryDate()) {
+        qWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString();
+    }
+    else if (untestedCert.isBlacklisted()) {
+        qWarning() << "SslServer: Certificate blacklisted";
+    }
+
+    if (untestedKey.isNull()) {
+        qWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
+        return false;
+    }
+
+    _certificateExpires = untestedCert.expiryDate();
+    if (_metricsServer) {
+        _metricsServer->setCertificateExpires(_certificateExpires);
+    }
+
+    _isCertValid = true;
+
+    // All keys are valid, update the externally visible copy used for new connections.
+    _cert = untestedCert;
+    _ca = untestedCA;
+    _key = untestedKey;
+
+    return _isCertValid;
+}
+
+QSslKey SslServer::loadKey(QFile* keyFile)
+{
+    QSslKey key;
+    key = QSslKey(keyFile, QSsl::Rsa);
+    if (key.isNull()) {
+        if (!keyFile->reset()) {
+            qWarning() << "SslServer: IO error reading key file";
+            return key;
+        }
+        key = QSslKey(keyFile, QSsl::Ec);
+    }
+    return key;
 }
 
-#endif // HAVE_SSL
+void SslServer::setMetricsServer(MetricsServer* metricsServer)
+{
+    _metricsServer = metricsServer;
+    if (_metricsServer) {
+        _metricsServer->setCertificateExpires(_certificateExpires);
+    }
+}