X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=blobdiff_plain;f=src%2Fcore%2Fsslserver.cpp;h=9c3c7edc15fde749230164c77249990a1dc87e6b;hp=8b0d06577b292200b48ef95c48dfdfdfb4591643;hb=99055e8e4a83c234ae424cc225d3a7aa17c1544b;hpb=c2e3479b87e7d0713d302d26fb2d7d01d7b8c9c2 diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp index 8b0d0657..9c3c7edc 100644 --- a/src/core/sslserver.cpp +++ b/src/core/sslserver.cpp @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2005-2016 by the Quassel Project * + * Copyright (C) 2005-2020 by the Quassel Project * * devel@quassel-irc.org * * * * This program is free software; you can redistribute it and/or modify * @@ -20,111 +20,93 @@ #include "sslserver.h" -#ifdef HAVE_SSL -# include -#endif - #include -#include +#include +#include -#include "logger.h" +#include "core.h" #include "quassel.h" -#ifdef HAVE_SSL - -SslServer::SslServer(QObject *parent) - : QTcpServer(parent), - _isCertValid(false) +SslServer::SslServer(QObject* parent) + : QTcpServer(parent) { // Keep track if the SSL warning has been mentioned at least once before static bool sslWarningShown = false; - if(Quassel::isOptionSet("ssl-cert")) { + if (Quassel::isOptionSet("ssl-cert")) { _sslCertPath = Quassel::optionValue("ssl-cert"); - } else { + } + else { _sslCertPath = Quassel::configDirPath() + "quasselCert.pem"; } - if(Quassel::isOptionSet("ssl-key")) { + if (Quassel::isOptionSet("ssl-key")) { _sslKeyPath = Quassel::optionValue("ssl-key"); - } else { + } + else { _sslKeyPath = _sslCertPath; } // Initialize the certificates for first-time usage if (!loadCerts()) { if (!sslWarningShown) { - quWarning() - << "SslServer: Unable to set certificate file\n" - << " Quassel Core will still work, but cannot provide SSL for client connections.\n" - << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + qWarning() << "SslServer: Unable to set certificate file\n" + << " Quassel Core will still work, but cannot provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; sslWarningShown = true; } } } - -QTcpSocket *SslServer::nextPendingConnection() -{ - if (_pendingConnections.isEmpty()) - return 0; - else - return _pendingConnections.takeFirst(); -} - -#if QT_VERSION >= 0x050000 void SslServer::incomingConnection(qintptr socketDescriptor) -#else -void SslServer::incomingConnection(int socketDescriptor) -#endif { - QSslSocket *serverSocket = new QSslSocket(this); - if (serverSocket->setSocketDescriptor(socketDescriptor)) { + auto* socket = new QSslSocket(this); + if (socket->setSocketDescriptor(socketDescriptor)) { if (isCertValid()) { - serverSocket->setLocalCertificate(_cert); - serverSocket->setPrivateKey(_key); - serverSocket->addCaCertificates(_ca); + auto config = socket->sslConfiguration(); + config.setLocalCertificate(_cert); + config.setPrivateKey(_key); + auto certificates = config.caCertificates(); + certificates += _ca; + config.setCaCertificates(certificates); + socket->setSslConfiguration(config); } - _pendingConnections << serverSocket; - emit newConnection(); + addPendingConnection(socket); } else { - delete serverSocket; + delete socket; } } - bool SslServer::loadCerts() { // Load the certificates specified in the path. If needed, other prep work can be done here. return setCertificate(_sslCertPath, _sslKeyPath); } - bool SslServer::reloadCerts() { if (loadCerts()) { return true; - } else { + } + else { // Reloading certificates currently only occur in response to a request. Always print an // error if something goes wrong, in order to simplify checking if it's working. if (isCertValid()) { - quWarning() - << "SslServer: Unable to reload certificate file, reverting\n" - << " Quassel Core will use the previous key to provide SSL for client connections.\n" - << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; - } else { - quWarning() - << "SslServer: Unable to reload certificate file\n" - << " Quassel Core will still work, but cannot provide SSL for client connections.\n" - << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + qWarning() << "SslServer: Unable to reload certificate file, reverting\n" + << " Quassel Core will use the previous key to provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + } + else { + qWarning() << "SslServer: Unable to reload certificate file\n" + << " Quassel Core will still work, but cannot provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; } return false; } } - -bool SslServer::setCertificate(const QString &path, const QString &keyPath) +bool SslServer::setCertificate(const QString& path, const QString& keyPath) { // Don't reset _isCertValid here, in case an older but valid certificate is still loaded. // Use temporary variables in order to avoid overwriting the existing certificates until @@ -138,84 +120,82 @@ bool SslServer::setCertificate(const QString &path, const QString &keyPath) QFile certFile(path); if (!certFile.exists()) { - quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist"; + qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist"; return false; } if (!certFile.open(QIODevice::ReadOnly)) { - quWarning() - << "SslServer: Failed to open certificate file" << qPrintable(path) - << "error:" << certFile.error(); + qWarning() << "SslServer: Failed to open certificate file" << qPrintable(path) << "error:" << certFile.error(); return false; } QList certList = QSslCertificate::fromDevice(&certFile); if (certList.isEmpty()) { - quWarning() << "SslServer: Certificate file doesn't contain a certificate"; + qWarning() << "SslServer: Certificate file doesn't contain a certificate"; return false; } untestedCert = certList[0]; - certList.removeFirst(); // remove server cert + certList.removeFirst(); // remove server cert // store CA and intermediates certs untestedCA = certList; if (!certFile.reset()) { - quWarning() << "SslServer: IO error reading certificate file"; + qWarning() << "SslServer: IO error reading certificate file"; return false; } // load key from keyPath if it differs from path, otherwise load key from path - if(path != keyPath) { + if (path != keyPath) { QFile keyFile(keyPath); - if(!keyFile.exists()) { - quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist"; + if (!keyFile.exists()) { + qWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist"; return false; } if (!keyFile.open(QIODevice::ReadOnly)) { - quWarning() - << "SslServer: Failed to open key file" << qPrintable(keyPath) - << "error:" << keyFile.error(); + qWarning() << "SslServer: Failed to open key file" << qPrintable(keyPath) << "error:" << keyFile.error(); return false; } - untestedKey = QSslKey(&keyFile, QSsl::Rsa); + untestedKey = loadKey(&keyFile); keyFile.close(); - } else { - untestedKey = QSslKey(&certFile, QSsl::Rsa); + } + else { + untestedKey = loadKey(&certFile); } certFile.close(); if (untestedCert.isNull()) { - quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; + qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; return false; } // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid. const QDateTime now = QDateTime::currentDateTime(); - if (now < untestedCert.effectiveDate()) - quWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString(); - - else if (now > untestedCert.expiryDate()) - quWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString(); - - else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block -#if QT_VERSION < 0x050000 - if (!untestedCert.isValid()) -#else - if (untestedCert.isBlacklisted()) -#endif - quWarning() << "SslServer: Certificate blacklisted"; + if (now < untestedCert.effectiveDate()) { + qWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString(); } + else if (now > untestedCert.expiryDate()) { + qWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString(); + } + else if (untestedCert.isBlacklisted()) { + qWarning() << "SslServer: Certificate blacklisted"; + } + if (untestedKey.isNull()) { - quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data"; + qWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data"; return false; } + _certificateExpires = untestedCert.expiryDate(); + if (_metricsServer) { + _metricsServer->setCertificateExpires(_certificateExpires); + } + _isCertValid = true; // All keys are valid, update the externally visible copy used for new connections. @@ -226,5 +206,24 @@ bool SslServer::setCertificate(const QString &path, const QString &keyPath) return _isCertValid; } +QSslKey SslServer::loadKey(QFile* keyFile) +{ + QSslKey key; + key = QSslKey(keyFile, QSsl::Rsa); + if (key.isNull()) { + if (!keyFile->reset()) { + qWarning() << "SslServer: IO error reading key file"; + return key; + } + key = QSslKey(keyFile, QSsl::Ec); + } + return key; +} -#endif // HAVE_SSL +void SslServer::setMetricsServer(MetricsServer* metricsServer) +{ + _metricsServer = metricsServer; + if (_metricsServer) { + _metricsServer->setCertificateExpires(_certificateExpires); + } +}