X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=blobdiff_plain;f=src%2Fcore%2Fsslserver.cpp;h=b6becaf6c00fabed2539cf3d1d10f7f4ebaa49a2;hp=c44f40963fe8d64d1883aa1ad77e30073cd91029;hb=10e6f4629e39c66cfb8db6ab2806bf8f13ec700b;hpb=9d54503555534a2c554f09a33df6afa33d6308ec diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp index c44f4096..b6becaf6 100644 --- a/src/core/sslserver.cpp +++ b/src/core/sslserver.cpp @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2005-2014 by the Quassel Project * + * Copyright (C) 2005-2016 by the Quassel Project * * devel@quassel-irc.org * * * * This program is free software; you can redistribute it and/or modify * @@ -24,6 +24,7 @@ # include #endif +#include #include #include "logger.h" @@ -35,8 +36,23 @@ SslServer::SslServer(QObject *parent) : QTcpServer(parent), _isCertValid(false) { + // Keep track if the SSL warning has been mentioned at least once before static bool sslWarningShown = false; - if (!setCertificate(Quassel::configDirPath() + "quasselCert.pem")) { + + if(Quassel::isOptionSet("ssl-cert")) { + _sslCertPath = Quassel::optionValue("ssl-cert"); + } else { + _sslCertPath = Quassel::configDirPath() + "quasselCert.pem"; + } + + if(Quassel::isOptionSet("ssl-key")) { + _sslKeyPath = Quassel::optionValue("ssl-key"); + } else { + _sslKeyPath = _sslCertPath; + } + + // Initialize the certificates for first-time usage + if (!loadCerts()) { if (!sslWarningShown) { quWarning() << "SslServer: Unable to set certificate file\n" @@ -56,8 +72,11 @@ QTcpSocket *SslServer::nextPendingConnection() return _pendingConnections.takeFirst(); } - +#if QT_VERSION >= 0x050000 +void SslServer::incomingConnection(qintptr socketDescriptor) +#else void SslServer::incomingConnection(int socketDescriptor) +#endif { QSslSocket *serverSocket = new QSslSocket(this); if (serverSocket->setSocketDescriptor(socketDescriptor)) { @@ -75,9 +94,44 @@ void SslServer::incomingConnection(int socketDescriptor) } -bool SslServer::setCertificate(const QString &path) +bool SslServer::loadCerts() +{ + // Load the certificates specified in the path. If needed, other prep work can be done here. + return setCertificate(_sslCertPath, _sslKeyPath); +} + + +bool SslServer::reloadCerts() +{ + if (loadCerts()) { + return true; + } else { + // Reloading certificates currently only occur in response to a request. Always print an + // error if something goes wrong, in order to simplify checking if it's working. + if (isCertValid()) { + quWarning() + << "SslServer: Unable to reload certificate file, reverting\n" + << " Quassel Core will use the previous key to provide SSL for client connections.\n" + << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support."; + } else { + quWarning() + << "SslServer: Unable to reload certificate file\n" + << " Quassel Core will still work, but cannot provide SSL for client connections.\n" + << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support."; + } + return false; + } +} + + +bool SslServer::setCertificate(const QString &path, const QString &keyPath) { - _isCertValid = false; + // Don't reset _isCertValid here, in case an older but valid certificate is still loaded. + // Use temporary variables in order to avoid overwriting the existing certificates until + // everything is confirmed good. + QSslCertificate untestedCert; + QList untestedCA; + QSslKey untestedKey; if (path.isEmpty()) return false; @@ -102,35 +156,73 @@ bool SslServer::setCertificate(const QString &path) return false; } - _cert = certList[0]; + untestedCert = certList[0]; certList.removeFirst(); // remove server cert // store CA and intermediates certs - _ca = certList; + untestedCA = certList; if (!certFile.reset()) { quWarning() << "SslServer: IO error reading certificate file"; return false; } - _key = QSslKey(&certFile, QSsl::Rsa); + // load key from keyPath if it differs from path, otherwise load key from path + if(path != keyPath) { + QFile keyFile(keyPath); + if(!keyFile.exists()) { + quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist"; + return false; + } + + if (!keyFile.open(QIODevice::ReadOnly)) { + quWarning() + << "SslServer: Failed to open key file" << qPrintable(keyPath) + << "error:" << keyFile.error(); + return false; + } + + untestedKey = QSslKey(&keyFile, QSsl::Rsa); + keyFile.close(); + } else { + untestedKey = QSslKey(&certFile, QSsl::Rsa); + } + certFile.close(); - if (_cert.isNull()) { + if (untestedCert.isNull()) { quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; return false; } - if (!_cert.isValid()) { - quWarning() << "SslServer: Invalid certificate (most likely expired)"; - // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid. + + // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid. + const QDateTime now = QDateTime::currentDateTime(); + if (now < untestedCert.effectiveDate()) + quWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString(); + + else if (now > untestedCert.expiryDate()) + quWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString(); + + else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block +#if QT_VERSION < 0x050000 + if (!untestedCert.isValid()) +#else + if (untestedCert.isBlacklisted()) +#endif + quWarning() << "SslServer: Certificate blacklisted"; } - if (_key.isNull()) { - quWarning() << "SslServer:" << qPrintable(path) << "contains no key data"; + if (untestedKey.isNull()) { + quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data"; return false; } _isCertValid = true; + // All keys are valid, update the externally visible copy used for new connections. + _cert = untestedCert; + _ca = untestedCA; + _key = untestedKey; + return _isCertValid; }