X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=blobdiff_plain;f=src%2Fcore%2Fsslserver.cpp;h=f7d35c3447df70f49d5f871fc7f80e6a3c848638;hp=bfcdbf26907ee54fd6a57922477513d3e8ab1c42;hb=b62292bbe3f21887dc5ee4353ca9cf675f9aa3f3;hpb=d85397ae518ecbfbad66c8c8a74eee92d77656db diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp index bfcdbf26..f7d35c34 100644 --- a/src/core/sslserver.cpp +++ b/src/core/sslserver.cpp @@ -1,5 +1,5 @@ /*************************************************************************** - * Copyright (C) 2005-09 by the Quassel Project * + * Copyright (C) 2005-2020 by the Quassel Project * * devel@quassel-irc.org * * * * This program is free software; you can redistribute it and/or modify * @@ -15,105 +15,209 @@ * You should have received a copy of the GNU General Public License * * along with this program; if not, write to the * * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * ***************************************************************************/ #include "sslserver.h" -#ifdef HAVE_SSL -# include -#endif +#include +#include -#include -#include +#include "core.h" +#include "quassel.h" -#include "logger.h" -#include "util.h" +SslServer::SslServer(QObject* parent) + : QTcpServer(parent) +{ + // Keep track if the SSL warning has been mentioned at least once before + static bool sslWarningShown = false; + + if (Quassel::isOptionSet("ssl-cert")) { + _sslCertPath = Quassel::optionValue("ssl-cert"); + } + else { + _sslCertPath = Quassel::configDirPath() + "quasselCert.pem"; + } + + if (Quassel::isOptionSet("ssl-key")) { + _sslKeyPath = Quassel::optionValue("ssl-key"); + } + else { + _sslKeyPath = _sslCertPath; + } -#ifdef HAVE_SSL + // Initialize the certificates for first-time usage + if (!loadCerts()) { + if (!sslWarningShown) { + qWarning() << "SslServer: Unable to set certificate file\n" + << " Quassel Core will still work, but cannot provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + sslWarningShown = true; + } + } +} -static bool SslServer_longMessShown=false; +void SslServer::incomingConnection(qintptr socketDescriptor) +{ + auto* socket = new QSslSocket(this); + if (socket->setSocketDescriptor(socketDescriptor)) { + if (isCertValid()) { + socket->setLocalCertificate(_cert); + socket->setPrivateKey(_key); + socket->addCaCertificates(_ca); + } + addPendingConnection(socket); + } + else { + delete socket; + } +} -SslServer::SslServer(QObject *parent) - : QTcpServer(parent) +bool SslServer::loadCerts() { - if (! setCertificate(quasselDir().absolutePath() + "/quasselCert.pem")) { - if (! SslServer_longMessShown) { - qWarning() - << "SslServer: Unable to set certificate file\n" - << " Quassel Core will still work, but cannot provide SSL for client connections.\n" - << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support."; - SslServer_longMessShown=true; - } - } + // Load the certificates specified in the path. If needed, other prep work can be done here. + return setCertificate(_sslCertPath, _sslKeyPath); } -QTcpSocket *SslServer::nextPendingConnection() { - if(_pendingConnections.isEmpty()) - return 0; - else - return _pendingConnections.takeFirst(); +bool SslServer::reloadCerts() +{ + if (loadCerts()) { + return true; + } + else { + // Reloading certificates currently only occur in response to a request. Always print an + // error if something goes wrong, in order to simplify checking if it's working. + if (isCertValid()) { + qWarning() << "SslServer: Unable to reload certificate file, reverting\n" + << " Quassel Core will use the previous key to provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + } + else { + qWarning() << "SslServer: Unable to reload certificate file\n" + << " Quassel Core will still work, but cannot provide SSL for client connections.\n" + << " Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support."; + } + return false; + } } -void SslServer::incomingConnection(int socketDescriptor) { - QSslSocket *serverSocket = new QSslSocket(this); - if(serverSocket->setSocketDescriptor(socketDescriptor)) { - if(certIsValid()) { - serverSocket->setLocalCertificate(_cert); - serverSocket->setPrivateKey(_key); - } - _pendingConnections << serverSocket; - emit newConnection(); - } else { - delete serverSocket; - } +bool SslServer::setCertificate(const QString& path, const QString& keyPath) +{ + // Don't reset _isCertValid here, in case an older but valid certificate is still loaded. + // Use temporary variables in order to avoid overwriting the existing certificates until + // everything is confirmed good. + QSslCertificate untestedCert; + QList untestedCA; + QSslKey untestedKey; + + if (path.isEmpty()) + return false; + + QFile certFile(path); + if (!certFile.exists()) { + qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist"; + return false; + } + + if (!certFile.open(QIODevice::ReadOnly)) { + qWarning() << "SslServer: Failed to open certificate file" << qPrintable(path) << "error:" << certFile.error(); + return false; + } + + QList certList = QSslCertificate::fromDevice(&certFile); + + if (certList.isEmpty()) { + qWarning() << "SslServer: Certificate file doesn't contain a certificate"; + return false; + } + + untestedCert = certList[0]; + certList.removeFirst(); // remove server cert + + // store CA and intermediates certs + untestedCA = certList; + + if (!certFile.reset()) { + qWarning() << "SslServer: IO error reading certificate file"; + return false; + } + + // load key from keyPath if it differs from path, otherwise load key from path + if (path != keyPath) { + QFile keyFile(keyPath); + if (!keyFile.exists()) { + qWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist"; + return false; + } + + if (!keyFile.open(QIODevice::ReadOnly)) { + qWarning() << "SslServer: Failed to open key file" << qPrintable(keyPath) << "error:" << keyFile.error(); + return false; + } + + untestedKey = loadKey(&keyFile); + keyFile.close(); + } + else { + untestedKey = loadKey(&certFile); + } + + certFile.close(); + + if (untestedCert.isNull()) { + qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; + return false; + } + + // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid. + const QDateTime now = QDateTime::currentDateTime(); + if (now < untestedCert.effectiveDate()) { + qWarning() << "SslServer: Certificate won't be valid before" << untestedCert.effectiveDate().toString(); + } + else if (now > untestedCert.expiryDate()) { + qWarning() << "SslServer: Certificate expired on" << untestedCert.expiryDate().toString(); + } + else if (untestedCert.isBlacklisted()) { + qWarning() << "SslServer: Certificate blacklisted"; + } + + if (untestedKey.isNull()) { + qWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data"; + return false; + } + + _certificateExpires = untestedCert.expiryDate(); + if (_metricsServer) { + _metricsServer->setCertificateExpires(_certificateExpires); + } + + _isCertValid = true; + + // All keys are valid, update the externally visible copy used for new connections. + _cert = untestedCert; + _ca = untestedCA; + _key = untestedKey; + + return _isCertValid; } -bool SslServer::setCertificate(const QString &path) { - _certIsValid = false; - - if (path.isNull()) { - return false; - } - - QFile certFile(path); - if (! certFile.exists()) { - qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist"; - return false; - } - - if (! certFile.open(QIODevice::ReadOnly)) { - qWarning() - << "SslServer: Failed to open certificate file" << qPrintable(path) - << "error:" << certFile.error(); - return false; - } - _cert = QSslCertificate(&certFile); - - if (! certFile.reset()) { - qWarning() << "SslServer: IO error reading certificate file"; - return false; - } - - _key = QSslKey(&certFile, QSsl::Rsa); - certFile.close(); - - if (_cert.isNull()) { - qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data"; - return false; - } - if (! _cert.isValid()) { - qWarning() << "SslServer: Invalid certificate"; - return false; - } - if (_key.isNull()) { - qWarning() << "SslServer:" << qPrintable(path) << "contains no key data"; - return false; - } - - _certIsValid = true; - - return _certIsValid; +QSslKey SslServer::loadKey(QFile* keyFile) +{ + QSslKey key; + key = QSslKey(keyFile, QSsl::Rsa); + if (key.isNull()) { + if (!keyFile->reset()) { + qWarning() << "SslServer: IO error reading key file"; + return key; + } + key = QSslKey(keyFile, QSsl::Ec); + } + return key; } -#endif // HAVE_SSL +void SslServer::setMetricsServer(MetricsServer* metricsServer) { + _metricsServer = metricsServer; + if (_metricsServer) { + _metricsServer->setCertificateExpires(_certificateExpires); + } +}