SSL: Implement session sharing and use it from QNetworkAccessManager

This improves performance since a network round trip can be avoided. Change-Id: I1aaff7e48ef9638cb137de0f43942c3a4dd2884a Initial-patch-by: Markus Goetz <markus@woboq.com> Reviewed-by: Richard J. Moore <rich@kde.org>
author: Peter Hartmann <phartmann@rim.com> 2012-12-21 14:02:38 +0100
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-02-06 23:24:44 +0100
commit: b5652df775efbd1c52eecee5f08e40e600e5d70b (patch)
tree: 6e860637d9f4997234d9f3631d339796481911a2 /src/network/ssl/qsslcontext.cpp
parent: 7765dff1bb8104ea145d55d32da194acb2de03ce (diff)
1 files changed, 306 insertions, 0 deletions
diff --git a/src/network/ssl/qsslcontext.cpp b/src/network/ssl/qsslcontext.cpp
new file mode 100644
index 0000000000..4e0143253d
--- /dev/null
+++ b/src/network/ssl/qsslcontext.cpp
@@ -0,0 +1,306 @@
+/****************************************************************************
+**
+** Copyright (C) 2013 Digia Plc and/or its subsidiary(-ies).
+** Contact: http://www.qt-project.org/legal
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** Commercial License Usage
+** Licensees holding valid commercial Qt licenses may use this file in
+** accordance with the commercial license agreement provided with the
+** Software or, alternatively, in accordance with the terms contained in
+** a written agreement between you and Digia.  For licensing terms and
+** conditions see http://qt.digia.com/licensing.  For further information
+** use the contact form at http://qt.digia.com/contact-us.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Digia gives you certain additional
+** rights.  These rights are described in the Digia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** GNU General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU
+** General Public License version 3.0 as published by the Free Software
+** Foundation and appearing in the file LICENSE.GPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU General Public License version 3.0 requirements will be
+** met: http://www.gnu.org/copyleft/gpl.html.
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+
+#include <QtNetwork/qsslsocket.h>
+#include <QtCore/qmutex.h>
+
+#include "private/qsslcontext_p.h"
+#include "private/qsslsocket_p.h"
+#include "private/qsslsocket_openssl_p.h"
+#include "private/qsslsocket_openssl_symbols_p.h"
+
+QT_BEGIN_NAMESPACE
+
+// defined in qsslsocket_openssl.cpp:
+extern int q_X509Callback(int ok, X509_STORE_CTX *ctx);
+extern QString getErrorsFromOpenSsl();
+
+QSslContext::QSslContext()
+    : ctx(0),
+    pkey(0),
+    session(0)
+{
+}
+
+QSslContext::~QSslContext()
+{
+    if (ctx)
+        // This will decrement the reference count by 1 and free the context eventually when possible
+        q_SSL_CTX_free(ctx);
+
+    if (pkey)
+        q_EVP_PKEY_free(pkey);
+
+    if (session)
+        q_SSL_SESSION_free(session);
+}
+
+QSslContext* QSslContext::fromConfiguration(QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading)
+{
+    QSslContext *sslContext = new QSslContext();
+    sslContext->sslConfiguration = configuration;
+    sslContext->errorCode = QSslError::NoError;
+
+    bool client = (mode == QSslSocket::SslClientMode);
+
+    bool reinitialized = false;
+init_context:
+    switch (sslContext->sslConfiguration.protocol()) {
+    case QSsl::SslV2:
+#ifndef OPENSSL_NO_SSL2
+        sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method());
+#else
+        sslContext->ctx = 0; // SSL 2 not supported by the system, but chosen deliberately -> error
+#endif
+        break;
+    case QSsl::SslV3:
+        sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());
+        break;
+    case QSsl::SecureProtocols: // SslV2 will be disabled below
+    case QSsl::TlsV1SslV3: // SslV2 will be disabled below
+    case QSsl::AnyProtocol:
+    default:
+        sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
+        break;
+    case QSsl::TlsV1_0:
+        sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method());
+        break;
+    case QSsl::TlsV1_1:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+        sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method());
+#else
+        sslContext->ctx = 0; // TLS 1.1 not supported by the system, but chosen deliberately -> error
+#endif
+        break;
+    case QSsl::TlsV1_2:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+        sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method());
+#else
+        sslContext->ctx = 0; // TLS 1.2 not supported by the system, but chosen deliberately -> error
+#endif
+        break;
+    }
+    if (!sslContext->ctx) {
+        // After stopping Flash 10 the SSL library looses its ciphers. Try re-adding them
+        // by re-initializing the library.
+        if (!reinitialized) {
+            reinitialized = true;
+            if (q_SSL_library_init() == 1)
+                goto init_context;
+        }
+
+        sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());
+        sslContext->errorCode = QSslError::UnspecifiedError;
+        return sslContext;
+    }
+
+    // Enable bug workarounds.
+    long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions);
+    q_SSL_CTX_set_options(sslContext->ctx, options);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+    // Tell OpenSSL to release memory early
+    // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
+    if (q_SSLeay() >= 0x10000000L)
+        q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
+    // Initialize ciphers
+    QByteArray cipherString;
+    int first = true;
+    QList<QSslCipher> ciphers = sslContext->sslConfiguration.ciphers();
+    if (ciphers.isEmpty())
+        ciphers = QSslSocketPrivate::defaultCiphers();
+    foreach (const QSslCipher &cipher, ciphers) {
+        if (first)
+            first = false;
+        else
+            cipherString.append(':');
+        cipherString.append(cipher.name().toLatin1());
+    }
+
+    if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) {
+        sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());
+        sslContext->errorCode = QSslError::UnspecifiedError;
+        return sslContext;
+    }
+
+    // Add all our CAs to this store.
+    QList<QSslCertificate> expiredCerts;
+    foreach (const QSslCertificate &caCertificate, sslContext->sslConfiguration.caCertificates()) {
+        // add expired certs later, so that the
+        // valid ones are used before the expired ones
+        if (caCertificate.expiryDate() < QDateTime::currentDateTime()) {
+            expiredCerts.append(caCertificate);
+        } else {
+            q_X509_STORE_add_cert(sslContext->ctx->cert_store, (X509 *)caCertificate.handle());
+        }
+    }
+
+    bool addExpiredCerts = true;
+#if defined(Q_OS_MAC) && (MAC_OS_X_VERSION_MAX_ALLOWED == MAC_OS_X_VERSION_10_5)
+    //On Leopard SSL does not work if we add the expired certificates.
+    if (QSysInfo::MacintoshVersion == QSysInfo::MV_10_5)
+        addExpiredCerts = false;
+#endif
+    // now add the expired certs
+    if (addExpiredCerts) {
+        foreach (const QSslCertificate &caCertificate, expiredCerts) {
+            q_X509_STORE_add_cert(sslContext->ctx->cert_store, reinterpret_cast<X509 *>(caCertificate.handle()));
+        }
+    }
+
+    if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) {
+        // tell OpenSSL the directories where to look up the root certs on demand
+        QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories();
+        for (int a = 0; a < unixDirs.count(); ++a)
+            q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDirs.at(a).constData());
+    }
+
+    // Register a custom callback to get all verification errors.
+    X509_STORE_set_verify_cb_func(sslContext->ctx->cert_store, q_X509Callback);
+
+    if (!sslContext->sslConfiguration.localCertificate().isNull()) {
+        // Require a private key as well.
+        if (sslContext->sslConfiguration.privateKey().isNull()) {
+            sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());
+            sslContext->errorCode = QSslError::UnspecifiedError;
+            return sslContext;
+        }
+
+        // Load certificate
+        if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) {
+            sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());
+            sslContext->errorCode = QSslError::UnspecifiedError;
+            return sslContext;
+        }
+
+        if (configuration.d->privateKey.algorithm() == QSsl::Opaque) {
+            sslContext->pkey = reinterpret_cast<EVP_PKEY *>(configuration.d->privateKey.handle());
+        } else {
+            // Load private key
+            sslContext->pkey = q_EVP_PKEY_new();
+            // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free.
+            // this lead to a memory leak. Now we use the *_set1_* functions which do not
+            // take ownership of the RSA/DSA key instance because the QSslKey already has ownership.
+            if (configuration.d->privateKey.algorithm() == QSsl::Rsa)
+                q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast<RSA *>(configuration.d->privateKey.handle()));
+            else
+                q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast<DSA *>(configuration.d->privateKey.handle()));
+        }
+
+        if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) {
+            sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());
+            sslContext->errorCode = QSslError::UnspecifiedError;
+            return sslContext;
+        }
+        if (configuration.d->privateKey.algorithm() == QSsl::Opaque)
+            sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey
+
+        // Check if the certificate matches the private key.
+        if (!q_SSL_CTX_check_private_key(sslContext->ctx)) {
+            sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());
+            sslContext->errorCode = QSslError::UnspecifiedError;
+            return sslContext;
+        }
+    }
+
+    // Initialize peer verification.
+    if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) {
+        q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0);
+    } else {
+        q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback);
+    }
+
+    // Set verification depth.
+    if (sslContext->sslConfiguration.peerVerifyDepth() != 0)
+        q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth());
+
+    return sslContext;
+}
+
+// Needs to be deleted by caller
+SSL* QSslContext::createSsl()
+{
+    SSL* ssl = q_SSL_new(ctx);
+    q_SSL_clear(ssl);
+
+    if (session) {
+        // Try to resume the last session we cached
+        if (!q_SSL_set_session(ssl, session)) {
+            qWarning("could not set SSL session");
+            q_SSL_SESSION_free(session);
+            session = 0;
+        }
+    }
+    return ssl;
+}
+
+// We cache exactly one session here
+bool QSslContext::cacheSession(SSL* ssl)
+{
+    // dont cache the same session again
+    if (session && session == q_SSL_get_session(ssl))
+        return true;
+
+    // decrease refcount of currently stored session
+    // (this might happen if there are several concurrent handshakes in flight)
+    if (session)
+        q_SSL_SESSION_free(session);
+
+    // cache the session the caller gave us and increase reference count
+    session = q_SSL_get1_session(ssl);
+    return (session != NULL);
+
+}
+
+QSslError::SslError QSslContext::error() const
+{
+    return errorCode;
+}
+
+QString QSslContext::errorString() const
+{
+    return errorStr;
+}
+
+QT_END_NAMESPACE
author	Peter Hartmann <phartmann@rim.com>	2012-12-21 14:02:38 +0100
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-02-06 23:24:44 +0100
commit	b5652df775efbd1c52eecee5f08e40e600e5d70b (patch)
tree	6e860637d9f4997234d9f3631d339796481911a2 /src/network/ssl/qsslcontext.cpp
parent	7765dff1bb8104ea145d55d32da194acb2de03ce (diff)