diff options
Diffstat (limited to 'src/network/ssl/qsslsocket.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket.cpp | 237 |
1 files changed, 150 insertions, 87 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 8f1d5d377d..c455f70d55 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -228,6 +228,74 @@ */ /*! + \enum QAlertLevel + \brief Describes the level of an alert message + \relates QSslSocket + \since 6.0 + + \ingroup network + \ingroup ssl + \inmodule QtNetwork + + This enum describes the level of an alert message that was sent + or received. + + \value Warning Non-fatal alert message + \value Fatal Fatal alert message, the underlying backend will + handle such an alert properly and close the connection. + \value Unknown An alert of unknown level of severity. +*/ + +/*! + \enum QAlertType + \brief Enumerates possible codes that an alert message can have + \relates QSslSocket + \since 6.0 + + \ingroup network + \ingroup ssl + \inmodule QtNetwork + + See \l{https://tools.ietf.org/html/rfc8446#page-85}{RFC 8446, section 6} + for the possible values and their meaning. + + \value CloseNotify, + \value UnexpectedMessage + \value BadRecordMac + \value RecordOverflow + \value DecompressionFailure + \value HandshakeFailure + \value NoCertificate + \value BadCertificate + \value UnsupportedCertificate + \value CertificateRevoked + \value CertificateExpired + \value CertificateUnknown + \value IllegalParameter + \value UnknownCa + \value AccessDenied + \value DecodeError + \value DecryptError + \value ExportRestriction + \value ProtocolVersion + \value InsufficientSecurity + \value InternalError + \value InappropriateFallback + \value UserCancelled + \value NoRenegotiation + \value MissingExtension + \value UnsupportedExtension + \value CertificateUnobtainable + \value UnrecognizedName + \value BadCertificateStatusResponse + \value BadCertificateHashValue + \value UnknownPskIdentity + \value CertificateRequired + \value NoApplicationProtocol + \value UnknownAlertMessage +*/ + +/*! \fn void QSslSocket::encrypted() This signal is emitted when QSslSocket enters encrypted mode. After this @@ -323,6 +391,49 @@ */ /*! + \fn void QSslSocket::alertSent(QAlertLevel level, QAlertType type, const QString &description) + + QSslSocket emits this signal if an alert message was sent to a peer. \a level + describes if it was a warning or a fatal error. \a type gives the code + of the alert message. When a textual description of the alert message is + available, it is supplied in \a description. + + \note This signal is mostly informational and can be used for debugging + purposes, normally it does not require any actions from the application. + \note Not all backends support this functionality. + + \sa alertReceived(), QAlertLevel, QAlertType +*/ + +/*! + \fn void QSslSocket::alertReceived(QAlertLevel level, QAlertType type, const QString &description) + + QSslSocket emits this signal if an alert message was received from a peer. + \a level tells if the alert was fatal or it was a warning. \a type is the + code explaining why the alert was sent. When a textual description of + the alert message is available, it is supplied in \a description. + + \note The signal is mostly for informational and debugging purposes and does not + require any handling in the application. If the alert was fatal, underlying + backend will handle it and close the connection. + \note Not all backends support this functionality. + + \sa alertSent(), QAlertLevel, QAlertType +*/ + +/*! + \fn void QSslSocket::handshakeInterruptedOnError(const QSslError &error) + + QSslSocket emits this signal if a certificate verification error was + found and if early error reporting was enabled in QSslConfiguration. + An application is expected to inspect the \a error and decide if + it wants to continue the handshake, or abort it and send an alert message + to the peer. The signal-slot connection must be direct. + + \sa continueInterruptedHandshake(), sslErrors(), QSslConfiguration::setHandshakeMustInterruptOnError() +*/ + +/*! \fn void QSslSocket::newSessionTicketReceived() \since 5.15 @@ -993,7 +1104,10 @@ void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration) #if QT_CONFIG(ocsp) d->configuration.ocspStaplingEnabled = configuration.ocspStaplingEnabled(); #endif - +#if QT_CONFIG(openssl) + d->configuration.reportFromCallback = configuration.handshakeMustInterruptOnError(); + d->configuration.missingCertIsFatal = configuration.missingCertificateIsFatal(); +#endif // openssl // if the CA certificates were set explicitly (either via // QSslConfiguration::setCaCertificates() or QSslSocket::setCaCertificates(), // we cannot load the certificates on demand @@ -1413,40 +1527,6 @@ QList<QSslCipher> QSslSocket::supportedCiphers() /*! \deprecated - Use QSslConfiguration::addCaCertificates() instead. - - Searches all files in the \a path for certificates encoded in the - specified \a format and adds them to this socket's CA certificate - database. \a path must be a file or a pattern matching one or more - files, as specified by \a syntax. Returns \c true if one or more - certificates are added to the socket's CA certificate database; - otherwise returns \c false. - - The CA certificate database is used by the socket during the - handshake phase to validate the peer's certificate. - - For more precise control, use addCaCertificate(). - - \sa addCaCertificate(), QSslCertificate::fromPath() -*/ -bool QSslSocket::addCaCertificates(const QString &path, QSsl::EncodingFormat format, - QRegExp::PatternSyntax syntax) -{ - Q_D(QSslSocket); -QT_WARNING_PUSH -QT_WARNING_DISABLE_DEPRECATED - QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax); -QT_WARNING_POP - if (certs.isEmpty()) - return false; - - d->configuration.caCertificates += certs; - return true; -} - -/*! - \deprecated - Use QSslConfiguration::addCaCertificate() instead. Adds the \a certificate to this socket's CA certificate database. @@ -1533,29 +1613,6 @@ QList<QSslCertificate> QSslSocket::caCertificates() const /*! \deprecated - Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead. - - Searches all files in the \a path for certificates with the - specified \a encoding and adds them to the default CA certificate - database. \a path can be an explicit file, or it can contain - wildcards in the format specified by \a syntax. Returns \c true if - any CA certificates are added to the default database. - - Each SSL socket's CA certificate database is initialized to the - default CA certificate database. - - \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates(), - QSslConfiguration::addCaCertificate() -*/ -bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat encoding, - QRegExp::PatternSyntax syntax) -{ - return QSslSocketPrivate::addDefaultCaCertificates(path, encoding, syntax); -} - -/*! - \deprecated - Use QSslConfiguration::addCaCertificate() on the default QSslConfiguration instead. Adds \a certificate to the default CA certificate database. Each @@ -2083,6 +2140,23 @@ void QSslSocket::ignoreSslErrors(const QList<QSslError> &errors) d->ignoreErrorsList = errors; } + +/*! + \since 6.0 + + If an application wants to conclude a handshake even after receiving + handshakeInterruptedOnError() signal, it must call this function. + This call must be done from a slot function attached to the signal. + The signal-slot connection must be direct. + + \sa handshakeInterruptedOnError(), QSslConfiguration::setHandshakeMustInterruptOnError() +*/ +void QSslSocket::continueInterruptedHandshake() +{ + Q_D(QSslSocket); + d->handshakeInterrupted = false; +} + /*! \internal */ @@ -2257,13 +2331,24 @@ void QSslSocketPrivate::init() */ bool QSslSocketPrivate::verifyProtocolSupported(const char *where) { - if (configuration.protocol == QSsl::SslV2 || configuration.protocol == QSsl::SslV3) { - qCWarning(lcSsl) << where << "Attempted to use an unsupported protocol."; + QLatin1String protocolName("DTLS"); + switch (configuration.protocol) { + case QSsl::UnknownProtocol: + // UnknownProtocol, according to our docs, is for cipher whose protocol is unknown. + // Should not be used when configuring QSslSocket. + protocolName = QLatin1String("UnknownProtocol"); + Q_FALLTHROUGH(); + case QSsl::DtlsV1_0: + case QSsl::DtlsV1_2: + case QSsl::DtlsV1_0OrLater: + case QSsl::DtlsV1_2OrLater: + qCWarning(lcSsl) << where << "QSslConfiguration with unexpected protocol" << protocolName; setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, QSslSocket::tr("Attempted to use an unsupported protocol.")); return false; + default: + return true; } - return true; } /*! @@ -2376,28 +2461,6 @@ void QSslSocketPrivate::setDefaultCaCertificates(const QList<QSslCertificate> &c /*! \internal */ -bool QSslSocketPrivate::addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat format, - QRegExp::PatternSyntax syntax) -{ - QSslSocketPrivate::ensureInitialized(); -QT_WARNING_PUSH -QT_WARNING_DISABLE_DEPRECATED - QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax); -QT_WARNING_POP - if (certs.isEmpty()) - return false; - - QMutexLocker locker(&globalData()->mutex); - globalData()->config.detach(); - globalData()->config->caCertificates += certs; - globalData()->dtlsConfig.detach(); - globalData()->dtlsConfig->caCertificates += certs; - return true; -} - -/*! - \internal -*/ void QSslSocketPrivate::addDefaultCaCertificate(const QSslCertificate &cert) { QSslSocketPrivate::ensureInitialized(); @@ -2477,6 +2540,10 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri #if QT_CONFIG(ocsp) ptr->ocspStaplingEnabled = global->ocspStaplingEnabled; #endif +#if QT_CONFIG(openssl) + ptr->reportFromCallback = global->reportFromCallback; + ptr->missingCertIsFatal = global->missingCertIsFatal; +#endif } /*! @@ -2519,10 +2586,6 @@ void QSslSocketPrivate::createPlainSocket(QIODevice::OpenMode openMode) q->setPeerName(QString()); plainSocket = new QTcpSocket(q); -#ifndef QT_NO_BEARERMANAGEMENT // ### Qt6: Remove section - //copy network session down to the plain socket (if it has been set) - plainSocket->setProperty("_q_networksession", q->property("_q_networksession")); -#endif q->connect(plainSocket, SIGNAL(connected()), q, SLOT(_q_connectedSlot()), Qt::DirectConnection); |