diff options
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 165 |
1 files changed, 61 insertions, 104 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index dd47dfc45f..fcc267e7cc 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1,32 +1,38 @@ /**************************************************************************** ** -** Copyright (C) 2015 The Qt Company Ltd. +** Copyright (C) 2016 The Qt Company Ltd. ** Copyright (C) 2014 Governikus GmbH & Co. KG -** Contact: http://www.qt.io/licensing/ +** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. ** -** $QT_BEGIN_LICENSE:LGPL21$ +** $QT_BEGIN_LICENSE:LGPL$ ** Commercial License Usage ** Licensees holding valid commercial Qt licenses may use this file in ** accordance with the commercial license agreement provided with the ** Software or, alternatively, in accordance with the terms contained in ** a written agreement between you and The Qt Company. For licensing terms -** and conditions see http://www.qt.io/terms-conditions. For further -** information use the contact form at http://www.qt.io/contact-us. +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. ** ** GNU Lesser General Public License Usage ** Alternatively, this file may be used under the terms of the GNU Lesser -** General Public License version 2.1 or version 3 as published by the Free -** Software Foundation and appearing in the file LICENSE.LGPLv21 and -** LICENSE.LGPLv3 included in the packaging of this file. Please review the -** following information to ensure the GNU Lesser General Public License -** requirements will be met: https://www.gnu.org/licenses/lgpl.html and -** http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ** -** As a special exception, The Qt Company gives you certain additional -** rights. These rights are described in The Qt Company LGPL Exception -** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. ** ** $QT_END_LICENSE$ ** @@ -78,12 +84,7 @@ QT_BEGIN_NAMESPACE -#if defined(Q_OS_MACX) -#define kSecTrustSettingsDomainSystem 2 // so we do not need to include the header file - PtrSecCertificateCopyData QSslSocketPrivate::ptrSecCertificateCopyData = 0; - PtrSecTrustSettingsCopyCertificates QSslSocketPrivate::ptrSecTrustSettingsCopyCertificates = 0; - PtrSecTrustCopyAnchorCertificates QSslSocketPrivate::ptrSecTrustCopyAnchorCertificates = 0; -#elif defined(Q_OS_WIN) +#if defined(Q_OS_WIN) PtrCertOpenSystemStoreW QSslSocketPrivate::ptrCertOpenSystemStoreW = 0; PtrCertFindCertificateInStore QSslSocketPrivate::ptrCertFindCertificateInStore = 0; PtrCertCloseStore QSslSocketPrivate::ptrCertCloseStore = 0; @@ -258,12 +259,21 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *ciph return ciph; } +// static +inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) { + QSslErrorEntry result = { + q_X509_STORE_CTX_get_error(ctx), + q_X509_STORE_CTX_get_error_depth(ctx) + }; + return result; +} + // ### This list is shared between all threads, and protected by a // mutex. Investigate using thread local storage instead. struct QSslErrorList { QMutex mutex; - QList<QPair<int, int> > errors; + QVector<QSslErrorEntry> errors; }; Q_GLOBAL_STATIC(QSslErrorList, _q_sslErrorList) @@ -271,7 +281,7 @@ int q_X509Callback(int ok, X509_STORE_CTX *ctx) { if (!ok) { // Store the error and at which depth the error was detected. - _q_sslErrorList()->errors << qMakePair<int, int>(q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx)); + _q_sslErrorList()->errors << QSslErrorEntry::fromStoreContext(ctx); #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "verification error: dumping bad certificate"; qCDebug(lcSsl) << QSslCertificatePrivate::QSslCertificate_from_X509(q_X509_STORE_CTX_get_current_cert(ctx)).toPem(); @@ -359,8 +369,7 @@ bool QSslSocketBackendPrivate::initSslContext() // create a deep copy of our configuration QSslConfigurationPrivate *configurationCopy = new QSslConfigurationPrivate(configuration); configurationCopy->ref.store(0); // the QSslConfiguration constructor refs up - sslContextPointer = QSharedPointer<QSslContext>( - QSslContext::fromConfiguration(mode, configurationCopy, allowRootCertOnDemandLoading)); + sslContextPointer = QSslContext::sharedFromConfiguration(mode, configurationCopy, allowRootCertOnDemandLoading); } if (sslContextPointer->error() != QSslError::NoError) { @@ -506,23 +515,7 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded() #ifndef QT_NO_LIBRARY //load symbols needed to receive certificates from system store -#if defined(Q_OS_MACX) - QLibrary securityLib("/System/Library/Frameworks/Security.framework/Versions/Current/Security"); - if (securityLib.load()) { - ptrSecCertificateCopyData = (PtrSecCertificateCopyData) securityLib.resolve("SecCertificateCopyData"); - if (!ptrSecCertificateCopyData) - qCWarning(lcSsl, "could not resolve symbols in security library"); // should never happen - - ptrSecTrustSettingsCopyCertificates = (PtrSecTrustSettingsCopyCertificates) securityLib.resolve("SecTrustSettingsCopyCertificates"); - if (!ptrSecTrustSettingsCopyCertificates) { // method was introduced in Leopard, use legacy method if it's not there - ptrSecTrustCopyAnchorCertificates = (PtrSecTrustCopyAnchorCertificates) securityLib.resolve("SecTrustCopyAnchorCertificates"); - if (!ptrSecTrustCopyAnchorCertificates) - qCWarning(lcSsl, "could not resolve symbols in security library"); // should never happen - } - } else { - qCWarning(lcSsl, "could not load security library"); - } -#elif defined(Q_OS_WIN) +#if defined(Q_OS_WIN) HINSTANCE hLib = LoadLibraryW(L"Crypt32"); if (hLib) { #if defined(Q_OS_WINCE) @@ -680,6 +673,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves() setDefaultSupportedEllipticCurves(curves); } +#ifndef Q_OS_DARWIN // Apple implementation in qsslsocket_mac_shared.cpp QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() { ensureInitialized(); @@ -688,43 +682,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() timer.start(); #endif QList<QSslCertificate> systemCerts; -#if defined(Q_OS_MACX) - CFArrayRef cfCerts; - OSStatus status = 1; - - CFDataRef SecCertificateCopyData ( - SecCertificateRef certificate - ); - - if (ptrSecCertificateCopyData) { - if (ptrSecTrustSettingsCopyCertificates) - status = ptrSecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &cfCerts); - else if (ptrSecTrustCopyAnchorCertificates) - status = ptrSecTrustCopyAnchorCertificates(&cfCerts); - if (!status) { - CFIndex size = CFArrayGetCount(cfCerts); - for (CFIndex i = 0; i < size; ++i) { - SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i); - CFDataRef data; - - data = ptrSecCertificateCopyData(cfCert); - - if (data == NULL) { - qCWarning(lcSsl, "error retrieving a CA certificate from the system store"); - } else { - QByteArray rawCert = QByteArray::fromRawData((const char *)CFDataGetBytePtr(data), CFDataGetLength(data)); - systemCerts.append(QSslCertificate::fromData(rawCert, QSsl::Der)); - CFRelease(data); - } - } - CFRelease(cfCerts); - } - else { - // no detailed error handling here - qCWarning(lcSsl, "could not retrieve system CA certificates"); - } - } -#elif defined(Q_OS_WIN) +#if defined(Q_OS_WIN) if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) { HCERTSTORE hSystemStore; #if defined(Q_OS_WINCE) @@ -801,6 +759,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() return systemCerts; } +#endif // Q_OS_DARWIN void QSslSocketBackendPrivate::startClientEncryption() { @@ -892,6 +851,7 @@ void QSslSocketBackendPrivate::transmit() emit q->bytesWritten(totalBytesWritten); emittedBytesWritten = false; } + emit q->channelBytesWritten(0, totalBytesWritten); } } @@ -990,12 +950,12 @@ void QSslSocketBackendPrivate::transmit() #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes"; #endif - char *ptr = buffer.reserve(readBytes); - ::memcpy(ptr, data.data(), readBytes); + buffer.append(data.constData(), readBytes); if (readyReadEmittedPointer) *readyReadEmittedPointer = true; emit q->readyRead(); + emit q->channelReadyRead(0); transmitting = true; continue; } @@ -1091,23 +1051,22 @@ bool QSslSocketBackendPrivate::startHandshake() // Check if the connection has been established. Get all errors from the // verification stage. - _q_sslErrorList()->mutex.lock(); + QMutexLocker locker(&_q_sslErrorList()->mutex); _q_sslErrorList()->errors.clear(); int result = (mode == QSslSocket::SslClientMode) ? q_SSL_connect(ssl) : q_SSL_accept(ssl); - const QList<QPair<int, int> > &lastErrors = _q_sslErrorList()->errors; + const auto &lastErrors = _q_sslErrorList()->errors; if (!lastErrors.isEmpty()) storePeerCertificates(); - for (int i = 0; i < lastErrors.size(); ++i) { - const QPair<int, int> ¤tError = lastErrors.at(i); - emit q->peerVerifyError(_q_OpenSSL_to_QSslError(currentError.first, - configuration.peerCertificateChain.value(currentError.second))); + for (const auto ¤tError : lastErrors) { + emit q->peerVerifyError(_q_OpenSSL_to_QSslError(currentError.code, + configuration.peerCertificateChain.value(currentError.depth))); if (q->state() != QAbstractSocket::ConnectedState) break; } errorList << lastErrors; - _q_sslErrorList()->mutex.unlock(); + locker.unlock(); // Connection aborted during handshake phase. if (q->state() != QAbstractSocket::ConnectedState) @@ -1184,14 +1143,9 @@ bool QSslSocketBackendPrivate::startHandshake() } // Translate errors from the error list into QSslErrors. - const int numErrors = errorList.size(); - errors.reserve(errors.size() + numErrors); - for (int i = 0; i < numErrors; ++i) { - const QPair<int, int> &errorAndDepth = errorList.at(i); - int err = errorAndDepth.first; - int depth = errorAndDepth.second; - errors << _q_OpenSSL_to_QSslError(err, configuration.peerCertificateChain.value(depth)); - } + errors.reserve(errors.size() + errorList.size()); + for (const auto &error : qAsConst(errorList)) + errors << _q_OpenSSL_to_QSslError(error.code, configuration.peerCertificateChain.value(error.depth)); if (!errors.isEmpty()) { sslErrors = errors; @@ -1621,6 +1575,14 @@ void QSslSocketBackendPrivate::continueHandshake() } #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { + EVP_PKEY *key; + if (q_SSL_get_server_tmp_key(ssl, &key)) + configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); + } +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... + connectionEncrypted = true; emit q->encrypted(); if (autoStartHandshake && pendingClose) { @@ -1735,7 +1697,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & #endif // Now process the errors - const QList<QPair<int, int> > errorList = _q_sslErrorList()->errors; + const auto errorList = std::move(_q_sslErrorList()->errors); _q_sslErrorList()->errors.clear(); sslErrorListMutexLocker.unlock(); @@ -1754,14 +1716,9 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & } // Translate errors from the error list into QSslErrors. - const int numErrors = errorList.size(); - errors.reserve(errors.size() + numErrors); - for (int i = 0; i < numErrors; ++i) { - const QPair<int, int> &errorAndDepth = errorList.at(i); - int err = errorAndDepth.first; - int depth = errorAndDepth.second; - errors << _q_OpenSSL_to_QSslError(err, certificateChain.value(depth)); - } + errors.reserve(errors.size() + errorList.size()); + for (const auto &error : qAsConst(errorList)) + errors << _q_OpenSSL_to_QSslError(error.code, certificateChain.value(error.depth)); q_X509_STORE_free(certStore); |