diff options
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 91 |
1 files changed, 46 insertions, 45 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 3aa6247a1f..bf348f6f9f 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -50,6 +50,7 @@ //#define QSSLSOCKET_DEBUG //#define QT_DECRYPT_SSL_TRAFFIC +#include "qssl_p.h" #include "qsslsocket_openssl_p.h" #include "qsslsocket_openssl_symbols_p.h" #include "qsslsocket.h" @@ -252,24 +253,24 @@ int q_X509Callback(int ok, X509_STORE_CTX *ctx) // Store the error and at which depth the error was detected. _q_sslErrorList()->errors << qMakePair<int, int>(q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx)); #ifdef QSSLSOCKET_DEBUG - qDebug() << "verification error: dumping bad certificate"; - qDebug() << QSslCertificatePrivate::QSslCertificate_from_X509(q_X509_STORE_CTX_get_current_cert(ctx)).toPem(); - qDebug() << "dumping chain"; + qCDebug(lcSsl) << "verification error: dumping bad certificate"; + qCDebug(lcSsl) << QSslCertificatePrivate::QSslCertificate_from_X509(q_X509_STORE_CTX_get_current_cert(ctx)).toPem(); + qCDebug(lcSsl) << "dumping chain"; foreach (QSslCertificate cert, QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(q_X509_STORE_CTX_get_chain(ctx))) { QString certFormat(QStringLiteral("O=%1 CN=%2 L=%3 OU=%4 C=%5 ST=%6")); - qDebug() << "Issuer:" << "O=" << cert.issuerInfo(QSslCertificate::Organization) + qCDebug(lcSsl) << "Issuer:" << "O=" << cert.issuerInfo(QSslCertificate::Organization) << "CN=" << cert.issuerInfo(QSslCertificate::CommonName) << "L=" << cert.issuerInfo(QSslCertificate::LocalityName) << "OU=" << cert.issuerInfo(QSslCertificate::OrganizationalUnitName) << "C=" << cert.issuerInfo(QSslCertificate::CountryName) << "ST=" << cert.issuerInfo(QSslCertificate::StateOrProvinceName); - qDebug() << "Subject:" << "O=" << cert.subjectInfo(QSslCertificate::Organization) + qCDebug(lcSsl) << "Subject:" << "O=" << cert.subjectInfo(QSslCertificate::Organization) << "CN=" << cert.subjectInfo(QSslCertificate::CommonName) << "L=" << cert.subjectInfo(QSslCertificate::LocalityName) << "OU=" << cert.subjectInfo(QSslCertificate::OrganizationalUnitName) << "C=" << cert.subjectInfo(QSslCertificate::CountryName) << "ST=" << cert.subjectInfo(QSslCertificate::StateOrProvinceName); - qDebug() << "Valid:" << cert.effectiveDate() << "-" << cert.expiryDate(); + qCDebug(lcSsl) << "Valid:" << cert.effectiveDate() << "-" << cert.expiryDate(); } #endif } @@ -363,7 +364,7 @@ bool QSslSocketBackendPrivate::initSslContext() && !QHostAddress().setAddress(tlsHostName) && !(configuration.sslOptions & QSsl::SslOptionDisableServerNameIndication)) { if (!q_SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, ace.data())) - qWarning("could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled"); + qCWarning(lcSsl, "could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled"); } } #endif @@ -490,16 +491,16 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded() if (securityLib.load()) { ptrSecCertificateCopyData = (PtrSecCertificateCopyData) securityLib.resolve("SecCertificateCopyData"); if (!ptrSecCertificateCopyData) - qWarning("could not resolve symbols in security library"); // should never happen + qCWarning(lcSsl, "could not resolve symbols in security library"); // should never happen ptrSecTrustSettingsCopyCertificates = (PtrSecTrustSettingsCopyCertificates) securityLib.resolve("SecTrustSettingsCopyCertificates"); if (!ptrSecTrustSettingsCopyCertificates) { // method was introduced in Leopard, use legacy method if it's not there ptrSecTrustCopyAnchorCertificates = (PtrSecTrustCopyAnchorCertificates) securityLib.resolve("SecTrustCopyAnchorCertificates"); if (!ptrSecTrustCopyAnchorCertificates) - qWarning("could not resolve symbols in security library"); // should never happen + qCWarning(lcSsl, "could not resolve symbols in security library"); // should never happen } } else { - qWarning("could not load security library"); + qCWarning(lcSsl, "could not load security library"); } #elif defined(Q_OS_WIN) HINSTANCE hLib = LoadLibraryW(L"Crypt32"); @@ -514,9 +515,9 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded() ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); #endif if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) - qWarning("could not resolve symbols in crypt32 library"); // should never happen + qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen } else { - qWarning("could not load crypt32 library"); // should never happen + qCWarning(lcSsl, "could not load crypt32 library"); // should never happen } #elif defined(Q_OS_QNX) s_loadRootCertsOnDemand = true; @@ -685,7 +686,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() data = ptrSecCertificateCopyData(cfCert); if (data == NULL) { - qWarning("error retrieving a CA certificate from the system store"); + qCWarning(lcSsl, "error retrieving a CA certificate from the system store"); } else { QByteArray rawCert = QByteArray::fromRawData((const char *)CFDataGetBytePtr(data), CFDataGetLength(data)); systemCerts.append(QSslCertificate::fromData(rawCert, QSsl::Der)); @@ -696,7 +697,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() } else { // no detailed error handling here - qWarning("could not retrieve system CA certificates"); + qCWarning(lcSsl, "could not retrieve system CA certificates"); } } #elif defined(Q_OS_WIN) @@ -770,8 +771,8 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() } #endif #ifdef QSSLSOCKET_DEBUG - qDebug() << "systemCaCertificates retrieval time " << timer.elapsed() << "ms"; - qDebug() << "imported " << systemCerts.count() << " certificates"; + qCDebug(lcSsl) << "systemCaCertificates retrieval time " << timer.elapsed() << "ms"; + qCDebug(lcSsl) << "imported " << systemCerts.count() << " certificates"; #endif return systemCerts; @@ -852,7 +853,7 @@ void QSslSocketBackendPrivate::transmit() } } #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: encrypted" << writtenBytes << "bytes"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: encrypted" << writtenBytes << "bytes"; #endif writeBuffer.free(writtenBytes); totalBytesWritten += writtenBytes; @@ -885,7 +886,7 @@ void QSslSocketBackendPrivate::transmit() // Write encrypted data from the buffer to the socket. qint64 actualWritten = plainSocket->write(data.constData(), encryptedBytesRead); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: wrote" << encryptedBytesRead << "encrypted bytes to the socket" << actualWritten << "actual."; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: wrote" << encryptedBytesRead << "encrypted bytes to the socket" << actualWritten << "actual."; #endif if (actualWritten < 0) { //plain socket write fails if it was in the pending close state. @@ -906,7 +907,7 @@ void QSslSocketBackendPrivate::transmit() int encryptedBytesRead = plainSocket->peek(data.data(), pendingBytes); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: read" << encryptedBytesRead << "encrypted bytes from the socket"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: read" << encryptedBytesRead << "encrypted bytes from the socket"; #endif // Write encrypted data from the buffer into the read BIO. int writtenToBio = q_BIO_write(readBio, data.constData(), encryptedBytesRead); @@ -930,17 +931,17 @@ void QSslSocketBackendPrivate::transmit() // connect / accept. if (!connectionEncrypted) { #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: testing encryption"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: testing encryption"; #endif if (startHandshake()) { #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: encryption established"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: encryption established"; #endif connectionEncrypted = true; transmitting = true; } else if (plainSocket->state() != QAbstractSocket::ConnectedState) { #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: connection lost"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: connection lost"; #endif break; } else if (paused) { @@ -948,7 +949,7 @@ void QSslSocketBackendPrivate::transmit() return; } else { #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: encryption not done yet"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: encryption not done yet"; #endif } } @@ -969,7 +970,7 @@ void QSslSocketBackendPrivate::transmit() // Don't use SSL_pending(). It's very unreliable. if ((readBytes = q_SSL_read(ssl, data.data(), data.size())) > 0) { #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes"; #endif char *ptr = buffer.reserve(readBytes); ::memcpy(ptr, data.data(), readBytes); @@ -990,7 +991,7 @@ void QSslSocketBackendPrivate::transmit() case SSL_ERROR_ZERO_RETURN: // The remote host closed the connection. #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::transmit: remote disconnect"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: remote disconnect"; #endif shutdown = true; // the other side shut down, make sure we do not send shutdown ourselves q->setErrorString(QSslSocket::tr("The TLS/SSL connection has been closed")); @@ -1109,7 +1110,7 @@ bool QSslSocketBackendPrivate::startHandshake() q->setErrorString(QSslSocket::tr("Error during SSL handshake: %1").arg(getErrorsFromOpenSsl())); q->setSocketError(QAbstractSocket::SslHandshakeFailedError); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::startHandshake: error!" << q->errorString(); + qCDebug(lcSsl) << "QSslSocketBackendPrivate::startHandshake: error!" << q->errorString(); #endif emit q->error(QAbstractSocket::SslHandshakeFailedError); q->abort(); @@ -1212,7 +1213,7 @@ bool QSslSocketBackendPrivate::startHandshake() break; default: #ifdef QSSLSOCKET_DEBUG - qDebug() << sslErrors.at(i).errorString(); + qCDebug(lcSsl) << sslErrors.at(i).errorString(); #endif break; } @@ -1346,7 +1347,7 @@ void QWindowsCaRootFetcher::start() PCCERT_CONTEXT wincert = CertCreateCertificateContext(X509_ASN_ENCODING, (const BYTE *)der.constData(), der.length()); if (!wincert) { #ifdef QSSLSOCKET_DEBUG - qDebug("QWindowsCaRootFetcher failed to convert certificate to windows form"); + qCDebug(lcSsl, "QWindowsCaRootFetcher failed to convert certificate to windows form"); #endif emit finished(cert, QSslCertificate()); deleteLater(); @@ -1377,32 +1378,32 @@ void QWindowsCaRootFetcher::start() 0, //reserved &chain); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QWindowsCaRootFetcher" << stopwatch.elapsed() << "ms to get chain"; + qCDebug(lcSsl) << "QWindowsCaRootFetcher" << stopwatch.elapsed() << "ms to get chain"; #endif QSslCertificate trustedRoot; if (result) { #ifdef QSSLSOCKET_DEBUG - qDebug() << "QWindowsCaRootFetcher - examining windows chains"; + qCDebug(lcSsl) << "QWindowsCaRootFetcher - examining windows chains"; if (chain->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR) - qDebug() << " - TRUSTED"; + qCDebug(lcSsl) << " - TRUSTED"; else - qDebug() << " - NOT TRUSTED" << chain->TrustStatus.dwErrorStatus; + qCDebug(lcSsl) << " - NOT TRUSTED" << chain->TrustStatus.dwErrorStatus; if (chain->TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED) - qDebug() << " - SELF SIGNED"; - qDebug() << "QSslSocketBackendPrivate::fetchCaRootForCert - dumping simple chains"; + qCDebug(lcSsl) << " - SELF SIGNED"; + qCDebug(lcSsl) << "QSslSocketBackendPrivate::fetchCaRootForCert - dumping simple chains"; for (unsigned int i = 0; i < chain->cChain; i++) { if (chain->rgpChain[i]->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR) - qDebug() << " - TRUSTED SIMPLE CHAIN" << i; + qCDebug(lcSsl) << " - TRUSTED SIMPLE CHAIN" << i; else - qDebug() << " - UNTRUSTED SIMPLE CHAIN" << i << "reason:" << chain->rgpChain[i]->TrustStatus.dwErrorStatus; + qCDebug(lcSsl) << " - UNTRUSTED SIMPLE CHAIN" << i << "reason:" << chain->rgpChain[i]->TrustStatus.dwErrorStatus; for (unsigned int j = 0; j < chain->rgpChain[i]->cElement; j++) { QSslCertificate foundCert(QByteArray((const char *)chain->rgpChain[i]->rgpElement[j]->pCertContext->pbCertEncoded , chain->rgpChain[i]->rgpElement[j]->pCertContext->cbCertEncoded), QSsl::Der); - qDebug() << " - " << foundCert; + qCDebug(lcSsl) << " - " << foundCert; } } - qDebug() << " - and" << chain->cLowerQualityChainContext << "low quality chains"; //expect 0, we haven't asked for them + qCDebug(lcSsl) << " - and" << chain->cLowerQualityChainContext << "low quality chains"; //expect 0, we haven't asked for them #endif //based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa377182%28v=vs.85%29.aspx @@ -1521,12 +1522,12 @@ void QSslSocketBackendPrivate::continueHandshake() QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); QFile file(sslKeyFile); if (!file.open(QIODevice::Append)) - qWarning() << "could not open file" << sslKeyFile << "for appending"; + qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; if (!file.write(debugLineClientRandom)) - qWarning() << "could not write to file" << sslKeyFile; + qCWarning(lcSsl) << "could not write to file" << sslKeyFile; file.close(); } else { - qWarning("could not decrypt SSL traffic"); + qCWarning(lcSsl, "could not decrypt SSL traffic"); } #endif @@ -1585,7 +1586,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(QList<QSslCertificate> certifi // Setup the store with the default CA certificates X509_STORE *certStore = q_X509_STORE_new(); if (!certStore) { - qWarning() << "Unable to create certificate store"; + qCWarning(lcSsl) << "Unable to create certificate store"; errors << QSslError(QSslError::UnspecifiedError); return errors; } @@ -1722,7 +1723,7 @@ bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, // Create the PKCS#12 object PKCS12 *p12 = q_d2i_PKCS12_bio(bio, 0); if (!p12) { - qWarning("Unable to read PKCS#12 structure, %s", q_ERR_error_string(q_ERR_get_error(), 0)); + qCWarning(lcSsl, "Unable to read PKCS#12 structure, %s", q_ERR_error_string(q_ERR_get_error(), 0)); q_BIO_free(bio); return false; } @@ -1733,7 +1734,7 @@ bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, STACK_OF(X509) *ca = 0; if (!q_PKCS12_parse(p12, passPhrase.constData(), &pkey, &x509, &ca)) { - qWarning("Unable to parse PKCS#12 structure, %s", q_ERR_error_string(q_ERR_get_error(), 0)); + qCWarning(lcSsl, "Unable to parse PKCS#12 structure, %s", q_ERR_error_string(q_ERR_get_error(), 0)); q_PKCS12_free(p12); q_BIO_free(bio); return false; @@ -1741,7 +1742,7 @@ bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, // Convert to Qt types if (!key->d->fromEVP_PKEY(pkey)) { - qWarning("Unable to convert private key"); + qCWarning(lcSsl, "Unable to convert private key"); q_sk_pop_free(reinterpret_cast<STACK *>(ca), reinterpret_cast<void(*)(void*)>(q_sk_free)); q_X509_free(x509); q_EVP_PKEY_free(pkey); |