diff options
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 196 |
1 files changed, 76 insertions, 120 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 82644c155c..b3820aea97 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1,32 +1,38 @@ /**************************************************************************** ** -** Copyright (C) 2015 The Qt Company Ltd. +** Copyright (C) 2016 The Qt Company Ltd. ** Copyright (C) 2014 Governikus GmbH & Co. KG -** Contact: http://www.qt.io/licensing/ +** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. ** -** $QT_BEGIN_LICENSE:LGPL21$ +** $QT_BEGIN_LICENSE:LGPL$ ** Commercial License Usage ** Licensees holding valid commercial Qt licenses may use this file in ** accordance with the commercial license agreement provided with the ** Software or, alternatively, in accordance with the terms contained in ** a written agreement between you and The Qt Company. For licensing terms -** and conditions see http://www.qt.io/terms-conditions. For further -** information use the contact form at http://www.qt.io/contact-us. +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. ** ** GNU Lesser General Public License Usage ** Alternatively, this file may be used under the terms of the GNU Lesser -** General Public License version 2.1 or version 3 as published by the Free -** Software Foundation and appearing in the file LICENSE.LGPLv21 and -** LICENSE.LGPLv3 included in the packaging of this file. Please review the -** following information to ensure the GNU Lesser General Public License -** requirements will be met: https://www.gnu.org/licenses/lgpl.html and -** http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ** -** As a special exception, The Qt Company gives you certain additional -** rights. These rights are described in The Qt Company LGPL Exception -** version 1.1, included in the file LGPL_EXCEPTION.txt in this package. +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. ** ** $QT_END_LICENSE$ ** @@ -78,12 +84,7 @@ QT_BEGIN_NAMESPACE -#if defined(Q_OS_MACX) -#define kSecTrustSettingsDomainSystem 2 // so we do not need to include the header file - PtrSecCertificateCopyData QSslSocketPrivate::ptrSecCertificateCopyData = 0; - PtrSecTrustSettingsCopyCertificates QSslSocketPrivate::ptrSecTrustSettingsCopyCertificates = 0; - PtrSecTrustCopyAnchorCertificates QSslSocketPrivate::ptrSecTrustCopyAnchorCertificates = 0; -#elif defined(Q_OS_WIN) +#if defined(Q_OS_WIN) PtrCertOpenSystemStoreW QSslSocketPrivate::ptrCertOpenSystemStoreW = 0; PtrCertFindCertificateInStore QSslSocketPrivate::ptrCertFindCertificateInStore = 0; PtrCertCloseStore QSslSocketPrivate::ptrCertCloseStore = 0; @@ -225,13 +226,13 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *ciph char buf [256]; QString descriptionOneLine = QString::fromLatin1(q_SSL_CIPHER_description(cipher, buf, sizeof(buf))); - QStringList descriptionList = descriptionOneLine.split(QLatin1Char(' '), QString::SkipEmptyParts); + const auto descriptionList = descriptionOneLine.splitRef(QLatin1Char(' '), QString::SkipEmptyParts); if (descriptionList.size() > 5) { // ### crude code. ciph.d->isNull = false; - ciph.d->name = descriptionList.at(0); + ciph.d->name = descriptionList.at(0).toString(); - QString protoString = descriptionList.at(1); + QString protoString = descriptionList.at(1).toString(); ciph.d->protocolString = protoString; ciph.d->protocol = QSsl::UnknownProtocol; if (protoString == QLatin1String("SSLv3")) @@ -246,11 +247,11 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *ciph ciph.d->protocol = QSsl::TlsV1_2; if (descriptionList.at(2).startsWith(QLatin1String("Kx="))) - ciph.d->keyExchangeMethod = descriptionList.at(2).mid(3); + ciph.d->keyExchangeMethod = descriptionList.at(2).mid(3).toString(); if (descriptionList.at(3).startsWith(QLatin1String("Au="))) - ciph.d->authenticationMethod = descriptionList.at(3).mid(3); + ciph.d->authenticationMethod = descriptionList.at(3).mid(3).toString(); if (descriptionList.at(4).startsWith(QLatin1String("Enc="))) - ciph.d->encryptionMethod = descriptionList.at(4).mid(4); + ciph.d->encryptionMethod = descriptionList.at(4).mid(4).toString(); ciph.d->exportable = (descriptionList.size() > 6 && descriptionList.at(6) == QLatin1String("export")); ciph.d->bits = q_SSL_CIPHER_get_bits(cipher, &ciph.d->supportedBits); @@ -258,12 +259,21 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *ciph return ciph; } +// static +inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) { + QSslErrorEntry result = { + q_X509_STORE_CTX_get_error(ctx), + q_X509_STORE_CTX_get_error_depth(ctx) + }; + return result; +} + // ### This list is shared between all threads, and protected by a // mutex. Investigate using thread local storage instead. struct QSslErrorList { QMutex mutex; - QList<QPair<int, int> > errors; + QVector<QSslErrorEntry> errors; }; Q_GLOBAL_STATIC(QSslErrorList, _q_sslErrorList) @@ -271,12 +281,13 @@ int q_X509Callback(int ok, X509_STORE_CTX *ctx) { if (!ok) { // Store the error and at which depth the error was detected. - _q_sslErrorList()->errors << qMakePair<int, int>(q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx)); + _q_sslErrorList()->errors << QSslErrorEntry::fromStoreContext(ctx); #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "verification error: dumping bad certificate"; qCDebug(lcSsl) << QSslCertificatePrivate::QSslCertificate_from_X509(q_X509_STORE_CTX_get_current_cert(ctx)).toPem(); qCDebug(lcSsl) << "dumping chain"; - foreach (QSslCertificate cert, QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(q_X509_STORE_CTX_get_chain(ctx))) { + const auto certs = QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(q_X509_STORE_CTX_get_chain(ctx)); + for (const QSslCertificate &cert : certs) { qCDebug(lcSsl) << "Issuer:" << "O=" << cert.issuerInfo(QSslCertificate::Organization) << "CN=" << cert.issuerInfo(QSslCertificate::CommonName) << "L=" << cert.issuerInfo(QSslCertificate::LocalityName) @@ -358,8 +369,7 @@ bool QSslSocketBackendPrivate::initSslContext() // create a deep copy of our configuration QSslConfigurationPrivate *configurationCopy = new QSslConfigurationPrivate(configuration); configurationCopy->ref.store(0); // the QSslConfiguration constructor refs up - sslContextPointer = QSharedPointer<QSslContext>( - QSslContext::fromConfiguration(mode, configurationCopy, allowRootCertOnDemandLoading)); + sslContextPointer = QSslContext::sharedFromConfiguration(mode, configurationCopy, allowRootCertOnDemandLoading); } if (sslContextPointer->error() != QSslError::NoError) { @@ -509,23 +519,7 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded() #ifndef QT_NO_LIBRARY //load symbols needed to receive certificates from system store -#if defined(Q_OS_MACX) - QLibrary securityLib("/System/Library/Frameworks/Security.framework/Versions/Current/Security"); - if (securityLib.load()) { - ptrSecCertificateCopyData = (PtrSecCertificateCopyData) securityLib.resolve("SecCertificateCopyData"); - if (!ptrSecCertificateCopyData) - qCWarning(lcSsl, "could not resolve symbols in security library"); // should never happen - - ptrSecTrustSettingsCopyCertificates = (PtrSecTrustSettingsCopyCertificates) securityLib.resolve("SecTrustSettingsCopyCertificates"); - if (!ptrSecTrustSettingsCopyCertificates) { // method was introduced in Leopard, use legacy method if it's not there - ptrSecTrustCopyAnchorCertificates = (PtrSecTrustCopyAnchorCertificates) securityLib.resolve("SecTrustCopyAnchorCertificates"); - if (!ptrSecTrustCopyAnchorCertificates) - qCWarning(lcSsl, "could not resolve symbols in security library"); // should never happen - } - } else { - qCWarning(lcSsl, "could not load security library"); - } -#elif defined(Q_OS_WIN) +#if defined(Q_OS_WIN) HINSTANCE hLib = LoadLibraryW(L"Crypt32"); if (hLib) { #if defined(Q_OS_WINCE) @@ -685,6 +679,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves() setDefaultSupportedEllipticCurves(curves); } +#ifndef Q_OS_DARWIN // Apple implementation in qsslsocket_mac_shared.cpp QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() { ensureInitialized(); @@ -693,43 +688,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() timer.start(); #endif QList<QSslCertificate> systemCerts; -#if defined(Q_OS_MACX) - CFArrayRef cfCerts; - OSStatus status = 1; - - CFDataRef SecCertificateCopyData ( - SecCertificateRef certificate - ); - - if (ptrSecCertificateCopyData) { - if (ptrSecTrustSettingsCopyCertificates) - status = ptrSecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &cfCerts); - else if (ptrSecTrustCopyAnchorCertificates) - status = ptrSecTrustCopyAnchorCertificates(&cfCerts); - if (!status) { - CFIndex size = CFArrayGetCount(cfCerts); - for (CFIndex i = 0; i < size; ++i) { - SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i); - CFDataRef data; - - data = ptrSecCertificateCopyData(cfCert); - - if (data == NULL) { - qCWarning(lcSsl, "error retrieving a CA certificate from the system store"); - } else { - QByteArray rawCert = QByteArray::fromRawData((const char *)CFDataGetBytePtr(data), CFDataGetLength(data)); - systemCerts.append(QSslCertificate::fromData(rawCert, QSsl::Der)); - CFRelease(data); - } - } - CFRelease(cfCerts); - } - else { - // no detailed error handling here - qCWarning(lcSsl, "could not retrieve system CA certificates"); - } - } -#elif defined(Q_OS_WIN) +#if defined(Q_OS_WIN) if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) { HCERTSTORE hSystemStore; #if defined(Q_OS_WINCE) @@ -770,14 +729,12 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() directories << ministroPath; nameFilters << QLatin1String("*.der"); platformEncodingFormat = QSsl::Der; -# ifndef Q_OS_ANDROID_NO_SDK if (ministroPath.isEmpty()) { QList<QByteArray> certificateData = fetchSslCertificateData(); for (int i = 0; i < certificateData.size(); ++i) { systemCerts.append(QSslCertificate::fromData(certificateData.at(i), QSsl::Der)); } } else -# endif //Q_OS_ANDROID_NO_SDK # endif //Q_OS_ANDROID { currentDir.setNameFilters(nameFilters); @@ -790,9 +747,8 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() certFiles.insert(it.fileInfo().canonicalFilePath()); } } - QSetIterator<QString> it(certFiles); - while (it.hasNext()) - systemCerts.append(QSslCertificate::fromPath(it.next(), platformEncodingFormat)); + for (const QString& file : qAsConst(certFiles)) + systemCerts.append(QSslCertificate::fromPath(file, platformEncodingFormat)); # ifndef Q_OS_ANDROID systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss @@ -806,6 +762,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() return systemCerts; } +#endif // Q_OS_DARWIN void QSslSocketBackendPrivate::startClientEncryption() { @@ -897,6 +854,7 @@ void QSslSocketBackendPrivate::transmit() emit q->bytesWritten(totalBytesWritten); emittedBytesWritten = false; } + emit q->channelBytesWritten(0, totalBytesWritten); } } @@ -995,12 +953,12 @@ void QSslSocketBackendPrivate::transmit() #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes"; #endif - char *ptr = buffer.reserve(readBytes); - ::memcpy(ptr, data.data(), readBytes); + buffer.append(data.constData(), readBytes); if (readyReadEmittedPointer) *readyReadEmittedPointer = true; emit q->readyRead(); + emit q->channelReadyRead(0); transmitting = true; continue; } @@ -1096,23 +1054,22 @@ bool QSslSocketBackendPrivate::startHandshake() // Check if the connection has been established. Get all errors from the // verification stage. - _q_sslErrorList()->mutex.lock(); + QMutexLocker locker(&_q_sslErrorList()->mutex); _q_sslErrorList()->errors.clear(); int result = (mode == QSslSocket::SslClientMode) ? q_SSL_connect(ssl) : q_SSL_accept(ssl); - const QList<QPair<int, int> > &lastErrors = _q_sslErrorList()->errors; + const auto &lastErrors = _q_sslErrorList()->errors; if (!lastErrors.isEmpty()) storePeerCertificates(); - for (int i = 0; i < lastErrors.size(); ++i) { - const QPair<int, int> ¤tError = lastErrors.at(i); - emit q->peerVerifyError(_q_OpenSSL_to_QSslError(currentError.first, - configuration.peerCertificateChain.value(currentError.second))); + for (const auto ¤tError : lastErrors) { + emit q->peerVerifyError(_q_OpenSSL_to_QSslError(currentError.code, + configuration.peerCertificateChain.value(currentError.depth))); if (q->state() != QAbstractSocket::ConnectedState) break; } errorList << lastErrors; - _q_sslErrorList()->mutex.unlock(); + locker.unlock(); // Connection aborted during handshake phase. if (q->state() != QAbstractSocket::ConnectedState) @@ -1144,7 +1101,7 @@ bool QSslSocketBackendPrivate::startHandshake() QList<QSslError> errors; // check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer) - foreach (const QSslCertificate &cert, configuration.peerCertificateChain) { + for (const QSslCertificate &cert : qAsConst(configuration.peerCertificateChain)) { if (QSslCertificatePrivate::isBlacklisted(cert)) { QSslError error(QSslError::CertificateBlacklisted, cert); errors << error; @@ -1189,14 +1146,9 @@ bool QSslSocketBackendPrivate::startHandshake() } // Translate errors from the error list into QSslErrors. - const int numErrors = errorList.size(); - errors.reserve(errors.size() + numErrors); - for (int i = 0; i < numErrors; ++i) { - const QPair<int, int> &errorAndDepth = errorList.at(i); - int err = errorAndDepth.first; - int depth = errorAndDepth.second; - errors << _q_OpenSSL_to_QSslError(err, configuration.peerCertificateChain.value(depth)); - } + errors.reserve(errors.size() + errorList.size()); + for (const auto &error : qAsConst(errorList)) + errors << _q_OpenSSL_to_QSslError(error.code, configuration.peerCertificateChain.value(error.depth)); if (!errors.isEmpty()) { sslErrors = errors; @@ -1287,7 +1239,7 @@ bool QSslSocketBackendPrivate::checkSslErrors() pauseSocketNotifiers(q); paused = true; } else { - setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, sslErrors.first().errorString()); + setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, sslErrors.constFirst().errorString()); plainSocket->disconnectFromHost(); } return false; @@ -1635,6 +1587,14 @@ void QSslSocketBackendPrivate::continueHandshake() } #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { + EVP_PKEY *key; + if (q_SSL_get_server_tmp_key(ssl, &key)) + configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); + } +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... + connectionEncrypted = true; emit q->encrypted(); if (autoStartHandshake && pendingClose) { @@ -1675,7 +1635,8 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & } const QDateTime now = QDateTime::currentDateTimeUtc(); - foreach (const QSslCertificate &caCertificate, QSslConfiguration::defaultConfiguration().caCertificates()) { + const auto caCertificates = QSslConfiguration::defaultConfiguration().caCertificates(); + for (const QSslCertificate &caCertificate : caCertificates) { // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: // // If several CA certificates matching the name, key identifier, and @@ -1709,7 +1670,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & } bool first = true; - foreach (const QSslCertificate &cert, certificateChain) { + for (const QSslCertificate &cert : certificateChain) { if (first) { first = false; continue; @@ -1749,7 +1710,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & #endif // Now process the errors - const QList<QPair<int, int> > errorList = _q_sslErrorList()->errors; + const auto errorList = std::move(_q_sslErrorList()->errors); _q_sslErrorList()->errors.clear(); sslErrorListMutexLocker.unlock(); @@ -1768,14 +1729,9 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & } // Translate errors from the error list into QSslErrors. - const int numErrors = errorList.size(); - errors.reserve(errors.size() + numErrors); - for (int i = 0; i < numErrors; ++i) { - const QPair<int, int> &errorAndDepth = errorList.at(i); - int err = errorAndDepth.first; - int depth = errorAndDepth.second; - errors << _q_OpenSSL_to_QSslError(err, certificateChain.value(depth)); - } + errors.reserve(errors.size() + errorList.size()); + for (const auto &error : qAsConst(errorList)) + errors << _q_OpenSSL_to_QSslError(error.code, certificateChain.value(error.depth)); q_X509_STORE_free(certStore); |