From e5438e8ded27eb6f7f0e85704d6843069296c698 Mon Sep 17 00:00:00 2001 From: Timur Pocheptsov Date: Wed, 30 Oct 2019 11:49:07 +0100 Subject: QSslSocket (OpenSSL) improve alert messages handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. Add a new verification callback. This gives an option to report errors directly from this callback (by emitting handshakeInterruptedOnError()). This allows an application to explain to its peer why the handshake was interrupted (by sending a corresponding alert message). 2. This also means we want to notice such alerts (in Qt, from the application's point of view, they are mostly informational only, no interaction is required). So we also introduce a new 'info callback', that can notice alert messages read or written. We also introduce two new enums describing the level and type of an alert message. QSslSocket gets three new signals (for incoming/outgoing alerts and verification errors found early). 3. In case we requested a certificate, but the peer provided none, we would previously abruptly close the connection without a proper alert message (and such a situation is not handled by any verification callbacks, since there is no certificate(s) to verify essentially). So we now introduce a new verification option that maps to what OpenSSL calls 'SSL_VERIFY_FAIL_IF_NO_PEER_CERT'. This way, the proper alert will be generated. Fixes: QTBUG-68419 Change-Id: I5d1e9298b4040a2d4f867f5b1a3567a2253927b8 Reviewed-by: MÃ¥rten Nordheim --- src/network/ssl/qsslsocket_openssl_symbols.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'src/network/ssl/qsslsocket_openssl_symbols.cpp') diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp index 3504924888..5b0a70d495 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp @@ -156,6 +156,10 @@ DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG) DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return) DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return) DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) +using info_callback = void (*) (const SSL *ssl, int type, int val); +DEFINEFUNC2(void, SSL_set_info_callback, SSL *ssl, ssl, info_callback cb, cb, return, return) +DEFINEFUNC(const char *, SSL_alert_type_string, int value, value, return nullptr, return) +DEFINEFUNC(const char *, SSL_alert_desc_string_long, int value, value, return nullptr, return) #ifdef TLS1_3_VERSION DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return) DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG) @@ -839,7 +843,9 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(OPENSSL_sk_value) RESOLVEFUNC(DH_get0_pqg) RESOLVEFUNC(SSL_CTX_set_options) - + RESOLVEFUNC(SSL_set_info_callback) + RESOLVEFUNC(SSL_alert_type_string) + RESOLVEFUNC(SSL_alert_desc_string_long) #ifdef TLS1_3_VERSION RESOLVEFUNC(SSL_CTX_set_ciphersuites) RESOLVEFUNC(SSL_set_psk_use_session_callback) -- cgit v1.2.3