Quassel IRC  Pre-Release
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Properties Friends Macros
sslserver.cpp
Go to the documentation of this file.
1 /***************************************************************************
2  * Copyright (C) 2005-2015 by the Quassel Project *
3  * devel@quassel-irc.org *
4  * *
5  * This program is free software; you can redistribute it and/or modify *
6  * it under the terms of the GNU General Public License as published by *
7  * the Free Software Foundation; either version 2 of the License, or *
8  * (at your option) version 3. *
9  * *
10  * This program is distributed in the hope that it will be useful, *
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of *
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
13  * GNU General Public License for more details. *
14  * *
15  * You should have received a copy of the GNU General Public License *
16  * along with this program; if not, write to the *
17  * Free Software Foundation, Inc., *
18  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. *
19  ***************************************************************************/
20 
21 #include "sslserver.h"
22 
23 #ifdef HAVE_SSL
24 # include <QSslSocket>
25 #endif
26 
27 #include <QDateTime>
28 #include <QFile>
29 
30 #include "logger.h"
31 #include "quassel.h"
32 
33 #ifdef HAVE_SSL
34 
35 SslServer::SslServer(QObject *parent)
36  : QTcpServer(parent),
37  _isCertValid(false)
38 {
39  static bool sslWarningShown = false;
40 
41  QString ssl_cert;
42  QString ssl_key;
43 
44  if(Quassel::isOptionSet("ssl-cert")) {
45  ssl_cert = Quassel::optionValue("ssl-cert");
46  } else {
47  ssl_cert = Quassel::configDirPath() + "quasselCert.pem";
48  }
49 
50  if(Quassel::isOptionSet("ssl-key")) {
51  ssl_key = Quassel::optionValue("ssl-key");
52  } else {
53  ssl_key = ssl_cert;
54  }
55 
56  if (!setCertificate(ssl_cert, ssl_key)) {
57  if (!sslWarningShown) {
58  quWarning()
59  << "SslServer: Unable to set certificate file\n"
60  << " Quassel Core will still work, but cannot provide SSL for client connections.\n"
61  << " Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
62  sslWarningShown = true;
63  }
64  }
65 }
66 
67 
68 QTcpSocket *SslServer::nextPendingConnection()
69 {
70  if (_pendingConnections.isEmpty())
71  return 0;
72  else
73  return _pendingConnections.takeFirst();
74 }
75 
76 #if QT_VERSION >= 0x050000
77 void SslServer::incomingConnection(qintptr socketDescriptor)
78 #else
79 void SslServer::incomingConnection(int socketDescriptor)
80 #endif
81 {
82  QSslSocket *serverSocket = new QSslSocket(this);
83  if (serverSocket->setSocketDescriptor(socketDescriptor)) {
84  if (isCertValid()) {
85  serverSocket->setLocalCertificate(_cert);
86  serverSocket->setPrivateKey(_key);
87  serverSocket->addCaCertificates(_ca);
88  }
89  _pendingConnections << serverSocket;
90  emit newConnection();
91  }
92  else {
93  delete serverSocket;
94  }
95 }
96 
97 
98 bool SslServer::setCertificate(const QString &path, const QString &keyPath)
99 {
100  _isCertValid = false;
101 
102  if (path.isEmpty())
103  return false;
104 
105  QFile certFile(path);
106  if (!certFile.exists()) {
107  quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
108  return false;
109  }
110 
111  if (!certFile.open(QIODevice::ReadOnly)) {
112  quWarning()
113  << "SslServer: Failed to open certificate file" << qPrintable(path)
114  << "error:" << certFile.error();
115  return false;
116  }
117 
118  QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);
119 
120  if (certList.isEmpty()) {
121  quWarning() << "SslServer: Certificate file doesn't contain a certificate";
122  return false;
123  }
124 
125  _cert = certList[0];
126  certList.removeFirst(); // remove server cert
127 
128  // store CA and intermediates certs
129  _ca = certList;
130 
131  if (!certFile.reset()) {
132  quWarning() << "SslServer: IO error reading certificate file";
133  return false;
134  }
135 
136  // load key from keyPath if it differs from path, otherwise load key from path
137  if(path != keyPath) {
138  QFile keyFile(keyPath);
139  if(!keyFile.exists()) {
140  quWarning() << "SslServer: Key file" << qPrintable(keyPath) << "does not exist";
141  return false;
142  }
143 
144  if (!keyFile.open(QIODevice::ReadOnly)) {
145  quWarning()
146  << "SslServer: Failed to open key file" << qPrintable(keyPath)
147  << "error:" << keyFile.error();
148  return false;
149  }
150 
151  _key = QSslKey(&keyFile, QSsl::Rsa);
152  keyFile.close();
153  } else {
154  _key = QSslKey(&certFile, QSsl::Rsa);
155  }
156 
157  certFile.close();
158 
159  if (_cert.isNull()) {
160  quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
161  return false;
162  }
163 
164  // We allow the core to offer SSL anyway, so no "return false" here. Client will warn about the cert being invalid.
165  const QDateTime now = QDateTime::currentDateTime();
166  if (now < _cert.effectiveDate())
167  quWarning() << "SslServer: Certificate won't be valid before" << _cert.effectiveDate().toString();
168 
169  else if (now > _cert.expiryDate())
170  quWarning() << "SslServer: Certificate expired on" << _cert.expiryDate().toString();
171 
172  else { // Qt4's isValid() checks for time range and blacklist; avoid a double warning, hence the else block
173 #if QT_VERSION < 0x050000
174  if (!_cert.isValid())
175 #else
176  if (_cert.isBlacklisted())
177 #endif
178  quWarning() << "SslServer: Certificate blacklisted";
179  }
180  if (_key.isNull()) {
181  quWarning() << "SslServer:" << qPrintable(keyPath) << "contains no key data";
182  return false;
183  }
184 
185  _isCertValid = true;
186 
187  return _isCertValid;
188 }
189 
190 
191 #endif // HAVE_SSL