NetworkManager::Security8021xSetting::Security8021xSetting(const Ptr &other)
: Setting(other)
, d_ptr(new Security8021xSettingPrivate())
{
setEapMethods(other->eapMethods());
setIdentity(other->identity());
setAnonymousIdentity(other->anonymousIdentity());
setPacFile(other->pacFile());
setCaCertificate(other->caCertificate());
setCaPath(other->caPath());
setSubjectMatch(other->subjectMatch());
setAltSubjectMatches(other->altSubjectMatches());
setClientCertificate(other->clientCertificate());
setPhase1PeapVersion(other->phase1PeapVersion());
setPhase1PeapLabel(other->phase1PeapLabel());
setPhase1FastProvisioning(other->phase1FastProvisioning());
setPhase2AuthMethod(other->phase2AuthMethod());
setPhase2AuthEapMethod(other->phase2AuthEapMethod());
setPhase2CaCertificate(other->phase2CaCertificate());
setPhase2CaPath(other->phase2CaPath());
setPhase2SubjectMatch(other->phase2SubjectMatch());
setPhase2AltSubjectMatches(other->phase2AltSubjectMatches());
setPassword(other->password());
setPasswordFlags(other->passwordFlags());
setPasswordRaw(other->passwordRaw());
setPasswordRawFlags(other->passwordRawFlags());
setPrivateKey(other->privateKey());
setPrivateKeyPassword(other->privateKeyPassword());
setPrivateKeyPasswordFlags(other->privateKeyPasswordFlags());
setPhase2PrivateKey(other->phase2PrivateKey());
setPhase2PrivateKeyPassword(other->phase2PrivateKeyPassword());
setPhase2PrivateKeyPasswordFlags(other->phase2PrivateKeyPasswordFlags());
setSystemCaCertificates(other->systemCaCertificates());
}
void
SslSocketBase::setPKI(const QSslKey &privateKey,
const QSslCertificate &localCertificate) {
setPrivateKey(privateKey);
setLocalCertificate(localCertificate);
}
void
SslSocketBase::setPKI(const QString &keyFilePath,
const QString &certFilePath) {
setPrivateKey(keyFilePath);
setLocalCertificate(certFilePath);
}
Connection::Connection(int socketDescriptor, const QString &cert, const QString &key)
: serverMode(true), readSize(0)
{
setSocketDescriptor(socketDescriptor);
setLocalCertificate(cert);
setPrivateKey(key);
init();
handshake();
}
GroupSocket::GroupSocket(GroupAuthority *authority, QObject *parent)
: QObject(parent)
, socket{this}
, timer{this}
, authority(authority)
{
timer.setInterval(FIVE_SECOND_TIMEOUT);
timer.setSingleShot(true);
connect(&timer, &QTimer::timeout, this, &GroupSocket::onTimeout);
const auto get_ssl_config = [this, authority]() {
auto config = socket.sslConfiguration();
config.setCaCertificates({});
config.setLocalCertificate(authority->getLocalCertificate());
config.setPrivateKey(authority->getPrivateKey());
config.setPeerVerifyMode(QSslSocket::QueryPeer);
// CVE-2012-4929 forced the below option to be enabled by default but we can disable it because
// the vulernability only impacts browsers
config.setSslOption(QSsl::SslOption::SslOptionDisableCompression, false);
return config;
};
socket.setSslConfiguration(get_ssl_config());
socket.setPeerVerifyName(GROUP_COMMON_NAME);
connect(&socket, &QAbstractSocket::hostFound, this, [this]() { emit sendLog("Host found..."); });
connect(&socket, &QAbstractSocket::connected, this, [this]() {
socket.setSocketOption(QAbstractSocket::LowDelayOption, true);
socket.setSocketOption(QAbstractSocket::KeepAliveOption, true);
if (io::tuneKeepAlive(socket.socketDescriptor())) {
emit sendLog("Tuned TCP keep alive parameters for socket");
}
setProtocolState(ProtocolState::AwaitingLogin);
emit sendLog("Connection established...");
emit connectionEstablished(this);
});
connect(&socket, &QSslSocket::encrypted, this, [this]() {
timer.stop();
secret
= socket.peerCertificate().digest(QCryptographicHash::Algorithm::Sha1).toHex().toLower();
emit sendLog("Connection successfully encrypted...");
emit connectionEncrypted(this);
});
connect(&socket, &QAbstractSocket::disconnected, this, [this]() {
timer.stop();
emit connectionClosed(this);
});
connect(&socket, &QIODevice::readyRead, this, &GroupSocket::onReadyRead);
connect(&socket,
static_cast<void (QAbstractSocket::*)(QAbstractSocket::SocketError)>(
&QAbstractSocket::error),
this,
&GroupSocket::onError);
connect(&socket, &QSslSocket::peerVerifyError, this, &GroupSocket::onPeerVerifyError);
}
void Session::setAsymmetricCryptoOp(AsymmetricAlgorithm *asymmetricCryptoOp)
{
if (this->asymmetricCryptoOp != NULL)
{
setPublicKey(NULL);
setPrivateKey(NULL);
CryptoFactory::i()->recycleAsymmetricAlgorithm(asymmetricCryptoOp);
}
this->asymmetricCryptoOp = asymmetricCryptoOp;
}
void S3::setup(kerberos::StringMap & settings)
{
Cloud::setup(settings);
// -------------------------
// Initialize S3 credentials
setBucket(settings.at("clouds.S3.bucket"));
setFolder(settings.at("clouds.S3.folder"));
setPublicKey(settings.at("clouds.S3.publicKey"));
setPrivateKey(settings.at("clouds.S3.privateKey"));
}
//Permet de renseigner le client avec qui le socket doit communiquer
bool Socket::setDescriptor(int socketDescriptor)
{
if(this->state()==QAbstractSocket::ConnectedState) return false;
if(!this->setSocketDescriptor(socketDescriptor)) return false;
//On récupère la clé privée du serveur
QFile file(PRIVATEKEY_FILE);
if(!file.open(QIODevice::ReadOnly))
{
qDebug("La clé privée du serveur est introuvable.");
return false;
}
QSslKey key(&file, QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey, "pass");
if (key.isNull())
{
qDebug("La clé privée du serveur est nulle");
return false;
}
file.close();
setPrivateKey(key);
//on charge le certificat du client
setLocalCertificate( LOCALCERTIFICATE_FILE );
//on charge le certificat de notre ca
if(!addCaCertificates(CACERTIFICATES_FILE))
{
qDebug("Impossible de charger le certificat du CA.");
return false;
}
//on supprime la vérification des certificats des clients
//seuls ces derniers vérifient les clés et certificat du serveur
setPeerVerifyMode(QSslSocket::VerifyNone);
//on ignore les erreurs car on a un certificat auto signé
ignoreSslErrors();
//on se connecte au serveur
startServerEncryption();
//On attends au plus 30secondes pour que la connexion s'établisse
bool result = waitForConnected();
if(!result) return result;
result=waitForEncrypted();
return result;
}
sslConnection::sslConnection( int socketDescriptor, QObject *parent ) : QSslSocket( parent )
{
if( !setSocketDescriptor( socketDescriptor ) )
{
qDebug() << "Couldn't set socket descriptor";
deleteLater();
return;
}
setPeerVerifyMode(QSslSocket::VerifyPeer);
setLocalCertificate( "mycert.pem" );
setPrivateKey("mycert.pem");
startServerEncryption();
}
void GKeyPair::generateKeyPair(unsigned int uintCount, const unsigned int* pRawCryptographicBytes1, const unsigned int* pRawCryptographicBytes2, const unsigned int* pRawCryptographicBytes3)
{
// Make places to put the data
GBigInt* pOutPublicKey = new GBigInt();
GBigInt* pOutPrivateKey = new GBigInt();
GBigInt* pOutN = new GBigInt();
// Find two primes
GBigInt p;
GBigInt q;
int n;
for(n = (int)uintCount - 1; n >= 0; n--)
p.setUInt(n, pRawCryptographicBytes1[n]);
for(n = uintCount - 1; n >= 0; n--)
q.setUInt(n, pRawCryptographicBytes2[n]);
p.setBit(0, true);
q.setBit(0, true);
int nTries = 0;
while(!p.isPrime())
{
p.increment();
p.increment();
nTries++;
}
nTries = 0;
while(!q.isPrime())
{
q.increment();
q.increment();
nTries++;
}
// Calculate N (the product of the two primes)
pOutN->multiply(&p, &q);
// Calculate prod ((p - 1) * (q - 1))
p.decrement();
q.decrement();
GBigInt prod;
prod.multiply(&p, &q);
// Calculate public and private keys
pOutPublicKey->selectPublicKey(pRawCryptographicBytes3, uintCount, &prod);
pOutPrivateKey->calculatePrivateKey(pOutPublicKey, &prod);
// Fill in "this" GKeyPair object
setPublicKey(pOutPublicKey);
setPrivateKey(pOutPrivateKey);
setN(pOutN);
}
RSAZCryptor::RSAZCryptor(const char* privatekey, const char* passphrase)
{
init();
setPrivateKey(privatekey, passphrase);
}
/*!
* This is an overloaded function, provided for convenience.
*
* Sets the private key used for encryption to the key contained in the file specified by
* \a path. The specified algorithm, format, and pass phrase are used to decrypt the key.
*
* \sa privateKey
*/
void QxtSslServer::setPrivateKey(const QString& path, QSsl::KeyAlgorithm algo, QSsl::EncodingFormat format, const QByteArray& passPhrase)
{
QFile file(path);
if(!file.open(QIODevice::ReadOnly)) return;
setPrivateKey(QSslKey(&file, algo, format, QSsl::PrivateKey, passPhrase));
}
void NetworkManager::Security8021xSetting::fromMap(const QVariantMap &setting)
{
if (setting.contains(QLatin1String(NM_SETTING_802_1X_EAP))) {
const QStringList methods = setting.value(QLatin1String(NM_SETTING_802_1X_EAP)).toStringList();
QList<EapMethod> eapMethods;
Q_FOREACH (const QString & method, methods) {
if (method == "leap") {
eapMethods << EapMethodLeap;
} else if (method == "md5") {
eapMethods << EapMethodMd5;
} else if (method == "tls") {
eapMethods << EapMethodTls;
} else if (method == "peap") {
eapMethods << EapMethodPeap;
} else if (method == "ttls") {
eapMethods << EapMethodTtls;
} else if (method == "sim") {
eapMethods << EapMethodSim;
} else if (method == "fast") {
eapMethods << EapMethodFast;
}
}
setEapMethods(eapMethods);
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_IDENTITY))) {
setIdentity(setting.value(QLatin1String(NM_SETTING_802_1X_IDENTITY)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_ANONYMOUS_IDENTITY))) {
setAnonymousIdentity(setting.value(QLatin1String(NM_SETTING_802_1X_ANONYMOUS_IDENTITY)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PAC_FILE))) {
setPacFile(setting.value(QLatin1String(NM_SETTING_802_1X_PAC_FILE)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_CA_CERT))) {
setCaCertificate(setting.value(QLatin1String(NM_SETTING_802_1X_CA_CERT)).toByteArray());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_CA_PATH))) {
setCaPath(setting.value(QLatin1String(NM_SETTING_802_1X_CA_PATH)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_SUBJECT_MATCH))) {
setSubjectMatch(setting.value(QLatin1String(NM_SETTING_802_1X_SUBJECT_MATCH)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_ALTSUBJECT_MATCHES))) {
setAltSubjectMatches(setting.value(QLatin1String(NM_SETTING_802_1X_ALTSUBJECT_MATCHES)).toStringList());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_CLIENT_CERT))) {
setClientCertificate(setting.value(QLatin1String(NM_SETTING_802_1X_CLIENT_CERT)).toByteArray());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE1_PEAPVER))) {
const QString version = setting.value(QLatin1String(NM_SETTING_802_1X_PHASE1_PEAPVER)).toString();
if (version == "0") {
setPhase1PeapVersion(PeapVersionZero);
} else if (version == "1") {
setPhase1PeapVersion(PeapVersionOne);
}
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE1_PEAPLABEL))) {
const QString label = setting.value(QLatin1String(NM_SETTING_802_1X_PHASE1_PEAPLABEL)).toString();
if (label == "1") {
setPhase1PeapLabel(PeapLabelForce);
}
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING))) {
const QString provisioning = setting.value(QLatin1String(NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING)).toString();
if (provisioning == "0") {
setPhase1FastProvisioning(FastProvisioningDisabled);
} else if (provisioning == "1") {
setPhase1FastProvisioning(FastProvisioningAllowUnauthenticated);
} else if (provisioning == "2") {
setPhase1FastProvisioning(FastProvisioningAllowAuthenticated);
} else if (provisioning == "3") {
setPhase1FastProvisioning(FastProvisioningAllowBoth);
}
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_AUTH))) {
const QString authMethod = setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_AUTH)).toString();
if (authMethod == "pap") {
setPhase2AuthMethod(AuthMethodPap);
} else if (authMethod == "chap") {
setPhase2AuthMethod(AuthMethodChap);
} else if (authMethod == "mschap") {
setPhase2AuthMethod(AuthMethodMschap);
} else if (authMethod == "mschapv2") {
setPhase2AuthMethod(AuthMethodMschapv2);
} else if (authMethod == "gtc") {
setPhase2AuthMethod(AuthMethodGtc);
} else if (authMethod == "otp") {
setPhase2AuthMethod(AuthMethodOtp);
} else if (authMethod == "md5") {
setPhase2AuthMethod(AuthMethodMd5);
} else if (authMethod == "tls") {
setPhase2AuthMethod(AuthMethodTls);
}
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_AUTHEAP))) {
const QString authEapMethod = setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_AUTHEAP)).toString();
if (authEapMethod == "md5") {
setPhase2AuthEapMethod(AuthEapMethodMd5);
} else if (authEapMethod == "mschapv2") {
setPhase2AuthEapMethod(AuthEapMethodMschapv2);
} else if (authEapMethod == "otp") {
setPhase2AuthEapMethod(AuthEapMethodOtp);
} else if (authEapMethod == "gtc") {
setPhase2AuthEapMethod(AuthEapMethodGtc);
} else if (authEapMethod == "tls") {
setPhase2AuthEapMethod(AuthEapMethodTls);
}
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_CA_CERT))) {
setPhase2CaCertificate(setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_CA_CERT)).toByteArray());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_CA_PATH))) {
setPhase2CaPath(setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_CA_PATH)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH))) {
setPhase2SubjectMatch(setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES))) {
setPhase2AltSubjectMatches(setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES)).toStringList());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_CLIENT_CERT))) {
setPhase2ClientCertificate(setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_CLIENT_CERT)).toByteArray());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PASSWORD))) {
setPassword(setting.value(QLatin1String(NM_SETTING_802_1X_PASSWORD)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PASSWORD_FLAGS))) {
setPasswordFlags((Setting::SecretFlags)setting.value(QLatin1String(NM_SETTING_802_1X_PASSWORD_FLAGS)).toUInt());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PASSWORD_RAW))) {
setPasswordRaw(setting.value(QLatin1String(NM_SETTING_802_1X_PASSWORD_RAW)).toByteArray());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PASSWORD_RAW_FLAGS))) {
setPasswordRawFlags((Setting::SecretFlags)setting.value(QLatin1String(NM_SETTING_802_1X_PASSWORD_RAW_FLAGS)).toUInt());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PRIVATE_KEY))) {
setPrivateKey(setting.value(QLatin1String(NM_SETTING_802_1X_PRIVATE_KEY)).toByteArray());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD))) {
setPrivateKeyPassword(setting.value(QLatin1String(NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS))) {
setPrivateKeyPasswordFlags((Setting::SecretFlags)setting.value(QLatin1String(NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS)).toUInt());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_PRIVATE_KEY))) {
setPhase2PrivateKey(setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_PRIVATE_KEY)).toByteArray());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD))) {
setPhase2PrivateKeyPassword(setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS))) {
setPhase2PrivateKeyPasswordFlags((Setting::SecretFlags)setting.value(QLatin1String(NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS)).toUInt());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PIN))) {
setPin(setting.value(QLatin1String(NM_SETTING_802_1X_PIN)).toString());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_PIN_FLAGS))) {
setPinFlags((Setting::SecretFlags)setting.value(QLatin1String(NM_SETTING_802_1X_PIN_FLAGS)).toUInt());
}
if (setting.contains(QLatin1String(NM_SETTING_802_1X_SYSTEM_CA_CERTS))) {
setSystemCaCertificates(setting.value(QLatin1String(NM_SETTING_802_1X_SYSTEM_CA_CERTS)).toBool());
}
}