void
SslSocketBase::setPKI(const QSslKey &privateKey,
const QSslCertificate &localCertificate) {
setPrivateKey(privateKey);
setLocalCertificate(localCertificate);
}
void
SslSocketBase::setPKI(const QString &keyFilePath,
const QString &certFilePath) {
setPrivateKey(keyFilePath);
setLocalCertificate(certFilePath);
}
Connection::Connection(int socketDescriptor, const QString &cert, const QString &key)
: serverMode(true), readSize(0)
{
setSocketDescriptor(socketDescriptor);
setLocalCertificate(cert);
setPrivateKey(key);
init();
handshake();
}
GroupSocket::GroupSocket(GroupAuthority *authority, QObject *parent)
: QObject(parent)
, socket{this}
, timer{this}
, authority(authority)
{
timer.setInterval(FIVE_SECOND_TIMEOUT);
timer.setSingleShot(true);
connect(&timer, &QTimer::timeout, this, &GroupSocket::onTimeout);
const auto get_ssl_config = [this, authority]() {
auto config = socket.sslConfiguration();
config.setCaCertificates({});
config.setLocalCertificate(authority->getLocalCertificate());
config.setPrivateKey(authority->getPrivateKey());
config.setPeerVerifyMode(QSslSocket::QueryPeer);
// CVE-2012-4929 forced the below option to be enabled by default but we can disable it because
// the vulernability only impacts browsers
config.setSslOption(QSsl::SslOption::SslOptionDisableCompression, false);
return config;
};
socket.setSslConfiguration(get_ssl_config());
socket.setPeerVerifyName(GROUP_COMMON_NAME);
connect(&socket, &QAbstractSocket::hostFound, this, [this]() { emit sendLog("Host found..."); });
connect(&socket, &QAbstractSocket::connected, this, [this]() {
socket.setSocketOption(QAbstractSocket::LowDelayOption, true);
socket.setSocketOption(QAbstractSocket::KeepAliveOption, true);
if (io::tuneKeepAlive(socket.socketDescriptor())) {
emit sendLog("Tuned TCP keep alive parameters for socket");
}
setProtocolState(ProtocolState::AwaitingLogin);
emit sendLog("Connection established...");
emit connectionEstablished(this);
});
connect(&socket, &QSslSocket::encrypted, this, [this]() {
timer.stop();
secret
= socket.peerCertificate().digest(QCryptographicHash::Algorithm::Sha1).toHex().toLower();
emit sendLog("Connection successfully encrypted...");
emit connectionEncrypted(this);
});
connect(&socket, &QAbstractSocket::disconnected, this, [this]() {
timer.stop();
emit connectionClosed(this);
});
connect(&socket, &QIODevice::readyRead, this, &GroupSocket::onReadyRead);
connect(&socket,
static_cast<void (QAbstractSocket::*)(QAbstractSocket::SocketError)>(
&QAbstractSocket::error),
this,
&GroupSocket::onError);
connect(&socket, &QSslSocket::peerVerifyError, this, &GroupSocket::onPeerVerifyError);
}
//Permet de renseigner le client avec qui le socket doit communiquer
bool Socket::setDescriptor(int socketDescriptor)
{
if(this->state()==QAbstractSocket::ConnectedState) return false;
if(!this->setSocketDescriptor(socketDescriptor)) return false;
//On récupère la clé privée du serveur
QFile file(PRIVATEKEY_FILE);
if(!file.open(QIODevice::ReadOnly))
{
qDebug("La clé privée du serveur est introuvable.");
return false;
}
QSslKey key(&file, QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey, "pass");
if (key.isNull())
{
qDebug("La clé privée du serveur est nulle");
return false;
}
file.close();
setPrivateKey(key);
//on charge le certificat du client
setLocalCertificate( LOCALCERTIFICATE_FILE );
//on charge le certificat de notre ca
if(!addCaCertificates(CACERTIFICATES_FILE))
{
qDebug("Impossible de charger le certificat du CA.");
return false;
}
//on supprime la vérification des certificats des clients
//seuls ces derniers vérifient les clés et certificat du serveur
setPeerVerifyMode(QSslSocket::VerifyNone);
//on ignore les erreurs car on a un certificat auto signé
ignoreSslErrors();
//on se connecte au serveur
startServerEncryption();
//On attends au plus 30secondes pour que la connexion s'établisse
bool result = waitForConnected();
if(!result) return result;
result=waitForEncrypted();
return result;
}
sslConnection::sslConnection( int socketDescriptor, QObject *parent ) : QSslSocket( parent )
{
if( !setSocketDescriptor( socketDescriptor ) )
{
qDebug() << "Couldn't set socket descriptor";
deleteLater();
return;
}
setPeerVerifyMode(QSslSocket::VerifyPeer);
setLocalCertificate( "mycert.pem" );
setPrivateKey("mycert.pem");
startServerEncryption();
}
/*!
* This is an overloaded function, provided for convenience.
*
* Sets the certificate to be presented to clients during the SSL handshake to
* the first certificate contained in the file specified by \a path.
*
* \sa localCertificate
*/
void QxtSslServer::setLocalCertificate(const QString& path, QSsl::EncodingFormat format)
{
QFile file(path);
if(!file.open(QIODevice::ReadOnly)) return;
setLocalCertificate(QSslCertificate(&file, format));
}
