bool KIO::Integration::sslConfigFromMetaData(const KIO::MetaData& metadata, QSslConfiguration& sslconfig)
{
bool success = false;
if (metadata.contains(QL1S("ssl_in_use"))) {
const QSsl::SslProtocol sslProto = qSslProtocolFromString(metadata.value(QL1S("ssl_protocol_version")));
QList<QSslCipher> cipherList;
cipherList << QSslCipher(metadata.value(QL1S("ssl_cipher_name")), sslProto);
sslconfig.setCaCertificates(QSslCertificate::fromData(metadata.value(QL1S("ssl_peer_chain")).toUtf8()));
sslconfig.setCiphers(cipherList);
sslconfig.setProtocol(sslProto);
success = sslconfig.isNull();
}
return success;
}
EnginioClientConnectionPrivate::EnginioClientConnectionPrivate() :
_identity(),
_serviceUrl(EnginioString::apiEnginIo),
_networkManager(),
_uploadChunkSize(512 * 1024),
_authenticationState(Enginio::NotAuthenticated)
{
assignNetworkManager();
#if defined(ENGINIO_VALGRIND_DEBUG)
QSslConfiguration conf = QSslConfiguration::defaultConfiguration();
conf.setCiphers(QList<QSslCipher>() << QSslCipher(QStringLiteral("ECDHE-RSA-DES-CBC3-SHA"), QSsl::SslV3));
_request.setSslConfiguration(conf);
#endif
_request.setHeader(QNetworkRequest::ContentTypeHeader,
QStringLiteral("application/json"));
}
void LanLinkProvider::configureSslSocket(QSslSocket* socket, const QString& deviceId, bool isDeviceTrusted)
{
// Setting supported ciphers manually
// Top 3 ciphers are for new Android devices, botton two are for old Android devices
// FIXME : These cipher suites should be checked whether they are supported or not on device
QList<QSslCipher> socketCiphers;
socketCiphers.append(QSslCipher(QStringLiteral("ECDHE-ECDSA-AES256-GCM-SHA384")));
socketCiphers.append(QSslCipher(QStringLiteral("ECDHE-ECDSA-AES128-GCM-SHA256")));
socketCiphers.append(QSslCipher(QStringLiteral("ECDHE-RSA-AES128-SHA")));
socketCiphers.append(QSslCipher(QStringLiteral("RC4-SHA")));
socketCiphers.append(QSslCipher(QStringLiteral("RC4-MD5")));
// Configure for ssl
QSslConfiguration sslConfig;
sslConfig.setCiphers(socketCiphers);
sslConfig.setProtocol(QSsl::TlsV1_0);
socket->setSslConfiguration(sslConfig);
socket->setLocalCertificate(KdeConnectConfig::instance()->certificate());
socket->setPrivateKey(KdeConnectConfig::instance()->privateKeyPath());
socket->setPeerVerifyName(deviceId);
if (isDeviceTrusted) {
QString certString = KdeConnectConfig::instance()->getDeviceProperty(deviceId, QStringLiteral("certificate"), QString());
socket->addCaCertificate(QSslCertificate(certString.toLatin1()));
socket->setPeerVerifyMode(QSslSocket::VerifyPeer);
} else {
socket->setPeerVerifyMode(QSslSocket::QueryPeer);
}
//Usually SSL errors are only bad for trusted devices. Uncomment this section to log errors in any case, for debugging.
//QObject::connect(socket, static_cast<void (QSslSocket::*)(const QList<QSslError>&)>(&QSslSocket::sslErrors), [](const QList<QSslError>& errors)
//{
// Q_FOREACH (const QSslError &error, errors) {
// qCDebug(KDECONNECT_CORE) << "SSL Error:" << error.errorString();
// }
//});
}
void ProtocolController::prepareConnection(QSslSocket *socket)
{
// Ciphers allowed
QList<QSslCipher> ciphers;
ciphers << QSslCipher("ECDHE-RSA-AES256-GCM-SHA384");
// Update config
QSslConfiguration config = socket->sslConfiguration();
config.setProtocol(QSsl::TlsV1_2);
// Set allowed ciphers
config.setCiphers(ciphers);
socket->setSslConfiguration(config);
QFile caFile("certificates/cert.pem");
caFile.open(QIODevice::ReadOnly);
QByteArray data = caFile.readAll();
caFile.close();
QSslCertificate certifacte(data);
socket->addCaCertificate(certifacte);
}
void OcNetwork::sslErrorHandler(QNetworkReply* rep,const QList<QSslError> &errors)
{
QVariantMap account = config.getAccount();
bool ignoreSSLerrors = false;
if (account["state"].toInt() == 0)
{
ignoreSSLerrors = account["ignoresslerror"].toBool();
}
if (ignoreSSLerrors)
{
rep->ignoreSslErrors();
QLOG_WARN() << "Network: ignore SSL errors";
} else {
foreach (const QSslError &error, errors)
{
QLOG_ERROR() << "Network SSL error: " << error.errorString();
}
// get certificate checksum
QString checksum = QString::fromLatin1(rep->sslConfiguration().peerCertificateChain().last().digest(QCryptographicHash::Md5).toHex().toLower());
// set string for temporary file path
QString filePath(QDir::homePath());
filePath.append(BASE_PATH).append(QDir::separator()).append(checksum).append(".der");
// store server certificate temporary
QFile x509Temp(filePath);
x509Temp.open(QIODevice::WriteOnly);
x509Temp.write(rep->sslConfiguration().peerCertificateChain().last().toDer());
x509Temp.close();
#if defined(MEEGO_EDITION_HARMATTAN)
// set credential
int credSuc = aegis_certman_set_credentials("buschtrommel-ocnews::CertOCNewsSSL");
if (credSuc != 0) qDebug() << "set credential error: " << credSuc;
// open file for X509 struct
FILE * crtFile;
crtFile = fopen(filePath.toAscii().data(), "r");
if (crtFile == NULL) qDebug() << "Can not open cert file.";
X509 * crt;
crt = d2i_X509_fp(crtFile, NULL);
if (crt == NULL) qDebug() << "Error importing X509 Certificate";
// get server key id
aegis_key_id crtKeyId;
aegis_certman_get_key_id(crt, crtKeyId);
// open ssl domain
domain_handle ownDomain;
int openCheck = aegis_certman_open_domain("ssl-ocnews", AEGIS_CERTMAN_DOMAIN_PRIVATE, &ownDomain);
if (openCheck != 0) QLOG_ERROR() << "Network: Error Opening SSL Domain: " << openCheck;
int guiCheck = aegis_certman_gui_check_certificate(crt, 120);
QLOG_INFO() << "Network Certificate check: " << guiCheck;
if (guiCheck == 0)
{
// check if cert is already in domain
X509 * storedCert;
int loadStoredCert = aegis_certman_load_cert(ownDomain, crtKeyId, &storedCert);
if (loadStoredCert == 0 && storedCert != NULL)
{
QLOG_INFO() << "Network Load Cert: " << loadStoredCert;
// convert internal X509 structure to DER
int len;
unsigned char *buf;
buf = NULL;
len = i2d_X509(storedCert, &buf);
if (len > 0) {
// create Qt Certificate from buffer
QByteArray buffer(reinterpret_cast<const char*>(buf), len);
QSslCertificate sslCert(buffer, QSsl::Der);
// create list and append cert
QList<QSslCertificate> sslCerts;
sslCerts.append(sslCert);
// put ssl into ssl error for ignored errors
QSslError sslError(QSslError::SelfSignedCertificate, sslCerts.at(0));
QList<QSslError> expectedSslErrors;
expectedSslErrors.append(sslError);
// add certificate to socket and current configuration
QSslSocket::addDefaultCaCertificates(sslCerts);
QList<QSslCipher> ciphers = rep->sslConfiguration().ciphers();
QSslConfiguration sslConfig;
sslConfig.setCiphers(ciphers);
sslConfig.setCaCertificates(sslCerts);
rep->setSslConfiguration(sslConfig);
// ignore only this ssl error
rep->ignoreSslErrors(expectedSslErrors);
} else {
QLOG_ERROR() << "Network: Can not decode cert to DER.";
}
} else {
int addCheck = aegis_certman_add_cert(ownDomain, crt);
QLOG_INFO() << "Network Add Cert: " << addCheck;
// convert internal X509 structure to DER
int len;
unsigned char *buf;
buf = NULL;
len = i2d_X509(crt, &buf);
if (len > 0) {
// create Qt Certificate from buffer
QByteArray buffer(reinterpret_cast<const char*>(buf), len);
QSslCertificate sslCert(buffer, QSsl::Der);
// create list and append cert
QList<QSslCertificate> sslCerts;
sslCerts.append(sslCert);
// put ssl into ssl error for ignored errors
QSslError sslError(QSslError::SelfSignedCertificate, sslCerts.at(0));
QList<QSslError> expectedSslErrors;
expectedSslErrors.append(sslError);
// add certificate to socket and current configuration
QSslSocket::addDefaultCaCertificates(sslCerts);
QList<QSslCipher> ciphers = rep->sslConfiguration().ciphers();
QSslConfiguration sslConfig;
sslConfig.setCiphers(ciphers);
sslConfig.setCaCertificates(sslCerts);
rep->setSslConfiguration(sslConfig);
// ignore only these ssl error
rep->ignoreSslErrors(expectedSslErrors);
} else {
QLOG_ERROR() << "Network: Can not decode cert to DER.";
}
}
} else {
// remove cert if not approved
int removeCheck = aegis_certman_rm_cert(ownDomain, crtKeyId);
QLOG_INFO() << "Network Remove Cert: " << removeCheck;
}
aegis_certman_close_domain(ownDomain);
x509Temp.remove(); // remove temporary cert file
#else
// rep->ignoreSslErrors();
rep->abort();
QLOG_WARN() << "Abort network operation...";
#endif
}
}
void Server::update() {
if (qsRegName.isEmpty() || qsRegPassword.isEmpty() || !qurlRegWeb.isValid() || !qsPassword.isEmpty() || !bAllowPing)
return;
// When QNAM distinguishes connections by client cert, move this to Meta
if (! qnamNetwork)
qnamNetwork = new QNetworkAccessManager(this);
qtTick.start(1000 * (60 * 60 + (qrand() % 300)));
QDomDocument doc;
QDomElement root=doc.createElement(QLatin1String("server"));
doc.appendChild(root);
OSInfo::fillXml(doc, root, meta->qsOS, meta->qsOSVersion, qlBind);
QDomElement tag;
QDomText t;
tag=doc.createElement(QLatin1String("name"));
root.appendChild(tag);
t=doc.createTextNode(qsRegName);
tag.appendChild(t);
tag=doc.createElement(QLatin1String("host"));
root.appendChild(tag);
t=doc.createTextNode(qsRegHost);
tag.appendChild(t);
tag=doc.createElement(QLatin1String("password"));
root.appendChild(tag);
t=doc.createTextNode(qsRegPassword);
tag.appendChild(t);
tag=doc.createElement(QLatin1String("port"));
root.appendChild(tag);
t=doc.createTextNode(QString::number(usPort));
tag.appendChild(t);
tag=doc.createElement(QLatin1String("url"));
root.appendChild(tag);
t=doc.createTextNode(qurlRegWeb.toString());
tag.appendChild(t);
tag=doc.createElement(QLatin1String("digest"));
root.appendChild(tag);
t=doc.createTextNode(getDigest());
tag.appendChild(t);
tag=doc.createElement(QLatin1String("users"));
root.appendChild(tag);
t=doc.createTextNode(QString::number(qhUsers.count()));
tag.appendChild(t);
tag=doc.createElement(QLatin1String("channels"));
root.appendChild(tag);
t=doc.createTextNode(QString::number(qhChannels.count()));
tag.appendChild(t);
if (!qsRegLocation.isEmpty()) {
tag=doc.createElement(QLatin1String("location"));
root.appendChild(tag);
t=doc.createTextNode(qsRegLocation);
tag.appendChild(t);
}
QNetworkRequest qnr(QUrl(QLatin1String("https://mumble.info/register.cgi")));
qnr.setHeader(QNetworkRequest::ContentTypeHeader, QLatin1String("text/xml"));
QSslConfiguration ssl = qnr.sslConfiguration();
ssl.setLocalCertificate(qscCert);
ssl.setPrivateKey(qskKey);
/* Work around bug in QSslConfiguration */
QList<QSslCertificate> calist = ssl.caCertificates();
calist << QSslSocket::defaultCaCertificates();
calist << Meta::mp.qlCA;
calist << Meta::mp.qlIntermediates;
calist << qscCert;
ssl.setCaCertificates(calist);
ssl.setCiphers(Meta::mp.qlCiphers);
qnr.setSslConfiguration(ssl);
QNetworkReply *rep = qnamNetwork->post(qnr, doc.toString().toUtf8());
connect(rep, SIGNAL(finished()), this, SLOT(finished()));
connect(rep, SIGNAL(sslErrors(const QList<QSslError> &)), this, SLOT(regSslError(const QList<QSslError> &)));
}
void WebsocketServer::initialisieren(const QString &name, const QString &ipAdresse, const int &anschluss, const QStringList &sslAlgorithmen,
const QStringList &ssl_EK, const QString &ssl_DH, const QString &zertifikatSchluessel,
const QString &zertifikat, const QString &zertifkatKette, const bool &ssl_aktiv)
{
QWebSocketServer::SslMode SSL_Modus;
if (ssl_aktiv)
{
SSL_Modus=QWebSocketServer::SecureMode;
K_IPAdresse=QHostAddress(ipAdresse);
}
else
{
SSL_Modus=QWebSocketServer::NonSecureMode;
K_IPAdresse=QHostAddress(QHostAddress::LocalHost);
}
K_Server=new QWebSocketServer(name,SSL_Modus,this);
connect(K_Server,&QWebSocketServer::sslErrors,this, &WebsocketServer::SSL_Fehler);
connect(K_Server,&QWebSocketServer::serverError,this,&WebsocketServer::SSL_Serverfehler);
connect(K_Server,&QWebSocketServer::newConnection,this,&WebsocketServer::NeuerKlient);
connect(K_Server,&QWebSocketServer::acceptError,this,&WebsocketServer::Verbindungsfehler);
K_Anschluss=anschluss;
QSslConfiguration SSL;
QList<QSslCipher> Algorithmen;
QVector<QSslEllipticCurve> EK;
SSL.setProtocol(QSsl::TlsV1_2OrLater);
SSL.setPeerVerifyMode(QSslSocket::VerifyNone);
QSslCipher Algorithmus;
QSslEllipticCurve Kurve;
if (ssl_aktiv)
{
//BUG Das mit der Reihenfolge geht nicht
for (auto Eintrag : sslAlgorithmen)
{
Algorithmus=QSslCipher(Eintrag);
if (Algorithmus.isNull())
qCWarning(qalarm_serverWebsocketServer)<< tr("Algorithmus %1 wird nicht unterstützt.").arg(Eintrag);
else
Algorithmen.append(Algorithmus);
}
SSL.setCiphers(Algorithmen);
//BUG Es werden nie Kurven angeboten
for (auto Eintrag : ssl_EK)
{
Kurve=QSslEllipticCurve::fromShortName(Eintrag);
if (!Kurve.isValid())
qCWarning(qalarm_serverWebsocketServer)<< tr("Kurve %1 wird nicht unterstützt.").arg(Eintrag);
else
EK.append(Kurve);
}
SSL.setEllipticCurves(EK);
if(!ssl_DH.isEmpty())
{
#if (QT_VERSION >= QT_VERSION_CHECK(5,8,0))
SSL.setDiffieHellmanParameters(QSslDiffieHellmanParameters::fromEncoded(DateiLaden(ssl_DH,tr("Die DH Parameter %1 konnten nicht geladen werden."))));
#else
qCWarning(qalarm_serverWebsocketServer)<<tr("Qt kann die DH Parameter erst ab Version 5.8.0 setzen");
#endif
}
QList<QSslCertificate> Zertifikate;
Zertifikate=QSslCertificate::fromDevice(DateiLaden(zertifikat,tr("Zertifikat %1 konnte nicht geladen werden.").arg(zertifikat)));
Zertifikate.append(QSslCertificate::fromDevice(DateiLaden(zertifkatKette,tr("Die Zertifikatskette %1 konnte nicht geladen werden.").arg(zertifkatKette))));
SSL.setLocalCertificateChain(Zertifikate);
SSL.setPrivateKey(QSslKey(DateiLaden(zertifikatSchluessel,tr("Der Schlüssel %1 für das Zertifikat konnte nicht geladen werden.").arg(zertifikatSchluessel)),QSsl::Rsa));
if(SSL.privateKey().isNull() || SSL.localCertificate().isNull() || SSL.localCertificateChain().isEmpty())
return;
qCDebug(qalarm_serverWebsocketServer)<<tr("Setze SSL Konfiguration");
qCDebug(qalarm_serverWebsocketServer)<<tr("Privater Schlüssel: ")<<SSL.privateKey();
qCDebug(qalarm_serverWebsocketServer)<<tr("Zertifikate: ")<<SSL.localCertificateChain();
#if (QT_VERSION >= QT_VERSION_CHECK(5,8,0))
qCDebug(qalarm_serverWebsocketServer)<<tr("DH Parameter: ")<<SSL.diffieHellmanParameters();
#endif
qCDebug(qalarm_serverWebsocketServer)<<tr("Zerttest: ")<<SSL.peerVerifyMode();
qCDebug(qalarm_serverWebsocketServer)<<tr("Elliptische Kurven: ")<<SSL.ellipticCurves();
qCDebug(qalarm_serverWebsocketServer)<<tr("Algorithmen: ")<<SSL.ciphers();
K_Server->setSslConfiguration(SSL);
}
if(!K_Initfehler)
Q_EMIT Initialisiert();
}
