1 | // Copyright (C) 2021 The Qt Company Ltd. |
---|---|
2 | // Copyright (C) 2014 BlackBerry Limited. All rights reserved. |
3 | // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only |
4 | |
5 | |
6 | //#define QSSLSOCKET_DEBUG |
7 | |
8 | /*! |
9 | \class QSslSocket |
10 | \brief The QSslSocket class provides an SSL encrypted socket for both |
11 | clients and servers. |
12 | \since 4.3 |
13 | |
14 | \reentrant |
15 | \ingroup network |
16 | \ingroup ssl |
17 | \inmodule QtNetwork |
18 | |
19 | QSslSocket establishes a secure, encrypted TCP connection you can |
20 | use for transmitting encrypted data. It can operate in both client |
21 | and server mode, and it supports modern TLS protocols, including |
22 | TLS 1.3. By default, QSslSocket uses only TLS protocols |
23 | which are considered to be secure (QSsl::SecureProtocols), but you can |
24 | change the TLS protocol by calling setProtocol() as long as you do |
25 | it before the handshake has started. |
26 | |
27 | SSL encryption operates on top of the existing TCP stream after |
28 | the socket enters the ConnectedState. There are two simple ways to |
29 | establish a secure connection using QSslSocket: With an immediate |
30 | SSL handshake, or with a delayed SSL handshake occurring after the |
31 | connection has been established in unencrypted mode. |
32 | |
33 | The most common way to use QSslSocket is to construct an object |
34 | and start a secure connection by calling connectToHostEncrypted(). |
35 | This method starts an immediate SSL handshake once the connection |
36 | has been established. |
37 | |
38 | \snippet code/src_network_ssl_qsslsocket.cpp 0 |
39 | |
40 | As with a plain QTcpSocket, QSslSocket enters the HostLookupState, |
41 | ConnectingState, and finally the ConnectedState, if the connection |
42 | is successful. The handshake then starts automatically, and if it |
43 | succeeds, the encrypted() signal is emitted to indicate the socket |
44 | has entered the encrypted state and is ready for use. |
45 | |
46 | Note that data can be written to the socket immediately after the |
47 | return from connectToHostEncrypted() (i.e., before the encrypted() |
48 | signal is emitted). The data is queued in QSslSocket until after |
49 | the encrypted() signal is emitted. |
50 | |
51 | An example of using the delayed SSL handshake to secure an |
52 | existing connection is the case where an SSL server secures an |
53 | incoming connection. Suppose you create an SSL server class as a |
54 | subclass of QTcpServer. You would override |
55 | QTcpServer::incomingConnection() with something like the example |
56 | below, which first constructs an instance of QSslSocket and then |
57 | calls setSocketDescriptor() to set the new socket's descriptor to |
58 | the existing one passed in. It then initiates the SSL handshake |
59 | by calling startServerEncryption(). |
60 | |
61 | \snippet code/src_network_ssl_qsslsocket.cpp 1 |
62 | |
63 | If an error occurs, QSslSocket emits the sslErrors() signal. In this |
64 | case, if no action is taken to ignore the error(s), the connection |
65 | is dropped. To continue, despite the occurrence of an error, you |
66 | can call ignoreSslErrors(), either from within this slot after the |
67 | error occurs, or any time after construction of the QSslSocket and |
68 | before the connection is attempted. This will allow QSslSocket to |
69 | ignore the errors it encounters when establishing the identity of |
70 | the peer. Ignoring errors during an SSL handshake should be used |
71 | with caution, since a fundamental characteristic of secure |
72 | connections is that they should be established with a successful |
73 | handshake. |
74 | |
75 | Once encrypted, you use QSslSocket as a regular QTcpSocket. When |
76 | readyRead() is emitted, you can call read(), canReadLine() and |
77 | readLine(), or getChar() to read decrypted data from QSslSocket's |
78 | internal buffer, and you can call write() or putChar() to write |
79 | data back to the peer. QSslSocket will automatically encrypt the |
80 | written data for you, and emit encryptedBytesWritten() once |
81 | the data has been written to the peer. |
82 | |
83 | As a convenience, QSslSocket supports QTcpSocket's blocking |
84 | functions waitForConnected(), waitForReadyRead(), |
85 | waitForBytesWritten(), and waitForDisconnected(). It also provides |
86 | waitForEncrypted(), which will block the calling thread until an |
87 | encrypted connection has been established. |
88 | |
89 | \snippet code/src_network_ssl_qsslsocket.cpp 2 |
90 | |
91 | QSslSocket provides an extensive, easy-to-use API for handling |
92 | cryptographic ciphers, private keys, and local, peer, and |
93 | Certification Authority (CA) certificates. It also provides an API |
94 | for handling errors that occur during the handshake phase. |
95 | |
96 | The following features can also be customized: |
97 | |
98 | \list |
99 | \li The socket's cryptographic cipher suite can be customized before |
100 | the handshake phase with QSslConfiguration::setCiphers(). |
101 | \li The socket's local certificate and private key can be customized |
102 | before the handshake phase with setLocalCertificate() and |
103 | setPrivateKey(). |
104 | \li The CA certificate database can be extended and customized with |
105 | QSslConfiguration::addCaCertificate(), |
106 | QSslConfiguration::addCaCertificates(). |
107 | \endlist |
108 | |
109 | To extend the list of \e default CA certificates used by the SSL sockets |
110 | during the SSL handshake you must update the default configuration, as |
111 | in the snippet below: |
112 | |
113 | \code |
114 | QList<QSslCertificate> certificates = getCertificates(); |
115 | QSslConfiguration configuration = QSslConfiguration::defaultConfiguration(); |
116 | configuration.addCaCertificates(certificates); |
117 | QSslConfiguration::setDefaultConfiguration(configuration); |
118 | \endcode |
119 | |
120 | \note If available, root certificates on Unix (excluding \macos) will be |
121 | loaded on demand from the standard certificate directories. If you do not |
122 | want to load root certificates on demand, you need to call either |
123 | QSslConfiguration::defaultConfiguration().setCaCertificates() before the first |
124 | SSL handshake is made in your application (for example, via passing |
125 | QSslSocket::systemCaCertificates() to it), or call |
126 | QSslConfiguration::defaultConfiguration()::setCaCertificates() on your QSslSocket instance |
127 | prior to the SSL handshake. |
128 | |
129 | For more information about ciphers and certificates, refer to QSslCipher and |
130 | QSslCertificate. |
131 | |
132 | This product includes software developed by the OpenSSL Project |
133 | for use in the OpenSSL Toolkit (\l{http://www.openssl.org/}). |
134 | |
135 | \note Be aware of the difference between the bytesWritten() signal and |
136 | the encryptedBytesWritten() signal. For a QTcpSocket, bytesWritten() |
137 | will get emitted as soon as data has been written to the TCP socket. |
138 | For a QSslSocket, bytesWritten() will get emitted when the data |
139 | is being encrypted and encryptedBytesWritten() |
140 | will get emitted as soon as data has been written to the TCP socket. |
141 | |
142 | \sa QSslCertificate, QSslCipher, QSslError |
143 | */ |
144 | |
145 | /*! |
146 | \enum QSslSocket::SslMode |
147 | |
148 | Describes the connection modes available for QSslSocket. |
149 | |
150 | \value UnencryptedMode The socket is unencrypted. Its |
151 | behavior is identical to QTcpSocket. |
152 | |
153 | \value SslClientMode The socket is a client-side SSL socket. |
154 | It is either already encrypted, or it is in the SSL handshake |
155 | phase (see QSslSocket::isEncrypted()). |
156 | |
157 | \value SslServerMode The socket is a server-side SSL socket. |
158 | It is either already encrypted, or it is in the SSL handshake |
159 | phase (see QSslSocket::isEncrypted()). |
160 | */ |
161 | |
162 | /*! |
163 | \enum QSslSocket::PeerVerifyMode |
164 | \since 4.4 |
165 | |
166 | Describes the peer verification modes for QSslSocket. The default mode is |
167 | AutoVerifyPeer, which selects an appropriate mode depending on the |
168 | socket's QSocket::SslMode. |
169 | |
170 | \value VerifyNone QSslSocket will not request a certificate from the |
171 | peer. You can set this mode if you are not interested in the identity of |
172 | the other side of the connection. The connection will still be encrypted, |
173 | and your socket will still send its local certificate to the peer if it's |
174 | requested. |
175 | |
176 | \value QueryPeer QSslSocket will request a certificate from the peer, but |
177 | does not require this certificate to be valid. This is useful when you |
178 | want to display peer certificate details to the user without affecting the |
179 | actual SSL handshake. This mode is the default for servers. |
180 | Note: In Schannel this value acts the same as VerifyNone. |
181 | |
182 | \value VerifyPeer QSslSocket will request a certificate from the peer |
183 | during the SSL handshake phase, and requires that this certificate is |
184 | valid. On failure, QSslSocket will emit the QSslSocket::sslErrors() |
185 | signal. This mode is the default for clients. |
186 | |
187 | \value AutoVerifyPeer QSslSocket will automatically use QueryPeer for |
188 | server sockets and VerifyPeer for client sockets. |
189 | |
190 | \sa QSslSocket::peerVerifyMode() |
191 | */ |
192 | |
193 | /*! |
194 | \fn void QSslSocket::encrypted() |
195 | |
196 | This signal is emitted when QSslSocket enters encrypted mode. After this |
197 | signal has been emitted, QSslSocket::isEncrypted() will return true, and |
198 | all further transmissions on the socket will be encrypted. |
199 | |
200 | \sa QSslSocket::connectToHostEncrypted(), QSslSocket::isEncrypted() |
201 | */ |
202 | |
203 | /*! |
204 | \fn void QSslSocket::modeChanged(QSslSocket::SslMode mode) |
205 | |
206 | This signal is emitted when QSslSocket changes from \l |
207 | QSslSocket::UnencryptedMode to either \l QSslSocket::SslClientMode or \l |
208 | QSslSocket::SslServerMode. \a mode is the new mode. |
209 | |
210 | \sa QSslSocket::mode() |
211 | */ |
212 | |
213 | /*! |
214 | \fn void QSslSocket::encryptedBytesWritten(qint64 written) |
215 | \since 4.4 |
216 | |
217 | This signal is emitted when QSslSocket writes its encrypted data to the |
218 | network. The \a written parameter contains the number of bytes that were |
219 | successfully written. |
220 | |
221 | \sa QIODevice::bytesWritten() |
222 | */ |
223 | |
224 | /*! |
225 | \fn void QSslSocket::peerVerifyError(const QSslError &error) |
226 | \since 4.4 |
227 | |
228 | QSslSocket can emit this signal several times during the SSL handshake, |
229 | before encryption has been established, to indicate that an error has |
230 | occurred while establishing the identity of the peer. The \a error is |
231 | usually an indication that QSslSocket is unable to securely identify the |
232 | peer. |
233 | |
234 | This signal provides you with an early indication when something's wrong. |
235 | By connecting to this signal, you can manually choose to tear down the |
236 | connection from inside the connected slot before the handshake has |
237 | completed. If no action is taken, QSslSocket will proceed to emitting |
238 | QSslSocket::sslErrors(). |
239 | |
240 | \sa sslErrors() |
241 | */ |
242 | |
243 | /*! |
244 | \fn void QSslSocket::sslErrors(const QList<QSslError> &errors); |
245 | |
246 | QSslSocket emits this signal after the SSL handshake to indicate that one |
247 | or more errors have occurred while establishing the identity of the |
248 | peer. The errors are usually an indication that QSslSocket is unable to |
249 | securely identify the peer. Unless any action is taken, the connection |
250 | will be dropped after this signal has been emitted. |
251 | |
252 | If you want to continue connecting despite the errors that have occurred, |
253 | you must call QSslSocket::ignoreSslErrors() from inside a slot connected to |
254 | this signal. If you need to access the error list at a later point, you |
255 | can call sslHandshakeErrors(). |
256 | |
257 | \a errors contains one or more errors that prevent QSslSocket from |
258 | verifying the identity of the peer. |
259 | |
260 | \note You cannot use Qt::QueuedConnection when connecting to this signal, |
261 | or calling QSslSocket::ignoreSslErrors() will have no effect. |
262 | |
263 | \sa peerVerifyError() |
264 | */ |
265 | |
266 | /*! |
267 | \fn void QSslSocket::preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator *authenticator) |
268 | \since 5.5 |
269 | |
270 | QSslSocket emits this signal when it negotiates a PSK ciphersuite, and |
271 | therefore a PSK authentication is then required. |
272 | |
273 | When using PSK, the client must send to the server a valid identity and a |
274 | valid pre shared key, in order for the SSL handshake to continue. |
275 | Applications can provide this information in a slot connected to this |
276 | signal, by filling in the passed \a authenticator object according to their |
277 | needs. |
278 | |
279 | \note Ignoring this signal, or failing to provide the required credentials, |
280 | will cause the handshake to fail, and therefore the connection to be aborted. |
281 | |
282 | \note The \a authenticator object is owned by the socket and must not be |
283 | deleted by the application. |
284 | |
285 | \sa QSslPreSharedKeyAuthenticator |
286 | */ |
287 | |
288 | /*! |
289 | \fn void QSslSocket::alertSent(QSsl::AlertLevel level, QSsl::AlertType type, const QString &description) |
290 | |
291 | QSslSocket emits this signal if an alert message was sent to a peer. \a level |
292 | describes if it was a warning or a fatal error. \a type gives the code |
293 | of the alert message. When a textual description of the alert message is |
294 | available, it is supplied in \a description. |
295 | |
296 | \note This signal is mostly informational and can be used for debugging |
297 | purposes, normally it does not require any actions from the application. |
298 | \note Not all backends support this functionality. |
299 | |
300 | \sa alertReceived(), QSsl::AlertLevel, QSsl::AlertType |
301 | */ |
302 | |
303 | /*! |
304 | \fn void QSslSocket::alertReceived(QSsl::AlertLevel level, QSsl::AlertType type, const QString &description) |
305 | |
306 | QSslSocket emits this signal if an alert message was received from a peer. |
307 | \a level tells if the alert was fatal or it was a warning. \a type is the |
308 | code explaining why the alert was sent. When a textual description of |
309 | the alert message is available, it is supplied in \a description. |
310 | |
311 | \note The signal is mostly for informational and debugging purposes and does not |
312 | require any handling in the application. If the alert was fatal, underlying |
313 | backend will handle it and close the connection. |
314 | \note Not all backends support this functionality. |
315 | |
316 | \sa alertSent(), QSsl::AlertLevel, QSsl::AlertType |
317 | */ |
318 | |
319 | /*! |
320 | \fn void QSslSocket::handshakeInterruptedOnError(const QSslError &error) |
321 | |
322 | QSslSocket emits this signal if a certificate verification error was |
323 | found and if early error reporting was enabled in QSslConfiguration. |
324 | An application is expected to inspect the \a error and decide if |
325 | it wants to continue the handshake, or abort it and send an alert message |
326 | to the peer. The signal-slot connection must be direct. |
327 | |
328 | \sa continueInterruptedHandshake(), sslErrors(), QSslConfiguration::setHandshakeMustInterruptOnError() |
329 | */ |
330 | |
331 | /*! |
332 | \fn void QSslSocket::newSessionTicketReceived() |
333 | \since 5.15 |
334 | |
335 | If TLS 1.3 protocol was negotiated during a handshake, QSslSocket |
336 | emits this signal after receiving NewSessionTicket message. Session |
337 | and session ticket's lifetime hint are updated in the socket's |
338 | configuration. The session can be used for session resumption (and |
339 | a shortened handshake) in future TLS connections. |
340 | |
341 | \note This functionality enabled only with OpenSSL backend and requires |
342 | OpenSSL v 1.1.1 or above. |
343 | |
344 | \sa QSslSocket::sslConfiguration(), QSslConfiguration::sessionTicket(), QSslConfiguration::sessionTicketLifeTimeHint() |
345 | */ |
346 | |
347 | #include "qssl_p.h" |
348 | #include "qsslsocket.h" |
349 | #include "qsslcipher.h" |
350 | #include "qocspresponse.h" |
351 | #include "qtlsbackend_p.h" |
352 | #include "qsslconfiguration_p.h" |
353 | #include "qsslsocket_p.h" |
354 | |
355 | #include <QtCore/qdebug.h> |
356 | #include <QtCore/qdir.h> |
357 | #include <QtCore/qmutex.h> |
358 | #include <QtCore/qurl.h> |
359 | #include <QtCore/qelapsedtimer.h> |
360 | #include <QtNetwork/qhostaddress.h> |
361 | #include <QtNetwork/qhostinfo.h> |
362 | |
363 | QT_BEGIN_NAMESPACE |
364 | |
365 | using namespace Qt::StringLiterals; |
366 | |
367 | #ifdef Q_OS_VXWORKS |
368 | constexpr auto isVxworks = true; |
369 | #else |
370 | constexpr auto isVxworks = false; |
371 | #endif |
372 | |
373 | class QSslSocketGlobalData |
374 | { |
375 | public: |
376 | QSslSocketGlobalData() |
377 | : config(new QSslConfigurationPrivate), |
378 | dtlsConfig(new QSslConfigurationPrivate) |
379 | { |
380 | #if QT_CONFIG(dtls) |
381 | dtlsConfig->protocol = QSsl::DtlsV1_2OrLater; |
382 | #endif // dtls |
383 | } |
384 | |
385 | QMutex mutex; |
386 | QList<QSslCipher> supportedCiphers; |
387 | QList<QSslEllipticCurve> supportedEllipticCurves; |
388 | QExplicitlySharedDataPointer<QSslConfigurationPrivate> config; |
389 | QExplicitlySharedDataPointer<QSslConfigurationPrivate> dtlsConfig; |
390 | }; |
391 | Q_GLOBAL_STATIC(QSslSocketGlobalData, globalData) |
392 | |
393 | /*! |
394 | Constructs a QSslSocket object. \a parent is passed to QObject's |
395 | constructor. The new socket's \l {QSslCipher} {cipher} suite is |
396 | set to the one returned by the static method defaultCiphers(). |
397 | */ |
398 | QSslSocket::QSslSocket(QObject *parent) |
399 | : QTcpSocket(*new QSslSocketPrivate, parent) |
400 | { |
401 | Q_D(QSslSocket); |
402 | #ifdef QSSLSOCKET_DEBUG |
403 | qCDebug(lcSsl) << "QSslSocket::QSslSocket("<< parent << "), this ="<< (void *)this; |
404 | #endif |
405 | d->q_ptr = this; |
406 | d->init(); |
407 | } |
408 | |
409 | /*! |
410 | Destroys the QSslSocket. |
411 | */ |
412 | QSslSocket::~QSslSocket() |
413 | { |
414 | Q_D(QSslSocket); |
415 | #ifdef QSSLSOCKET_DEBUG |
416 | qCDebug(lcSsl) << "QSslSocket::~QSslSocket(), this ="<< (void *)this; |
417 | #endif |
418 | delete d->plainSocket; |
419 | d->plainSocket = nullptr; |
420 | } |
421 | |
422 | /*! |
423 | \reimp |
424 | |
425 | \since 5.0 |
426 | |
427 | Continues data transfer on the socket after it has been paused. If |
428 | "setPauseMode(QAbstractSocket::PauseOnSslErrors);" has been called on |
429 | this socket and a sslErrors() signal is received, calling this method |
430 | is necessary for the socket to continue. |
431 | |
432 | \sa QAbstractSocket::pauseMode(), QAbstractSocket::setPauseMode() |
433 | */ |
434 | void QSslSocket::resume() |
435 | { |
436 | Q_D(QSslSocket); |
437 | if (!d->paused) |
438 | return; |
439 | // continuing might emit signals, rather do this through the event loop |
440 | QMetaObject::invokeMethod(obj: this, member: "_q_resumeImplementation", c: Qt::QueuedConnection); |
441 | } |
442 | |
443 | /*! |
444 | Starts an encrypted connection to the device \a hostName on \a |
445 | port, using \a mode as the \l OpenMode. This is equivalent to |
446 | calling connectToHost() to establish the connection, followed by a |
447 | call to startClientEncryption(). The \a protocol parameter can be |
448 | used to specify which network protocol to use (eg. IPv4 or IPv6). |
449 | |
450 | QSslSocket first enters the HostLookupState. Then, after entering |
451 | either the event loop or one of the waitFor...() functions, it |
452 | enters the ConnectingState, emits connected(), and then initiates |
453 | the SSL client handshake. At each state change, QSslSocket emits |
454 | signal stateChanged(). |
455 | |
456 | After initiating the SSL client handshake, if the identity of the |
457 | peer can't be established, signal sslErrors() is emitted. If you |
458 | want to ignore the errors and continue connecting, you must call |
459 | ignoreSslErrors(), either from inside a slot function connected to |
460 | the sslErrors() signal, or prior to entering encrypted mode. If |
461 | ignoreSslErrors() is not called, the connection is dropped, signal |
462 | disconnected() is emitted, and QSslSocket returns to the |
463 | UnconnectedState. |
464 | |
465 | If the SSL handshake is successful, QSslSocket emits encrypted(). |
466 | |
467 | \snippet code/src_network_ssl_qsslsocket.cpp 3 |
468 | |
469 | \note The example above shows that text can be written to |
470 | the socket immediately after requesting the encrypted connection, |
471 | before the encrypted() signal has been emitted. In such cases, the |
472 | text is queued in the object and written to the socket \e after |
473 | the connection is established and the encrypted() signal has been |
474 | emitted. |
475 | |
476 | The default for \a mode is \l ReadWrite. |
477 | |
478 | If you want to create a QSslSocket on the server side of a connection, you |
479 | should instead call startServerEncryption() upon receiving the incoming |
480 | connection through QTcpServer. |
481 | |
482 | \sa connectToHost(), startClientEncryption(), waitForConnected(), waitForEncrypted() |
483 | */ |
484 | void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, OpenMode mode, NetworkLayerProtocol protocol) |
485 | { |
486 | Q_D(QSslSocket); |
487 | if (d->state == ConnectedState || d->state == ConnectingState) { |
488 | qCWarning(lcSsl, |
489 | "QSslSocket::connectToHostEncrypted() called when already connecting/connected"); |
490 | return; |
491 | } |
492 | |
493 | if (!supportsSsl()) { |
494 | qCWarning(lcSsl, "QSslSocket::connectToHostEncrypted: TLS initialization failed"); |
495 | d->setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError, errorString: tr(s: "TLS initialization failed")); |
496 | return; |
497 | } |
498 | |
499 | if (!d->verifyProtocolSupported(where: "QSslSocket::connectToHostEncrypted:")) |
500 | return; |
501 | |
502 | d->init(); |
503 | d->autoStartHandshake = true; |
504 | d->initialized = true; |
505 | |
506 | // Note: When connecting to localhost, some platforms (e.g., HP-UX and some BSDs) |
507 | // establish the connection immediately (i.e., first attempt). |
508 | connectToHost(hostName, port, openMode: mode, protocol); |
509 | } |
510 | |
511 | /*! |
512 | \since 4.6 |
513 | \overload |
514 | |
515 | In addition to the original behaviour of connectToHostEncrypted, |
516 | this overloaded method enables the usage of a different hostname |
517 | (\a sslPeerName) for the certificate validation instead of |
518 | the one used for the TCP connection (\a hostName). |
519 | |
520 | \sa connectToHostEncrypted() |
521 | */ |
522 | void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, |
523 | const QString &sslPeerName, OpenMode mode, |
524 | NetworkLayerProtocol protocol) |
525 | { |
526 | Q_D(QSslSocket); |
527 | if (d->state == ConnectedState || d->state == ConnectingState) { |
528 | qCWarning(lcSsl, |
529 | "QSslSocket::connectToHostEncrypted() called when already connecting/connected"); |
530 | return; |
531 | } |
532 | |
533 | if (!supportsSsl()) { |
534 | qCWarning(lcSsl, "QSslSocket::connectToHostEncrypted: TLS initialization failed"); |
535 | d->setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError, errorString: tr(s: "TLS initialization failed")); |
536 | return; |
537 | } |
538 | |
539 | d->init(); |
540 | d->autoStartHandshake = true; |
541 | d->initialized = true; |
542 | d->verificationPeerName = sslPeerName; |
543 | |
544 | // Note: When connecting to localhost, some platforms (e.g., HP-UX and some BSDs) |
545 | // establish the connection immediately (i.e., first attempt). |
546 | connectToHost(hostName, port, openMode: mode, protocol); |
547 | } |
548 | |
549 | /*! |
550 | Initializes QSslSocket with the native socket descriptor \a |
551 | socketDescriptor. Returns \c true if \a socketDescriptor is accepted |
552 | as a valid socket descriptor; otherwise returns \c false. |
553 | The socket is opened in the mode specified by \a openMode, and |
554 | enters the socket state specified by \a state. |
555 | |
556 | \note It is not possible to initialize two sockets with the same |
557 | native socket descriptor. |
558 | |
559 | \sa socketDescriptor() |
560 | */ |
561 | bool QSslSocket::setSocketDescriptor(qintptr socketDescriptor, SocketState state, OpenMode openMode) |
562 | { |
563 | Q_D(QSslSocket); |
564 | #ifdef QSSLSOCKET_DEBUG |
565 | qCDebug(lcSsl) << "QSslSocket::setSocketDescriptor("<< socketDescriptor << ',' |
566 | << state << ',' << openMode << ')'; |
567 | #endif |
568 | if (!d->plainSocket) |
569 | d->createPlainSocket(openMode); |
570 | bool retVal = d->plainSocket->setSocketDescriptor(socketDescriptor, state, openMode); |
571 | d->cachedSocketDescriptor = d->plainSocket->socketDescriptor(); |
572 | d->setError(errorCode: d->plainSocket->error(), errorString: d->plainSocket->errorString()); |
573 | setSocketState(state); |
574 | setOpenMode(openMode); |
575 | setLocalPort(d->plainSocket->localPort()); |
576 | setLocalAddress(d->plainSocket->localAddress()); |
577 | setPeerPort(d->plainSocket->peerPort()); |
578 | setPeerAddress(d->plainSocket->peerAddress()); |
579 | setPeerName(d->plainSocket->peerName()); |
580 | d->readChannelCount = d->plainSocket->readChannelCount(); |
581 | d->writeChannelCount = d->plainSocket->writeChannelCount(); |
582 | return retVal; |
583 | } |
584 | |
585 | /*! |
586 | \since 4.6 |
587 | Sets the given \a option to the value described by \a value. |
588 | |
589 | \sa socketOption() |
590 | */ |
591 | void QSslSocket::setSocketOption(QAbstractSocket::SocketOption option, const QVariant &value) |
592 | { |
593 | Q_D(QSslSocket); |
594 | if (d->plainSocket) |
595 | d->plainSocket->setSocketOption(option, value); |
596 | } |
597 | |
598 | /*! |
599 | \since 4.6 |
600 | Returns the value of the \a option option. |
601 | |
602 | \sa setSocketOption() |
603 | */ |
604 | QVariant QSslSocket::socketOption(QAbstractSocket::SocketOption option) |
605 | { |
606 | Q_D(QSslSocket); |
607 | if (d->plainSocket) |
608 | return d->plainSocket->socketOption(option); |
609 | else |
610 | return QVariant(); |
611 | } |
612 | |
613 | /*! |
614 | Returns the current mode for the socket; either UnencryptedMode, where |
615 | QSslSocket behaves identially to QTcpSocket, or one of SslClientMode or |
616 | SslServerMode, where the client is either negotiating or in encrypted |
617 | mode. |
618 | |
619 | When the mode changes, QSslSocket emits modeChanged() |
620 | |
621 | \sa SslMode |
622 | */ |
623 | QSslSocket::SslMode QSslSocket::mode() const |
624 | { |
625 | Q_D(const QSslSocket); |
626 | return d->mode; |
627 | } |
628 | |
629 | /*! |
630 | Returns \c true if the socket is encrypted; otherwise, false is returned. |
631 | |
632 | An encrypted socket encrypts all data that is written by calling write() |
633 | or putChar() before the data is written to the network, and decrypts all |
634 | incoming data as the data is received from the network, before you call |
635 | read(), readLine() or getChar(). |
636 | |
637 | QSslSocket emits encrypted() when it enters encrypted mode. |
638 | |
639 | You can call sessionCipher() to find which cryptographic cipher is used to |
640 | encrypt and decrypt your data. |
641 | |
642 | \sa mode() |
643 | */ |
644 | bool QSslSocket::isEncrypted() const |
645 | { |
646 | Q_D(const QSslSocket); |
647 | return d->connectionEncrypted; |
648 | } |
649 | |
650 | /*! |
651 | Returns the socket's SSL protocol. By default, \l QSsl::SecureProtocols is used. |
652 | |
653 | \sa setProtocol() |
654 | */ |
655 | QSsl::SslProtocol QSslSocket::protocol() const |
656 | { |
657 | Q_D(const QSslSocket); |
658 | return d->configuration.protocol; |
659 | } |
660 | |
661 | /*! |
662 | Sets the socket's SSL protocol to \a protocol. This will affect the next |
663 | initiated handshake; calling this function on an already-encrypted socket |
664 | will not affect the socket's protocol. |
665 | */ |
666 | void QSslSocket::setProtocol(QSsl::SslProtocol protocol) |
667 | { |
668 | Q_D(QSslSocket); |
669 | d->configuration.protocol = protocol; |
670 | } |
671 | |
672 | /*! |
673 | \since 4.4 |
674 | |
675 | Returns the socket's verify mode. This mode decides whether |
676 | QSslSocket should request a certificate from the peer (i.e., the client |
677 | requests a certificate from the server, or a server requesting a |
678 | certificate from the client), and whether it should require that this |
679 | certificate is valid. |
680 | |
681 | The default mode is AutoVerifyPeer, which tells QSslSocket to use |
682 | VerifyPeer for clients and QueryPeer for servers. |
683 | |
684 | \sa setPeerVerifyMode(), peerVerifyDepth(), mode() |
685 | */ |
686 | QSslSocket::PeerVerifyMode QSslSocket::peerVerifyMode() const |
687 | { |
688 | Q_D(const QSslSocket); |
689 | return d->configuration.peerVerifyMode; |
690 | } |
691 | |
692 | /*! |
693 | \since 4.4 |
694 | |
695 | Sets the socket's verify mode to \a mode. This mode decides whether |
696 | QSslSocket should request a certificate from the peer (i.e., the client |
697 | requests a certificate from the server, or a server requesting a |
698 | certificate from the client), and whether it should require that this |
699 | certificate is valid. |
700 | |
701 | The default mode is AutoVerifyPeer, which tells QSslSocket to use |
702 | VerifyPeer for clients and QueryPeer for servers. |
703 | |
704 | Setting this mode after encryption has started has no effect on the |
705 | current connection. |
706 | |
707 | \sa peerVerifyMode(), setPeerVerifyDepth(), mode() |
708 | */ |
709 | void QSslSocket::setPeerVerifyMode(QSslSocket::PeerVerifyMode mode) |
710 | { |
711 | Q_D(QSslSocket); |
712 | d->configuration.peerVerifyMode = mode; |
713 | } |
714 | |
715 | /*! |
716 | \since 4.4 |
717 | |
718 | Returns the maximum number of certificates in the peer's certificate chain |
719 | to be checked during the SSL handshake phase, or 0 (the default) if no |
720 | maximum depth has been set, indicating that the whole certificate chain |
721 | should be checked. |
722 | |
723 | The certificates are checked in issuing order, starting with the peer's |
724 | own certificate, then its issuer's certificate, and so on. |
725 | |
726 | \sa setPeerVerifyDepth(), peerVerifyMode() |
727 | */ |
728 | int QSslSocket::peerVerifyDepth() const |
729 | { |
730 | Q_D(const QSslSocket); |
731 | return d->configuration.peerVerifyDepth; |
732 | } |
733 | |
734 | /*! |
735 | \since 4.4 |
736 | |
737 | Sets the maximum number of certificates in the peer's certificate chain to |
738 | be checked during the SSL handshake phase, to \a depth. Setting a depth of |
739 | 0 means that no maximum depth is set, indicating that the whole |
740 | certificate chain should be checked. |
741 | |
742 | The certificates are checked in issuing order, starting with the peer's |
743 | own certificate, then its issuer's certificate, and so on. |
744 | |
745 | \sa peerVerifyDepth(), setPeerVerifyMode() |
746 | */ |
747 | void QSslSocket::setPeerVerifyDepth(int depth) |
748 | { |
749 | Q_D(QSslSocket); |
750 | if (depth < 0) { |
751 | qCWarning(lcSsl, "QSslSocket::setPeerVerifyDepth: cannot set negative depth of %d", depth); |
752 | return; |
753 | } |
754 | d->configuration.peerVerifyDepth = depth; |
755 | } |
756 | |
757 | /*! |
758 | \since 4.8 |
759 | |
760 | Returns the different hostname for the certificate validation, as set by |
761 | setPeerVerifyName or by connectToHostEncrypted. |
762 | |
763 | \sa setPeerVerifyName(), connectToHostEncrypted() |
764 | */ |
765 | QString QSslSocket::peerVerifyName() const |
766 | { |
767 | Q_D(const QSslSocket); |
768 | return d->verificationPeerName; |
769 | } |
770 | |
771 | /*! |
772 | \since 4.8 |
773 | |
774 | Sets a different host name, given by \a hostName, for the certificate |
775 | validation instead of the one used for the TCP connection. |
776 | |
777 | \sa connectToHostEncrypted() |
778 | */ |
779 | void QSslSocket::setPeerVerifyName(const QString &hostName) |
780 | { |
781 | Q_D(QSslSocket); |
782 | d->verificationPeerName = hostName; |
783 | } |
784 | |
785 | /*! |
786 | \reimp |
787 | |
788 | Returns the number of decrypted bytes that are immediately available for |
789 | reading. |
790 | */ |
791 | qint64 QSslSocket::bytesAvailable() const |
792 | { |
793 | Q_D(const QSslSocket); |
794 | if (d->mode == UnencryptedMode) |
795 | return QAbstractSocket::bytesAvailable() + (d->plainSocket ? d->plainSocket->bytesAvailable() : 0); |
796 | return QAbstractSocket::bytesAvailable(); |
797 | } |
798 | |
799 | /*! |
800 | \reimp |
801 | |
802 | Returns the number of unencrypted bytes that are waiting to be encrypted |
803 | and written to the network. |
804 | */ |
805 | qint64 QSslSocket::bytesToWrite() const |
806 | { |
807 | Q_D(const QSslSocket); |
808 | if (d->mode == UnencryptedMode) |
809 | return d->plainSocket ? d->plainSocket->bytesToWrite() : 0; |
810 | return d->writeBuffer.size(); |
811 | } |
812 | |
813 | /*! |
814 | \since 4.4 |
815 | |
816 | Returns the number of encrypted bytes that are awaiting decryption. |
817 | Normally, this function will return 0 because QSslSocket decrypts its |
818 | incoming data as soon as it can. |
819 | */ |
820 | qint64 QSslSocket::encryptedBytesAvailable() const |
821 | { |
822 | Q_D(const QSslSocket); |
823 | if (d->mode == UnencryptedMode) |
824 | return 0; |
825 | return d->plainSocket->bytesAvailable(); |
826 | } |
827 | |
828 | /*! |
829 | \since 4.4 |
830 | |
831 | Returns the number of encrypted bytes that are waiting to be written to |
832 | the network. |
833 | */ |
834 | qint64 QSslSocket::encryptedBytesToWrite() const |
835 | { |
836 | Q_D(const QSslSocket); |
837 | if (d->mode == UnencryptedMode) |
838 | return 0; |
839 | return d->plainSocket->bytesToWrite(); |
840 | } |
841 | |
842 | /*! |
843 | \reimp |
844 | |
845 | Returns \c true if you can read one while line (terminated by a single ASCII |
846 | '\\n' character) of decrypted characters; otherwise, false is returned. |
847 | */ |
848 | bool QSslSocket::canReadLine() const |
849 | { |
850 | Q_D(const QSslSocket); |
851 | if (d->mode == UnencryptedMode) |
852 | return QAbstractSocket::canReadLine() || (d->plainSocket && d->plainSocket->canReadLine()); |
853 | return QAbstractSocket::canReadLine(); |
854 | } |
855 | |
856 | /*! |
857 | \reimp |
858 | */ |
859 | void QSslSocket::close() |
860 | { |
861 | #ifdef QSSLSOCKET_DEBUG |
862 | qCDebug(lcSsl) << "QSslSocket::close()"; |
863 | #endif |
864 | Q_D(QSslSocket); |
865 | |
866 | // On Windows, CertGetCertificateChain is probably still doing its |
867 | // job, if the socket is re-used, we want to ignore its reported |
868 | // root CA. |
869 | if (auto *backend = d->backend.get()) |
870 | backend->cancelCAFetch(); |
871 | |
872 | if (!d->abortCalled && (encryptedBytesToWrite() || !d->writeBuffer.isEmpty())) |
873 | flush(); |
874 | if (d->plainSocket) { |
875 | if (d->abortCalled) |
876 | d->plainSocket->abort(); |
877 | else |
878 | d->plainSocket->close(); |
879 | } |
880 | QTcpSocket::close(); |
881 | |
882 | // must be cleared, reading/writing not possible on closed socket: |
883 | d->buffer.clear(); |
884 | d->writeBuffer.clear(); |
885 | } |
886 | |
887 | /*! |
888 | \reimp |
889 | */ |
890 | bool QSslSocket::atEnd() const |
891 | { |
892 | Q_D(const QSslSocket); |
893 | if (d->mode == UnencryptedMode) |
894 | return QAbstractSocket::atEnd() && (!d->plainSocket || d->plainSocket->atEnd()); |
895 | return QAbstractSocket::atEnd(); |
896 | } |
897 | |
898 | /*! |
899 | \since 4.4 |
900 | |
901 | Sets the size of QSslSocket's internal read buffer to be \a size bytes. |
902 | */ |
903 | void QSslSocket::setReadBufferSize(qint64 size) |
904 | { |
905 | Q_D(QSslSocket); |
906 | d->readBufferMaxSize = size; |
907 | |
908 | if (d->plainSocket) |
909 | d->plainSocket->setReadBufferSize(size); |
910 | } |
911 | |
912 | /*! |
913 | \since 4.4 |
914 | |
915 | Returns the socket's SSL configuration state. The default SSL |
916 | configuration of a socket is to use the default ciphers, |
917 | default CA certificates, no local private key or certificate. |
918 | |
919 | The SSL configuration also contains fields that can change with |
920 | time without notice. |
921 | |
922 | \sa localCertificate(), peerCertificate(), peerCertificateChain(), |
923 | sessionCipher(), privateKey(), QSslConfiguration::ciphers(), |
924 | QSslConfiguration::caCertificates() |
925 | */ |
926 | QSslConfiguration QSslSocket::sslConfiguration() const |
927 | { |
928 | Q_D(const QSslSocket); |
929 | |
930 | // create a deep copy of our configuration |
931 | QSslConfigurationPrivate *copy = new QSslConfigurationPrivate(d->configuration); |
932 | copy->ref.storeRelaxed(newValue: 0); // the QSslConfiguration constructor refs up |
933 | copy->sessionCipher = d->sessionCipher(); |
934 | copy->sessionProtocol = d->sessionProtocol(); |
935 | |
936 | return QSslConfiguration(copy); |
937 | } |
938 | |
939 | /*! |
940 | \since 4.4 |
941 | |
942 | Sets the socket's SSL configuration to be the contents of \a configuration. |
943 | This function sets the local certificate, the ciphers, the private key and the CA |
944 | certificates to those stored in \a configuration. |
945 | |
946 | It is not possible to set the SSL-state related fields. |
947 | |
948 | \sa setLocalCertificate(), setPrivateKey(), QSslConfiguration::setCaCertificates(), |
949 | QSslConfiguration::setCiphers() |
950 | */ |
951 | void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration) |
952 | { |
953 | Q_D(QSslSocket); |
954 | d->configuration.localCertificateChain = configuration.localCertificateChain(); |
955 | d->configuration.privateKey = configuration.privateKey(); |
956 | d->configuration.ciphers = configuration.ciphers(); |
957 | d->configuration.ellipticCurves = configuration.ellipticCurves(); |
958 | d->configuration.preSharedKeyIdentityHint = configuration.preSharedKeyIdentityHint(); |
959 | d->configuration.dhParams = configuration.diffieHellmanParameters(); |
960 | d->configuration.caCertificates = configuration.caCertificates(); |
961 | d->configuration.peerVerifyDepth = configuration.peerVerifyDepth(); |
962 | d->configuration.peerVerifyMode = configuration.peerVerifyMode(); |
963 | d->configuration.protocol = configuration.protocol(); |
964 | d->configuration.backendConfig = configuration.backendConfiguration(); |
965 | d->configuration.sslOptions = configuration.d->sslOptions; |
966 | d->configuration.sslSession = configuration.sessionTicket(); |
967 | d->configuration.sslSessionTicketLifeTimeHint = configuration.sessionTicketLifeTimeHint(); |
968 | d->configuration.nextAllowedProtocols = configuration.allowedNextProtocols(); |
969 | d->configuration.nextNegotiatedProtocol = configuration.nextNegotiatedProtocol(); |
970 | d->configuration.nextProtocolNegotiationStatus = configuration.nextProtocolNegotiationStatus(); |
971 | #if QT_CONFIG(ocsp) |
972 | d->configuration.ocspStaplingEnabled = configuration.ocspStaplingEnabled(); |
973 | #endif |
974 | #if QT_CONFIG(openssl) |
975 | d->configuration.reportFromCallback = configuration.handshakeMustInterruptOnError(); |
976 | d->configuration.missingCertIsFatal = configuration.missingCertificateIsFatal(); |
977 | #endif // openssl |
978 | // if the CA certificates were set explicitly (either via |
979 | // QSslConfiguration::setCaCertificates() or QSslSocket::setCaCertificates(), |
980 | // we cannot load the certificates on demand |
981 | if (!configuration.d->allowRootCertOnDemandLoading) { |
982 | d->allowRootCertOnDemandLoading = false; |
983 | d->configuration.allowRootCertOnDemandLoading = false; |
984 | } |
985 | } |
986 | |
987 | /*! |
988 | Sets the certificate chain to be presented to the peer during the |
989 | SSL handshake to be \a localChain. |
990 | |
991 | \sa QSslConfiguration::setLocalCertificateChain() |
992 | \since 5.1 |
993 | */ |
994 | void QSslSocket::setLocalCertificateChain(const QList<QSslCertificate> &localChain) |
995 | { |
996 | Q_D(QSslSocket); |
997 | d->configuration.localCertificateChain = localChain; |
998 | } |
999 | |
1000 | /*! |
1001 | Returns the socket's local \l {QSslCertificate} {certificate} chain, |
1002 | or an empty list if no local certificates have been assigned. |
1003 | |
1004 | \sa setLocalCertificateChain() |
1005 | \since 5.1 |
1006 | */ |
1007 | QList<QSslCertificate> QSslSocket::localCertificateChain() const |
1008 | { |
1009 | Q_D(const QSslSocket); |
1010 | return d->configuration.localCertificateChain; |
1011 | } |
1012 | |
1013 | /*! |
1014 | Sets the socket's local certificate to \a certificate. The local |
1015 | certificate is necessary if you need to confirm your identity to the |
1016 | peer. It is used together with the private key; if you set the local |
1017 | certificate, you must also set the private key. |
1018 | |
1019 | The local certificate and private key are always necessary for server |
1020 | sockets, but are also rarely used by client sockets if the server requires |
1021 | the client to authenticate. |
1022 | |
1023 | \note Secure Transport SSL backend on macOS may update the default keychain |
1024 | (the default is probably your login keychain) by importing your local certificates |
1025 | and keys. This can also result in system dialogs showing up and asking for |
1026 | permission when your application is using these private keys. If such behavior |
1027 | is undesired, set the QT_SSL_USE_TEMPORARY_KEYCHAIN environment variable to a |
1028 | non-zero value; this will prompt QSslSocket to use its own temporary keychain. |
1029 | |
1030 | \sa localCertificate(), setPrivateKey() |
1031 | */ |
1032 | void QSslSocket::setLocalCertificate(const QSslCertificate &certificate) |
1033 | { |
1034 | Q_D(QSslSocket); |
1035 | d->configuration.localCertificateChain = QList<QSslCertificate>(); |
1036 | d->configuration.localCertificateChain += certificate; |
1037 | } |
1038 | |
1039 | /*! |
1040 | \overload |
1041 | |
1042 | Sets the socket's local \l {QSslCertificate} {certificate} to the |
1043 | first one found in file \a path, which is parsed according to the |
1044 | specified \a format. |
1045 | */ |
1046 | void QSslSocket::setLocalCertificate(const QString &path, |
1047 | QSsl::EncodingFormat format) |
1048 | { |
1049 | QFile file(path); |
1050 | if (file.open(flags: QIODevice::ReadOnly | QIODevice::Text)) |
1051 | setLocalCertificate(QSslCertificate(file.readAll(), format)); |
1052 | |
1053 | } |
1054 | |
1055 | /*! |
1056 | Returns the socket's local \l {QSslCertificate} {certificate}, or |
1057 | an empty certificate if no local certificate has been assigned. |
1058 | |
1059 | \sa setLocalCertificate(), privateKey() |
1060 | */ |
1061 | QSslCertificate QSslSocket::localCertificate() const |
1062 | { |
1063 | Q_D(const QSslSocket); |
1064 | if (d->configuration.localCertificateChain.isEmpty()) |
1065 | return QSslCertificate(); |
1066 | return d->configuration.localCertificateChain[0]; |
1067 | } |
1068 | |
1069 | /*! |
1070 | Returns the peer's digital certificate (i.e., the immediate |
1071 | certificate of the host you are connected to), or a null |
1072 | certificate, if the peer has not assigned a certificate. |
1073 | |
1074 | The peer certificate is checked automatically during the |
1075 | handshake phase, so this function is normally used to fetch |
1076 | the certificate for display or for connection diagnostic |
1077 | purposes. It contains information about the peer, including |
1078 | its host name, the certificate issuer, and the peer's public |
1079 | key. |
1080 | |
1081 | Because the peer certificate is set during the handshake phase, it |
1082 | is safe to access the peer certificate from a slot connected to |
1083 | the sslErrors() signal or the encrypted() signal. |
1084 | |
1085 | If a null certificate is returned, it can mean the SSL handshake |
1086 | failed, or it can mean the host you are connected to doesn't have |
1087 | a certificate, or it can mean there is no connection. |
1088 | |
1089 | If you want to check the peer's complete chain of certificates, |
1090 | use peerCertificateChain() to get them all at once. |
1091 | |
1092 | \sa peerCertificateChain() |
1093 | */ |
1094 | QSslCertificate QSslSocket::peerCertificate() const |
1095 | { |
1096 | Q_D(const QSslSocket); |
1097 | return d->configuration.peerCertificate; |
1098 | } |
1099 | |
1100 | /*! |
1101 | Returns the peer's chain of digital certificates, or an empty list |
1102 | of certificates. |
1103 | |
1104 | Peer certificates are checked automatically during the handshake |
1105 | phase. This function is normally used to fetch certificates for |
1106 | display, or for performing connection diagnostics. Certificates |
1107 | contain information about the peer and the certificate issuers, |
1108 | including host name, issuer names, and issuer public keys. |
1109 | |
1110 | The peer certificates are set in QSslSocket during the handshake |
1111 | phase, so it is safe to call this function from a slot connected |
1112 | to the sslErrors() signal or the encrypted() signal. |
1113 | |
1114 | If an empty list is returned, it can mean the SSL handshake |
1115 | failed, or it can mean the host you are connected to doesn't have |
1116 | a certificate, or it can mean there is no connection. |
1117 | |
1118 | If you want to get only the peer's immediate certificate, use |
1119 | peerCertificate(). |
1120 | |
1121 | \sa peerCertificate() |
1122 | */ |
1123 | QList<QSslCertificate> QSslSocket::peerCertificateChain() const |
1124 | { |
1125 | Q_D(const QSslSocket); |
1126 | return d->configuration.peerCertificateChain; |
1127 | } |
1128 | |
1129 | /*! |
1130 | Returns the socket's cryptographic \l {QSslCipher} {cipher}, or a |
1131 | null cipher if the connection isn't encrypted. The socket's cipher |
1132 | for the session is set during the handshake phase. The cipher is |
1133 | used to encrypt and decrypt data transmitted through the socket. |
1134 | |
1135 | QSslSocket also provides functions for setting the ordered list of |
1136 | ciphers from which the handshake phase will eventually select the |
1137 | session cipher. This ordered list must be in place before the |
1138 | handshake phase begins. |
1139 | |
1140 | \sa QSslConfiguration::ciphers(), QSslConfiguration::setCiphers(), |
1141 | QSslConfiguration::setCiphers(), |
1142 | QSslConfiguration::ciphers(), |
1143 | QSslConfiguration::supportedCiphers() |
1144 | */ |
1145 | QSslCipher QSslSocket::sessionCipher() const |
1146 | { |
1147 | Q_D(const QSslSocket); |
1148 | return d->sessionCipher(); |
1149 | } |
1150 | |
1151 | /*! |
1152 | Returns the socket's SSL/TLS protocol or UnknownProtocol if the |
1153 | connection isn't encrypted. The socket's protocol for the session |
1154 | is set during the handshake phase. |
1155 | |
1156 | \sa protocol(), setProtocol() |
1157 | \since 5.4 |
1158 | */ |
1159 | QSsl::SslProtocol QSslSocket::sessionProtocol() const |
1160 | { |
1161 | Q_D(const QSslSocket); |
1162 | return d->sessionProtocol(); |
1163 | } |
1164 | |
1165 | /*! |
1166 | \since 5.13 |
1167 | |
1168 | This function returns Online Certificate Status Protocol responses that |
1169 | a server may send during a TLS handshake using OCSP stapling. The list |
1170 | is empty if no definitive response or no response at all was received. |
1171 | |
1172 | \sa QSslConfiguration::setOcspStaplingEnabled() |
1173 | */ |
1174 | QList<QOcspResponse> QSslSocket::ocspResponses() const |
1175 | { |
1176 | Q_D(const QSslSocket); |
1177 | if (const auto *backend = d->backend.get()) |
1178 | return backend->ocsps(); |
1179 | return {}; |
1180 | } |
1181 | |
1182 | /*! |
1183 | Sets the socket's private \l {QSslKey} {key} to \a key. The |
1184 | private key and the local \l {QSslCertificate} {certificate} are |
1185 | used by clients and servers that must prove their identity to |
1186 | SSL peers. |
1187 | |
1188 | Both the key and the local certificate are required if you are |
1189 | creating an SSL server socket. If you are creating an SSL client |
1190 | socket, the key and local certificate are required if your client |
1191 | must identify itself to an SSL server. |
1192 | |
1193 | \sa privateKey(), setLocalCertificate() |
1194 | */ |
1195 | void QSslSocket::setPrivateKey(const QSslKey &key) |
1196 | { |
1197 | Q_D(QSslSocket); |
1198 | d->configuration.privateKey = key; |
1199 | } |
1200 | |
1201 | /*! |
1202 | \overload |
1203 | |
1204 | Reads the string in file \a fileName and decodes it using |
1205 | a specified \a algorithm and encoding \a format to construct |
1206 | an \l {QSslKey} {SSL key}. If the encoded key is encrypted, |
1207 | \a passPhrase is used to decrypt it. |
1208 | |
1209 | The socket's private key is set to the constructed key. The |
1210 | private key and the local \l {QSslCertificate} {certificate} are |
1211 | used by clients and servers that must prove their identity to SSL |
1212 | peers. |
1213 | |
1214 | Both the key and the local certificate are required if you are |
1215 | creating an SSL server socket. If you are creating an SSL client |
1216 | socket, the key and local certificate are required if your client |
1217 | must identify itself to an SSL server. |
1218 | |
1219 | \sa privateKey(), setLocalCertificate() |
1220 | */ |
1221 | void QSslSocket::setPrivateKey(const QString &fileName, QSsl::KeyAlgorithm algorithm, |
1222 | QSsl::EncodingFormat format, const QByteArray &passPhrase) |
1223 | { |
1224 | QFile file(fileName); |
1225 | if (!file.open(flags: QIODevice::ReadOnly)) { |
1226 | qCWarning(lcSsl, "QSslSocket::setPrivateKey: Couldn't open file for reading"); |
1227 | return; |
1228 | } |
1229 | |
1230 | QSslKey key(file.readAll(), algorithm, format, QSsl::PrivateKey, passPhrase); |
1231 | if (key.isNull()) { |
1232 | qCWarning(lcSsl, "QSslSocket::setPrivateKey: " |
1233 | "The specified file does not contain a valid key"); |
1234 | return; |
1235 | } |
1236 | |
1237 | Q_D(QSslSocket); |
1238 | d->configuration.privateKey = key; |
1239 | } |
1240 | |
1241 | /*! |
1242 | Returns this socket's private key. |
1243 | |
1244 | \sa setPrivateKey(), localCertificate() |
1245 | */ |
1246 | QSslKey QSslSocket::privateKey() const |
1247 | { |
1248 | Q_D(const QSslSocket); |
1249 | return d->configuration.privateKey; |
1250 | } |
1251 | |
1252 | /*! |
1253 | Waits until the socket is connected, or \a msecs milliseconds, |
1254 | whichever happens first. If the connection has been established, |
1255 | this function returns \c true; otherwise it returns \c false. |
1256 | |
1257 | \sa QAbstractSocket::waitForConnected() |
1258 | */ |
1259 | bool QSslSocket::waitForConnected(int msecs) |
1260 | { |
1261 | Q_D(QSslSocket); |
1262 | if (!d->plainSocket) |
1263 | return false; |
1264 | bool retVal = d->plainSocket->waitForConnected(msecs); |
1265 | if (!retVal) { |
1266 | setSocketState(d->plainSocket->state()); |
1267 | d->setError(errorCode: d->plainSocket->error(), errorString: d->plainSocket->errorString()); |
1268 | } |
1269 | return retVal; |
1270 | } |
1271 | |
1272 | /*! |
1273 | Waits until the socket has completed the SSL handshake and has |
1274 | emitted encrypted(), or \a msecs milliseconds, whichever comes |
1275 | first. If encrypted() has been emitted, this function returns |
1276 | true; otherwise (e.g., the socket is disconnected, or the SSL |
1277 | handshake fails), false is returned. |
1278 | |
1279 | The following example waits up to one second for the socket to be |
1280 | encrypted: |
1281 | |
1282 | \snippet code/src_network_ssl_qsslsocket.cpp 5 |
1283 | |
1284 | If msecs is -1, this function will not time out. |
1285 | |
1286 | \sa startClientEncryption(), startServerEncryption(), encrypted(), isEncrypted() |
1287 | */ |
1288 | bool QSslSocket::waitForEncrypted(int msecs) |
1289 | { |
1290 | Q_D(QSslSocket); |
1291 | if (!d->plainSocket || d->connectionEncrypted) |
1292 | return false; |
1293 | if (d->mode == UnencryptedMode && !d->autoStartHandshake) |
1294 | return false; |
1295 | if (!d->verifyProtocolSupported(where: "QSslSocket::waitForEncrypted:")) |
1296 | return false; |
1297 | |
1298 | QElapsedTimer stopWatch; |
1299 | stopWatch.start(); |
1300 | |
1301 | if (d->plainSocket->state() != QAbstractSocket::ConnectedState) { |
1302 | // Wait until we've entered connected state. |
1303 | if (!d->plainSocket->waitForConnected(msecs)) |
1304 | return false; |
1305 | } |
1306 | |
1307 | while (!d->connectionEncrypted) { |
1308 | // Start the handshake, if this hasn't been started yet. |
1309 | if (d->mode == UnencryptedMode) |
1310 | startClientEncryption(); |
1311 | // Loop, waiting until the connection has been encrypted or an error |
1312 | // occurs. |
1313 | if (!d->plainSocket->waitForReadyRead(msecs: qt_subtract_from_timeout(timeout: msecs, elapsed: stopWatch.elapsed()))) |
1314 | return false; |
1315 | } |
1316 | return d->connectionEncrypted; |
1317 | } |
1318 | |
1319 | /*! |
1320 | \reimp |
1321 | */ |
1322 | bool QSslSocket::waitForReadyRead(int msecs) |
1323 | { |
1324 | Q_D(QSslSocket); |
1325 | if (!d->plainSocket) |
1326 | return false; |
1327 | if (d->mode == UnencryptedMode && !d->autoStartHandshake) |
1328 | return d->plainSocket->waitForReadyRead(msecs); |
1329 | |
1330 | // This function must return true if and only if readyRead() *was* emitted. |
1331 | // So we initialize "readyReadEmitted" to false and check if it was set to true. |
1332 | // waitForReadyRead() could be called recursively, so we can't use the same variable |
1333 | // (the inner waitForReadyRead() may fail, but the outer one still succeeded) |
1334 | bool readyReadEmitted = false; |
1335 | bool *previousReadyReadEmittedPointer = d->readyReadEmittedPointer; |
1336 | d->readyReadEmittedPointer = &readyReadEmitted; |
1337 | |
1338 | QElapsedTimer stopWatch; |
1339 | stopWatch.start(); |
1340 | |
1341 | if (!d->connectionEncrypted) { |
1342 | // Wait until we've entered encrypted mode, or until a failure occurs. |
1343 | if (!waitForEncrypted(msecs)) { |
1344 | d->readyReadEmittedPointer = previousReadyReadEmittedPointer; |
1345 | return false; |
1346 | } |
1347 | } |
1348 | |
1349 | if (!d->writeBuffer.isEmpty()) { |
1350 | // empty our cleartext write buffer first |
1351 | d->transmit(); |
1352 | } |
1353 | |
1354 | // test readyReadEmitted first because either operation above |
1355 | // (waitForEncrypted or transmit) may have set it |
1356 | while (!readyReadEmitted && |
1357 | d->plainSocket->waitForReadyRead(msecs: qt_subtract_from_timeout(timeout: msecs, elapsed: stopWatch.elapsed()))) { |
1358 | } |
1359 | |
1360 | d->readyReadEmittedPointer = previousReadyReadEmittedPointer; |
1361 | return readyReadEmitted; |
1362 | } |
1363 | |
1364 | /*! |
1365 | \reimp |
1366 | */ |
1367 | bool QSslSocket::waitForBytesWritten(int msecs) |
1368 | { |
1369 | Q_D(QSslSocket); |
1370 | if (!d->plainSocket) |
1371 | return false; |
1372 | if (d->mode == UnencryptedMode) |
1373 | return d->plainSocket->waitForBytesWritten(msecs); |
1374 | |
1375 | QElapsedTimer stopWatch; |
1376 | stopWatch.start(); |
1377 | |
1378 | if (!d->connectionEncrypted) { |
1379 | // Wait until we've entered encrypted mode, or until a failure occurs. |
1380 | if (!waitForEncrypted(msecs)) |
1381 | return false; |
1382 | } |
1383 | if (!d->writeBuffer.isEmpty()) { |
1384 | // empty our cleartext write buffer first |
1385 | d->transmit(); |
1386 | } |
1387 | |
1388 | return d->plainSocket->waitForBytesWritten(msecs: qt_subtract_from_timeout(timeout: msecs, elapsed: stopWatch.elapsed())); |
1389 | } |
1390 | |
1391 | /*! |
1392 | Waits until the socket has disconnected or \a msecs milliseconds, |
1393 | whichever comes first. If the connection has been disconnected, |
1394 | this function returns \c true; otherwise it returns \c false. |
1395 | |
1396 | \sa QAbstractSocket::waitForDisconnected() |
1397 | */ |
1398 | bool QSslSocket::waitForDisconnected(int msecs) |
1399 | { |
1400 | Q_D(QSslSocket); |
1401 | |
1402 | // require calling connectToHost() before waitForDisconnected() |
1403 | if (state() == UnconnectedState) { |
1404 | qCWarning(lcSsl, "QSslSocket::waitForDisconnected() is not allowed in UnconnectedState"); |
1405 | return false; |
1406 | } |
1407 | |
1408 | if (!d->plainSocket) |
1409 | return false; |
1410 | // Forward to the plain socket unless the connection is secure. |
1411 | if (d->mode == UnencryptedMode && !d->autoStartHandshake) |
1412 | return d->plainSocket->waitForDisconnected(msecs); |
1413 | |
1414 | QElapsedTimer stopWatch; |
1415 | stopWatch.start(); |
1416 | |
1417 | if (!d->connectionEncrypted) { |
1418 | // Wait until we've entered encrypted mode, or until a failure occurs. |
1419 | if (!waitForEncrypted(msecs)) |
1420 | return false; |
1421 | } |
1422 | // We are delaying the disconnect, if the write buffer is not empty. |
1423 | // So, start the transmission. |
1424 | if (!d->writeBuffer.isEmpty()) |
1425 | d->transmit(); |
1426 | |
1427 | // At this point, the socket might be disconnected, if disconnectFromHost() |
1428 | // was called just after the connectToHostEncrypted() call. Also, we can |
1429 | // lose the connection as a result of the transmit() call. |
1430 | if (state() == UnconnectedState) |
1431 | return true; |
1432 | |
1433 | bool retVal = d->plainSocket->waitForDisconnected(msecs: qt_subtract_from_timeout(timeout: msecs, elapsed: stopWatch.elapsed())); |
1434 | if (!retVal) { |
1435 | setSocketState(d->plainSocket->state()); |
1436 | d->setError(errorCode: d->plainSocket->error(), errorString: d->plainSocket->errorString()); |
1437 | } |
1438 | return retVal; |
1439 | } |
1440 | |
1441 | /*! |
1442 | \since 5.15 |
1443 | |
1444 | Returns a list of the last SSL errors that occurred. This is the |
1445 | same list as QSslSocket passes via the sslErrors() signal. If the |
1446 | connection has been encrypted with no errors, this function will |
1447 | return an empty list. |
1448 | |
1449 | \sa connectToHostEncrypted() |
1450 | */ |
1451 | QList<QSslError> QSslSocket::sslHandshakeErrors() const |
1452 | { |
1453 | Q_D(const QSslSocket); |
1454 | if (const auto *backend = d->backend.get()) |
1455 | return backend->tlsErrors(); |
1456 | return {}; |
1457 | } |
1458 | |
1459 | /*! |
1460 | Returns \c true if this platform supports SSL; otherwise, returns |
1461 | false. If the platform doesn't support SSL, the socket will fail |
1462 | in the connection phase. |
1463 | */ |
1464 | bool QSslSocket::supportsSsl() |
1465 | { |
1466 | return QSslSocketPrivate::supportsSsl(); |
1467 | } |
1468 | |
1469 | /*! |
1470 | \since 5.0 |
1471 | Returns the version number of the SSL library in use. Note that |
1472 | this is the version of the library in use at run-time not compile |
1473 | time. If no SSL support is available then this will return -1. |
1474 | */ |
1475 | long QSslSocket::sslLibraryVersionNumber() |
1476 | { |
1477 | if (const auto *tlsBackend = QSslSocketPrivate::tlsBackendInUse()) |
1478 | return tlsBackend->tlsLibraryVersionNumber(); |
1479 | |
1480 | return -1; |
1481 | } |
1482 | |
1483 | /*! |
1484 | \since 5.0 |
1485 | Returns the version string of the SSL library in use. Note that |
1486 | this is the version of the library in use at run-time not compile |
1487 | time. If no SSL support is available then this will return an empty value. |
1488 | */ |
1489 | QString QSslSocket::sslLibraryVersionString() |
1490 | { |
1491 | if (const auto *tlsBackend = QSslSocketPrivate::tlsBackendInUse()) |
1492 | return tlsBackend->tlsLibraryVersionString(); |
1493 | return {}; |
1494 | } |
1495 | |
1496 | /*! |
1497 | \since 5.4 |
1498 | Returns the version number of the SSL library in use at compile |
1499 | time. If no SSL support is available then this will return -1. |
1500 | |
1501 | \sa sslLibraryVersionNumber() |
1502 | */ |
1503 | long QSslSocket::sslLibraryBuildVersionNumber() |
1504 | { |
1505 | if (const auto *tlsBackend = QSslSocketPrivate::tlsBackendInUse()) |
1506 | return tlsBackend->tlsLibraryBuildVersionNumber(); |
1507 | return -1; |
1508 | } |
1509 | |
1510 | /*! |
1511 | \since 5.4 |
1512 | Returns the version string of the SSL library in use at compile |
1513 | time. If no SSL support is available then this will return an |
1514 | empty value. |
1515 | |
1516 | \sa sslLibraryVersionString() |
1517 | */ |
1518 | QString QSslSocket::sslLibraryBuildVersionString() |
1519 | { |
1520 | if (const auto *tlsBackend = QSslSocketPrivate::tlsBackendInUse()) |
1521 | return tlsBackend->tlsLibraryBuildVersionString(); |
1522 | |
1523 | return {}; |
1524 | } |
1525 | |
1526 | /*! |
1527 | \since 6.1 |
1528 | Returns the names of the currently available backends. These names |
1529 | are in lower case, e.g. "openssl", "securetransport", "schannel" |
1530 | (similar to the already existing feature names for TLS backends in Qt). |
1531 | |
1532 | \sa activeBackend() |
1533 | */ |
1534 | QList<QString> QSslSocket::availableBackends() |
1535 | { |
1536 | return QTlsBackend::availableBackendNames(); |
1537 | } |
1538 | |
1539 | /*! |
1540 | \since 6.1 |
1541 | Returns the name of the backend that QSslSocket and related classes |
1542 | use. If the active backend was not set explicitly, this function |
1543 | returns the name of a default backend that QSslSocket selects implicitly |
1544 | from the list of available backends. |
1545 | |
1546 | \note When selecting a default backend implicitly, QSslSocket prefers |
1547 | the OpenSSL backend if available. If it's not available, the Schannel backend |
1548 | is implicitly selected on Windows, and Secure Transport on Darwin platforms. |
1549 | Failing these, if a custom TLS backend is found, it is used. |
1550 | If no other backend is found, the "certificate only" backend is selected. |
1551 | For more information about TLS plugins, please see |
1552 | \l {Enabling and Disabling SSL Support when Building Qt from Source}. |
1553 | |
1554 | \sa setActiveBackend(), availableBackends() |
1555 | */ |
1556 | QString QSslSocket::activeBackend() |
1557 | { |
1558 | const QMutexLocker locker(&QSslSocketPrivate::backendMutex); |
1559 | |
1560 | if (!QSslSocketPrivate::activeBackendName.size()) |
1561 | QSslSocketPrivate::activeBackendName = QTlsBackend::defaultBackendName(); |
1562 | |
1563 | return QSslSocketPrivate::activeBackendName; |
1564 | } |
1565 | |
1566 | /*! |
1567 | \since 6.1 |
1568 | Returns true if a backend with name \a backendName was set as |
1569 | active backend. \a backendName must be one of names returned |
1570 | by availableBackends(). |
1571 | |
1572 | \note An application cannot mix different backends simultaneously. |
1573 | This implies that a non-default backend must be selected prior |
1574 | to any use of QSslSocket or related classes, e.g. QSslCertificate |
1575 | or QSslKey. |
1576 | |
1577 | \sa activeBackend(), availableBackends() |
1578 | */ |
1579 | bool QSslSocket::setActiveBackend(const QString &backendName) |
1580 | { |
1581 | if (!backendName.size()) { |
1582 | qCWarning(lcSsl, "Invalid parameter (backend name cannot be an empty string)"); |
1583 | return false; |
1584 | } |
1585 | |
1586 | QMutexLocker locker(&QSslSocketPrivate::backendMutex); |
1587 | if (QSslSocketPrivate::tlsBackend) { |
1588 | qCWarning(lcSsl) << "Cannot set backend named"<< backendName |
1589 | << "as active, another backend is already in use"; |
1590 | locker.unlock(); |
1591 | return activeBackend() == backendName; |
1592 | } |
1593 | |
1594 | if (!QTlsBackend::availableBackendNames().contains(str: backendName)) { |
1595 | qCWarning(lcSsl) << "Cannot set unavailable backend named"<< backendName |
1596 | << "as active"; |
1597 | return false; |
1598 | } |
1599 | |
1600 | QSslSocketPrivate::activeBackendName = backendName; |
1601 | |
1602 | return true; |
1603 | } |
1604 | |
1605 | /*! |
1606 | \since 6.1 |
1607 | If a backend with name \a backendName is available, this function returns the |
1608 | list of TLS protocol versions supported by this backend. An empty \a backendName |
1609 | is understood as a query about the currently active backend. Otherwise, this |
1610 | function returns an empty list. |
1611 | |
1612 | \sa availableBackends(), activeBackend(), isProtocolSupported() |
1613 | */ |
1614 | QList<QSsl::SslProtocol> QSslSocket::supportedProtocols(const QString &backendName) |
1615 | { |
1616 | return QTlsBackend::supportedProtocols(backendName: backendName.size() ? backendName : activeBackend()); |
1617 | } |
1618 | |
1619 | /*! |
1620 | \since 6.1 |
1621 | Returns true if \a protocol is supported by a backend named \a backendName. An empty |
1622 | \a backendName is understood as a query about the currently active backend. |
1623 | |
1624 | \sa supportedProtocols() |
1625 | */ |
1626 | bool QSslSocket::isProtocolSupported(QSsl::SslProtocol protocol, const QString &backendName) |
1627 | { |
1628 | const auto versions = supportedProtocols(backendName); |
1629 | return versions.contains(t: protocol); |
1630 | } |
1631 | |
1632 | /*! |
1633 | \since 6.1 |
1634 | This function returns backend-specific classes implemented by the backend named |
1635 | \a backendName. An empty \a backendName is understood as a query about the |
1636 | currently active backend. |
1637 | |
1638 | \sa QSsl::ImplementedClass, activeBackend(), isClassImplemented() |
1639 | */ |
1640 | QList<QSsl::ImplementedClass> QSslSocket::implementedClasses(const QString &backendName) |
1641 | { |
1642 | return QTlsBackend::implementedClasses(backendName: backendName.size() ? backendName : activeBackend()); |
1643 | } |
1644 | |
1645 | /*! |
1646 | \since 6.1 |
1647 | Returns true if a class \a cl is implemented by the backend named \a backendName. An empty |
1648 | \a backendName is understood as a query about the currently active backend. |
1649 | |
1650 | \sa implementedClasses() |
1651 | */ |
1652 | |
1653 | bool QSslSocket::isClassImplemented(QSsl::ImplementedClass cl, const QString &backendName) |
1654 | { |
1655 | return implementedClasses(backendName).contains(t: cl); |
1656 | } |
1657 | |
1658 | /*! |
1659 | \since 6.1 |
1660 | This function returns features supported by a backend named \a backendName. |
1661 | An empty \a backendName is understood as a query about the currently active backend. |
1662 | |
1663 | \sa QSsl::SupportedFeature, activeBackend() |
1664 | */ |
1665 | QList<QSsl::SupportedFeature> QSslSocket::supportedFeatures(const QString &backendName) |
1666 | { |
1667 | return QTlsBackend::supportedFeatures(backendName: backendName.size() ? backendName : activeBackend()); |
1668 | } |
1669 | |
1670 | /*! |
1671 | \since 6.1 |
1672 | Returns true if a feature \a ft is supported by a backend named \a backendName. An empty |
1673 | \a backendName is understood as a query about the currently active backend. |
1674 | |
1675 | \sa QSsl::SupportedFeature, supportedFeatures() |
1676 | */ |
1677 | bool QSslSocket::isFeatureSupported(QSsl::SupportedFeature ft, const QString &backendName) |
1678 | { |
1679 | return supportedFeatures(backendName).contains(t: ft); |
1680 | } |
1681 | |
1682 | /*! |
1683 | Starts a delayed SSL handshake for a client connection. This |
1684 | function can be called when the socket is in the \l ConnectedState |
1685 | but still in the \l UnencryptedMode. If it is not yet connected, |
1686 | or if it is already encrypted, this function has no effect. |
1687 | |
1688 | Clients that implement STARTTLS functionality often make use of |
1689 | delayed SSL handshakes. Most other clients can avoid calling this |
1690 | function directly by using connectToHostEncrypted() instead, which |
1691 | automatically performs the handshake. |
1692 | |
1693 | \sa connectToHostEncrypted(), startServerEncryption() |
1694 | */ |
1695 | void QSslSocket::startClientEncryption() |
1696 | { |
1697 | Q_D(QSslSocket); |
1698 | if (d->mode != UnencryptedMode) { |
1699 | qCWarning(lcSsl, |
1700 | "QSslSocket::startClientEncryption: cannot start handshake on non-plain connection"); |
1701 | return; |
1702 | } |
1703 | if (state() != ConnectedState) { |
1704 | qCWarning(lcSsl, |
1705 | "QSslSocket::startClientEncryption: cannot start handshake when not connected"); |
1706 | return; |
1707 | } |
1708 | |
1709 | if (!supportsSsl()) { |
1710 | qCWarning(lcSsl, "QSslSocket::startClientEncryption: TLS initialization failed"); |
1711 | d->setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError, errorString: tr(s: "TLS initialization failed")); |
1712 | return; |
1713 | } |
1714 | |
1715 | if (!d->verifyProtocolSupported(where: "QSslSocket::startClientEncryption:")) |
1716 | return; |
1717 | |
1718 | #ifdef QSSLSOCKET_DEBUG |
1719 | qCDebug(lcSsl) << "QSslSocket::startClientEncryption()"; |
1720 | #endif |
1721 | d->mode = SslClientMode; |
1722 | emit modeChanged(newMode: d->mode); |
1723 | d->startClientEncryption(); |
1724 | } |
1725 | |
1726 | /*! |
1727 | Starts a delayed SSL handshake for a server connection. This |
1728 | function can be called when the socket is in the \l ConnectedState |
1729 | but still in \l UnencryptedMode. If it is not connected or it is |
1730 | already encrypted, the function has no effect. |
1731 | |
1732 | For server sockets, calling this function is the only way to |
1733 | initiate the SSL handshake. Most servers will call this function |
1734 | immediately upon receiving a connection, or as a result of having |
1735 | received a protocol-specific command to enter SSL mode (e.g, the |
1736 | server may respond to receiving the string "STARTTLS\\r\\n" by |
1737 | calling this function). |
1738 | |
1739 | The most common way to implement an SSL server is to create a |
1740 | subclass of QTcpServer and reimplement |
1741 | QTcpServer::incomingConnection(). The returned socket descriptor |
1742 | is then passed to QSslSocket::setSocketDescriptor(). |
1743 | |
1744 | \sa connectToHostEncrypted(), startClientEncryption() |
1745 | */ |
1746 | void QSslSocket::startServerEncryption() |
1747 | { |
1748 | Q_D(QSslSocket); |
1749 | if (d->mode != UnencryptedMode) { |
1750 | qCWarning(lcSsl, "QSslSocket::startServerEncryption: cannot start handshake on non-plain connection"); |
1751 | return; |
1752 | } |
1753 | #ifdef QSSLSOCKET_DEBUG |
1754 | qCDebug(lcSsl) << "QSslSocket::startServerEncryption()"; |
1755 | #endif |
1756 | if (!supportsSsl()) { |
1757 | qCWarning(lcSsl, "QSslSocket::startServerEncryption: TLS initialization failed"); |
1758 | d->setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError, errorString: tr(s: "TLS initialization failed")); |
1759 | return; |
1760 | } |
1761 | if (!d->verifyProtocolSupported(where: "QSslSocket::startServerEncryption")) |
1762 | return; |
1763 | |
1764 | d->mode = SslServerMode; |
1765 | emit modeChanged(newMode: d->mode); |
1766 | d->startServerEncryption(); |
1767 | } |
1768 | |
1769 | /*! |
1770 | This slot tells QSslSocket to ignore errors during QSslSocket's |
1771 | handshake phase and continue connecting. If you want to continue |
1772 | with the connection even if errors occur during the handshake |
1773 | phase, then you must call this slot, either from a slot connected |
1774 | to sslErrors(), or before the handshake phase. If you don't call |
1775 | this slot, either in response to errors or before the handshake, |
1776 | the connection will be dropped after the sslErrors() signal has |
1777 | been emitted. |
1778 | |
1779 | If there are no errors during the SSL handshake phase (i.e., the |
1780 | identity of the peer is established with no problems), QSslSocket |
1781 | will not emit the sslErrors() signal, and it is unnecessary to |
1782 | call this function. |
1783 | |
1784 | \warning Be sure to always let the user inspect the errors |
1785 | reported by the sslErrors() signal, and only call this method |
1786 | upon confirmation from the user that proceeding is ok. |
1787 | If there are unexpected errors, the connection should be aborted. |
1788 | Calling this method without inspecting the actual errors will |
1789 | most likely pose a security risk for your application. Use it |
1790 | with great care! |
1791 | |
1792 | \sa sslErrors() |
1793 | */ |
1794 | void QSslSocket::ignoreSslErrors() |
1795 | { |
1796 | Q_D(QSslSocket); |
1797 | d->ignoreAllSslErrors = true; |
1798 | } |
1799 | |
1800 | /*! |
1801 | \overload |
1802 | \since 4.6 |
1803 | |
1804 | This method tells QSslSocket to ignore only the errors given in \a |
1805 | errors. |
1806 | |
1807 | \note Because most SSL errors are associated with a certificate, for most |
1808 | of them you must set the expected certificate this SSL error is related to. |
1809 | If, for instance, you want to connect to a server that uses |
1810 | a self-signed certificate, consider the following snippet: |
1811 | |
1812 | \snippet code/src_network_ssl_qsslsocket.cpp 6 |
1813 | |
1814 | Multiple calls to this function will replace the list of errors that |
1815 | were passed in previous calls. |
1816 | You can clear the list of errors you want to ignore by calling this |
1817 | function with an empty list. |
1818 | |
1819 | \sa sslErrors(), sslHandshakeErrors() |
1820 | */ |
1821 | void QSslSocket::ignoreSslErrors(const QList<QSslError> &errors) |
1822 | { |
1823 | Q_D(QSslSocket); |
1824 | d->ignoreErrorsList = errors; |
1825 | } |
1826 | |
1827 | |
1828 | /*! |
1829 | \since 6.0 |
1830 | |
1831 | If an application wants to conclude a handshake even after receiving |
1832 | handshakeInterruptedOnError() signal, it must call this function. |
1833 | This call must be done from a slot function attached to the signal. |
1834 | The signal-slot connection must be direct. |
1835 | |
1836 | \sa handshakeInterruptedOnError(), QSslConfiguration::setHandshakeMustInterruptOnError() |
1837 | */ |
1838 | void QSslSocket::continueInterruptedHandshake() |
1839 | { |
1840 | Q_D(QSslSocket); |
1841 | if (auto *backend = d->backend.get()) |
1842 | backend->enableHandshakeContinuation(); |
1843 | } |
1844 | |
1845 | /*! |
1846 | \internal |
1847 | */ |
1848 | void QSslSocket::connectToHost(const QString &hostName, quint16 port, OpenMode openMode, NetworkLayerProtocol protocol) |
1849 | { |
1850 | Q_D(QSslSocket); |
1851 | d->preferredNetworkLayerProtocol = protocol; |
1852 | if (!d->initialized) |
1853 | d->init(); |
1854 | d->initialized = false; |
1855 | |
1856 | #ifdef QSSLSOCKET_DEBUG |
1857 | qCDebug(lcSsl) << "QSslSocket::connectToHost(" |
1858 | << hostName << ',' << port << ',' << openMode << ')'; |
1859 | #endif |
1860 | if (!d->plainSocket) { |
1861 | #ifdef QSSLSOCKET_DEBUG |
1862 | qCDebug(lcSsl) << "\tcreating internal plain socket"; |
1863 | #endif |
1864 | d->createPlainSocket(openMode); |
1865 | } |
1866 | #ifndef QT_NO_NETWORKPROXY |
1867 | d->plainSocket->setProtocolTag(d->protocolTag); |
1868 | d->plainSocket->setProxy(proxy()); |
1869 | #endif |
1870 | QIODevice::open(mode: openMode); |
1871 | d->readChannelCount = d->writeChannelCount = 0; |
1872 | d->plainSocket->connectToHost(hostName, port, mode: openMode, protocol: d->preferredNetworkLayerProtocol); |
1873 | d->cachedSocketDescriptor = d->plainSocket->socketDescriptor(); |
1874 | } |
1875 | |
1876 | /*! |
1877 | \internal |
1878 | */ |
1879 | void QSslSocket::disconnectFromHost() |
1880 | { |
1881 | Q_D(QSslSocket); |
1882 | #ifdef QSSLSOCKET_DEBUG |
1883 | qCDebug(lcSsl) << "QSslSocket::disconnectFromHost()"; |
1884 | #endif |
1885 | if (!d->plainSocket) |
1886 | return; |
1887 | if (d->state == UnconnectedState) |
1888 | return; |
1889 | if (d->mode == UnencryptedMode && !d->autoStartHandshake) { |
1890 | d->plainSocket->disconnectFromHost(); |
1891 | return; |
1892 | } |
1893 | if (d->state <= ConnectingState) { |
1894 | d->pendingClose = true; |
1895 | return; |
1896 | } |
1897 | // Make sure we don't process any signal from the CA fetcher |
1898 | // (Windows): |
1899 | if (auto *backend = d->backend.get()) |
1900 | backend->cancelCAFetch(); |
1901 | |
1902 | // Perhaps emit closing() |
1903 | if (d->state != ClosingState) { |
1904 | d->state = ClosingState; |
1905 | emit stateChanged(d->state); |
1906 | } |
1907 | |
1908 | if (!d->writeBuffer.isEmpty()) { |
1909 | d->pendingClose = true; |
1910 | return; |
1911 | } |
1912 | |
1913 | if (d->mode == UnencryptedMode) { |
1914 | d->plainSocket->disconnectFromHost(); |
1915 | } else { |
1916 | d->disconnectFromHost(); |
1917 | } |
1918 | } |
1919 | |
1920 | /*! |
1921 | \reimp |
1922 | */ |
1923 | qint64 QSslSocket::readData(char *data, qint64 maxlen) |
1924 | { |
1925 | Q_D(QSslSocket); |
1926 | qint64 readBytes = 0; |
1927 | |
1928 | if (d->mode == UnencryptedMode && !d->autoStartHandshake) { |
1929 | readBytes = d->plainSocket->read(data, maxlen); |
1930 | #ifdef QSSLSOCKET_DEBUG |
1931 | qCDebug(lcSsl) << "QSslSocket::readData("<< (void *)data << ',' << maxlen << ") ==" |
1932 | << readBytes; |
1933 | #endif |
1934 | } else { |
1935 | // possibly trigger another transmit() to decrypt more data from the socket |
1936 | if (d->plainSocket->bytesAvailable() || d->hasUndecryptedData()) |
1937 | QMetaObject::invokeMethod(obj: this, member: "_q_flushReadBuffer", c: Qt::QueuedConnection); |
1938 | else if (d->state != QAbstractSocket::ConnectedState) |
1939 | return maxlen ? qint64(-1) : qint64(0); |
1940 | } |
1941 | |
1942 | return readBytes; |
1943 | } |
1944 | |
1945 | /*! |
1946 | \reimp |
1947 | */ |
1948 | qint64 QSslSocket::writeData(const char *data, qint64 len) |
1949 | { |
1950 | Q_D(QSslSocket); |
1951 | #ifdef QSSLSOCKET_DEBUG |
1952 | qCDebug(lcSsl) << "QSslSocket::writeData("<< (void *)data << ',' << len << ')'; |
1953 | #endif |
1954 | if (d->mode == UnencryptedMode && !d->autoStartHandshake) |
1955 | return d->plainSocket->write(data, len); |
1956 | |
1957 | d->write(data, size: len); |
1958 | |
1959 | // make sure we flush to the plain socket's buffer |
1960 | if (!d->flushTriggered) { |
1961 | d->flushTriggered = true; |
1962 | QMetaObject::invokeMethod(obj: this, member: "_q_flushWriteBuffer", c: Qt::QueuedConnection); |
1963 | } |
1964 | |
1965 | return len; |
1966 | } |
1967 | |
1968 | bool QSslSocketPrivate::s_loadRootCertsOnDemand = false; |
1969 | |
1970 | /*! |
1971 | \internal |
1972 | */ |
1973 | QSslSocketPrivate::QSslSocketPrivate() |
1974 | : initialized(false) |
1975 | , mode(QSslSocket::UnencryptedMode) |
1976 | , autoStartHandshake(false) |
1977 | , connectionEncrypted(false) |
1978 | , ignoreAllSslErrors(false) |
1979 | , readyReadEmittedPointer(nullptr) |
1980 | , allowRootCertOnDemandLoading(true) |
1981 | , plainSocket(nullptr) |
1982 | , paused(false) |
1983 | , flushTriggered(false) |
1984 | { |
1985 | QSslConfigurationPrivate::deepCopyDefaultConfiguration(config: &configuration); |
1986 | // If the global configuration doesn't allow root certificates to be loaded |
1987 | // on demand then we have to disable it for this socket as well. |
1988 | if (!configuration.allowRootCertOnDemandLoading) |
1989 | allowRootCertOnDemandLoading = false; |
1990 | |
1991 | const auto *tlsBackend = tlsBackendInUse(); |
1992 | if (!tlsBackend) { |
1993 | qCWarning(lcSsl, "No TLS backend is available"); |
1994 | return; |
1995 | } |
1996 | backend.reset(p: tlsBackend->createTlsCryptograph()); |
1997 | if (!backend.get()) { |
1998 | qCWarning(lcSsl) << "The backend named"<< tlsBackend->backendName() |
1999 | << "does not support TLS"; |
2000 | } |
2001 | } |
2002 | |
2003 | /*! |
2004 | \internal |
2005 | */ |
2006 | QSslSocketPrivate::~QSslSocketPrivate() |
2007 | { |
2008 | } |
2009 | |
2010 | /*! |
2011 | \internal |
2012 | */ |
2013 | bool QSslSocketPrivate::supportsSsl() |
2014 | { |
2015 | if (const auto *tlsBackend = tlsBackendInUse()) |
2016 | return tlsBackend->implementedClasses().contains(t: QSsl::ImplementedClass::Socket); |
2017 | return false; |
2018 | } |
2019 | |
2020 | /*! |
2021 | \internal |
2022 | |
2023 | Declared static in QSslSocketPrivate, makes sure the SSL libraries have |
2024 | been initialized. |
2025 | */ |
2026 | void QSslSocketPrivate::ensureInitialized() |
2027 | { |
2028 | if (!supportsSsl()) |
2029 | return; |
2030 | |
2031 | const auto *tlsBackend = tlsBackendInUse(); |
2032 | Q_ASSERT(tlsBackend); |
2033 | tlsBackend->ensureInitialized(); |
2034 | } |
2035 | |
2036 | /*! |
2037 | \internal |
2038 | */ |
2039 | void QSslSocketPrivate::init() |
2040 | { |
2041 | // TLSTODO: delete those data members. |
2042 | mode = QSslSocket::UnencryptedMode; |
2043 | autoStartHandshake = false; |
2044 | connectionEncrypted = false; |
2045 | ignoreAllSslErrors = false; |
2046 | abortCalled = false; |
2047 | pendingClose = false; |
2048 | flushTriggered = false; |
2049 | // We don't want to clear the ignoreErrorsList, so |
2050 | // that it is possible setting it before connecting. |
2051 | |
2052 | buffer.clear(); |
2053 | writeBuffer.clear(); |
2054 | configuration.peerCertificate.clear(); |
2055 | configuration.peerCertificateChain.clear(); |
2056 | |
2057 | if (backend.get()) { |
2058 | Q_ASSERT(q_ptr); |
2059 | backend->init(q: static_cast<QSslSocket *>(q_ptr), d: this); |
2060 | } |
2061 | } |
2062 | |
2063 | /*! |
2064 | \internal |
2065 | */ |
2066 | bool QSslSocketPrivate::verifyProtocolSupported(const char *where) |
2067 | { |
2068 | auto protocolName = "DTLS"_L1; |
2069 | switch (configuration.protocol) { |
2070 | case QSsl::UnknownProtocol: |
2071 | // UnknownProtocol, according to our docs, is for cipher whose protocol is unknown. |
2072 | // Should not be used when configuring QSslSocket. |
2073 | protocolName = "UnknownProtocol"_L1; |
2074 | Q_FALLTHROUGH(); |
2075 | QT_WARNING_PUSH |
2076 | QT_WARNING_DISABLE_DEPRECATED |
2077 | case QSsl::DtlsV1_0: |
2078 | case QSsl::DtlsV1_2: |
2079 | case QSsl::DtlsV1_0OrLater: |
2080 | case QSsl::DtlsV1_2OrLater: |
2081 | qCWarning(lcSsl) << where << "QSslConfiguration with unexpected protocol"<< protocolName; |
2082 | setErrorAndEmit(errorCode: QAbstractSocket::SslInvalidUserDataError, |
2083 | errorString: QSslSocket::tr(s: "Attempted to use an unsupported protocol.")); |
2084 | return false; |
2085 | QT_WARNING_POP |
2086 | default: |
2087 | return true; |
2088 | } |
2089 | } |
2090 | |
2091 | /*! |
2092 | \internal |
2093 | */ |
2094 | QList<QSslCipher> QSslSocketPrivate::defaultCiphers() |
2095 | { |
2096 | QSslSocketPrivate::ensureInitialized(); |
2097 | QMutexLocker locker(&globalData()->mutex); |
2098 | return globalData()->config->ciphers; |
2099 | } |
2100 | |
2101 | /*! |
2102 | \internal |
2103 | */ |
2104 | QList<QSslCipher> QSslSocketPrivate::supportedCiphers() |
2105 | { |
2106 | QSslSocketPrivate::ensureInitialized(); |
2107 | QMutexLocker locker(&globalData()->mutex); |
2108 | return globalData()->supportedCiphers; |
2109 | } |
2110 | |
2111 | /*! |
2112 | \internal |
2113 | */ |
2114 | void QSslSocketPrivate::setDefaultCiphers(const QList<QSslCipher> &ciphers) |
2115 | { |
2116 | QMutexLocker locker(&globalData()->mutex); |
2117 | globalData()->config.detach(); |
2118 | globalData()->config->ciphers = ciphers; |
2119 | } |
2120 | |
2121 | /*! |
2122 | \internal |
2123 | */ |
2124 | void QSslSocketPrivate::setDefaultSupportedCiphers(const QList<QSslCipher> &ciphers) |
2125 | { |
2126 | QMutexLocker locker(&globalData()->mutex); |
2127 | globalData()->config.detach(); |
2128 | globalData()->supportedCiphers = ciphers; |
2129 | } |
2130 | |
2131 | /*! |
2132 | \internal |
2133 | */ |
2134 | void QSslSocketPrivate::resetDefaultEllipticCurves() |
2135 | { |
2136 | const auto *tlsBackend = tlsBackendInUse(); |
2137 | if (!tlsBackend) |
2138 | return; |
2139 | |
2140 | auto ids = tlsBackend->ellipticCurvesIds(); |
2141 | if (!ids.size()) |
2142 | return; |
2143 | |
2144 | QList<QSslEllipticCurve> curves; |
2145 | curves.reserve(size: ids.size()); |
2146 | for (int id : ids) { |
2147 | QSslEllipticCurve curve; |
2148 | curve.id = id; |
2149 | curves.append(t: curve); |
2150 | } |
2151 | |
2152 | // Set the list of supported ECs, but not the list |
2153 | // of *default* ECs. OpenSSL doesn't like forcing an EC for the wrong |
2154 | // ciphersuite, so don't try it -- leave the empty list to mean |
2155 | // "the implementation will choose the most suitable one". |
2156 | setDefaultSupportedEllipticCurves(curves); |
2157 | } |
2158 | |
2159 | /*! |
2160 | \internal |
2161 | */ |
2162 | void QSslSocketPrivate::setDefaultDtlsCiphers(const QList<QSslCipher> &ciphers) |
2163 | { |
2164 | QMutexLocker locker(&globalData()->mutex); |
2165 | globalData()->dtlsConfig.detach(); |
2166 | globalData()->dtlsConfig->ciphers = ciphers; |
2167 | } |
2168 | |
2169 | /*! |
2170 | \internal |
2171 | */ |
2172 | QList<QSslCipher> QSslSocketPrivate::defaultDtlsCiphers() |
2173 | { |
2174 | QSslSocketPrivate::ensureInitialized(); |
2175 | QMutexLocker locker(&globalData()->mutex); |
2176 | return globalData()->dtlsConfig->ciphers; |
2177 | } |
2178 | |
2179 | /*! |
2180 | \internal |
2181 | */ |
2182 | QList<QSslEllipticCurve> QSslSocketPrivate::supportedEllipticCurves() |
2183 | { |
2184 | QSslSocketPrivate::ensureInitialized(); |
2185 | const QMutexLocker locker(&globalData()->mutex); |
2186 | return globalData()->supportedEllipticCurves; |
2187 | } |
2188 | |
2189 | /*! |
2190 | \internal |
2191 | */ |
2192 | void QSslSocketPrivate::setDefaultSupportedEllipticCurves(const QList<QSslEllipticCurve> &curves) |
2193 | { |
2194 | const QMutexLocker locker(&globalData()->mutex); |
2195 | globalData()->config.detach(); |
2196 | globalData()->dtlsConfig.detach(); |
2197 | globalData()->supportedEllipticCurves = curves; |
2198 | } |
2199 | |
2200 | /*! |
2201 | \internal |
2202 | */ |
2203 | QList<QSslCertificate> QSslSocketPrivate::defaultCaCertificates() |
2204 | { |
2205 | QSslSocketPrivate::ensureInitialized(); |
2206 | QMutexLocker locker(&globalData()->mutex); |
2207 | return globalData()->config->caCertificates; |
2208 | } |
2209 | |
2210 | /*! |
2211 | \internal |
2212 | */ |
2213 | void QSslSocketPrivate::setDefaultCaCertificates(const QList<QSslCertificate> &certs) |
2214 | { |
2215 | QSslSocketPrivate::ensureInitialized(); |
2216 | QMutexLocker locker(&globalData()->mutex); |
2217 | globalData()->config.detach(); |
2218 | globalData()->config->caCertificates = certs; |
2219 | globalData()->dtlsConfig.detach(); |
2220 | globalData()->dtlsConfig->caCertificates = certs; |
2221 | // when the certificates are set explicitly, we do not want to |
2222 | // load the system certificates on demand |
2223 | s_loadRootCertsOnDemand = false; |
2224 | } |
2225 | |
2226 | /*! |
2227 | \internal |
2228 | */ |
2229 | void QSslSocketPrivate::addDefaultCaCertificate(const QSslCertificate &cert) |
2230 | { |
2231 | QSslSocketPrivate::ensureInitialized(); |
2232 | QMutexLocker locker(&globalData()->mutex); |
2233 | if (globalData()->config->caCertificates.contains(t: cert)) |
2234 | return; |
2235 | globalData()->config.detach(); |
2236 | globalData()->config->caCertificates += cert; |
2237 | globalData()->dtlsConfig.detach(); |
2238 | globalData()->dtlsConfig->caCertificates += cert; |
2239 | } |
2240 | |
2241 | /*! |
2242 | \internal |
2243 | */ |
2244 | void QSslSocketPrivate::addDefaultCaCertificates(const QList<QSslCertificate> &certs) |
2245 | { |
2246 | QSslSocketPrivate::ensureInitialized(); |
2247 | QMutexLocker locker(&globalData()->mutex); |
2248 | globalData()->config.detach(); |
2249 | globalData()->config->caCertificates += certs; |
2250 | globalData()->dtlsConfig.detach(); |
2251 | globalData()->dtlsConfig->caCertificates += certs; |
2252 | } |
2253 | |
2254 | /*! |
2255 | \internal |
2256 | */ |
2257 | QSslConfiguration QSslConfigurationPrivate::defaultConfiguration() |
2258 | { |
2259 | QSslSocketPrivate::ensureInitialized(); |
2260 | QMutexLocker locker(&globalData()->mutex); |
2261 | return QSslConfiguration(globalData()->config.data()); |
2262 | } |
2263 | |
2264 | /*! |
2265 | \internal |
2266 | */ |
2267 | void QSslConfigurationPrivate::setDefaultConfiguration(const QSslConfiguration &configuration) |
2268 | { |
2269 | QSslSocketPrivate::ensureInitialized(); |
2270 | QMutexLocker locker(&globalData()->mutex); |
2271 | if (globalData()->config == configuration.d) |
2272 | return; // nothing to do |
2273 | |
2274 | globalData()->config = const_cast<QSslConfigurationPrivate*>(configuration.d.constData()); |
2275 | } |
2276 | |
2277 | /*! |
2278 | \internal |
2279 | */ |
2280 | void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPrivate *ptr) |
2281 | { |
2282 | QSslSocketPrivate::ensureInitialized(); |
2283 | QMutexLocker locker(&globalData()->mutex); |
2284 | const QSslConfigurationPrivate *global = globalData()->config.constData(); |
2285 | |
2286 | if (!global) |
2287 | return; |
2288 | |
2289 | ptr->ref.storeRelaxed(newValue: 1); |
2290 | ptr->peerCertificate = global->peerCertificate; |
2291 | ptr->peerCertificateChain = global->peerCertificateChain; |
2292 | ptr->localCertificateChain = global->localCertificateChain; |
2293 | ptr->privateKey = global->privateKey; |
2294 | ptr->sessionCipher = global->sessionCipher; |
2295 | ptr->sessionProtocol = global->sessionProtocol; |
2296 | ptr->ciphers = global->ciphers; |
2297 | ptr->caCertificates = global->caCertificates; |
2298 | ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading; |
2299 | ptr->protocol = global->protocol; |
2300 | ptr->peerVerifyMode = global->peerVerifyMode; |
2301 | ptr->peerVerifyDepth = global->peerVerifyDepth; |
2302 | ptr->sslOptions = global->sslOptions; |
2303 | ptr->ellipticCurves = global->ellipticCurves; |
2304 | ptr->backendConfig = global->backendConfig; |
2305 | #if QT_CONFIG(dtls) |
2306 | ptr->dtlsCookieEnabled = global->dtlsCookieEnabled; |
2307 | #endif |
2308 | #if QT_CONFIG(ocsp) |
2309 | ptr->ocspStaplingEnabled = global->ocspStaplingEnabled; |
2310 | #endif |
2311 | #if QT_CONFIG(openssl) |
2312 | ptr->reportFromCallback = global->reportFromCallback; |
2313 | ptr->missingCertIsFatal = global->missingCertIsFatal; |
2314 | #endif |
2315 | } |
2316 | |
2317 | /*! |
2318 | \internal |
2319 | */ |
2320 | QSslConfiguration QSslConfigurationPrivate::defaultDtlsConfiguration() |
2321 | { |
2322 | QSslSocketPrivate::ensureInitialized(); |
2323 | QMutexLocker locker(&globalData()->mutex); |
2324 | |
2325 | return QSslConfiguration(globalData()->dtlsConfig.data()); |
2326 | } |
2327 | |
2328 | /*! |
2329 | \internal |
2330 | */ |
2331 | void QSslConfigurationPrivate::setDefaultDtlsConfiguration(const QSslConfiguration &configuration) |
2332 | { |
2333 | QSslSocketPrivate::ensureInitialized(); |
2334 | QMutexLocker locker(&globalData()->mutex); |
2335 | if (globalData()->dtlsConfig == configuration.d) |
2336 | return; // nothing to do |
2337 | |
2338 | globalData()->dtlsConfig = const_cast<QSslConfigurationPrivate*>(configuration.d.constData()); |
2339 | } |
2340 | |
2341 | /*! |
2342 | \internal |
2343 | */ |
2344 | void QSslSocketPrivate::createPlainSocket(QIODevice::OpenMode openMode) |
2345 | { |
2346 | Q_Q(QSslSocket); |
2347 | q->setOpenMode(openMode); // <- from QIODevice |
2348 | q->setSocketState(QAbstractSocket::UnconnectedState); |
2349 | q->setSocketError(QAbstractSocket::UnknownSocketError); |
2350 | q->setLocalPort(0); |
2351 | q->setLocalAddress(QHostAddress()); |
2352 | q->setPeerPort(0); |
2353 | q->setPeerAddress(QHostAddress()); |
2354 | q->setPeerName(QString()); |
2355 | |
2356 | plainSocket = new QTcpSocket(q); |
2357 | q->connect(sender: plainSocket, SIGNAL(connected()), |
2358 | receiver: q, SLOT(_q_connectedSlot()), |
2359 | Qt::DirectConnection); |
2360 | q->connect(sender: plainSocket, SIGNAL(hostFound()), |
2361 | receiver: q, SLOT(_q_hostFoundSlot()), |
2362 | Qt::DirectConnection); |
2363 | q->connect(sender: plainSocket, SIGNAL(disconnected()), |
2364 | receiver: q, SLOT(_q_disconnectedSlot()), |
2365 | Qt::DirectConnection); |
2366 | q->connect(sender: plainSocket, SIGNAL(stateChanged(QAbstractSocket::SocketState)), |
2367 | receiver: q, SLOT(_q_stateChangedSlot(QAbstractSocket::SocketState)), |
2368 | Qt::DirectConnection); |
2369 | q->connect(sender: plainSocket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), |
2370 | receiver: q, SLOT(_q_errorSlot(QAbstractSocket::SocketError)), |
2371 | Qt::DirectConnection); |
2372 | q->connect(sender: plainSocket, SIGNAL(readyRead()), |
2373 | receiver: q, SLOT(_q_readyReadSlot()), |
2374 | Qt::DirectConnection); |
2375 | q->connect(sender: plainSocket, SIGNAL(channelReadyRead(int)), |
2376 | receiver: q, SLOT(_q_channelReadyReadSlot(int)), |
2377 | Qt::DirectConnection); |
2378 | q->connect(sender: plainSocket, SIGNAL(bytesWritten(qint64)), |
2379 | receiver: q, SLOT(_q_bytesWrittenSlot(qint64)), |
2380 | Qt::DirectConnection); |
2381 | q->connect(sender: plainSocket, SIGNAL(channelBytesWritten(int,qint64)), |
2382 | receiver: q, SLOT(_q_channelBytesWrittenSlot(int,qint64)), |
2383 | Qt::DirectConnection); |
2384 | q->connect(sender: plainSocket, SIGNAL(readChannelFinished()), |
2385 | receiver: q, SLOT(_q_readChannelFinishedSlot()), |
2386 | Qt::DirectConnection); |
2387 | #ifndef QT_NO_NETWORKPROXY |
2388 | q->connect(sender: plainSocket, SIGNAL(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*)), |
2389 | receiver: q, SIGNAL(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*))); |
2390 | #endif |
2391 | |
2392 | buffer.clear(); |
2393 | writeBuffer.clear(); |
2394 | connectionEncrypted = false; |
2395 | configuration.peerCertificate.clear(); |
2396 | configuration.peerCertificateChain.clear(); |
2397 | mode = QSslSocket::UnencryptedMode; |
2398 | q->setReadBufferSize(readBufferMaxSize); |
2399 | } |
2400 | |
2401 | void QSslSocketPrivate::pauseSocketNotifiers(QSslSocket *socket) |
2402 | { |
2403 | if (!socket->d_func()->plainSocket) |
2404 | return; |
2405 | QAbstractSocketPrivate::pauseSocketNotifiers(socket->d_func()->plainSocket); |
2406 | } |
2407 | |
2408 | void QSslSocketPrivate::resumeSocketNotifiers(QSslSocket *socket) |
2409 | { |
2410 | if (!socket->d_func()->plainSocket) |
2411 | return; |
2412 | QAbstractSocketPrivate::resumeSocketNotifiers(socket->d_func()->plainSocket); |
2413 | } |
2414 | |
2415 | bool QSslSocketPrivate::isPaused() const |
2416 | { |
2417 | return paused; |
2418 | } |
2419 | |
2420 | void QSslSocketPrivate::setPaused(bool p) |
2421 | { |
2422 | paused = p; |
2423 | } |
2424 | |
2425 | bool QSslSocketPrivate::bind(const QHostAddress &address, quint16 port, QAbstractSocket::BindMode mode) |
2426 | { |
2427 | // this function is called from QAbstractSocket::bind |
2428 | if (!initialized) |
2429 | init(); |
2430 | initialized = false; |
2431 | |
2432 | #ifdef QSSLSOCKET_DEBUG |
2433 | qCDebug(lcSsl) << "QSslSocket::bind("<< address << ',' << port << ',' << mode << ')'; |
2434 | #endif |
2435 | if (!plainSocket) { |
2436 | #ifdef QSSLSOCKET_DEBUG |
2437 | qCDebug(lcSsl) << "\tcreating internal plain socket"; |
2438 | #endif |
2439 | createPlainSocket(openMode: QIODevice::ReadWrite); |
2440 | } |
2441 | bool ret = plainSocket->bind(address, port, mode); |
2442 | localPort = plainSocket->localPort(); |
2443 | localAddress = plainSocket->localAddress(); |
2444 | cachedSocketDescriptor = plainSocket->socketDescriptor(); |
2445 | readChannelCount = writeChannelCount = 0; |
2446 | return ret; |
2447 | } |
2448 | |
2449 | /*! |
2450 | \internal |
2451 | */ |
2452 | void QSslSocketPrivate::_q_connectedSlot() |
2453 | { |
2454 | Q_Q(QSslSocket); |
2455 | q->setLocalPort(plainSocket->localPort()); |
2456 | q->setLocalAddress(plainSocket->localAddress()); |
2457 | q->setPeerPort(plainSocket->peerPort()); |
2458 | q->setPeerAddress(plainSocket->peerAddress()); |
2459 | q->setPeerName(plainSocket->peerName()); |
2460 | cachedSocketDescriptor = plainSocket->socketDescriptor(); |
2461 | readChannelCount = plainSocket->readChannelCount(); |
2462 | writeChannelCount = plainSocket->writeChannelCount(); |
2463 | |
2464 | #ifdef QSSLSOCKET_DEBUG |
2465 | qCDebug(lcSsl) << "QSslSocket::_q_connectedSlot()"; |
2466 | qCDebug(lcSsl) << "\tstate ="<< q->state(); |
2467 | qCDebug(lcSsl) << "\tpeer ="<< q->peerName() << q->peerAddress() << q->peerPort(); |
2468 | qCDebug(lcSsl) << "\tlocal ="<< QHostInfo::fromName(q->localAddress().toString()).hostName() |
2469 | << q->localAddress() << q->localPort(); |
2470 | #endif |
2471 | |
2472 | if (autoStartHandshake) |
2473 | q->startClientEncryption(); |
2474 | |
2475 | emit q->connected(); |
2476 | |
2477 | if (pendingClose && !autoStartHandshake) { |
2478 | pendingClose = false; |
2479 | q->disconnectFromHost(); |
2480 | } |
2481 | } |
2482 | |
2483 | /*! |
2484 | \internal |
2485 | */ |
2486 | void QSslSocketPrivate::_q_hostFoundSlot() |
2487 | { |
2488 | Q_Q(QSslSocket); |
2489 | #ifdef QSSLSOCKET_DEBUG |
2490 | qCDebug(lcSsl) << "QSslSocket::_q_hostFoundSlot()"; |
2491 | qCDebug(lcSsl) << "\tstate ="<< q->state(); |
2492 | #endif |
2493 | emit q->hostFound(); |
2494 | } |
2495 | |
2496 | /*! |
2497 | \internal |
2498 | */ |
2499 | void QSslSocketPrivate::_q_disconnectedSlot() |
2500 | { |
2501 | Q_Q(QSslSocket); |
2502 | #ifdef QSSLSOCKET_DEBUG |
2503 | qCDebug(lcSsl) << "QSslSocket::_q_disconnectedSlot()"; |
2504 | qCDebug(lcSsl) << "\tstate ="<< q->state(); |
2505 | #endif |
2506 | disconnected(); |
2507 | emit q->disconnected(); |
2508 | |
2509 | q->setLocalPort(0); |
2510 | q->setLocalAddress(QHostAddress()); |
2511 | q->setPeerPort(0); |
2512 | q->setPeerAddress(QHostAddress()); |
2513 | q->setPeerName(QString()); |
2514 | cachedSocketDescriptor = -1; |
2515 | } |
2516 | |
2517 | /*! |
2518 | \internal |
2519 | */ |
2520 | void QSslSocketPrivate::_q_stateChangedSlot(QAbstractSocket::SocketState state) |
2521 | { |
2522 | Q_Q(QSslSocket); |
2523 | #ifdef QSSLSOCKET_DEBUG |
2524 | qCDebug(lcSsl) << "QSslSocket::_q_stateChangedSlot("<< state << ')'; |
2525 | #endif |
2526 | q->setSocketState(state); |
2527 | emit q->stateChanged(state); |
2528 | } |
2529 | |
2530 | /*! |
2531 | \internal |
2532 | */ |
2533 | void QSslSocketPrivate::_q_errorSlot(QAbstractSocket::SocketError error) |
2534 | { |
2535 | Q_UNUSED(error); |
2536 | #ifdef QSSLSOCKET_DEBUG |
2537 | Q_Q(QSslSocket); |
2538 | qCDebug(lcSsl) << "QSslSocket::_q_errorSlot("<< error << ')'; |
2539 | qCDebug(lcSsl) << "\tstate ="<< q->state(); |
2540 | qCDebug(lcSsl) << "\terrorString ="<< q->errorString(); |
2541 | #endif |
2542 | // this moves encrypted bytes from plain socket into our buffer |
2543 | if (plainSocket->bytesAvailable() && mode != QSslSocket::UnencryptedMode) { |
2544 | qint64 tmpReadBufferMaxSize = readBufferMaxSize; |
2545 | readBufferMaxSize = 0; // reset temporarily so the plain sockets completely drained drained |
2546 | transmit(); |
2547 | readBufferMaxSize = tmpReadBufferMaxSize; |
2548 | } |
2549 | |
2550 | setErrorAndEmit(errorCode: plainSocket->error(), errorString: plainSocket->errorString()); |
2551 | } |
2552 | |
2553 | /*! |
2554 | \internal |
2555 | */ |
2556 | void QSslSocketPrivate::_q_readyReadSlot() |
2557 | { |
2558 | Q_Q(QSslSocket); |
2559 | #ifdef QSSLSOCKET_DEBUG |
2560 | qCDebug(lcSsl) << "QSslSocket::_q_readyReadSlot() -"<< plainSocket->bytesAvailable() << "bytes available"; |
2561 | #endif |
2562 | if (mode == QSslSocket::UnencryptedMode) { |
2563 | if (readyReadEmittedPointer) |
2564 | *readyReadEmittedPointer = true; |
2565 | emit q->readyRead(); |
2566 | return; |
2567 | } |
2568 | |
2569 | transmit(); |
2570 | } |
2571 | |
2572 | /*! |
2573 | \internal |
2574 | */ |
2575 | void QSslSocketPrivate::_q_channelReadyReadSlot(int channel) |
2576 | { |
2577 | Q_Q(QSslSocket); |
2578 | if (mode == QSslSocket::UnencryptedMode) |
2579 | emit q->channelReadyRead(channel); |
2580 | } |
2581 | |
2582 | /*! |
2583 | \internal |
2584 | */ |
2585 | void QSslSocketPrivate::_q_bytesWrittenSlot(qint64 written) |
2586 | { |
2587 | Q_Q(QSslSocket); |
2588 | #ifdef QSSLSOCKET_DEBUG |
2589 | qCDebug(lcSsl) << "QSslSocket::_q_bytesWrittenSlot("<< written << ')'; |
2590 | #endif |
2591 | |
2592 | if (mode == QSslSocket::UnencryptedMode) |
2593 | emit q->bytesWritten(bytes: written); |
2594 | else |
2595 | emit q->encryptedBytesWritten(totalBytes: written); |
2596 | if (state == QAbstractSocket::ClosingState && writeBuffer.isEmpty()) |
2597 | q->disconnectFromHost(); |
2598 | } |
2599 | |
2600 | /*! |
2601 | \internal |
2602 | */ |
2603 | void QSslSocketPrivate::_q_channelBytesWrittenSlot(int channel, qint64 written) |
2604 | { |
2605 | Q_Q(QSslSocket); |
2606 | if (mode == QSslSocket::UnencryptedMode) |
2607 | emit q->channelBytesWritten(channel, bytes: written); |
2608 | } |
2609 | |
2610 | /*! |
2611 | \internal |
2612 | */ |
2613 | void QSslSocketPrivate::_q_readChannelFinishedSlot() |
2614 | { |
2615 | Q_Q(QSslSocket); |
2616 | emit q->readChannelFinished(); |
2617 | } |
2618 | |
2619 | /*! |
2620 | \internal |
2621 | */ |
2622 | void QSslSocketPrivate::_q_flushWriteBuffer() |
2623 | { |
2624 | Q_Q(QSslSocket); |
2625 | |
2626 | // need to notice if knock-on effects of this flush (e.g. a readReady() via transmit()) |
2627 | // make another necessary, so clear flag before calling: |
2628 | flushTriggered = false; |
2629 | if (!writeBuffer.isEmpty()) |
2630 | q->flush(); |
2631 | } |
2632 | |
2633 | /*! |
2634 | \internal |
2635 | */ |
2636 | void QSslSocketPrivate::_q_flushReadBuffer() |
2637 | { |
2638 | // trigger a read from the plainSocket into SSL |
2639 | if (mode != QSslSocket::UnencryptedMode) |
2640 | transmit(); |
2641 | } |
2642 | |
2643 | /*! |
2644 | \internal |
2645 | */ |
2646 | void QSslSocketPrivate::_q_resumeImplementation() |
2647 | { |
2648 | if (plainSocket) |
2649 | plainSocket->resume(); |
2650 | paused = false; |
2651 | if (!connectionEncrypted) { |
2652 | if (verifyErrorsHaveBeenIgnored()) { |
2653 | continueHandshake(); |
2654 | } else { |
2655 | const auto sslErrors = backend->tlsErrors(); |
2656 | Q_ASSERT(!sslErrors.isEmpty()); |
2657 | setErrorAndEmit(errorCode: QAbstractSocket::SslHandshakeFailedError, errorString: sslErrors.constFirst().errorString()); |
2658 | plainSocket->disconnectFromHost(); |
2659 | return; |
2660 | } |
2661 | } |
2662 | transmit(); |
2663 | } |
2664 | |
2665 | /*! |
2666 | \internal |
2667 | */ |
2668 | bool QSslSocketPrivate::verifyErrorsHaveBeenIgnored() |
2669 | { |
2670 | Q_ASSERT(backend.get()); |
2671 | |
2672 | bool doEmitSslError; |
2673 | if (!ignoreErrorsList.empty()) { |
2674 | // check whether the errors we got are all in the list of expected errors |
2675 | // (applies only if the method QSslSocket::ignoreSslErrors(const QList<QSslError> &errors) |
2676 | // was called) |
2677 | const auto &sslErrors = backend->tlsErrors(); |
2678 | doEmitSslError = false; |
2679 | for (int a = 0; a < sslErrors.size(); a++) { |
2680 | if (!ignoreErrorsList.contains(t: sslErrors.at(i: a))) { |
2681 | doEmitSslError = true; |
2682 | break; |
2683 | } |
2684 | } |
2685 | } else { |
2686 | // if QSslSocket::ignoreSslErrors(const QList<QSslError> &errors) was not called and |
2687 | // we get an SSL error, emit a signal unless we ignored all errors (by calling |
2688 | // QSslSocket::ignoreSslErrors() ) |
2689 | doEmitSslError = !ignoreAllSslErrors; |
2690 | } |
2691 | return !doEmitSslError; |
2692 | } |
2693 | |
2694 | /*! |
2695 | \internal |
2696 | */ |
2697 | bool QSslSocketPrivate::isAutoStartingHandshake() const |
2698 | { |
2699 | return autoStartHandshake; |
2700 | } |
2701 | |
2702 | /*! |
2703 | \internal |
2704 | */ |
2705 | bool QSslSocketPrivate::isPendingClose() const |
2706 | { |
2707 | return pendingClose; |
2708 | } |
2709 | |
2710 | /*! |
2711 | \internal |
2712 | */ |
2713 | void QSslSocketPrivate::setPendingClose(bool pc) |
2714 | { |
2715 | pendingClose = pc; |
2716 | } |
2717 | |
2718 | /*! |
2719 | \internal |
2720 | */ |
2721 | qint64 QSslSocketPrivate::maxReadBufferSize() const |
2722 | { |
2723 | return readBufferMaxSize; |
2724 | } |
2725 | |
2726 | /*! |
2727 | \internal |
2728 | */ |
2729 | void QSslSocketPrivate::setMaxReadBufferSize(qint64 maxSize) |
2730 | { |
2731 | readBufferMaxSize = maxSize; |
2732 | } |
2733 | |
2734 | /*! |
2735 | \internal |
2736 | */ |
2737 | void QSslSocketPrivate::setEncrypted(bool enc) |
2738 | { |
2739 | connectionEncrypted = enc; |
2740 | } |
2741 | |
2742 | /*! |
2743 | \internal |
2744 | */ |
2745 | QIODevicePrivate::QRingBufferRef &QSslSocketPrivate::tlsWriteBuffer() |
2746 | { |
2747 | return writeBuffer; |
2748 | } |
2749 | |
2750 | /*! |
2751 | \internal |
2752 | */ |
2753 | QIODevicePrivate::QRingBufferRef &QSslSocketPrivate::tlsBuffer() |
2754 | { |
2755 | return buffer; |
2756 | } |
2757 | |
2758 | /*! |
2759 | \internal |
2760 | */ |
2761 | bool &QSslSocketPrivate::tlsEmittedBytesWritten() |
2762 | { |
2763 | return emittedBytesWritten; |
2764 | } |
2765 | |
2766 | /*! |
2767 | \internal |
2768 | */ |
2769 | bool *QSslSocketPrivate::readyReadPointer() |
2770 | { |
2771 | return readyReadEmittedPointer; |
2772 | } |
2773 | |
2774 | bool QSslSocketPrivate::hasUndecryptedData() const |
2775 | { |
2776 | return backend.get() && backend->hasUndecryptedData(); |
2777 | } |
2778 | |
2779 | /*! |
2780 | \internal |
2781 | */ |
2782 | qint64 QSslSocketPrivate::peek(char *data, qint64 maxSize) |
2783 | { |
2784 | if (mode == QSslSocket::UnencryptedMode && !autoStartHandshake) { |
2785 | //unencrypted mode - do not use QIODevice::peek, as it reads ahead data from the plain socket |
2786 | //peek at data already in the QIODevice buffer (from a previous read) |
2787 | qint64 r = buffer.peek(data, maxLength: maxSize, pos: transactionPos); |
2788 | if (r == maxSize) |
2789 | return r; |
2790 | data += r; |
2791 | //peek at data in the plain socket |
2792 | if (plainSocket) { |
2793 | qint64 r2 = plainSocket->peek(data, maxlen: maxSize - r); |
2794 | if (r2 < 0) |
2795 | return (r > 0 ? r : r2); |
2796 | return r + r2; |
2797 | } |
2798 | |
2799 | return -1; |
2800 | } else { |
2801 | //encrypted mode - the socket engine will read and decrypt data into the QIODevice buffer |
2802 | return QTcpSocketPrivate::peek(data, maxSize); |
2803 | } |
2804 | } |
2805 | |
2806 | /*! |
2807 | \internal |
2808 | */ |
2809 | QByteArray QSslSocketPrivate::peek(qint64 maxSize) |
2810 | { |
2811 | if (mode == QSslSocket::UnencryptedMode && !autoStartHandshake) { |
2812 | //unencrypted mode - do not use QIODevice::peek, as it reads ahead data from the plain socket |
2813 | //peek at data already in the QIODevice buffer (from a previous read) |
2814 | QByteArray ret; |
2815 | ret.reserve(asize: maxSize); |
2816 | ret.resize(size: buffer.peek(data: ret.data(), maxLength: maxSize, pos: transactionPos)); |
2817 | if (ret.size() == maxSize) |
2818 | return ret; |
2819 | //peek at data in the plain socket |
2820 | if (plainSocket) |
2821 | return ret + plainSocket->peek(maxlen: maxSize - ret.size()); |
2822 | |
2823 | return QByteArray(); |
2824 | } else { |
2825 | //encrypted mode - the socket engine will read and decrypt data into the QIODevice buffer |
2826 | return QTcpSocketPrivate::peek(maxSize); |
2827 | } |
2828 | } |
2829 | |
2830 | /*! |
2831 | \reimp |
2832 | */ |
2833 | qint64 QSslSocket::skipData(qint64 maxSize) |
2834 | { |
2835 | Q_D(QSslSocket); |
2836 | |
2837 | if (d->mode == QSslSocket::UnencryptedMode && !d->autoStartHandshake) |
2838 | return d->plainSocket->skip(maxSize); |
2839 | |
2840 | // In encrypted mode, the SSL backend writes decrypted data directly into the |
2841 | // QIODevice's read buffer. As this buffer is always emptied by the caller, |
2842 | // we need to wait for more incoming data. |
2843 | return (d->state == QAbstractSocket::ConnectedState) ? Q_INT64_C(0) : Q_INT64_C(-1); |
2844 | } |
2845 | |
2846 | /*! |
2847 | \internal |
2848 | */ |
2849 | bool QSslSocketPrivate::flush() |
2850 | { |
2851 | #ifdef QSSLSOCKET_DEBUG |
2852 | qCDebug(lcSsl) << "QSslSocketPrivate::flush()"; |
2853 | #endif |
2854 | if (mode != QSslSocket::UnencryptedMode) { |
2855 | // encrypt any unencrypted bytes in our buffer |
2856 | transmit(); |
2857 | } |
2858 | |
2859 | return plainSocket && plainSocket->flush(); |
2860 | } |
2861 | |
2862 | /*! |
2863 | \internal |
2864 | */ |
2865 | void QSslSocketPrivate::startClientEncryption() |
2866 | { |
2867 | if (backend.get()) |
2868 | backend->startClientEncryption(); |
2869 | } |
2870 | |
2871 | /*! |
2872 | \internal |
2873 | */ |
2874 | void QSslSocketPrivate::startServerEncryption() |
2875 | { |
2876 | if (backend.get()) |
2877 | backend->startServerEncryption(); |
2878 | } |
2879 | |
2880 | /*! |
2881 | \internal |
2882 | */ |
2883 | void QSslSocketPrivate::transmit() |
2884 | { |
2885 | if (backend.get()) |
2886 | backend->transmit(); |
2887 | } |
2888 | |
2889 | /*! |
2890 | \internal |
2891 | */ |
2892 | void QSslSocketPrivate::disconnectFromHost() |
2893 | { |
2894 | if (backend.get()) |
2895 | backend->disconnectFromHost(); |
2896 | } |
2897 | |
2898 | /*! |
2899 | \internal |
2900 | */ |
2901 | void QSslSocketPrivate::disconnected() |
2902 | { |
2903 | if (backend.get()) |
2904 | backend->disconnected(); |
2905 | } |
2906 | |
2907 | /*! |
2908 | \internal |
2909 | */ |
2910 | QSslCipher QSslSocketPrivate::sessionCipher() const |
2911 | { |
2912 | if (backend.get()) |
2913 | return backend->sessionCipher(); |
2914 | |
2915 | return {}; |
2916 | } |
2917 | |
2918 | /*! |
2919 | \internal |
2920 | */ |
2921 | QSsl::SslProtocol QSslSocketPrivate::sessionProtocol() const |
2922 | { |
2923 | if (backend.get()) |
2924 | return backend->sessionProtocol(); |
2925 | |
2926 | return QSsl::UnknownProtocol; |
2927 | } |
2928 | |
2929 | /*! |
2930 | \internal |
2931 | */ |
2932 | void QSslSocketPrivate::continueHandshake() |
2933 | { |
2934 | if (backend.get()) |
2935 | backend->continueHandshake(); |
2936 | } |
2937 | |
2938 | /*! |
2939 | \internal |
2940 | */ |
2941 | bool QSslSocketPrivate::rootCertOnDemandLoadingSupported() |
2942 | { |
2943 | return s_loadRootCertsOnDemand; |
2944 | } |
2945 | |
2946 | /*! |
2947 | \internal |
2948 | */ |
2949 | void QSslSocketPrivate::setRootCertOnDemandLoadingSupported(bool supported) |
2950 | { |
2951 | s_loadRootCertsOnDemand = supported; |
2952 | } |
2953 | |
2954 | /*! |
2955 | \internal |
2956 | */ |
2957 | QList<QByteArray> QSslSocketPrivate::unixRootCertDirectories() |
2958 | { |
2959 | const auto ba = [](const auto &cstr) constexpr { |
2960 | return QByteArray::fromRawData(data: std::begin(cstr), size: std::size(cstr) - 1); |
2961 | }; |
2962 | static const QByteArray dirs[] = { |
2963 | ba("/etc/ssl/certs/"), // (K)ubuntu, OpenSUSE, Mandriva ... |
2964 | ba("/usr/lib/ssl/certs/"), // Gentoo, Mandrake |
2965 | ba("/usr/share/ssl/"), // Centos, Redhat, SuSE |
2966 | ba("/usr/local/ssl/"), // Normal OpenSSL Tarball |
2967 | ba("/var/ssl/certs/"), // AIX |
2968 | ba("/usr/local/ssl/certs/"), // Solaris |
2969 | ba("/etc/openssl/certs/"), // BlackBerry |
2970 | ba("/opt/openssl/certs/"), // HP-UX |
2971 | ba("/etc/ssl/"), // OpenBSD |
2972 | }; |
2973 | QList<QByteArray> result = QList<QByteArray>::fromReadOnlyData(t: dirs); |
2974 | if constexpr (isVxworks) { |
2975 | static QByteArray vxworksCertsDir = qgetenv(varName: "VXWORKS_CERTS_DIR"); |
2976 | if (!vxworksCertsDir.isEmpty()) |
2977 | result.push_back(t: vxworksCertsDir); |
2978 | } |
2979 | return result; |
2980 | } |
2981 | |
2982 | /*! |
2983 | \internal |
2984 | */ |
2985 | void QSslSocketPrivate::checkSettingSslContext(QSslSocket* socket, std::shared_ptr<QSslContext> tlsContext) |
2986 | { |
2987 | if (!socket) |
2988 | return; |
2989 | |
2990 | if (auto *backend = socket->d_func()->backend.get()) |
2991 | backend->checkSettingSslContext(tlsContext); |
2992 | } |
2993 | |
2994 | /*! |
2995 | \internal |
2996 | */ |
2997 | std::shared_ptr<QSslContext> QSslSocketPrivate::sslContext(QSslSocket *socket) |
2998 | { |
2999 | if (!socket) |
3000 | return {}; |
3001 | |
3002 | if (const auto *backend = socket->d_func()->backend.get()) |
3003 | return backend->sslContext(); |
3004 | |
3005 | return {}; |
3006 | } |
3007 | |
3008 | bool QSslSocketPrivate::isMatchingHostname(const QSslCertificate &cert, const QString &peerName) |
3009 | { |
3010 | QHostAddress hostAddress(peerName); |
3011 | if (!hostAddress.isNull()) { |
3012 | const auto subjectAlternativeNames = cert.subjectAlternativeNames(); |
3013 | const auto ipAddresses = subjectAlternativeNames.equal_range(akey: QSsl::AlternativeNameEntryType::IpAddressEntry); |
3014 | |
3015 | for (auto it = ipAddresses.first; it != ipAddresses.second; it++) { |
3016 | if (QHostAddress(*it).isEqual(address: hostAddress, mode: QHostAddress::StrictConversion)) |
3017 | return true; |
3018 | } |
3019 | } |
3020 | |
3021 | const QString lowerPeerName = QString::fromLatin1(ba: QUrl::toAce(domain: peerName)); |
3022 | const QStringList commonNames = cert.subjectInfo(info: QSslCertificate::CommonName); |
3023 | |
3024 | for (const QString &commonName : commonNames) { |
3025 | if (isMatchingHostname(cn: commonName, hostname: lowerPeerName)) |
3026 | return true; |
3027 | } |
3028 | |
3029 | const auto subjectAlternativeNames = cert.subjectAlternativeNames(); |
3030 | const auto altNames = subjectAlternativeNames.equal_range(akey: QSsl::DnsEntry); |
3031 | for (auto it = altNames.first; it != altNames.second; ++it) { |
3032 | if (isMatchingHostname(cn: *it, hostname: lowerPeerName)) |
3033 | return true; |
3034 | } |
3035 | |
3036 | return false; |
3037 | } |
3038 | |
3039 | /*! \internal |
3040 | Checks if the certificate's name \a cn matches the \a hostname. |
3041 | \a hostname must be normalized in ASCII-Compatible Encoding, but \a cn is not normalized |
3042 | */ |
3043 | bool QSslSocketPrivate::isMatchingHostname(const QString &cn, const QString &hostname) |
3044 | { |
3045 | qsizetype wildcard = cn.indexOf(ch: u'*'); |
3046 | |
3047 | // Check this is a wildcard cert, if not then just compare the strings |
3048 | if (wildcard < 0) |
3049 | return QLatin1StringView(QUrl::toAce(domain: cn)) == hostname; |
3050 | |
3051 | qsizetype firstCnDot = cn.indexOf(ch: u'.'); |
3052 | qsizetype secondCnDot = cn.indexOf(ch: u'.', from: firstCnDot+1); |
3053 | |
3054 | // Check at least 3 components |
3055 | if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.size())) |
3056 | return false; |
3057 | |
3058 | // Check * is last character of 1st component (ie. there's a following .) |
3059 | if (wildcard+1 != firstCnDot) |
3060 | return false; |
3061 | |
3062 | // Check only one star |
3063 | if (cn.lastIndexOf(c: u'*') != wildcard) |
3064 | return false; |
3065 | |
3066 | // Reject wildcard character embedded within the A-labels or U-labels of an internationalized |
3067 | // domain name (RFC6125 section 7.2) |
3068 | if (cn.startsWith(s: "xn--"_L1, cs: Qt::CaseInsensitive)) |
3069 | return false; |
3070 | |
3071 | // Check characters preceding * (if any) match |
3072 | if (wildcard && QStringView{hostname}.left(n: wildcard).compare(other: QStringView{cn}.left(n: wildcard), cs: Qt::CaseInsensitive) != 0) |
3073 | return false; |
3074 | |
3075 | // Check characters following first . match |
3076 | qsizetype hnDot = hostname.indexOf(ch: u'.'); |
3077 | if (QStringView{hostname}.mid(pos: hnDot + 1) != QStringView{cn}.mid(pos: firstCnDot + 1) |
3078 | && QStringView{hostname}.mid(pos: hnDot + 1) != QLatin1StringView(QUrl::toAce(domain: cn.mid(position: firstCnDot + 1)))) { |
3079 | return false; |
3080 | } |
3081 | |
3082 | // Check if the hostname is an IP address, if so then wildcards are not allowed |
3083 | QHostAddress addr(hostname); |
3084 | if (!addr.isNull()) |
3085 | return false; |
3086 | |
3087 | // Ok, I guess this was a wildcard CN and the hostname matches. |
3088 | return true; |
3089 | } |
3090 | |
3091 | /*! |
3092 | \internal |
3093 | */ |
3094 | QTlsBackend *QSslSocketPrivate::tlsBackendInUse() |
3095 | { |
3096 | const QMutexLocker locker(&backendMutex); |
3097 | if (tlsBackend) |
3098 | return tlsBackend; |
3099 | |
3100 | if (!activeBackendName.size()) |
3101 | activeBackendName = QTlsBackend::defaultBackendName(); |
3102 | |
3103 | if (!activeBackendName.size()) { |
3104 | qCWarning(lcSsl, "No functional TLS backend was found"); |
3105 | return nullptr; |
3106 | } |
3107 | |
3108 | tlsBackend = QTlsBackend::findBackend(backendName: activeBackendName); |
3109 | if (tlsBackend) { |
3110 | QObject::connect(sender: tlsBackend, signal: &QObject::destroyed, context: tlsBackend, slot: [] { |
3111 | const QMutexLocker locker(&backendMutex); |
3112 | tlsBackend = nullptr; |
3113 | }, |
3114 | type: Qt::DirectConnection); |
3115 | } |
3116 | return tlsBackend; |
3117 | } |
3118 | |
3119 | /*! |
3120 | \internal |
3121 | */ |
3122 | QSslSocket::SslMode QSslSocketPrivate::tlsMode() const |
3123 | { |
3124 | return mode; |
3125 | } |
3126 | |
3127 | /*! |
3128 | \internal |
3129 | */ |
3130 | bool QSslSocketPrivate::isRootsOnDemandAllowed() const |
3131 | { |
3132 | return allowRootCertOnDemandLoading; |
3133 | } |
3134 | |
3135 | /*! |
3136 | \internal |
3137 | */ |
3138 | QString QSslSocketPrivate::verificationName() const |
3139 | { |
3140 | return verificationPeerName; |
3141 | } |
3142 | |
3143 | /*! |
3144 | \internal |
3145 | */ |
3146 | QString QSslSocketPrivate::tlsHostName() const |
3147 | { |
3148 | return hostName; |
3149 | } |
3150 | |
3151 | QTcpSocket *QSslSocketPrivate::plainTcpSocket() const |
3152 | { |
3153 | return plainSocket; |
3154 | } |
3155 | |
3156 | /*! |
3157 | \internal |
3158 | */ |
3159 | QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() |
3160 | { |
3161 | if (const auto *tlsBackend = tlsBackendInUse()) |
3162 | return tlsBackend->systemCaCertificates(); |
3163 | return {}; |
3164 | } |
3165 | |
3166 | QT_END_NAMESPACE |
3167 | |
3168 | #include "moc_qsslsocket.cpp" |
3169 |
Definitions
- isVxworks
- QSslSocketGlobalData
- QSslSocketGlobalData
- globalData
- QSslSocket
- ~QSslSocket
- resume
- connectToHostEncrypted
- connectToHostEncrypted
- setSocketDescriptor
- setSocketOption
- socketOption
- mode
- isEncrypted
- protocol
- setProtocol
- peerVerifyMode
- setPeerVerifyMode
- peerVerifyDepth
- setPeerVerifyDepth
- peerVerifyName
- setPeerVerifyName
- bytesAvailable
- bytesToWrite
- encryptedBytesAvailable
- encryptedBytesToWrite
- canReadLine
- close
- atEnd
- setReadBufferSize
- sslConfiguration
- setSslConfiguration
- setLocalCertificateChain
- localCertificateChain
- setLocalCertificate
- setLocalCertificate
- localCertificate
- peerCertificate
- peerCertificateChain
- sessionCipher
- sessionProtocol
- ocspResponses
- setPrivateKey
- setPrivateKey
- privateKey
- waitForConnected
- waitForEncrypted
- waitForReadyRead
- waitForBytesWritten
- waitForDisconnected
- sslHandshakeErrors
- supportsSsl
- sslLibraryVersionNumber
- sslLibraryVersionString
- sslLibraryBuildVersionNumber
- sslLibraryBuildVersionString
- availableBackends
- activeBackend
- setActiveBackend
- supportedProtocols
- isProtocolSupported
- implementedClasses
- isClassImplemented
- supportedFeatures
- isFeatureSupported
- startClientEncryption
- startServerEncryption
- ignoreSslErrors
- ignoreSslErrors
- continueInterruptedHandshake
- connectToHost
- disconnectFromHost
- readData
- writeData
- s_loadRootCertsOnDemand
- QSslSocketPrivate
- ~QSslSocketPrivate
- supportsSsl
- ensureInitialized
- init
- verifyProtocolSupported
- defaultCiphers
- supportedCiphers
- setDefaultCiphers
- setDefaultSupportedCiphers
- resetDefaultEllipticCurves
- setDefaultDtlsCiphers
- defaultDtlsCiphers
- supportedEllipticCurves
- setDefaultSupportedEllipticCurves
- defaultCaCertificates
- setDefaultCaCertificates
- addDefaultCaCertificate
- addDefaultCaCertificates
- defaultConfiguration
- setDefaultConfiguration
- deepCopyDefaultConfiguration
- defaultDtlsConfiguration
- setDefaultDtlsConfiguration
- createPlainSocket
- pauseSocketNotifiers
- resumeSocketNotifiers
- isPaused
- setPaused
- bind
- _q_connectedSlot
- _q_hostFoundSlot
- _q_disconnectedSlot
- _q_stateChangedSlot
- _q_errorSlot
- _q_readyReadSlot
- _q_channelReadyReadSlot
- _q_bytesWrittenSlot
- _q_channelBytesWrittenSlot
- _q_readChannelFinishedSlot
- _q_flushWriteBuffer
- _q_flushReadBuffer
- _q_resumeImplementation
- verifyErrorsHaveBeenIgnored
- isAutoStartingHandshake
- isPendingClose
- setPendingClose
- maxReadBufferSize
- setMaxReadBufferSize
- setEncrypted
- tlsWriteBuffer
- tlsBuffer
- tlsEmittedBytesWritten
- readyReadPointer
- hasUndecryptedData
- peek
- peek
- skipData
- flush
- startClientEncryption
- startServerEncryption
- transmit
- disconnectFromHost
- disconnected
- sessionCipher
- sessionProtocol
- continueHandshake
- rootCertOnDemandLoadingSupported
- setRootCertOnDemandLoadingSupported
- unixRootCertDirectories
- checkSettingSslContext
- sslContext
- isMatchingHostname
- isMatchingHostname
- tlsBackendInUse
- tlsMode
- isRootsOnDemandAllowed
- verificationName
- tlsHostName
- plainTcpSocket
Start learning QML with our Intro Training
Find out more