| 1 | // Copyright (C) 2021 The Qt Company Ltd. |
|---|
| 2 | // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only |
|---|
| 3 | // Qt-Security score:significant reason:default |
|---|
| 4 | |
|---|
| 5 | #ifndef QTLS_OPENSSL_P_H |
|---|
| 6 | #define QTLS_OPENSSL_P_H |
|---|
| 7 | |
|---|
| 8 | // |
|---|
| 9 | // W A R N I N G |
|---|
| 10 | // ------------- |
|---|
| 11 | // |
|---|
| 12 | // This file is not part of the Qt API. It exists purely as an |
|---|
| 13 | // implementation detail. This header file may change from version to |
|---|
| 14 | // version without notice, or even be removed. |
|---|
| 15 | // |
|---|
| 16 | // We mean it. |
|---|
| 17 | // |
|---|
| 18 | |
|---|
| 19 | #include <QtNetwork/private/qtnetworkglobal_p.h> |
|---|
| 20 | |
|---|
| 21 | #include "qtlsbackend_openssl_p.h" |
|---|
| 22 | #include "qsslcontext_openssl_p.h" |
|---|
| 23 | #include "qopenssl_p.h" |
|---|
| 24 | |
|---|
| 25 | #include <QtNetwork/qsslcertificate.h> |
|---|
| 26 | #include <QtNetwork/qocspresponse.h> |
|---|
| 27 | |
|---|
| 28 | #include <QtCore/qsharedpointer.h> |
|---|
| 29 | #include <QtCore/qbytearray.h> |
|---|
| 30 | #include <QtCore/qglobal.h> |
|---|
| 31 | #include <QtCore/qlist.h> |
|---|
| 32 | |
|---|
| 33 | QT_BEGIN_NAMESPACE |
|---|
| 34 | |
|---|
| 35 | namespace QTlsPrivate { |
|---|
| 36 | |
|---|
| 37 | class TlsCryptographOpenSSL : public TlsCryptograph |
|---|
| 38 | { |
|---|
| 39 | public: |
|---|
| 40 | enum ExDataOffset { |
|---|
| 41 | errorOffsetInExData = 1, |
|---|
| 42 | socketOffsetInExData = 2 |
|---|
| 43 | }; |
|---|
| 44 | |
|---|
| 45 | ~TlsCryptographOpenSSL(); |
|---|
| 46 | |
|---|
| 47 | void init(QSslSocket *qObj, QSslSocketPrivate *dObj) override; |
|---|
| 48 | void checkSettingSslContext(std::shared_ptr<QSslContext> tlsContext) override; |
|---|
| 49 | std::shared_ptr<QSslContext> sslContext() const override; |
|---|
| 50 | |
|---|
| 51 | QList<QSslError> tlsErrors() const override; |
|---|
| 52 | |
|---|
| 53 | void startClientEncryption() override; |
|---|
| 54 | void startServerEncryption() override; |
|---|
| 55 | bool startHandshake(); |
|---|
| 56 | void enableHandshakeContinuation() override; |
|---|
| 57 | void cancelCAFetch() override; |
|---|
| 58 | void continueHandshake() override; |
|---|
| 59 | void transmit() override; |
|---|
| 60 | void disconnectFromHost() override; |
|---|
| 61 | void disconnected() override; |
|---|
| 62 | QSslCipher sessionCipher() const override; |
|---|
| 63 | QSsl::SslProtocol sessionProtocol() const override; |
|---|
| 64 | QList<QOcspResponse> ocsps() const override; |
|---|
| 65 | |
|---|
| 66 | bool checkSslErrors(); |
|---|
| 67 | int handleNewSessionTicket(SSL *connection); |
|---|
| 68 | |
|---|
| 69 | void alertMessageSent(int encoded); |
|---|
| 70 | void alertMessageReceived(int encoded); |
|---|
| 71 | |
|---|
| 72 | int emitErrorFromCallback(X509_STORE_CTX *ctx); |
|---|
| 73 | void trySendFatalAlert(); |
|---|
| 74 | |
|---|
| 75 | #if QT_CONFIG(ocsp) |
|---|
| 76 | bool checkOcspStatus(); |
|---|
| 77 | #endif |
|---|
| 78 | |
|---|
| 79 | QSslSocket *q = nullptr; |
|---|
| 80 | QSslSocketPrivate *d = nullptr; |
|---|
| 81 | |
|---|
| 82 | void storePeerCertificates(); |
|---|
| 83 | |
|---|
| 84 | unsigned pskClientTlsCallback(const char *hint, char *identity, unsigned max_identity_len, |
|---|
| 85 | unsigned char *psk, unsigned max_psk_len); |
|---|
| 86 | unsigned pskServerTlsCallback(const char *identity, unsigned char *psk, |
|---|
| 87 | unsigned max_psk_len); |
|---|
| 88 | |
|---|
| 89 | bool isInSslRead() const; |
|---|
| 90 | void setRenegotiated(bool renegotiated); |
|---|
| 91 | |
|---|
| 92 | #ifdef Q_OS_WIN |
|---|
| 93 | void fetchCaRootForCert(const QSslCertificate &cert); |
|---|
| 94 | void caRootLoaded(QSslCertificate certificate, QSslCertificate trustedRoot); |
|---|
| 95 | #endif |
|---|
| 96 | |
|---|
| 97 | QByteArray ocspResponseDer; |
|---|
| 98 | private: |
|---|
| 99 | // TLSTODO: names were preserved, to make comparison |
|---|
| 100 | // easier (see qsslsocket_openssl.cpp, while it exists). |
|---|
| 101 | bool initSslContext(); |
|---|
| 102 | void destroySslContext(); |
|---|
| 103 | |
|---|
| 104 | std::shared_ptr<QSslContext> sslContextPointer; |
|---|
| 105 | SSL *ssl = nullptr; // TLSTODO: RAII. |
|---|
| 106 | |
|---|
| 107 | QList<QSslErrorEntry> errorList; |
|---|
| 108 | QList<QSslError> sslErrors; |
|---|
| 109 | |
|---|
| 110 | BIO *readBio = nullptr; |
|---|
| 111 | BIO *writeBio = nullptr; |
|---|
| 112 | |
|---|
| 113 | QList<QOcspResponse> ocspResponses; |
|---|
| 114 | |
|---|
| 115 | // This description will go to setErrorAndEmit(SslHandshakeError, ocspErrorDescription) |
|---|
| 116 | QString ocspErrorDescription; |
|---|
| 117 | // These will go to sslErrors() |
|---|
| 118 | QList<QSslError> ocspErrors; |
|---|
| 119 | |
|---|
| 120 | bool = false; |
|---|
| 121 | bool handshakeInterrupted = false; |
|---|
| 122 | |
|---|
| 123 | bool fetchAuthorityInformation = false; |
|---|
| 124 | std::optional<QSslCertificate> caToFetch; |
|---|
| 125 | |
|---|
| 126 | bool inSetAndEmitError = false; |
|---|
| 127 | bool pendingFatalAlert = false; |
|---|
| 128 | bool errorsReportedFromCallback = false; |
|---|
| 129 | |
|---|
| 130 | bool shutdown = false; |
|---|
| 131 | |
|---|
| 132 | bool inSslRead = false; |
|---|
| 133 | bool renegotiated = false; |
|---|
| 134 | }; |
|---|
| 135 | |
|---|
| 136 | } // namespace QTlsPrivate |
|---|
| 137 | |
|---|
| 138 | QT_END_NAMESPACE |
|---|
| 139 | |
|---|
| 140 | #endif // QTLS_OPENSSL_P_H |
|---|
| 141 | |
|---|
| 142 | |
|---|
