| 1 | // Copyright (C) 2021 The Qt Company Ltd. |
|---|---|
| 2 | // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only |
| 3 | |
| 4 | #include "qsslsocket_openssl_symbols_p.h" |
| 5 | #include "qtlsbackend_openssl_p.h" |
| 6 | #include "qtlskey_openssl_p.h" |
| 7 | #include "qx509_openssl_p.h" |
| 8 | #include "qtls_openssl_p.h" |
| 9 | |
| 10 | #if QT_CONFIG(dtls) |
| 11 | #include "qdtls_openssl_p.h" |
| 12 | #endif // QT_CONFIG(dtls) |
| 13 | |
| 14 | #include <QtNetwork/private/qsslcipher_p.h> |
| 15 | |
| 16 | #include <QtNetwork/qsslcipher.h> |
| 17 | #include <QtNetwork/qssl.h> |
| 18 | |
| 19 | #include <QtCore/qdir.h> |
| 20 | #include <QtCore/qdirlisting.h> |
| 21 | #include <QtCore/qlist.h> |
| 22 | #include <QtCore/qmutex.h> |
| 23 | #include <QtCore/qscopeguard.h> |
| 24 | #include <QtCore/qset.h> |
| 25 | |
| 26 | #include "qopenssl_p.h" |
| 27 | |
| 28 | #include <algorithm> |
| 29 | |
| 30 | QT_BEGIN_NAMESPACE |
| 31 | |
| 32 | using namespace Qt::StringLiterals; |
| 33 | |
| 34 | #if defined(Q_OS_WIN) || defined(Q_OS_MACOS) |
| 35 | constexpr auto DefaultWarningLevel = QtCriticalMsg; |
| 36 | #else |
| 37 | constexpr auto DefaultWarningLevel = QtDebugMsg; |
| 38 | #endif |
| 39 | |
| 40 | Q_LOGGING_CATEGORY(lcTlsBackend, "qt.tlsbackend.ossl", DefaultWarningLevel); |
| 41 | |
| 42 | static void q_loadCiphersForConnection(SSL *connection, QList<QSslCipher> &ciphers, |
| 43 | QList<QSslCipher> &defaultCiphers) |
| 44 | { |
| 45 | Q_ASSERT(connection); |
| 46 | |
| 47 | STACK_OF(SSL_CIPHER) *supportedCiphers = q_SSL_get_ciphers(a: connection); |
| 48 | for (int i = 0; i < q_sk_SSL_CIPHER_num(supportedCiphers); ++i) { |
| 49 | if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) { |
| 50 | const auto ciph = QTlsBackendOpenSSL::qt_OpenSSL_cipher_to_QSslCipher(cipher); |
| 51 | if (!ciph.isNull()) { |
| 52 | // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection |
| 53 | if (!ciph.name().toLower().startsWith(s: "adh"_L1) && |
| 54 | !ciph.name().toLower().startsWith(s: "exp-adh"_L1) && |
| 55 | !ciph.name().toLower().startsWith(s: "aecdh"_L1)) { |
| 56 | ciphers << ciph; |
| 57 | |
| 58 | if (ciph.usedBits() >= 128) |
| 59 | defaultCiphers << ciph; |
| 60 | } |
| 61 | } |
| 62 | } |
| 63 | } |
| 64 | } |
| 65 | |
| 66 | int QTlsBackendOpenSSL::s_indexForSSLExtraData = -1; |
| 67 | |
| 68 | QString QTlsBackendOpenSSL::getErrorsFromOpenSsl() |
| 69 | { |
| 70 | QString errorString; |
| 71 | char buf[256] = {}; // OpenSSL docs claim both 120 and 256; use the larger. |
| 72 | unsigned long errNum; |
| 73 | while ((errNum = q_ERR_get_error())) { |
| 74 | if (!errorString.isEmpty()) |
| 75 | errorString.append(s: ", "_L1); |
| 76 | q_ERR_error_string_n(e: errNum, buf, len: sizeof buf); |
| 77 | errorString.append(s: QLatin1StringView(buf)); // error is ascii according to man ERR_error_string |
| 78 | } |
| 79 | return errorString; |
| 80 | } |
| 81 | |
| 82 | void QTlsBackendOpenSSL::logAndClearErrorQueue() |
| 83 | { |
| 84 | const auto errors = getErrorsFromOpenSsl(); |
| 85 | if (errors.size()) |
| 86 | qCWarning(lcTlsBackend) << "Discarding errors:"<< errors; |
| 87 | } |
| 88 | |
| 89 | void QTlsBackendOpenSSL::clearErrorQueue() |
| 90 | { |
| 91 | while (q_ERR_get_error()) |
| 92 | ; |
| 93 | } |
| 94 | |
| 95 | bool QTlsBackendOpenSSL::ensureLibraryLoaded() |
| 96 | { |
| 97 | static bool libraryLoaded = []() { |
| 98 | if (!q_resolveOpenSslSymbols()) |
| 99 | return false; |
| 100 | |
| 101 | // Initialize OpenSSL. |
| 102 | if (q_OPENSSL_init_ssl(opts: 0, settings: nullptr) != 1) |
| 103 | return false; |
| 104 | |
| 105 | if (q_OpenSSL_version_num() < 0x10101000L) { |
| 106 | qCWarning(lcTlsBackend, "QSslSocket: OpenSSL >= 1.1.1 is required; %s was found instead", q_OpenSSL_version(OPENSSL_VERSION)); |
| 107 | return false; |
| 108 | } |
| 109 | |
| 110 | q_SSL_load_error_strings(); |
| 111 | q_OpenSSL_add_all_algorithms(); |
| 112 | |
| 113 | s_indexForSSLExtraData = q_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl: 0L, argp: nullptr, new_func: nullptr, |
| 114 | dup_func: nullptr, free_func: nullptr); |
| 115 | |
| 116 | // Initialize OpenSSL's random seed. |
| 117 | if (!q_RAND_status()) { |
| 118 | qWarning(msg: "Random number generator not seeded, disabling SSL support"); |
| 119 | return false; |
| 120 | } |
| 121 | |
| 122 | return true; |
| 123 | }(); |
| 124 | |
| 125 | return libraryLoaded; |
| 126 | } |
| 127 | |
| 128 | QString QTlsBackendOpenSSL::backendName() const |
| 129 | { |
| 130 | return builtinBackendNames[nameIndexOpenSSL]; |
| 131 | } |
| 132 | |
| 133 | bool QTlsBackendOpenSSL::isValid() const |
| 134 | { |
| 135 | return ensureLibraryLoaded(); |
| 136 | } |
| 137 | |
| 138 | long QTlsBackendOpenSSL::tlsLibraryVersionNumber() const |
| 139 | { |
| 140 | return q_OpenSSL_version_num(); |
| 141 | } |
| 142 | |
| 143 | QString QTlsBackendOpenSSL::tlsLibraryVersionString() const |
| 144 | { |
| 145 | const char *versionString = q_OpenSSL_version(OPENSSL_VERSION); |
| 146 | if (!versionString) |
| 147 | return QString(); |
| 148 | |
| 149 | return QString::fromLatin1(ba: versionString); |
| 150 | } |
| 151 | |
| 152 | long QTlsBackendOpenSSL::tlsLibraryBuildVersionNumber() const |
| 153 | { |
| 154 | return OPENSSL_VERSION_NUMBER; |
| 155 | } |
| 156 | |
| 157 | QString QTlsBackendOpenSSL::tlsLibraryBuildVersionString() const |
| 158 | { |
| 159 | // Using QStringLiteral to store the version string as unicode and |
| 160 | // avoid false positives from Google searching the playstore for old |
| 161 | // SSL versions. See QTBUG-46265 |
| 162 | return QStringLiteral(OPENSSL_VERSION_TEXT); |
| 163 | } |
| 164 | |
| 165 | void QTlsBackendOpenSSL::ensureInitialized() const |
| 166 | { |
| 167 | // Old qsslsocket_openssl calls supportsSsl() (which means |
| 168 | // library found and symbols resolved, this already assured |
| 169 | // by the fact we end up in this function (isValid() returned |
| 170 | // true for the backend, see its code). The qsslsocket_openssl |
| 171 | // proceedes with loading certificate, ciphers and elliptic |
| 172 | // curves. |
| 173 | ensureCiphersAndCertsLoaded(); |
| 174 | } |
| 175 | |
| 176 | void QTlsBackendOpenSSL::ensureCiphersAndCertsLoaded() const |
| 177 | { |
| 178 | Q_CONSTINIT static bool initializationStarted = false; |
| 179 | Q_CONSTINIT static QAtomicInt initialized = Q_BASIC_ATOMIC_INITIALIZER(0); |
| 180 | Q_CONSTINIT static QRecursiveMutex initMutex; |
| 181 | |
| 182 | if (initialized.loadAcquire()) |
| 183 | return; |
| 184 | |
| 185 | const QMutexLocker locker(&initMutex); |
| 186 | |
| 187 | if (initializationStarted || initialized.loadAcquire()) |
| 188 | return; |
| 189 | |
| 190 | // Indicate that the initialization has already started in the current |
| 191 | // thread in case of recursive calls. The atomic variable cannot be used |
| 192 | // for this because it is checked without holding the init mutex. |
| 193 | initializationStarted = true; |
| 194 | |
| 195 | auto guard = qScopeGuard(f: [] { initialized.storeRelease(newValue: 1); }); |
| 196 | |
| 197 | resetDefaultCiphers(); |
| 198 | resetDefaultEllipticCurves(); |
| 199 | |
| 200 | #if QT_CONFIG(library) |
| 201 | //load symbols needed to receive certificates from system store |
| 202 | #if defined(Q_OS_QNX) |
| 203 | QSslSocketPrivate::setRootCertOnDemandLoadingSupported(true); |
| 204 | #elif defined(Q_OS_UNIX) && !defined(Q_OS_DARWIN) |
| 205 | // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) |
| 206 | const QList<QByteArray> dirs = QSslSocketPrivate::unixRootCertDirectories(); |
| 207 | const QStringList symLinkFilter{ |
| 208 | u"[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"_s}; |
| 209 | for (const auto &dir : dirs) { |
| 210 | QDirListing dirList(QString::fromLatin1(ba: dir), symLinkFilter, |
| 211 | QDirListing::IteratorFlag::FilesOnly); |
| 212 | if (dirList.cbegin() != dirList.cend()) { // Not empty |
| 213 | QSslSocketPrivate::setRootCertOnDemandLoadingSupported(true); |
| 214 | break; |
| 215 | } |
| 216 | } |
| 217 | #endif |
| 218 | #endif // QT_CONFIG(library) |
| 219 | // if on-demand loading was not enabled, load the certs now |
| 220 | if (!QSslSocketPrivate::rootCertOnDemandLoadingSupported()) |
| 221 | setDefaultCaCertificates(systemCaCertificates()); |
| 222 | #ifdef Q_OS_WIN |
| 223 | //Enabled for fetching additional root certs from windows update on windows. |
| 224 | //This flag is set false by setDefaultCaCertificates() indicating the app uses |
| 225 | //its own cert bundle rather than the system one. |
| 226 | //Same logic that disables the unix on demand cert loading. |
| 227 | //Unlike unix, we do preload the certificates from the cert store. |
| 228 | QSslSocketPrivate::setRootCertOnDemandLoadingSupported(true); |
| 229 | #endif |
| 230 | } |
| 231 | |
| 232 | void QTlsBackendOpenSSL::resetDefaultCiphers() |
| 233 | { |
| 234 | SSL_CTX *myCtx = q_SSL_CTX_new(a: q_TLS_client_method()); |
| 235 | // Note, we assert, not just silently return/bail out early: |
| 236 | // this should never happen and problems with OpenSSL's initialization |
| 237 | // must be caught before this (see supportsSsl()). |
| 238 | Q_ASSERT(myCtx); |
| 239 | SSL *mySsl = q_SSL_new(a: myCtx); |
| 240 | Q_ASSERT(mySsl); |
| 241 | |
| 242 | QList<QSslCipher> ciphers; |
| 243 | QList<QSslCipher> defaultCiphers; |
| 244 | |
| 245 | q_loadCiphersForConnection(connection: mySsl, ciphers, defaultCiphers); |
| 246 | |
| 247 | q_SSL_CTX_free(a: myCtx); |
| 248 | q_SSL_free(a: mySsl); |
| 249 | |
| 250 | setDefaultSupportedCiphers(ciphers); |
| 251 | setDefaultCiphers(defaultCiphers); |
| 252 | |
| 253 | #if QT_CONFIG(dtls) |
| 254 | ciphers.clear(); |
| 255 | defaultCiphers.clear(); |
| 256 | myCtx = q_SSL_CTX_new(a: q_DTLS_client_method()); |
| 257 | if (myCtx) { |
| 258 | mySsl = q_SSL_new(a: myCtx); |
| 259 | if (mySsl) { |
| 260 | q_loadCiphersForConnection(connection: mySsl, ciphers, defaultCiphers); |
| 261 | setDefaultDtlsCiphers(defaultCiphers); |
| 262 | q_SSL_free(a: mySsl); |
| 263 | } |
| 264 | q_SSL_CTX_free(a: myCtx); |
| 265 | } |
| 266 | #endif // dtls |
| 267 | } |
| 268 | |
| 269 | QList<QSsl::SslProtocol> QTlsBackendOpenSSL::supportedProtocols() const |
| 270 | { |
| 271 | QList<QSsl::SslProtocol> protocols; |
| 272 | |
| 273 | protocols << QSsl::AnyProtocol; |
| 274 | protocols << QSsl::SecureProtocols; |
| 275 | QT_WARNING_PUSH |
| 276 | QT_WARNING_DISABLE_DEPRECATED |
| 277 | protocols << QSsl::TlsV1_0; |
| 278 | protocols << QSsl::TlsV1_0OrLater; |
| 279 | protocols << QSsl::TlsV1_1; |
| 280 | protocols << QSsl::TlsV1_1OrLater; |
| 281 | QT_WARNING_POP |
| 282 | protocols << QSsl::TlsV1_2; |
| 283 | protocols << QSsl::TlsV1_2OrLater; |
| 284 | |
| 285 | #ifdef TLS1_3_VERSION |
| 286 | protocols << QSsl::TlsV1_3; |
| 287 | protocols << QSsl::TlsV1_3OrLater; |
| 288 | #endif // TLS1_3_VERSION |
| 289 | |
| 290 | #if QT_CONFIG(dtls) |
| 291 | QT_WARNING_PUSH |
| 292 | QT_WARNING_DISABLE_DEPRECATED |
| 293 | protocols << QSsl::DtlsV1_0; |
| 294 | protocols << QSsl::DtlsV1_0OrLater; |
| 295 | QT_WARNING_POP |
| 296 | protocols << QSsl::DtlsV1_2; |
| 297 | protocols << QSsl::DtlsV1_2OrLater; |
| 298 | #endif // dtls |
| 299 | |
| 300 | return protocols; |
| 301 | } |
| 302 | |
| 303 | QList<QSsl::SupportedFeature> QTlsBackendOpenSSL::supportedFeatures() const |
| 304 | { |
| 305 | QList<QSsl::SupportedFeature> features; |
| 306 | |
| 307 | features << QSsl::SupportedFeature::CertificateVerification; |
| 308 | |
| 309 | #if !defined(OPENSSL_NO_TLSEXT) |
| 310 | features << QSsl::SupportedFeature::ClientSideAlpn; |
| 311 | features << QSsl::SupportedFeature::ServerSideAlpn; |
| 312 | #endif // !OPENSSL_NO_TLSEXT |
| 313 | |
| 314 | features << QSsl::SupportedFeature::Ocsp; |
| 315 | features << QSsl::SupportedFeature::Psk; |
| 316 | features << QSsl::SupportedFeature::SessionTicket; |
| 317 | features << QSsl::SupportedFeature::Alerts; |
| 318 | |
| 319 | return features; |
| 320 | } |
| 321 | |
| 322 | QList<QSsl::ImplementedClass> QTlsBackendOpenSSL::implementedClasses() const |
| 323 | { |
| 324 | QList<QSsl::ImplementedClass> classes; |
| 325 | |
| 326 | classes << QSsl::ImplementedClass::Key; |
| 327 | classes << QSsl::ImplementedClass::Certificate; |
| 328 | classes << QSsl::ImplementedClass::Socket; |
| 329 | #if QT_CONFIG(dtls) |
| 330 | classes << QSsl::ImplementedClass::Dtls; |
| 331 | classes << QSsl::ImplementedClass::DtlsCookie; |
| 332 | #endif |
| 333 | classes << QSsl::ImplementedClass::EllipticCurve; |
| 334 | classes << QSsl::ImplementedClass::DiffieHellman; |
| 335 | |
| 336 | return classes; |
| 337 | } |
| 338 | |
| 339 | QTlsPrivate::TlsKey *QTlsBackendOpenSSL::createKey() const |
| 340 | { |
| 341 | return new QTlsPrivate::TlsKeyOpenSSL; |
| 342 | } |
| 343 | |
| 344 | QTlsPrivate::X509Certificate *QTlsBackendOpenSSL::createCertificate() const |
| 345 | { |
| 346 | return new QTlsPrivate::X509CertificateOpenSSL; |
| 347 | } |
| 348 | |
| 349 | namespace QTlsPrivate { |
| 350 | |
| 351 | #ifdef Q_OS_ANDROID |
| 352 | QList<QByteArray> fetchSslCertificateData(); |
| 353 | #endif |
| 354 | |
| 355 | QList<QSslCertificate> systemCaCertificates(); |
| 356 | |
| 357 | #ifndef Q_OS_DARWIN |
| 358 | QList<QSslCertificate> systemCaCertificates() |
| 359 | { |
| 360 | #ifdef QSSLSOCKET_DEBUG |
| 361 | QElapsedTimer timer; |
| 362 | timer.start(); |
| 363 | #endif |
| 364 | QList<QSslCertificate> systemCerts; |
| 365 | #if defined(Q_OS_WIN) |
| 366 | HCERTSTORE hSystemStore; |
| 367 | hSystemStore = |
| 368 | CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, |
| 369 | CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER, L"ROOT"); |
| 370 | if (hSystemStore) { |
| 371 | PCCERT_CONTEXT pc = nullptr; |
| 372 | while (1) { |
| 373 | pc = CertFindCertificateInStore(hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, pc); |
| 374 | if (!pc) |
| 375 | break; |
| 376 | QByteArray der(reinterpret_cast<const char *>(pc->pbCertEncoded), |
| 377 | static_cast<int>(pc->cbCertEncoded)); |
| 378 | QSslCertificate cert(der, QSsl::Der); |
| 379 | systemCerts.append(cert); |
| 380 | } |
| 381 | CertCloseStore(hSystemStore, 0); |
| 382 | } |
| 383 | #elif defined(Q_OS_ANDROID) |
| 384 | const QList<QByteArray> certData = fetchSslCertificateData(); |
| 385 | for (auto certDatum : certData) |
| 386 | systemCerts.append(QSslCertificate::fromData(certDatum, QSsl::Der)); |
| 387 | #elif defined(Q_OS_UNIX) |
| 388 | { |
| 389 | const QList<QByteArray> directories = QSslSocketPrivate::unixRootCertDirectories(); |
| 390 | QSet<QString> certFiles = { |
| 391 | QStringLiteral("/etc/pki/tls/certs/ca-bundle.crt"), // Fedora, Mandriva |
| 392 | QStringLiteral("/usr/local/share/certs/ca-root-nss.crt") // FreeBSD's ca_root_nss |
| 393 | }; |
| 394 | static const QStringList nameFilters = {u"*.pem"_s, u "*.crt"_s}; |
| 395 | for (const auto &directory : directories) { |
| 396 | for (const auto &dirEntry : QDirListing(directory, nameFilters)) { |
| 397 | // use canonical path here to not load the same certificate twice if symlinked |
| 398 | certFiles.insert(value: dirEntry.canonicalFilePath()); |
| 399 | } |
| 400 | } |
| 401 | for (const QString& file : std::as_const(t&: certFiles)) |
| 402 | systemCerts.append(other: QSslCertificate::fromPath(path: file, format: QSsl::Pem)); |
| 403 | } |
| 404 | #endif // platform |
| 405 | #ifdef QSSLSOCKET_DEBUG |
| 406 | qCDebug(lcTlsBackend) << "systemCaCertificates retrieval time "<< timer.elapsed() << "ms"; |
| 407 | qCDebug(lcTlsBackend) << "imported "<< systemCerts.count() << " certificates"; |
| 408 | #endif |
| 409 | |
| 410 | return systemCerts; |
| 411 | } |
| 412 | #endif // !Q_OS_DARWIN |
| 413 | } // namespace QTlsPrivate |
| 414 | |
| 415 | QList<QSslCertificate> QTlsBackendOpenSSL::systemCaCertificates() const |
| 416 | { |
| 417 | return QTlsPrivate::systemCaCertificates(); |
| 418 | } |
| 419 | |
| 420 | QTlsPrivate::DtlsCookieVerifier *QTlsBackendOpenSSL::createDtlsCookieVerifier() const |
| 421 | { |
| 422 | #if QT_CONFIG(dtls) |
| 423 | return new QDtlsClientVerifierOpenSSL; |
| 424 | #else |
| 425 | qCWarning(lcTlsBackend, "Feature 'dtls' is disabled, cannot verify DTLS cookies"); |
| 426 | return nullptr; |
| 427 | #endif // QT_CONFIG(dtls) |
| 428 | } |
| 429 | |
| 430 | QTlsPrivate::TlsCryptograph *QTlsBackendOpenSSL::createTlsCryptograph() const |
| 431 | { |
| 432 | return new QTlsPrivate::TlsCryptographOpenSSL; |
| 433 | } |
| 434 | |
| 435 | QTlsPrivate::DtlsCryptograph *QTlsBackendOpenSSL::createDtlsCryptograph(QDtls *q, int mode) const |
| 436 | { |
| 437 | #if QT_CONFIG(dtls) |
| 438 | return new QDtlsPrivateOpenSSL(q, QSslSocket::SslMode(mode)); |
| 439 | #else |
| 440 | Q_UNUSED(q); |
| 441 | Q_UNUSED(mode); |
| 442 | qCWarning(lcTlsBackend, "Feature 'dtls' is disabled, cannot encrypt UDP datagrams"); |
| 443 | return nullptr; |
| 444 | #endif // QT_CONFIG(dtls) |
| 445 | } |
| 446 | |
| 447 | QTlsPrivate::X509ChainVerifyPtr QTlsBackendOpenSSL::X509Verifier() const |
| 448 | { |
| 449 | return QTlsPrivate::X509CertificateOpenSSL::verify; |
| 450 | } |
| 451 | |
| 452 | QTlsPrivate::X509PemReaderPtr QTlsBackendOpenSSL::X509PemReader() const |
| 453 | { |
| 454 | return QTlsPrivate::X509CertificateOpenSSL::certificatesFromPem; |
| 455 | } |
| 456 | |
| 457 | QTlsPrivate::X509DerReaderPtr QTlsBackendOpenSSL::X509DerReader() const |
| 458 | { |
| 459 | return QTlsPrivate::X509CertificateOpenSSL::certificatesFromDer; |
| 460 | } |
| 461 | |
| 462 | QTlsPrivate::X509Pkcs12ReaderPtr QTlsBackendOpenSSL::X509Pkcs12Reader() const |
| 463 | { |
| 464 | return QTlsPrivate::X509CertificateOpenSSL::importPkcs12; |
| 465 | } |
| 466 | |
| 467 | QList<int> QTlsBackendOpenSSL::ellipticCurvesIds() const |
| 468 | { |
| 469 | QList<int> ids; |
| 470 | |
| 471 | #ifndef OPENSSL_NO_EC |
| 472 | const size_t curveCount = q_EC_get_builtin_curves(r: nullptr, nitems: 0); |
| 473 | QVarLengthArray<EC_builtin_curve> builtinCurves(static_cast<int>(curveCount)); |
| 474 | |
| 475 | if (q_EC_get_builtin_curves(r: builtinCurves.data(), nitems: curveCount) == curveCount) { |
| 476 | ids.reserve(asize: curveCount); |
| 477 | for (const auto &ec : builtinCurves) |
| 478 | ids.push_back(t: ec.nid); |
| 479 | } |
| 480 | #endif // OPENSSL_NO_EC |
| 481 | |
| 482 | return ids; |
| 483 | } |
| 484 | |
| 485 | int QTlsBackendOpenSSL::curveIdFromShortName(const QString &name) const |
| 486 | { |
| 487 | int nid = 0; |
| 488 | if (name.isEmpty()) |
| 489 | return nid; |
| 490 | |
| 491 | ensureInitialized(); // TLSTODO: check if it's needed! |
| 492 | #ifndef OPENSSL_NO_EC |
| 493 | const QByteArray curveNameLatin1 = name.toLatin1(); |
| 494 | nid = q_OBJ_sn2nid(s: curveNameLatin1.data()); |
| 495 | |
| 496 | if (nid == 0) |
| 497 | nid = q_EC_curve_nist2nid(name: curveNameLatin1.data()); |
| 498 | #endif // !OPENSSL_NO_EC |
| 499 | |
| 500 | return nid; |
| 501 | } |
| 502 | |
| 503 | int QTlsBackendOpenSSL::curveIdFromLongName(const QString &name) const |
| 504 | { |
| 505 | int nid = 0; |
| 506 | if (name.isEmpty()) |
| 507 | return nid; |
| 508 | |
| 509 | ensureInitialized(); |
| 510 | |
| 511 | #ifndef OPENSSL_NO_EC |
| 512 | const QByteArray curveNameLatin1 = name.toLatin1(); |
| 513 | nid = q_OBJ_ln2nid(s: curveNameLatin1.data()); |
| 514 | #endif |
| 515 | |
| 516 | return nid; |
| 517 | } |
| 518 | |
| 519 | QString QTlsBackendOpenSSL::shortNameForId(int id) const |
| 520 | { |
| 521 | QString result; |
| 522 | |
| 523 | #ifndef OPENSSL_NO_EC |
| 524 | if (id != 0) |
| 525 | result = QString::fromLatin1(ba: q_OBJ_nid2sn(a: id)); |
| 526 | #endif |
| 527 | |
| 528 | return result; |
| 529 | } |
| 530 | |
| 531 | QString QTlsBackendOpenSSL::longNameForId(int id) const |
| 532 | { |
| 533 | QString result; |
| 534 | |
| 535 | #ifndef OPENSSL_NO_EC |
| 536 | if (id != 0) |
| 537 | result = QString::fromLatin1(ba: q_OBJ_nid2ln(a: id)); |
| 538 | #endif |
| 539 | |
| 540 | return result; |
| 541 | } |
| 542 | |
| 543 | // NIDs of named curves allowed in TLS as per RFCs 4492 and 7027, |
| 544 | // see also https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 |
| 545 | static const int tlsNamedCurveNIDs[] = { |
| 546 | // RFC 4492 |
| 547 | NID_sect163k1, |
| 548 | NID_sect163r1, |
| 549 | NID_sect163r2, |
| 550 | NID_sect193r1, |
| 551 | NID_sect193r2, |
| 552 | NID_sect233k1, |
| 553 | NID_sect233r1, |
| 554 | NID_sect239k1, |
| 555 | NID_sect283k1, |
| 556 | NID_sect283r1, |
| 557 | NID_sect409k1, |
| 558 | NID_sect409r1, |
| 559 | NID_sect571k1, |
| 560 | NID_sect571r1, |
| 561 | |
| 562 | NID_secp160k1, |
| 563 | NID_secp160r1, |
| 564 | NID_secp160r2, |
| 565 | NID_secp192k1, |
| 566 | NID_X9_62_prime192v1, // secp192r1 |
| 567 | NID_secp224k1, |
| 568 | NID_secp224r1, |
| 569 | NID_secp256k1, |
| 570 | NID_X9_62_prime256v1, // secp256r1 |
| 571 | NID_secp384r1, |
| 572 | NID_secp521r1, |
| 573 | |
| 574 | // RFC 7027 |
| 575 | NID_brainpoolP256r1, |
| 576 | NID_brainpoolP384r1, |
| 577 | NID_brainpoolP512r1 |
| 578 | }; |
| 579 | |
| 580 | const size_t tlsNamedCurveNIDCount = sizeof(tlsNamedCurveNIDs) / sizeof(tlsNamedCurveNIDs[0]); |
| 581 | |
| 582 | bool QTlsBackendOpenSSL::isTlsNamedCurve(int id) const |
| 583 | { |
| 584 | const int *const tlsNamedCurveNIDsEnd = tlsNamedCurveNIDs + tlsNamedCurveNIDCount; |
| 585 | return std::find(first: tlsNamedCurveNIDs, last: tlsNamedCurveNIDsEnd, val: id) != tlsNamedCurveNIDsEnd; |
| 586 | } |
| 587 | |
| 588 | QString QTlsBackendOpenSSL::msgErrorsDuringHandshake() |
| 589 | { |
| 590 | return QSslSocket::tr(s: "Error during SSL handshake: %1").arg(a: getErrorsFromOpenSsl()); |
| 591 | } |
| 592 | |
| 593 | QSslCipher QTlsBackendOpenSSL::qt_OpenSSL_cipher_to_QSslCipher(const SSL_CIPHER *cipher) |
| 594 | { |
| 595 | Q_ASSERT(cipher); |
| 596 | char buf [256] = {}; |
| 597 | const QString desc = QString::fromLatin1(ba: q_SSL_CIPHER_description(a: cipher, b: buf, c: sizeof(buf))); |
| 598 | int supportedBits = 0; |
| 599 | const int bits = q_SSL_CIPHER_get_bits(a: cipher, b: &supportedBits); |
| 600 | return createCiphersuite(description: desc, bits, supportedBits); |
| 601 | } |
| 602 | |
| 603 | void QTlsBackendOpenSSL::forceAutotestSecurityLevel() |
| 604 | { |
| 605 | QSslContext::forceAutoTestSecurityLevel(); |
| 606 | } |
| 607 | |
| 608 | QT_END_NAMESPACE |
| 609 | |
| 610 | #include "moc_qtlsbackend_openssl_p.cpp" |
| 611 |
Definitions
- DefaultWarningLevel
- lcTlsBackend
- q_loadCiphersForConnection
- s_indexForSSLExtraData
- getErrorsFromOpenSsl
- logAndClearErrorQueue
- clearErrorQueue
- ensureLibraryLoaded
- backendName
- isValid
- tlsLibraryVersionNumber
- tlsLibraryVersionString
- tlsLibraryBuildVersionNumber
- tlsLibraryBuildVersionString
- ensureInitialized
- ensureCiphersAndCertsLoaded
- resetDefaultCiphers
- supportedProtocols
- supportedFeatures
- implementedClasses
- createKey
- createCertificate
- systemCaCertificates
- systemCaCertificates
- createDtlsCookieVerifier
- createTlsCryptograph
- createDtlsCryptograph
- X509Verifier
- X509PemReader
- X509DerReader
- X509Pkcs12Reader
- ellipticCurvesIds
- curveIdFromShortName
- curveIdFromLongName
- shortNameForId
- longNameForId
- tlsNamedCurveNIDs
- tlsNamedCurveNIDCount
- isTlsNamedCurve
- msgErrorsDuringHandshake
- qt_OpenSSL_cipher_to_QSslCipher
Learn Advanced QML with KDAB
Find out more