diff options
author | Shane Kearns <shane.kearns@accenture.com> | 2010-11-10 15:19:14 (GMT) |
---|---|---|
committer | Shane Kearns <shane.kearns@accenture.com> | 2010-11-11 12:34:43 (GMT) |
commit | 5feca34327eb661cc84e1d6f79052dcdbc1a09c4 (patch) | |
tree | 73cd32a8e93be0a463ba3e85a162e94af86633ee /src/network/ssl | |
parent | 6d12a816ae6e2ed2d318d783b573f7cf8f0fee0a (diff) | |
download | Qt-5feca34327eb661cc84e1d6f79052dcdbc1a09c4.zip Qt-5feca34327eb661cc84e1d6f79052dcdbc1a09c4.tar.gz Qt-5feca34327eb661cc84e1d6f79052dcdbc1a09c4.tar.bz2 |
SSL: Fix crashes/hangs when retrieving CA certificates
Added error handling to the certificate retrieval thread
Made the certificate retrieval thread process critical (so if it crashes
the process will crash instead of hang)
Filter the certificate list to only fetch CA certificates which are in
X.509 format (symbian also allows WAP formats, but Qt does not support
these).
Put the TPtr8 for asynch function parameter in the class data so it does
not go out of scope while the function is in progress. Previously it was
on the stack so it could be corrupted before the certificate server had
finished using it.
Task-number: QTBUG-15005
Task-number: QTBUG-15126
Reviewed-by: Markus Goetz
Diffstat (limited to 'src/network/ssl')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 75 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_openssl_p.h | 1 |
2 files changed, 60 insertions, 16 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 2910538..426b07a 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -51,6 +51,7 @@ #include <QtCore/qdebug.h> #include <QtCore/qdir.h> #include <QtCore/qdiriterator.h> +#include <QtCore/qelapsedtimer.h> #include <QtCore/qfile.h> #include <QtCore/qfileinfo.h> #include <QtCore/qmutex.h> @@ -574,7 +575,7 @@ void QSslSocketPrivate::resetDefaultCiphers() #if defined(Q_OS_SYMBIAN) CSymbianCertificateRetriever::CSymbianCertificateRetriever() : CActive(CActive::EPriorityStandard), - iSequenceError(KErrNone) + iCertificatePtr(0,0,0), iSequenceError(KErrNone) { } @@ -618,6 +619,11 @@ void CSymbianCertificateRetriever::doThreadEntryL() iCertStore = CUnifiedCertStore::NewLC(qt_s60GetRFs(), EFalse); iCertFilter = CCertAttributeFilter::NewLC(); + // only interested in CA certs + iCertFilter->SetOwnerType(ECACertificate); + // only interested in X.509 format (we don't support WAP formats) + iCertFilter->SetFormat(EX509Certificate); + // Kick off the sequence by initializing the cert store iState = Initializing; iCertStore->Initialize(iStatus); @@ -637,6 +643,7 @@ void CSymbianCertificateRetriever::doThreadEntryL() TInt CSymbianCertificateRetriever::ThreadEntryPoint(TAny* aParams) { + User::SetCritical(User::EProcessCritical); CTrapCleanup* cleanupStack = CTrapCleanup::New(); CSymbianCertificateRetriever* self = (CSymbianCertificateRetriever*) aParams; @@ -658,7 +665,17 @@ void CSymbianCertificateRetriever::ConstructL() void CSymbianCertificateRetriever::DoCancel() { - // We never cancel the sequence + switch(iState) { + case Initializing: + iCertStore->CancelInitialize(); + break; + case Listing: + iCertStore->CancelList(); + break; + case RetrievingCertificates: + iCertStore->CancelGetCert(); + break; + } } TInt CSymbianCertificateRetriever::RunError(TInt aError) @@ -671,37 +688,51 @@ TInt CSymbianCertificateRetriever::RunError(TInt aError) void CSymbianCertificateRetriever::GetCertificateL() { - CCTCertInfo* certInfo = iCertInfos[iCurrentCertIndex]; - iCertificateData.resize(certInfo->Size()); - TPtr8 des((TUint8*)iCertificateData.data(), 0, iCertificateData.size()); - iCertStore->Retrieve(*certInfo, des, iStatus); - iState = RetrievingCertificates; - SetActive(); + if (iCurrentCertIndex < iCertInfos.Count()) { + CCTCertInfo* certInfo = iCertInfos[iCurrentCertIndex++]; + iCertificateData = QByteArray(); + QT_TRYCATCH_LEAVING(iCertificateData.resize(certInfo->Size())); + iCertificatePtr.Set((TUint8*)iCertificateData.data(), 0, iCertificateData.size()); +#ifdef QSSLSOCKET_DEBUG + qDebug() << "getting " << qt_TDesC2QString(certInfo->Label()) << " size=" << certInfo->Size(); + qDebug() << "format=" << certInfo->CertificateFormat(); + qDebug() << "ownertype=" << certInfo->CertificateOwnerType(); + qDebug() << "type=" << hex << certInfo->Type().iUid; +#endif + iCertStore->Retrieve(*certInfo, iCertificatePtr, iStatus); + iState = RetrievingCertificates; + SetActive(); + } else { + //reached end of list + CActiveScheduler::Stop(); + } } void CSymbianCertificateRetriever::RunL() { +#ifdef QSSLSOCKET_DEBUG + qDebug() << "CSymbianCertificateRetriever::RunL status " << iStatus.Int() << " count " << iCertInfos.Count() << " index " << iCurrentCertIndex; +#endif switch (iState) { case Initializing: + User::LeaveIfError(iStatus.Int()); // initialise fail means pointless to continue iState = Listing; iCertStore->List(iCertInfos, *iCertFilter, iStatus); SetActive(); break; case Listing: + User::LeaveIfError(iStatus.Int()); // listing fail means pointless to continue iCurrentCertIndex = 0; GetCertificateL(); break; case RetrievingCertificates: - iCertificates->append(iCertificateData); - iCertificateData = QByteArray(); - iCurrentCertIndex++; - if (iCurrentCertIndex < iCertInfos.Count()) - GetCertificateL(); + if (iStatus.Int() == KErrNone) + iCertificates->append(iCertificateData); else - // Stop the scheduler to return to the thread entry function - CActiveScheduler::Stop(); + qWarning() << "CSymbianCertificateRetriever: failed to retreive a certificate, error " << iStatus.Int(); + GetCertificateL(); break; } } @@ -710,6 +741,10 @@ void CSymbianCertificateRetriever::RunL() QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() { ensureInitialized(); +#ifdef QSSLSOCKET_DEBUG + QElapsedTimer timer; + timer.start(); +#endif QList<QSslCertificate> systemCerts; #if defined(Q_OS_MAC) CFArrayRef cfCerts; @@ -808,10 +843,18 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() retriever->GetCertificates(certs); foreach (const QByteArray &encodedCert, certs) { QSslCertificate cert(encodedCert, QSsl::Der); - if (!cert.isNull()) + if (!cert.isNull()) { +#ifdef QSSLSOCKET_DEBUG + qDebug() << "imported certificate: " << cert.issuerInfo(QSslCertificate::CommonName); +#endif systemCerts.append(cert); + } } #endif +#ifdef QSSLSOCKET_DEBUG + qDebug() << "systemCaCertificates retrieval time " << timer.elapsed() << "ms"; + qDebug() << "imported " << systemCerts.count() << " certificates"; +#endif return systemCerts; } diff --git a/src/network/ssl/qsslsocket_openssl_p.h b/src/network/ssl/qsslsocket_openssl_p.h index dec98ae..b59a6c9 100644 --- a/src/network/ssl/qsslsocket_openssl_p.h +++ b/src/network/ssl/qsslsocket_openssl_p.h @@ -165,6 +165,7 @@ private: CCertAttributeFilter* iCertFilter; TInt iCurrentCertIndex; QByteArray iCertificateData; + TPtr8 iCertificatePtr; QList<QByteArray>* iCertificates; TInt iSequenceError; }; |