diff options
Diffstat (limited to 'src/network/ssl')
| -rw-r--r-- | src/network/ssl/qsslcertificate.cpp | 39 | ||||
| -rw-r--r-- | src/network/ssl/qsslcipher.cpp | 2 | ||||
| -rw-r--r-- | src/network/ssl/qsslkey.cpp | 2 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket.cpp | 50 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket.h | 1 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 16 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket_openssl_p.h | 2 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket_p.h | 4 |
8 files changed, 79 insertions, 37 deletions
diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp index 7a4b764..9d8cfb0 100644 --- a/src/network/ssl/qsslcertificate.cpp +++ b/src/network/ssl/qsslcertificate.cpp @@ -71,9 +71,10 @@ After loading a certificate, you can find information about the certificate, its subject, and its issuer, by calling one of the many accessor functions, including version(), serialNumber(), - issuerInfo() and subjectInfo(). You can call notValidBefore() and - notValidAfter() to check when the certificate was issued, and when - it expires. The publicKey() function returns the certificate + issuerInfo() and subjectInfo(). You can call effectiveDate() and + expiryDate() to check when the certificate starts being + effective and when it expires. + The publicKey() function returns the certificate subject's public key as a QSslKey. You can call issuerInfo() or subjectInfo() to get detailed information about the certificate issuer and its subject. @@ -125,6 +126,9 @@ QT_BEGIN_NAMESPACE +// forward declaration +static QMap<QString, QString> _q_mapFromOnelineName(char *name); + /*! Constructs a QSslCertificate by reading \a format encoded data from \a device and using the first certificate found. You can @@ -300,6 +304,10 @@ static QString _q_SubjectInfoToString(QSslCertificate::SubjectInfo info) */ QString QSslCertificate::issuerInfo(SubjectInfo info) const { + if (d->issuerInfo.isEmpty() && d->x509) + d->issuerInfo = + _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_issuer_name(d->x509), 0, 0)); + return d->issuerInfo.value(_q_SubjectInfoToString(info)); } @@ -327,6 +335,10 @@ QString QSslCertificate::issuerInfo(const QByteArray &tag) const */ QString QSslCertificate::subjectInfo(SubjectInfo info) const { + if (d->subjectInfo.isEmpty() && d->x509) + d->subjectInfo = + _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_subject_name(d->x509), 0, 0)); + return d->subjectInfo.value(_q_SubjectInfoToString(info)); } @@ -662,11 +674,6 @@ QSslCertificate QSslCertificatePrivate::QSslCertificate_from_X509(X509 *x509) if (!x509 || !QSslSocket::supportsSsl()) return certificate; - certificate.d->issuerInfo = - _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_issuer_name(x509), 0, 0)); - certificate.d->subjectInfo = - _q_mapFromOnelineName(q_X509_NAME_oneline(q_X509_get_subject_name(x509), 0, 0)); - ASN1_TIME *nbef = q_X509_get_notBefore(x509); ASN1_TIME *naft = q_X509_get_notAfter(x509); certificate.d->notValidBefore = q_getTimeFromASN1(nbef); @@ -766,16 +773,16 @@ QDebug operator<<(QDebug debug, const QSslCertificate &certificate) { debug << "QSslCertificate(" << certificate.version() - << "," << certificate.serialNumber() - << "," << certificate.digest().toBase64() - << "," << certificate.issuerInfo(QSslCertificate::Organization) - << "," << certificate.subjectInfo(QSslCertificate::Organization) - << "," << certificate.alternateSubjectNames() + << ',' << certificate.serialNumber() + << ',' << certificate.digest().toBase64() + << ',' << certificate.issuerInfo(QSslCertificate::Organization) + << ',' << certificate.subjectInfo(QSslCertificate::Organization) + << ',' << certificate.alternateSubjectNames() #ifndef QT_NO_TEXTSTREAM - << "," << certificate.effectiveDate() - << "," << certificate.expiryDate() + << ',' << certificate.effectiveDate() + << ',' << certificate.expiryDate() #endif - << ")"; + << ')'; return debug; } QDebug operator<<(QDebug debug, QSslCertificate::SubjectInfo info) diff --git a/src/network/ssl/qsslcipher.cpp b/src/network/ssl/qsslcipher.cpp index 2a11837..504099f 100644 --- a/src/network/ssl/qsslcipher.cpp +++ b/src/network/ssl/qsslcipher.cpp @@ -231,7 +231,7 @@ QDebug operator<<(QDebug debug, const QSslCipher &cipher) debug << "QSslCipher(name=" << qPrintable(cipher.name()) << ", bits=" << cipher.usedBits() << ", proto=" << qPrintable(cipher.protocolString()) - << ")"; + << ')'; return debug; } #endif diff --git a/src/network/ssl/qsslkey.cpp b/src/network/ssl/qsslkey.cpp index 1f3fd66..c7eb692 100644 --- a/src/network/ssl/qsslkey.cpp +++ b/src/network/ssl/qsslkey.cpp @@ -460,7 +460,7 @@ QDebug operator<<(QDebug debug, const QSslKey &key) << (key.type() == QSsl::PublicKey ? "PublicKey" : "PrivateKey") << ", " << (key.algorithm() == QSsl::Rsa ? "RSA" : "DSA") << ", " << key.length() - << ")"; + << ')'; return debug; } #endif diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 6eba9fb..fc297e4 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -113,8 +113,8 @@ readLine(), or getChar() to read decrypted data from QSslSocket's internal buffer, and you can call write() or putChar() to write data back to the peer. QSslSocket will automatically encrypt the - written data for you, and emit bytesWritten() once the data has - been written to the peer. + written data for you, and emit encryptedBytesWritten() once + the data has been written to the peer. As a convenience, QSslSocket supports QTcpSocket's blocking functions waitForConnected(), waitForReadyRead(), @@ -397,6 +397,36 @@ void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, O } /*! + \since 4.6 + \overload + + In addition to the original behaviour of connectToHostEncrypted, + this overloaded method enables the usage of a different hostname + (\a sslPeerName) for the certificate validation instead of + the one used for the TCP connection (\a hostName). + + \sa connectToHostEncrypted() +*/ +void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, + const QString &sslPeerName, OpenMode mode) +{ + Q_D(QSslSocket); + if (d->state == ConnectedState || d->state == ConnectingState) { + qWarning("QSslSocket::connectToHostEncrypted() called when already connecting/connected"); + return; + } + + d->init(); + d->autoStartHandshake = true; + d->initialized = true; + d->verificationPeerName = sslPeerName; + + // Note: When connecting to localhost, some platforms (e.g., HP-UX and some BSDs) + // establish the connection immediately (i.e., first attempt). + connectToHost(hostName, port, mode); +} + +/*! Initializes QSslSocket with the native socket descriptor \a socketDescriptor. Returns true if \a socketDescriptor is accepted as a valid socket descriptor; otherwise returns false. @@ -412,8 +442,8 @@ bool QSslSocket::setSocketDescriptor(int socketDescriptor, SocketState state, Op { Q_D(QSslSocket); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocket::setSocketDescriptor(" << socketDescriptor << "," - << state << "," << openMode << ")"; + qDebug() << "QSslSocket::setSocketDescriptor(" << socketDescriptor << ',' + << state << ',' << openMode << ')'; #endif if (!d->plainSocket) d->createPlainSocket(openMode); @@ -1578,7 +1608,7 @@ void QSslSocket::connectToHostImplementation(const QString &hostName, quint16 po #ifdef QSSLSOCKET_DEBUG qDebug() << "QSslSocket::connectToHostImplementation(" - << hostName << "," << port << "," << openMode << ")"; + << hostName << ',' << port << ',' << openMode << ')'; #endif if (!d->plainSocket) { #ifdef QSSLSOCKET_DEBUG @@ -1652,7 +1682,7 @@ qint64 QSslSocket::readData(char *data, qint64 maxlen) } while (!d->readBuffer.isEmpty() && readBytes < maxlen); } #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocket::readData(" << (void *)data << "," << maxlen << ") ==" << readBytes; + qDebug() << "QSslSocket::readData(" << (void *)data << ',' << maxlen << ") ==" << readBytes; #endif return readBytes; } @@ -1664,7 +1694,7 @@ qint64 QSslSocket::writeData(const char *data, qint64 len) { Q_D(QSslSocket); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocket::writeData(" << (void *)data << "," << len << ")"; + qDebug() << "QSslSocket::writeData(" << (void *)data << ',' << len << ')'; #endif if (d->mode == UnencryptedMode && !d->autoStartHandshake) return d->plainSocket->write(data, len); @@ -1969,7 +1999,7 @@ void QSslSocketPrivate::_q_stateChangedSlot(QAbstractSocket::SocketState state) { Q_Q(QSslSocket); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocket::_q_stateChangedSlot(" << state << ")"; + qDebug() << "QSslSocket::_q_stateChangedSlot(" << state << ')'; #endif q->setSocketState(state); emit q->stateChanged(state); @@ -1982,7 +2012,7 @@ void QSslSocketPrivate::_q_errorSlot(QAbstractSocket::SocketError error) { Q_Q(QSslSocket); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocket::_q_errorSlot(" << error << ")"; + qDebug() << "QSslSocket::_q_errorSlot(" << error << ')'; qDebug() << "\tstate =" << q->state(); qDebug() << "\terrorString =" << q->errorString(); #endif @@ -2017,7 +2047,7 @@ void QSslSocketPrivate::_q_bytesWrittenSlot(qint64 written) { Q_Q(QSslSocket); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocket::_q_bytesWrittenSlot(" << written << ")"; + qDebug() << "QSslSocket::_q_bytesWrittenSlot(" << written << ')'; #endif if (mode == QSslSocket::UnencryptedMode) diff --git a/src/network/ssl/qsslsocket.h b/src/network/ssl/qsslsocket.h index f63a4df..785a083 100644 --- a/src/network/ssl/qsslsocket.h +++ b/src/network/ssl/qsslsocket.h @@ -86,6 +86,7 @@ public: // Autostarting the SSL client handshake. void connectToHostEncrypted(const QString &hostName, quint16 port, OpenMode mode = ReadWrite); + void connectToHostEncrypted(const QString &hostName, quint16 port, const QString &sslPeerName, OpenMode mode = ReadWrite); bool setSocketDescriptor(int socketDescriptor, SocketState state = ConnectedState, OpenMode openMode = ReadWrite); diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index a0eb267..ea62a4d 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -276,7 +276,7 @@ init_context: if (first) first = false; else - cipherString.append(":"); + cipherString.append(':'); cipherString.append(cipher.name().toLatin1()); } @@ -500,7 +500,7 @@ void QSslSocketBackendPrivate::startClientEncryption() // Start connecting. This will place outgoing data in the BIO, so we // follow up with calling transmit(). - testConnection(); + startHandshake(); transmit(); } @@ -513,7 +513,7 @@ void QSslSocketBackendPrivate::startServerEncryption() // Start connecting. This will place outgoing data in the BIO, so we // follow up with calling transmit(). - testConnection(); + startHandshake(); transmit(); } @@ -601,7 +601,7 @@ void QSslSocketBackendPrivate::transmit() #ifdef QSSLSOCKET_DEBUG qDebug() << "QSslSocketBackendPrivate::transmit: testing encryption"; #endif - if (testConnection()) { + if (startHandshake()) { #ifdef QSSLSOCKET_DEBUG qDebug() << "QSslSocketBackendPrivate::transmit: encryption established"; #endif @@ -620,7 +620,7 @@ void QSslSocketBackendPrivate::transmit() } // If the request is small and the remote host closes the transmission - // after sending, there's a chance that testConnection() will already + // after sending, there's a chance that startHandshake() will already // have triggered a shutdown. if (!ssl) continue; @@ -720,7 +720,7 @@ static QSslError _q_OpenSSL_to_QSslError(int errorCode, const QSslCertificate &c return error; } -bool QSslSocketBackendPrivate::testConnection() +bool QSslSocketBackendPrivate::startHandshake() { Q_Q(QSslSocket); @@ -761,7 +761,7 @@ bool QSslSocketBackendPrivate::testConnection() q->setErrorString(QSslSocket::tr("Error during SSL handshake: %1").arg(SSL_ERRORSTR())); q->setSocketError(QAbstractSocket::SslHandshakeFailedError); #ifdef QSSLSOCKET_DEBUG - qDebug() << "QSslSocketBackendPrivate::testConnection: error!" << q->errorString(); + qDebug() << "QSslSocketBackendPrivate::startHandshake: error!" << q->errorString(); #endif emit q->error(QAbstractSocket::SslHandshakeFailedError); q->abort(); @@ -792,7 +792,7 @@ bool QSslSocketBackendPrivate::testConnection() // but only if we're a client connecting to a server // if we're the server, don't check CN if (mode == QSslSocket::SslClientMode) { - QString peerName = q->peerName(); + QString peerName = (verificationPeerName.isEmpty () ? q->peerName() : verificationPeerName); QString commonName = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName); QRegExp regexp(commonName, Qt::CaseInsensitive, QRegExp::Wildcard); diff --git a/src/network/ssl/qsslsocket_openssl_p.h b/src/network/ssl/qsslsocket_openssl_p.h index ceb23f0..a38433b 100644 --- a/src/network/ssl/qsslsocket_openssl_p.h +++ b/src/network/ssl/qsslsocket_openssl_p.h @@ -106,7 +106,7 @@ public: void startClientEncryption(); void startServerEncryption(); void transmit(); - bool testConnection(); + bool startHandshake(); void disconnectFromHost(); void disconnected(); QSslCipher sessionCipher() const; diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h index af28ff0..dc8e4f5 100644 --- a/src/network/ssl/qsslsocket_p.h +++ b/src/network/ssl/qsslsocket_p.h @@ -88,6 +88,10 @@ public: QSslConfigurationPrivate configuration; QList<QSslError> sslErrors; + // if set, this hostname is used for certificate validation instead of the hostname + // that was used for connecting to. + QString verificationPeerName; + static bool ensureInitialized(); static void deinitialize(); static QList<QSslCipher> defaultCiphers(); |