tristan/kdeconnect-kde
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

De-duplicated socket SSL configuration code

Browse source
This commit is contained in:
Albert Vaca 2016-06-22 14:25:12 +02:00
parent f011191eca
commit 01139d31d1
4 changed files with 41 additions and 59 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
core/backends/lan/downloadjob.cpp
View file

@ -20,6 +20,7 @@
#include <kdeconnectconfig.h> #include <kdeconnectconfig.h>
#include "downloadjob.h" #include "downloadjob.h"
#include "lanlinkprovider.h"
#include <core/core_debug.h> #include <core/core_debug.h>
@ -38,14 +39,7 @@ DownloadJob::DownloadJob(const QHostAddress &address, const QVariantMap &transfe
, mPort(transferInfo["port"].toInt()) , mPort(transferInfo["port"].toInt())
, mSocket(new QSslSocket(this)) , mSocket(new QSslSocket(this))
{ {
// Setting ssl related properties for socket when using ssl LanLinkProvider::configureSslSocket(mSocket.data(), transferInfo.value("deviceId").toString(), true);
mSocket->setLocalCertificate(KdeConnectConfig::instance()->certificate());
mSocket->setPrivateKey(KdeConnectConfig::instance()->privateKeyPath());
mSocket->setProtocol(QSsl::TlsV1_0);
mSocket->setPeerVerifyName(transferInfo.value("deviceId").toString());
mSocket->setPeerVerifyMode(QSslSocket::VerifyPeer);
mSocket->addCaCertificate(QSslCertificate(KdeConnectConfig::instance()->getDeviceProperty(transferInfo.value("deviceId").toString(),"certificate").toLatin1()));
} }
DownloadJob::~DownloadJob() DownloadJob::~DownloadJob()

77
core/backends/lan/lanlinkprovider.cpp
View file

@ -119,7 +119,6 @@ void LanLinkProvider::onNetworkChange()
void LanLinkProvider::broadcastToNetwork() void LanLinkProvider::broadcastToNetwork()
{ {
if (!mServer->isListening()) { if (!mServer->isListening()) {
//Not started //Not started
return; return;
@ -230,26 +229,16 @@ void LanLinkProvider::connected()
// if ssl supported // if ssl supported
if (receivedPackage->get<int>("protocolVersion") >= MIN_VERSION_WITH_SSL_SUPPORT) { if (receivedPackage->get<int>("protocolVersion") >= MIN_VERSION_WITH_SSL_SUPPORT) {
// since I support ssl and remote device support ssl
socket->setPeerVerifyName(deviceId); bool isDeviceTrusted = KdeConnectConfig::instance()->trustedDevices().contains(deviceId);
configureSslSocket(socket, deviceId, isDeviceTrusted);
QString certString = KdeConnectConfig::instance()->getDeviceProperty(deviceId, "certificate", QString());
if (!certString.isEmpty()) {
qCDebug(KDECONNECT_CORE) << "Device trusted";
socket->addCaCertificate(QSslCertificate(certString.toLatin1()));
socket->setPeerVerifyMode(QSslSocket::VerifyPeer);
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrors(QList<QSslError>)));
} else {
qCDebug(KDECONNECT_CORE) << "Device untrusted";
// Do not care about ssl errors here, socket will not be closed due to errors because of query peer
socket->setPeerVerifyMode(QSslSocket::QueryPeer);
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrorsLogButIgnore(QList<QSslError>)));
}
qCDebug(KDECONNECT_CORE) << "Starting server ssl (I'm the client TCP socket)"; qCDebug(KDECONNECT_CORE) << "Starting server ssl (I'm the client TCP socket)";
connect(socket, SIGNAL(encrypted()), this, SLOT(encrypted()));
connect(socket, SIGNAL(encrypted()), this, SLOT(encrypted()));
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrors(QList<QSslError>)));
socket->startServerEncryption(); socket->startServerEncryption();
return; // Return statement prevents from deleting received package, needed in slot "encrypted" return; // Return statement prevents from deleting received package, needed in slot "encrypted"
} else { } else {
qWarning() << receivedPackage->get<QString>("deviceName") << "uses an old protocol version, this won't work"; qWarning() << receivedPackage->get<QString>("deviceName") << "uses an old protocol version, this won't work";
@ -294,7 +283,6 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors)
disconnect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrors(QList<QSslError>))); disconnect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrors(QList<QSslError>)));
Q_FOREACH (const QSslError &error, errors) { Q_FOREACH (const QSslError &error, errors) {
qCDebug(KDECONNECT_CORE) << "SSL Error :" << error.errorString();
switch (error.error()) { switch (error.error()) {
case QSslError::CertificateSignatureFailed: case QSslError::CertificateSignatureFailed:
case QSslError::CertificateNotYetValid: case QSslError::CertificateNotYetValid:
@ -311,8 +299,6 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors)
} }
default: default:
continue; continue;
// Lots of warnings without this
} }
} }
@ -320,13 +306,6 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors)
// Socket disconnects itself on ssl error and will be deleted by deleteLater slot, no need to delete manually // Socket disconnects itself on ssl error and will be deleted by deleteLater slot, no need to delete manually
} }
void LanLinkProvider::sslErrorsLogButIgnore(const QList<QSslError>& errors)
{
Q_FOREACH (const QSslError &error, errors) {
qCDebug(KDECONNECT_CORE) << "SSL Error (ignoring):" << error.errorString();
}
}
//I'm the new device and this is the answer to my UDP identity package (no data received yet). They are connecting to us through TCP, and they should send an identity. //I'm the new device and this is the answer to my UDP identity package (no data received yet). They are connecting to us through TCP, and they should send an identity.
void LanLinkProvider::newConnection() void LanLinkProvider::newConnection()
{ {
@ -379,28 +358,17 @@ void LanLinkProvider::dataReceived()
disconnect(socket, SIGNAL(readyRead()), this, SLOT(dataReceived())); disconnect(socket, SIGNAL(readyRead()), this, SLOT(dataReceived()));
if (np->get<int>("protocolVersion") >= MIN_VERSION_WITH_SSL_SUPPORT) { if (np->get<int>("protocolVersion") >= MIN_VERSION_WITH_SSL_SUPPORT) {
// since I support ssl and remote device support ssl
bool isDeviceTrusted = KdeConnectConfig::instance()->trustedDevices().contains(deviceId); bool isDeviceTrusted = KdeConnectConfig::instance()->trustedDevices().contains(deviceId);
configureSslSocket(socket, deviceId, isDeviceTrusted);
socket->setPeerVerifyName(deviceId);
if (isDeviceTrusted) {
qCDebug(KDECONNECT_CORE) << "Device trusted";
QString certString = KdeConnectConfig::instance()->getDeviceProperty(deviceId, "certificate", QString());
socket->addCaCertificate(QSslCertificate(certString.toLatin1()));
socket->setPeerVerifyMode(QSslSocket::VerifyPeer);
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrors(QList<QSslError>)));
} else {
qCDebug(KDECONNECT_CORE) << "Device untrusted";
// Do not care about ssl errors here, socket will not be closed due to errors because of query peer
socket->setPeerVerifyMode(QSslSocket::QueryPeer);
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrorsLogButIgnore(QList<QSslError>)));
}
qCDebug(KDECONNECT_CORE) << "Starting client ssl (but I'm the server TCP socket)"; qCDebug(KDECONNECT_CORE) << "Starting client ssl (but I'm the server TCP socket)";
connect(socket, SIGNAL(encrypted()), this, SLOT(encrypted()));
connect(socket, SIGNAL(encrypted()), this, SLOT(encrypted()));
connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrors(QList<QSslError>)));
socket->startClientEncryption(); socket->startClientEncryption();
} else { } else {
qWarning() << np->get<QString>("deviceName") << "uses an old protocol version, this won't work"; qWarning() << np->get<QString>("deviceName") << "uses an old protocol version, this won't work";
//addLink(deviceId, socket, np, LanDeviceLink::Locally); //addLink(deviceId, socket, np, LanDeviceLink::Locally);
@ -422,7 +390,7 @@ void LanLinkProvider::deviceLinkDestroyed(QObject* destroyedDeviceLink)
} }
void LanLinkProvider::configureSocket(QSslSocket* socket) void LanLinkProvider::configureSslSocket(QSslSocket* socket, const QString& deviceId, bool isDeviceTrusted)
{ {
// Setting supported ciphers manually // Setting supported ciphers manually
// Top 3 ciphers are for new Android devices, botton two are for old Android devices // Top 3 ciphers are for new Android devices, botton two are for old Android devices
@ -442,9 +410,30 @@ void LanLinkProvider::configureSocket(QSslSocket* socket)
socket->setSslConfiguration(sslConfig); socket->setSslConfiguration(sslConfig);
socket->setLocalCertificate(KdeConnectConfig::instance()->certificate()); socket->setLocalCertificate(KdeConnectConfig::instance()->certificate());
socket->setPrivateKey(KdeConnectConfig::instance()->privateKeyPath()); socket->setPrivateKey(KdeConnectConfig::instance()->privateKeyPath());
socket->setPeerVerifyName(deviceId);
if (isDeviceTrusted) {
QString certString = KdeConnectConfig::instance()->getDeviceProperty(deviceId, "certificate", QString());
qCDebug(KDECONNECT_CORE) << "Device trusted";
socket->addCaCertificate(QSslCertificate(certString.toLatin1()));
socket->setPeerVerifyMode(QSslSocket::VerifyPeer);
} else {
qCDebug(KDECONNECT_CORE) << "Device untrusted";
socket->setPeerVerifyMode(QSslSocket::QueryPeer);
}
QObject::connect(socket, static_cast<void (QSslSocket::*)(const QList<QSslError>&)>(&QSslSocket::sslErrors), [](const QList<QSslError>& errors)
{
Q_FOREACH (const QSslError &error, errors) {
qCDebug(KDECONNECT_CORE) << "SSL Error:" << error.errorString();
}
});
}
void LanLinkProvider::configureSocket(QSslSocket* socket) {
socket->setSocketOption(QAbstractSocket::KeepAliveOption, QVariant(1)); socket->setSocketOption(QAbstractSocket::KeepAliveOption, QVariant(1));
#ifdef TCP_KEEPIDLE #ifdef TCP_KEEPIDLE
// time to start sending keepalive packets (seconds) // time to start sending keepalive packets (seconds)
int maxIdle = 10; int maxIdle = 10;

5
core/backends/lan/lanlinkprovider.h
View file

@ -50,6 +50,9 @@ public:
void userRequestsUnpair(const QString &deviceId); void userRequestsUnpair(const QString &deviceId);
void incomingPairPackage(DeviceLink* device, const NetworkPackage& np); void incomingPairPackage(DeviceLink* device, const NetworkPackage& np);
static void configureSslSocket(QSslSocket* socket, const QString& deviceId, bool isDeviceTrusted);
static void configureSocket(QSslSocket* socket);
public Q_SLOTS: public Q_SLOTS:
void onNetworkChange() override; void onNetworkChange() override;
void onStart() override; void onStart() override;
@ -64,11 +67,9 @@ private Q_SLOTS:
void dataReceived(); void dataReceived();
void deviceLinkDestroyed(QObject* destroyedDeviceLink); void deviceLinkDestroyed(QObject* destroyedDeviceLink);
void sslErrors(const QList<QSslError>& errors); void sslErrors(const QList<QSslError>& errors);
void sslErrorsLogButIgnore(const QList<QSslError>& errors);
void broadcastToNetwork(); void broadcastToNetwork();
private: private:
static void configureSocket(QSslSocket* socket);
LanPairingHandler* createPairingHandler(DeviceLink* link); LanPairingHandler* createPairingHandler(DeviceLink* link);
void onNetworkConfigurationChanged(const QNetworkConfiguration &config); void onNetworkConfigurationChanged(const QNetworkConfiguration &config);

8
core/backends/lan/uploadjob.cpp
View file

@ -19,6 +19,7 @@
*/ */
#include "uploadjob.h" #include "uploadjob.h"
#include "lanlinkprovider.h"
#include <qalgorithms.h> #include <qalgorithms.h>
#include <QtGlobal> #include <QtGlobal>
@ -69,11 +70,8 @@ void UploadJob::newConnection()
mSocket = server->nextPendingConnection(); mSocket = server->nextPendingConnection();
connect(mSocket, SIGNAL(disconnected()), mSocket, SLOT(deleteLater())); connect(mSocket, SIGNAL(disconnected()), mSocket, SLOT(deleteLater()));
mSocket->setLocalCertificate(KdeConnectConfig::instance()->certificate()); LanLinkProvider::configureSslSocket(mSocket, mDeviceId, true);
mSocket->setPrivateKey(KdeConnectConfig::instance()->privateKeyPath());
mSocket->setProtocol(QSsl::TlsV1_0);
mSocket->setPeerVerifyName(mDeviceId);
mSocket->addCaCertificate(QSslCertificate(KdeConnectConfig::instance()->getDeviceProperty(mDeviceId, "certificate", QString()).toLatin1()));
mSocket->startServerEncryption(); mSocket->startServerEncryption();
mSocket->waitForEncrypted(); mSocket->waitForEncrypted();