Use SSL callback to verify bound IP for multihomed machines

git-svn-id: https://mumble.svn.sourceforge.net/svnroot/mumble/trunk@900 05730e5d-ab1b-0410-a4ac-84af385074fa
This commit is contained in:
Thorvald Natvig 2007-12-14 15:18:36 +00:00
parent d0c65104ea
commit 0c74573d70
3 changed files with 31 additions and 7 deletions

View File

@ -48,7 +48,7 @@ int add_ext(X509 * crt, int nid, char *value) {
void Server::initializeCert() {
QByteArray crt, key;
if (QSslSocket::supportsSsl()) {
if (! QSslSocket::supportsSsl()) {
qFatal("Qt without SSL Support");
}
@ -59,6 +59,9 @@ void Server::initializeCert() {
qscCert = QSslCertificate(crt);
if (qscCert.isNull()) {
log("Failed to parse certificate.");
} else if (qscCert.issuerInfo(QSslCertificate::CommonName) == QLatin1String("Murmur Autogenerated Certificate")) {
log("Old autogenerated certificate is unusable for registration, invalidating it");
qscCert = QSslCertificate();
}
}
@ -116,12 +119,11 @@ void Server::initializeCert() {
X509_NAME *name=X509_get_subject_name(x509);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, reinterpret_cast<unsigned char *>(const_cast<char *>("Murmur Autogenerated Certificate")), -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, reinterpret_cast<unsigned char *>(const_cast<char *>("Murmur Autogenerated Certificate v2")), -1, -1, 0);
X509_set_issuer_name(x509, name);
add_ext(x509, NID_basic_constraints, "critical,CA:FALSE");
add_ext(x509, NID_ext_key_usage, "serverAuth,clientAuth");
add_ext(x509, NID_subject_key_identifier, "hash");
add_ext(x509, NID_netscape_cert_type, "server");
add_ext(x509, NID_netscape_comment, "Generated from murmur");
X509_sign(x509, pkey, EVP_md5());

View File

@ -34,11 +34,13 @@
void Server::initRegister() {
http = NULL;
qssReg = NULL;
connect(&qtTick, SIGNAL(timeout()), this, SLOT(update()));
if (! qsRegName.isEmpty()) {
if ((! qsRegName.isEmpty()) && (! qsRegPassword.isEmpty()) && (qurlRegWeb.isValid()) && (qsPassword.isEmpty()))
qtTick.start(60000);
qtTick.start(60 * 10);
else
log("Registration needs nonempty name, password and url, and the server must not be password protected.");
} else {
@ -48,14 +50,19 @@ void Server::initRegister() {
void Server::abort() {
if (http) {
http->setSocket(NULL);
http->deleteLater();
http = NULL;
}
if (qssReg) {
qssReg->deleteLater();
qssReg = NULL;
}
}
void Server::update() {
abort();
qtTick.start(1000 * 60 * 60);
qtTick.start(10 * 60 * 60);
QDomDocument doc;
QDomElement root=doc.createElement(QLatin1String("server"));
@ -100,9 +107,15 @@ void Server::update() {
t=doc.createTextNode(getDigest());
tag.appendChild(t);
http = new QHttp(this);
qssReg = new QSslSocket(this);
qssReg->setLocalCertificate(qscCert);
qssReg->setPrivateKey(qskKey);
http = new QHttp(QLatin1String("mumble.hive.no"), QHttp::ConnectionModeHttps, 443, this);
http->setSocket(qssReg);
connect(http, SIGNAL(done(bool)), this, SLOT(done(bool)));
http->setHost(QLatin1String("mumble.hive.no"), 80);
connect(http, SIGNAL(sslErrors ( const QList<QSslError> &)), this, SLOT(regSslError(const QList<QSslError> &)));
QHttpRequestHeader h(QLatin1String("POST"), QLatin1String("/register.cgi"));
h.setValue(QLatin1String("Connection"), QLatin1String("Keep-Alive"));
@ -112,6 +125,8 @@ void Server::update() {
}
void Server::done(bool err) {
if (! http || ! qssReg)
return;
if (err) {
log("Regstration failed: %s", qPrintable(http->errorString()));
} else {
@ -120,3 +135,8 @@ void Server::done(bool err) {
}
abort();
}
void Server::regSslError(const QList<QSslError> &errs) {
foreach(const QSslError &e, errs)
log("Registration: SSL Handshake error: %s", qPrintable(e.errorString()));
}

View File

@ -120,8 +120,10 @@ class Server : public QThread, public MessageHandler {
// Registration, implementation in Register.cpp
QTimer qtTick;
QHttp *http;
QSslSocket *qssReg;
void initRegister();
public slots:
void regSslError(const QList<QSslError> &);
void done(bool);
void update();
void abort();