Add SecureTransport based SSL backend for iOS and OS X

Add support for SSL on iOS/OS X by adding a SecureTransport based
backend.

[ChangeLog][QtNetwork][QSslSocket] A new SSL backend for iOS and OS X,
implemented with Apple's Secure Transport (Security Framework).

Change-Id: I7466db471be2a8a2170f9af9d6ad4c7b6425738b
Reviewed-by: Richard J. Moore <rich@kde.org>
This commit is contained in:
Jeremy Lainé 2014-08-22 17:20:49 +02:00 committed by Timur Pocheptsov
parent a7fe3309d6
commit 5382312e5c
10 changed files with 1709 additions and 13 deletions

21
configure vendored
View File

@ -665,6 +665,7 @@ CFG_GLIB=auto
CFG_QGTKSTYLE=auto
CFG_LARGEFILE=auto
CFG_OPENSSL=auto
CFG_SECURETRANSPORT=auto
CFG_PRECOMPILE=auto
CFG_SEPARATE_DEBUG_INFO=no
CFG_REDUCE_EXPORTS=auto
@ -1956,6 +1957,13 @@ while [ "$#" -gt 0 ]; do
UNKNOWN_OPT=yes
fi
;;
securetransport)
if [ "$VAL" = "yes" ] || [ "$VAL" = "no" ]; then
CFG_SECURETRANSPORT="$VAL"
else
UNKNOWN_OPT=yes
fi
;;
qml-debug)
if [ "$VAL" = "yes" ]; then
CFG_QML_DEBUG="yes"
@ -5698,6 +5706,12 @@ if [ "$CFG_OPENSSL" != "no" ]; then
fi
fi
if [ "$CFG_SECURETRANSPORT" != "no" ] && [ "$CFG_OPENSSL" = "no" ] && [ "$XPLATFORM_MAC" = "yes" ]; then
CFG_SECURETRANSPORT=yes
else
CFG_SECURETRANSPORT=no
fi
# detect PCRE
if [ "$CFG_PCRE" != "qt" ]; then
if compileTest unix/pcre "PCRE"; then
@ -5980,6 +5994,7 @@ fi
[ "$CFG_DBUS" = "linked" ] && QT_CONFIG="$QT_CONFIG dbus-linked"
[ "$CFG_OPENSSL" = "yes" ] && QT_CONFIG="$QT_CONFIG openssl"
[ "$CFG_OPENSSL" = "linked" ] && QT_CONFIG="$QT_CONFIG openssl-linked"
[ "$CFG_SECURETRANSPORT" = "yes" ] && QT_CONFIG="$QT_CONFIG ssl securetransport"
[ "$CFG_XCB" != "no" ] && QT_CONFIG="$QT_CONFIG xcb"
[ "$CFG_XINPUT2" = "yes" ] && QT_CONFIG="$QT_CONFIG xinput2"
[ "$CFG_SYSTEM_PROXIES" = "yes" ] && QT_CONFIG="$QT_CONFIG system-proxies"
@ -6387,8 +6402,10 @@ QMakeVar set sql-plugins "$SQL_PLUGINS"
[ "$CFG_INOTIFY" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_INOTIFY"
[ "$CFG_EVENTFD" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_EVENTFD"
[ "$CFG_NIS" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_NIS"
[ "$CFG_OPENSSL" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_OPENSSL QT_NO_SSL"
[ "$CFG_OPENSSL" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_OPENSSL"
[ "$CFG_OPENSSL" = "linked" ]&& QCONFIG_FLAGS="$QCONFIG_FLAGS QT_LINKED_OPENSSL"
[ "$CFG_OPENSSL" = "no" ] && [ "$CFG_SECURETRANSPORT" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_SSL"
[ "$CFG_SECURETRANSPORT" = "yes" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_SECURETRANSPORT"
[ "$CFG_SM" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_SESSIONMANAGER"
[ "$CFG_TSLIB" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_TSLIB"
@ -6818,6 +6835,8 @@ report_support " getaddrinfo .........." "$CFG_GETADDRINFO"
report_support " getifaddrs ..........." "$CFG_GETIFADDRS"
report_support " IPv6 ifname .........." "$CFG_IPV6IFNAME"
report_support " OpenSSL .............." "$CFG_OPENSSL" yes "loading libraries at run-time" linked "linked to the libraries"
[ "$XPLATFORM_MAC" = "yes" ] && \
report_support " SecureTransport ......" "$CFG_SECURETRANSPORT"
report_support " NIS ...................." "$CFG_NIS"
report_support " OpenGL / OpenVG:"
report_support " EGL .................." "$CFG_EGL"

View File

@ -105,12 +105,16 @@
\value EmailAddress The email address associated with the certificate
*/
#include <QtCore/qglobal.h>
#ifndef QT_NO_OPENSSL
#include "qsslsocket_openssl_symbols_p.h"
#endif
#ifdef Q_OS_WINRT
#include "qsslsocket_winrt_p.h"
#endif
#ifdef QT_SECURETRANSPORT
#include "qsslsocket_mac_p.h"
#endif
#include "qssl_p.h"
#include "qsslcertificate.h"

View File

@ -0,0 +1,91 @@
/****************************************************************************
**
** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
** Contact: http://www.qt-project.org/legal
**
** This file is part of the QtNetwork module of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:LGPL$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and Digia. For licensing terms and
** conditions see http://qt.digia.com/licensing. For further information
** use the contact form at http://qt.digia.com/contact-us.
**
** GNU Lesser General Public License Usage
** Alternatively, this file may be used under the terms of the GNU Lesser
** General Public License version 2.1 as published by the Free Software
** Foundation and appearing in the file LICENSE.LGPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU Lesser General Public License version 2.1 requirements
** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
**
** In addition, as a special exception, Digia gives you certain additional
** rights. These rights are described in the Digia Qt LGPL Exception
** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 3.0 as published by the Free Software
** Foundation and appearing in the file LICENSE.GPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU General Public License version 3.0 requirements will be
** met: http://www.gnu.org/copyleft/gpl.html.
**
**
** $QT_END_LICENSE$
**
****************************************************************************/
#include "qsslkey.h"
#include "qsslkey_p.h"
#include <CommonCrypto/CommonCrypto.h>
QT_USE_NAMESPACE
static QByteArray wrapCCCrypt(CCOperation ccOp,
QSslKeyPrivate::Cipher cipher,
const QByteArray &data,
const QByteArray &key, const QByteArray &iv)
{
int blockSize;
CCAlgorithm ccAlgorithm;
switch (cipher) {
case QSslKeyPrivate::DesCbc:
blockSize = kCCBlockSizeDES;
ccAlgorithm = kCCAlgorithmDES;
break;
case QSslKeyPrivate::DesEde3Cbc:
blockSize = kCCBlockSize3DES;
ccAlgorithm = kCCAlgorithm3DES;
break;
case QSslKeyPrivate::Rc2Cbc:
blockSize = kCCBlockSizeRC2;
ccAlgorithm = kCCAlgorithmRC2;
break;
};
size_t plainLength = 0;
QByteArray plain(data.size() + blockSize, 0);
CCCryptorStatus status = CCCrypt(
ccOp, ccAlgorithm, kCCOptionPKCS7Padding,
key.constData(), key.size(),
iv.constData(),
data.constData(), data.size(),
plain.data(), plain.size(), &plainLength);
if (status == kCCSuccess)
return plain.left(plainLength);
return QByteArray();
}
QByteArray QSslKeyPrivate::decrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv)
{
return wrapCCCrypt(kCCDecrypt, cipher, data, key, iv);
}
QByteArray QSslKeyPrivate::encrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv)
{
return wrapCCCrypt(kCCEncrypt, cipher, data, key, iv);
}

View File

@ -312,6 +312,9 @@
#ifdef Q_OS_WINRT
#include "qsslsocket_winrt_p.h"
#endif
#ifdef QT_SECURETRANSPORT
#include "qsslsocket_mac_p.h"
#endif
#include "qsslconfiguration_p.h"
#include <QtCore/qdebug.h>

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,125 @@
/****************************************************************************
**
** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
** Contact: http://www.qt-project.org/legal
**
** This file is part of the QtNetwork module of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:LGPL$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and Digia. For licensing terms and
** conditions see http://qt.digia.com/licensing. For further information
** use the contact form at http://qt.digia.com/contact-us.
**
** GNU Lesser General Public License Usage
** Alternatively, this file may be used under the terms of the GNU Lesser
** General Public License version 2.1 as published by the Free Software
** Foundation and appearing in the file LICENSE.LGPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU Lesser General Public License version 2.1 requirements
** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
**
** In addition, as a special exception, Digia gives you certain additional
** rights. These rights are described in the Digia Qt LGPL Exception
** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 3.0 as published by the Free Software
** Foundation and appearing in the file LICENSE.GPL included in the
** packaging of this file. Please review the following information to
** ensure the GNU General Public License version 3.0 requirements will be
** met: http://www.gnu.org/copyleft/gpl.html.
**
**
** $QT_END_LICENSE$
**
****************************************************************************/
#ifndef QSSLSOCKET_MAC_P_H
#define QSSLSOCKET_MAC_P_H
//
// W A R N I N G
// -------------
//
// This file is not part of the Qt API. It exists for the convenience
// of the QtNetwork library. This header file may change from
// version to version without notice, or even be removed.
//
// We mean it.
//
#include <QtCore/private/qcore_mac_p.h>
#include <QtCore/qstring.h>
#include <QtCore/qglobal.h>
#include <QtCore/qlist.h>
#include "qabstractsocket.h"
#include "qsslsocket_p.h"
#include <Security/Security.h>
#include <Security/SecureTransport.h>
QT_BEGIN_NAMESPACE
class QSslSocketBackendPrivate : public QSslSocketPrivate
{
Q_DECLARE_PUBLIC(QSslSocket)
public:
QSslSocketBackendPrivate();
virtual ~QSslSocketBackendPrivate();
// Final-overriders (QSslSocketPrivate):
void continueHandshake() Q_DECL_OVERRIDE;
void disconnected() Q_DECL_OVERRIDE;
void disconnectFromHost() Q_DECL_OVERRIDE;
QSslCipher sessionCipher() const Q_DECL_OVERRIDE;
QSsl::SslProtocol sessionProtocol() const Q_DECL_OVERRIDE;
void startClientEncryption() Q_DECL_OVERRIDE;
void startServerEncryption() Q_DECL_OVERRIDE;
void transmit() Q_DECL_OVERRIDE;
static QList<QSslError> (verify)(QList<QSslCertificate> certificateChain,
const QString &hostName);
static bool importPkcs12(QIODevice *device,
QSslKey *key, QSslCertificate *cert,
QList<QSslCertificate> *caCertificates,
const QByteArray &passPhrase);
static QSslCipher QSslCipher_from_SSLCipherSuite(SSLCipherSuite cipher);
private:
// SSL context management/properties:
bool initSslContext();
void destroySslContext();
bool setSessionCertificate(QString &errorDescription,
QAbstractSocket::SocketError &errorCode);
bool setSessionProtocol();
// Aux. functions to do a verification during handshake phase:
bool verifySessionProtocol() const;
bool verifyPeerTrust();
bool checkSslErrors();
bool startHandshake();
// Aux. function, sets:
//1) socket error code,
//2) error string (description)
//3) emits a signal.
void setError(const QString &errorString,
QAbstractSocket::SocketError errorCode);
mutable QCFType<SSLContextRef> context;
Q_DISABLE_COPY(QSslSocketBackendPrivate);
};
QT_END_NAMESPACE
#endif

View File

@ -53,6 +53,8 @@
#include "qsslconfiguration_p.h"
#ifndef QT_NO_OPENSSL
#include <private/qsslcontext_openssl_p.h>
#else
class QSslContext;
#endif
#include <QtCore/qstringlist.h>

View File

@ -40,6 +40,15 @@ contains(QT_CONFIG, ssl) | contains(QT_CONFIG, openssl) | contains(QT_CONFIG, op
ssl/qsslsocket_winrt.cpp \
ssl/qsslellipticcurve_dummy.cpp
}
contains(QT_CONFIG, securetransport) {
HEADERS += ssl/qsslsocket_mac_p.h
SOURCES += ssl/qsslcertificate_qt.cpp \
ssl/qsslkey_qt.cpp \
ssl/qsslkey_mac.cpp \
ssl/qsslsocket_mac.cpp \
ssl/qsslellipticcurve_dummy.cpp
}
}
contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {

View File

@ -32,7 +32,7 @@
**
****************************************************************************/
#include <QtCore/qglobal.h>
#include <QtCore/qthread.h>
#include <QtNetwork/qhostaddress.h>
#include <QtNetwork/qhostinfo.h>
@ -992,7 +992,7 @@ void tst_QSslSocket::protocol()
socket->abort();
}
#endif
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
{
// qt-test-server allows SSLV2.
socket->setProtocol(QSsl::SslV2);
@ -1129,7 +1129,7 @@ void tst_QSslSocket::protocolServerSide_data()
QTest::addColumn<QSsl::SslProtocol>("clientProtocol");
QTest::addColumn<bool>("works");
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("ssl2-ssl2") << QSsl::SslV2 << QSsl::SslV2 << false; // no idea why it does not work, but we don't care about SSL 2
#endif
QTest::newRow("ssl3-ssl3") << QSsl::SslV3 << QSsl::SslV3 << true;
@ -1138,7 +1138,7 @@ void tst_QSslSocket::protocolServerSide_data()
QTest::newRow("any-any") << QSsl::AnyProtocol << QSsl::AnyProtocol << true;
QTest::newRow("secure-secure") << QSsl::SecureProtocols << QSsl::SecureProtocols << true;
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("ssl2-ssl3") << QSsl::SslV2 << QSsl::SslV3 << false;
QTest::newRow("ssl2-tls1.0") << QSsl::SslV2 << QSsl::TlsV1_0 << false;
QTest::newRow("ssl2-tls1ssl3") << QSsl::SslV2 << QSsl::TlsV1SslV3 << false;
@ -1146,33 +1146,33 @@ void tst_QSslSocket::protocolServerSide_data()
QTest::newRow("ssl2-any") << QSsl::SslV2 << QSsl::AnyProtocol << false; // no idea why it does not work, but we don't care about SSL 2
#endif
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("ssl3-ssl2") << QSsl::SslV3 << QSsl::SslV2 << false;
#endif
QTest::newRow("ssl3-tls1.0") << QSsl::SslV3 << QSsl::TlsV1_0 << false;
QTest::newRow("ssl3-tls1ssl3") << QSsl::SslV3 << QSsl::TlsV1SslV3 << true;
QTest::newRow("ssl3-secure") << QSsl::SslV3 << QSsl::SecureProtocols << false;
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << false; // we won't set a SNI header here because we connect to a
// numerical IP, so OpenSSL will send a SSL 2 handshake
#else
QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << true;
#endif
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("tls1.0-ssl2") << QSsl::TlsV1_0 << QSsl::SslV2 << false;
#endif
QTest::newRow("tls1.0-ssl3") << QSsl::TlsV1_0 << QSsl::SslV3 << false;
QTest::newRow("tls1-tls1ssl3") << QSsl::TlsV1_0 << QSsl::TlsV1SslV3 << true;
QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << true;
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << false; // we won't set a SNI header here because we connect to a
// numerical IP, so OpenSSL will send a SSL 2 handshake
#else
QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << true;
#endif
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("tls1ssl3-ssl2") << QSsl::TlsV1SslV3 << QSsl::SslV2 << false;
#endif
QTest::newRow("tls1ssl3-ssl3") << QSsl::TlsV1SslV3 << QSsl::SslV3 << true;
@ -1180,7 +1180,7 @@ void tst_QSslSocket::protocolServerSide_data()
QTest::newRow("tls1ssl3-secure") << QSsl::TlsV1SslV3 << QSsl::SecureProtocols << true;
QTest::newRow("tls1ssl3-any") << QSsl::TlsV1SslV3 << QSsl::AnyProtocol << true;
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("secure-ssl2") << QSsl::SecureProtocols << QSsl::SslV2 << false;
#endif
QTest::newRow("secure-ssl3") << QSsl::SecureProtocols << QSsl::SslV3 << false;
@ -1188,7 +1188,7 @@ void tst_QSslSocket::protocolServerSide_data()
QTest::newRow("secure-tls1ssl3") << QSsl::SecureProtocols << QSsl::TlsV1SslV3 << true;
QTest::newRow("secure-any") << QSsl::SecureProtocols << QSsl::AnyProtocol << true;
#ifndef OPENSSL_NO_SSL2
#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
QTest::newRow("any-ssl2") << QSsl::AnyProtocol << QSsl::SslV2 << false; // no idea why it does not work, but we don't care about SSL 2
#endif
QTest::newRow("any-ssl3") << QSsl::AnyProtocol << QSsl::SslV3 << true;

View File

@ -6,7 +6,7 @@ SUBDIRS=\
qsslerror \
qsslkey \
contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {
contains(QT_CONFIG, ssl) | contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {
contains(QT_CONFIG, private_tests) {
SUBDIRS += \
qsslsocket \