Add SecureTransport based SSL backend for iOS and OS X

Add support for SSL on iOS/OS X by adding a SecureTransport based
backend.

[ChangeLog][QtNetwork][QSslSocket] A new SSL backend for iOS and OS X,
implemented with Apple's Secure Transport (Security Framework).

Change-Id: I7466db471be2a8a2170f9af9d6ad4c7b6425738b
Reviewed-by: Richard J. Moore <rich@kde.org>

configure

@@ -665,6 +665,7 @@ CFG_GLIB=auto
 CFG_QGTKSTYLE=auto
 CFG_LARGEFILE=auto
 CFG_OPENSSL=auto
+CFG_SECURETRANSPORT=auto
 CFG_PRECOMPILE=auto
 CFG_SEPARATE_DEBUG_INFO=no
 CFG_REDUCE_EXPORTS=auto
@@ -1956,6 +1957,13 @@ while [ "$#" -gt 0 ]; do
             UNKNOWN_OPT=yes
         fi
         ;;
+    securetransport)
+        if [ "$VAL" = "yes" ] || [ "$VAL" = "no" ]; then
+            CFG_SECURETRANSPORT="$VAL"
+        else
+            UNKNOWN_OPT=yes
+        fi
+        ;;
     qml-debug)
         if [ "$VAL" = "yes" ]; then
             CFG_QML_DEBUG="yes"
@@ -5698,6 +5706,12 @@ if [ "$CFG_OPENSSL" != "no" ]; then
     fi
 fi
 
+if [ "$CFG_SECURETRANSPORT" != "no" ] && [ "$CFG_OPENSSL" = "no" ] && [ "$XPLATFORM_MAC" = "yes" ]; then
+    CFG_SECURETRANSPORT=yes
+else
+    CFG_SECURETRANSPORT=no
+fi
+
 # detect PCRE
 if [ "$CFG_PCRE" != "qt" ]; then
     if compileTest unix/pcre "PCRE"; then
@@ -5980,6 +5994,7 @@ fi
 [ "$CFG_DBUS" = "linked" ] && QT_CONFIG="$QT_CONFIG dbus-linked"
 [ "$CFG_OPENSSL" = "yes" ] && QT_CONFIG="$QT_CONFIG openssl"
 [ "$CFG_OPENSSL" = "linked" ] && QT_CONFIG="$QT_CONFIG openssl-linked"
+[ "$CFG_SECURETRANSPORT" = "yes" ] && QT_CONFIG="$QT_CONFIG ssl securetransport"
 [ "$CFG_XCB" != "no" ] && QT_CONFIG="$QT_CONFIG xcb"
 [ "$CFG_XINPUT2" = "yes" ] && QT_CONFIG="$QT_CONFIG xinput2"
 [ "$CFG_SYSTEM_PROXIES" = "yes" ] && QT_CONFIG="$QT_CONFIG system-proxies"
@@ -6387,8 +6402,10 @@ QMakeVar set sql-plugins "$SQL_PLUGINS"
 [ "$CFG_INOTIFY" = "no" ]    && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_INOTIFY"
 [ "$CFG_EVENTFD" = "no" ]    && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_EVENTFD"
 [ "$CFG_NIS" = "no" ]        && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_NIS"
-[ "$CFG_OPENSSL" = "no" ]    && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_OPENSSL QT_NO_SSL"
+[ "$CFG_OPENSSL" = "no" ]    && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_OPENSSL"
 [ "$CFG_OPENSSL" = "linked" ]&& QCONFIG_FLAGS="$QCONFIG_FLAGS QT_LINKED_OPENSSL"
+[ "$CFG_OPENSSL" = "no" ] && [ "$CFG_SECURETRANSPORT" = "no" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_SSL"
+[ "$CFG_SECURETRANSPORT" = "yes" ] && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_SECURETRANSPORT"
 
 [ "$CFG_SM" = "no" ]         && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_SESSIONMANAGER"
 [ "$CFG_TSLIB" = "no" ]      && QCONFIG_FLAGS="$QCONFIG_FLAGS QT_NO_TSLIB"
@@ -6818,6 +6835,8 @@ report_support "    getaddrinfo .........." "$CFG_GETADDRINFO"
 report_support "    getifaddrs ..........." "$CFG_GETIFADDRS"
 report_support "    IPv6 ifname .........." "$CFG_IPV6IFNAME"
 report_support "    OpenSSL .............." "$CFG_OPENSSL" yes "loading libraries at run-time" linked "linked to the libraries"
+[ "$XPLATFORM_MAC" = "yes" ] && \
+    report_support "    SecureTransport ......" "$CFG_SECURETRANSPORT"
 report_support "  NIS ...................." "$CFG_NIS"
 report_support "  OpenGL / OpenVG:"
 report_support "    EGL .................." "$CFG_EGL"

src/network/ssl/qsslcertificate.cpp

@@ -105,12 +105,16 @@
     \value EmailAddress The email address associated with the certificate
 */
 
+#include <QtCore/qglobal.h>
 #ifndef QT_NO_OPENSSL
 #include "qsslsocket_openssl_symbols_p.h"
 #endif
 #ifdef Q_OS_WINRT
 #include "qsslsocket_winrt_p.h"
 #endif
+#ifdef QT_SECURETRANSPORT
+#include "qsslsocket_mac_p.h"
+#endif
 
 #include "qssl_p.h"
 #include "qsslcertificate.h"

src/network/ssl/qsslkey_mac.cpp

@@ -0,0 +1,91 @@
+/****************************************************************************
+**
+** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
+** Contact: http://www.qt-project.org/legal
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** Commercial License Usage
+** Licensees holding valid commercial Qt licenses may use this file in
+** accordance with the commercial license agreement provided with the
+** Software or, alternatively, in accordance with the terms contained in
+** a written agreement between you and Digia.  For licensing terms and
+** conditions see http://qt.digia.com/licensing.  For further information
+** use the contact form at http://qt.digia.com/contact-us.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Digia gives you certain additional
+** rights.  These rights are described in the Digia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** GNU General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU
+** General Public License version 3.0 as published by the Free Software
+** Foundation and appearing in the file LICENSE.GPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU General Public License version 3.0 requirements will be
+** met: http://www.gnu.org/copyleft/gpl.html.
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+#include "qsslkey.h"
+#include "qsslkey_p.h"
+
+#include <CommonCrypto/CommonCrypto.h>
+
+QT_USE_NAMESPACE
+
+static QByteArray wrapCCCrypt(CCOperation ccOp,
+                              QSslKeyPrivate::Cipher cipher,
+                              const QByteArray &data,
+                              const QByteArray &key, const QByteArray &iv)
+{
+    int blockSize;
+    CCAlgorithm ccAlgorithm;
+    switch (cipher) {
+    case QSslKeyPrivate::DesCbc:
+        blockSize = kCCBlockSizeDES;
+        ccAlgorithm = kCCAlgorithmDES;
+        break;
+    case QSslKeyPrivate::DesEde3Cbc:
+        blockSize = kCCBlockSize3DES;
+        ccAlgorithm = kCCAlgorithm3DES;
+        break;
+    case QSslKeyPrivate::Rc2Cbc:
+        blockSize = kCCBlockSizeRC2;
+        ccAlgorithm = kCCAlgorithmRC2;
+        break;
+    };
+    size_t plainLength = 0;
+    QByteArray plain(data.size() + blockSize, 0);
+    CCCryptorStatus status = CCCrypt(
+        ccOp, ccAlgorithm, kCCOptionPKCS7Padding,
+        key.constData(), key.size(),
+        iv.constData(),
+        data.constData(), data.size(),
+        plain.data(), plain.size(), &plainLength);
+    if (status == kCCSuccess)
+        return plain.left(plainLength);
+    return QByteArray();
+}
+
+QByteArray QSslKeyPrivate::decrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv)
+{
+    return wrapCCCrypt(kCCDecrypt, cipher, data, key, iv);
+}
+
+QByteArray QSslKeyPrivate::encrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv)
+{
+    return wrapCCCrypt(kCCEncrypt, cipher, data, key, iv);
+}

src/network/ssl/qsslsocket.cpp

@@ -312,6 +312,9 @@
 #ifdef Q_OS_WINRT
 #include "qsslsocket_winrt_p.h"
 #endif
+#ifdef QT_SECURETRANSPORT
+#include "qsslsocket_mac_p.h"
+#endif
 #include "qsslconfiguration_p.h"
 
 #include <QtCore/qdebug.h>

src/network/ssl/qsslsocket_mac_p.h

@@ -0,0 +1,125 @@
+/****************************************************************************
+**
+** Copyright (C) 2014 Jeremy Lainé <jeremy.laine@m4x.org>
+** Contact: http://www.qt-project.org/legal
+**
+** This file is part of the QtNetwork module of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** Commercial License Usage
+** Licensees holding valid commercial Qt licenses may use this file in
+** accordance with the commercial license agreement provided with the
+** Software or, alternatively, in accordance with the terms contained in
+** a written agreement between you and Digia.  For licensing terms and
+** conditions see http://qt.digia.com/licensing.  For further information
+** use the contact form at http://qt.digia.com/contact-us.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Digia gives you certain additional
+** rights.  These rights are described in the Digia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** GNU General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU
+** General Public License version 3.0 as published by the Free Software
+** Foundation and appearing in the file LICENSE.GPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU General Public License version 3.0 requirements will be
+** met: http://www.gnu.org/copyleft/gpl.html.
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+#ifndef QSSLSOCKET_MAC_P_H
+#define QSSLSOCKET_MAC_P_H
+
+//
+//  W A R N I N G
+//  -------------
+//
+// This file is not part of the Qt API.  It exists for the convenience
+// of the QtNetwork library.  This header file may change from
+// version to version without notice, or even be removed.
+//
+// We mean it.
+//
+
+#include <QtCore/private/qcore_mac_p.h>
+
+#include <QtCore/qstring.h>
+#include <QtCore/qglobal.h>
+#include <QtCore/qlist.h>
+
+#include "qabstractsocket.h"
+#include "qsslsocket_p.h"
+
+#include <Security/Security.h>
+#include <Security/SecureTransport.h>
+
+QT_BEGIN_NAMESPACE
+
+class QSslSocketBackendPrivate : public QSslSocketPrivate
+{
+    Q_DECLARE_PUBLIC(QSslSocket)
+public:
+    QSslSocketBackendPrivate();
+    virtual ~QSslSocketBackendPrivate();
+
+    // Final-overriders (QSslSocketPrivate):
+    void continueHandshake() Q_DECL_OVERRIDE;
+    void disconnected() Q_DECL_OVERRIDE;
+    void disconnectFromHost() Q_DECL_OVERRIDE;
+    QSslCipher sessionCipher() const Q_DECL_OVERRIDE;
+    QSsl::SslProtocol sessionProtocol() const Q_DECL_OVERRIDE;
+    void startClientEncryption() Q_DECL_OVERRIDE;
+    void startServerEncryption() Q_DECL_OVERRIDE;
+    void transmit() Q_DECL_OVERRIDE;
+
+    static QList<QSslError> (verify)(QList<QSslCertificate> certificateChain,
+                                     const QString &hostName);
+
+    static bool importPkcs12(QIODevice *device,
+                             QSslKey *key, QSslCertificate *cert,
+                             QList<QSslCertificate> *caCertificates,
+                             const QByteArray &passPhrase);
+
+    static QSslCipher QSslCipher_from_SSLCipherSuite(SSLCipherSuite cipher);
+
+private:
+    // SSL context management/properties:
+    bool initSslContext();
+    void destroySslContext();
+    bool setSessionCertificate(QString &errorDescription,
+                               QAbstractSocket::SocketError &errorCode);
+    bool setSessionProtocol();
+    // Aux. functions to do a verification during handshake phase:
+    bool verifySessionProtocol() const;
+    bool verifyPeerTrust();
+
+    bool checkSslErrors();
+    bool startHandshake();
+
+    // Aux. function, sets:
+    //1) socket error code,
+    //2) error string (description)
+    //3) emits a signal.
+    void setError(const QString &errorString,
+                  QAbstractSocket::SocketError errorCode);
+
+    mutable QCFType<SSLContextRef> context;
+
+    Q_DISABLE_COPY(QSslSocketBackendPrivate);
+};
+
+QT_END_NAMESPACE
+
+#endif

src/network/ssl/qsslsocket_p.h

@@ -53,6 +53,8 @@
 #include "qsslconfiguration_p.h"
 #ifndef QT_NO_OPENSSL
 #include <private/qsslcontext_openssl_p.h>
+#else
+class QSslContext;
 #endif
 
 #include <QtCore/qstringlist.h>

src/network/ssl/ssl.pri

@@ -40,6 +40,15 @@ contains(QT_CONFIG, ssl) | contains(QT_CONFIG, openssl) | contains(QT_CONFIG, op
                    ssl/qsslsocket_winrt.cpp \
                    ssl/qsslellipticcurve_dummy.cpp
     }
+
+    contains(QT_CONFIG, securetransport) {
+        HEADERS += ssl/qsslsocket_mac_p.h
+        SOURCES += ssl/qsslcertificate_qt.cpp \
+                   ssl/qsslkey_qt.cpp \
+                   ssl/qsslkey_mac.cpp \
+                   ssl/qsslsocket_mac.cpp \
+                   ssl/qsslellipticcurve_dummy.cpp
+    }
 }
 
 contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {

tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp

@@ -32,7 +32,7 @@
 **
 ****************************************************************************/
 
-
+#include <QtCore/qglobal.h>
 #include <QtCore/qthread.h>
 #include <QtNetwork/qhostaddress.h>
 #include <QtNetwork/qhostinfo.h>
@@ -992,7 +992,7 @@ void tst_QSslSocket::protocol()
         socket->abort();
     }
 #endif
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     {
         // qt-test-server allows SSLV2.
         socket->setProtocol(QSsl::SslV2);
@@ -1129,7 +1129,7 @@ void tst_QSslSocket::protocolServerSide_data()
     QTest::addColumn<QSsl::SslProtocol>("clientProtocol");
     QTest::addColumn<bool>("works");
 
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("ssl2-ssl2") << QSsl::SslV2 << QSsl::SslV2 << false; // no idea why it does not work, but we don't care about SSL 2
 #endif
     QTest::newRow("ssl3-ssl3") << QSsl::SslV3 << QSsl::SslV3 << true;
@@ -1138,7 +1138,7 @@ void tst_QSslSocket::protocolServerSide_data()
     QTest::newRow("any-any") << QSsl::AnyProtocol << QSsl::AnyProtocol << true;
     QTest::newRow("secure-secure") << QSsl::SecureProtocols << QSsl::SecureProtocols << true;
 
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("ssl2-ssl3") << QSsl::SslV2 << QSsl::SslV3 << false;
     QTest::newRow("ssl2-tls1.0") << QSsl::SslV2 << QSsl::TlsV1_0 << false;
     QTest::newRow("ssl2-tls1ssl3") << QSsl::SslV2 << QSsl::TlsV1SslV3 << false;
@@ -1146,33 +1146,33 @@ void tst_QSslSocket::protocolServerSide_data()
     QTest::newRow("ssl2-any") << QSsl::SslV2 << QSsl::AnyProtocol << false; // no idea why it does not work, but we don't care about SSL 2
 #endif
 
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("ssl3-ssl2") << QSsl::SslV3 << QSsl::SslV2 << false;
 #endif
     QTest::newRow("ssl3-tls1.0") << QSsl::SslV3 << QSsl::TlsV1_0 << false;
     QTest::newRow("ssl3-tls1ssl3") << QSsl::SslV3 << QSsl::TlsV1SslV3 << true;
     QTest::newRow("ssl3-secure") << QSsl::SslV3 << QSsl::SecureProtocols << false;
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << false; // we won't set a SNI header here because we connect to a
                                                                             // numerical IP, so OpenSSL will send a SSL 2 handshake
 #else
     QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << true;
 #endif
 
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("tls1.0-ssl2") << QSsl::TlsV1_0 << QSsl::SslV2 << false;
 #endif
     QTest::newRow("tls1.0-ssl3") << QSsl::TlsV1_0 << QSsl::SslV3 << false;
     QTest::newRow("tls1-tls1ssl3") << QSsl::TlsV1_0 << QSsl::TlsV1SslV3 << true;
     QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << true;
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << false; // we won't set a SNI header here because we connect to a
                                                                             // numerical IP, so OpenSSL will send a SSL 2 handshake
 #else
     QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << true;
 #endif
 
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("tls1ssl3-ssl2") << QSsl::TlsV1SslV3 << QSsl::SslV2 << false;
 #endif
     QTest::newRow("tls1ssl3-ssl3") << QSsl::TlsV1SslV3 << QSsl::SslV3 << true;
@@ -1180,7 +1180,7 @@ void tst_QSslSocket::protocolServerSide_data()
     QTest::newRow("tls1ssl3-secure") << QSsl::TlsV1SslV3 << QSsl::SecureProtocols << true;
     QTest::newRow("tls1ssl3-any") << QSsl::TlsV1SslV3 << QSsl::AnyProtocol << true;
 
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("secure-ssl2") << QSsl::SecureProtocols << QSsl::SslV2 << false;
 #endif
     QTest::newRow("secure-ssl3") << QSsl::SecureProtocols << QSsl::SslV3 << false;
@@ -1188,7 +1188,7 @@ void tst_QSslSocket::protocolServerSide_data()
     QTest::newRow("secure-tls1ssl3") << QSsl::SecureProtocols << QSsl::TlsV1SslV3 << true;
     QTest::newRow("secure-any") << QSsl::SecureProtocols << QSsl::AnyProtocol << true;
 
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT)
     QTest::newRow("any-ssl2") << QSsl::AnyProtocol << QSsl::SslV2 << false; // no idea why it does not work, but we don't care about SSL 2
 #endif
     QTest::newRow("any-ssl3") << QSsl::AnyProtocol << QSsl::SslV3 << true;

tests/auto/network/ssl/ssl.pro

@@ -6,7 +6,7 @@ SUBDIRS=\
    qsslerror \
    qsslkey \
 
-contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {
+contains(QT_CONFIG, ssl) | contains(QT_CONFIG, openssl) | contains(QT_CONFIG, openssl-linked) {
     contains(QT_CONFIG, private_tests) {
         SUBDIRS += \
             qsslsocket \