Commit Graph

527 Commits

Author SHA1 Message Date
Richard J. Moore
1b19f66037 Ensure all encrypted bytes are sent when closing QSslSocket.
If you do sock->write(data) followed by sock->close() then the data
written is not transmitted unless you flush when using QSslSocket but
is when using QTcpSocket. This change makes QSslSocket work like
QTcpSocket.

Change-Id: Ia2e1c021dc48ac0d573f78da782ea77641c03bc1
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-05-26 15:06:12 +02:00
Simon Hausmann
508b95899d Merge remote-tracking branch 'origin/stable' into dev
Change-Id: Ia36e93771066d8abcf8123dbe2362c5c9d9260fc
2014-05-22 07:46:17 +02:00
Richard J. Moore
802e50c86b Avoid accessing the internals of the SSL_CIPHER struct.
Avoid accessing the internals of the SSL_CIPHER struct since this has
changed size etc. over time leading to binary incompatibilities.

Task-number: QTBUG-32423
Task-number: QTBUG-23363
Change-Id: I8cb399484e3a62be7d511f4b8b22c876825c87d4
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2014-05-19 15:52:58 +02:00
Friedemann Kleint
70cd276db0 Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev 2014-05-14 18:43:38 +02:00
Richard J. Moore
1a8788d966 Move the PKCS#12 support from QSslSocket to QSslCertificate.
Discussed with Peter and agreed that it's a slightly better fit there.

Change-Id: If8db777336e2273670a23d75d8542b30c07e0d7b
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-05-14 11:08:01 +02:00
Frederik Gladhorn
3d4aeb7919 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/gui/kernel/qguiapplication.cpp

Change-Id: Ibe75603dc8a51769db6550ea3f07bc8d19b0be85
2014-05-13 22:19:10 +02:00
Frederik Gladhorn
73bc91c9df Merge remote-tracking branch 'origin/release' into stable
Change-Id: I9300572e2b74f0564b2589cbd0fbdf24850f68df
2014-05-12 14:01:46 +02:00
Richard J. Moore
50e8e95385 Add support for loading PKCS#12 bundles.
Add support for loading certificates and keys from PKCS#12 bundles
(also known as pfx files).

Task-number: QTBUG-1565

[ChangeLog][QtNetwork][QSslSocket] Support for loading PKCS#12
bundles was added. These are often used to transport keys and
certificates conveniently, particularly when making use of
client certificates.

Change-Id: Idaeb2cb4dac4b19881a5c99c7c0a7eea00c2b207
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2014-05-11 23:50:03 +02:00
Peter Hartmann
3e9904b98b QSslCertificate::isSelfSigned(): add since tag in documentation
Change-Id: I6a4e96fb1a94a1a55eabe6b3e0df09b5d27fd8a2
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-05-11 13:51:03 +02:00
Daniel Molkentin
0065b55da4 Ignore expired certificate during certificate validation
OpenSSL has a bug when validating a chain with two certificates.
If a certificate exists twice (which is a valid use case for renewed
CAs), and the first one it hits is expired (which depends on the order
on data structure internal to OpenSSL), it will fail to validate the
chain.

This is only a bandaid fix, which trades improved chain validation
for error reporting accuracy. However given that reissuing of CA certs
is a real problem that is only getting worse, this fix is needed.

See also: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS

[ChangeLog][QtNetwork][QSslSocket] Added a workaround to an OpenSSL problem
that may cause errors when the trust store contains two certificates of the
issuing CA, one of which is expired.

Task-number: QTBUG-38896
Change-Id: I8f17972ac94555648098624e470fff0eff2e7940
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@digia.com>
2014-05-11 11:34:21 +02:00
Frederik Gladhorn
1326cd15f7 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	mkspecs/qnx-x86-qcc/qplatformdefs.h
	src/corelib/global/qglobal.h
	src/opengl/gl2paintengineex/qpaintengineex_opengl2.cpp
	src/opengl/qgl.cpp
	src/opengl/qglpixelbuffer.cpp
	src/opengl/qglshaderprogram.cpp
	tests/auto/opengl/qglthreads/tst_qglthreads.cpp

Change-Id: Iaba137884d3526a139000ca26fee02bb27b5cdb5
2014-05-06 16:50:03 +02:00
Daniel Molkentin
ae7bbe3400 Provide new API: QSslCertificate::isSelfSigned()
Change-Id: I382a017a0b865b849667301aff8b2f87b676ecc6
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-04-30 01:30:08 +02:00
Sérgio Martins
ff9afeed51 Fix build against older OpenSSL.
The declaration of q_SSL_ctrl is ifdefed, so ifdef its usage too.

Change-Id: I99a53af6f4f24ed991d39ab89f18e03b8f38c617
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-04-14 11:30:57 +02:00
Frederik Gladhorn
98d3e40fb7 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	mkspecs/qnx-armv7le-qcc/qplatformdefs.h
	src/printsupport/kernel/qcups.cpp
	src/widgets/styles/qstyle.h
	tests/auto/widgets/itemviews/qlistwidget/tst_qlistwidget.cpp

Change-Id: Ia41e13051169a6d4a8a1267548e7d47b859bb267
2014-04-11 14:36:55 +02:00
Richard J. Moore
814a1c7b2b Support for DH and ECDH key exchange for QSslSocket servers
Despite supporting DH and ECDH key exchange as a client, Qt did not provide
any default parameters which prevented them being used as a server. A
future change should allow the user to control the parameters used, but
these defaults should be okay for most users.

[ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange
cipher suites when acting as an SSL server has been made possible. This
change means that you can now implement servers that offer forward-secrecy
using Qt.

Task-number: QTBUG-20666
Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-04-09 20:53:06 +02:00
Richard J. Moore
f41418aeb2 Ensure we initialize things before checking the openssl version.
Task-number: QTBUG-37783
Change-Id: Ie276e597062d8bfc74ef57251ed21a94020e030f
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@digia.com>
2014-04-08 10:40:50 +02:00
Frederik Gladhorn
3b5c0bc078 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/gui/image/qjpeghandler.cpp

Change-Id: I9db3acea7d5c82f5da679c8eaeb29431136665f0
2014-03-24 16:10:15 +01:00
Friedemann Kleint
baa3d329ac Fix crash if SSL_get0_next_proto_negotiated() cannot be resolved.
Crash occurs after warnings like:

QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated

Task-number: QTBUG-37515
Task-number: QTBUG-33208

Change-Id: I18b803e4709b9d5f6b33717c2ac43179676351a4
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-03-20 13:15:14 +01:00
Sergio Ahumada
27016b89ae Merge remote-tracking branch 'origin/stable' into dev
Change-Id: Idec54e19963e8d88c711cb179cffc81596323899
2014-03-13 15:57:11 +01:00
Kurt Pattyn
1f4cda9a70 Replace Note: with \note in documentation
Change-Id: I213ac1fb2733e675f3641441fe6c621bab06c1f0
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-03-13 13:25:58 +01:00
Richard J. Moore
3683bc97d2 Add accessors for the build-time version of openssl.
Many bugs originate due to mismatches between the build-time and
run-time versions of openssl but they're hard to debug as we don't
provide access to the build-time info. This addresses that weakness.

[ChangeLog][QtNetwork][QSslSocket] Added accessors for the version
of openssl used at build-time. This will help when debugging
problems caused by a mismatch with the run-time version.

Change-Id: I6a4c21c8f16ab4c90cdf166f38c62fe37bf1f165
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-03-10 22:18:35 +01:00
Richard J. Moore
233a2f37bf Add support for finding the version of SSL/TLS in use.
Previously we allowed you to specify which version(s) you wanted to use,
but did not provide access to the version that was actually negotiated.

[ChangeLog][QtNetwork][QSslSocket] Add support for finding the version
of SSL/TLS in use by a connection.

Task-number: QTBUG-28471
Change-Id: I6d50d2bc9f1ce7f98192e67992178fe7e41c0575
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-03-10 22:18:23 +01:00
Sergio Ahumada
7e872de76e Fix some typos
Change-Id: I7dbe938bff5ac3ab50a0197f94bdb2f6c22fbd16
Reviewed-by: Kevin Krammer <kevin.krammer@kdab.com>
Reviewed-by: Mitch Curtis <mitch.curtis@digia.com>
2014-03-03 18:24:29 +01:00
Marc Mutz
d9ce5c35df QSslCipher: make QString constructor explicit
A QSslCipher is not an equivalent representation of a QString, so
the constructor that takes a QString should be explicit.

Change-Id: I4c1329d1eebf91b212616eb5200450c0861d900f
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
2014-02-21 20:33:10 +01:00
Frederik Gladhorn
a9c88c1f39 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/gui/image/qimage.cpp
	src/gui/text/qtextengine.cpp
	src/plugins/platforms/linuxfb/qlinuxfbscreen.cpp
	src/printsupport/kernel/qprintengine_win.cpp

Change-Id: I09ce991a57f39bc7b1ad6978d0e0d858df0cd444
2014-02-12 16:28:07 +01:00
Richard J. Moore
fd00bfc788 Correct the documentation of the return types of subjectInfo and issuerInfo.
These functions now return a QStringList to reflect the possibility of
there being more than one entry of a given type, but the documentation
did not reflect this.

Task-Number: QTBUG-36304
Change-Id: Iba2eda5e2c3174c8dcea640b5aed9cdc9a432392
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-02-12 01:41:34 +01:00
Peter Hartmann
42cfb5fe4d SSL: add support for the Next Protocol Negotiation extension
... which is needed to negotiate the SPDY protocol.

[ChangeLog][QtNetwork][QSslConfiguration] Added support for the Next
Protocol Negotiation (NPN) TLS extension.

Task-number: QTBUG-33208

Change-Id: I3c945f9b7e2d2ffb0814bfdd3e87de1dae6c20ef
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
2014-02-11 15:37:10 +01:00
Richard J. Moore
30d199a76c Fix the QSslSocket::setCiphers(const QString &) overload.
The overload used an evil hack to work around a flaw in the QSslCipher
API rather than fixing the API. The hack was broken by the addition of
support for newer versions of TLS. This change solves the issue properly
by fixing the QSslCipher API then using the fixed version.

Task-Number: QTBUG-34688
Change-Id: Ibf677c374f837f705395741e730d40d8f912d7c6
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-02-02 12:18:23 +01:00
Frederik Gladhorn
46791c08e1 Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev 2014-01-21 17:57:54 +01:00
Richard J. Moore
5c19fad8c1 Ensure weak ciphers are not part of the default SSL configuration.
Any cipher that is < 128 bits is excluded from the default SSL
configuration. These ciphers are still included in the list
of availableCiphers() and can be used by applications if required.
Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers())
will restore the old behavior.

Note that in doing so I spotted that calling defaultCiphers() before
doing other actions with SSL had an existing bug that I've addressed
as part of the change.

[ChangeLog][Important Behavior Changes] The default set of
ciphers used by QSslSocket has been changed to exclude ciphers that are
using key lengths smaller than 128 bits. These ciphers are still available
and can be enabled by applications if required.

Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-21 03:41:34 +01:00
Frederik Gladhorn
9033977d39 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/corelib/global/qglobal.h
	src/corelib/tools/qstring.cpp
	src/gui/image/image.pri
	src/gui/image/qimage.cpp
	src/plugins/platforms/cocoa/qcocoawindow.h
	src/plugins/platforms/cocoa/qcocoawindow.mm
	src/plugins/platforms/eglfs/qeglfshooks_stub.cpp
	tests/auto/corelib/io/qstandardpaths/tst_qstandardpaths.cpp

Change-Id: I3b9ba029c8f2263b011f204fdf68c3231c6d4ce5
2014-01-20 18:18:59 +01:00
Richard J. Moore
7c8131763d Prevent spurious SSL errors from local certificates.
Qt since approximately 4.4 has set the verify callback on both the SSL
store and the SSL context. Only the latter is actually needed. This is
normally not a problem, but openssl prior to 1.0.2 uses the verify
code to find the intermediate certificates for any local certificate
that has been set which can lead to verification errors for the local
certificate to be emitted.

Task-number: QTBUG-33228
Task-number: QTBUG-7200
Task-number: QTBUG-24234
Change-Id: Ie4115e7f7faa1267ea9b807c01b1ed6604c4a16c
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-16 21:57:06 +01:00
Oswald Buddenhagen
882bf3475c expand tabs and related whitespace fixes in *.{cpp,h,qdoc}
the diff -w for this commit is empty.

Started-by: Thiago Macieira <thiago.macieira@intel.com>
Change-Id: I77bb84e71c63ce75e0709e5b94bee18e3ce6ab9e
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-13 22:46:50 +01:00
Peter Hartmann
7eecbb0718 SSL: blacklist ANSSI intermediate certificate
... because it was used to operate a man-in-the-middle proxy.

Task-number: QTBUG-35474
Change-Id: Ic7f19708b278b866e4f06533cbd84e0ff43357e9
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-12-10 15:14:22 +01:00
Peter Hartmann
becdfa6fab QSslConfiguration: rename [get]session() to [get]sessionTicket()
to reflect the fact that this returns and sets the whole session
ticket, and not just the session ID.

Change-Id: I00fe2bc4197dbcd7a02b3ae4f2f84e3a2a7edad0
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-11-08 18:58:27 +01:00
Oswald Buddenhagen
43684a20d0 use private linkage where possible
Change-Id: Ie8eaa71bee87654c21218a23efd7e9d65b71f022
Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-10-31 19:49:32 +01:00
Oswald Buddenhagen
e469e667e3 use the right scope
"windows" only worked more or less by accident (it's the opposite of
"console" and just happens to be the default on windows).

Change-Id: Ib60c8ae5aea04f28207c05cc0005183dd6eb6244
Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-10-31 19:49:19 +01:00
Jerome Pasion
4533cc9944 Doc: Adding mark-up to boolean default values.
Default values should have mark-up to denote that they are code.
This commit changes:
-"property is true" to "property is \c true".
-"Returns true" to "Returns \c true".
-"property is false" to "property is \c false".
-"returns true" to "returns \c true".
-"returns false" to "returns \c false".

src/3rdparty and non-documentation instances were ignored.

Task-number: QTBUG-33360
Change-Id: Ie87eaa57af947caa1230602b61c5c46292a4cf4e
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Reviewed-by: Jerome Pasion <jerome.pasion@digia.com>
2013-10-08 00:46:27 +02:00
sfabry
1c1771effc Fix ssh root certificates path for Blackberry playbook OS.
This was removed by commit 4c8d8a72ec
But without it Playbook OS 2.1.0.1753 could not access ssh properly.

Change-Id: I18e136eaede2a5dffeb10b5fe31023b9aef709cb
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2013-10-03 23:32:16 +02:00
Jędrzej Nowacki
0f3315a4dd Remove redundant code.
QPair is documented to initialize members

Change-Id: I1dccfd265521ca3ca1a648b161c0a163c72e2f2e
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-29 14:14:42 +02:00
Jędrzej Nowacki
bb26e087bd Reduce QtNetwork lib size by 16111 bytes.
Warning message was repeated multiple times inside the library.

Change-Id: Idcd417dda22de189893db597acfc36c2aa99d078
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-27 18:31:23 +02:00
Jędrzej Nowacki
4aca7847be Fix open ssl forwarding macros.
This patch fixes them in many ways:
- use Q_UNLIKELY to mark an error case
- reduce QtNetwork library size by 40315 bytes
- fix DEFINEFUNC9 which had wrong logic, happily it was not used
anywhere

Change-Id: Ic46a569f85aa22a00ecd88158e60c52f4665ec4c
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-27 18:31:23 +02:00
Scott Deboy
af61b7312e Resolve error caused by server-initiated TLS renegotiation
Updating the SSL_write code to correctly handle
SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ, which are not actual errors.

Change-Id: Icd7369b438ef402bf438c3fcc64514a1f9f45452
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-17 23:13:05 +02:00
Frederik Gladhorn
5c23199d4e Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	configure
	mkspecs/macx-xcode/Info.plist.app
	mkspecs/macx-xcode/Info.plist.lib
	qmake/doc/qmake.qdocconf
	src/corelib/global/qglobal.h
	tests/auto/other/exceptionsafety/exceptionsafety.pro
	tests/auto/widgets/widgets/qcombobox/tst_qcombobox.cpp

Change-Id: I3c769a4a82dc2e99a12c69123fbf17613fd2ac2a
2013-08-14 09:06:31 +02:00
Liang Qi
c207724c9b OSX: Make QSslSocket compile on 10.9
CSSM_DATA_PTR was deprecated in 10.7. Replace SecCertificateGetData
with SecCertificateCopyData.

Task-number: QTBUG-32715
Change-Id: I762687370689b5b5c032567240667631b1ffde98
Reviewed-by: Jake Petroules <jake.petroules@petroules.com>
Reviewed-by: Gabriel de Dietrich <gabriel.dedietrich@digia.com>
2013-08-06 08:10:27 +02:00
Paul Olav Tvete
591584d9a9 Android: Get SSL root certificates from TrustManager
On Android, when not using Ministro, we cannot read certificates
from the file system, so we have to get them through Java APIs instead.

Change-Id: I415329fcb45836735c1112dbe832214b3c73dc9a
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
2013-07-29 15:38:51 +02:00
Peter Hartmann
69b31f7b65 QNX: adapt SSL lib file name lookup heuristics
I.e. do not try to load file names that are not there anyhow. The
code would search for libcrypto.so.1.0.0 and libssl.so.1.0.0, while
on QNX the libs are called libcrypto.so and libssl.so, and there
are no symlinks with version numbers.

This saves ~ 45 ms in real apps (tested with Facebook, Twitter and
Foursquare), and ~ 24 ms at app startup in an isolated app without
GUI (difference maybe because threads are fighting for CPU or so).

Task-number: QTBUG-32548
Change-Id: I25869538bbfa3c2848541415e8361e0bd7a8fd50
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-07-26 17:14:44 +02:00
Peter Hartmann
28ff65f4dc QNX: hardcode on-demand SSL root cert loading
The c_rehash'ed symlinks are always there on QNX, so no need to check
at every app start for the feature. This saves ~ 17ms at each app
start.

Task-number: QTBUG-32549
Change-Id: Ia9df60aba9d1bd70868b7004b847867a2128f600
Reviewed-by: Andreas Holzammer <andreas.holzammer@kdab.com>
Reviewed-by: Rafael Roquetto <rafael.roquetto@kdab.com>
2013-07-26 09:52:29 +02:00
Frederik Gladhorn
084c5b3db7 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	tests/auto/dbus/qdbusabstractinterface/tst_qdbusabstractinterface.cpp

Change-Id: I18a9d83fc14f4a9afdb1e40523ec51e3fa1d7754
2013-07-23 11:18:11 +02:00
Eskil Abrahamsen Blomfeldt
61fbdc00fb Fix compilation of run-time-resolved SSL on Android
We need the same code for both the no-sdk and the sdk case for
the OpenSSL code, since this is not covered by a system library,
but by an external dependency in both cases.

Task-number: QTBUG-32130
Change-Id: I976835556fcb0e6c32cfb3da4dd585e45490061b
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-07-19 12:32:14 +02:00
Frederik Gladhorn
80604a0786 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/corelib/global/qglobal.h
	src/plugins/platforms/cocoa/qnsview.mm

Change-Id: I6fe345df5c417cb7a55a3f91285d9b47a22c04fa
2013-06-04 19:34:36 +02:00
aavit
a3a43abc04 Fixes: QtNetwork compilation for OpenSSL < 1.0.0
Incorporate some more of the API changes between OpenSSL versions
0.9.8 and 1.0.0.

Task-number: QTBUG-31140

Change-Id: Ie719b34e3ec8751f0fbc07d315e82816c110762c
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2013-05-23 22:00:46 +02:00
Frederik Gladhorn
d3a8bc803c Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/corelib/io/qdatastream.cpp
	src/corelib/io/qdatastream.h
	src/corelib/json/qjsonwriter.cpp
	src/plugins/platforms/cocoa/qcocoawindow.mm
	src/plugins/platforms/xcb/qxcbkeyboard.cpp

Change-Id: I46fef1455f5a9f2ce1ec394a3c65881093c51b62
2013-05-23 21:27:07 +02:00
Matt Fischer
d37dc75116 Improve support for <MODULE>_PATH options
Several modules, including DBus, MySQL, and OpenSSL have
configure options of the form <MODULE>_PATH, which is used
on Windows (where pkg-config is not present) to specify the
locations of third-party libraries.  These switches had been
implemented by adding extra variables which were referenced
in .pro files, to add the appropriate compiler and linker
switches.  This is undesirable because it means there are
two independent paths for adding the switches to the build,
which can get out of sync with each other, and indeed this
had happened for some of the DBus tools.

To remedy the situation, all three of the switches were
reworked so that they added values directly to the principal
variables that are used in the project files.  This reduces
maintenance, by ensuring that the pkg-config and non-pkg-config
paths appear the same to the rest of the build system.

Change-Id: Iae342f1d14b79fbcfef9fe38aadc803ad3141799
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
2013-05-10 19:39:53 +02:00
Peter Hartmann
3be197881f QSslConfiguration: add API to persist and resume SSL sessions
Session tickets can be cached on the client side for hours (e.g.
graph.facebook.com: ~ 24 hours, api.twitter.com: 4 hours), because the
server does not need to maintain state.
We need public API for it so an application can cache the session (e.g.
to disk) and resume a session already with the 1st handshake, saving
one network round trip.

Task-number: QTBUG-20668
Change-Id: I10255932dcd528ee1231538cb72b52b97f9f4a3c
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-05-10 09:15:55 +02:00
Jake Petroules
f7eea69a2a Utilize the new Q_OS_MACX define.
All occurrences of `#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)` have
been replaced with `#if defined(Q_OS_MACX)`.

Change-Id: I5055d9bd1845136beb8ed1c79a8f0f2c0897751a
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-05-09 12:17:59 +02:00
Frederik Gladhorn
85e3c53e5c Merge remote-tracking branch 'origin/stable' into dev
Change-Id: I2a54058b64ac69c78b4120fdaf09b96e025a4c6c
2013-04-29 14:17:09 +02:00
Peter Hartmann
e145b67fbd SSL internals: do not write after shutting down the socket
... but rather throw an error, so the HTTP layer can recover from a SSL
shutdown gracefully. In case the other side sent us a shutdown, we should
not send one as well, as it results in an error.

Change-Id: Ie7a56cf3008b6ead912aade18dbec67846e2a87e
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-04-23 23:22:43 +02:00
Frederik Gladhorn
4c231d5df3 Merge remote-tracking branch 'origin/stable' into dev
Change-Id: I059725e3b7d7ffd5a16a0931e6c17200917172b5
2013-04-22 16:35:43 +02:00
Peter Hartmann
7df16fb4cc SSL namespace: Add enum to disable SSL session sharing
There is already an enum to disable SSL session tickets, which has been
used to disable session sharing for now. However, SSL session sharing
is not the same as SSL session tickets: Session sharing is built into
the SSL protocol, while session tickets is a TLS extension (RFC 5077).

Change-Id: If76b99c94b346cfb00e47366e66098f6334fd9bc
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-04-22 10:58:14 +02:00
Peter Hartmann
835e720c7e SSL internals: fix memory corruption using QSslConfigurationPrivate
We are passing a QSslConfigurationPrivate that is allocated on the stack
(in QSslSocketBackendPrivate::initSslContext()) to
QSslConfiguration::QSslConfiguration(QSslConfigurationPrivate *dd).
When the SSL context is destroyed, this object is not there any more.
So now we create a deep copy of the configuration like we do in
QSslSocket::sslConfiguration().

Task-number: QTBUG-30648
Change-Id: Iaefaa9c00fd6bfb707eba5ac59e9508bf951f8a5
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-04-18 22:02:18 +02:00
Peter Hartmann
1f180e9690 SSL code: store SSL parameters for debugging, guarded by define
... so SSL traffic can be decrypted with e.g. tcpdump / Wireshark.
For this to work, the define needs to be uncommented and QtNetwork
recompiled. This will create a file in /tmp/qt-ssl-keys which can
be fed into Wireshark.
A recent version of Wireshark is needed for this to work.

Change-Id: I4e41fd2e6122260cd96d443b1360edc71b08b5fd
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-03-22 19:52:26 +01:00
Axel Waggershauser
b11317a643 Whitespace cleanup: remove trailing whitespace
Remove all trailing whitespace from the following list of files:
*.cpp *.h *.conf *.qdoc *.pro *.pri *.mm *.rc *.pl *.qps *.xpm *.txt *README
excluding 3rdparty, test-data and auto generated code.

Note A): the only non 3rdparty c++-files that still
have trailing whitespace after this change are:
* src/corelib/codecs/cp949codetbl_p.h
* src/corelib/codecs/qjpunicode.cpp
* src/corelib/codecs/qbig5codec.cpp
* src/corelib/xml/qxmlstream_p.h
* src/tools/qdoc/qmlparser/qqmljsgrammar.cpp
* src/tools/uic/ui4.cpp
* tests/auto/other/qtokenautomaton/tokenizers/*
* tests/benchmarks/corelib/tools/qstring/data.cpp
* util/lexgen/tokenizer.cpp

Note B): in about 30 files some overlapping 'leading tab' and
'TAB character in non-leading whitespace' issues have been fixed
to make the sanity bot happy. Plus some general ws-fixes here
and there as asked for during review.

Change-Id: Ia713113c34d82442d6ce4d93d8b1cf545075d11d
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
2013-03-16 20:22:50 +01:00
Samuel Rødal
c2f17ad937 Fixed build of SSL when using android-no-sdk.
Introduced Q_OS_ANDROID_NO_SDK which makes more sense than
Q_OS_LINUX_ANDROID when Q_OS_ANDROID also defines Q_OS_LINUX.

Change-Id: Id2aa228b66daffba82776a12c91a264a360afd86
Reviewed-by: Gunnar Sletta <gunnar.sletta@digia.com>
2013-03-07 09:18:43 +01:00
Paul Olav Tvete
97fcf3bc98 Introducing the Qt Android port
Based on the Necessitas project by Bogdan Vatra.
Contributors to the Qt5 project:

BogDan Vatra <bogdan@kde.org>
Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
hjk <hjk121@nokiamail.com>
Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Paul Olav Tvete <paul.tvete@digia.com>
Robin Burchell <robin+qt@viroteck.net>
Samuel Rødal <samuel.rodal@digia.com>
Yoann Lopes <yoann.lopes@digia.com>

The full history of the Qt5 port can be found in refs/old-heads/android,
SHA-1 249ca9ca2c7d876b91b31df9434dde47f9065d0d

Change-Id: Iff1a7b2dbb707c986f2639e65e39ed8f22430120
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
2013-03-05 08:31:23 +01:00
Richard Moore
7898080ca7 Add support for intermediate certificates to server sockets.
Add intermediate certificates to our server sockets, and to our client
certs.

Change-Id: Ib5aa575473f9e84f337bebe35099506dd7d7e2ba
Task-Number: QTBUG-19825
Task-Number: QTBUG-13281
Reviewed-by: Peter Hartmann <phartmann@rim.com>
2013-02-19 21:37:24 +01:00
Richard Moore
4a07519877 Store the local certificate in a QList.
Instead of storing a single QSslCertificate for the local cert, store
a list of them. This will allow us to handle server sockets that use a
certificate that is not issued directly from the CA root in future.

Change-Id: I9a36b9a99daa9c0bdd17f61b4ce1a7da746f2e96
Reviewed-by: Peter Hartmann <phartmann@rim.com>
2013-02-19 21:37:14 +01:00
Frederik Gladhorn
f4900d340a Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/widgets/styles/qmacstyle_mac.mm

Change-Id: If8326db9e7da3cbf45dbf7475fdff9915c7723b1
2013-02-18 16:14:52 +01:00
Tor Arne Vestbø
0768920dbd Remove ifdefs for supporting Mac OS <= 10.5
Qt5 requires Mac OS 10.6, so we can remove checks such as
if MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_6

Change-Id: Iea21727a277291148704ecf9677ed0b68c24920f
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-02-18 00:31:54 +01:00
Peter Hartmann
eaa18f3063 SSL docs: Be more explicit about the threats of ignoring SSL errors
... because almost everybody gets it wrong almost every time.

Change-Id: I54938ef094323ba8de02186b585b11b9579f3ca4
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-02-16 09:28:03 +01:00
Frederik Gladhorn
e65cd6f379 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/concurrent/doc/qtconcurrent.qdocconf
	src/corelib/doc/qtcore.qdocconf
	src/corelib/global/qglobal.h
	src/dbus/doc/qtdbus.qdocconf
	src/dbus/qdbusmessage.h
	src/gui/doc/qtgui.qdocconf
	src/gui/image/qimagereader.cpp
	src/network/doc/qtnetwork.qdocconf
	src/opengl/doc/qtopengl.qdocconf
	src/opengl/qgl.h
	src/plugins/platforms/windows/qwindowswindow.cpp
	src/printsupport/doc/qtprintsupport.qdocconf
	src/sql/doc/qtsql.qdocconf
	src/testlib/doc/qttestlib.qdocconf
	src/tools/qdoc/doc/config/qt-cpp-ignore.qdocconf
	src/widgets/doc/qtwidgets.qdocconf
	src/xml/doc/qtxml.qdocconf

Change-Id: Ie9a1fa2cc44bec22a0b942e817a1095ca3414629
2013-02-14 14:24:57 +01:00
Frederik Gladhorn
7f15506548 Remove Nokia from ssl linking exception.
Change-Id: I559d4dd8789a249af855f6fe9bfe013ba1d77132
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
2013-02-11 11:59:22 +01:00
Erik van Pienbroek
3798b129c0 Try harder to locate external OpenSSL libraries on win32
When OpenSSL is built using MSVC then the library names are
named ssleay32.dll and libeay32. However, when OpenSSL is built
with GCC then different library names are used like libssl-10.dll
and libcrypto-10.dll (depending on the version of OpenSSL used)

Change-Id: Icb79a5f82d2a511752bfc904f53a58423ce4b86b
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-02-09 13:35:28 +01:00
Marcel Krems
2e9caa8942 SSL: Use correct signature for SSL_get1_session
This fixes a compilation error with GCC 4.7
which was introduced in b5652df775
In function ‘SSL_SESSION* q_SSL_get1_session(const SSL*)’:
invalid conversion from ‘const SSL* {aka const ssl_st*}’ to ‘SSL* {aka ssl_st*}’ [-fpermissive]

Change-Id: I909f7fb4295b2019283a7af66a038d4711e5f7cb
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
2013-02-09 03:01:04 +01:00
BogDan Vatra
934afb5c57 Fix loading of SSL certificate of DER files.
DER certificates should not be opened as text files, so we
only pass the QIODevice::Text flag when the format is
QSsl::Pem.

Change-Id: I4bad98023c397b967d5beeec0aaa6c414e06fd9c
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-02-08 17:37:51 +01:00
Peter Hartmann
b5652df775 SSL: Implement session sharing and use it from QNetworkAccessManager
This improves performance since a network round trip can be avoided.

Change-Id: I1aaff7e48ef9638cb137de0f43942c3a4dd2884a
Initial-patch-by: Markus Goetz <markus@woboq.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-02-06 23:24:44 +01:00
Frederik Gladhorn
3eb588078e Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev 2013-01-29 11:33:35 +01:00
Sergio Ahumada
07e3bcdc10 Remove QT_{BEGIN,END}_HEADER macro usage
The macro was made empty in ba3dc5f3b5
and is no longer necessary or used.

Discussed-on: http://lists.qt-project.org/pipermail/development/2013-January/009284.html
Change-Id: Id2bb2e2cabde059305d4af5f12593344ba30f001
Reviewed-by: Laszlo Papp <lpapp@kde.org>
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@digia.com>
Reviewed-by: hjk <hjk121@nokiamail.com>
2013-01-29 01:06:04 +01:00
Sze Howe Koh
63569a68d2 Doc: Fix module name format
Follow the conventions at
http://qt-project.org/wiki/Spelling_Module_Names_in_Qt_Documentation

QtCore         -> Qt Core
QtDBus         -> Qt D-Bus
QtDesigner     -> Qt Designer
QtGui          -> Qt GUI
QtImageFormats -> Qt Image Formats
QtNetwork      -> Qt Network
QtPrintSupport -> Qt Print Support
QtScript       -> Qt Script
QtSql          -> Qt SQL
QtSvg          -> Qt SVG
QtTest         -> Qt Test
QtWebKit       -> Qt WebKit
QtWidgets      -> Qt Widgets
QtXml          -> Qt XML

QtConcurrent   -> Qt Concurrent (partial)
QtQuick        -> Qt Quick      (partial)

Also, distinguish between "module" and "library"

Change-Id: Icb8aa695ae60b0e45920b0c8fce4dc763a12b0cd
Reviewed-by: Jerome Pasion <jerome.pasion@digia.com>
2013-01-25 17:27:44 +01:00
Peter Hartmann
ce35c0db0d QSslConfiguration: toggle on demand loading of root certs properly
make sure we keep track of when we can load root certs and when we
cannot (we cannot when the developer set the certs explicitly). This is
implemented the same way for QSslSocket already, and needs to be
duplicated because we have 2 methods for setting CA certificates: one in
QSslSocket and one in QSslConfiguration.
In addition, adapt the auto test which checks whether setting a default
QSslConfiguration works: There is no way to set on demand loading
through the API, so it should be enabled by default.

Task-number: QTBUG-29103
Change-Id: I5146128aaa385dfcc0ad1e0ef81a92d9350ec5f2
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-01-23 19:36:07 +01:00
Sergio Ahumada
48e0c4df23 Update copyright year in Digia's license headers
Change-Id: Ic804938fc352291d011800d21e549c10acac66fb
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
2013-01-18 09:07:35 +01:00
Peter Hartmann
4c8d8a72ec BlackBerry: change SSL root cert folder
Currently /etc/openssl/certs is symlinked to
/var/certmgr/web/user_trusted, but this will be changed in the future.
/etc/openssl/certs is the folder to be used to read the root certs.

Change-Id: Ic037e5075ec7ee50c132fe08dc69abbe585e32e4
Reviewed-by: Sean Harmer <sean.harmer@kdab.com>
2013-01-14 11:35:17 +01:00
Andy Shaw
ad028c4110 Fix compile when verify is already defined
On Mac if AssertMacros.h has already been included then it defines
verify which conflicts with the verify static function.  Therefore we
just undef this if it is already defined.

Task-number: QTBUG-27316
Change-Id: I5960e504c4efa4fc4ff65ba66bbd7decb33ffc62
Reviewed-by: Richard Moe Gustavsen <richard.gustavsen@digia.com>
2013-01-14 09:09:03 +01:00
Peter Hartmann
bf5e7fb265 SSL certificates: blacklist mis-issued Turktrust certificates
Those certificates have erroneously set the CA attribute to true,
meaning everybody in possession of their keys can issue certificates on
their own.

Task-number: QTBUG-28937

Change-Id: Iff351e590ad3e6ab802e6fa1d65a9a9a9f7683de
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2013-01-04 15:19:17 +01:00
Stephen Kelly
1342f5da38 Move the Q_DECLARE_METATYPE for QList<QSslError> to qsslerror.h
Otherwise it is possible to assert if

 qRegisterMetaType<QList<QSslError> >("QList<QSslError>")

is called in a TU which does not include the Q_DECLARE_METATYPE
invocation.

Change-Id: Ice1ffbb0f8d0a745d2bffc8b4e13ca31621e8ca4
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-01-03 11:32:05 +01:00
Richard Moore
543e2d5e01 Fix typo in docs.
Change-Id: I37ccb10d40d2a848b7c251286d29aeb85411e912
Reviewed-by: hjk <qthjk@ovi.com>
2012-12-21 01:12:30 +01:00
Shane Kearns
eb2688c4c4 Fix binary incompatibility between openssl versions
OpenSSL changed the layout of X509_STORE_CTX between 0.9 and 1.0
So we have to consider this struct as private implementation, and use
the access functions instead.

This bug would cause certificate verification problems if a different
version of openssl is loaded at runtime to the headers Qt was compiled
against.

Task-number: QTBUG-28343
Change-Id: I47fc24336f7d9c80f08f9c8ba6debc51a5591258
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-12-10 20:48:10 +01:00
Giuseppe D'Angelo
930207fc1f Add more qtbase implicitly-shared classes to the list
QText*Format and QDns* ones are still missing.

Change-Id: I8e87fba596e87289ca935717e0a90bfc0b0a26c0
Reviewed-by: hjk <qthjk@ovi.com>
2012-11-30 21:57:49 +01:00
Friedemann Kleint
30eb0b7281 Fix typo in SSL error message.
Change-Id: If72d80979e1d2ea909227785cd691be39d75c8ab
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-11-27 19:31:21 +01:00
Giuseppe D'Angelo
33ffbf21e0 Remove qSort usages from SSL code
Change-Id: Ie080cd3d0a6ac37fad625759946a71134c989c83
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-11-08 15:06:03 +01:00
Jocelyn Turcotte
ed19c0875e QSslSocket: Allow disconnections within the connected() signal
When doing happy eyeballs style network state lookup, we might have to
close an SSL socket from its connected signal. This can cause the warning:
QSslSocket::startClientEncryption: cannot start handshake when not connected

The signal should be emitted after we called startClientEncryption to
avoid this warning. In that case it will initialize the encryption
and ramp it down right after.

Change-Id: I0c8c79cad7f91f0088b87c5e4ee8aafbc688411c
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-10-25 14:10:04 +02:00
Marcel Krems
b5b8fdb915 documentation fixes
Change-Id: If165933df41e518f5ba6065792676260fd2492b6
Reviewed-by: Jędrzej Nowacki <jedrzej.nowacki@digia.com>
2012-09-27 02:33:09 +02:00
Jing Bai
37e3168abc wrap QLibrary related code with QT_NO_LIBRARY
To fix a compile error when QT_NO_LIBRARY is defined.

Change-Id: Ie72b60b8204641fa05f4cdbf66e908cb3526217e
Reviewed-by: Jing Bai <jing.bai@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-09-24 17:06:48 +02:00
Iikka Eklund
be15856f61 Change copyrights from Nokia to Digia
Change copyrights and license headers from Nokia to Digia

Change-Id: If1cc974286d29fd01ec6c19dd4719a67f4c3f00e
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Sergio Ahumada <sergio.ahumada@digia.com>
2012-09-22 19:20:11 +02:00
Konstantin Ritt
ed5fe1b95e Fix build under MinGW after 1e3269c086
Change-Id: I3c8c28ba1016af6351afa5118893133d373cb4e6
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-09-22 00:47:40 +02:00
Frederik Gladhorn
cae8951e30 Fix typo in docs.
Change-Id: Icfafa00062b442903579dd7993c75fffb60187f9
Reviewed-by: Peter Hartmann <phartmann@rim.com>
2012-09-19 19:54:44 +02:00
Richard Moore
5ea896fbc6 Disable SSL compression by default.
Disable SSL compression by default since this appears to be a likely
cause of the currently hyped CRIME attack.

Change-Id: I515fcc46f5199acf938e9e880a4345f2d405b2a3
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
2012-09-18 14:12:17 +02:00
Sergio Ahumada
1e3269c086 network: Fix missing or improper include guard in headers
Use an include guard in headers to ensure the header is not included
more than once. Make the header guard match its file name.

Also, cpp files should include their own headers first (but below config.h)

Change-Id: Iecf5da23c0f8e6d457f67657b88ef7557bde9669
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-09-15 23:54:45 +02:00
Brendan Long
860f95946b Add support for explicit TLS 1.1 and 1.2
Add SslProtocol enums TlsV1_1 and TlsV1_2 and use the appropriate OpenSSL
methods when they're selected (TLSv1_1_client_method, TLSv1_2_client_method,
TLSv1_1_server_method and TLSv1_2_server_method). This allows us to
explicitly use TLS 1.1 or 1.2.

Task-number: QTBUG-26866
Change-Id: I159da548546fa746c20e9e96bc0e5b785e4e761b
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-08-29 14:22:54 +02:00
Marc Mutz
7e21ba6845 SSL: remove unneeded volatile qualifications
These two variables are only ever accessed under mutex protection,
and don't otherwise look like they could be changed by the hardware,
so remove the volatile qualifier.

Change-Id: I714451bb3e80778b971a901d53fe13e1b01dd84f
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-08-29 14:16:45 +02:00
Marc Mutz
d16b02bd17 QtNetwork: declare some classes as shared
Change-Id: Ib3eaba59836529ad0cf8e4353b54dd0cd31fd1ad
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-08-23 15:54:02 +02:00
Martin Smith
6f09e100c9 doc: Fixed qdoc errors in SSL
Fixed some bad camel case, marked some parameters with \a,
and changed a \enum to a \typedef. Removed some obsolete
text.

Change-Id: I1e69dd9f3b74129230770addc80fe1c125faf268
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-08-18 21:08:33 +02:00
Andreas Holzammer
0ef4bf1c1e Add possibility to add OpenSSL, DBUS, MySQL path under Windows
Under Windows it's quite possible that OpenSSL, DBUS or MySQL is
not installed into a central place. If -I and -L is
passed at configure time, it is added to all targets,
and if that path contained a conflicting header things would go
wrong.

Change-Id: Ic3338c49aa6eaa91b3abf5341e709ef604bf7aab
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
2012-08-07 18:55:43 +02:00
Peter Kümmel
952788d64b add configure options for debug/release OpenSSL
msvc cannot use the same library for debug and release builds
if openssl libraries are linked statically into the network library.

Change-Id: Ic27ede2d9531b94aff4c50c1699947ce72caf286
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
2012-07-31 11:47:39 +02:00
Marc Mutz
f408dfd033 QtNetwork: unbreak QT_NO_SSL build
The Q_DECLARE_METATYPE()s were outside of #ifndef QT_NO_SSL for classes
that are defined inside.

Expand the #ifndef block.

Change-Id: I45b73a24032fb2a79fd80d91282b782daa8a8f68
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
Reviewed-by: Rafael Roquetto <rafael.roquetto@kdab.com>
2012-07-26 23:08:04 +02:00
Marc Mutz
79b742b7e0 QtNetwork: use nullary version of qRegisterMetaType<T>("T")
Using the nullary version has the advantage that multiple calls
during a program run are much more efficient, since an inlined
atomic is used to store the result. It also ensures that
Q_DECLARE_METATYPE(T) has been used, whereas qRegisterMetaType<T>("T")
will happily register anything. So I've added the macro where it
was missing, or moved it to a central place when it existed
hidden.

In tst_qnetworkreply, this became a bit tricky, because a private
header is conditionally included, so moved the Q_DECLARE_METATYPE()
into a conditional section, too.

Change-Id: I71484523e4277f4697b7d4b2ddc3505375162727
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
2012-07-25 19:32:41 +02:00
Marc Mutz
b0aa023aa2 QtNetwork: add member-swap to shared classes
Implemented as in other shared classes (e.g. QPen).

Change-Id: Ib3d87ff99603e617cc8810489f9f5e9fe054cd2a
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-07-06 16:08:02 +02:00
Martin Petersson
6c59cdecee QSslCertificate::fromPath fix wildcard handling
The regExp used to handle wildcards in the path was broken. So we
always searched the working directory and not the specified path.
Autotests were passing because of a hack used for Windows paths
where we removed the first two chars in the path string.

This fix will not use nativeSeparators thus removing the Windows hack
and fix the regExp to match wildcard chars.

Task-number: QTBUG-23573
Change-Id: I56fadbb67f25b8ce9c0f17cb6232e0bdb9148b1c
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-07-03 01:09:33 +02:00
Martin Petersson
bf6897edb0 QtNetwork: remove double buffering on sockets
Removes the readBuffer from the QAbstractSocket since data is already
buffered in the QIODevice.

Change-Id: I4e50b791fd2852455e526fa2c07089d4d3f0b2a4
Reviewed-by: Prasanth Ullattil <prasanth.ullattil@nokia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-06-26 11:32:04 +02:00
Laszlo Papp
01d48e07d8 Mark the testSslOption method as introduced in Qt 4.8
Change-Id: Ibe7cb1ca9cdcedd3f09dd4f865907e3f0fa6aef3
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-06-07 00:38:04 +02:00
Nicolas Arnaud-Cormos
b002c7a8c0 Add Blackberry path for SSL certificates
Change-Id: Ic01e4bddaa6f1fd94f16952e0818f4369c2ec8ab
Reviewed-by: Sean Harmer <sean.harmer@kdab.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-06-06 15:29:34 +02:00
Shane Kearns
6a7dc02160 Fix deprecated API warning
Check for blacklisting in case the application has blacklisted
a cert before windows has (currently unlikely as the blacklist is
hardcoded in Qt)
Don't need to check for time validity because that's already checked
by the windows API.
Change-Id: I34da5c4a8a0f8851b9b7668fc421a93c360c8588
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-05-23 14:18:34 +02:00
Richard Moore
0b8021f5cb Change QSslCertificate::toText() to return a QString.
A couple of people reviewing the toText() method (which is new in 5.0)
have said that since the string returned is human readable it should
be a QString not a QByteArray. This change follows their advice.

Change-Id: Ibade9a24870805f7fbe2d299abeb9c6e964f0cf4
Reviewed-by: Girish Ramakrishnan <girish.1.ramakrishnan@nokia.com>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
2012-05-21 03:10:43 +02:00
Marius Storm-Olsen
ad97aba452 Doc: Fix \sa usage
Ensure comma between elements (757 missing), single space and curly-
braces around title elements, etc.

Change-Id: Id16c3fda7fc47a12a0682f8720214f4990609a97
Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
2012-05-11 01:42:02 +02:00
Casper van Donderen
7eca53b51a Doc: Modularize QtNetwork documentation.
This change moves the snippets and images to the modularized directories.

Change-Id: If14912692a7f72d7de345eaf88d9ec9752310fca
Reviewed-by: Marius Storm-Olsen <marius.storm-olsen@nokia.com>
2012-05-09 08:35:43 +02:00
Richard Moore
e2a77de726 Various minor fixes for qdoc warnings.
Change-Id: I54c5ab6e1bfb1816bb510be9e2bfa1e3362faa36
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
2012-05-06 20:42:00 +02:00
Richard Moore
eee3798f6f Fix more qdoc warnings in qtnetwork.
Change-Id: Ibfac6236e9f68b41e34e67ef03cfd590582439be
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
2012-05-06 19:12:43 +02:00
Thiago Macieira
dd5b373d41 Change remaining uses of {to,from}Ascii to {to,from}Latin1 [QtNetwork]
This operation should be a no-op anyway, since at this point in time,
the fromAscii and toAscii functions simply call their fromLatin1 and
toLatin1 counterparts.

Task-number: QTBUG-21872
Change-Id: I94cc301ea75cc689bcb6e2d417120cf14e36808d
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-05-04 12:46:05 +02:00
Shane Kearns
bb234e238c Rename QAbstractSocket::PauseOnNotify -> PauseOnSslErrors
Although we created an enum for pause modes to make 5.x binary
compatible with 5.0, the enum value is not well named.
In 5.1, we propose to add PauseOnProxyAuthentication to the enum.
PauseOnNotify is not clear what it means, while PauseOnSslErrors is.

Any new notification in a minor release would need a new enum value
otherwise applications would get pauses they did not expect.

Task-number: QTBUG-19032
Change-Id: I4dbb7467663b37ca7f0551d24a31bc013968bedc
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
2012-05-04 03:11:17 +02:00
Shane Kearns
42d4639fd9 Fix windows cert fetcher if site presents full chain
If a website presents the complete certificate chain in the handshake
i.e. site -> intermediate CA -> root CA then openssl gives
a different error (SelfSignedCertificateInChain)

Because of this windows feature, that either means the site is
signed by an untrusted CA, or the CA trust status is unknown because
we don't have the root cert in the cert store.

In any case, calling the windows verification function results
in a trusted chain & the root being added to the cert store.

Task-number: QTBUG-24827
Change-Id: I2663ea2f86cd0b4dfde105d858ec1b39a340c1f6
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-05-04 03:10:39 +02:00
Shane Kearns
bd7cd34673 Document new APIs in 5.0
The \since 5.0 directive was missing from many places.

Task-number: QTBUG-24001
Change-Id: I191ba8891ae66d78f923164bcab2fccb16eabef9
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
2012-05-03 19:34:58 +02:00
Shane Kearns
12dad8357d Document deprecated APIs in QSsl
Task-number: QTBUG-24001

Change-Id: I8d0980bd5418e9324d0a0fe55c00b432c0a98fb1
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
2012-05-03 19:34:51 +02:00
Shane Kearns
7b9a0457be Document QSslCertificate deprecated functions
With the new functions linked

Task-number: QTBUG-24001
Change-Id: I9fd2de746a6342a1f4f182189e7f2529f092c003
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
2012-05-03 19:34:37 +02:00
Shane Kearns
ee0514d63c Optimise windows cert fetching and fix test case.
If we're not going to verify the peer, or we know in advance that
windows won't have a CA root then don't ask it to verify the
certificate chain.
The test case started failing in CI when the windows cert fetcher
was integrated due to timing change. I've relaxed the timing
requirement of the test to avoid it being unstable.

Task-number: QTBUG-24827
Change-Id: I694f193f7d96962667f00aa01b9483b326e3e054
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2012-05-03 16:11:58 +02:00
Rohan McGovern
2149b650ea Fixed compile of QSslSocket with -qtnamespace on Windows.
Q_DECLARE_METATYPE must be outside of the qt namespace.

System headers must be included outside of the qt namespace.

Change-Id: I2f48b1df87e5edae2baee6ce813af08d3e011dc0
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
Reviewed-by: Toby Tomkins <toby.tomkins@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-05-01 12:38:07 +02:00
Niels Weber
8643e1992f Improved detection of libcrypto and libssl.
The previous solution didn't work on systems where the libraries
aren't in the same location.
Now we search for both libcrypto and libssl and load them if their
versions match, even if they are in different directories.

Task-number: QTBUG-25398

Change-Id: I37164638890586947d07670d8a59fc53a84f9c42
Reviewed-by: Joerg Bornemann <joerg.bornemann@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-04-24 12:48:38 +02:00
Kalle Viironen
83c637aa94 Fix bug in qsslsocket peek()
Calling peek() for qsslsocket caused socket data to be copied into
qiodevices buffer and therefore make it unaccessible in qsslsocket.

Cherry picked from 4.8-branch & modified to Qt5 API changes
(int -> qintptr)
Original commits:
commit 621f18955082fc73471e75d1f8c35c2dcd4befeb
Author: Shane Kearns <ext-shane.2.kearns@nokia.com>
commit 68b1d5c17aa38d5921bdade2b0e0cb67c6c90513
Author: Kalle Viironen <kalle.viironen@digia.com>

Task-number: QTBUG-18498
Change-Id: I6be4b19baec2f3197537f5e7b61432040ec84ad2
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-04-23 09:45:24 +02:00
Martin Petersson
a8a5b38b00 QSslSocket: call to ERR_free_strings to free loaded error strings
Since we are calling q_SSL_load_error_strings to load error strings
we should call ERR_free_strings to free the memory again.

Task-number: QTBUG-15732
Change-Id: Ie41291bb0e1434f82025378edfca51930712a8aa
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-04-20 12:46:47 +02:00
Konstantin Ritt
907909d858 fix qsslsocket build in -permissive mode (assigning const char* to char*)
Change-Id: I76269630ebabdf601c2fcb5f65a8dffbd6cdbc5e
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-04-19 16:44:47 +02:00
Ian Dean
22042dd769 Change coreservices -> ios
Replace "contains(QT_CONFIG, coreservices)" with "!ios" in config files.
Replace "QT_NO_CORESERVICES" with "Q_OS_IOS" in source files.

Change-Id: Id3b02316b245a24ce550e0b47596d18a4a409e4f
Reviewed-by: Morten Johan Sørvig <morten.sorvig@nokia.com>
2012-04-19 01:57:58 +02:00
Lars Knoll
64255ef650 Merge remote-tracking branch 'origin/api_changes'
Change-Id: I964b0a6f5c38351fdfafb8a2a128a349ff8c89d1
2012-04-17 12:58:52 +02:00
Richard Moore
2b1e0940fd Trivial doc fix.
Change-Id: I837c74d38b9f73aed41c3839421f5faad9d22f3f
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-04-16 18:35:49 +02:00
Richard Moore
591ad20a0b Minor doc improvements.
Change-Id: Ic14cefcf935fea822c581013f437ae61b820ddd9
Reviewed-by: Giuseppe D'Angelo <dangelog@gmail.com>
Reviewed-by: Casper van Donderen <casper.vandonderen@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-04-16 18:35:09 +02:00
Lars Knoll
9bd0323551 Merge remote-tracking branch 'origin/master' into api_changes
Conflicts:
	configure
	src/corelib/io/qurl.cpp
	src/gui/kernel/qwindow.cpp
	src/tools/moc/generator.cpp
	src/widgets/kernel/qwidget_qpa.cpp
	src/widgets/styles/qstyle.h
	src/widgets/widgets/qtabbar.cpp
	tests/auto/corelib/codecs/utf8/tst_utf8.cpp

Change-Id: Ia457228d6f684ec8184e13e8fcc9d25857b1751e
2012-04-16 12:04:34 +02:00
Qt4iOS
75fb4efeae Added iOS compatibility.
Put MacOS-specific code into #ifdef blocks to enable compilation on iOS.

Change-Id: I0bb3846f457d1b3a56d99fe182b1718bc8429117
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-04-13 08:33:51 +02:00
Shane Kearns
7386ab17df Use windows API to update missing CA roots
Windows ships with a minimal set of CA roots.
When using windows API to verify a certificate, it will fetch the
root certificate from windows update (assuming it is part of the
Microsoft trust program).

As we are using openssl, this does not happen transparently.

If SSL errors occur which indicate a broken chain then attempt
to fix it using the windows API before emitting sslErrors.

If the system CA certs are not in use (a CA bundle has been set
on the socket or as the global configuration), then this is skipped.
This is so an application can continue to use its own cert bundle
rather than trusting the system certs.

Key usage is specified, so that windows will return not trusted
status if the root is not suitable for SSL (server auth or
client auth OID).

Testability:
 - to test, must delete the CA cert(s) from the "third party
   root certification authorities" section of the cert store
   using mmc.exe.
 - If the workaround of installing the windows XP cert bundle was
   performed, then you also need to delete certs from the "trusted
   root certification authorities" section.
   This is dangerous, be careful not to delete the required
   certificates which are documented on MS website
 - Naturally, modifying these areas of the cert store requires
   elevated privilege.

Task-number: QTBUG-24827
Change-Id: I5cfe71c8a10595731f6bbbbabaaefa3313496654
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-04-11 15:49:02 +02:00
Oswald Buddenhagen
143c4d3e13 Merge remote-tracking branch 'origin/master' into api_changes
Conflicts:
	configure
	src/widgets/styles/qwindowsxpstyle.cpp
	tests/auto/gui/kernel/qwindow/qwindow.pro
	tests/auto/gui/kernel/qwindow/tst_qwindow.cpp

Change-Id: I624b6d26abce9874c610c04954c1c45bc074bef3
2012-04-10 15:31:45 +02:00
Shane Kearns
e5337ad1b1 Find libssl on linux using paths of loaded libraries
The installed path of libssl may include an element describing the
architecture, e.g. x86_64-linux-gnu or i386-linux-gnu.
In most cases, the libraries already loaded (static dependencies of
Qt, such as libc) will include the path where libssl is installed.

Use dl_iterate_phdr to find the paths. This is a linux specific
function, but it does provide "/lib/<arch>" and "/usr/lib/<arch>"
at the point ssl symbols are being resolved when running the
qsslsocket autotest (which has less dependencies than a typical
Qt app).

Task-number: QTBUG-24694
Change-Id: I9af8081f41bb85c2fcff450a2acda5672a7f7518
Reviewed-by: Harald Fernengel <harald.fernengel@nokia.com>
2012-04-05 15:37:53 +02:00
Kent Hansen
3b512ae142 Merge master into api_changes
Change-Id: I93551e4d13a1b0815b359b9415060e9089477db1
2012-03-23 14:10:58 +01:00
Richard Moore
542c0d3e10 Fix QT_NO_DEBUG_STREAM build
Change-Id: I640f93750583d36284f189fa12bac6440664a7a2
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-03-20 11:44:09 +01:00
Marc Mutz
cd27535ca0 QtNetwork: make some constructors explicit
This is a semi-automatic search, so I'm
reasonably sure that all the exported ones
have been caught.

Change-Id: Ia00eb9194a5f64002bd7e7b894abf6333d1b825e
Reviewed-by: Jonas Gastal <jgastal@profusion.mobi>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2012-03-14 12:37:30 +01:00
Martin Petersson
47a62485c0 Use SSL_MODE_RELEASE_BUFFERS in QSslSocket
If SSL_MODE_RELEASE_BUFFERS is available we should tell OpenSSL
to release memory early.
http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html

Task-number: QTBUG-14985
Change-Id: Ib6656ebb3c4d67ca868b317ee83ddbf0983953f9
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Markus Goetz <markus@woboq.com>
2012-03-09 01:42:05 +01:00
Martin Petersson
4c0df9feb2 QtNetwork: blacklist two more certificates
The comodogate 72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0
certificate is a test certificate and the MD5 Collisions was created
as a proof of concept deliberately made to be expired at the time
of its creation.

Task-number: QTBUG-24654
Change-Id: Ic8eb417363569fe50bf19cd229658f5e371862f7
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-03-08 19:00:39 +01:00
Shane Kearns
00821ec710 QSslCertificate - make lazy initialisation thread safe
QSslCertificate can be copied around into multiple threads,
without detaching. For example, the https worker threads inside
QNetworkAccessManager.
There are const methods, which lazily initialise members of
the private class without detaching (i.e. caching results of
expensive function calls)
These functions now lock the d pointer using QMutexPool to
avoid concurrency related crashes.

autotest crashes 20% of the time in release builds without
the fix, passes 100 times in a row with the fix.

Task-number: QTBUG-20452
Change-Id: I64a01af8159216f2dd6215a08669890f6c029ca8
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-03-06 12:25:22 +01:00
Casper van Donderen
95d83cb1b6 Remove the usage of deprecated qdoc macros.
QDoc now has support for Doxygen style commands for italics, bold
and list items. This change applies that change in QDoc to the
actual documentation.

Task-number: QTBUG-24578
Change-Id: I519bf9c29b14092e3ab6067612f42bf749eeedf5
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
2012-03-02 23:16:25 +01:00
Marc Mutz
d91add71e7 QSslError: fix wrong #endif placement
This would break a namespaced Qt when QT_NO_DEBUG_STREAM
was in effect. Unlikely to hit, but nevertheless fixworthy.

Change-Id: Ie2a4cf4334a6a610c84233ab1ca89b928386c91a
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-02-25 15:28:11 +01:00
Martin Petersson
19a562a923 QSslSocket::verify certificates when on-demand loading is used
Task-number: QTBUG-24350
Change-Id: I5a328efe6606f5d438bb4787a5c02a425ce42aca
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-02-23 16:38:45 +01:00
Shane Kearns
3f91cde588 Test for QT_NO_SSL instead of QT_NO_OPENSSL
Change the ifdefs in our own code (except openssl backend) to use the
new configure flag.

Change-Id: I8774734771c66b22164b5fae8fdb27814ac3df7b
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-02-21 15:28:40 +01:00
Richard Moore
1703558330 Trivial doc fix
Change-Id: I9b63e0b63f225b245eec68ea4211cb0f2ccf9bb5
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
2012-02-18 13:13:22 +01:00
Casper van Donderen
48a366e6c8 Make sure to print short text for QSslCertificateExtension.
Change-Id: If2471bea27f095352ae8c28604e104b896fd97c7
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-02-17 05:27:01 +01:00
Kent Hansen
0554d13910 Remove needless line "#define d d_ptr"
There was a time when qsslsocket.h declared its private slots as

Q_PRIVATE_SLOT(d, void _q_connectedSlot())

But now they are correctly declared as

Q_PRIVATE_SLOT(d_func(), void _q_connectedSlot())

so the "#define d d_ptr" hack isn't needed.
Specifically, the define would break moc-generated code that refers
to the member d of a structure (which a future moc revision does,
namely QByteArrayData::d).

Change-Id: Ic94fa4d523fb17e8088973cfc0d090d5cce97267
Reviewed-by: Jonas Gastal <jgastal@profusion.mobi>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-02-15 02:35:10 +01:00
Shane Kearns
ddf21c384f Fix unintended source compatibility break in QSslSocket
QSslSocket overrides one version of QAbstractSocket::connectToHost.
Since these functions were made virtual, this now hides the other
overloads.
Added a using statement to make the other overloads visible.

Change-Id: Ia48fdc9bd67936c75c25bb24dabd26a723bb7a05
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-02-02 17:11:37 +01:00
Bradley T. Hughes
8fad23f326 Don't include config.tests/unix/openssl/openssl.pri
This file was removed in commit ba9302b8a9

Change-Id: Ib3a70877f6f6848c8cf072faf13da93abbe186f2
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-02-02 09:27:25 +01:00
Shane Kearns
c5aba0ac17 Prevent data loss when an ssl socket is closed by remote
SSL context was destroyed on disconnect. This makes it impossible to
decrypt buffered encrypted data. So if there is encrypted data in the
receive buffers, then don't destroy the ssl context until the socket is
destroyed.

Task-Number: QTBUG-23607
Change-Id: I16a7b4fa006647ec73049c90cdbc72686696850f
Reviewed-by: Jonas Gastal <jgastal@profusion.mobi>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-02-01 19:18:12 +01:00
Friedemann Kleint
b44e67e1ca Windows: Fix inclusion of <windows.h>
- Always use <qt_windows.h> as the last file to be included.
- Remove it from some headers, use Qt::HANDLE instead of HANDLE.
- Clean up #ifdef, use Q_OS_WIN for Windows/Windows CE.
- Add NOMINMAX to qt_windows.h to avoid problems with the
  min/max macros.
- Remove <windows.h> from qplatformdefs.h (VS2005)

Change-Id: Ic44e2cb3eafce38e1ad645c3bf85745439398e50
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Joerg Bornemann <joerg.bornemann@nokia.com>
2012-02-01 11:06:19 +01:00
Jonas M. Gastal
695dded37b Emit QSslSocket::error in case of openssl gives an error.
Create new QAbstractSocket::SocketError value that denotes an error in
the SSL library: SslInternalError
Create QAbstractSocket::SocketError value that denotes an error in data
provided by user causing an SSL library error: SslInvalidUserDataError

Change-Id: I466a9389d9d7052efd8eddd1a2d6067ba26dfddb
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <ext-shane.2.kearns@nokia.com>
2012-02-01 02:16:14 +01:00
Jonas M. Gastal
0e4fac3fbd Removing bad ###Qt5 note.
Implementing this would cause massive SC breakage and give little
gain.

Change-Id: I56a6d302fdd0e8b53d1f9154f3eaf9e1ee429f9d
Reviewed-by: Giuseppe D'Angelo <dangelog@gmail.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-01-31 11:43:40 +01:00
Richard Moore
b3a978d661 Make the pause modes a QFlags.
The intention is to add additional pause modes over time, this will
be easier if we can just test if a particular reason for pausing is
turned on. If we don't do this we'll end up having to check for each
enum value every time we check what is enabled.

Change-Id: I6b08f0e819b5593e3f6463c3dd175eff8625e155
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@nokia.com>
Reviewed-by: Shane Kearns <ext-shane.2.kearns@nokia.com>
2012-01-30 16:39:56 +01:00
Jason McDonald
5635823e17 Remove "All rights reserved" line from license headers.
As in the past, to avoid rewriting various autotests that contain
line-number information, an extra blank line has been inserted at the
end of the license text to ensure that this commit does not change the
total number of lines in the license header.

Change-Id: I311e001373776812699d6efc045b5f742890c689
Reviewed-by: Rohan McGovern <rohan.mcgovern@nokia.com>
2012-01-30 03:54:59 +01:00
Jonas M. Gastal
dd73365718 Making socketOption/setSocketOption virtual on QSslSocket.
Per ### Qt5 comment and the fact that it was already virtual on
QAbstractSocket.

Change-Id: If2d2b2f9cdec1ef4c5bf625e3ce0d6f2d9a7bdfd
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-01-28 14:44:48 +01:00
Jonas M. Gastal
bd5881b460 Style fix for QSslCertificate constructor.
Change-Id: I1f128eb9f99ef4d25590bd034762cb8a0e68b075
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-01-27 10:47:19 +01:00
Jonas M. Gastal
f347a33115 Removing ### that would cause needless SC breakage.
Change-Id: Iaa9cfd709c0ca4192760117ba5ec6d3992804d6a
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-01-27 10:40:48 +01:00
Peter Hartmann
07662f93ac QAbstractSocket / QSslSocket: add API to pause and resume
pause and resume is currently only supported upon emitting the
QSslSocket::sslErrors() signal. The API was added in QAbstractSocket to
also support QAbstractSocket::proxyAuthenticationRequired() in the
future.

This is the first patch to support that feature on the socket level,
another patch will follow to support sslErrors() and
authenticationRequired() in QNetworkAccessManager / QNetworkReply.

Task-number: QTBUG-19032
Change-Id: Ide2918268590ab9a01454ab26cb7fdca3dc840ab
Reviewed-by: Shane Kearns <ext-shane.2.kearns@nokia.com>
2012-01-25 19:35:05 +01:00
Gunnar Sletta
4ecf82795d Remove use of QT_MODULE from library
These defines were there to aid in the commercial
licensing scheme we used long ago, and are no longer needed.

Keep a QT_MODULE(x) define so other modules continue compiling.

Change-Id: I8fd76cd5270df8f14aee746b6cf32ebf7c23fec7
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
2012-01-25 10:19:44 +01:00
Jason McDonald
629d6eda5c Update contact information in license headers.
Replace Nokia contact email address with Qt Project website.

Change-Id: I431bbbf76d7c27d8b502f87947675c116994c415
Reviewed-by: Rohan McGovern <rohan.mcgovern@nokia.com>
2012-01-23 04:04:33 +01:00
David Faure
f65a10b733 Remove unused QT_NO_TEXTSTREAM.
It was checked in a few places, but it didn't actually remove QTextStream,
so it was pretty useless.

Change-Id: I8eaf28893cd6c7acbe1c0b69d58de90742aee755
Reviewed-by: João Abecasis <joao.abecasis@nokia.com>
2012-01-11 22:17:46 +01:00
Shane Kearns
1ee9c0925b SSL - dump failed certificate chains when debug logging is enabled
This is to help us debug problems with CA certificates.
Code is not compiled by default, only when QtNetwork is built with
QSSLSOCKET_DEBUG defined

Change-Id: I404c36bf4c6bf1190f480196038197be30b4b5f9
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-01-09 22:08:35 +01:00
Jonas M. Gastal
4669d657d2 Make (dis)connectTo(From)Host virtual in QAbstractSocket.
Change-Id: Ib1dfae4031f00fb331108152a259f6a2756381c9
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-01-09 19:17:47 +01:00
Shane Kearns
ca5072fb18 Fix renewed SSL certificates being incorrectly reported as expired
OpenSSL tries certificates in the order they are added to the store.
There was logic to add the expired certificates after the valid ones
to ensure the valid certificate is checked first if the OS cert store
contains both the expired and renewed version of the same cert (e.g.
the verisign class 3 cert on windows)

However due to a coding error, the ordering was reversed, ensuring the
problem is always encountered instead of always avoided.

Task-number: QTBUG-20012
Change-Id: I7c8dba8a09842540a22b44d33c7dcb22bbbc6a58
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2012-01-06 19:24:23 +01:00
Richard Moore
b328e36e41 Add a new QT_NO_SSL feature macro.
At the moment users of Qt must detect if it was compiled with SSL
support by testing for QT_NO_OPENSSL. This means that any code that is
conditionally compiled this way is tied to the presence of the openssl
backend. This commit makes it possible to implement new SSL backends
during the Qt5 lifetime without breaking this code. People can still
test for QT_NO_OPENSSL if they really need openssl, but if they simply
want to know if there's SSL support at all they should use this define
instead.

In addition, this commit changes the public API headers to use the new
define.

Change-Id: Ib57a71aa65836ac9351f120a487bfeb8009d9515
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2012-01-06 11:19:23 +01:00
Jonas M. Gastal
bf7f170607 Make socket descriptors qintptr.
Windows x64 uses 64 bits integer for sockets, to ensure compatibility we
should use ptr sized integers for our socket descriptors.

Task-number: QTBUG-19004
Change-Id: I4b56023874a4f1bad107c66c054fecfedde33d88
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
2012-01-05 15:07:51 +01:00
Jason McDonald
1fdfc2abfe Update copyright year in license headers.
Change-Id: I02f2c620296fcd91d4967d58767ea33fc4e1e7dc
Reviewed-by: Rohan McGovern <rohan.mcgovern@nokia.com>
2012-01-05 06:36:56 +01:00
Richard Moore
82f9ad6295 Always load the openssl configuration.
This change makes Qt load the default openssl config always, not just
when compiled with OPENSSL_LOAD_CONF. This means that facilities like
openssl engines (and their configuration) are usable. An alternative
would be to call OPENSSL_config(NULL) ourselves, but that's exactly
what the OPENSSL_add_all_algorithms_conf does for us.

Task-number: QTBUG-16018
Change-Id: I4cda701f82627e0541b6225009f4e1249aec9d47
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2012-01-03 15:12:24 +01:00
Shane Kearns
2cc78885b0 Handle plain socket write errors in SSL
When an ssl socket is closed during connecting, and it is using a proxy
then it is possible for the plain socket to be in pending close state
when transmit() is called.
As errors were not handled, this caused the socket (and https request)
to "hang".
It now propagates the error from plain socket.

Change-Id: I6fb86815a2a63e197cea582f4b153e487543477c
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2011-12-22 15:55:21 +01:00
Peter Hartmann
86f5b78394 SSL: fix build with -openssl-linked for OpenSSL 0.9.8*
OpenSSL's SSL_ctrl() always took a "void *" argument as 4th parameter,
since at least version 0.9.7.
I have no idea why we had "const void *" in there.

Reviewed-by: Richard J. Moore <rich@kde.org>
Task-number: QTBUG-23132
(cherry picked from commit 4db91cbd6147e40f543342f22c05b7baddc52e5a)

Change-Id: Ie570e1cc59b72f13d3e6f3ed6fc1892444a63743
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Robin Burchell <robin+qt@viroteck.net>
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2011-12-22 11:43:55 +01:00
Richard Moore
3ac957690c Remove unused member variables from private class.
These aren't used, and so they shouldn't be there.

Change-Id: Id4a08d90836c45c140d811b8eca07756e14c56e5
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2011-12-12 17:27:19 +01:00
Richard Moore
2757a5fe8c Check we're connected before startClientEncryption()
The docs say this is required, but we don't check it and instead
segfault right now.

Change-Id: I825b00a312a481c5383af127333c0c4698188348
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-12-07 12:55:28 +01:00
Richard Moore
3d3fdcd3a5 Make the default ssloptions testable.
Centralise the specification of the default ssloptions to make the code
clearer and more testable.

Change-Id: I4f4bae72736dd063ee4cd64c6375e82d0600a105
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2011-11-29 14:00:01 +01:00
Peter Hartmann
57c31045df SSL certificate blacklist: reformat serial numbers to hexadecimal
Since recently QSslCertificate::serialNumber() always returns the
hexadecimal format, so we need to adapt to that when checking the
serial numbers for the blacklisted certificates.

Change-Id: I43bdb1be77faad7ad79a835c896fc39477452e75
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2011-11-25 17:00:56 +01:00
Peter Hartmann
09404c072f SSL: fix build when compiled with -openssl-linked
... and only resolve the functions when the methods are available.
SSL 2 functionality is not always available in OpenSSL anymore.

Change-Id: Ia3178685b26c67ac55447476789e06710b596181
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2011-11-25 14:37:02 +01:00
Jonas M. Gastal
c990f38a5d Removing unnecessary hidden property "_q_user-agent".
This property is no longer necessary because we can now set the user
agent directly on the proxy.

Task-number: QTBUG-17223
Change-Id: I27cb126dd401f02525290d2317650f55cae9f4ef
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2011-11-24 18:16:33 +01:00
Lars Knoll
290c4f8988 Don't forward declare types from openssl in public headers
There's no real reason for the typedef here, QtNetwork
will compile without it and it might conflict with
openssl.

Change-Id: Id352ccc98d84ca9ee9ea3c7b4a942382882173f1
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2011-11-24 13:37:32 +01:00
Richard Moore
bf7364f0aa Improve the testability of QSslOptions.
The handling of QSslOptions is complicated not only by the subject, but
also by the fact that some of the openssl directives are negatives. This
commit tries to separate the inherent complexity from the complexity of
the api by allowing us to test them independently.

Change-Id: Ieb9386c69dd9b0b49dc42e26b2878a301f26ded1
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-11-17 13:22:56 +01:00
Peter Hartmann
f1f95d7047 SSL: fix compilation warning with gcc 4.6.1
"qsslconfiguration.cpp:204:73: warning: suggest parentheses around
comparison in operand of ‘|’ [-Wparentheses]"

Change-Id: I887ffdf3ef8263c35a8f391b3fc97faee41b7dab
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2011-11-16 15:27:23 +01:00
Toby Tomkins
91af333634 Fix Qt namespace compilation.
Change-Id: I259b5fde8e4d75d28def8650c4c9208accdf0bbe
Reviewed-by: Rohan McGovern <rohan.mcgovern@nokia.com>
2011-11-16 11:56:48 +01:00
Peter Hartmann
4dc390e66f SSL namespace: rename TlsV1 to TlsV1_0
This is a source-incompatible change.

TlsV1 is ambiguous; what is actually meant is TLS version 1.0. There are
also TLS versions 1.1 and 1.2; we might want to add options for these
once OpenSSL supports them (apparently they will be with OpenSSL version
1.0.1).

Change-Id: I940d020b181b5fa528788ef0c3c47e8ef873796a
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
2011-11-16 10:32:10 +01:00
Richard Moore
75b2a4960b Add the ability to do unsafe SSL renegotiation as a fallback.
This commit adds the ability to perform legacy SSL renegotiation as
a fallback via QSsl::SslOptions. This is something that used to work,
but has been disabled by default in newer versions of openssl. The
need for this has been reported by users (eg. in QTBUG-14983).

Change-Id: I5b80f3ffd07e0c5faddc469f6a8f857bac5740f7
Reviewed-by: Corentin Chary <corentin.chary@gmail.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-11-15 11:53:44 +01:00
Richard Moore
6f115edd74 Always use the hex format for certificate serial numbers.
In Qt 4.x the serial number is reported by a mixture of the hex value
and the number. The hex is what is used by other tools, and we should do
the same.

Change-Id: Ia0361d43fb5b920d053c95e932e0c8a012436e5e
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-11-15 10:16:12 +01:00
Peter Hartmann
4329030b77 network: remove Symbian specific code
removes several files and cleans up the code, removing all Symbian
specific #ifdef's etc.

Change-Id: Ie457e54cb4b3a992f251383320d47822259c38f1
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
2011-11-14 18:41:17 +01:00
Richard Moore
e66d3d9899 Deprecate QSslCertificate::isValid() replace with isBlacklisted()
Currently isValid wrongly gives the impression it checks a certificate
for validity - it doesn't. It merely checks if the certificate dates
are valid and if the certificate is blacklisted. Since it's already
easy for users to check the dates, let's just give them access to the
ability to check for blacklisting.

Change-Id: I25be3bde6a01063034702a9574b28469bf4882cd
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-11-14 10:39:47 +01:00
Peter Hartmann
7a78248e9c SSL: blacklist intermediate certificates that issued weak certs
... as did browser vendors.
Tested manually with affected CA certificates.

Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit e1d6df4e5931ee49b4b68dd5a33146f5639268b7)

Change-Id: I5bf6c147abf6d2de0f313d65faa2d9a1e9684cea
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-11-08 15:52:28 +01:00
Richard Moore
6248b869d0 SSL certificates: add functionality to read extensions
... by adding a new class QSslCertificateExtension and methods in
QSslCertificate to support extensions. This is needed e.g. for OCSP
(checking revocation status of a certificate) or Extended Validation
certificates.

Change-Id: I5c5d9513fa640cd487786bb9a5af734afebd0828
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2011-11-06 21:00:39 +01:00
Peter Hartmann
869bd3d6e1 SSL documentation: correct enum name
(cherry picked from commit 9d5c920bb23b949a0b98f1268679a0a2c06dd1d9)

Change-Id: Id99040051afe97bca3b1a8e4e3ae5a4c7f617cc9
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2011-10-31 20:34:43 +01:00
Friedemann Kleint
e277575987 Fix most warnings about assignments of QAtomicInt.
Change-Id: Ide409d72d2637b68ec2a85aaca4bc783a7e911e7
Reviewed-by: Bradley T. Hughes <bradley.hughes@nokia.com>
2011-10-31 11:29:08 +01:00
Richard Moore
78d02e93ac Add the ability to enable various SSL bug workarounds.
There are lots of buggy SSL servers around and to connect to them you
need to disable various features. This commit adds the ability to
disable the SSL ticket extension, the ability to disable the insertion
of empty fragments, and the ability to disable compression.

Task-number: QTBUG-21906

Change-Id: I3e1d0347a46e9030b889bbf15b2aad19b8513b73
Merge-request: 68
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-10-20 18:20:12 +02:00
Peter Hartmann
a6e0e7909b QSslCertificate: block all DigiNotar (intermediate and root) certs
and do not only check leaf certificates, but all intermediates and
the root. Tested manually with the cross-signed intermediates.

Change-Id: I860dc9b568bc244abc9228486dbb374a1a2b47c4
Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 64adbd0c5775f97343afbe0e7b5fde0d70bdaedd)
Reviewed-on: http://codereview.qt.nokia.com/4291
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-09-07 10:17:11 +02:00
Peter Hartmann
3840ce839f QSslCertificate: also check common name for blacklisted certificates
... to reduce the possibility of blacklisting valid certificates that
happen to have the same serial number as a blacklisted one, which is
unlikely, but possible.

Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 6b1a8129623e3716f2fc075608b260ce7c381fe2
and adapted to the source incompatible change)

Change-Id: If714c34f6ce028032eee6d68f34d088b6ad5a0cc
Reviewed-on: http://codereview.qt.nokia.com/3895
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-09-02 14:14:15 +02:00
Corentin Chary
c0dc40ce06 qssl: use reinterpret_cast instead of C-style casts
Merge-request: 48
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>

Change-Id: Ia5ac3239e6f378f930cb299a5711aa98dbb2f418
Reviewed-on: http://codereview.qt.nokia.com/4012
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-09-02 14:13:59 +02:00
Corentin Chary
254d7189d8 qssl: add auto test to QSsl::Opaque QSslKeys
Also export two symbols for auto tests since opaque keys
need EVP_PKEY * created by openssl.

Change-Id: Ib7801ddfceb259de7291bfaa5940df87f68af97d
Merge-request: 48
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/4011
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
2011-09-02 09:44:32 +02:00
Corentin Chary
a4878db8df qssl: add support for QSsl::Opaque key
This allows using EVP_PKEY * directly with QSslKey (for
example coming from a PKCS#11 dongle).

Change-Id: Icb1ba5081506a831ec3d8cfffe13ce70939608ea
Merge-request: 48
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/4010
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
2011-08-31 21:06:53 +02:00
Peter Hartmann
68b322270c QSslCertificate: blacklist fraudulent *.google.com
blacklist the leaf certificate for now. There might well be more fake
certificates in the wild, for that either the Diginotar.nl root cert
needs to be disabled on the system or OCSP would need to be enabled
(not supported by Qt yet).

Reviewed-by: Richard J. Moore <rich@kde.org>
(cherry picked from commit 70f6a1b91b242174682c30be976c2aa36c450cc7)

Change-Id: I7cd3fdc4c6e85202914764f983a60d301e54aa35
Reviewed-on: http://codereview.qt.nokia.com/3893
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-08-30 18:48:35 +02:00
Peter Hartmann
8ef86d05f1 QSslCertificate: deprecate alternateSubjectNames()
... and add a new method subjectAlternativeNames() instead. This was
a typo in the API.

Change-Id: Id8704c387c9ff8e1af2b9a524ff628f5c053a294
Reviewed-on: http://codereview.qt.nokia.com/2618
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: João Abecasis <joao.abecasis@nokia.com>
2011-08-04 16:13:33 +02:00
Peter Hartmann
6ab8ecb002 SSL internals: certificate verification: use mutex locker
there are return statements between locking and unlocking, so to not
leave the mutex locked when returning, this commit introduces a
QMutexLocker.

Change-Id: I74e2f329bf116e92250189bf097deb47d460d9dc
Reviewed-on: http://codereview.qt.nokia.com/1656
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Markus Goetz
2011-07-14 13:08:20 +02:00
Peter Hartmann
e11fac22c4 QSslCertificate: extend documentation for new verify method
Change-Id: I47e038299a7e6ef18206839ff59ecef9f0860415
Reviewed-on: http://codereview.qt.nokia.com/1510
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Markus Goetz
2011-07-12 13:57:14 +02:00
Richard Moore
451f3b3785 Add the ability to verify a chain of certificates
Currently it is only possible to verify a certificate chain when
connecting to a server. This change makes it possible to verify a
chain at any time.

Change-Id: Ib70ad7b81418f880e995f391b82ce59561ededb8
Merge-request: 11
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/1509
2011-07-12 13:57:14 +02:00
Peter Hartmann
94e110ca5f QSslCertificate: rename "tag" to "attribute", as in the RFC
RFC 2459 "Internet X.509 Public Key Infrastructure" uses the word
"attribute" for fields in a certificate like common name, organization
etc.

Change-Id: I51e595acbe3e146acf81af21cf48e554fa9490e4
Reviewed-on: http://codereview.qt.nokia.com/1453
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2011-07-12 09:25:06 +02:00
Richard Moore
eab215070e SSL: Move the code for extracting the name of an ASN1_OBJECT
Moves the code for extracting the name of an ASN1_OBJECT to a function.
We're going to need this again for implementing support for X509
extensions.

Change-Id: I43276eb375b37f5fef0d981f4003220d7e7b81ba
Merge-request: 18
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/1452
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
2011-07-11 17:33:37 +02:00
Richard Moore
852d4b03f6 SSL: Add methods to access the tags of the subject and issuer of a cert
Add methods that return a list of the tags in use in a certificate
issuer or subject. This means that unknown elements of these fields can
be accessed.

Change-Id: I588989e34f541b1d31cc9e97f5a85d1624ece1b1
Merge-request: 18
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/1451
2011-07-11 17:33:16 +02:00
Richard Moore
14b56b2be4 SSL: Make the internals of certificate name info match the externals.
The internals of QSslCertificate were using QString but the API used
QByteArray, this commit unifies the code. This means that we don't keep
converting things.

Change-Id: I29fc149a85b77e786a6e90e5154c62f713476599
Merge-request: 18
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/1450
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
2011-07-11 17:33:00 +02:00
Richard Moore
8499fb3a9a SSL: Store x509 name entries that have no short name as their OID.
Previously, x509 name entries that didn't have a shortname would all be
(accidentally) stored with the tag 'UNDEF'. This commit changes things
so that they are stored using the string form of their OID.

Change-Id: I667306cc4f91b1ca84f29b986bc21daadeb089b6
Merge-request: 18
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/1449
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
2011-07-11 17:32:47 +02:00
Peter Hartmann
c299b4deac SSL internals: rename methods in the SSL backend to reflect public ones
Change-Id: I234c740b1acbfea670d6170332626f5e3ba49328
Reviewed-on: http://codereview.qt.nokia.com/1437
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2011-07-11 15:52:33 +02:00
Richard Moore
c82af87b53 QSslSocket: Add accessors for SSL version
This commit adds accessors for both the openssl version number and the
version string. The intention here is to aid debugging by making it
possible for applications to know which version of the openssl library
has been found by the runtime linking code.

Since the version of openssl in use will depend on the installation of
the developer, the test cases merely display the version string and
number rather than verifying that any particular version is in use.

Change-Id: Ieec44f0941f99887c85c2858bab0481722d739e5
Merge-request: 12
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/1406
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
2011-07-11 12:43:52 +02:00
Martin Petersson
3d5d8b6c4f Add Happy-Eyeballs style IPv6 connection establishing.
In the cases where a DNS lookup will give you both an IPv4 and IPv6
address, this will start two connection channels at the same time.
One trying to connect using IPv4 and one on IPv6. This is done so
that we can use the fastest one for the connection. To do this we
have to do the hostlookup in the connection. The result is then
in the cache for the individual socket so it will not need to do
another lookup.

Task-number: QTBUG-16458
Change-Id: I806c20168d9c5edc2831b80f82a2bd570b36d5fa
Reviewed-on: http://codereview.qt.nokia.com/1003
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2011-07-04 13:04:57 +02:00
Bernhard Rosenkraenzer
563ec6c690 Make it compile with openssl 1.0.0d, gcc 4.6
SSL_ctrl's prototype has changed slightly in openssl 1.0.0x - the 4th
argument is now a void* as opposed to a const void*.
gcc 4.6 doesn't allow this as an implicit cast.

Merge-request: 1239
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
(cherry picked from commit 007f01a7e801d5409708e4b8de8b3ead1481cf7d)

Change-Id: I4f41af981cf0762383b3fc867ec5d726e2b1e5c6
Reviewed-on: http://codereview.qt.nokia.com/821
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
2011-06-28 10:09:00 +02:00
Richard Moore
2cf935b43e Certificates can have each issuer and subject field many times
THIS COMMIT BREAKS SOURCE COMPATIBILITY BETWEEN Qt 4 AND Qt 5

Qt4 assumed that there was only one entry of each type in the subject
and issuer of a certificate. This is incorrect (eg. you can have many
common names). In addition, some of the fields required by RFC3280
were not supported. This change modifies the API to return a list of
entries of each type and adds support for the missing fields. It also
updates the commonname matching code for SSL connections to handle
multiple entries.

Change-Id: I9457266a205def0a07c13de47094ff56ead42845
Merge-request: 5
Reviewed-on: http://codereview.qt.nokia.com/796
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
2011-06-27 20:44:36 +02:00
Peter Hartmann
0da3d7d5d3 SSL certificate printing: increase max certificate size
apparently there are really big certificates around, so 4k might not
always be enough.

Change-Id: I84df82d117469a14b4c6db81e0ceecc1a8ba47b3
Reviewed-on: http://codereview.qt.nokia.com/554
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2011-06-22 11:01:00 +02:00
Peter Hartmann
366f757e84 SSL certificate printing: lookup Symbian ordinal
Change-Id: I5358726f0457f00098c248326ed66fb54af1d177
Reviewed-on: http://codereview.qt.nokia.com/553
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
2011-06-21 19:09:31 +02:00
Richard Moore
ae4b4696a5 Add the ability to convert a certificate to text
Adds a function that will convert a certificate to human readable text
format using the openssl print function. This is useful for debugging
and for displaying the full details of a certificate (including those
parts not supported by the Qt API).

Change-Id: I27238d05df37f8b15ad09f8e761b06344631a9ce
Merge-request: 2
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
Reviewed-on: http://codereview.qt.nokia.com/551
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
2011-06-21 16:12:55 +02:00
Qt Continuous Integration System
6bd691dc54 Merge branch 'master' of git://scm.dev.nokia.troll.no/qt/qtbase-staging
* 'master' of git://scm.dev.nokia.troll.no/qt/qtbase-staging: (21 commits)
  Fixed line endings.
  Update licenseheader text in source files for qtbase Qt module
  New configure.exe binary
  Add -qpa option on Windows
  Use qglobal.h's VERSION number instead of hardcoded current version
  More examples adjusted to Symbian and Maemo5. (cherry picked from commit a97b9620a584c9b1a2e006873183526b3d7e001e)
  Doc: Added some details to the accessibility events API documentation.
  Doc: Fixed qdoc warnings.
  Doc: Fixed qdoc warnings.
  Doc: Made an additional change for clarity.
  Doc: Noted that the example will not work as expected with a mouse.
  Doc: Fixed qdoc warnings.
  Doc: Applying a pending change from previous merges.
  Doc: Fixed qdoc warning.
  Doc: Fixed qdoc warnings.
  Doc: Applied pending fixes to API documentation.
  Doc: Various fixes to documentation, some based on changes in master.
  Doc: Added missing project and desktop files.
  Doc: Documented the value returned when no field can be found.
  Squashed commit of changes from the 4.8-temp branch.
  ...
2011-05-25 01:11:52 +10:00
Jyri Tahtela
f9f395c28b Update licenseheader text in source files for qtbase Qt module
Updated version of LGPL and FDL licenseheaders.
Apply release phase licenseheaders for all source files.

Reviewed-by: Trust Me
2011-05-24 12:34:08 +03:00
Peter Hartmann
6c72eb8456 fix Symbian ordinals for merge request re. utf8 characters in SSL certs
Task-number: QTBUG-7912
(cherry picked from commit 83c37059df7f23be482d4ecb2c54603a3665a33d)
2011-05-24 10:33:21 +02:00
Pierre Rossi
fe54165149 fix coding style for merge request re. utf8 characters in SSL certs
fixes minor coding issues for
"Use OpenSSL X509_NAME_ENTRY API to parse UTF8 subjectName/issuerName"

Task-number: QTBUG-7912
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
(cherry picked from commit 2e8d206fd9f656cd88b797c059ef83ed3df32881)
2011-05-23 17:41:57 +02:00
Raul Metsma
92f6bd3a15 Use OpenSSL X509_NAME_ENTRY API to parse UTF8 subjectName/issuerName
... to be able to display non-ASCII names from subject and issuerInfo.

Task-number: QTBUG-7912
Merge-request: 922
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>
(cherry picked from commit e5d94256be2525c24a8b61edd771662b7f2b8be3)
2011-05-23 17:41:47 +02:00
David Boddie
234b36698e Doc: Fixed qdoc warnings. 2011-05-23 14:24:08 +02:00
Shane Kearns
e01faeb5c7 Send User-Agent from the network request in http proxy CONNECT command
Some proxies can discriminate based on the User-Agent when sent a
CONNECT command for establishing a HTTPS connection.
With this change, if the User-Agent header is set in the QNetworkRequest
then it will be passed to the http socket engine for use in the connect
command sent to the proxy.
As before, "Mozilla/5.0" will be used by default when no user agent
has been set.

Task-number: QTBUG-17223
Reviewed-by: Markus Goetz
2011-05-09 13:16:13 +02:00
Taito Silvola
c3ad797d8a QSslConfiguration documentation fix
setPeerVerifyMode() and peerVerifyMode() comments fix

Merge-request: 1220
Reviewed-by: Peter Hartmann
2011-05-05 14:16:30 +02:00
Qt by Nokia
38be0d1383 Initial import from the monolithic Qt.
This is the beginning of revision history for this module. If you
want to look at revision history older than this, please refer to the
Qt Git wiki for how to use Git history grafting. At the time of
writing, this wiki is located here:

http://qt.gitorious.org/qt/pages/GitIntroductionWithQt

If you have already performed the grafting and you don't see any
history beyond this commit, try running "git log" with the "--follow"
argument.

Branched from the monolithic repo, Qt master branch, at commit
896db169ea224deb96c59ce8af800d019de63f12
2011-04-27 12:05:43 +02:00