Certain servers, like smtp.live.com, will send a request for a
certificate even though they don't require one. In Schannel this
manifests as a warning/info status (SEC_I_INCOMPLETE_CREDENTIALS).
In the cases where it's not needed we should suppress the warning and
try to connect anyway, which is done by calling
InitializeSecurityContext again when we get the status.
Pick-to: 5.15
Change-Id: I3c48140f2949d8557251a49a2b66946da9395736
Reviewed-by: Joshua GPBeta <studiocghibli@gmail.com>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
CentOS it seems not only backported some OpenSSL 3 functions,
but also raised the default security level to 2, making some of
our keys (and MDs?) 'too weak' and failing auto-tests here and
there as a result. For our auto-test we lower the level to 1,
as it is expected to be.
Fixes: QTBUG-86336
Pick-to: 5.15
Change-Id: I7062a1b292e8b60eb9c2b2e82bd002f09f9da603
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Remove around 1000 compiler warnings about missing overrides
in our auto tests.
This significantly reduce the compiler warning noise in our auto
tests, so that one can actually better see the real problems
inbetween.
Change-Id: Id0c04dba43fcaf55d8cd2b5c6697358857c31bf9
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
It's not guaranteed that all curves we want to use are supported
by a specific build of OpenSSL library we have to link with. Filter
out files that contain EC, which is not among the curves, reported
by QSslConfiguration::supportedEllipticCurves.
Fixes: QTBUG-46203
Pick-to: 5.15
Change-Id: I70d7e6fcacb3d81f8c771e4a8d6cca06295e7474
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
And put a note about it in the documentation
Change-Id: I29126e4a80f83c256190e03b8fe01f3c869fd46d
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
At the moment it just exposes QTBUG-84676, that is, OpenSSL
and non-OpenSSL backend act differently. Went a bit overkill
in making it data-driven, so if someone wants to add more
samples it should be easier to do so.
Change-Id: I96538c9563d12d69c217415ba85e244dda5e0cd0
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Use pro2cmake with '--api-version 2' to force regenerate
projects to use the new prefixed qt_foo APIs.
Change-Id: I055c4837860319e93aaa6b09d646dda4fc2a4069
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
We had such an overloaded version in QSslSocket, it was deprecated without
providing any alternative. Now this function has some use and may be
introduced in Qt6, as QSslConfiguration::setCiphers(const QString &).
Last but not the least - a useless and strange auto-test was removed
(it was creating a list of 5 QSslCiphers each with isNull() == true).
That's becasue '!MD5' or 'ALL' (for example) is not a cipher to be found
in supportedCiphers.
Change-Id: I47eb4c0faa9b52885e883751dd992cd9cb3d26fe
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Not to pollute the global namespace with rather generic names
(especially in case QT_NAMESPACE is none); also drop the
(now)redundant 'Q' prefix in the names.
Change-Id: I57ea7e3996cced705f7ddbdbc1e0231191b31c43
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
They were deprecated with replacements in QSslConfiguration proposed (and
some without alternative, which we'll provide if there is any demand
in such an API). Special thanks to M.N. for a nice hint on how to
amend the test without introducing a new API.
Change-Id: I7841a5b3f30469d8204b61cb65921c34275e0650
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
In Qt 5 we have to work with the esisting API (QSslCertificate::verify),
taking only the peer's chain and the name. We already have a private
API to have a CA's list as an additional parameter, the proper fix
in Qt6 will also introduce a public complement for this.
Pick-to: 5.15
Change-Id: Ib1f75c3056b135c6e6d42f977b5a7034fca658ee
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Whoever wrote this test, was a PROPER hacker: trying to force a TLS implementation
not to properly compress some data, they generated a sequence of bytes in a very fancy manner,
something like 255 0 0 0 255 0 0 0 123 0 0 0 255 0 0 0 - yeah, it's really a random sequence
of bytes, surely, it's impossible to compress! Meh.
Pick-to: 5.15
Change-Id: Ia10ae18a40b5b8f006c45147b06fe5be6efcb129
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
We deprecated several setters on QSslSocket, no need to test
them then (and I'm removing them in Qt 6 anyway, so changing
the test is the phase 1).
Pick-to: 5.15
Change-Id: I5807abfb280cbacd4fcc19468793f9d1f3b2ff20
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Macros and the await helper function from qfunctions_winrt(_p).h are
needed in other Qt modules which use UWP APIs on desktop windows.
Task-number: QTBUG-84434
Change-Id: Ice09c11436ad151c17bdccd2c7defadd08c13925
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@qt.io>
Use 'errorOccurred' instead of 'error' and 'sslHandshakeErrors'
instead of 'sslErrors'.
Fixes: QTBUG-82605
Change-Id: I19d4845b16c7b636af7b0658d4fbbba4eef9d029
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Instead of manual string splitting (EW!), use QDateTime parsing.
Moreover, X.509 certificates *must* have a valid start/end date.
In case of parsing failure, reject the certificate. An autotest
for this last case is coming in a separate patch.
Change-Id: I934bf9e6a4a92e4befdb3b0f9450f76f67bad067
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
We end up with an absurd situation:
QSslConfiguration conf;
//we set CA certs so that on demand loading is disabled:
conf.setCaCertificates({...});
QSslSocket s;
s.setSslConfiguration(conf);
Q_ASSERT(conf == s.sslConfiguration); // this assert fails.
Pick-to: 5.15
Change-Id: I272bed145434082acc6ead95fe3640d222b21131
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Conflicts:
examples/opengl/doc/src/cube.qdoc
src/corelib/global/qlibraryinfo.cpp
src/corelib/text/qbytearray_p.h
src/corelib/text/qlocale_data_p.h
src/corelib/time/qhijricalendar_data_p.h
src/corelib/time/qjalalicalendar_data_p.h
src/corelib/time/qromancalendar_data_p.h
src/network/ssl/qsslcertificate.h
src/widgets/doc/src/graphicsview.qdoc
src/widgets/widgets/qcombobox.cpp
src/widgets/widgets/qcombobox.h
tests/auto/corelib/tools/qscopeguard/tst_qscopeguard.cpp
tests/auto/widgets/widgets/qcombobox/tst_qcombobox.cpp
tests/benchmarks/corelib/io/qdiriterator/qdiriterator.pro
tests/manual/diaglib/debugproxystyle.cpp
tests/manual/diaglib/qwidgetdump.cpp
tests/manual/diaglib/qwindowdump.cpp
tests/manual/diaglib/textdump.cpp
util/locale_database/cldr2qlocalexml.py
util/locale_database/qlocalexml.py
util/locale_database/qlocalexml2cpp.py
Resolution of util/locale_database/ are based on:
https://codereview.qt-project.org/c/qt/qtbase/+/294250
and src/corelib/{text,time}/*_data_p.h were then regenerated by
running those scripts.
Updated CMakeLists.txt in each of
tests/auto/corelib/serialization/qcborstreamreader/
tests/auto/corelib/serialization/qcborvalue/
tests/auto/gui/kernel/
and generated new ones in each of
tests/auto/gui/kernel/qaddpostroutine/
tests/auto/gui/kernel/qhighdpiscaling/
tests/libfuzzer/corelib/text/qregularexpression/optimize/
tests/libfuzzer/gui/painting/qcolorspace/fromiccprofile/
tests/libfuzzer/gui/text/qtextdocument/sethtml/
tests/libfuzzer/gui/text/qtextdocument/setmarkdown/
tests/libfuzzer/gui/text/qtextlayout/beginlayout/
by running util/cmake/pro2cmake.py on their changed .pro files.
Changed target name in
tests/auto/gui/kernel/qaction/qaction.pro
tests/auto/gui/kernel/qaction/qactiongroup.pro
tests/auto/gui/kernel/qshortcut/qshortcut.pro
to ensure unique target names for CMake
Changed tst_QComboBox::currentIndex to not test the
currentIndexChanged(QString), as that one does not exist in Qt 6
anymore.
Change-Id: I9a85705484855ae1dc874a81f49d27a50b0dcff7
[ChangeLog][Deprecation Notice] QAbstractSocket::error() (the signal) is deprecated; superseded by errorOccurred()
Change-Id: I11e9c774d7c6096d1e9b37c451cf0b99188b6aad
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
This reverts commit 94b3dd77f2.
The patch fixes ambiguity between a getter and a signal by changing the
getter name, but we still have to rename the signal to follow the signals
naming convention.
Revert the commit to keep the getter as is and change the signal name instead.
Change-Id: I0dd60cf1ae9d1bd95beeb8ad58661ca4b1fb63b9
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
This is part of the migration of qtbase from QRexExp to
QRegularExpression.
If support for regular expression is disabled, fixed string can
still be used.
[ChangeLog][QtCore][QSslCertificate] Add overload of fromPath that does
not make use of QRegExp and deprecate the QRegExp variant.
Task-number: QTBUG-72587
Change-Id: I507d8941cc7d70166da0948375dc421fe5e7d967
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
We don't know which versions these blacklistings actually apply on
unless we actually get macOS 10.14 and 10.15 into the CI and running
tests, so let's start with that, and then granularize the blacklists
after that.
Task-number: QTBUG-75786
Change-Id: Id79642afa50cb20efa2cd209286b6933918d3a4a
Reviewed-by: Simon Hausmann <simon.hausmann@qt.io>
We were being inconsistent in how we handled this, some tests skipping
while others using QVERIFY. It makes more sense to skip the tests, since
the problem is a missing pre-condition of the test, not the test itself
being bad or exposing real failures in the implementation.
Change-Id: I20eacfe12dbce0b0d926e48cbe2d2772819fa4a5
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
To disambiguate &QSslSocket::sslErrors() expression. Add a new
getter - sslHandshakeErrors().
[ChangeLog][Deprecation Notice] QSslSocket::sslErrors() (the getter) was deprecated and superseded by sslHandshakeErrors()
Task-number: QTBUG-80369
Change-Id: I9dcca3c8499800c122db230753dc19b07654f8a2
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
The one that is a getter for the last error found. This is to disambiguate
the expression '&QAbstractSocket::error'. Introduce a new member-function
socketError as a replacement.
[ChangeLog][Deprecation Notice] QAbstractSocket::error() (the getter) is deprecated; superseded by socketError().
Task-number: QTBUG-80369
Change-Id: Ia2e3d108657aaa7929ab0810babe2ede309740ba
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
1. Add a new verification callback. This gives an option
to report errors directly from this callback (by emitting
handshakeInterruptedOnError()). This allows an application
to explain to its peer why the handshake was interrupted (by
sending a corresponding alert message).
2. This also means we want to notice such alerts (in Qt,
from the application's point of view, they are mostly
informational only, no interaction is required). So we
also introduce a new 'info callback', that can notice alert
messages read or written. We also introduce two new enums
describing the level and type of an alert message. QSslSocket
gets three new signals (for incoming/outgoing alerts and
verification errors found early).
3. In case we requested a certificate, but the peer provided
none, we would previously abruptly close the connection without
a proper alert message (and such a situation is not handled
by any verification callbacks, since there is no certificate(s)
to verify essentially). So we now introduce a new verification
option that maps to what OpenSSL calls 'SSL_VERIFY_FAIL_IF_NO_PEER_CERT'.
This way, the proper alert will be generated.
Fixes: QTBUG-68419
Change-Id: I5d1e9298b4040a2d4f867f5b1a3567a2253927b8
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
