Commit Graph

135 Commits

Author SHA1 Message Date
Frederik Gladhorn
3de7382044 Merge remote-tracking branch 'origin/5.4.0' into 5.4
Conflicts:
	dist/changes-5.4.0

7231e1fbe2 went into 5.4 instead of the
5.4.0 branch, thus the conflict.

Change-Id: I70b8597ab52506490dcaf700427183950d42cbd1
2014-11-27 18:12:10 +01:00
Tony Sarajärvi
aed71b6832 Blacklist one tst_qsslsocket test
Task-number: QTBUG-29941
Change-Id: Ieb3418a2d6d88ebd399964b5df20d9fe4d6ca37b
Reviewed-by: Simo Fält <simo.falt@digia.com>
2014-11-26 10:47:08 +01:00
Alejandro Exojo
f88ab80c8a Use camel case in PKCS#12 function
This makes it follow the coding style, which says to camel case acronyms too,
and makes it consistent with the rest of the class.

Change-Id: I4a1b21de1815530e476fc5aa8a0d41c724fc8021
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: hjk <hjk121@nokiamail.com>
2014-11-24 08:50:05 +01:00
Paul Olav Tvete
85a4aaa5ce Fix invalid qmake syntax
Task-number: QTBUG-42549
Change-Id: I57ba3150e3a3b915faf0356d8a3f89801eb4963e
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
Reviewed-by: Timur Pocheptsov <Timur.Pocheptsov@digia.com>
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@theqtcompany.com>
2014-11-19 10:34:24 +01:00
Allan Sandfeld Jensen
3fd2d9eff8 Update QSsl::SecureProtocols to not include Sslv3
After the poodle vulnerability SSLv3 should like SSLv2 no longer be
considered safe, so when a user request a safe protocol we should
only allow TLS versions.

[ChangeLog][QtNetwork][QSsl] QSsl::SecureProtocols now also excludes SSLv3

Change-Id: If825f6beb599294b028d706903b39db6b20be519
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-10-24 12:46:26 +02:00
Marc Mutz
32dfbd6dbf Add qHash(QSslError) overload
qsslsocket_winrt.cpp defined it locally, which runs the risk of
clashes with a potential user-defined qHash(QSslError), so
make it public.

Also included both .error() and .certificate() in the hash, as
both of these are used to determine equality (the WinRT version
only used .error()).

[ChangeLog][QtNetwork][QSslError] Can now be used in QSet/QHash.

Change-Id: Ieb7995bed491ff011d4be9dad544248b56fd4f73
Reviewed-by: Oliver Wolff <oliver.wolff@digia.com>
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
2014-10-19 07:32:41 +02:00
Marc Mutz
e8bdc949fc Add qHash(QSslCertificate) overload
qsslsocket_winrt.cpp defined it locally, which runs the risk of
clashes with a potential user-defined qHash(QSslCertificate), so
make it public.

Also, the implementation in qsslsocket_winrt.cpp simply hashed
the handle(), which violates the principle that equal instances
must hash to the same value. Also, for some platforms, the
implementation returns nullptr unconditionally, which, while not
violating the above-mentioned principle, will make all users of
the hash have worst-case complexity.

To calculate a meaningful hash, therefore, the certificate needs
to be inspected deeper than just the handle.

For OpenSSL, we use X509::sha1_hash, which also X509_cmp uses
internally to determine inequality (it checks more stuff, but
if X059::sha1_hash is different, X509_cmp() returns non-zero,
which is sufficient for the purposes of qHash()). sha1_hash may
not be up-to-date, though, so we call X509_cmp to make it valid.
Ugh.

For WinRT/Qt, we use the DER encoding, as that is the native
storage format used in QSslCertificate. This is not equivalent
to the implementation used in qsslsocket_winrt.cpp before, but
since handle() == handle() => toDer() == toDer(), it should not
be a problem.

[ChangeLog][QtNetwork][QSslCertificate] Can now be used as a key in QSet/QHash.

Change-Id: I10858fe648c70fc9535af6913dd3b7f3b2cf0eba
Reviewed-by: Oliver Wolff <oliver.wolff@digia.com>
2014-10-19 07:32:37 +02:00
Marc Mutz
10e5bcf9d0 tst_QSslError: cleanup unused functions
Change-Id: I4db7399e533805e1dddaa76d5a609d2006a97da6
Reviewed-by: Giuseppe D'Angelo <giuseppe.dangelo@kdab.com>
2014-09-26 00:39:37 +02:00
Matti Paaso
974c210835 Update license headers and add new license files
- Renamed LICENSE.LGPL to LICENSE.LGPLv21
- Added LICENSE.LGPLv3
- Removed LICENSE.GPL

Change-Id: Iec3406e3eb3f133be549092015cefe33d259a3f2
Reviewed-by: Iikka Eklund <iikka.eklund@digia.com>
2014-09-24 12:26:19 +02:00
Jeremy Lainé
070fcf9ce1 ssl: common certificate parser support for extensions
This makes non-OpenSSL backends able to handle to certificate
extensions.

This also converts the Q_OS_WINRT #ifdef's in the unit test to
QT_NO_OPENSSL as the behavior is the same for any non-OpenSSL
backend.

Change-Id: I6a8306dc5c97a659ec96063d5a59cee2ee9a63a9
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-09-05 14:20:44 +02:00
Jeremy Lainé
863f598b65 ssl: make peerVerifyError test agnostic of error order
Currently the peerVerifyError test for QSslSocket makes an assumption
about the order in which SSL errors are emitted by peerVerifyError. This
assumption does not necessarily hold for non-OpenSSL backends.

This change fixes this assumption, and also checks that HostNameMismatch
was found both in the errors emitted by peerVerifyError and by sslErrors.

Change-Id: I856d1ea43b36332db0f178d35fc14a4bb18ad673
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-09-05 12:20:25 +02:00
Jeremy Lainé
7b1dad8021 ssl: enable non-OpenSSL backends to compile QSslSocket tests
Some of the QSslSocket tests use OpenSSL-specific symbols. This
change fixes this issue.

Change-Id: Ib67efa42a15facaf0ad34fc0466341a37d945d1e
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
2014-09-05 12:20:02 +02:00
Jeremy Lainé
bdb30abcd2 ssl: add support for ASN.1 boolean values
This adds support for reading and writing ASN.1 boolean
values. It also adds an operator to test two ASN.1 elements
for equality.

Change-Id: I4a22cbf9808533d593fc59d27b63caaf650b1f57
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-09-03 17:28:02 +02:00
Jeremy Lainé
f750979b70 ssl: check critical certificate extensions
This adds a test for a QSslCertificate containing extensions which
are marked as critical.

Change-Id: I314e1f5c9943bcad5d43129a97f9f834882dc6fb
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-09-03 16:10:45 +02:00
Jeremy Lainé
a02d798bbd ssl: tighten QSslCertificateExtension tests
This tightens tests performed on a certificate's extensions by checking
isCritical() and isSupported() for all extensions. It also explicitly
checks the keys when value() returns a QVariantMap.

Change-Id: If51c55be25bbcd09cc3a6712ddfea2bf9a01360f
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-09-03 15:07:49 +02:00
Jeremy Lainé
cd3dece750 ssl: common key parser support for encrypted keys
This adds the infrastructure for reading and writing encrypted private keys
when using non-OpenSSL backends. Each platform must provide its cryptographic
encrypt / decrypt functions.

As WinRT already uses the common parser, this commit includes an
implementation for that platform.

Done-with: Andrew Knight <andrew.knight@digia.com>
Task-number: QTBUG-40688
Change-Id: I0d153425ce63601ff03b784a111e13962061025f
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-09-02 23:16:25 +02:00
Jeremy Lainé
31938846ae qasn1element: add QAsn1Element::toInteger
This change adds the ability to decode ASN.1 INTEGER fields,
provided they represent a positive number of less than 64-bit.

This is needed for PKCS#12 decoding.

Change-Id: Iafb76f22383278d6773b9e879a8f3ef43c8d2c8f
Reviewed-by: Oliver Wolff <oliver.wolff@digia.com>
2014-09-02 09:52:08 +02:00
Jeremy Lainé
5c3a499c9f ssl: disable (broken) i/o on DER encoded keys
QSslKey currently has methods which supposedly allow decoding and
encoding private keys as DER protected by a passphrase. This is
broken by design as explained in QTBUG-41038, as storing the encrypted
DER data alone makes no sense: such a file lacks the necessary
information about the encryption algorithm and initialization vector.

This change:

- explicitly stops using the passphrase when decoding DER in the
  constructor. The behavior is unchanged, it is not possible to
  read the encrypted DER alone.

- refuses to honor the passphrase to DER encode a private key. The toDer
  method now outputs an empty QByteArray instead of garbage.

Task-number: QTBUG-41038
Change-Id: I4281050cf1104f12d154db201a173633bfe22bd9
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-08-30 17:36:23 +02:00
Jeremy Lainé
2fd0afc1f8 ssl: add a test for 3DES encrypted keys
This adds a test for 3DES encrypted keys in addition to the
current DES encrypted keys.

Change-Id: I229e3ef710e9ee23efa2a3275b89d958491de4a2
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-08-30 17:24:05 +02:00
Oliver Wolff
5328ec7e10 winrt: complete QSslCertificate implementation
The native handle and import functions are now available for use in other
parts of the winrt backend.

Change-Id: I07e6f95b3411c3dc7c1a7a164544b18e5e435d01
Reviewed-by: Maurice Kalinowski <maurice.kalinowski@digia.com>
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
2014-08-30 08:20:51 +02:00
Jeremy Lainé
6a4cb8d62b ssl: Add common key parser for backends
This internal implementation of QSslKey can be used when OpenSSL is not
available. Encrypted keys are not supported, as the cryptography must
be supplied by a separate library.

With this commit, WinRT is migrated to the new implementation,
but qsslkey_winrt.cpp is left in place so that the missing crypto
implementation can be added later. This also means most of the expected
failures for that platform can be removed from the autotest.

Change-Id: I24a3ad1053bb72311613b28b3ae845aa1645a321
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
Reviewed-by: Maurice Kalinowski <maurice.kalinowski@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-08-29 23:18:22 +02:00
Jeremy Lainé
d4dc3159c7 Check certificate nullity instead of handle
This changes tests which use QSslCertificate::handle() to determine
if a certificate is null to use QSslCertificate::isNull() instead.

This is required for non-OpenSSL backends which do not actually
expose a private handle.

Change-Id: I9523ba0dd00d47ba337b543ad34840125db99bfb
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
2014-08-28 13:33:46 +02:00
Andrew Knight
ecbf6dfbf5 ssl: Share the host name matching utilities
This moves the socket backend's host name matching functions up to
QSslSocketPrivate so that they can be shared between backends. This
works, as there is no OpenSSL-specific code here.

Change-Id: I73c2081fdc2e60a44c90e90800d1e1877391a626
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-08-27 15:03:58 +02:00
Jeremy Lainé
4040bc21ab Added QAsn1Element
This element can be used for backends that do not offer all the
information that is needed when implementing a ssl certificate backend.
WinRT and the SecureTransport lack functionality in this area for
example.

The sources and tests are added for ssl and openssl configurations in order
to be tested. The condition for adding these can be changed as soon
as they are used by an actual implementation

Change-Id: I2b836133105afdc178bf3b1ee7d732bea069effa
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
2014-08-24 06:01:05 +02:00
Andrew Knight
8c864ac498 winrt: Add partial SSL key support
This allows for opening of public key files. It does not, however,
support opening private keys (or decrypting/encrypting them). This is
due to limitations in the native API.

Nearly all public key tests pass (the native API doesn't support the
40-bit key in the test set). The private key tests are expected to fail.

Task-number: QTBUG-40688
Change-Id: Id8f2f1ae6526540736ceb2e5371f6a5d80c4ba7b
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Oliver Wolff <oliver.wolff@digia.com>
2014-08-13 21:09:51 +02:00
Frederik Gladhorn
f035786021 Merge remote-tracking branch 'origin/5.3' into dev
Change-Id: Ia12ffdb27ecdf25c2a2bdb0eed1945387502108a
2014-07-10 10:11:11 +02:00
Peter Hartmann
916c9d469b QSslCertificate: blacklist NIC certificates from India
Those intermediate certificates were used to issue "unauthorized"
certificates according to
http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html
, and are by default trusted on Windows, so to be safe we blacklist
them here.

Change-Id: I9891c5bee2dd82c22eb0f45e9b04abd25efeb596
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-07-09 21:30:11 +02:00
Richard J. Moore
1a8788d966 Move the PKCS#12 support from QSslSocket to QSslCertificate.
Discussed with Peter and agreed that it's a slightly better fit there.

Change-Id: If8db777336e2273670a23d75d8542b30c07e0d7b
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-05-14 11:08:01 +02:00
Frederik Gladhorn
ff334fd574 Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev 2014-05-13 16:08:01 +02:00
Frederik Gladhorn
b5552bab40 Merge remote-tracking branch 'origin/stable' into dev
Manually changed enum to LibGL in
    src/plugins/platforms/xcb/qglxintegration.cpp

Change-Id: If34ee6cce3d1d51fb4bb1fdfa59c30389ea0d207
2014-05-13 14:21:22 +02:00
Richard J. Moore
50e8e95385 Add support for loading PKCS#12 bundles.
Add support for loading certificates and keys from PKCS#12 bundles
(also known as pfx files).

Task-number: QTBUG-1565

[ChangeLog][QtNetwork][QSslSocket] Support for loading PKCS#12
bundles was added. These are often used to transport keys and
certificates conveniently, particularly when making use of
client certificates.

Change-Id: Idaeb2cb4dac4b19881a5c99c7c0a7eea00c2b207
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2014-05-11 23:50:03 +02:00
Frederik Gladhorn
1326cd15f7 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	mkspecs/qnx-x86-qcc/qplatformdefs.h
	src/corelib/global/qglobal.h
	src/opengl/gl2paintengineex/qpaintengineex_opengl2.cpp
	src/opengl/qgl.cpp
	src/opengl/qglpixelbuffer.cpp
	src/opengl/qglshaderprogram.cpp
	tests/auto/opengl/qglthreads/tst_qglthreads.cpp

Change-Id: Iaba137884d3526a139000ca26fee02bb27b5cdb5
2014-05-06 16:50:03 +02:00
Richard J. Moore
9b1746c499 Add autotest for the QSslCertificate QIODevice constructor.
Change-Id: I92fa083665509932b75ff1037904a6f78a950fd6
Reviewed-by: Jeremy Lainé <jeremy.laine@m4x.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-05-06 16:35:56 +02:00
Richard J. Moore
1d6695451f Add an autotest the QSslCertificate::version() method works.
Change-Id: Ife5b7206fd3d7af57cfca3c0f28f56bb53ede7a7
Reviewed-by: Jeremy Lainé <jeremy.laine@m4x.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-05-06 16:35:56 +02:00
Daniel Molkentin
ae7bbe3400 Provide new API: QSslCertificate::isSelfSigned()
Change-Id: I382a017a0b865b849667301aff8b2f87b676ecc6
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-04-30 01:30:08 +02:00
Frederik Gladhorn
dda9b5325f Add missing #ifndef QT_NO_SSL
Change-Id: I2912dcca77270582f6e989b8b3fb72b82f6f70d6
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-04-25 10:55:31 +02:00
Richard J. Moore
814a1c7b2b Support for DH and ECDH key exchange for QSslSocket servers
Despite supporting DH and ECDH key exchange as a client, Qt did not provide
any default parameters which prevented them being used as a server. A
future change should allow the user to control the parameters used, but
these defaults should be okay for most users.

[ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange
cipher suites when acting as an SSL server has been made possible. This
change means the you can now implement servers that offer forward-secrecy
using Qt.

Task-number: QTBUG-20666
Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-04-09 20:53:06 +02:00
Friedemann Kleint
5b00bb39f2 Polish tst_qsslsocket a bit.
Output the SSL library version, output socket error string on connection
failure consistently, silence numerous warnings about QIODevice not
being open in tst_QSslSocket::constructing.

Change-Id: Ia23d42de5b2daca55b2f6f50af025d61e99c52a0
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-03-26 07:22:35 +01:00
Sergio Ahumada
699ba50744 QtNetwork tests: Remove DEFINES += QT_DISABLE_DEPRECATED_BEFORE=0
Change-Id: If1cc5fafddc41ed19dd818caf294c69cd4969216
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-02-25 16:47:13 +01:00
Frederik Gladhorn
46791c08e1 Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev 2014-01-21 17:57:54 +01:00
Richard J. Moore
5c19fad8c1 Ensure weak ciphers are not part of the default SSL configuration.
Any cipher that is < 128 bits is excluded from the default SSL
configuration. These ciphers are still included in the list
of availableCiphers() and can be used by applications if required.
Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers())
will restore the old behavior.

Note that in doing so I spotted that calling defaultCiphers() before
doing other actions with SSL had an existing bug that I've addressed
as part of the change.

[ChangeLog][Important Behavior Changes] The default set of
ciphers used by QSslSocket has been changed to exclude ciphers that are
using key lengths smaller than 128 bits. These ciphers are still available
and can be enabled by applications if required.

Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-21 03:41:34 +01:00
Frederik Gladhorn
9033977d39 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/corelib/global/qglobal.h
	src/corelib/tools/qstring.cpp
	src/gui/image/image.pri
	src/gui/image/qimage.cpp
	src/plugins/platforms/cocoa/qcocoawindow.h
	src/plugins/platforms/cocoa/qcocoawindow.mm
	src/plugins/platforms/eglfs/qeglfshooks_stub.cpp
	tests/auto/corelib/io/qstandardpaths/tst_qstandardpaths.cpp

Change-Id: I3b9ba029c8f2263b011f204fdf68c3231c6d4ce5
2014-01-20 18:18:59 +01:00
Richard J. Moore
7c8131763d Prevent spurious SSL errors from local certificates.
Qt since approximately 4.4 has set the verify callback on both the SSL
store and the SSL context. Only the latter is actually needed. This is
normally not a problem, but openssl prior to 1.0.2 uses the verify
code to find the intermediate certificates for any local certificate
that has been set which can lead to verification errors for the local
certificate to be emitted.

Task-number: QTBUG-33228
Task-number: QTBUG-7200
Task-number: QTBUG-24234
Change-Id: Ie4115e7f7faa1267ea9b807c01b1ed6604c4a16c
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-16 21:57:06 +01:00
Frederik Gladhorn
3f3be55835 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/gui/kernel/qplatformtheme.h
	tests/auto/network/socket/qudpsocket/tst_qudpsocket.cpp
	tests/auto/widgets/widgets/qspinbox/tst_qspinbox.cpp

Change-Id: Iecd3343d6a050b8764f78d809c4a1532aeba69e5
2013-12-16 16:59:33 +01:00
Peter Hartmann
7eecbb0718 SSL: blacklist ANSSI intermediate certificate
... because it was used to operate a man-in-the-middle proxy.

Task-number: QTBUG-35474
Change-Id: Ic7f19708b278b866e4f06533cbd84e0ff43357e9
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-12-10 15:14:22 +01:00
Oliver Wolff
1efe5d4b41 WinRT: Fixed compilation of network autotests and benchmarks
Change-Id: Id689f199cfb22dce231cec36faba57ab958b1bac
Reviewed-by: Maurice Kalinowski <maurice.kalinowski@digia.com>
2013-12-06 15:06:47 +01:00
Sergio Ahumada
7978cef796 tests: Make the QT assignments more explicit
Remove unused 'QT -= gui' and replace some others with
'QT = core ...'

Change-Id: I2d14fae963afc21dbd21a4acdbba2c30cdf8fa61
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
2013-08-21 19:05:52 +02:00
Sergio Ahumada
b0b754632e test: Skip some more qsslsocket flaky tests [part 2]
Task-number: QTBUG-29941
Change-Id: I28e71f952fcade6ab0aa76db71a1e2f408952830
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-08-16 17:08:24 +02:00
Sergio Ahumada
983fa9b5cb test: Skip some more qsslsocket flaky tests
Task-number: QTBUG-29941
Change-Id: Iaf1c4834ef36db284464184639a1ab00928510cf
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2013-08-13 17:08:13 +02:00
Sergio Ahumada
d6522b70ad test: Skip some flaky tests, but only if they are expected to fail
Task-number: QTBUG-29941
Change-Id: Ieca736c26711fa292855b3281229282628dce608
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-08-10 22:31:42 +02:00