Move these types to QAsn1Element so that they can use the toString()
method which guards against malicious ASN.1.
Change-Id: I7d6155147a6fc2d41da6f3ae87551b6cb75aa9ce
Reviewed-by: Oliver Wolff <oliver.wolff@theqtcompany.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
We don't currently use this class for critical things like hostname
verification however we still want to ensure that it is not possible
to trick it using ASN.1 strings with embedded NUL characters. This will
avoid problems in the future.
Change-Id: Ibf3bc142a94fc9cad5f06db50f375399a087f9dc
Reviewed-by: Jeremy Lainé <jeremy.laine@m4x.org>
Reviewed-by: Oliver Wolff <oliver.wolff@theqtcompany.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Add support for SSL on iOS/OS X by adding a SecureTransport based
backend.
[ChangeLog][QtNetwork][QSslSocket] A new SSL backend for iOS and OS X,
implemented with Apple's Secure Transport (Security Framework).
Change-Id: I7466db471be2a8a2170f9af9d6ad4c7b6425738b
Reviewed-by: Richard J. Moore <rich@kde.org>
Mainly because of a change in certificates which is causing failing
tests.
Change-Id: I8304e5ac4107428a250b71be5df7b5399a811017
Reviewed-by: Tony Sarajärvi <tony.sarajarvi@digia.com>
[ChangeLog][QtNetwork][QSslSocket] It is now possible to use TLS PSK
ciphersuites in client sockets.
Task-number: QTBUG-39077
Change-Id: I5523a2be33d46230c6f4106c322fab8a5afa37b4
Reviewed-by: Richard J. Moore <rich@kde.org>
Since the conversion to a long name was already there, also support
creation from a long name.
Change-Id: Iad712db7447fb0a0a18f600b7db54da5b5b87154
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
Add possibility to get length and other information of EC based
certificates. Also it is possible to parse those public/private
keys from PEM and DER encoded files.
Based on patch by Remco Bloemen
[ChangeLog][QtNetwork][SSL/TLS support] It is now possible to
parse elliptic curve certificates.
Change-Id: I4b11f726296aecda89c3cbd195d7c817ae6fc47b
Task-number: QTBUG-18972
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
tst_collections.cpp
tst_collections.cpp(3138) : warning C4305: 'argument' : truncation from 'size_t' to 'bool'
tst_collections.cpp(3190) : see reference to function template instantiation 'void testContainerTypedefs<QVector<int>>(Container)' being compiled
with[Container=QVector<int>]
(repeated)
tst_qringbuffer.cpp(297) : warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data
tst_qringbuffer.cpp(300) : warning C4309: '=' : truncation of constant value
tst_qringbuffer.cpp(306) : warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data
tst_qrawfont.cpp(947) : warning C4309: 'argument' : truncation of constant value
tst_qsslsocket_onDemandCertificates_member.cpp(217) : warning C4189: 'rootCertLoadingAllowed' : local variable is initialized but not referenced
Change-Id: I6143d4ad121088a0d5bdd6dd2637eb3641a26096
Reviewed-by: Kai Koehne <kai.koehne@theqtcompany.com>
Some of these tests are verifying things that are not supported
on Android, so we XFAIL these cases when we see the appropriate
error message.
Change-Id: I8245266f061c902515bb12251521159a8e19bfb7
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Linux gracefully allows us to do that and treat the v6 socket as if it
were v4. Other OS (notably OS X) aren't so forgiving.
Change-Id: I13dd3274be2a4b13e8b1eef93cbc2dd17b648f96
Reviewed-by: Richard J. Moore <rich@kde.org>
We want to use "localhost" if the server's address is "any", as some OS
can't send datagrams to "any" (e.g., OS X and FreeBSD).
Change-Id: I1004bc2282e7f930cdb7ed394aa9f4b5a1cfcf82
Reviewed-by: Richard J. Moore <rich@kde.org>
On my Mac Mini, port 5000 is in use, which means the broadcasting test
fails.
Change-Id: Ifb0883263e277f388342430349ea7315d42f324a
Reviewed-by: Richard J. Moore <rich@kde.org>
It was unconditional. Someone forgot to check for IPv6 support before
skipping IPv6 tests.
Change-Id: I7b11528ad02560f0db9defde3c64f76f48a6c1f8
Reviewed-by: Richard J. Moore <rich@kde.org>
QUdpSocket doesn't support binding to QHostAddress::Any and then joining
an IPv4 multicat group since QHostAddress::Any is really an IPv6 socket
with v6only = false. The test did check this case, but failed to ignore
the warning.
Change-Id: I62d782408319a6e566e0ff1a6081b706ac1f669c
Reviewed-by: Richard J. Moore <rich@kde.org>
With IPv6, you cannot bind to a multicast address. You need to bind to a
local address only. The previous tests either checked this or didn't
check the result of bind().
Change-Id: Ief70887d8988fc1bc4394cf6ff34b5d560e5748e
Reviewed-by: Richard J. Moore <rich@kde.org>
Sending 100*8 packets of each type of message is WAY overkill. That's a
stress test without limiting. My Linux system starts reporting EAGAIN on
the socket, so reduce the amount of data sent.
Change-Id: I153f44cf3b91d37526dac580b400114cc80b1769
Reviewed-by: Richard J. Moore <rich@kde.org>
IPv6 has no such thing, so don't try to bind to an IPv6 address to send
broadcasts (even though that works) and it's a poor idea to bind to IPv6
to receive broadcasts. Moreover, skip any IPv6 network addresses
(broadcast() is invalid).
Change-Id: I2829b042c000158565adfd92db682f37d67dacae
Reviewed-by: Richard J. Moore <rich@kde.org>
If you don't have /etc/lsb-release, you'd get
sh: line 0: [: =: unary operator expected
Change-Id: Idb5c79f799879e4d32cd640ef74fb388227f831e
Reviewed-by: Richard J. Moore <rich@kde.org>
It doesn't make sense because there is no command to ask the proxy
server to join a multicast group. At best, we could write a datagram via
proxy without joining, but we definitely can't receive.
Change-Id: Icc6b54572a053fb7821dfca1f4111f2046ff8686
Reviewed-by: Richard J. Moore <rich@kde.org>
The Qt bug tracker URL changes as part of the qt.io transition
Change-Id: Icb4ab198943b93639b5e3a8d99262303785c6459
Reviewed-by: Kai Koehne <kai.koehne@theqtcompany.com>
The setEmptyDefaultConfiguration test creates a socket and connects its
sslErrors signal to tst_QSslSocket's ignoreErrorSlot slot. This slot
expects the socket to have been stored in tst_QsslSocket's "socket"
member, which was not being done. This patch fixes this problem.
It does beg the question of whether having a "socket" member in the
tst_QSslSocket class is a good idea as it is error prone.
Change-Id: Ic59d1789c5f1ed240c3f0c37981f6ecc35572f0d
Reviewed-by: Richard J. Moore <rich@kde.org>
The sslErrors and peerVerifyError test the same situation: connect to a
server which is using the fluke certificate, using the incorrect host name.
They connect respectively to qt-test-server:993 and the.server.ip.address:443.
The sslErrors is prone to backend-dependent failures concerning the order
in which SSL errors are received, just like the peerVerifyError test was
until recently.
This change merges these two tests into one, which is run against the same
two servers as previously. It also adds a check to ensure that sslErrors
and peerVerifyError emit the same SSL errors (regardless of order).
This also fixes the included headers for non-OpenSSL backends.
Change-Id: Ibd5f60d24f1682989378e87729389e4b8f9efac5
Reviewed-by: Richard J. Moore <rich@kde.org>
Conflicts:
dist/changes-5.4.0
7231e1fbe2 went into 5.4 instead of the
5.4.0 branch, thus the conflict.
Change-Id: I70b8597ab52506490dcaf700427183950d42cbd1
[ChangeLog][QtNetwork][QtSSL] It is now possible to choose which elliptic
curves should be used by an elliptic curve cipher.
Change-Id: If5d0d58922768b6f1375836489180e576f5a015a
Done-with: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
This makes it follow the coding style, which says to camel case acronyms too,
and makes it consistent with the rest of the class.
Change-Id: I4a1b21de1815530e476fc5aa8a0d41c724fc8021
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: hjk <hjk121@nokiamail.com>
This patch is cherry-picked from
c38f1f19b8 and
d29d727d72
Task-number: QTBUG-32435
Change-Id: I6dbbb668b96737a5791bc688949a00bc09f1357f
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@theqtcompany.com>
This patch is cherry-picked from
63ae74f365 and
07f234d2a8
Task-number: QTBUG-42528
Change-Id: I5f86679e62a4be48ce25afa5a4987a2b6678a357
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@theqtcompany.com>
After the poodle vulnerability SSLv3 should like SSLv2 no longer be
considered safe, so when a user request a safe protocol we should
only allow TLS versions.
[ChangeLog][QtNetwork][QSsl] QSsl::SecureProtocols now also excludes SSLv3
Change-Id: If825f6beb599294b028d706903b39db6b20be519
Reviewed-by: Richard J. Moore <rich@kde.org>
QNetworkDiskCache don't handle to set CookieHeader. so All Set-Cookie's value is invalid.
The root of cause is that metaDataChanged() don't work because of no slot for it.
Add the slot for it and renamed to _q_metaDataChanged.
Task-number: QTBUG-41514
Change-Id: I5cec017e59a1de69c6e89c0bc7209a73dcdc11da
Reviewed-by: Jeongmin Kim <jm86.kim@lge.com>
Reviewed-by: Jung Dong-Heon <clamp03@gmail.com>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
qsslsocket_winrt.cpp defined it locally, which runs the risk of
clashes with a potential user-defined qHash(QSslError), so
make it public.
Also included both .error() and .certificate() in the hash, as
both of these are used to determine equality (the WinRT version
only used .error()).
[ChangeLog][QtNetwork][QSslError] Can now be used in QSet/QHash.
Change-Id: Ieb7995bed491ff011d4be9dad544248b56fd4f73
Reviewed-by: Oliver Wolff <oliver.wolff@digia.com>
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
qsslsocket_winrt.cpp defined it locally, which runs the risk of
clashes with a potential user-defined qHash(QSslCertificate), so
make it public.
Also, the implementation in qsslsocket_winrt.cpp simply hashed
the handle(), which violates the principle that equal instances
must hash to the same value. Also, for some platforms, the
implementation returns nullptr unconditionally, which, while not
violating the above-mentioned principle, will make all users of
the hash have worst-case complexity.
To calculate a meaningful hash, therefore, the certificate needs
to be inspected deeper than just the handle.
For OpenSSL, we use X509::sha1_hash, which also X509_cmp uses
internally to determine inequality (it checks more stuff, but
if X059::sha1_hash is different, X509_cmp() returns non-zero,
which is sufficient for the purposes of qHash()). sha1_hash may
not be up-to-date, though, so we call X509_cmp to make it valid.
Ugh.
For WinRT/Qt, we use the DER encoding, as that is the native
storage format used in QSslCertificate. This is not equivalent
to the implementation used in qsslsocket_winrt.cpp before, but
since handle() == handle() => toDer() == toDer(), it should not
be a problem.
[ChangeLog][QtNetwork][QSslCertificate] Can now be used as a key in QSet/QHash.
Change-Id: I10858fe648c70fc9535af6913dd3b7f3b2cf0eba
Reviewed-by: Oliver Wolff <oliver.wolff@digia.com>
