All TLS (and non-TLS) backends that QSsl classes rely
on are now in plugins/tls (as openssl, securetransport,
schannel and certonly plugins).
For now, I have to disable some tests that were using OpenSSL
calls - this to be refactored/re-thought. These include:
qsslsocket auto-test (test-case where we work with private keys),
qsslkey auto-test (similar to qsslsocket - test-case working with
keys using OpenSSL calls).
qasn1element moved to plugins too, so its auto-test have to
be re-thought.
Since now we can have more than one working TLS-backend on a given
platform, the presence of OpenSSL also means I force this backend
as active before running tests, to make sure features implemented
only in OpenSSL-backend are tested.
OCSP auto test is disabled for now, since it heavily relies on
OpenSSL symbols (to be refactored).
[ChangeLog][QtNetwork][QSslSocket] QSslSocket by default prefers 'openssl' backend
if it is available.
[ChangeLog][QtNetwork][QSslSocket] TLS-backends are not mutually exclusive anymore,
depending on a platform, more than one TLS backend can be built. E.g., configuring
Qt with -openssl does not prevent SecureTransport or Schannel plugin from being
built.
Fixes: QTBUG-91928
Change-Id: I4c05e32f10179066bee3a518bdfdd6c4b15320c3
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
It was more complex than needed in a few places.
Change-Id: I0609423f82420f72c65637cf398ccd7694ee85e5
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
All backend-specific code is now separated and removed
from QSslSocket(Private) code. The original code is mostly
preserved to avoid (as much as possible) regressions (and
to simplify code-review).
Fixes: QTBUG-91173
Task-number: QTBUG-65922
Change-Id: I3ac4ba35d952162c8d6dc62d747cbd62dca0ef78
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 9391ba55149336c395b866b24dc9b844334d50da)
Renamed the private part of the namespace to QTlsPrivate.
Fixes: QTBUG-91531
Change-Id: Id2d9c458d8d958b35e437eee42889177dad0a7a7
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit e4efa00c72c7011f4e5c27722c2a522b30274610)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
It's a bit weird to calculate timeout in milliseconds and then pass
it as number of seconds ...
Pick-to: 6.1 5.15
Change-Id: I1127163ea06e49ac1b53eea6f60ee8590319bfa1
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
The idea is to have QSslKey(Private) backend-neutral and hide
all library-specific code inside plugins.
Fixes: QTBUG-90953
Task-number: QTBUG-65922
Change-Id: I2eeee3b2b72c78c2e24f2fb914abce3caa913be8
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 0352cf8e1bf57615b9faf3f6f383896444e762ac)
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
QTlsBackend is a factory itself - it creates TLS/X509 objects. Having
an intermediary between Factory->Backend->TLS primitive does not look
very natural thus let's squash the first two parts. Backend is a factory
creating TLS primitives, but its static functions also provide information
about backends availablei and give access to those backends.
Fixes: QTBUG-90606
Task-number: QTBUG-65922
Change-Id: I8409d81fd11fb46e6ab4465b4937a7680a8c2447
Reviewed-by: Alex Blasche <alexander.blasche@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
This is an abstraction for TLS backend and its factory, preparing to transition
to plugin-based design.
Task-number: QTBUG-65922
Change-Id: Ibe810e77fd1b715a6bea66cd3f44312b015ac274
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
This API gives the names of available backends and provides a basic
information about features/protocols supported by those backends.
Also, it has the 'loadBackend' functions which allow to select
a particular backend (which are becoming plugins).
At the moment, the implementation is still 'hardcoded', the
follow-up patch will allow to select different backends in runtime.
Task-number: QTBUG-65922
Change-Id: I05877de9c02857594e76b24d52e7578bdb01df69
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Those serve no purpose anymore, now that the .pro files are gone.
Task-number: QTBUG-88742
Change-Id: I39943327b8c9871785b58e9973e4e7602371793e
Reviewed-by: Cristian Adam <cristian.adam@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Kai Koehne <kai.koehne@qt.io>
SecureTransport does not allow deprecated digest algorithms, and
(depending on ST version) it may or may not accept our server's
certificate.
Funnily enough, they 'fluctuate' between versions again and again.
Fixes: QTBUG-89922
Change-Id: Ie5fbfca316806bd5000ce2d128b81b718bb36624
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Remove the qmake project files for most of Qt.
Leave the qmake project files for examples, because we still test those
in the CI to ensure qmake does not regress.
Also leave the qmake project files for utils and other minor parts that
lack CMake project files.
Task-number: QTBUG-88742
Change-Id: I6cdf059e6204816f617f9624f3ea9822703f73cc
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Kai Koehne <kai.koehne@qt.io>
Complete search and replace of QtTest and QtTest/QtTest with QTest, as
QtTest includes the whole module. Replace all such instances with
correct header includes. See Jira task for more discussion.
Fixes: QTBUG-88831
Change-Id: I981cfae18a1cabcabcabee376016b086d9d01f44
Pick-to: 6.0
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
And also, reduce the utter sloppiness, weirdness of the test and
make it more a test and not a joke. Since the test itself depends
on !QT_NO_SSL, why bother building and running its main, to create
a useless tst_QSslError and do nothing then? Exclude test from
no-ssl build.
Pick-to: 5.15
Pick-to: 6.0
Change-Id: I67879b0de036cbc8c2f75a18f4cf94e6c43c5af0
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
QSslCertificate::verify() has an undocumented and not very desirable property -
on some platorms it updates the default configuration, which can be surprising.
For example, we deprecated QSslSocket::setDefaultCaCertificates() and recommend
using QSslConfiguration::defaultConfiguration(), QSslConfiguration::setDefaultConfiguration(),
and QSslConfiguration::setCaCertificates(). If an application does this to select
CA roots it trusts explicitly, and then for some reason is calling verify, the
application can have its QSslSockets successfully connecting to a host, whose
root was not trusted by the application. Also, on Windows, defaultCaCertificates()
include system roots already, no need to have them twice.
[ChangeLog][QtCore][QtNetwork] QSslSocket::verify - do not change the default configuration
Pick-to: 5.15
Pick-to: 6.0
Pick-to: 6.0.0
Fixes: QTBUG-88639
Change-Id: I1cd40b259d0a6dcd15c78d1e7c027ff10859595c
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
And extend an auto-test for this. When a cookie verification mechanism is
enabled, and verifier, indeed, verifies that some datagram is a 'Client Hello'
message with a proper cookie attached, we start a real DTLS handshake creating a
QDtls object and calling 'doHandshake'. In case cookie verification
was enabled, we need parameters from the verifier (it's a crypto-strong
'number' and hash algorithm) to 'lock and load' the TLS state machine in
a freshly created TLS session object. This code path previously was only
tested manually and was found by LCOV as untested.
Pick-to: 5.15
Pick-to: 6.0
Change-Id: Ieacb8c989997999ea10e15bda6ae106a0338b698
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
And do not run the test with QSslSocket::supportsSsl() returns false -
this may mean unresolved symbols and thus missing functionality,
like i2d_X509 etc. This also makes cases more like other, that already
had those checks.
Fixes: QTBUG-87386
Change-Id: If4e9a650ca325b6f70956f532891a4c1d50465c0
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Some code-paths were never executed by auto-test, thus giving us LCOV's
diagnostic. Extend existing tests and add new ones.
Pick-to: 5.15
Change-Id: I648747547f0525a482216b1e1972fcc698c73f65
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
By extending (a bit) an auto-test to cover paths found by LCOV. All of them
is just to trigger the code that checks input parameters.
Pick-to: 5.15
Pick-to: 6.0
Change-Id: I62f9a9045038ff8d123fd1396f4bfd85e75c6d8f
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
By adding auto-tests that were missing/not triggering the paths found
by LCOV.
Pick-to: 5.15
Pick-to: 6.0
Change-Id: I472f59e8e7292786c80d7c8dcebde53a2982e1ec
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
By simply extending the basic test to trigger qHash, isEqual and
a bunch of getters.
Pick-to: 6.0
Pick-to: 5.15
Change-Id: Ib1d88fc6d2ad623743cea77ac286ae6ac819dfd1
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
tst_qsslcipher was quite useless - now we test that default constructed
QSslCipher reports expected values. Test the non-default from the
different auto-test, where we are sure we have really useful
ciphersuites (with different parameters obtained from a TLS backend,
where it's possible).
Pick-to: 6.0
Pick-to: 5.15
Change-Id: Iff14a0580fed889cf9e0873bee01d968773626db
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
The recent change handling missing elliptic curves introduced a problem
for '-no-ssl' configuration/build. The first version had some protection,
but it was openssl-specific and required a private feature, thus was
removed. Now the real ifdef must be with QT_NO_SSL
Fixes: QTBUG-88238
Pick-to: 5.15
Change-Id: I6fba26d6ab63850e1468e76f8b234703255a026c
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
We want to re-enable Android tests in QTQAINFRA-3867. However,
many tests are failing already preventing that from happening.
QTBUG-87025 is currently keeping track (links) to all of those
failing tests.
The current proposal is to hide those failing tests, and enable
Android test running in COIN for other tests. After, that try
to fix them one by one, and at the same time we can make sure
no more failing tests go unnoticed.
Task-number: QTBUG-87025
Change-Id: Ic1fe9fdd167cbcfd99efce9a09c69c344a36bbe4
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Move it to the section requiring SSL tests since it
requires QSslConfiguration.
Change-Id: I5c807976ce75fa5967bddb8edd7788dbfbb89375
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Interesting, it only exploded now - initially we were too fast (faster than
500 ms) so never noticed. Now that more tests with the similar event loop
handling were introduced, the last one was catching a single-shot timer
signal, accessing long dead object).
Fixes: QTBUG-87612
Change-Id: I52446fa7b08ef90a4742af3662da7837a8602941
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
It's not possible to connect to microsoft.com with Schannel TLS 1.3 for
some reason (also tested with Internet Explorer), but other sites work
fine. Must be something they have to iron out for later.
In my experience this needs a preview release of Windows. One of my
machines is opted into the dev channel of Windows where they enabled TLS
1.3 by default, and it works well in my tests except for the part above.
On my other machine, after enabling TLS 1.3 through the registry, I fail
to complete the handshake with any site. So around March/April next year
is when this code would activate for most people.
MinGW apparently defines NTDDI_VERSION as the one for Windows Server
2003, so it currently doesn't build the new TLS 1.3 code. In Qt (as a
project) we could consider setting this higher, but that's out of scope
for this patch!
Fixes: QTBUG-81294
Change-Id: If329959c3a30ecbfbb8c0d335cc39ccb6d012890
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
This time based on grepping to also include documentation, tests and
examples previously missed by the automatic tool.
Change-Id: Ied1703f4bcc470fbc275f759ed5b7c588a5c4e9f
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Modify special case locations to use the new API as well.
Clean up some stale .prev files that are not needed anymore.
Clean up some project files that are not used anymore.
Task-number: QTBUG-86815
Change-Id: I9947da921f98686023c6bb053dfcc101851276b5
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Clean up the state of the projects,
before changing the internal CMake API function names.
Task-number: QTBUG-86815
Change-Id: I90f1b21b8ae4439a4a293872c3bb728dab44a50d
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
qt_add_test supports now QT_TEST_SERVER_LIST, which will add the test
servers as docker test fixtures.
The docker server will be started before the test is run, and stopped
after the test is run.
Running the tests in parallel is not supported.
Docker tests are currently only supported on Linux hosts.
Task-number: QTBUG-85034
Change-Id: If3cefe05c5dec19c14b05d2fa8b01a0b6d95e259
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Certain servers, like smtp.live.com, will send a request for a
certificate even though they don't require one. In Schannel this
manifests as a warning/info status (SEC_I_INCOMPLETE_CREDENTIALS).
In the cases where it's not needed we should suppress the warning and
try to connect anyway, which is done by calling
InitializeSecurityContext again when we get the status.
Pick-to: 5.15
Change-Id: I3c48140f2949d8557251a49a2b66946da9395736
Reviewed-by: Joshua GPBeta <studiocghibli@gmail.com>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
CentOS it seems not only backported some OpenSSL 3 functions,
but also raised the default security level to 2, making some of
our keys (and MDs?) 'too weak' and failing auto-tests here and
there as a result. For our auto-test we lower the level to 1,
as it is expected to be.
Fixes: QTBUG-86336
Pick-to: 5.15
Change-Id: I7062a1b292e8b60eb9c2b2e82bd002f09f9da603
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Remove around 1000 compiler warnings about missing overrides
in our auto tests.
This significantly reduce the compiler warning noise in our auto
tests, so that one can actually better see the real problems
inbetween.
Change-Id: Id0c04dba43fcaf55d8cd2b5c6697358857c31bf9
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
It's not guaranteed that all curves we want to use are supported
by a specific build of OpenSSL library we have to link with. Filter
out files that contain EC, which is not among the curves, reported
by QSslConfiguration::supportedEllipticCurves.
Fixes: QTBUG-46203
Pick-to: 5.15
Change-Id: I70d7e6fcacb3d81f8c771e4a8d6cca06295e7474
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
And put a note about it in the documentation
Change-Id: I29126e4a80f83c256190e03b8fe01f3c869fd46d
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
At the moment it just exposes QTBUG-84676, that is, OpenSSL
and non-OpenSSL backend act differently. Went a bit overkill
in making it data-driven, so if someone wants to add more
samples it should be easier to do so.
Change-Id: I96538c9563d12d69c217415ba85e244dda5e0cd0
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Use pro2cmake with '--api-version 2' to force regenerate
projects to use the new prefixed qt_foo APIs.
Change-Id: I055c4837860319e93aaa6b09d646dda4fc2a4069
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
We had such an overloaded version in QSslSocket, it was deprecated without
providing any alternative. Now this function has some use and may be
introduced in Qt6, as QSslConfiguration::setCiphers(const QString &).
Last but not the least - a useless and strange auto-test was removed
(it was creating a list of 5 QSslCiphers each with isNull() == true).
That's becasue '!MD5' or 'ALL' (for example) is not a cipher to be found
in supportedCiphers.
Change-Id: I47eb4c0faa9b52885e883751dd992cd9cb3d26fe
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Not to pollute the global namespace with rather generic names
(especially in case QT_NAMESPACE is none); also drop the
(now)redundant 'Q' prefix in the names.
Change-Id: I57ea7e3996cced705f7ddbdbc1e0231191b31c43
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
They were deprecated with replacements in QSslConfiguration proposed (and
some without alternative, which we'll provide if there is any demand
in such an API). Special thanks to M.N. for a nice hint on how to
amend the test without introducing a new API.
Change-Id: I7841a5b3f30469d8204b61cb65921c34275e0650
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
In Qt 5 we have to work with the esisting API (QSslCertificate::verify),
taking only the peer's chain and the name. We already have a private
API to have a CA's list as an additional parameter, the proper fix
in Qt6 will also introduce a public complement for this.
Pick-to: 5.15
Change-Id: Ib1f75c3056b135c6e6d42f977b5a7034fca658ee
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Whoever wrote this test, was a PROPER hacker: trying to force a TLS implementation
not to properly compress some data, they generated a sequence of bytes in a very fancy manner,
something like 255 0 0 0 255 0 0 0 123 0 0 0 255 0 0 0 - yeah, it's really a random sequence
of bytes, surely, it's impossible to compress! Meh.
Pick-to: 5.15
Change-Id: Ia10ae18a40b5b8f006c45147b06fe5be6efcb129
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
We deprecated several setters on QSslSocket, no need to test
them then (and I'm removing them in Qt 6 anyway, so changing
the test is the phase 1).
Pick-to: 5.15
Change-Id: I5807abfb280cbacd4fcc19468793f9d1f3b2ff20
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
