Commit Graph

215 Commits (ae7bbe34005d704f0c1fd3ca0335095c1df48cde)

Author SHA1 Message Date
Daniel Molkentin ae7bbe3400 Provide new API: QSslCertificate::isSelfSigned()
Change-Id: I382a017a0b865b849667301aff8b2f87b676ecc6
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-04-30 01:30:08 +02:00
Frederik Gladhorn 98d3e40fb7 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	mkspecs/qnx-armv7le-qcc/qplatformdefs.h
	src/printsupport/kernel/qcups.cpp
	src/widgets/styles/qstyle.h
	tests/auto/widgets/itemviews/qlistwidget/tst_qlistwidget.cpp

Change-Id: Ia41e13051169a6d4a8a1267548e7d47b859bb267
2014-04-11 14:36:55 +02:00
Richard J. Moore 814a1c7b2b Support for DH and ECDH key exchange for QSslSocket servers
Despite supporting DH and ECDH key exchange as a client, Qt did not provide
any default parameters which prevented them being used as a server. A
future change should allow the user to control the parameters used, but
these defaults should be okay for most users.

[ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange
cipher suites when acting as an SSL server has been made possible. This
change means the you can now implement servers that offer forward-secrecy
using Qt.

Task-number: QTBUG-20666
Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-04-09 20:53:06 +02:00
Richard J. Moore f41418aeb2 Ensure we initialize things before checking the openssl version.
Task-number: QTBUG-37783
Change-Id: Ie276e597062d8bfc74ef57251ed21a94020e030f
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@digia.com>
2014-04-08 10:40:50 +02:00
Frederik Gladhorn 3b5c0bc078 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/gui/image/qjpeghandler.cpp

Change-Id: I9db3acea7d5c82f5da679c8eaeb29431136665f0
2014-03-24 16:10:15 +01:00
Friedemann Kleint baa3d329ac Fix crash if SSL_get0_next_proto_negotiated() cannot be resolved.
Crash occurs after warnings like:

QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated

Task-number: QTBUG-37515
Task-number: QTBUG-33208

Change-Id: I18b803e4709b9d5f6b33717c2ac43179676351a4
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-03-20 13:15:14 +01:00
Sergio Ahumada 27016b89ae Merge remote-tracking branch 'origin/stable' into dev
Change-Id: Idec54e19963e8d88c711cb179cffc81596323899
2014-03-13 15:57:11 +01:00
Kurt Pattyn 1f4cda9a70 Replace Note: with \note in documentation
Change-Id: I213ac1fb2733e675f3641441fe6c621bab06c1f0
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2014-03-13 13:25:58 +01:00
Richard J. Moore 3683bc97d2 Add accessors for the build-time version of openssl.
Many bugs originate due to mismatches between the build-time and
run-time versions of openssl but they're hard to debug as we don't
provide access to the build-time info. This addresses that weakness.

[ChangeLog][QtNetwork][QSslSocket] Added accessors for the version
of openssl used at build-time. This will help when debugging
problems caused by a mismatch with the run-time version.

Change-Id: I6a4c21c8f16ab4c90cdf166f38c62fe37bf1f165
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-03-10 22:18:35 +01:00
Richard J. Moore 233a2f37bf Add support for finding the version of SSL/TLS in use.
Previously we allowed you to specify which version(s) you wanted to use,
but did not provide access to the version that was actually negotiated.

[ChangeLog][QtNetwork][QSslSocket] Add support for finding the version
of SSL/TLS in use by a connection.

Task-number: QTBUG-28471
Change-Id: I6d50d2bc9f1ce7f98192e67992178fe7e41c0575
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-03-10 22:18:23 +01:00
Sergio Ahumada 7e872de76e Fix some typos
Change-Id: I7dbe938bff5ac3ab50a0197f94bdb2f6c22fbd16
Reviewed-by: Kevin Krammer <kevin.krammer@kdab.com>
Reviewed-by: Mitch Curtis <mitch.curtis@digia.com>
2014-03-03 18:24:29 +01:00
Marc Mutz d9ce5c35df QSslCipher: make QString constructor explicit
A QSslCipher is not an equivalent representation of a QString, so
the constructor that takes a QString should be explicit.

Change-Id: I4c1329d1eebf91b212616eb5200450c0861d900f
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
2014-02-21 20:33:10 +01:00
Frederik Gladhorn a9c88c1f39 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/gui/image/qimage.cpp
	src/gui/text/qtextengine.cpp
	src/plugins/platforms/linuxfb/qlinuxfbscreen.cpp
	src/printsupport/kernel/qprintengine_win.cpp

Change-Id: I09ce991a57f39bc7b1ad6978d0e0d858df0cd444
2014-02-12 16:28:07 +01:00
Richard J. Moore fd00bfc788 Correct the documentation of the return types of subjectInfo and issuerInfo.
These functions now return a QStringList to reflect the possibility of
there being more than one entry of a given type, but the documentation
did not reflect this.

Task-Number: QTBUG-36304
Change-Id: Iba2eda5e2c3174c8dcea640b5aed9cdc9a432392
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-02-12 01:41:34 +01:00
Peter Hartmann 42cfb5fe4d SSL: add support for the Next Protocol Negotiation extension
... which is needed to negotiate the SPDY protocol.

[ChangeLog][QtNetwork][QSslConfiguration] Added support for the Next
Protocol Negotiation (NPN) TLS extension.

Task-number: QTBUG-33208

Change-Id: I3c945f9b7e2d2ffb0814bfdd3e87de1dae6c20ef
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
2014-02-11 15:37:10 +01:00
Richard J. Moore 30d199a76c Fix the QSslSocket::setCiphers(const QString &) overload.
The overload used an evil hack to work around a flaw in the QSslCipher
API rather than fixing the API. The hack was broken by the addition of
support for newer versions of TLS. This change solves the issue properly
by fixing the QSslCipher API then using the fixed version.

Task-Number: QTBUG-34688
Change-Id: Ibf677c374f837f705395741e730d40d8f912d7c6
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2014-02-02 12:18:23 +01:00
Frederik Gladhorn 46791c08e1 Merge "Merge remote-tracking branch 'origin/stable' into dev" into refs/staging/dev 2014-01-21 17:57:54 +01:00
Richard J. Moore 5c19fad8c1 Ensure weak ciphers are not part of the default SSL configuration.
Any cipher that is < 128 bits is excluded from the default SSL
configuration. These ciphers are still included in the list
of availableCiphers() and can be used by applications if required.
Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers())
will restore the old behavior.

Note that in doing so I spotted that calling defaultCiphers() before
doing other actions with SSL had an existing bug that I've addressed
as part of the change.

[ChangeLog][Important Behavior Changes] The default set of
ciphers used by QSslSocket has been changed to exclude ciphers that are
using key lengths smaller than 128 bits. These ciphers are still available
and can be enabled by applications if required.

Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-21 03:41:34 +01:00
Frederik Gladhorn 9033977d39 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/corelib/global/qglobal.h
	src/corelib/tools/qstring.cpp
	src/gui/image/image.pri
	src/gui/image/qimage.cpp
	src/plugins/platforms/cocoa/qcocoawindow.h
	src/plugins/platforms/cocoa/qcocoawindow.mm
	src/plugins/platforms/eglfs/qeglfshooks_stub.cpp
	tests/auto/corelib/io/qstandardpaths/tst_qstandardpaths.cpp

Change-Id: I3b9ba029c8f2263b011f204fdf68c3231c6d4ce5
2014-01-20 18:18:59 +01:00
Richard J. Moore 7c8131763d Prevent spurious SSL errors from local certificates.
Qt since approximately 4.4 has set the verify callback on both the SSL
store and the SSL context. Only the latter is actually needed. This is
normally not a problem, but openssl prior to 1.0.2 uses the verify
code to find the intermediate certificates for any local certificate
that has been set which can lead to verification errors for the local
certificate to be emitted.

Task-number: QTBUG-33228
Task-number: QTBUG-7200
Task-number: QTBUG-24234
Change-Id: Ie4115e7f7faa1267ea9b807c01b1ed6604c4a16c
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-16 21:57:06 +01:00
Oswald Buddenhagen 882bf3475c expand tabs and related whitespace fixes in *.{cpp,h,qdoc}
the diff -w for this commit is empty.

Started-by: Thiago Macieira <thiago.macieira@intel.com>
Change-Id: I77bb84e71c63ce75e0709e5b94bee18e3ce6ab9e
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2014-01-13 22:46:50 +01:00
Peter Hartmann 7eecbb0718 SSL: blacklist ANSSI intermediate certificate
... because it was used to operate a man-in-the-middle proxy.

Task-number: QTBUG-35474
Change-Id: Ic7f19708b278b866e4f06533cbd84e0ff43357e9
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-12-10 15:14:22 +01:00
Peter Hartmann becdfa6fab QSslConfiguration: rename [get]session() to [get]sessionTicket()
to reflect the fact that this returns and sets the whole session
ticket, and not just the session ID.

Change-Id: I00fe2bc4197dbcd7a02b3ae4f2f84e3a2a7edad0
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-11-08 18:58:27 +01:00
Oswald Buddenhagen 43684a20d0 use private linkage where possible
Change-Id: Ie8eaa71bee87654c21218a23efd7e9d65b71f022
Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-10-31 19:49:32 +01:00
Oswald Buddenhagen e469e667e3 use the right scope
"windows" only worked more or less by accident (it's the opposite of
"console" and just happens to be the default on windows).

Change-Id: Ib60c8ae5aea04f28207c05cc0005183dd6eb6244
Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-10-31 19:49:19 +01:00
Jerome Pasion 4533cc9944 Doc: Adding mark-up to boolean default values.
Default values should have mark-up to denote that they are code.
This commit changes:
-"property is true" to "property is \c true".
-"Returns true" to "Returns \c true".
-"property is false" to "property is \c false".
-"returns true" to "returns \c true".
-"returns false" to "returns \c false".

src/3rdparty and non-documentation instances were ignored.

Task-number: QTBUG-33360
Change-Id: Ie87eaa57af947caa1230602b61c5c46292a4cf4e
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Reviewed-by: Jerome Pasion <jerome.pasion@digia.com>
2013-10-08 00:46:27 +02:00
sfabry 1c1771effc Fix ssh root certificates path for Blackberry playbook OS.
This was removed by commit 4c8d8a72ec
But without it Playbook OS 2.1.0.1753 could not access ssh properly.

Change-Id: I18e136eaede2a5dffeb10b5fe31023b9aef709cb
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
2013-10-03 23:32:16 +02:00
Jędrzej Nowacki 0f3315a4dd Remove redundant code.
QPair is documented to initialize members

Change-Id: I1dccfd265521ca3ca1a648b161c0a163c72e2f2e
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-29 14:14:42 +02:00
Jędrzej Nowacki bb26e087bd Reduce QtNetwork lib size by 16111 bytes.
Warning message was repeated multiple times inside the library.

Change-Id: Idcd417dda22de189893db597acfc36c2aa99d078
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-27 18:31:23 +02:00
Jędrzej Nowacki 4aca7847be Fix open ssl forwarding macros.
This patch fixes them in many ways:
- use Q_UNLIKELY to mark an error case
- reduce QtNetwork library size by 40315 bytes
- fix DEFINEFUNC9 which had wrong logic, happily it was not used
anywhere

Change-Id: Ic46a569f85aa22a00ecd88158e60c52f4665ec4c
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-27 18:31:23 +02:00
Scott Deboy af61b7312e Resolve error caused by server-initiated TLS renegotiation
Updating the SSL_write code to correctly handle
SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ, which are not actual errors.

Change-Id: Icd7369b438ef402bf438c3fcc64514a1f9f45452
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-09-17 23:13:05 +02:00
Frederik Gladhorn 5c23199d4e Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	configure
	mkspecs/macx-xcode/Info.plist.app
	mkspecs/macx-xcode/Info.plist.lib
	qmake/doc/qmake.qdocconf
	src/corelib/global/qglobal.h
	tests/auto/other/exceptionsafety/exceptionsafety.pro
	tests/auto/widgets/widgets/qcombobox/tst_qcombobox.cpp

Change-Id: I3c769a4a82dc2e99a12c69123fbf17613fd2ac2a
2013-08-14 09:06:31 +02:00
Liang Qi c207724c9b OSX: Make QSslSocket compile on 10.9
CSSM_DATA_PTR was deprecated in 10.7. Replace SecCertificateGetData
with SecCertificateCopyData.

Task-number: QTBUG-32715
Change-Id: I762687370689b5b5c032567240667631b1ffde98
Reviewed-by: Jake Petroules <jake.petroules@petroules.com>
Reviewed-by: Gabriel de Dietrich <gabriel.dedietrich@digia.com>
2013-08-06 08:10:27 +02:00
Paul Olav Tvete 591584d9a9 Android: Get SSL root certificates from TrustManager
On Android, when not using Ministro, we cannot read certificates
from the file system, so we have to get them through Java APIs instead.

Change-Id: I415329fcb45836735c1112dbe832214b3c73dc9a
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
2013-07-29 15:38:51 +02:00
Peter Hartmann 69b31f7b65 QNX: adapt SSL lib file name lookup heuristics
I.e. do not try to load file names that are not there anyhow. The
code would search for libcrypto.so.1.0.0 and libssl.so.1.0.0, while
on QNX the libs are called libcrypto.so and libssl.so, and there
are no symlinks with version numbers.

This saves ~ 45 ms in real apps (tested with Facebook, Twitter and
Foursquare), and ~ 24 ms at app startup in an isolated app without
GUI (difference maybe because threads are fighting for CPU or so).

Task-number: QTBUG-32548
Change-Id: I25869538bbfa3c2848541415e8361e0bd7a8fd50
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-07-26 17:14:44 +02:00
Peter Hartmann 28ff65f4dc QNX: hardcode on-demand SSL root cert loading
The c_rehash'ed symlinks are always there on QNX, so no need to check
at every app start for the feature. This saves ~ 17ms at each app
start.

Task-number: QTBUG-32549
Change-Id: Ia9df60aba9d1bd70868b7004b847867a2128f600
Reviewed-by: Andreas Holzammer <andreas.holzammer@kdab.com>
Reviewed-by: Rafael Roquetto <rafael.roquetto@kdab.com>
2013-07-26 09:52:29 +02:00
Frederik Gladhorn 084c5b3db7 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	tests/auto/dbus/qdbusabstractinterface/tst_qdbusabstractinterface.cpp

Change-Id: I18a9d83fc14f4a9afdb1e40523ec51e3fa1d7754
2013-07-23 11:18:11 +02:00
Eskil Abrahamsen Blomfeldt 61fbdc00fb Fix compilation of run-time-resolved SSL on Android
We need the same code for both the no-sdk and the sdk case for
the OpenSSL code, since this is not covered by a system library,
but by an external dependency in both cases.

Task-number: QTBUG-32130
Change-Id: I976835556fcb0e6c32cfb3da4dd585e45490061b
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-07-19 12:32:14 +02:00
Frederik Gladhorn 80604a0786 Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/corelib/global/qglobal.h
	src/plugins/platforms/cocoa/qnsview.mm

Change-Id: I6fe345df5c417cb7a55a3f91285d9b47a22c04fa
2013-06-04 19:34:36 +02:00
aavit a3a43abc04 Fixes: QtNetwork compilation for OpenSSL < 1.0.0
Incorporate some more of the API changes between OpenSSL versions
0.9.8 and 1.0.0.

Task-number: QTBUG-31140

Change-Id: Ie719b34e3ec8751f0fbc07d315e82816c110762c
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
2013-05-23 22:00:46 +02:00
Frederik Gladhorn d3a8bc803c Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
	src/corelib/io/qdatastream.cpp
	src/corelib/io/qdatastream.h
	src/corelib/json/qjsonwriter.cpp
	src/plugins/platforms/cocoa/qcocoawindow.mm
	src/plugins/platforms/xcb/qxcbkeyboard.cpp

Change-Id: I46fef1455f5a9f2ce1ec394a3c65881093c51b62
2013-05-23 21:27:07 +02:00
Matt Fischer d37dc75116 Improve support for <MODULE>_PATH options
Several modules, including DBus, MySQL, and OpenSSL have
configure options of the form <MODULE>_PATH, which is used
on Windows (where pkg-config is not present) to specify the
locations of third-party libraries.  These switches had been
implemented by adding extra variables which were referenced
in .pro files, to add the appropriate compiler and linker
switches.  This is undesirable because it means there are
two independent paths for adding the switches to the build,
which can get out of sync with each other, and indeed this
had happened for some of the DBus tools.

To remedy the situation, all three of the switches were
reworked so that they added values directly to the principal
variables that are used in the project files.  This reduces
maintenance, by ensuring that the pkg-config and non-pkg-config
paths appear the same to the rest of the build system.

Change-Id: Iae342f1d14b79fbcfef9fe38aadc803ad3141799
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
2013-05-10 19:39:53 +02:00
Peter Hartmann 3be197881f QSslConfiguration: add API to persist and resume SSL sessions
Session tickets can be cached on the client side for hours (e.g.
graph.facebook.com: ~ 24 hours, api.twitter.com: 4 hours), because the
server does not need to maintain state.
We need public API for it so an application can cache the session (e.g.
to disk) and resume a session already with the 1st handshake, saving
one network round trip.

Task-number: QTBUG-20668
Change-Id: I10255932dcd528ee1231538cb72b52b97f9f4a3c
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-05-10 09:15:55 +02:00
Jake Petroules f7eea69a2a Utilize the new Q_OS_MACX define.
All occurrences of `#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)` have
been replaced with `#if defined(Q_OS_MACX)`.

Change-Id: I5055d9bd1845136beb8ed1c79a8f0f2c0897751a
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2013-05-09 12:17:59 +02:00
Frederik Gladhorn 85e3c53e5c Merge remote-tracking branch 'origin/stable' into dev
Change-Id: I2a54058b64ac69c78b4120fdaf09b96e025a4c6c
2013-04-29 14:17:09 +02:00
Peter Hartmann e145b67fbd SSL internals: do not write after shutting down the socket
... but rather throw an error, so the HTTP layer can recover from a SSL
shutdown gracefully. In case the other side sent us a shutdown, we should
not send one as well, as it results in an error.

Change-Id: Ie7a56cf3008b6ead912aade18dbec67846e2a87e
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-04-23 23:22:43 +02:00
Frederik Gladhorn 4c231d5df3 Merge remote-tracking branch 'origin/stable' into dev
Change-Id: I059725e3b7d7ffd5a16a0931e6c17200917172b5
2013-04-22 16:35:43 +02:00
Peter Hartmann 7df16fb4cc SSL namespace: Add enum to disable SSL session sharing
There is already an enum to disable SSL session tickets, which has been
used to disable session sharing for now. However, SSL session sharing
is not the same as SSL session tickets: Session sharing is built into
the SSL protocol, while session tickets is a TLS extension (RFC 5077).

Change-Id: If76b99c94b346cfb00e47366e66098f6334fd9bc
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-04-22 10:58:14 +02:00
Peter Hartmann 835e720c7e SSL internals: fix memory corruption using QSslConfigurationPrivate
We are passing a QSslConfigurationPrivate that is allocated on the stack
(in QSslSocketBackendPrivate::initSslContext()) to
QSslConfiguration::QSslConfiguration(QSslConfigurationPrivate *dd).
When the SSL context is destroyed, this object is not there any more.
So now we create a deep copy of the configuration like we do in
QSslSocket::sslConfiguration().

Task-number: QTBUG-30648
Change-Id: Iaefaa9c00fd6bfb707eba5ac59e9508bf951f8a5
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-04-18 22:02:18 +02:00
Peter Hartmann 1f180e9690 SSL code: store SSL parameters for debugging, guarded by define
... so SSL traffic can be decrypted with e.g. tcpdump / Wireshark.
For this to work, the define needs to be uncommented and QtNetwork
recompiled. This will create a file in /tmp/qt-ssl-keys which can
be fed into Wireshark.
A recent version of Wireshark is needed for this to work.

Change-Id: I4e41fd2e6122260cd96d443b1360edc71b08b5fd
Reviewed-by: Richard J. Moore <rich@kde.org>
2013-03-22 19:52:26 +01:00