author | Frederik Gladhorn <frederik.gladhorn@digia.com> | 2014-05-13 22:18:43 +0200 |
---|---|---|
committer | Frederik Gladhorn <frederik.gladhorn@digia.com> | 2014-05-13 22:19:10 +0200 |
commit | 3d4aeb791990f359e277efbfb0a1f1793945b55d (patch) | |
tree | e877b7b4ad76d554aa3dbe6131d03b98a7447c63 /src/network | |
parent | b861c43395b17d5df34f24853faa21b9824a53af (diff) | |
parent | c8de2a8b5f5d0b9b3bc1d8ed8d3027ac40b00ee3 (diff) |
Merge remote-tracking branch 'origin/stable' into dev
Conflicts:
src/gui/kernel/qguiapplication.cpp
Change-Id: Ibe75603dc8a51769db6550ea3f07bc8d19b0be85
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/access/qspdyprotocolhandler.cpp | 6 | ||||
-rw-r--r-- | src/network/ssl/qsslcontext.cpp | 23 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 24 |
3 files changed, 27 insertions, 26 deletions
diff --git a/src/network/access/qspdyprotocolhandler.cpp b/src/network/access/qspdyprotocolhandler.cpp
index d204d498bf..ab703981ee 100644
--- a/src/network/access/qspdyprotocolhandler.cpp
+++ b/src/network/access/qspdyprotocolhandler.cpp
@@ -580,7 +580,7 @@ void QSpdyProtocolHandler::sendControlFrame(FrameType type,
 {
 // frame type and stream ID
 char header[8];
- header[0] = 0x80; // leftmost bit == 1 -> is a control frame
+ header[0] = 0x80u; // leftmost bit == 1 -> is a control frame
 header[1] = 0x03; // 3 bit == version 3
 header[2] = 0;
 switch (type) {
@@ -653,10 +653,10 @@ void QSpdyProtocolHandler::sendSYN_STREAM(HttpMessagePair messagePair,
 prioAndSlot[0] = 0x00; // == prio 0 (highest)
 break;
 case QHttpNetworkRequest::NormalPriority:
- prioAndSlot[0] = 0x80; // == prio 4
+ prioAndSlot[0] = 0x80u; // == prio 4
 break;
 case QHttpNetworkRequest::LowPriority:
- prioAndSlot[0] = 0xe0; // == prio 7 (lowest)
+ prioAndSlot[0] = 0xe0u; // == prio 7 (lowest)
 break;
 }
 prioAndSlot[1] = 0x00; // slot in client certificates (not supported currently)
diff --git a/src/network/ssl/qsslcontext.cpp b/src/network/ssl/qsslcontext.cpp
index 9c68218062..f5e5352d5e 100644
--- a/src/network/ssl/qsslcontext.cpp
+++ b/src/network/ssl/qsslcontext.cpp
@@ -214,22 +214,23 @@ init_context: } // Add all our CAs to this store. - QList<QSslCertificate> expiredCerts; foreach (const QSslCertificate &caCertificate, sslContext->sslConfiguration.caCertificates()) { - // add expired certs later, so that the - // valid ones are used before the expired ones - if (caCertificate.expiryDate() < QDateTime::currentDateTime()) { - expiredCerts.append(caCertificate); - } else { + // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: + // + // If several CA certificates matching the name, key identifier, and + // serial number condition are available, only the first one will be + // examined. This may lead to unexpected results if the same CA + // certificate is available with different expiration dates. If a + // ``certificate expired'' verification error occurs, no other + // certificate will be searched. Make sure to not have expired + // certificates mixed with valid ones. + // + // See also: QSslSocketBackendPrivate::verify() + if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) { q_X509_STORE_add_cert(sslContext->ctx->cert_store, (X509 *)caCertificate.handle()); } } - // now add the expired certs - foreach (const QSslCertificate &caCertificate, expiredCerts) { - q_X509_STORE_add_cert(sslContext->ctx->cert_store, reinterpret_cast<X509 *>(caCertificate.handle())); - } - if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { // tell OpenSSL the directories where to look up the root certs on demand QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index b0d1ed2c4f..173d8eaa89 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp 
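Review bot: Expired CA certificates are now left out of the store silently in the qsslcontext.cpp hunk, at `if (caCertificate.expiryDate() >= QDateTime::currentDateTime())`, and nothing records that a configured CA was skipped. A chain anchored only by an expired root will presumably stop failing with a certificate-expired error and fail as a missing or unknown issuer instead, which is harder to trace back to the CA list. I would state that in the comment, e.g. `// An expired CA is skipped, so a chain that depends on it fails with an issuer-not-found error instead of "certificate expired".`, and consider a debug message in an `else` branch. The same applies to the matching filter in QSslSocketBackendPrivate::verify() in qsslsocket_openssl.cpp. The enclosing function starts and ends outside the hunk.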
@@ -1633,23 +1633,23 @@ QList<QSslError> QSslSocketBackendPrivate::verify(QList<QSslCertificate> certifi setDefaultCaCertificates(defaultCaCertificates() + systemCaCertificates()); } - QList<QSslCertificate> expiredCerts; - foreach (const QSslCertificate &caCertificate, QSslSocket::defaultCaCertificates()) { - // add expired certs later, so that the - // valid ones are used before the expired ones - if (caCertificate.expiryDate() < QDateTime::currentDateTime()) { - expiredCerts.append(caCertificate); - } else { + // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: + // + // If several CA certificates matching the name, key identifier, and + // serial number condition are available, only the first one will be + // examined. This may lead to unexpected results if the same CA + // certificate is available with different expiration dates. If a + // ``certificate expired'' verification error occurs, no other + // certificate will be searched. Make sure to not have expired + // certificates mixed with valid ones. + // + // See also: QSslContext::fromConfiguration() + if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) { q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle())); } } - // now add the expired certs - foreach (const QSslCertificate &caCertificate, expiredCerts) { - q_X509_STORE_add_cert(certStore, reinterpret_cast<X509 *>(caCertificate.handle())); - } - QMutexLocker sslErrorListMutexLocker(&_q_sslErrorList()->mutex); // Register a custom callback to get all verification errors. |
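Review bot: The expiry filter and its explanatory comment are duplicated here from the qsslcontext.cpp hunk, linked only by the two `See also:` lines, so the two copies can drift apart. A small shared helper that adds only unexpired certificates to an X509_STORE would keep the rule in one place. `QDateTime::currentDateTime()` is also evaluated once per certificate in both loops; reading it once before the loop, `const QDateTime now = QDateTime::currentDateTime();`, and testing `caCertificate.expiryDate() >= now` gives every certificate the same reference time. verify() starts and ends outside the hunk.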