diff options
-rw-r--r-- | src/network/CMakeLists.txt | 71 | ||||
-rw-r--r-- | src/network/configure.cmake | 9 | ||||
-rw-r--r-- | src/network/configure.json | 8 | ||||
-rw-r--r-- | src/network/ssl/qopenssl.cpp | 71 | ||||
-rw-r--r-- | src/network/ssl/qsslkey_p.cpp | 4 | ||||
-rw-r--r-- | src/network/ssl/qsslkey_p.h | 4 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket.cpp | 2 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_p.h | 5 | ||||
-rw-r--r-- | src/network/ssl/qtlsbackend.cpp | 47 | ||||
-rw-r--r-- | src/network/ssl/qtlsbackend_p.h | 6 | ||||
-rw-r--r-- | src/plugins/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/plugins/tls/CMakeLists.txt | 13 | ||||
-rw-r--r-- | src/plugins/tls/certonly/CMakeLists.txt | 16 | ||||
-rw-r--r-- | src/plugins/tls/certonly/qtlsbackend_cert.cpp (renamed from src/network/ssl/qtlsbackend_cert.cpp) | 8 | ||||
-rw-r--r-- | src/plugins/tls/certonly/qtlsbackend_cert_p.h (renamed from src/network/ssl/qtlsbackend_cert_p.h) | 12 | ||||
-rw-r--r-- | src/plugins/tls/openssl/CMakeLists.txt | 51 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qdtls_openssl.cpp (renamed from src/network/ssl/qdtls_openssl.cpp) | 43 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qdtls_openssl_p.h (renamed from src/network/ssl/qdtls_openssl_p.h) | 19 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qopenssl_p.h (renamed from src/network/ssl/qopenssl_p.h) | 5 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslcontext_openssl.cpp (renamed from src/network/ssl/qsslcontext_openssl.cpp) | 41 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslcontext_openssl_p.h (renamed from src/network/ssl/qsslcontext_openssl_p.h) | 2 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qssldiffiehellmanparameters_openssl.cpp (renamed from src/network/ssl/qssldiffiehellmanparameters_openssl.cpp) | 3 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_android.cpp (renamed from src/network/ssl/qsslsocket_openssl_android.cpp) | 1 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp (renamed from src/network/ssl/qsslsocket_openssl_symbols.cpp) | 31 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h (renamed from src/network/ssl/qsslsocket_openssl_symbols_p.h) | 76 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtls_openssl.cpp (renamed from src/network/ssl/qtls_openssl.cpp) | 98 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtls_openssl_p.h (renamed from src/network/ssl/qtls_openssl_p.h) | 7 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtlsbackend_openssl.cpp (renamed from src/network/ssl/qtlsbackend_openssl.cpp) | 29 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtlsbackend_openssl_p.h (renamed from src/network/ssl/qtlsbackend_openssl_p.h) | 15 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtlskey_openssl.cpp (renamed from src/network/ssl/qtlskey_openssl.cpp) | 8 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtlskey_openssl_p.h (renamed from src/network/ssl/qtlskey_openssl_p.h) | 9 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qwindowscarootfetcher.cpp (renamed from src/network/ssl/qwindowscarootfetcher.cpp) | 19 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qwindowscarootfetcher_p.h (renamed from src/network/ssl/qwindowscarootfetcher_p.h) | 8 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qx509_openssl.cpp (renamed from src/network/ssl/qx509_openssl.cpp) | 34 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qx509_openssl_p.h (renamed from src/network/ssl/qx509_openssl_p.h) | 17 | ||||
-rw-r--r-- | src/plugins/tls/schannel/CMakeLists.txt | 30 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qtls_schannel.cpp (renamed from src/network/ssl/qtls_schannel.cpp) | 154 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qtls_schannel_p.h (renamed from src/network/ssl/qtls_schannel_p.h) | 5 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qtlsbackend_schannel_p.h (renamed from src/network/ssl/qtlsbackend_schannel_p.h) | 6 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qtlskey_schannel.cpp (renamed from src/network/ssl/qtlskey_schannel.cpp) | 16 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qtlskey_schannel_p.h (renamed from src/network/ssl/qtlskey_schannel_p.h) | 4 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qx509_schannel.cpp (renamed from src/network/ssl/qx509_schannel.cpp) | 3 | ||||
-rw-r--r-- | src/plugins/tls/schannel/qx509_schannel_p.h (renamed from src/network/ssl/qx509_schannel_p.h) | 8 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/CMakeLists.txt | 33 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtls_st.cpp (renamed from src/network/ssl/qtls_st.cpp) | 83 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtls_st_p.h (renamed from src/network/ssl/qtls_st_p.h) | 4 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlsbackend_st.cpp (renamed from src/network/ssl/qtlsbackend_st.cpp) | 0 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlsbackend_st_p.h (renamed from src/network/ssl/qtlsbackend_st_p.h) | 8 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlskey_st.cpp (renamed from src/network/ssl/qtlskey_st.cpp) | 5 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlskey_st_p.h (renamed from src/network/ssl/qtlskey_st_p.h) | 4 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qx509_st.cpp (renamed from src/network/ssl/qx509_st.cpp) | 0 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qx509_st_p.h (renamed from src/network/ssl/qx509_st_p.h) | 4 | ||||
-rw-r--r-- | src/plugins/tls/shared/qasn1element.cpp (renamed from src/network/ssl/qasn1element.cpp) | 0 | ||||
-rw-r--r-- | src/plugins/tls/shared/qasn1element_p.h (renamed from src/network/ssl/qasn1element_p.h) | 2 | ||||
-rw-r--r-- | src/plugins/tls/shared/qdtls_base.cpp (renamed from src/network/ssl/qdtls_base.cpp) | 0 | ||||
-rw-r--r-- | src/plugins/tls/shared/qdtls_base_p.h (renamed from src/network/ssl/qdtls_base_p.h) | 13 | ||||
-rw-r--r-- | src/plugins/tls/shared/qsslsocket_mac_shared.cpp (renamed from src/network/ssl/qsslsocket_mac_shared.cpp) | 16 | ||||
-rw-r--r-- | src/plugins/tls/shared/qsslsocket_qt.cpp (renamed from src/network/ssl/qsslsocket_qt.cpp) | 8 | ||||
-rw-r--r-- | src/plugins/tls/shared/qtlskey_base.cpp (renamed from src/network/ssl/qtlskey_base.cpp) | 0 | ||||
-rw-r--r-- | src/plugins/tls/shared/qtlskey_base_p.h (renamed from src/network/ssl/qtlskey_base_p.h) | 12 | ||||
-rw-r--r-- | src/plugins/tls/shared/qtlskey_generic.cpp (renamed from src/network/ssl/qtlskey_generic.cpp) | 3 | ||||
-rw-r--r-- | src/plugins/tls/shared/qtlskey_generic_p.h (renamed from src/network/ssl/qtlskey_generic_p.h) | 8 | ||||
-rw-r--r-- | src/plugins/tls/shared/qwincrypt_p.h (renamed from src/network/ssl/qwincrypt_p.h) | 0 | ||||
-rw-r--r-- | src/plugins/tls/shared/qx509_base.cpp (renamed from src/network/ssl/qx509_base.cpp) | 0 | ||||
-rw-r--r-- | src/plugins/tls/shared/qx509_base_p.h (renamed from src/network/ssl/qx509_base_p.h) | 6 | ||||
-rw-r--r-- | src/plugins/tls/shared/qx509_generic.cpp (renamed from src/network/ssl/qx509_generic.cpp) | 13 | ||||
-rw-r--r-- | src/plugins/tls/shared/qx509_generic_p.h (renamed from src/network/ssl/qx509_generic_p.h) | 8 | ||||
-rw-r--r-- | tests/auto/network/access/http2/tst_http2.cpp | 6 | ||||
-rw-r--r-- | tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp | 109 | ||||
-rw-r--r-- | tests/auto/network/ssl/CMakeLists.txt | 2 | ||||
-rw-r--r-- | tests/auto/network/ssl/qocsp/tst_qocsp.cpp | 20 | ||||
-rw-r--r-- | tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp | 31 | ||||
-rw-r--r-- | tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp | 74 | ||||
-rw-r--r-- | tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp | 246 |
74 files changed, 913 insertions, 824 deletions
diff --git a/src/network/CMakeLists.txt b/src/network/CMakeLists.txt index f3802e37e9..9cdfa729a7 100644 --- a/src/network/CMakeLists.txt +++ b/src/network/CMakeLists.txt @@ -5,7 +5,7 @@ ##################################################################### qt_internal_add_module(Network - PLUGIN_TYPES networkaccessbackends networkinformationbackends + PLUGIN_TYPES networkaccessbackends networkinformationbackends tls SOURCES access/qabstractnetworkcache.cpp access/qabstractnetworkcache.h access/qabstractnetworkcache_p.h access/qhsts.cpp access/qhsts_p.h @@ -41,15 +41,11 @@ qt_internal_add_module(Network socket/qtcpserver.cpp socket/qtcpserver.h socket/qtcpserver_p.h socket/qtcpsocket.cpp socket/qtcpsocket.h socket/qtcpsocket_p.h socket/qudpsocket.cpp socket/qudpsocket.h - ssl/qasn1element.cpp ssl/qasn1element_p.h ssl/qpassworddigestor.cpp ssl/qpassworddigestor.h ssl/qssl.cpp ssl/qssl.h ssl/qssl_p.h ssl/qsslcertificate.cpp ssl/qsslcertificate.h ssl/qsslcertificate_p.h ssl/qsslcertificateextension.cpp ssl/qsslcertificateextension.h ssl/qsslcertificateextension_p.h ssl/qtlsbackend.cpp ssl/qtlsbackend_p.h - ssl/qtlsbackend_cert.cpp ssl/qtlsbackend_cert_p.h - ssl/qx509_base.cpp ssl/qx509_base_p.h - ssl/qx509_generic.cpp ssl/qx509_generic_p.h DEFINES QT_NO_FOREACH QT_NO_USING_NAMESPACE @@ -324,59 +320,11 @@ qt_internal_extend_target(Network CONDITION QT_FEATURE_ssl ssl/qsslkey.h ssl/qsslkey_p.cpp ssl/qsslkey_p.h ssl/qsslpresharedkeyauthenticator.cpp ssl/qsslpresharedkeyauthenticator.h ssl/qsslpresharedkeyauthenticator_p.h ssl/qsslsocket.cpp ssl/qsslsocket.h ssl/qsslsocket_p.h - ssl/qtlskey_base.cpp ssl/qtlskey_base_p.h -) - -qt_internal_extend_target(Network CONDITION QT_FEATURE_schannel AND QT_FEATURE_ssl - SOURCES - ssl/qsslsocket_qt.cpp - ssl/qwincrypt_p.h - ssl/qtls_schannel.cpp ssl/qtls_schannel_p.h - ssl/qtlsbackend_schannel_p.h - ssl/qtlskey_generic.cpp ssl/qtlskey_generic_p.h - ssl/qtlskey_schannel.cpp ssl/qtlskey_schannel_p.h - ssl/qx509_schannel.cpp ssl/qx509_schannel_p.h - LIBRARIES - Crypt32 - Secur32 - bcrypt - ncrypt -) - -qt_internal_extend_target(Network CONDITION QT_FEATURE_securetransport AND QT_FEATURE_ssl - SOURCES - ssl/qtls_st.cpp ssl/qtls_st_p.h - ssl/qsslsocket_mac_shared.cpp - ssl/qsslsocket_qt.cpp - ssl/qtlskey_generic.cpp ssl/qtlskey_generic_p.h - ssl/qtlskey_st.cpp ssl/qtlskey_st_p.h - ssl/qtlsbackend_st.cpp ssl/qtlsbackend_st_p.h - ssl/qx509_st.cpp ssl/qx509_st_p.h ) qt_internal_extend_target(Network CONDITION QT_FEATURE_dtls AND QT_FEATURE_ssl SOURCES ssl/qdtls.cpp ssl/qdtls.h ssl/qdtls_p.h - ssl/qdtls_base.cpp ssl/qdtls_base_p.h -) - -qt_internal_extend_target(Network CONDITION QT_FEATURE_openssl AND QT_FEATURE_ssl - SOURCES - ssl/qsslcontext_openssl.cpp ssl/qsslcontext_openssl_p.h - ssl/qssldiffiehellmanparameters_openssl.cpp - ssl/qopenssl.cpp ssl/qopenssl_p.h - ssl/qsslsocket_openssl_symbols.cpp ssl/qsslsocket_openssl_symbols_p.h - ssl/qtls_openssl.cpp ssl/qtls_openssl_p.h - ssl/qtlskey_openssl.cpp ssl/qtlskey_openssl_p.h - ssl/qtlsbackend_openssl.cpp ssl/qtlsbackend_openssl_p.h - ssl/qx509_openssl.cpp ssl/qx509_openssl_p.h - DEFINES - OPENSSL_API_COMPAT=0x10100000L -) - -qt_internal_extend_target(Network CONDITION QT_FEATURE_dtls AND QT_FEATURE_openssl AND QT_FEATURE_ssl - SOURCES - ssl/qdtls_openssl.cpp ssl/qdtls_openssl_p.h ) qt_internal_extend_target(Network CONDITION QT_FEATURE_ocsp AND QT_FEATURE_openssl AND QT_FEATURE_ssl @@ -384,16 +332,6 @@ qt_internal_extend_target(Network CONDITION QT_FEATURE_ocsp AND QT_FEATURE_opens ssl/qocsp_p.h ) -qt_internal_extend_target(Network CONDITION APPLE AND QT_FEATURE_openssl AND QT_FEATURE_ssl - SOURCES - ssl/qsslsocket_mac_shared.cpp -) - -qt_internal_extend_target(Network CONDITION ANDROID AND QT_FEATURE_openssl AND QT_FEATURE_ssl AND NOT ANDROID_EMBEDDED - SOURCES - ssl/qsslsocket_openssl_android.cpp -) - qt_internal_extend_target(Network CONDITION QT_FEATURE_openssl AND QT_FEATURE_openssl_linked AND QT_FEATURE_ssl LIBRARIES WrapOpenSSL::WrapOpenSSL @@ -408,13 +346,6 @@ qt_internal_extend_target(Network CONDITION QT_FEATURE_openssl AND QT_FEATURE_ss WrapOpenSSLHeaders::WrapOpenSSLHeaders ) -qt_internal_extend_target(Network CONDITION QT_FEATURE_openssl AND QT_FEATURE_ssl AND WIN32 - SOURCES - ssl/qwindowscarootfetcher.cpp ssl/qwindowscarootfetcher_p.h - LIBRARIES - crypt32 -) - qt_internal_extend_target(Network CONDITION QT_FEATURE_dnslookup AND UNIX AND NOT ANDROID AND NOT INTEGRITY SOURCES kernel/qdnslookup_unix.cpp diff --git a/src/network/configure.cmake b/src/network/configure.cmake index f1885a6ff8..37f17ad4bd 100644 --- a/src/network/configure.cmake +++ b/src/network/configure.cmake @@ -263,27 +263,26 @@ qt_feature_definition("openssl" "QT_NO_OPENSSL" NEGATE) qt_feature_config("openssl" QMAKE_PUBLIC_QT_CONFIG) qt_feature("openssl-runtime" AUTODETECT NOT WASM - CONDITION NOT QT_FEATURE_securetransport AND NOT QT_FEATURE_schannel AND TEST_openssl_headers + CONDITION TEST_openssl_headers ENABLE INPUT_openssl STREQUAL 'yes' OR INPUT_openssl STREQUAL 'runtime' DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_openssl STREQUAL 'linked' OR INPUT_ssl STREQUAL 'no' ) qt_feature("openssl-linked" PRIVATE LABEL " Qt directly linked to OpenSSL" AUTODETECT OFF - CONDITION NOT QT_FEATURE_securetransport AND NOT QT_FEATURE_schannel AND TEST_openssl + CONDITION TEST_openssl ENABLE INPUT_openssl STREQUAL 'linked' ) qt_feature_definition("openssl-linked" "QT_LINKED_OPENSSL") qt_feature("securetransport" PUBLIC LABEL "SecureTransport" - CONDITION APPLE AND ( INPUT_openssl STREQUAL '' OR INPUT_openssl STREQUAL 'no' ) + CONDITION APPLE DISABLE INPUT_ssl STREQUAL 'no' ) qt_feature_definition("securetransport" "QT_SECURETRANSPORT") qt_feature("schannel" PUBLIC LABEL "Schannel" - AUTODETECT OFF - CONDITION WIN32 AND ( INPUT_openssl STREQUAL '' OR INPUT_openssl STREQUAL 'no' ) + CONDITION WIN32 DISABLE INPUT_ssl STREQUAL 'no' ) qt_feature_definition("schannel" "QT_SCHANNEL") diff --git a/src/network/configure.json b/src/network/configure.json index d1ee15d80b..01dd855a1c 100644 --- a/src/network/configure.json +++ b/src/network/configure.json @@ -284,13 +284,13 @@ "autoDetect": "!config.wasm", "enable": "input.openssl == 'yes' || input.openssl == 'runtime'", "disable": "input.openssl == 'no' || input.openssl == 'linked' || input.ssl == 'no'", - "condition": "!features.securetransport && !features.schannel && libs.openssl_headers" + "condition": "libs.openssl_headers" }, "openssl-linked": { "label": " Qt directly linked to OpenSSL", "autoDetect": false, "enable": "input.openssl == 'linked'", - "condition": "!features.securetransport && !features.schannel && libs.openssl", + "condition": "libs.openssl", "output": [ "privateFeature", { "type": "define", "name": "QT_LINKED_OPENSSL" } @@ -299,7 +299,7 @@ "securetransport": { "label": "SecureTransport", "disable": "input.ssl == 'no'", - "condition": "config.darwin && (input.openssl == '' || input.openssl == 'no')", + "condition": "config.darwin", "output": [ "publicFeature", { "type": "define", "name": "QT_SECURETRANSPORT" } @@ -309,7 +309,7 @@ "label": "Schannel", "autoDetect": false, "disable": "input.ssl == 'no'", - "condition": "config.win32 && (input.openssl == '' || input.openssl == 'no')", + "condition": "config.win32", "output": [ "publicFeature", { "type": "define", "name": "QT_SCHANNEL" } diff --git a/src/network/ssl/qopenssl.cpp b/src/network/ssl/qopenssl.cpp deleted file mode 100644 index 1453b4d881..0000000000 --- a/src/network/ssl/qopenssl.cpp +++ /dev/null @@ -1,71 +0,0 @@ -/**************************************************************************** -** -** Copyright (C) 2021 The Qt Company Ltd. -** Copyright (C) 2014 Governikus GmbH & Co. KG -** Contact: https://www.qt.io/licensing/ -** -** This file is part of the QtNetwork module of the Qt Toolkit. -** -** $QT_BEGIN_LICENSE:LGPL$ -** Commercial License Usage -** Licensees holding valid commercial Qt licenses may use this file in -** accordance with the commercial license agreement provided with the -** Software or, alternatively, in accordance with the terms contained in -** a written agreement between you and The Qt Company. For licensing terms -** and conditions see https://www.qt.io/terms-conditions. For further -** information use the contact form at https://www.qt.io/contact-us. -** -** GNU Lesser General Public License Usage -** Alternatively, this file may be used under the terms of the GNU Lesser -** General Public License version 3 as published by the Free Software -** Foundation and appearing in the file LICENSE.LGPL3 included in the -** packaging of this file. Please review the following information to -** ensure the GNU Lesser General Public License version 3 requirements -** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. -** -** GNU General Public License Usage -** Alternatively, this file may be used under the terms of the GNU -** General Public License version 2.0 or (at your option) the GNU General -** Public license version 3 or any later version approved by the KDE Free -** Qt Foundation. The licenses are as published by the Free Software -** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 -** included in the packaging of this file. Please review the following -** information to ensure the GNU General Public License requirements will -** be met: https://www.gnu.org/licenses/gpl-2.0.html and -** https://www.gnu.org/licenses/gpl-3.0.html. -** -** $QT_END_LICENSE$ -** -****************************************************************************/ - -/**************************************************************************** -** -** In addition, as a special exception, the copyright holders listed above give -** permission to link the code of its release of Qt with the OpenSSL project's -** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the -** same license as the original version), and distribute the linked executables. -** -** You must comply with the GNU General Public License version 2 in all -** respects for all of the code used other than the "OpenSSL" code. If you -** modify this file, you may extend this exception to your version of the file, -** but you are not obligated to do so. If you do not wish to do so, delete -** this exception statement from your version of this file. -** -****************************************************************************/ - -#include "qtlsbackend_openssl_p.h" -#include "qopenssl_p.h" - -QT_BEGIN_NAMESPACE - -Q_GLOBAL_STATIC(QTlsBackendOpenSSL, backendOpenSsl) - -void QSslSocketPrivate::registerAdHocFactory() -{ - // TLSTODO: this is a temporary solution, waiting for - // backends to move to ... plugins. - if (!backendOpenSsl()) - qCWarning(lcSsl, "Failed to create backend factory"); -} - -QT_END_NAMESPACE diff --git a/src/network/ssl/qsslkey_p.cpp b/src/network/ssl/qsslkey_p.cpp index 010f45fca9..8a5af25e75 100644 --- a/src/network/ssl/qsslkey_p.cpp +++ b/src/network/ssl/qsslkey_p.cpp @@ -57,12 +57,8 @@ #include "qssl_p.h" #include "qsslkey.h" #include "qsslkey_p.h" -#ifndef QT_NO_OPENSSL -#include "qsslsocket_openssl_symbols_p.h" -#endif #include "qsslsocket.h" #include "qsslsocket_p.h" -#include "qasn1element_p.h" #include "qtlsbackend_p.h" #include <QtCore/qatomic.h> diff --git a/src/network/ssl/qsslkey_p.h b/src/network/ssl/qsslkey_p.h index f5895561b4..6fea1ad66a 100644 --- a/src/network/ssl/qsslkey_p.h +++ b/src/network/ssl/qsslkey_p.h @@ -73,8 +73,8 @@ public: using Cipher = QTlsPrivate::Cipher; - Q_AUTOTEST_EXPORT static QByteArray decrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv); - Q_AUTOTEST_EXPORT static QByteArray encrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv); + Q_NETWORK_EXPORT static QByteArray decrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv); + Q_NETWORK_EXPORT static QByteArray encrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv); std::unique_ptr<QTlsPrivate::TlsKey> backend; QAtomicInt ref; diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 546c26272d..003bbf0787 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -1573,7 +1573,7 @@ QList<QString> QSslSocket::availableBackends() from the list of available backends. \note When selecting a default backend implicitly, QSslSocket prefers - native backends, such as SecureTransport on Darwin, or Schannel on Windows. + the OpenSSL backend if available. \sa setActiveBackend(), availableBackends() */ diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h index c90dfc8883..2816e62381 100644 --- a/src/network/ssl/qsslsocket_p.h +++ b/src/network/ssl/qsslsocket_p.h @@ -103,7 +103,7 @@ public: static bool s_loadRootCertsOnDemand; static bool supportsSsl(); - static void ensureInitialized(); + Q_NETWORK_EXPORT static void ensureInitialized(); static QList<QSslCipher> defaultCiphers(); static QList<QSslCipher> defaultDtlsCiphers(); @@ -117,7 +117,7 @@ public: static void resetDefaultEllipticCurves(); static QList<QSslCertificate> defaultCaCertificates(); - static QList<QSslCertificate> systemCaCertificates(); + Q_NETWORK_EXPORT static QList<QSslCertificate> systemCaCertificates(); static void setDefaultCaCertificates(const QList<QSslCertificate> &certs); static void addDefaultCaCertificate(const QSslCertificate &cert); static void addDefaultCaCertificates(const QList<QSslCertificate> &certs); @@ -168,7 +168,6 @@ public: Q_NETWORK_PRIVATE_EXPORT static void setRootCertOnDemandLoadingSupported(bool supported); static QTlsBackend *tlsBackendInUse(); - static void registerAdHocFactory(); // Needed by TlsCryptograph: Q_NETWORK_PRIVATE_EXPORT QSslSocket::SslMode tlsMode() const; diff --git a/src/network/ssl/qtlsbackend.cpp b/src/network/ssl/qtlsbackend.cpp index 079cbccbc0..4c412d436f 100644 --- a/src/network/ssl/qtlsbackend.cpp +++ b/src/network/ssl/qtlsbackend.cpp @@ -46,8 +46,6 @@ #include "qsslcipher_p.h" #include "qsslkey_p.h" #include "qsslkey.h" -#else -#include "qtlsbackend_cert_p.h" #endif #include "qssl_p.h" @@ -63,7 +61,7 @@ QT_BEGIN_NAMESPACE Q_GLOBAL_STATIC_WITH_ARGS(QFactoryLoader, loader, - (QTlsBackend_iid, QStringLiteral("/tlsbackends"))) + (QTlsBackend_iid, QStringLiteral("/tls"))) namespace { @@ -104,14 +102,6 @@ public: while (loader->instance(index)) ++index; - // TLSTODO: obviously, these two below should - // disappear as soon as plugins are in place. -#if QT_CONFIG(ssl) - QSslSocketPrivate::registerAdHocFactory(); -#else - static QTlsBackendCertOnly certGenerator; -#endif // QT_CONFIG(ssl) - return loaded = true; } @@ -244,6 +234,13 @@ bool TlsCryptograph::isMatchingHostname(const QString &cn, const QString &hostna return QSslSocketPrivate::isMatchingHostname(cn, hostname); } +void TlsCryptograph::setErrorAndEmit(QSslSocketPrivate *d, QAbstractSocket::SocketError errorCode, + const QString &errorDescription) const +{ + Q_ASSERT(d); + d->setErrorAndEmit(errorCode, errorDescription); +} + #endif // QT_CONFIG(ssl) #if QT_CONFIG(dtls) @@ -255,7 +252,8 @@ DtlsBase::~DtlsBase() = default; const QString QTlsBackend::builtinBackendNames[] = { QStringLiteral("schannel"), QStringLiteral("securetransport"), - QStringLiteral("openssl") + QStringLiteral("openssl"), + QStringLiteral("cert-only") }; QTlsBackend::QTlsBackend() @@ -436,18 +434,25 @@ QList<QString> QTlsBackend::availableBackendNames() QString QTlsBackend::defaultBackendName() { - // We prefer native as default: + // We prefer OpenSSL as default: const auto names = availableBackendNames(); - auto name = builtinBackendNames[nameIndexSchannel]; + auto name = builtinBackendNames[nameIndexOpenSSL]; if (names.contains(name)) return name; - name = builtinBackendNames[nameIndexSecureTransport]; + name = builtinBackendNames[nameIndexSchannel]; if (names.contains(name)) return name; - name = builtinBackendNames[nameIndexOpenSSL]; + name = builtinBackendNames[nameIndexSecureTransport]; if (names.contains(name)) return name; + const auto pos = std::find_if(names.begin(), names.end(), [](const auto &name) { + return name != builtinBackendNames[nameIndexCertOnly]; + }); + + if (pos != names.end()) + return *pos; + if (names.size()) return names[0]; @@ -787,6 +792,16 @@ void QTlsBackend::setEphemeralKey(QSslSocketPrivate *d, const QSslKey &key) d->configuration.ephemeralServerKey = key; } +void QTlsBackend::forceAutotestSecurityLevel() +{ +} + +Q_NETWORK_EXPORT void qt_ForceTlsSecurityLevel() +{ + if (auto *backend = QSslSocketPrivate::tlsBackendInUse()) + backend->forceAutotestSecurityLevel(); +} + #endif // QT_CONFIG(ssl) QT_END_NAMESPACE diff --git a/src/network/ssl/qtlsbackend_p.h b/src/network/ssl/qtlsbackend_p.h index 4d2bc25300..1a6110b17b 100644 --- a/src/network/ssl/qtlsbackend_p.h +++ b/src/network/ssl/qtlsbackend_p.h @@ -226,6 +226,9 @@ public: static bool isMatchingHostname(const QSslCertificate &cert, const QString &peerName); static bool isMatchingHostname(const QString &cn, const QString &hostname); + + void setErrorAndEmit(QSslSocketPrivate *d, QAbstractSocket::SocketError errorCode, + const QString &errorDescription) const; }; #else class TlsCryptograph; @@ -371,6 +374,7 @@ public: static constexpr const int nameIndexSchannel = 0; static constexpr const int nameIndexSecureTransport = 1; static constexpr const int nameIndexOpenSSL = 2; + static constexpr const int nameIndexCertOnly = 3; static const QString builtinBackendNames[]; @@ -428,6 +432,8 @@ public: static void addTustedRoot(QSslSocketPrivate *d, const QSslCertificate &rootCert); // The next one - is a "very important" feature! Kidding ... static void setEphemeralKey(QSslSocketPrivate *d, const QSslKey &key); + + virtual void forceAutotestSecurityLevel(); #endif // QT_CONFIG(ssl) Q_DISABLE_COPY_MOVE(QTlsBackend) diff --git a/src/plugins/CMakeLists.txt b/src/plugins/CMakeLists.txt index 4aea4aad94..92aeafb768 100644 --- a/src/plugins/CMakeLists.txt +++ b/src/plugins/CMakeLists.txt @@ -22,4 +22,5 @@ if(TARGET Qt::PrintSupport) endif() if (TARGET Qt::Network) add_subdirectory(networkinformationbackends) + add_subdirectory(tls) endif() diff --git a/src/plugins/tls/CMakeLists.txt b/src/plugins/tls/CMakeLists.txt new file mode 100644 index 0000000000..a17cda9594 --- /dev/null +++ b/src/plugins/tls/CMakeLists.txt @@ -0,0 +1,13 @@ +if(QT_FEATURE_securetransport) + add_subdirectory(securetransport) +endif() + +if (QT_FEATURE_openssl OR QT_FEATURE_openssl_linked) + add_subdirectory(openssl) +endif() + +if (QT_FEATURE_schannel) + add_subdirectory(schannel) +endif() + +add_subdirectory(certonly) diff --git a/src/plugins/tls/certonly/CMakeLists.txt b/src/plugins/tls/certonly/CMakeLists.txt new file mode 100644 index 0000000000..8a1a5c0691 --- /dev/null +++ b/src/plugins/tls/certonly/CMakeLists.txt @@ -0,0 +1,16 @@ +qt_internal_add_plugin(QTlsBackendCertOnly + OUTPUT_NAME certonlybackend + CLASS_NAME QTlsBackendCertOnly + TYPE tls + SOURCES + ../shared/qx509_base_p.h + ../shared/qx509_base.cpp + ../shared/qx509_generic_p.h + ../shared/qx509_generic.cpp + ../shared/qasn1element_p.h + ../shared/qasn1element.cpp + qtlsbackend_cert.cpp + qtlsbackend_cert_p.h + PUBLIC_LIBRARIES + Qt::NetworkPrivate +) diff --git a/src/network/ssl/qtlsbackend_cert.cpp b/src/plugins/tls/certonly/qtlsbackend_cert.cpp index f541381ecb..c81eb0252e 100644 --- a/src/network/ssl/qtlsbackend_cert.cpp +++ b/src/plugins/tls/certonly/qtlsbackend_cert.cpp @@ -39,9 +39,7 @@ #include "qtlsbackend_cert_p.h" -#ifdef QT_NO_SSL - -#include "qx509_generic_p.h" +#include "../shared/qx509_generic_p.h" #include <qssl.h> @@ -53,7 +51,7 @@ Q_LOGGING_CATEGORY(lcTlsBackend, "qt.tlsbackend.cert-only"); QString QTlsBackendCertOnly::backendName() const { - return QStringLiteral("cert-only"); + return builtinBackendNames[nameIndexCertOnly]; } @@ -92,5 +90,3 @@ QTlsPrivate::X509DerReaderPtr QTlsBackendCertOnly::X509DerReader() const QT_END_NAMESPACE -#endif // QT_NO_SSL - diff --git a/src/network/ssl/qtlsbackend_cert_p.h b/src/plugins/tls/certonly/qtlsbackend_cert_p.h index 4a010dbf79..ddbe02e5a9 100644 --- a/src/network/ssl/qtlsbackend_cert_p.h +++ b/src/plugins/tls/certonly/qtlsbackend_cert_p.h @@ -51,19 +51,19 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include "qtlsbackend_p.h" +#include <QtNetwork/private/qtlsbackend_p.h> #include <QtCore/qglobal.h> -#ifdef QT_NO_SSL - QT_BEGIN_NAMESPACE class QTlsBackendCertOnly final : public QTlsBackend { -public: + Q_OBJECT + Q_PLUGIN_METADATA(IID QTlsBackend_iid) + Q_INTERFACES(QTlsBackend) private: QString backendName() const override; @@ -78,6 +78,4 @@ private: QT_END_NAMESPACE -#endif // QT_NO_SSL - #endif // QTLSBACKEND_CERT_P_H diff --git a/src/plugins/tls/openssl/CMakeLists.txt b/src/plugins/tls/openssl/CMakeLists.txt new file mode 100644 index 0000000000..3bcad2752e --- /dev/null +++ b/src/plugins/tls/openssl/CMakeLists.txt @@ -0,0 +1,51 @@ +qt_internal_add_plugin(QTlsBackendOpenSSL + OUTPUT_NAME opensslbackend + CLASS_NAME QTlsBackendOpenSSL + TYPE tls + SOURCES + ../shared/qx509_base.cpp ../shared/qx509_base_p.h + ../shared/qtlskey_base.cpp ../shared/qtlskey_base_p.h + ../shared/qasn1element.cpp ../shared/qasn1element_p.h + qtlsbackend_openssl.cpp qtlsbackend_openssl_p.h + qx509_openssl.cpp qx509_openssl_p.h + qtlskey_openssl.cpp qtlskey_openssl_p.h + qtls_openssl.cpp qtls_openssl_p.h + qssldiffiehellmanparameters_openssl.cpp + qsslcontext_openssl.cpp qsslcontext_openssl_p.h + qsslsocket_openssl_symbols.cpp qsslsocket_openssl_symbols_p.h + qopenssl_p.h + PUBLIC_LIBRARIES + Qt::NetworkPrivate + Qt::CorePrivate + DEFINES + OPENSSL_API_COMPAT=0x10100000L +) + +qt_internal_extend_target(QTlsBackendOpenSSL CONDITION QT_FEATURE_dtls + SOURCES + qdtls_openssl.cpp qdtls_openssl_p.h + ../shared/qdtls_base.cpp ../shared/qdtls_base_p.h +) + +qt_internal_extend_target(QTlsBackendOpenSSL CONDITION APPLE + SOURCES + ../shared/qsslsocket_mac_shared.cpp + LIBRARIES + ${FWCoreFoundation} + ${FWSecurity} +) + +qt_internal_extend_target(QTlsBackendOpenSSL CONDITION ANDROID AND NOT ANDROID_EMBEDDED + SOURCES + qsslsocket_openssl_android.cpp +) + +qt_internal_extend_target(QTlsBackendOpenSSL CONDITION QT_FEATURE_openssl + AND QT_FEATURE_ssl AND WIN32 + SOURCES + qwindowscarootfetcher.cpp qwindowscarootfetcher_p.h + ../shared/qwincrypt_p.h + LIBRARIES + crypt32 +) + diff --git a/src/network/ssl/qdtls_openssl.cpp b/src/plugins/tls/openssl/qdtls_openssl.cpp index fe6c8013c7..55a82f7fd4 100644 --- a/src/network/ssl/qdtls_openssl.cpp +++ b/src/plugins/tls/openssl/qdtls_openssl.cpp @@ -40,20 +40,23 @@ #ifndef NOMINMAX #define NOMINMAX #endif // NOMINMAX -#include "private/qnativesocketengine_p.h" -#include "qsslpresharedkeyauthenticator_p.h" +#include <QtNetwork/private/qnativesocketengine_p.h> + #include "qsslsocket_openssl_symbols_p.h" -#include "qsslcertificate_p.h" #include "qdtls_openssl_p.h" #include "qx509_openssl_p.h" -#include "qudpsocket.h" -#include "qssl_p.h" -#include "qmessageauthenticationcode.h" -#include "qcryptographichash.h" +#include <QtNetwork/private/qsslpresharedkeyauthenticator_p.h> +#include <QtNetwork/private/qsslcertificate_p.h> +#include <QtNetwork/private/qssl_p.h> + +#include <QtNetwork/qudpsocket.h> + +#include <QtCore/qmessageauthenticationcode.h> +#include <QtCore/qcryptographichash.h> -#include "qdebug.h" +#include <QtCore/qdebug.h> #include <cstring> #include <cstddef> @@ -84,13 +87,13 @@ QByteArray cookie_for_peer(SSL *ssl) // SSL_get_rbio does not increment the reference count BIO *readBIO = q_SSL_get_rbio(ssl); if (!readBIO) { - qCWarning(lcSsl, "No BIO (dgram) found in SSL object"); + qCWarning(lcTlsBackend, "No BIO (dgram) found in SSL object"); return {}; } auto listener = static_cast<dtlsopenssl::DtlsState *>(q_BIO_get_app_data(readBIO)); if (!listener) { - qCWarning(lcSsl, "BIO_get_app_data returned invalid (nullptr) value"); + qCWarning(lcTlsBackend, "BIO_get_app_data returned invalid (nullptr) value"); return {}; } @@ -192,14 +195,14 @@ extern "C" int q_generate_cookie_callback(SSL *ssl, unsigned char *dst, unsigned *cookieLength) { if (!ssl || !dst || !cookieLength) { - qCWarning(lcSsl, + qCWarning(lcTlsBackend, "Failed to generate cookie - invalid (nullptr) parameter(s)"); return 0; } void *generic = q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData); if (!generic) { - qCWarning(lcSsl, "SSL_get_ex_data returned nullptr, cannot generate cookie"); + qCWarning(lcTlsBackend, "SSL_get_ex_data returned nullptr, cannot generate cookie"); return 0; } @@ -228,7 +231,7 @@ extern "C" int q_verify_cookie_callback(SSL *ssl, const unsigned char *cookie, unsigned cookieLength) { if (!ssl || !cookie || !cookieLength) { - qCWarning(lcSsl, "Could not verify cookie, invalid (nullptr or zero) parameters"); + qCWarning(lcTlsBackend, "Could not verify cookie, invalid (nullptr or zero) parameters"); return 0; } @@ -247,13 +250,13 @@ extern "C" int q_X509DtlsCallback(int ok, X509_STORE_CTX *ctx) // Store the error and at which depth the error was detected. SSL *ssl = static_cast<SSL *>(q_X509_STORE_CTX_get_ex_data(ctx, q_SSL_get_ex_data_X509_STORE_CTX_idx())); if (!ssl) { - qCWarning(lcSsl, "X509_STORE_CTX_get_ex_data returned nullptr, handshake failure"); + qCWarning(lcTlsBackend, "X509_STORE_CTX_get_ex_data returned nullptr, handshake failure"); return 0; } void *generic = q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData); if (!generic) { - qCWarning(lcSsl, "SSL_get_ex_data returned nullptr, handshake failure"); + qCWarning(lcTlsBackend, "SSL_get_ex_data returned nullptr, handshake failure"); return 0; } @@ -300,7 +303,7 @@ namespace dtlsbio extern "C" int q_dgram_read(BIO *bio, char *dst, int bytesToRead) { if (!bio || !dst || bytesToRead <= 0) { - qCWarning(lcSsl, "invalid input parameter(s)"); + qCWarning(lcTlsBackend, "invalid input parameter(s)"); return 0; } @@ -330,7 +333,7 @@ extern "C" int q_dgram_read(BIO *bio, char *dst, int bytesToRead) extern "C" int q_dgram_write(BIO *bio, const char *src, int bytesToWrite) { if (!bio || !src || bytesToWrite <= 0) { - qCWarning(lcSsl, "invalid input parameter(s)"); + qCWarning(lcTlsBackend, "invalid input parameter(s)"); return 0; } @@ -365,7 +368,7 @@ extern "C" int q_dgram_write(BIO *bio, const char *src, int bytesToWrite) extern "C" int q_dgram_puts(BIO *bio, const char *src) { if (!bio || !src) { - qCWarning(lcSsl, "invalid input parameter(s)"); + qCWarning(lcTlsBackend, "invalid input parameter(s)"); return 0; } @@ -390,7 +393,7 @@ extern "C" long q_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) // command. if (!bio) { - qDebug(lcSsl, "invalid 'bio' parameter (nullptr)"); + qDebug(lcTlsBackend, "invalid 'bio' parameter (nullptr)"); return -1; } @@ -1425,7 +1428,7 @@ void QDtlsPrivateOpenSSL::fetchNegotiatedParameters() sessionProtocol = QSsl::DtlsV1_2; break; default: - qCWarning(lcSsl, "unknown protocol version"); + qCWarning(lcTlsBackend, "unknown protocol version"); sessionProtocol = QSsl::UnknownProtocol; } } diff --git a/src/network/ssl/qdtls_openssl_p.h b/src/plugins/tls/openssl/qdtls_openssl_p.h index 281e1133cd..d10d4ce584 100644 --- a/src/network/ssl/qdtls_openssl_p.h +++ b/src/plugins/tls/openssl/qdtls_openssl_p.h @@ -40,27 +40,26 @@ #ifndef QDTLS_OPENSSL_P_H #define QDTLS_OPENSSL_P_H -#include <private/qtnetworkglobal_p.h> - -#include <QtCore/qglobal.h> - -#include <openssl/ossl_typ.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> +#include "qsslcontext_openssl_p.h" #include "qtlsbackend_openssl_p.h" #include "qtls_openssl_p.h" -#include "qdtls_base_p.h" -#include "qdtls_p.h" +#include "qopenssl_p.h" + +#include "../shared/qdtls_base_p.h" -#include <private/qsslcontext_openssl_p.h> -#include <private/qopenssl_p.h> +#include <QtNetwork/private/qdtls_p.h> #include <QtNetwork/qsslpresharedkeyauthenticator.h> #include <QtNetwork/qhostaddress.h> +#include <QtCore/qsharedpointer.h> #include <QtCore/qbytearray.h> #include <QtCore/qglobal.h> #include <QtCore/qlist.h> -#include <QtCore/qsharedpointer.h> + +#include <openssl/ossl_typ.h> // // W A R N I N G diff --git a/src/network/ssl/qopenssl_p.h b/src/plugins/tls/openssl/qopenssl_p.h index fa3efb2c28..6daf72a2f8 100644 --- a/src/network/ssl/qopenssl_p.h +++ b/src/plugins/tls/openssl/qopenssl_p.h @@ -68,8 +68,9 @@ #include <QtNetwork/private/qtnetworkglobal_p.h> -#include "qsslsocket_p.h" -#include "qsslcipher.h" +#include <QtNetwork/private/qsslsocket_p.h> + +#include <QtNetwork/qsslcipher.h> #ifdef Q_OS_WIN #include <qt_windows.h> diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp index de7ef15d10..c0afc32e47 100644 --- a/src/network/ssl/qsslcontext_openssl.cpp +++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp @@ -43,13 +43,16 @@ #include <QtNetwork/qsslsocket.h> #include <QtNetwork/qssldiffiehellmanparameters.h> -#include "private/qopenssl_p.h" -#include "private/qssl_p.h" -#include "private/qsslsocket_p.h" -#include "private/qsslcontext_openssl_p.h" -#include "private/qsslsocket_openssl_symbols_p.h" -#include "private/qssldiffiehellmanparameters_p.h" -#include "private/qtlsbackend_openssl_p.h" +#include "qsslsocket_openssl_symbols_p.h" +#include "qsslcontext_openssl_p.h" +#include "qtlsbackend_openssl_p.h" +#include "qopenssl_p.h" + +#include <QtNetwork/private/qssl_p.h> +#include <QtNetwork/private/qsslsocket_p.h> +#include <QtNetwork/private/qtlsbackend_p.h> + +#include <QtNetwork/private/qssldiffiehellmanparameters_p.h> #include <vector> @@ -57,11 +60,6 @@ QT_BEGIN_NAMESPACE Q_GLOBAL_STATIC(bool, forceSecurityLevel) -Q_NETWORK_EXPORT void qt_ForceTlsSecurityLevel() -{ - *forceSecurityLevel() = true; -} - namespace QTlsPrivate { // These callback functions are defined in qtls_openssl.cpp. @@ -218,7 +216,7 @@ static int next_proto_cb(SSL *, unsigned char **out, unsigned char *outlen, ctx->status = QSslConfiguration::NextProtocolNegotiationUnsupported; break; default: - qCWarning(lcSsl, "OpenSSL sent unknown NPN status"); + qCWarning(lcTlsBackend, "OpenSSL sent unknown NPN status"); } return SSL_TLSEXT_ERR_OK; @@ -248,7 +246,7 @@ SSL* QSslContext::createSsl() if (session) { // Try to resume the last session we cached if (!q_SSL_set_session(ssl, session)) { - qCWarning(lcSsl, "could not set SSL session"); + qCWarning(lcTlsBackend, "could not set SSL session"); q_SSL_SESSION_free(session); session = nullptr; } @@ -260,7 +258,7 @@ SSL* QSslContext::createSsl() m_supportedNPNVersions.clear(); for (int a = 0; a < protocols.count(); ++a) { if (protocols.at(a).size() > 255) { - qCWarning(lcSsl) << "TLS NPN extension" << protocols.at(a) + qCWarning(lcTlsBackend) << "TLS NPN extension" << protocols.at(a) << "is too long and will be ignored."; continue; } else if (protocols.at(a).isEmpty()) { @@ -313,7 +311,7 @@ bool QSslContext::cacheSession(SSL* ssl) m_sessionASN1.resize(sessionSize); unsigned char *data = reinterpret_cast<unsigned char *>(m_sessionASN1.data()); if (!q_i2d_SSL_SESSION(session, &data)) - qCWarning(lcSsl, "could not store persistent version of SSL session"); + qCWarning(lcTlsBackend, "could not store persistent version of SSL session"); m_sessionTicketLifeTimeHint = q_SSL_SESSION_get_ticket_lifetime_hint(session); } } @@ -336,6 +334,11 @@ int QSslContext::sessionTicketLifeTimeHint() const return m_sessionTicketLifeTimeHint; } +void QSslContext::forceAutoTestSecurityLevel() +{ + *forceSecurityLevel() = true; +} + QSslError::SslError QSslContext::error() const { return errorCode; @@ -370,13 +373,13 @@ init_context: #else // dtls sslContext->ctx = nullptr; unsupportedProtocol = true; - qCWarning(lcSsl, "DTLS protocol requested, but feature 'dtls' is disabled"); + qCWarning(lcTlsBackend, "DTLS protocol requested, but feature 'dtls' is disabled"); #endif // dtls break; case QSsl::TlsV1_3: case QSsl::TlsV1_3OrLater: #if !defined(TLS1_3_VERSION) - qCWarning(lcSsl, "TLS 1.3 is not supported"); + qCWarning(lcTlsBackend, "TLS 1.3 is not supported"); sslContext->ctx = nullptr; unsupportedProtocol = true; break; @@ -591,7 +594,7 @@ init_context: #endif // OPENSSL_VERSION_MAJOR if (success != 1) { const auto qtErrors = QTlsBackendOpenSSL::getErrorsFromOpenSsl(); - qCWarning(lcSsl) << "An error encountered while to set root certificates location:" + qCWarning(lcTlsBackend) << "An error encountered while to set root certificates location:" << qtErrors; } } diff --git a/src/network/ssl/qsslcontext_openssl_p.h b/src/plugins/tls/openssl/qsslcontext_openssl_p.h index 4b343e7842..c350a93f5e 100644 --- a/src/network/ssl/qsslcontext_openssl_p.h +++ b/src/plugins/tls/openssl/qsslcontext_openssl_p.h @@ -87,6 +87,8 @@ public: void setSessionASN1(const QByteArray &sessionASN1); int sessionTicketLifeTimeHint() const; + static void forceAutoTestSecurityLevel(); + #ifndef OPENSSL_NO_NEXTPROTONEG // must be public because we want to use it from an OpenSSL callback struct NPNContext { diff --git a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp b/src/plugins/tls/openssl/qssldiffiehellmanparameters_openssl.cpp index 8e0458de4e..a917a20744 100644 --- a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp +++ b/src/plugins/tls/openssl/qssldiffiehellmanparameters_openssl.cpp @@ -40,7 +40,8 @@ #include "qsslsocket_openssl_symbols_p.h" #include "qtlsbackend_openssl_p.h" -#include "qsslsocket_p.h" + +#include <QtNetwork/private/qsslsocket_p.h> #include <QtCore/qscopeguard.h> #include <QtCore/qbytearray.h> diff --git a/src/network/ssl/qsslsocket_openssl_android.cpp b/src/plugins/tls/openssl/qsslsocket_openssl_android.cpp index 22884cb819..7f7f067fa2 100644 --- a/src/network/ssl/qsslsocket_openssl_android.cpp +++ b/src/plugins/tls/openssl/qsslsocket_openssl_android.cpp @@ -52,7 +52,6 @@ ** ****************************************************************************/ -#include "qsslsocket_p.h" #include <QtCore/QJniEnvironment> #include <QtCore/QJniObject> diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp index 82429800f8..6b4601163b 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp @@ -54,11 +54,12 @@ ** ****************************************************************************/ -#include "qssl_p.h" #include "qsslsocket_openssl_symbols_p.h" +#include <QtNetwork/private/qssl_p.h> + #ifdef Q_OS_WIN -# include <private/qsystemlibrary_p.h> +# include <QtCore/private/qsystemlibrary_p.h> #elif QT_CONFIG(library) # include <QtCore/qlibrary.h> #endif @@ -72,7 +73,7 @@ #include <link.h> #endif #ifdef Q_OS_DARWIN -#include "private/qcore_mac_p.h" +#include <QtCore/private/qcore_mac_p.h> #endif #include <algorithm> @@ -123,13 +124,13 @@ QT_BEGIN_NAMESPACE namespace { void qsslSocketUnresolvedSymbolWarning(const char *functionName) { - qCWarning(lcSsl, "QSslSocket: cannot call unresolved function %s", functionName); + qCWarning(lcTlsBackend, "QSslSocket: cannot call unresolved function %s", functionName); } #if QT_CONFIG(library) void qsslSocketCannotResolveSymbolWarning(const char *functionName) { - qCWarning(lcSsl, "QSslSocket: cannot resolve %s", functionName); + qCWarning(lcTlsBackend, "QSslSocket: cannot resolve %s", functionName); } #endif @@ -522,9 +523,9 @@ DEFINEFUNC(void, PKCS12_free, PKCS12 *pkcs12, pkcs12, return, DUMMYARG) #if !QT_CONFIG(library) bool q_resolveOpenSslSymbols() { - qCWarning(lcSsl, "QSslSocket: unable to resolve symbols. Qt is configured without the " + qCWarning(lcTlsBackend, "QSslSocket: unable to resolve symbols. Qt is configured without the " "'library' feature, which means runtime resolving of libraries won't work."); - qCWarning(lcSsl, "Either compile Qt statically or with support for runtime resolving " + qCWarning(lcTlsBackend, "Either compile Qt statically or with support for runtime resolving " "of libraries."); return false; } @@ -904,7 +905,7 @@ bool q_resolveOpenSslSymbols() if (!_q_OpenSSL_version) { // Apparently, we were built with OpenSSL 1.1 enabled but are now using // a wrong library. - qCWarning(lcSsl, "Incompatible version of OpenSSL"); + qCWarning(lcTlsBackend, "Incompatible version of OpenSSL"); return false; } @@ -1217,18 +1218,4 @@ bool q_resolveOpenSslSymbols() } #endif // !defined QT_LINKED_OPENSSL -QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime) -{ - QDateTime result; - tm lTime; - - if (q_ASN1_TIME_to_tm(aTime, &lTime)) { - QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday); - QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec); - result = QDateTime(resDate, resTime, Qt::UTC); - } - - return result; -} - QT_END_NAMESPACE diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h index f733c64fe3..1eb6387c23 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols_p.h +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h @@ -69,11 +69,13 @@ // #include <QtNetwork/private/qtnetworkglobal_p.h> + #include "qopenssl_p.h" + #include <QtCore/qglobal.h> #if QT_CONFIG(ocsp) -#include "qocsp_p.h" +#include <QtNetwork/private/qocsp_p.h> #endif QT_BEGIN_NAMESPACE @@ -227,23 +229,23 @@ QT_BEGIN_NAMESPACE const unsigned char * q_ASN1_STRING_get0_data(const ASN1_STRING *x); -Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a); -Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem(); +BIO *q_BIO_new(const BIO_METHOD *a); +const BIO_METHOD *q_BIO_s_mem(); int q_DSA_bits(DSA *a); int q_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c); -Q_AUTOTEST_EXPORT int q_EVP_PKEY_up_ref(EVP_PKEY *a); +int q_EVP_PKEY_up_ref(EVP_PKEY *a); EVP_PKEY_CTX *q_EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e); void q_EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx); int q_EVP_PKEY_param_check(EVP_PKEY_CTX *ctx); int q_EVP_PKEY_base_id(EVP_PKEY *a); int q_RSA_bits(RSA *a); -Q_AUTOTEST_EXPORT int q_OPENSSL_sk_num(OPENSSL_STACK *a); -Q_AUTOTEST_EXPORT void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *)); -Q_AUTOTEST_EXPORT OPENSSL_STACK *q_OPENSSL_sk_new_null(); -Q_AUTOTEST_EXPORT void q_OPENSSL_sk_push(OPENSSL_STACK *st, void *data); -Q_AUTOTEST_EXPORT void q_OPENSSL_sk_free(OPENSSL_STACK *a); -Q_AUTOTEST_EXPORT void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b); +int q_OPENSSL_sk_num(OPENSSL_STACK *a); +void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *)); +OPENSSL_STACK *q_OPENSSL_sk_new_null(); +void q_OPENSSL_sk_push(OPENSSL_STACK *st, void *data); +void q_OPENSSL_sk_free(OPENSSL_STACK *a); +void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b); int q_SSL_session_reused(SSL *a); unsigned long q_SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op); int q_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); @@ -256,7 +258,7 @@ const SSL_METHOD *q_TLS_server_method(); ASN1_TIME *q_X509_getm_notBefore(X509 *a); ASN1_TIME *q_X509_getm_notAfter(X509 *a); -Q_AUTOTEST_EXPORT void q_X509_up_ref(X509 *a); +void q_X509_up_ref(X509 *a); long q_X509_get_version(X509 *a); EVP_PKEY *q_X509_get_pubkey(X509 *a); void q_X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); @@ -370,10 +372,10 @@ int q_ASN1_STRING_length(ASN1_STRING *a); int q_ASN1_STRING_to_UTF8(unsigned char **a, ASN1_STRING *b); int q_ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm); long q_BIO_ctrl(BIO *a, int b, long c, void *d); -Q_AUTOTEST_EXPORT int q_BIO_free(BIO *a); +int q_BIO_free(BIO *a); BIO *q_BIO_new_mem_buf(void *a, int b); int q_BIO_read(BIO *a, void *b, int c); -Q_AUTOTEST_EXPORT int q_BIO_write(BIO *a, const void *b, int c); +int q_BIO_write(BIO *a, const void *b, int c); int q_BN_num_bits(const BIGNUM *a); int q_BN_is_word(BIGNUM *a, BN_ULONG w); BN_ULONG q_BN_mod_word(const BIGNUM *a, BN_ULONG w); @@ -414,18 +416,18 @@ const EVP_CIPHER *q_EVP_aes_192_cbc(); const EVP_CIPHER *q_EVP_aes_256_cbc(); #endif // OPENSSL_NO_AES -Q_AUTOTEST_EXPORT const EVP_MD *q_EVP_sha1(); +const EVP_MD *q_EVP_sha1(); int q_EVP_PKEY_assign(EVP_PKEY *a, int b, void *r); -Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_RSA(EVP_PKEY *a, RSA *b); -Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_DSA(EVP_PKEY *a, DSA *b); -Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_DH(EVP_PKEY *a, DH *b); +int q_EVP_PKEY_set1_RSA(EVP_PKEY *a, RSA *b); +int q_EVP_PKEY_set1_DSA(EVP_PKEY *a, DSA *b); +int q_EVP_PKEY_set1_DH(EVP_PKEY *a, DH *b); #ifndef OPENSSL_NO_EC -Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_EC_KEY(EVP_PKEY *a, EC_KEY *b); +int q_EVP_PKEY_set1_EC_KEY(EVP_PKEY *a, EC_KEY *b); #endif -Q_AUTOTEST_EXPORT int q_EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b); -Q_AUTOTEST_EXPORT void q_EVP_PKEY_free(EVP_PKEY *a); +int q_EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b); +void q_EVP_PKEY_free(EVP_PKEY *a); RSA *q_EVP_PKEY_get1_RSA(EVP_PKEY *a); DSA *q_EVP_PKEY_get1_DSA(EVP_PKEY *a); DH *q_EVP_PKEY_get1_DH(EVP_PKEY *a); @@ -433,7 +435,7 @@ DH *q_EVP_PKEY_get1_DH(EVP_PKEY *a); EC_KEY *q_EVP_PKEY_get1_EC_KEY(EVP_PKEY *a); #endif int q_EVP_PKEY_type(int a); -Q_AUTOTEST_EXPORT EVP_PKEY *q_EVP_PKEY_new(); +EVP_PKEY *q_EVP_PKEY_new(); int q_i2d_X509(X509 *a, unsigned char **b); const char *q_OBJ_nid2sn(int a); const char *q_OBJ_nid2ln(int a); @@ -443,7 +445,7 @@ int q_i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *obj); int q_OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *obj, int no_name); int q_OBJ_obj2nid(const ASN1_OBJECT *a); #define q_EVP_get_digestbynid(a) q_EVP_get_digestbyname(q_OBJ_nid2sn(a)) -Q_AUTOTEST_EXPORT EVP_PKEY *q_PEM_read_bio_PrivateKey(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); +EVP_PKEY *q_PEM_read_bio_PrivateKey(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); DSA *q_PEM_read_bio_DSAPrivateKey(BIO *a, DSA **b, pem_password_cb *c, void *d); RSA *q_PEM_read_bio_RSAPrivateKey(BIO *a, RSA **b, pem_password_cb *c, void *d); @@ -462,7 +464,7 @@ int q_PEM_write_bio_RSAPrivateKey(BIO *a, RSA *b, const EVP_CIPHER *c, unsigned int e, pem_password_cb *f, void *g); int q_PEM_write_bio_PrivateKey(BIO *a, EVP_PKEY *b, const EVP_CIPHER *c, unsigned char *d, int e, pem_password_cb *f, void *g); -Q_AUTOTEST_EXPORT EVP_PKEY *q_PEM_read_bio_PUBKEY(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); +EVP_PKEY *q_PEM_read_bio_PUBKEY(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); DSA *q_PEM_read_bio_DSA_PUBKEY(BIO *a, DSA **b, pem_password_cb *c, void *d); RSA *q_PEM_read_bio_RSA_PUBKEY(BIO *a, RSA **b, pem_password_cb *c, void *d); int q_PEM_write_bio_DSA_PUBKEY(BIO *a, DSA *b); @@ -541,9 +543,9 @@ X509 *q_X509_dup(X509 *a); void q_X509_print(BIO *a, X509*b); int q_X509_digest(const X509 *x509, const EVP_MD *type, unsigned char *md, unsigned int *len); ASN1_OBJECT *q_X509_EXTENSION_get_object(X509_EXTENSION *a); -Q_AUTOTEST_EXPORT void q_X509_free(X509 *a); -Q_AUTOTEST_EXPORT ASN1_TIME *q_X509_gmtime_adj(ASN1_TIME *s, long adj); -Q_AUTOTEST_EXPORT void q_ASN1_TIME_free(ASN1_TIME *t); +void q_X509_free(X509 *a); +ASN1_TIME *q_X509_gmtime_adj(ASN1_TIME *s, long adj); +void q_ASN1_TIME_free(ASN1_TIME *t); X509_EXTENSION *q_X509_get_ext(X509 *a, int b); int q_X509_get_ext_count(X509 *a); void *q_X509_get_ext_d2i(X509 *a, int b, int *c, int *d); @@ -698,28 +700,24 @@ int q_BIO_set_ex_data(BIO *b, int idx, void *data); #define q_BIO_set_app_data(s,arg) q_BIO_set_ex_data(s,0,arg) #define q_BIO_get_app_data(s) q_BIO_get_ex_data(s,0) -// Helper function -class QDateTime; -QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime); - #define q_SSL_set_tlsext_status_type(ssl, type) \ q_SSL_ctrl((ssl), SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE, (type), nullptr) #if QT_CONFIG(ocsp) OCSP_RESPONSE *q_d2i_OCSP_RESPONSE(OCSP_RESPONSE **a, const unsigned char **in, long len); -Q_AUTOTEST_EXPORT int q_i2d_OCSP_RESPONSE(OCSP_RESPONSE *r, unsigned char **ppout); -Q_AUTOTEST_EXPORT OCSP_RESPONSE *q_OCSP_response_create(int status, OCSP_BASICRESP *bs); -Q_AUTOTEST_EXPORT void q_OCSP_RESPONSE_free(OCSP_RESPONSE *rs); +int q_i2d_OCSP_RESPONSE(OCSP_RESPONSE *r, unsigned char **ppout); +OCSP_RESPONSE *q_OCSP_response_create(int status, OCSP_BASICRESP *bs); +void q_OCSP_RESPONSE_free(OCSP_RESPONSE *rs); int q_OCSP_response_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *q_OCSP_response_get1_basic(OCSP_RESPONSE *resp); -Q_AUTOTEST_EXPORT OCSP_SINGLERESP *q_OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, +OCSP_SINGLERESP *q_OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd); -Q_AUTOTEST_EXPORT int q_OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, +int q_OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags); -Q_AUTOTEST_EXPORT OCSP_BASICRESP *q_OCSP_BASICRESP_new(); -Q_AUTOTEST_EXPORT void q_OCSP_BASICRESP_free(OCSP_BASICRESP *bs); +OCSP_BASICRESP *q_OCSP_BASICRESP_new(); +void q_OCSP_BASICRESP_free(OCSP_BASICRESP *bs); int q_OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); int q_OCSP_resp_count(OCSP_BASICRESP *bs); OCSP_SINGLERESP *q_OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); @@ -730,8 +728,8 @@ int q_OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, ASN1_ ASN1_INTEGER **pserial, OCSP_CERTID *cid); const STACK_OF(X509) *q_OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); -Q_AUTOTEST_EXPORT OCSP_CERTID *q_OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); -Q_AUTOTEST_EXPORT void q_OCSP_CERTID_free(OCSP_CERTID *cid); +OCSP_CERTID *q_OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); +void q_OCSP_CERTID_free(OCSP_CERTID *cid); int q_OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b); #define q_SSL_get_tlsext_status_ocsp_resp(ssl, arg) \ diff --git a/src/network/ssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp index 90561943f5..9ed9ab7538 100644 --- a/src/network/ssl/qtls_openssl.cpp +++ b/src/plugins/tls/openssl/qtls_openssl.cpp @@ -37,19 +37,21 @@ ** ****************************************************************************/ -#include "qsslpresharedkeyauthenticator_p.h" -#include "qsslpresharedkeyauthenticator.h" #include "qsslsocket_openssl_symbols_p.h" -#include "qsslcertificate_p.h" #include "qx509_openssl_p.h" -#include "qocspresponse_p.h" #include "qtls_openssl_p.h" -#include "qsslsocket_p.h" #ifdef Q_OS_WIN #include "qwindowscarootfetcher_p.h" #endif +#include <QtNetwork/private/qsslpresharedkeyauthenticator_p.h> +#include <QtNetwork/private/qsslcertificate_p.h> +#include <QtNetwork/private/qocspresponse_p.h> +#include <QtNetwork/private/qsslsocket_p.h> + +#include <QtNetwork/qsslpresharedkeyauthenticator.h> + #include <QtCore/qscopedvaluerollback.h> #include <QtCore/qscopeguard.h> @@ -195,7 +197,7 @@ int q_X509CallbackDirect(int ok, X509_STORE_CTX *ctx) // errors immediately and returning 0 or 1 depending on an application // either ignoring or not ignoring verification errors as they come. if (!ctx) { - qCWarning(lcSsl, "Invalid store context (nullptr)"); + qCWarning(lcTlsBackend, "Invalid store context (nullptr)"); return 0; } @@ -430,7 +432,7 @@ bool qt_OCSP_certificate_match(OCSP_SINGLERESP *singleResponse, X509 *peerCert, const OCSP_CERTID *certId = q_OCSP_SINGLERESP_get0_id(singleResponse); // Does not increment refcount. if (!certId) { - qCWarning(lcSsl, "A SingleResponse without CertID"); + qCWarning(lcTlsBackend, "A SingleResponse without CertID"); return false; } @@ -438,7 +440,7 @@ bool qt_OCSP_certificate_match(OCSP_SINGLERESP *singleResponse, X509 *peerCert, ASN1_INTEGER *reportedSerialNumber = nullptr; const int result = q_OCSP_id_get0_info(nullptr, &md, nullptr, &reportedSerialNumber, const_cast<OCSP_CERTID *>(certId)); if (result != 1 || !md || !reportedSerialNumber) { - qCWarning(lcSsl, "Failed to extract a hash and serial number from CertID structure"); + qCWarning(lcTlsBackend, "Failed to extract a hash and serial number from CertID structure"); return false; } @@ -446,31 +448,31 @@ bool qt_OCSP_certificate_match(OCSP_SINGLERESP *singleResponse, X509 *peerCert, // Is this possible at all? But we have to check this, // ASN1_INTEGER_cmp (called from OCSP_id_cmp) dereferences // without any checks at all. - qCWarning(lcSsl, "No serial number in peer's ceritificate"); + qCWarning(lcTlsBackend, "No serial number in peer's ceritificate"); return false; } const int nid = q_OBJ_obj2nid(md); if (nid == NID_undef) { - qCWarning(lcSsl, "Unknown hash algorithm in CertID"); + qCWarning(lcTlsBackend, "Unknown hash algorithm in CertID"); return false; } const EVP_MD *digest = q_EVP_get_digestbynid(nid); // Does not increment refcount. if (!digest) { - qCWarning(lcSsl) << "No digest for nid" << nid; + qCWarning(lcTlsBackend) << "No digest for nid" << nid; return false; } OCSP_CERTID *recreatedId = q_OCSP_cert_to_id(digest, peerCert, issuer); if (!recreatedId) { - qCWarning(lcSsl, "Failed to re-create CertID"); + qCWarning(lcTlsBackend, "Failed to re-create CertID"); return false; } const QSharedPointer<OCSP_CERTID> guard(recreatedId, q_OCSP_CERTID_free); if (q_OCSP_id_cmp(const_cast<OCSP_CERTID *>(certId), recreatedId)) { - qDebug(lcSsl, "Certificate ID mismatch"); + qDebug(lcTlsBackend, "Certificate ID mismatch"); return false; } // Bingo! @@ -522,8 +524,8 @@ void TlsCryptographOpenSSL::startClientEncryption() { if (!initSslContext()) { Q_ASSERT(d); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Unable to init SSL Context: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Unable to init SSL Context: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); return; } @@ -537,8 +539,8 @@ void TlsCryptographOpenSSL::startServerEncryption() { if (!initSslContext()) { Q_ASSERT(d); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Unable to init SSL Context: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Unable to init SSL Context: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); return; } @@ -614,7 +616,7 @@ bool TlsCryptographOpenSSL::startHandshake() #endif { const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, errorString); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, errorString); if (pendingFatalAlert) { trySendFatalAlert(); pendingFatalAlert = false; @@ -657,7 +659,7 @@ bool TlsCryptographOpenSSL::startHandshake() if (ocspErrors.isEmpty()) { { const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, ocspErrorDescription); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, ocspErrorDescription); } q->abort(); return false; @@ -800,9 +802,9 @@ void TlsCryptographOpenSSL::continueHandshake() QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); QFile file(sslKeyFile); if (!file.open(QIODevice::Append)) - qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; + qCWarning(lcTlsBackend) << "could not open file" << sslKeyFile << "for appending"; if (!file.write(debugLineClientRandom)) - qCWarning(lcSsl) << "could not write to file" << sslKeyFile; + qCWarning(lcTlsBackend) << "could not write to file" << sslKeyFile; file.close(); } else { qCWarning(lcTlsBackend, "could not decrypt SSL traffic"); @@ -911,9 +913,9 @@ void TlsCryptographOpenSSL::transmit() } else { // ### Better error handling. const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Unable to write data: %1").arg( - QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Unable to write data: %1").arg( + QTlsBackendOpenSSL::getErrorsFromOpenSsl())); return; } } @@ -959,7 +961,7 @@ void TlsCryptographOpenSSL::transmit() if (actualWritten < 0) { //plain socket write fails if it was in the pending close state. const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(plainSocket->error(), plainSocket->errorString()); + setErrorAndEmit(d, plainSocket->error(), plainSocket->errorString()); return; } transmitting = true; @@ -985,9 +987,9 @@ void TlsCryptographOpenSSL::transmit() } else { // ### Better error handling. const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Unable to decrypt data: %1") - .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Unable to decrypt data: %1") + .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); return; } @@ -1068,8 +1070,8 @@ void TlsCryptographOpenSSL::transmit() shutdown = true; // the other side shut down, make sure we do not send shutdown ourselves { const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(QAbstractSocket::RemoteHostClosedError, - QSslSocket::tr("The TLS/SSL connection has been closed")); + setErrorAndEmit(d, QAbstractSocket::RemoteHostClosedError, + QSslSocket::tr("The TLS/SSL connection has been closed")); } return; case SSL_ERROR_SYSCALL: // some IO error @@ -1079,9 +1081,9 @@ void TlsCryptographOpenSSL::transmit() systemOrSslErrorDetected = true; { const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Error while reading: %1") - .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Error while reading: %1") + .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); } return; default: @@ -1092,9 +1094,9 @@ void TlsCryptographOpenSSL::transmit() // So this default case should never be triggered. { const ScopedBool bg(inSetAndEmitError, true); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Error while reading: %1") - .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Error while reading: %1") + .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); } break; } @@ -1196,7 +1198,7 @@ bool TlsCryptographOpenSSL::checkSslErrors() QSslSocketPrivate::pauseSocketNotifiers(q); d->setPaused(true); } else { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, sslErrors.constFirst().errorString()); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, sslErrors.constFirst().errorString()); auto *plainSocket = d->plainTcpSocket(); Q_ASSERT(plainSocket); plainSocket->disconnectFromHost(); @@ -1360,15 +1362,15 @@ bool TlsCryptographOpenSSL::initSslContext() sslContextPointer = QSslContext::sharedFromConfiguration(mode, configuration, d->isRootsOnDemandAllowed()); if (sslContextPointer->error() != QSslError::NoError) { - d->setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, sslContextPointer->errorString()); + setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError, sslContextPointer->errorString()); sslContextPointer.clear(); // deletes the QSslContext return false; } // Create and initialize SSL session if (!(ssl = sslContextPointer->createSsl())) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Error creating SSL session, %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Error creating SSL session, %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); return false; } @@ -1399,8 +1401,8 @@ bool TlsCryptographOpenSSL::initSslContext() readBio = q_BIO_new(q_BIO_s_mem()); writeBio = q_BIO_new(q_BIO_s_mem()); if (!readBio || !writeBio) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Error creating SSL session: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Error creating SSL session: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl())); if (readBio) q_BIO_free(readBio); if (writeBio) @@ -1438,13 +1440,13 @@ bool TlsCryptographOpenSSL::initSslContext() #if QT_CONFIG(ocsp) if (configuration.ocspStaplingEnabled()) { if (mode == QSslSocket::SslServerMode) { - d->setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, - QSslSocket::tr("Server-side QSslSocket does not support OCSP stapling")); + setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError, + QSslSocket::tr("Server-side QSslSocket does not support OCSP stapling")); return false; } if (q_SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp) != 1) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Failed to enable OCSP stapling")); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Failed to enable OCSP stapling")); return false; } } @@ -1463,8 +1465,8 @@ bool TlsCryptographOpenSSL::initSslContext() if (ocspResponseDer.size()) { if (mode != QSslSocket::SslServerMode) { - d->setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, - QSslSocket::tr("Client-side sockets do not send OCSP responses")); + setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError, + QSslSocket::tr("Client-side sockets do not send OCSP responses")); return false; } } diff --git a/src/network/ssl/qtls_openssl_p.h b/src/plugins/tls/openssl/qtls_openssl_p.h index 1def93831d..48c9223f99 100644 --- a/src/network/ssl/qtls_openssl_p.h +++ b/src/plugins/tls/openssl/qtls_openssl_p.h @@ -51,14 +51,15 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> #include "qtlsbackend_openssl_p.h" #include "qsslcontext_openssl_p.h" -#include "qsslcertificate.h" -#include "qocspresponse.h" #include "qopenssl_p.h" +#include <QtNetwork/qsslcertificate.h> +#include <QtNetwork/qocspresponse.h> + #include <QtCore/qsharedpointer.h> #include <QtCore/qbytearray.h> #include <QtCore/qglobal.h> diff --git a/src/network/ssl/qtlsbackend_openssl.cpp b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp index ef4aab6283..60052f3a2f 100644 --- a/src/network/ssl/qtlsbackend_openssl.cpp +++ b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp @@ -37,28 +37,28 @@ ** ****************************************************************************/ +#include "qsslsocket_openssl_symbols_p.h" #include "qtlsbackend_openssl_p.h" #include "qtlskey_openssl_p.h" #include "qx509_openssl_p.h" #include "qtls_openssl_p.h" -#include "qsslcipher_p.h" -//#include "qsslsocket_p.h" -#include "qsslcipher.h" #if QT_CONFIG(dtls) #include "qdtls_openssl_p.h" #endif // QT_CONFIG(dtls) -#include "qsslsocket_openssl_symbols_p.h" -#include "qopenssl_p.h" +#include <QtNetwork/private/qsslcipher_p.h> -#include <qssl.h> +#include <QtNetwork/qsslcipher.h> +#include <QtNetwork/qssl.h> -#include <qdir.h> -#include <qdiriterator.h> -#include <qlist.h> -#include <qmutex.h> -#include <qscopeguard.h> +#include <QtCore/qdir.h> +#include <QtCore/qdiriterator.h> +#include <QtCore/qlist.h> +#include <QtCore/qmutex.h> +#include <QtCore/qscopeguard.h> + +#include "qopenssl_p.h" #include <algorithm> @@ -335,7 +335,9 @@ QList<QSsl::ImplementedClass> QTlsBackendOpenSSL::implementedClasses() const classes << QSsl::ImplementedClass::Key; classes << QSsl::ImplementedClass::Certificate; classes << QSsl::ImplementedClass::Socket; +#if QT_CONFIG(dtls) classes << QSsl::ImplementedClass::Dtls; +#endif classes << QSsl::ImplementedClass::EllipticCurve; classes << QSsl::ImplementedClass::DiffieHellman; @@ -627,4 +629,9 @@ QSslCipher QTlsBackendOpenSSL::qt_OpenSSL_cipher_to_QSslCipher(const SSL_CIPHER return createCiphersuite(desc, bits, supportedBits); } +void QTlsBackendOpenSSL::forceAutotestSecurityLevel() +{ + QSslContext::forceAutoTestSecurityLevel(); +} + QT_END_NAMESPACE diff --git a/src/network/ssl/qtlsbackend_openssl_p.h b/src/plugins/tls/openssl/qtlsbackend_openssl_p.h index 1a02bf5bed..93b6442a59 100644 --- a/src/network/ssl/qtlsbackend_openssl_p.h +++ b/src/plugins/tls/openssl/qtlsbackend_openssl_p.h @@ -51,11 +51,12 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include "qssldiffiehellmanparameters.h" -#include "qsslcertificate.h" -#include "qtlsbackend_p.h" +#include <QtNetwork/qssldiffiehellmanparameters.h> +#include <QtNetwork/qsslcertificate.h> + +#include <QtNetwork/private/qtlsbackend_p.h> #include <QtCore/qglobal.h> #include <QtCore/qlist.h> @@ -66,6 +67,10 @@ QT_BEGIN_NAMESPACE class QTlsBackendOpenSSL final : public QTlsBackend { + Q_OBJECT + Q_PLUGIN_METADATA(IID QTlsBackend_iid) + Q_INTERFACES(QTlsBackend) + public: static QString getErrorsFromOpenSsl(); @@ -125,6 +130,8 @@ private: using DHParams = QSslDiffieHellmanParameters; int dhParametersFromDer(const QByteArray &derData, QByteArray *data) const override; int dhParametersFromPem(const QByteArray &pemData, QByteArray *data) const override; + + void forceAutotestSecurityLevel() override; }; QT_END_NAMESPACE diff --git a/src/network/ssl/qtlskey_openssl.cpp b/src/plugins/tls/openssl/qtlskey_openssl.cpp index 6d75dfd5b4..5333623d70 100644 --- a/src/network/ssl/qtlskey_openssl.cpp +++ b/src/plugins/tls/openssl/qtlskey_openssl.cpp @@ -39,10 +39,12 @@ #include "qsslsocket_openssl_symbols_p.h" #include "qtlskey_openssl_p.h" -#include "qsslsocket.h" -#include "qsslkey_p.h" -#include <qscopeguard.h> +#include <QtNetwork/private/qsslkey_p.h> + +#include <QtNetwork/qsslsocket.h> + +#include <QtCore/qscopeguard.h> QT_BEGIN_NAMESPACE diff --git a/src/network/ssl/qtlskey_openssl_p.h b/src/plugins/tls/openssl/qtlskey_openssl_p.h index 5ef51dfd56..815770112f 100644 --- a/src/network/ssl/qtlskey_openssl_p.h +++ b/src/plugins/tls/openssl/qtlskey_openssl_p.h @@ -51,11 +51,12 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include "qtlskey_base_p.h" -#include "qtlsbackend_p.h" -#include "qsslkey_p.h" +#include "../shared/qtlskey_base_p.h" + +#include <QtNetwork/private/qtlsbackend_p.h> +#include <QtNetwork/private/qsslkey_p.h> #include <QtNetwork/qssl.h> diff --git a/src/network/ssl/qwindowscarootfetcher.cpp b/src/plugins/tls/openssl/qwindowscarootfetcher.cpp index b675ac8d4e..45ecbce258 100644 --- a/src/network/ssl/qwindowscarootfetcher.cpp +++ b/src/plugins/tls/openssl/qwindowscarootfetcher.cpp @@ -38,6 +38,8 @@ ****************************************************************************/ #include "qwindowscarootfetcher_p.h" +#include "qx509_openssl_p.h" +#include "qopenssl_p.h" #include <QtCore/QThread> #include <QtGlobal> @@ -45,17 +47,10 @@ #include <QtCore/qscopeguard.h> #ifdef QSSLSOCKET_DEBUG -#include "qssl_p.h" // for debug categories +#include <QtNetwork/private/qtlsbackend_p.h> // for debug categories #include <QtCore/QElapsedTimer> #endif -#include "qsslsocket_p.h" // Transitively includes Wincrypt.h - -#if QT_CONFIG(openssl) -#include "qopenssl_p.h" -#include "qx509_openssl_p.h" -#endif - QT_BEGIN_NAMESPACE class QWindowsCaRootFetcherThread : public QThread @@ -76,11 +71,8 @@ public: Q_GLOBAL_STATIC(QWindowsCaRootFetcherThread, windowsCaRootFetcherThread); -#if QT_CONFIG(openssl) namespace { -// TLSTODO: we have to ask the currently active TLS backend about verification -// support and get a function pointer. QT_CONFIG(openssl) check is becoming useless -// as soon as we have several plugins. + const QList<QSslCertificate> buildVerifiedChain(const QList<QSslCertificate> &caCertificates, PCCERT_CHAIN_CONTEXT chainContext, const QString &peerVerifyName) @@ -134,7 +126,6 @@ const QList<QSslCertificate> buildVerifiedChain(const QList<QSslCertificate> &ca } } // unnamed namespace -#endif // QT_CONFIG(openssl) QWindowsCaRootFetcher::QWindowsCaRootFetcher(const QSslCertificate &certificate, QSslSocket::SslMode sslMode, const QList<QSslCertificate> &caCertificates, const QString &hostName) @@ -153,7 +144,7 @@ void QWindowsCaRootFetcher::start() PCCERT_CONTEXT wincert = CertCreateCertificateContext(X509_ASN_ENCODING, (const BYTE *)der.constData(), der.length()); if (!wincert) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "QWindowsCaRootFetcher failed to convert certificate to windows form"); + qCDebug(lcTlsBackend, "QWindowsCaRootFetcher failed to convert certificate to windows form"); #endif emit finished(cert, QSslCertificate()); deleteLater(); diff --git a/src/network/ssl/qwindowscarootfetcher_p.h b/src/plugins/tls/openssl/qwindowscarootfetcher_p.h index ee0d07c1e0..ed649b0936 100644 --- a/src/network/ssl/qwindowscarootfetcher_p.h +++ b/src/plugins/tls/openssl/qwindowscarootfetcher_p.h @@ -42,13 +42,13 @@ #include <QtNetwork/private/qtnetworkglobal_p.h> +#include <QtNetwork/qsslcertificate.h> +#include <QtNetwork/qsslsocket.h> + #include <QtCore/QtGlobal> #include <QtCore/QObject> -#include "qsslcertificate.h" -#include "qsslsocket.h" - -#include "qwincrypt_p.h" +#include "../shared/qwincrypt_p.h" // // W A R N I N G diff --git a/src/network/ssl/qx509_openssl.cpp b/src/plugins/tls/openssl/qx509_openssl.cpp index 6c4a83be0b..bf52c9345c 100644 --- a/src/network/ssl/qx509_openssl.cpp +++ b/src/plugins/tls/openssl/qx509_openssl.cpp @@ -37,16 +37,15 @@ ** ****************************************************************************/ +#include "qsslsocket_openssl_symbols_p.h" #include "qtlsbackend_openssl_p.h" -#include "qsslcertificate_p.h" #include "qtlskey_openssl_p.h" #include "qx509_openssl_p.h" - -#include "qsslsocket_openssl_symbols_p.h" -#include "qtlsbackend_openssl_p.h" #include "qtls_openssl_p.h" -#include "qsslsocket.h" +#include <QtNetwork/private/qsslcertificate_p.h> + +#include <QtNetwork/qsslsocket.h> #include <QtNetwork/qhostaddress.h> #include <QtCore/qvarlengtharray.h> @@ -62,10 +61,6 @@ namespace QTlsPrivate { namespace { -// TLSTODO: These helper functions below were static member-functions of -// QSslCertificatePrivate, if-defed with !QT_NO_OPENSSL, no need -// for them to be exposed this way anymore. Remove this comment when -// plugins are ready. QByteArray asn1ObjectId(ASN1_OBJECT *object) { if (!object) @@ -108,6 +103,21 @@ QMultiMap<QByteArray, QString> mapFromX509Name(X509_NAME *name) return info; } +QDateTime dateTimeFromASN1(const ASN1_TIME *aTime) +{ + QDateTime result; + tm lTime; + + if (q_ASN1_TIME_to_tm(aTime, &lTime)) { + QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday); + QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec); + result = QDateTime(resDate, resTime, Qt::UTC); + } + + return result; +} + + #define BEGINCERTSTRING "-----BEGIN CERTIFICATE-----" #define ENDCERTSTRING "-----END CERTIFICATE-----" @@ -528,11 +538,11 @@ QSslCertificate X509CertificateOpenSSL::certificateFromX509(X509 *x509) ASN1_TIME *nbef = q_X509_getm_notBefore(x509); if (nbef) - backend->notValidBefore = q_getTimeFromASN1(nbef); + backend->notValidBefore = dateTimeFromASN1(nbef); ASN1_TIME *naft = q_X509_getm_notAfter(x509); if (naft) - backend->notValidAfter = q_getTimeFromASN1(naft); + backend->notValidAfter = dateTimeFromASN1(naft); backend->null = false; backend->x509 = q_X509_dup(x509); @@ -685,7 +695,7 @@ QList<QSslError> X509CertificateOpenSSL::verify(const QList<QSslCertificate> &ca errors << QSslError(QSslError::CertificateBlacklisted, certificateChain[0]); // Check the certificate name against the hostname if one was specified - if (!hostName.isEmpty() && !QSslSocketPrivate::isMatchingHostname(certificateChain[0], hostName)) { + if (!hostName.isEmpty() && !TlsCryptograph::isMatchingHostname(certificateChain[0], hostName)) { // No matches in common names or alternate names. QSslError error(QSslError::HostNameMismatch, certificateChain[0]); errors << error; diff --git a/src/network/ssl/qx509_openssl_p.h b/src/plugins/tls/openssl/qx509_openssl_p.h index 5bc5ad63f5..19f2f7614e 100644 --- a/src/network/ssl/qx509_openssl_p.h +++ b/src/plugins/tls/openssl/qx509_openssl_p.h @@ -51,18 +51,17 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qopenssl_p.h> +#include "../shared/qx509_base_p.h" -#include <private/qtlsbackend_p.h> -#include <private/qx509_base_p.h> +#include <QtNetwork/private/qtlsbackend_p.h> #include <QtCore/qvariant.h> #include <QtCore/qglobal.h> #include <QtCore/qstring.h> -#include <openssl/x509.h> +#include "qopenssl_p.h" #include <algorithm> @@ -70,9 +69,6 @@ QT_BEGIN_NAMESPACE namespace QTlsPrivate { -// TLSTODO: This class is essentially what qsslcertificate_openssl.cpp -// contains - OpenSSL-based version of QSslCertificatePrivate. Remove -// this comment when plugins are ready. class X509CertificateOpenSSL final : public X509CertificateBase { public: @@ -94,15 +90,10 @@ public: size_t hash(size_t seed) const noexcept override; - // TLSTODO: these are needed by qsslsocket_openssl and later, by - // TLS code inside OpenSSL plugin. Remove this comment when - // plugins are ready. static QSslCertificate certificateFromX509(X509 *x); static QList<QSslCertificate> stackOfX509ToQSslCertificates(STACK_OF(X509) *x509); static QSslErrorEntry errorEntryFromStoreContext(X509_STORE_CTX *ctx); - // TLSTODO: remove this comment when plugins are in place. This is what QSslSocketPrivate::verify() - // in qsslsocket_openssl.cpp is (was) doing (in the past). static QList<QSslError> verify(const QList<QSslCertificate> &chain, const QString &hostName); static QList<QSslError> verify(const QList<QSslCertificate> &caCertificates, const QList<QSslCertificate> &certificateChain, diff --git a/src/plugins/tls/schannel/CMakeLists.txt b/src/plugins/tls/schannel/CMakeLists.txt new file mode 100644 index 0000000000..d3caca92df --- /dev/null +++ b/src/plugins/tls/schannel/CMakeLists.txt @@ -0,0 +1,30 @@ +qt_internal_add_plugin(QSchannelBackend + OUTPUT_NAME schannelbackend + CLASS_NAME QSchannelBackend + TYPE tls + DEFAULT_IF WINDOWS + SOURCES + ../shared/qtlskey_base_p.h + ../shared/qtlskey_base.cpp + ../shared/qtlskey_generic_p.h + ../shared/qtlskey_generic.cpp + ../shared/qx509_base_p.h + ../shared/qx509_base.cpp + ../shared/qx509_generic_p.h + ../shared/qx509_generic.cpp + ../shared/qsslsocket_qt.cpp + ../shared/qwincrypt_p.h + ../shared/qasn1element_p.h + ../shared/qasn1element.cpp + qtls_schannel.cpp qtls_schannel_p.h + qtlsbackend_schannel_p.h + qtlskey_schannel.cpp qtlskey_schannel_p.h + qx509_schannel.cpp qx509_schannel_p.h + LIBRARIES + Crypt32 + Secur32 + bcrypt + ncrypt + PUBLIC_LIBRARIES + Qt::NetworkPrivate +) diff --git a/src/network/ssl/qtls_schannel.cpp b/src/plugins/tls/schannel/qtls_schannel.cpp index cb4b9ce79d..83e9cb1c6c 100644 --- a/src/network/ssl/qtls_schannel.cpp +++ b/src/plugins/tls/schannel/qtls_schannel.cpp @@ -39,16 +39,18 @@ // #define QSSLSOCKET_DEBUG -#include "qssl_p.h" -#include "qsslsocket.h" -#include "qtls_schannel_p.h" -#include "qsslcertificate.h" -#include "qsslcertificateextension.h" -#include "qsslcertificate_p.h" -#include "qsslcipher_p.h" #include "qtlsbackend_schannel_p.h" #include "qtlskey_schannel_p.h" #include "qx509_schannel_p.h" +#include "qtls_schannel_p.h" + +#include <QtNetwork/private/qsslcertificate_p.h> +#include <QtNetwork/private/qsslcipher_p.h> +#include <QtNetwork/private/qssl_p.h> + +#include <QtNetwork/qsslcertificate.h> +#include <QtNetwork/qsslcertificateextension.h> +#include <QtNetwork/qsslsocket.h> #include <QtCore/qscopeguard.h> #include <QtCore/qoperatingsystemversion.h> @@ -347,8 +349,6 @@ QTlsPrivate::X509DerReaderPtr QSchannelBackend::X509DerReader() const return QTlsPrivate::X509CertificateGeneric::certificatesFromDer; } -Q_GLOBAL_STATIC(QSchannelBackend, backendSchannel) - namespace { SecBuffer createSecBuffer(void *ptr, unsigned long length, unsigned long bufferType) @@ -573,7 +573,7 @@ bool matchesContextRequirements(DWORD attributes, DWORD requirements, bool isClient) { #ifdef QSSLSOCKET_DEBUG -#define DEBUG_WARN(message) qCWarning(lcSsl, message) +#define DEBUG_WARN(message) qCWarning(lcTlsBackend, message) #else #define DEBUG_WARN(message) #endif @@ -630,8 +630,8 @@ QByteArray createAlpnString(const QByteArrayList &nextAllowedProtocols) QByteArray protocolString; for (QByteArray proto : nextAllowedProtocols) { if (proto.size() > 255) { - qCWarning(lcSsl) << "TLS ALPN extension" << proto - << "is too long and will be ignored."; + qCWarning(lcTlsBackend) << "TLS ALPN extension" << proto + << "is too long and will be ignored."; continue; } else if (proto.isEmpty()) { continue; @@ -684,7 +684,7 @@ void retainExtraData(QByteArray &buffer, const SecBuffer &secBuffer) return; #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "We got SECBUFFER_EXTRA, will retain %lu bytes", secBuffer.cbBuffer); + qCDebug(lcTlsBackend, "We got SECBUFFER_EXTRA, will retain %lu bytes", secBuffer.cbBuffer); #endif std::move(buffer.end() - secBuffer.cbBuffer, buffer.end(), buffer.begin()); buffer.resize(secBuffer.cbBuffer); @@ -694,7 +694,7 @@ qint64 checkIncompleteData(const SecBuffer &secBuffer) { if (secBuffer.BufferType == SECBUFFER_MISSING) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "Need %lu more bytes.", secBuffer.cbBuffer); + qCDebug(lcTlsBackend, "Need %lu more bytes.", secBuffer.cbBuffer); #endif return secBuffer.cbBuffer; } @@ -745,7 +745,7 @@ bool TlsCryptographSchannel::sendToken(void *token, unsigned long tokenLength, b if (written != qint64(tokenLength)) { // Failed to write/buffer everything or an error occurred if (emitError) - d->setErrorAndEmit(plainSocket->error(), plainSocket->errorString()); + setErrorAndEmit(d, plainSocket->error(), plainSocket->errorString()); return false; } return true; @@ -804,8 +804,8 @@ bool TlsCryptographSchannel::acquireCredentialsHandle() const bool isClient = d->tlsMode() == QSslSocket::SslClientMode; const DWORD protocols = toSchannelProtocol(configuration.protocol()); if (protocols == DWORD(-1)) { - d->setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, - QSslSocket::tr("Invalid protocol chosen")); + setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError, + QSslSocket::tr("Invalid protocol chosen")); return false; } @@ -842,7 +842,7 @@ bool TlsCryptographSchannel::acquireCredentialsHandle() const QString message = isClient ? QSslSocket::tr("The certificate provided cannot be used for a client.") : QSslSocket::tr("The certificate provided cannot be used for a server."); - d->setErrorAndEmit(QAbstractSocket::SocketError::SslInvalidUserDataError, message); + setErrorAndEmit(d, QAbstractSocket::SocketError::SslInvalidUserDataError, message); return false; } Q_ASSERT(chainContext->cChain == 1); @@ -931,7 +931,7 @@ bool TlsCryptographSchannel::acquireCredentialsHandle() } if (status != SEC_E_OK) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, schannelErrorToString(status)); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, schannelErrorToString(status)); return false; } return true; @@ -964,7 +964,6 @@ bool TlsCryptographSchannel::createContext() { Q_ASSERT(q); Q_ASSERT(d); - const auto &configuration = q->sslConfiguration(); Q_ASSERT(SecIsValidHandle(&credentialHandle)); Q_ASSERT(schannelState == SchannelState::InitializeHandshake); @@ -993,7 +992,7 @@ bool TlsCryptographSchannel::createContext() bool useAlpn = false; #ifdef SUPPORTS_ALPN QTlsBackend::setAlpnStatus(d, QSslConfiguration::NextProtocolNegotiationNone); - QByteArray alpnString = createAlpnString(configuration.allowedNextProtocols()); + QByteArray alpnString = createAlpnString(q->sslConfiguration().allowedNextProtocols()); useAlpn = !alpnString.isEmpty(); SecBuffer alpnBuffers[1]; alpnBuffers[0] = createSecBuffer(alpnString, SECBUFFER_APPLICATION_PROTOCOLS); @@ -1021,8 +1020,8 @@ bool TlsCryptographSchannel::createContext() // This is the first call to InitializeSecurityContext, so theoretically "CONTINUE_NEEDED" // should be the only non-error return-code here. if (status != SEC_I_CONTINUE_NEEDED) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QSslSocket::tr("Error creating SSL context (%1)").arg(schannelErrorToString(status))); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QSslSocket::tr("Error creating SSL context (%1)").arg(schannelErrorToString(status))); return false; } @@ -1036,8 +1035,9 @@ bool TlsCryptographSchannel::acceptContext() { Q_ASSERT(d); Q_ASSERT(q); - const auto &configuration = q->sslConfiguration(); + auto *plainSocket = d->plainTcpSocket(); + Q_ASSERT(plainSocket); Q_ASSERT(SecIsValidHandle(&credentialHandle)); Q_ASSERT(schannelState == SchannelState::InitializeHandshake); @@ -1058,7 +1058,7 @@ bool TlsCryptographSchannel::acceptContext() #ifdef SUPPORTS_ALPN QTlsBackend::setAlpnStatus(d, QSslConfiguration::NextProtocolNegotiationNone); // The string must be alive when we call AcceptSecurityContext - QByteArray alpnString = createAlpnString(configuration.allowedNextProtocols()); + QByteArray alpnString = createAlpnString(q->sslConfiguration().allowedNextProtocols()); if (!alpnString.isEmpty()) { inBuffers[1] = createSecBuffer(alpnString, SECBUFFER_APPLICATION_PROTOCOLS); } else @@ -1118,8 +1118,8 @@ bool TlsCryptographSchannel::acceptContext() } if (status != SEC_I_CONTINUE_NEEDED) { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QSslSocket::tr("Error creating SSL context (%1)").arg(schannelErrorToString(status))); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QSslSocket::tr("Error creating SSL context (%1)").arg(schannelErrorToString(status))); return false; } if (!sendToken(outBuffers[0].pvBuffer, outBuffers[0].cbBuffer)) @@ -1135,8 +1135,8 @@ bool TlsCryptographSchannel::performHandshake() Q_ASSERT(plainSocket); if (plainSocket->state() == QAbstractSocket::UnconnectedState) { - d->setErrorAndEmit(QAbstractSocket::RemoteHostClosedError, - QSslSocket::tr("The TLS/SSL connection has been closed")); + setErrorAndEmit(d, QAbstractSocket::RemoteHostClosedError, + QSslSocket::tr("The TLS/SSL connection has been closed")); return false; } Q_ASSERT(SecIsValidHandle(&credentialHandle)); @@ -1144,8 +1144,8 @@ bool TlsCryptographSchannel::performHandshake() Q_ASSERT(schannelState == SchannelState::PerformHandshake); #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "Bytes available from socket: %lld", plainSocket->bytesAvailable()); - qCDebug(lcSsl, "intermediateBuffer size: %d", intermediateBuffer.size()); + qCDebug(lcTlsBackend, "Bytes available from socket: %lld", plainSocket->bytesAvailable()); + qCDebug(lcTlsBackend, "intermediateBuffer size: %d", intermediateBuffer.size()); #endif if (missingData > plainSocket->bytesAvailable()) @@ -1236,8 +1236,8 @@ bool TlsCryptographSchannel::performHandshake() case SEC_I_INCOMPLETE_CREDENTIALS: // Schannel takes care of picking certificate to send (other than the one we can specify), // so if we get here then that means we don't have a certificate the server accepts. - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QSslSocket::tr("Server did not accept any certificate we could present.")); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QSslSocket::tr("Server did not accept any certificate we could present.")); return false; case SEC_I_CONTEXT_EXPIRED: // "The message sender has finished using the connection and has initiated a shutdown." @@ -1246,8 +1246,8 @@ bool TlsCryptographSchannel::performHandshake() return false; } if (!shutdown) { // we did not initiate this - d->setErrorAndEmit(QAbstractSocket::RemoteHostClosedError, - QSslSocket::tr("The TLS/SSL connection has been closed")); + setErrorAndEmit(d, QAbstractSocket::RemoteHostClosedError, + QSslSocket::tr("The TLS/SSL connection has been closed")); } return true; case SEC_E_INCOMPLETE_MESSAGE: @@ -1255,8 +1255,8 @@ bool TlsCryptographSchannel::performHandshake() missingData = checkIncompleteData(outBuffers[0]); return true; case SEC_E_ALGORITHM_MISMATCH: - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QSslSocket::tr("Algorithm mismatch")); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QSslSocket::tr("Algorithm mismatch")); shutdown = true; // skip sending the "Shutdown" alert return false; } @@ -1264,8 +1264,8 @@ bool TlsCryptographSchannel::performHandshake() // Note: We can get here if the connection is using TLS 1.2 and the server certificate uses // MD5, which is not allowed in Schannel. This causes an "invalid token" error during handshake. // (If you came here investigating an error: md5 is insecure, update your certificate) - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QSslSocket::tr("Handshake failed: %1").arg(schannelErrorToString(status))); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QSslSocket::tr("Handshake failed: %1").arg(schannelErrorToString(status))); return false; } @@ -1280,7 +1280,7 @@ bool TlsCryptographSchannel::verifyHandshake() const bool isClient = d->tlsMode() == QSslSocket::SslClientMode; #define CHECK_STATUS(status) \ if (status != SEC_E_OK) { \ - d->setErrorAndEmit(QAbstractSocket::SslInternalError, \ + setErrorAndEmit(d, QAbstractSocket::SslInternalError, \ QSslSocket::tr("Failed to query the TLS context: %1") \ .arg(schannelErrorToString(status))); \ return false; \ @@ -1289,8 +1289,8 @@ bool TlsCryptographSchannel::verifyHandshake() // Everything is set up, now make sure there's nothing wrong and query some attributes... if (!matchesContextRequirements(contextAttributes, getContextRequirements(), configuration.peerVerifyMode(), isClient)) { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QSslSocket::tr("Did not get the required attributes for the connection.")); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QSslSocket::tr("Did not get the required attributes for the connection.")); return false; } @@ -1318,7 +1318,7 @@ bool TlsCryptographSchannel::verifyHandshake() QByteArray negotiatedProto = QByteArray((const char *)alpn.ProtocolId, alpn.ProtocolIdSize); if (!allowedProtos.contains(negotiatedProto)) { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, QSslSocket::tr("Unwanted protocol was negotiated")); return false; } @@ -1353,8 +1353,8 @@ bool TlsCryptographSchannel::verifyHandshake() && configuration.peerVerifyMode() != QSslSocket::PeerVerifyMode::QueryPeer)) { if (status != SEC_E_OK) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl) << "Couldn't retrieve peer certificate, status:" - << schannelErrorToString(status); + qCDebug(lcTlsBackend) << "Couldn't retrieve peer certificate, status:" + << schannelErrorToString(status); #endif const QSslError error{ QSslError::NoPeerCertificate }; sslErrors += error; @@ -1370,7 +1370,7 @@ bool TlsCryptographSchannel::verifyHandshake() if (!checkSslErrors() || q->state() != QAbstractSocket::ConnectedState) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl) << __func__ << "was unsuccessful. Paused:" << paused; + qCDebug(lcTlsBackend) << __func__ << "was unsuccessful. Paused:" << paused; #endif // If we're paused then checkSslErrors returned false, but it's not an error return d->isPaused() && q->state() == QAbstractSocket::ConnectedState; @@ -1437,7 +1437,7 @@ bool TlsCryptographSchannel::renegotiate() schannelState = SchannelState::PerformHandshake; return true; } - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, QSslSocket::tr("Renegotiation was unsuccessful: %1").arg(schannelErrorToString(status))); return false; } @@ -1541,7 +1541,7 @@ void TlsCryptographSchannel::transmit() }; auto status = EncryptMessage(&contextHandle, 0, &message, 0); if (status != SEC_E_OK) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, + setErrorAndEmit(d, QAbstractSocket::SslInternalError, QSslSocket::tr("Schannel failed to encrypt data: %1") .arg(schannelErrorToString(status))); return; @@ -1553,12 +1553,12 @@ void TlsCryptographSchannel::transmit() fullMessage.resize(inputBuffers[0].cbBuffer + inputBuffers[1].cbBuffer + inputBuffers[2].cbBuffer); const qint64 bytesWritten = plainSocket->write(fullMessage); #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "Wrote %lld of total %d bytes", bytesWritten, fullMessage.length()); + qCDebug(lcTlsBackend, "Wrote %lld of total %d bytes", bytesWritten, fullMessage.length()); #endif if (bytesWritten >= 0) { totalBytesWritten += bytesWritten; } else { - d->setErrorAndEmit(plainSocket->error(), plainSocket->errorString()); + setErrorAndEmit(d, plainSocket->error(), plainSocket->errorString()); return; } } @@ -1583,7 +1583,7 @@ void TlsCryptographSchannel::transmit() if (missingData > plainSocket->bytesAvailable() && (!readBufferMaxSize || readBufferMaxSize >= missingData)) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "We're still missing %lld bytes, will check later.", missingData); + qCDebug(lcTlsBackend, "We're still missing %lld bytes, will check later.", missingData); #endif break; } @@ -1591,18 +1591,18 @@ void TlsCryptographSchannel::transmit() missingData = 0; const qint64 bytesRead = readToBuffer(intermediateBuffer, plainSocket); #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "Read %lld encrypted bytes from the socket", bytesRead); + qCDebug(lcTlsBackend, "Read %lld encrypted bytes from the socket", bytesRead); #endif if (intermediateBuffer.length() == 0 || (hadIncompleteData && bytesRead == 0)) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, (hadIncompleteData ? "No new data received, leaving loop!" - : "Nothing to decrypt, leaving loop!")); + qCDebug(lcTlsBackend, (hadIncompleteData ? "No new data received, leaving loop!" + : "Nothing to decrypt, leaving loop!")); #endif break; } hadIncompleteData = false; #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "Total amount of bytes to decrypt: %d", intermediateBuffer.length()); + qCDebug(lcTlsBackend, "Total amount of bytes to decrypt: %d", intermediateBuffer.length()); #endif SecBuffer dataBuffer[4]{ @@ -1627,7 +1627,7 @@ void TlsCryptographSchannel::transmit() dataBuffer[1].cbBuffer); totalRead += dataBuffer[1].cbBuffer; #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "Decrypted %lu bytes. New read buffer size: %d", + qCDebug(lcTlsBackend, "Decrypted %lu bytes. New read buffer size: %d", dataBuffer[1].cbBuffer, buffer.size()); #endif } @@ -1644,22 +1644,22 @@ void TlsCryptographSchannel::transmit() if (status == SEC_E_INCOMPLETE_MESSAGE) { missingData = checkIncompleteData(dataBuffer[0]); #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "We didn't have enough data to decrypt anything, will try again!"); + qCDebug(lcTlsBackend, "We didn't have enough data to decrypt anything, will try again!"); #endif // We try again, but if we don't get any more data then we leave hadIncompleteData = true; } else if (status == SEC_E_INVALID_HANDLE) { // I don't think this should happen, if it does we're done... - qCWarning(lcSsl, "The internal SSPI handle is invalid!"); + qCWarning(lcTlsBackend, "The internal SSPI handle is invalid!"); Q_UNREACHABLE(); } else if (status == SEC_E_INVALID_TOKEN) { - qCWarning(lcSsl, "Got SEC_E_INVALID_TOKEN!"); + qCWarning(lcTlsBackend, "Got SEC_E_INVALID_TOKEN!"); Q_UNREACHABLE(); // Happened once due to a bug, but shouldn't generally happen(?) } else if (status == SEC_E_MESSAGE_ALTERED) { // The message has been altered, disconnect now. shutdown = true; // skips sending the shutdown alert disconnectFromHost(); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, + setErrorAndEmit(d, QAbstractSocket::SslInternalError, schannelErrorToString(status)); break; } else if (status == SEC_E_OUT_OF_SEQUENCE) { @@ -1668,19 +1668,19 @@ void TlsCryptographSchannel::transmit() // while SEC_E_MESSAGE_ALTERED is for stream-oriented ones (what we use). shutdown = true; // skips sending the shutdown alert disconnectFromHost(); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, + setErrorAndEmit(d, QAbstractSocket::SslInternalError, schannelErrorToString(status)); break; } else if (status == SEC_I_CONTEXT_EXPIRED) { // 'remote' has initiated a shutdown disconnectFromHost(); - d->setErrorAndEmit(QAbstractSocket::RemoteHostClosedError, + setErrorAndEmit(d, QAbstractSocket::RemoteHostClosedError, schannelErrorToString(status)); break; } else if (status == SEC_I_RENEGOTIATE) { // 'remote' wants to renegotiate #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl, "The peer wants to renegotiate."); + qCDebug(lcTlsBackend, "The peer wants to renegotiate."); #endif schannelState = SchannelState::Renegotiate; renegotiating = true; @@ -1716,7 +1716,7 @@ void TlsCryptographSchannel::sendShutdown() if (status != SEC_E_OK) { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl) << "Failed to apply shutdown control token:" << schannelErrorToString(status); + qCDebug(lcTlsBackend) << "Failed to apply shutdown control token:" << schannelErrorToString(status); #endif return; } @@ -1774,7 +1774,7 @@ void TlsCryptographSchannel::sendShutdown() } } else { #ifdef QSSLSOCKET_DEBUG - qCDebug(lcSsl) << "Failed to initialize shutdown:" << schannelErrorToString(status); + qCDebug(lcTlsBackend) << "Failed to initialize shutdown:" << schannelErrorToString(status); #endif } } @@ -1929,7 +1929,7 @@ bool TlsCryptographSchannel::checkSslErrors() QSslSocketPrivate::pauseSocketNotifiers(q); d->setPaused(true); } else { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, sslErrors.constFirst().errorString()); plainSocket->disconnectFromHost(); } @@ -1960,7 +1960,7 @@ void TlsCryptographSchannel::initializeCertificateStores() if (!configuration.localCertificateChain().isEmpty()) { if (configuration.privateKey().isNull()) { - d->setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, + setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError, QSslSocket::tr("Cannot provide a certificate with no key")); return; } @@ -1968,7 +1968,7 @@ void TlsCryptographSchannel::initializeCertificateStores() localCertificateStore = createStoreFromCertificateChain(configuration.localCertificateChain(), configuration.privateKey()); if (localCertificateStore == nullptr) - qCWarning(lcSsl, "Failed to load certificate chain!"); + qCWarning(lcTlsBackend, "Failed to load certificate chain!"); } } @@ -1995,7 +1995,7 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext) nullptr)); if (!tempCertCollection) { #ifdef QSSLSOCKET_DEBUG - qCWarning(lcSsl, "Failed to create certificate store collection!"); + qCWarning(lcTlsBackend, "Failed to create certificate store collection!"); #endif return false; } @@ -2008,12 +2008,12 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext) auto rootStore = QHCertStorePointer(CertOpenSystemStore(0, L"ROOT")); if (!rootStore) { #ifdef QSSLSOCKET_DEBUG - qCWarning(lcSsl, "Failed to open the system root CA certificate store!"); + qCWarning(lcTlsBackend, "Failed to open the system root CA certificate store!"); #endif return false; } else if (!CertAddStoreToCollection(tempCertCollection.get(), rootStore.get(), 0, 1)) { #ifdef QSSLSOCKET_DEBUG - qCWarning(lcSsl, "Failed to add the system root CA certificate store to the certificate store collection!"); + qCWarning(lcTlsBackend, "Failed to add the system root CA certificate store to the certificate store collection!"); #endif return false; } @@ -2021,7 +2021,7 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext) if (caCertificateStore) { if (!CertAddStoreToCollection(tempCertCollection.get(), caCertificateStore.get(), 0, 1)) { #ifdef QSSLSOCKET_DEBUG - qCWarning(lcSsl, "Failed to add the user's CA certificate store to the certificate store collection!"); + qCWarning(lcTlsBackend, "Failed to add the user's CA certificate store to the certificate store collection!"); #endif return false; } @@ -2029,7 +2029,7 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext) if (!CertAddStoreToCollection(tempCertCollection.get(), certContext->hCertStore, 0, 0)) { #ifdef QSSLSOCKET_DEBUG - qCWarning(lcSsl, "Failed to add certificate's origin store to the certificate store collection!"); + qCWarning(lcTlsBackend, "Failed to add certificate's origin store to the certificate store collection!"); #endif return false; } @@ -2311,12 +2311,4 @@ bool TlsCryptographSchannel::rootCertOnDemandLoadingAllowed() } // namespace QTlsPrivate -void QSslSocketPrivate::registerAdHocFactory() -{ - // TLSTODO: this is a temporary solution, waiting for - // backends to move to ... plugins. - if (!backendSchannel()) - qCWarning(lcTlsBackend, "Failed to create backend factory"); -} - QT_END_NAMESPACE diff --git a/src/network/ssl/qtls_schannel_p.h b/src/plugins/tls/schannel/qtls_schannel_p.h index e4ac15206c..08ba80c543 100644 --- a/src/network/ssl/qtls_schannel_p.h +++ b/src/plugins/tls/schannel/qtls_schannel_p.h @@ -55,12 +55,11 @@ QT_REQUIRE_CONFIG(schannel); -#include <QtCore/qt_windows.h> +#include "../shared/qwincrypt_p.h" #include "qtlsbackend_schannel_p.h" -#include "qsslsocket_p.h" -#include "qwincrypt_p.h" +#include <QtNetwork/private/qsslsocket_p.h> #define SECURITY_WIN32 #define SCHANNEL_USE_BLACKLISTS 1 diff --git a/src/network/ssl/qtlsbackend_schannel_p.h b/src/plugins/tls/schannel/qtlsbackend_schannel_p.h index ca1cb9e621..e53cf17f13 100644 --- a/src/network/ssl/qtlsbackend_schannel_p.h +++ b/src/plugins/tls/schannel/qtlsbackend_schannel_p.h @@ -53,7 +53,7 @@ #include <private/qtnetworkglobal_p.h> -#include "qtlsbackend_p.h" +#include <QtNetwork/private/qtlsbackend_p.h> #include <QtCore/qglobal.h> @@ -62,6 +62,10 @@ QT_BEGIN_NAMESPACE class QSchannelBackend : public QTlsBackend { + Q_OBJECT + Q_PLUGIN_METADATA(IID QTlsBackend_iid) + Q_INTERFACES(QTlsBackend) + public: static void ensureInitializedImplementation(); diff --git a/src/network/ssl/qtlskey_schannel.cpp b/src/plugins/tls/schannel/qtlskey_schannel.cpp index e788eac03a..e407da2ed3 100644 --- a/src/network/ssl/qtlskey_schannel.cpp +++ b/src/plugins/tls/schannel/qtlskey_schannel.cpp @@ -37,18 +37,20 @@ ** ****************************************************************************/ -#include "qssl_p.h" +#include <QtNetwork/private/qssl_p.h> + #include "qtlskey_schannel_p.h" -#include "qtlsbackend_p.h" -#include "qsslkey_p.h" -#include "qsslkey.h" + +#include "../shared/qwincrypt_p.h" + +#include <QtNetwork/private/qtlsbackend_p.h> +#include <QtNetwork/private/qsslkey_p.h> + +#include <QtNetwork/qsslkey.h> #include <QtCore/qscopeguard.h> #include <QtCore/qbytearray.h> -#include <QtCore/qt_windows.h> -#include <wincrypt.h> - QT_BEGIN_NAMESPACE namespace { diff --git a/src/network/ssl/qtlskey_schannel_p.h b/src/plugins/tls/schannel/qtlskey_schannel_p.h index 72747e7fa6..53c3b447ce 100644 --- a/src/network/ssl/qtlskey_schannel_p.h +++ b/src/plugins/tls/schannel/qtlskey_schannel_p.h @@ -51,9 +51,9 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qtlskey_generic_p.h> +#include "../shared/qtlskey_generic_p.h" #include <QtCore/qglobal.h> diff --git a/src/network/ssl/qx509_schannel.cpp b/src/plugins/tls/schannel/qx509_schannel.cpp index a7371e0d97..01a21c69f5 100644 --- a/src/network/ssl/qx509_schannel.cpp +++ b/src/plugins/tls/schannel/qx509_schannel.cpp @@ -38,9 +38,10 @@ ****************************************************************************/ #include "qtlskey_schannel_p.h" -#include "qsslcertificate_p.h" #include "qx509_schannel_p.h" +#include <QtNetwork/private/qsslcertificate_p.h> + #include <memory> QT_BEGIN_NAMESPACE diff --git a/src/network/ssl/qx509_schannel_p.h b/src/plugins/tls/schannel/qx509_schannel_p.h index 3b5d567c7b..bf39229e96 100644 --- a/src/network/ssl/qx509_schannel_p.h +++ b/src/plugins/tls/schannel/qx509_schannel_p.h @@ -51,15 +51,13 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qx509_generic_p.h> +#include "../shared/qx509_generic_p.h" +#include "../shared/qwincrypt_p.h" #include <QtCore/qglobal.h> -#include <QtCore/qt_windows.h> -#include <wincrypt.h> - QT_BEGIN_NAMESPACE namespace QTlsPrivate { diff --git a/src/plugins/tls/securetransport/CMakeLists.txt b/src/plugins/tls/securetransport/CMakeLists.txt new file mode 100644 index 0000000000..db9101f43c --- /dev/null +++ b/src/plugins/tls/securetransport/CMakeLists.txt @@ -0,0 +1,33 @@ +qt_internal_add_plugin(QSecureTransportBackend + OUTPUT_NAME securetransportbackend + CLASS_NAME QSecureTransportBackend + TYPE tls + DEFAULT_IF APPLE + SOURCES + ../shared/qsslsocket_mac_shared.cpp + ../shared/qtlskey_generic_p.h + ../shared/qtlskey_generic.cpp + ../shared/qx509_base_p.h + ../shared/qx509_base.cpp + ../shared/qx509_generic_p.h + ../shared/qx509_generic.cpp + ../shared/qtlskey_base_p.h + ../shared/qtlskey_base.cpp + ../shared/qsslsocket_qt.cpp + ../shared/qasn1element_p.h + ../shared/qasn1element.cpp + qtlsbackend_st.cpp + qtlsbackend_st_p.h + qx509_st.cpp + qtlskey_st.cpp + qtlskey_st_p.h + qx509_st_p.h + qtls_st.cpp + qtls_st_p.h + PUBLIC_LIBRARIES + Qt::NetworkPrivate + Qt::CorePrivate + LIBRARIES + ${FWCoreFoundation} + ${FWSecurity} +) diff --git a/src/network/ssl/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp index e4f5c71c02..306f184f25 100644 --- a/src/network/ssl/qtls_st.cpp +++ b/src/plugins/tls/securetransport/qtls_st.cpp @@ -38,16 +38,17 @@ ** ****************************************************************************/ -#include "qsslsocket.h" - -#include "qssl_p.h" #include "qtls_st_p.h" -#include "qasn1element_p.h" -#include "qsslcertificate_p.h" #include "qtlsbackend_st_p.h" -#include "qsslcipher_p.h" #include "qtlskey_st_p.h" -#include "qsslkey_p.h" + +#include <QtNetwork/private/qssl_p.h> + +#include <QtNetwork/private/qsslcertificate_p.h> +#include <QtNetwork/private/qsslcipher_p.h> +#include <QtNetwork/private/qsslkey_p.h> + +#include <QtNetwork/qsslsocket.h> #include <QtCore/qmessageauthenticationcode.h> #include <QtCore/qoperatingsystemversion.h> @@ -75,8 +76,6 @@ QT_BEGIN_NAMESPACE -Q_GLOBAL_STATIC(QSecureTransportBackend, backendSecureTransport) - // Defined in qsslsocket_qt.cpp. QByteArray _q_makePkcs12(const QList<QSslCertificate> &certs, const QSslKey &key, const QString &passPhrase); @@ -205,7 +204,7 @@ SSLContextRef qt_createSecureTransportContext(QSslSocket::SslMode mode) // We never use kSSLDatagramType, so it's kSSLStreamType unconditionally. SSLContextRef context = SSLCreateContext(nullptr, side, kSSLStreamType); if (!context) - qCWarning(lcSsl) << "SSLCreateContext failed"; + qCWarning(lcTlsBackend) << "SSLCreateContext failed"; return context; } @@ -457,9 +456,9 @@ void TlsCryptographSecureTransport::startClientEncryption() if (!initSslContext()) { Q_ASSERT(d); // Error description/code were set, 'error' emitted - // by initSslContext, but OpenSSL socket also sets error + // by initSslContext, but OpenSSL socket also sets error, // emits a signal twice, so ... - d->setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("Unable to init SSL Context")); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, QStringLiteral("Unable to init SSL Context")); return; } @@ -472,7 +471,7 @@ void TlsCryptographSecureTransport::startServerEncryption() // Error description/code were set, 'error' emitted // by initSslContext, but OpenSSL socket also sets error // emits a signal twice, so ... - d->setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("Unable to init SSL Context")); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, QStringLiteral("Unable to init SSL Context")); return; } @@ -503,8 +502,8 @@ void TlsCryptographSecureTransport::transmit() qCDebug(lcTlsBackend) << d->plainTcpSocket() << "SSLWrite returned" << err; #endif if (err != errSecSuccess && err != errSSLWouldBlock) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QStringLiteral("SSLWrite failed: %1").arg(err)); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QStringLiteral("SSLWrite failed: %1").arg(err)); break; } @@ -542,12 +541,12 @@ void TlsCryptographSecureTransport::transmit() #endif if (err == errSSLClosedGraceful) { shutdown = true; // the other side shut down, make sure we do not send shutdown ourselves - d->setErrorAndEmit(QAbstractSocket::RemoteHostClosedError, - QSslSocket::tr("The TLS/SSL connection has been closed")); + setErrorAndEmit(d, QAbstractSocket::RemoteHostClosedError, + QSslSocket::tr("The TLS/SSL connection has been closed")); break; } else if (err != errSecSuccess && err != errSSLWouldBlock) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QStringLiteral("SSLRead failed: %1").arg(err)); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QStringLiteral("SSLRead failed: %1").arg(err)); break; } @@ -662,7 +661,7 @@ bool TlsCryptographSecureTransport::initSslContext() context.reset(qt_createSecureTransportContext(mode)); if (!context) { - d->setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("SSLCreateContext failed")); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, QStringLiteral("SSLCreateContext failed")); return false; } @@ -671,8 +670,8 @@ bool TlsCryptographSecureTransport::initSslContext() reinterpret_cast<SSLWriteFunc>(&TlsCryptographSecureTransport::WriteCallback)); if (err != errSecSuccess) { destroySslContext(); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QStringLiteral("SSLSetIOFuncs failed: %1").arg(err)); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QStringLiteral("SSLSetIOFuncs failed: %1").arg(err)); return false; } @@ -685,14 +684,14 @@ bool TlsCryptographSecureTransport::initSslContext() QAbstractSocket::SocketError errorCode = QAbstractSocket::UnknownSocketError; if (!setSessionCertificate(errorDescription, errorCode)) { destroySslContext(); - d->setErrorAndEmit(errorCode, errorDescription); + setErrorAndEmit(d, errorCode, errorDescription); return false; } } if (!setSessionProtocol()) { destroySslContext(); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("Failed to set protocol version")); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, QStringLiteral("Failed to set protocol version")); return false; } @@ -742,8 +741,8 @@ bool TlsCryptographSecureTransport::initSslContext() if (err != errSecSuccess) { destroySslContext(); - d->setErrorAndEmit(QSslSocket::SslInternalError, - QStringLiteral("SSLSetSessionOption failed: %1").arg(err)); + setErrorAndEmit(d, QSslSocket::SslInternalError, + QStringLiteral("SSLSetSessionOption failed: %1").arg(err)); return false; } // @@ -759,8 +758,8 @@ bool TlsCryptographSecureTransport::initSslContext() if (err != errSecSuccess) { destroySslContext(); - d->setErrorAndEmit(QAbstractSocket::SslInternalError, - QStringLiteral("failed to set SSL context option in server mode: %1").arg(err)); + setErrorAndEmit(d, QAbstractSocket::SslInternalError, + QStringLiteral("failed to set SSL context option in server mode: %1").arg(err)); return false; } } @@ -1033,8 +1032,8 @@ bool TlsCryptographSecureTransport::verifyPeerTrust() // !trust - SSLCopyPeerTrust can return errSecSuccess but null trust. if (err != errSecSuccess || !trust) { if (!canIgnoreVerify) { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QStringLiteral("Failed to obtain peer trust: %1").arg(err)); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QStringLiteral("Failed to obtain peer trust: %1").arg(err)); plainSocket->disconnectFromHost(); return false; } else { @@ -1055,8 +1054,8 @@ bool TlsCryptographSecureTransport::verifyPeerTrust() if (err != errSecSuccess) { // We can not ignore this, it's not even about trust verification // probably ... - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QStringLiteral("SecTrustEvaluate failed: %1").arg(err)); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QStringLiteral("SecTrustEvaluate failed: %1").arg(err)); plainSocket->disconnectFromHost(); return false; } @@ -1214,8 +1213,8 @@ bool TlsCryptographSecureTransport::checkSslErrors() QSslSocketPrivate::pauseSocketNotifiers(q); d->setPaused(true); } else { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - sslErrors.constFirst().errorString()); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + sslErrors.constFirst().errorString()); Q_ASSERT(d->plainTcpSocket()); d->plainTcpSocket()->disconnectFromHost(); } @@ -1258,7 +1257,7 @@ bool TlsCryptographSecureTransport::startHandshake() // setSessionCertificate does not fail if we have no certificate. // Failure means a real error (invalid certificate, no private key, etc). if (!setSessionCertificate(errorDescription, errorCode)) { - d->setErrorAndEmit(errorCode, errorDescription); + setErrorAndEmit(d, errorCode, errorDescription); renegotiating = false; return false; } else { @@ -1275,8 +1274,8 @@ bool TlsCryptographSecureTransport::startHandshake() } renegotiating = false; - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - QStringLiteral("SSLHandshake failed: %1").arg(err)); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, + QStringLiteral("SSLHandshake failed: %1").arg(err)); plainSocket->disconnectFromHost(); return false; } @@ -1291,7 +1290,7 @@ bool TlsCryptographSecureTransport::startHandshake() // check protocol version ourselves, as Secure Transport does not enforce // the requested min / max versions. if (!verifySessionProtocol()) { - d->setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, QStringLiteral("Protocol version mismatch")); + setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, QStringLiteral("Protocol version mismatch")); plainSocket->disconnectFromHost(); renegotiating = false; return false; @@ -1320,12 +1319,4 @@ QList<QSslError> TlsCryptographSecureTransport::tlsErrors() const } // namespace QTlsPrivate -void QSslSocketPrivate::registerAdHocFactory() -{ - // TLSTODO: this is a temporary solution, waiting for - // backends to move to ... plugins. - if (!backendSecureTransport()) - qCWarning(lcTlsBackend, "Failed to create backend factory"); -} - QT_END_NAMESPACE diff --git a/src/network/ssl/qtls_st_p.h b/src/plugins/tls/securetransport/qtls_st_p.h index 42c0ad622f..3dad24f348 100644 --- a/src/network/ssl/qtls_st_p.h +++ b/src/plugins/tls/securetransport/qtls_st_p.h @@ -60,8 +60,8 @@ #include <QtCore/qglobal.h> #include <QtCore/qlist.h> -#include "qabstractsocket.h" -#include "qsslsocket_p.h" +#include <QtNetwork/qabstractsocket.h> +#include <QtNetwork/private/qsslsocket_p.h> #include <Security/Security.h> #include <Security/SecureTransport.h> diff --git a/src/network/ssl/qtlsbackend_st.cpp b/src/plugins/tls/securetransport/qtlsbackend_st.cpp index 7fc7692350..7fc7692350 100644 --- a/src/network/ssl/qtlsbackend_st.cpp +++ b/src/plugins/tls/securetransport/qtlsbackend_st.cpp diff --git a/src/network/ssl/qtlsbackend_st_p.h b/src/plugins/tls/securetransport/qtlsbackend_st_p.h index b0f3050674..ebce859db3 100644 --- a/src/network/ssl/qtlsbackend_st_p.h +++ b/src/plugins/tls/securetransport/qtlsbackend_st_p.h @@ -51,9 +51,9 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include "qtlsbackend_p.h" +#include <QtNetwork/private/qtlsbackend_p.h> #include <QtCore/qglobal.h> @@ -62,6 +62,10 @@ QT_BEGIN_NAMESPACE class QSecureTransportBackend : public QTlsBackend { + Q_OBJECT + Q_PLUGIN_METADATA(IID QTlsBackend_iid) + Q_INTERFACES(QTlsBackend) + private: QString tlsLibraryVersionString() const override; diff --git a/src/network/ssl/qtlskey_st.cpp b/src/plugins/tls/securetransport/qtlskey_st.cpp index c551729c24..85f86c7bf8 100644 --- a/src/network/ssl/qtlskey_st.cpp +++ b/src/plugins/tls/securetransport/qtlskey_st.cpp @@ -39,9 +39,10 @@ ****************************************************************************/ #include "qtlskey_st_p.h" -#include "qsslkey_p.h" -#include <qbytearray.h> +#include <QtNetwork/private/qsslkey_p.h> + +#include <QtCore/qbytearray.h> #include <CommonCrypto/CommonCrypto.h> diff --git a/src/network/ssl/qtlskey_st_p.h b/src/plugins/tls/securetransport/qtlskey_st_p.h index 7088daf39a..c9dcc4e3ec 100644 --- a/src/network/ssl/qtlskey_st_p.h +++ b/src/plugins/tls/securetransport/qtlskey_st_p.h @@ -51,9 +51,9 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qtlskey_generic_p.h> +#include "../shared/qtlskey_generic_p.h" #include <QtCore/qglobal.h> diff --git a/src/network/ssl/qx509_st.cpp b/src/plugins/tls/securetransport/qx509_st.cpp index 737b15cef8..737b15cef8 100644 --- a/src/network/ssl/qx509_st.cpp +++ b/src/plugins/tls/securetransport/qx509_st.cpp diff --git a/src/network/ssl/qx509_st_p.h b/src/plugins/tls/securetransport/qx509_st_p.h index 8c3969442c..5e5b42e791 100644 --- a/src/network/ssl/qx509_st_p.h +++ b/src/plugins/tls/securetransport/qx509_st_p.h @@ -51,9 +51,9 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qx509_generic_p.h> +#include "../shared/qx509_generic_p.h" #include <QtCore/qglobal.h> diff --git a/src/network/ssl/qasn1element.cpp b/src/plugins/tls/shared/qasn1element.cpp index 3df76c3774..3df76c3774 100644 --- a/src/network/ssl/qasn1element.cpp +++ b/src/plugins/tls/shared/qasn1element.cpp diff --git a/src/network/ssl/qasn1element_p.h b/src/plugins/tls/shared/qasn1element_p.h index 48fe45c9a5..ac74937802 100644 --- a/src/network/ssl/qasn1element_p.h +++ b/src/plugins/tls/shared/qasn1element_p.h @@ -115,7 +115,7 @@ QT_BEGIN_NAMESPACE #define AES192_CBC_ENCRYPTION_OID QByteArrayLiteral(AES_OID "22") // Not (yet) implemented #define AES256_CBC_ENCRYPTION_OID QByteArrayLiteral(AES_OID "42") // Not (yet) implemented -class Q_AUTOTEST_EXPORT QAsn1Element +class QAsn1Element { public: enum ElementType { diff --git a/src/network/ssl/qdtls_base.cpp b/src/plugins/tls/shared/qdtls_base.cpp index 6a5979eb9e..6a5979eb9e 100644 --- a/src/network/ssl/qdtls_base.cpp +++ b/src/plugins/tls/shared/qdtls_base.cpp diff --git a/src/network/ssl/qdtls_base_p.h b/src/plugins/tls/shared/qdtls_base_p.h index df35f514a2..ca3db50c84 100644 --- a/src/network/ssl/qdtls_base_p.h +++ b/src/plugins/tls/shared/qdtls_base_p.h @@ -51,15 +51,16 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> QT_REQUIRE_CONFIG(dtls); -#include "qsslconfiguration.h" -#include "qtlsbackend_p.h" -#include "qsslcipher.h" -#include "qsslsocket.h" -#include "qssl.h" +#include <QtNetwork/private/qtlsbackend_p.h> + +#include <QtNetwork/qsslconfiguration.h> +#include <QtNetwork/qsslcipher.h> +#include <QtNetwork/qsslsocket.h> +#include <QtNetwork/qssl.h> #include <QtNetwork/qhostaddress.h> diff --git a/src/network/ssl/qsslsocket_mac_shared.cpp b/src/plugins/tls/shared/qsslsocket_mac_shared.cpp index 837ac4a4f6..b808c9e83b 100644 --- a/src/network/ssl/qsslsocket_mac_shared.cpp +++ b/src/plugins/tls/shared/qsslsocket_mac_shared.cpp @@ -38,17 +38,17 @@ ** ****************************************************************************/ -#include "qsslcertificate.h" +#include <QtNetwork/private/qtlsbackend_p.h> -#include <QtCore/qglobal.h> +#include <QtNetwork/qsslcertificate.h> -#ifdef Q_OS_MACOS +#include <QtCore/qglobal.h> +#include <QtCore/qdebug.h> -#include "qtlsbackend_p.h" -#include <private/qcore_mac_p.h> +#ifdef Q_OS_MACOS -#include <QtCore/qdebug.h> +#include <QtCore/private/qcore_mac_p.h> #include <CoreFoundation/CFArray.h> #include <Security/Security.h> @@ -57,6 +57,8 @@ QT_BEGIN_NAMESPACE +Q_DECLARE_LOGGING_CATEGORY(lcTlsBackend) + #ifdef Q_OS_MACOS namespace { @@ -132,7 +134,7 @@ QList<QSslCertificate> systemCaCertificates() QCFType<CFDataRef> derData = SecCertificateCopyData(cfCert); if (isCaCertificateTrusted(cfCert, dom)) { if (derData == nullptr) { - qCWarning(lcSsl, "Error retrieving a CA certificate from the system store"); + qCWarning(lcTlsBackend, "Error retrieving a CA certificate from the system store"); } else { systemCerts << QSslCertificate(QByteArray::fromCFData(derData), QSsl::Der); } diff --git a/src/network/ssl/qsslsocket_qt.cpp b/src/plugins/tls/shared/qsslsocket_qt.cpp index 13bbb76367..128459ea19 100644 --- a/src/network/ssl/qsslsocket_qt.cpp +++ b/src/plugins/tls/shared/qsslsocket_qt.cpp @@ -36,14 +36,16 @@ ** $QT_END_LICENSE$ ** ****************************************************************************/ + +#include "qasn1element_p.h" + #include <QtCore/qbytearray.h> #include <QtCore/qdatastream.h> #include <QtCore/qmessageauthenticationcode.h> #include <QtCore/qrandom.h> -#include "qsslsocket_p.h" -#include "qasn1element_p.h" -#include "qsslkey_p.h" +#include <QtNetwork/private/qsslsocket_p.h> +#include <QtNetwork/private/qsslkey_p.h> QT_BEGIN_NAMESPACE diff --git a/src/network/ssl/qtlskey_base.cpp b/src/plugins/tls/shared/qtlskey_base.cpp index 13ce063f30..13ce063f30 100644 --- a/src/network/ssl/qtlskey_base.cpp +++ b/src/plugins/tls/shared/qtlskey_base.cpp diff --git a/src/network/ssl/qtlskey_base_p.h b/src/plugins/tls/shared/qtlskey_base_p.h index 6befed876c..61bd67119b 100644 --- a/src/network/ssl/qtlskey_base_p.h +++ b/src/plugins/tls/shared/qtlskey_base_p.h @@ -51,11 +51,11 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qtlsbackend_p.h> +#include <QtNetwork/private/qtlsbackend_p.h> -#include <qssl.h> +#include <QtNetwork/qssl.h> #include <QtCore/qglobal.h> @@ -63,8 +63,6 @@ QT_BEGIN_NAMESPACE namespace QTlsPrivate { -// TLSTODO: Note, 'base' is supposed to move to plugins together with -// 'generic' and 'backendXXX'. class TlsKeyBase : public TlsKey { public: @@ -97,9 +95,7 @@ protected: static QByteArray pkcs8Header(bool encrypted); static QByteArray pkcs8Footer(bool encrypted); static bool isEncryptedPkcs8(const QByteArray &der); -public: - // TLSTODO: this public is quick fix needed by old _openssl classes - // will become non-public as soon as those classes fixed. + bool keyIsNull = true; KeyType keyType = QSsl::PublicKey; KeyAlgorithm keyAlgorithm = QSsl::Opaque; diff --git a/src/network/ssl/qtlskey_generic.cpp b/src/plugins/tls/shared/qtlskey_generic.cpp index b0ab0bfa96..b9eaf3c1f6 100644 --- a/src/network/ssl/qtlskey_generic.cpp +++ b/src/plugins/tls/shared/qtlskey_generic.cpp @@ -40,7 +40,8 @@ #include "qtlskey_generic_p.h" #include "qasn1element_p.h" -#include "qsslkey_p.h" + +#include <QtNetwork/private/qsslkey_p.h> #include <QtNetwork/qpassworddigestor.h> diff --git a/src/network/ssl/qtlskey_generic_p.h b/src/plugins/tls/shared/qtlskey_generic_p.h index 4c409f5f51..beb3d410a6 100644 --- a/src/network/ssl/qtlskey_generic_p.h +++ b/src/plugins/tls/shared/qtlskey_generic_p.h @@ -51,10 +51,12 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> + +#include <QtNetwork/private/qtlsbackend_p.h> + +#include "qtlskey_base_p.h" -#include <private/qtlskey_base_p.h> -#include <private/qtlsbackend_p.h> #include <QtCore/qnamespace.h> #include <QtCore/qglobal.h> diff --git a/src/network/ssl/qwincrypt_p.h b/src/plugins/tls/shared/qwincrypt_p.h index 2a7bd1fae2..2a7bd1fae2 100644 --- a/src/network/ssl/qwincrypt_p.h +++ b/src/plugins/tls/shared/qwincrypt_p.h diff --git a/src/network/ssl/qx509_base.cpp b/src/plugins/tls/shared/qx509_base.cpp index d7b7b81606..d7b7b81606 100644 --- a/src/network/ssl/qx509_base.cpp +++ b/src/plugins/tls/shared/qx509_base.cpp diff --git a/src/network/ssl/qx509_base_p.h b/src/plugins/tls/shared/qx509_base_p.h index 6905848e46..b86b573512 100644 --- a/src/network/ssl/qx509_base_p.h +++ b/src/plugins/tls/shared/qx509_base_p.h @@ -51,11 +51,11 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qtlsbackend_p.h> +#include <QtNetwork/private/qtlsbackend_p.h> -#include <qssl.h> +#include <QtNetwork/qssl.h> #include <QtCore/qbytearray.h> #include <QtCore/qstring.h> diff --git a/src/network/ssl/qx509_generic.cpp b/src/plugins/tls/shared/qx509_generic.cpp index 40178f5e7c..9265498c4e 100644 --- a/src/network/ssl/qx509_generic.cpp +++ b/src/plugins/tls/shared/qx509_generic.cpp @@ -37,15 +37,16 @@ ** ****************************************************************************/ -#include "qsslcertificate_p.h" -#include "qx509_generic_p.h" +#include <QtNetwork/private/qsslcertificate_p.h> +#include <QtNetwork/private/qssl_p.h> + #include "qasn1element_p.h" +#include "qx509_generic_p.h" -#include "qssl_p.h" +#include <QtNetwork/qhostaddress.h> -#include <qhostaddress.h> -#include <qendian.h> -#include <qhash.h> +#include <QtCore/qendian.h> +#include <QtCore/qhash.h> #include <memory> diff --git a/src/network/ssl/qx509_generic_p.h b/src/plugins/tls/shared/qx509_generic_p.h index b0dd3ec4b5..3e99dcde62 100644 --- a/src/network/ssl/qx509_generic_p.h +++ b/src/plugins/tls/shared/qx509_generic_p.h @@ -50,10 +50,11 @@ // We mean it. // -#include <private/qtnetworkglobal_p.h> +#include <QtNetwork/private/qtnetworkglobal_p.h> -#include <private/qtlsbackend_p.h> -#include <private/qx509_base_p.h> +#include <QtNetwork/private/qtlsbackend_p.h> + +#include "qx509_base_p.h" #include <QtCore/qbytearray.h> #include <QtCore/qglobal.h> @@ -62,7 +63,6 @@ QT_BEGIN_NAMESPACE namespace QTlsPrivate { -// TLSTODO: This class is what previously was known as qsslcertificate_qt. // A part of SecureTransport and Schannel plugin. class X509CertificateGeneric : public X509CertificateBase { diff --git a/tests/auto/network/access/http2/tst_http2.cpp b/tests/auto/network/access/http2/tst_http2.cpp index 1aa012c6ac..834ec064d4 100644 --- a/tests/auto/network/access/http2/tst_http2.cpp +++ b/tests/auto/network/access/http2/tst_http2.cpp @@ -45,12 +45,6 @@ #include <QtCore/qthread.h> #include <QtCore/qurl.h> -#ifndef QT_NO_SSL -#ifndef QT_NO_OPENSSL -#include <QtNetwork/private/qsslsocket_openssl_symbols_p.h> -#endif // NO_OPENSSL -#endif // NO_SSL - #include <cstdlib> #include <memory> #include <string> diff --git a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp index 5e8a5420e1..6a326f8c5a 100644 --- a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp +++ b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp @@ -26,6 +26,7 @@ ** ****************************************************************************/ +#include <QtNetwork/qtnetworkglobal.h> #include <QTest> #include <QSemaphore> @@ -71,6 +72,7 @@ #ifndef QT_NO_SSL #include <QtNetwork/qsslerror.h> #include <QtNetwork/qsslconfiguration.h> +#include <QtNetwork/qsslsocket.h> #ifdef QT_BUILD_INTERNAL #include <QtNetwork/private/qsslconfiguration_p.h> #endif @@ -105,11 +107,10 @@ Q_DECLARE_METATYPE(QNetworkProxyQuery) typedef QSharedPointer<QNetworkReply> QNetworkReplyPtr; -#ifndef QT_NO_OPENSSL QT_BEGIN_NAMESPACE +// Technically, a workaround, and only needed for OpenSSL: void qt_ForceTlsSecurityLevel(); QT_END_NAMESPACE -#endif class MyCookieJar; class tst_QNetworkReply: public QObject @@ -163,11 +164,14 @@ class tst_QNetworkReply: public QObject #endif QNetworkAccessManager manager; MyCookieJar *cookieJar; -#ifndef QT_NO_SSL +#if QT_CONFIG(ssl) QSslConfiguration storedSslConfiguration; QList<QSslError> storedExpectedSslErrors; static const QString certsFilePath; -#endif +#endif // QT_CONFIG(ssl) + + bool isSecureTransport = false; + bool isSchannel = false; using QObject::connect; static bool connect(const QNetworkReplyPtr &ptr, const char *signal, const QObject *receiver, const char *slot, Qt::ConnectionType ct = Qt::AutoConnection) @@ -1289,9 +1293,14 @@ tst_QNetworkReply::tst_QNetworkReply() #ifndef QT_NO_NETWORKPROXY qRegisterMetaType<QNetworkProxy>(); #endif -#ifndef QT_NO_SSL + +#if QT_CONFIG(ssl) qRegisterMetaType<QList<QSslError> >(); + isSecureTransport = QSslSocket::activeBackend() == QStringLiteral("securetransport"); + if (!isSecureTransport) + isSchannel = QSslSocket::activeBackend() == QStringLiteral("schannel"); #endif + qRegisterMetaType<QNetworkReply::NetworkError>(); uniqueExtension = createUniqueExtension(); @@ -1577,10 +1586,8 @@ void tst_QNetworkReply::initTestCase() QString::fromLatin1("Couldn't find echo dir starting from %1.").arg(QDir::currentPath()))); cleanupTestData(); -#ifndef QT_NO_OPENSSL - QT_PREPEND_NAMESPACE(qt_ForceTlsSecurityLevel)(); -#endif // QT_NO_OPENSSL + QT_PREPEND_NAMESPACE(qt_ForceTlsSecurityLevel)(); } void tst_QNetworkReply::cleanupTestCase() @@ -2781,9 +2788,9 @@ void tst_QNetworkReply::putToHttpMultipart() #ifndef QT_NO_SSL void tst_QNetworkReply::putToHttps_data() { -#if QT_CONFIG(securetransport) - QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); -#endif + if (isSecureTransport) + QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); + uniqueExtension = createUniqueExtension(); putToFile_data(); } @@ -2825,9 +2832,9 @@ void tst_QNetworkReply::putToHttps() void tst_QNetworkReply::putToHttpsSynchronous_data() { -#if QT_CONFIG(securetransport) - QSKIP("SecTrustEvalueate() retruns recoverable error, update the server's certificate"); -#endif + if (isSecureTransport) + QSKIP("SecTrustEvalueate() retruns recoverable error, update the server's certificate"); + uniqueExtension = createUniqueExtension(); putToFile_data(); } @@ -2873,9 +2880,9 @@ void tst_QNetworkReply::putToHttpsSynchronous() void tst_QNetworkReply::postToHttps_data() { -#if QT_CONFIG(securetransport) - QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); -#endif + if (isSecureTransport) + QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); + putToFile_data(); } @@ -2907,9 +2914,9 @@ void tst_QNetworkReply::postToHttps() void tst_QNetworkReply::postToHttpsSynchronous_data() { -#if QT_CONFIG(securetransport) - QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); -#endif + if (isSecureTransport) + QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); + putToFile_data(); } @@ -2946,9 +2953,9 @@ void tst_QNetworkReply::postToHttpsSynchronous() void tst_QNetworkReply::postToHttpsMultipart_data() { -#if QT_CONFIG(securetransport) - QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); -#endif + if (isSecureTransport) + QSKIP("SecTrustEvaluate() returns recoverable error, update the certificate on server"); + postToHttpMultipart_data(); } @@ -6467,23 +6474,23 @@ void tst_QNetworkReply::sslConfiguration_data() QTest::newRow("empty") << QSslConfiguration() << false; QSslConfiguration conf = QSslConfiguration::defaultConfiguration(); QTest::newRow("default") << conf << false; // does not contain test server cert -#if QT_CONFIG(securetransport) - qWarning("SecTrustEvaluate() will fail, update the certificate on server"); -#else - QList<QSslCertificate> testServerCert = QSslCertificate::fromPath(testDataDir + certsFilePath); - conf.setCaCertificates(testServerCert); + if (isSecureTransport) { + qWarning("SecTrustEvaluate() will fail, update the certificate on server"); + } else { + QList<QSslCertificate> testServerCert = QSslCertificate::fromPath(testDataDir + certsFilePath); + conf.setCaCertificates(testServerCert); - QTest::newRow("set-root-cert") << conf << true; - conf.setProtocol(QSsl::SecureProtocols); - QTest::newRow("secure") << conf << true; -#endif + QTest::newRow("set-root-cert") << conf << true; + conf.setProtocol(QSsl::SecureProtocols); + QTest::newRow("secure") << conf << true; + } } void tst_QNetworkReply::encrypted() { -#if QT_CONFIG(securetransport) - QSKIP("SecTrustEvalute() fails with old server certificate"); -#endif + if (isSecureTransport) + QSKIP("SecTrustEvalute() fails with old server certificate"); + QUrl url("https://" + QtNetworkSettings::httpServerName()); QNetworkRequest request(url); QNetworkReply *reply = manager.get(request); @@ -6556,9 +6563,8 @@ void tst_QNetworkReply::sslSessionSharing_data() void tst_QNetworkReply::sslSessionSharing() { -#if QT_CONFIG(schannel) || defined(QT_SECURETRANSPORT) - QSKIP("Not implemented with SecureTransport/Schannel"); -#endif + if (isSchannel || isSecureTransport) + QSKIP("Not implemented with SecureTransport/Schannel"); QString urlString("https://" + QtNetworkSettings::httpServerName()); QList<QNetworkReplyPtr> replies; @@ -6627,9 +6633,8 @@ void tst_QNetworkReply::sslSessionSharingFromPersistentSession_data() void tst_QNetworkReply::sslSessionSharingFromPersistentSession() { -#if QT_CONFIG(schannel) || defined(QT_SECURETRANSPORT) - QSKIP("Not implemented with SecureTransport/Schannel"); -#endif + if (isSchannel || isSecureTransport) + QSKIP("Not implemented with SecureTransport/Schannel"); QString urlString("https://" + QtNetworkSettings::httpServerName()); @@ -7752,17 +7757,17 @@ void tst_QNetworkReply::synchronousRequest_data() // ### we would need to enflate (un-deflate) the file content and compare the sizes << QString("text/plain"); -#ifndef QT_NO_SSL -#if QT_CONFIG(securetransport) - qWarning("Skipping https scheme, SecTrustEvalue() fails, update the certificate on server"); -#else - QTest::newRow("https") - << QUrl("https://" + QtNetworkSettings::httpServerName() + "/qtest/rfc3252.txt") - << QString("file:" + testDataDir + "/rfc3252.txt") - << true - << QString("text/plain"); -#endif -#endif +#if QT_CONFIG(ssl) + if (isSecureTransport) { + qWarning("Skipping https scheme, SecTrustEvalue() fails, update the certificate on server"); + } else { + QTest::newRow("https") + << QUrl("https://" + QtNetworkSettings::httpServerName() + "/qtest/rfc3252.txt") + << QString("file:" + testDataDir + "/rfc3252.txt") + << true + << QString("text/plain"); + } +#endif // QT_CONFIG(ssl) QTest::newRow("data") << QUrl(QString::fromLatin1("data:text/plain,hello world")) diff --git a/tests/auto/network/ssl/CMakeLists.txt b/tests/auto/network/ssl/CMakeLists.txt index 54287e5e71..9c44e5c375 100644 --- a/tests/auto/network/ssl/CMakeLists.txt +++ b/tests/auto/network/ssl/CMakeLists.txt @@ -12,7 +12,7 @@ if(QT_FEATURE_private_tests AND QT_FEATURE_ssl) add_subdirectory(qsslsocket) add_subdirectory(qsslsocket_onDemandCertificates_member) add_subdirectory(qsslsocket_onDemandCertificates_static) - add_subdirectory(qasn1element) +# add_subdirectory(qasn1element) add_subdirectory(qssldiffiehellmanparameters) endif() if(QT_FEATURE_dtls AND QT_FEATURE_private_tests AND QT_FEATURE_ssl) diff --git a/tests/auto/network/ssl/qocsp/tst_qocsp.cpp b/tests/auto/network/ssl/qocsp/tst_qocsp.cpp index 37ce9a4f6d..5c28f5a8ec 100644 --- a/tests/auto/network/ssl/qocsp/tst_qocsp.cpp +++ b/tests/auto/network/ssl/qocsp/tst_qocsp.cpp @@ -31,8 +31,6 @@ #include <QtNetwork/private/qtnetworkglobal_p.h> -#include <QtNetwork/private/qsslsocket_openssl_symbols_p.h> - #include <QtNetwork/qsslcertificate.h> #include <QtNetwork/qtcpserver.h> #include <QtNetwork/qsslerror.h> @@ -66,6 +64,9 @@ QT_BEGIN_NAMESPACE namespace { +// TLSTODO: the test is temporarily disabled due to openssl code +// moved into plugin and not in QtNetwork anymore. +#if 0 using OcspResponse = QSharedPointer<OCSP_RESPONSE>; using BasicResponse = QSharedPointer<OCSP_BASICRESP>; using SingleResponse = QSharedPointer<OCSP_SINGLERESP>; @@ -74,6 +75,9 @@ using EvpKey = QSharedPointer<EVP_PKEY>; using Asn1Time = QSharedPointer<ASN1_TIME>; using CertificateChain = QList<QSslCertificate>; +// TLSTODO: test temporarily disabled due to openssl code moved +// into plugin and not in QtNetwork anymore. + using NativeX509Ptr = X509 *; class X509Stack { @@ -372,12 +376,16 @@ void OcspServer::incomingConnection(qintptr socketDescriptor) serverSocket.startServerEncryption(); } +#endif // if 0 + } // unnamed namespace class tst_QOcsp : public QObject { Q_OBJECT - +// TLSTODO: test temporarily disabled due to openssl code moved +// into plugin and not in QtNetwork anymore. +#if 0 public slots: void initTestCase(); @@ -426,6 +434,7 @@ private: QSslError::OcspResponseCertIdUnknown, QSslError::OcspResponseExpired, QSslError::OcspStatusUnknown}; +#endif // if 0 }; #define QCOMPARE_SINGLE_ERROR(sslSocket, expectedError) \ @@ -446,6 +455,9 @@ private: QSslKey key; \ QVERIFY(loadPrivateKey(QLatin1String(keyFileName), key)) +// TLSTODO: test temporarily disabled due to openssl code moved +// into plugin and not in QtNetwork anymore. +#if 0 QString tst_QOcsp::certDirPath; void tst_QOcsp::initTestCase() @@ -827,6 +839,8 @@ CertificateChain tst_QOcsp::subjectToChain(const CertificateChain &chain) return CertificateChain() << chain[0]; } +#endif // if 0 + QT_END_NAMESPACE QTEST_MAIN(tst_QOcsp) diff --git a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp index 53729abe3d..ed90bd3509 100644 --- a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp +++ b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp @@ -28,6 +28,7 @@ #include <QTest> + #include <qsslcertificate.h> #include <qsslkey.h> #include <qsslsocket.h> @@ -120,6 +121,7 @@ private slots: #endif private: QString testDataDir; + bool isNonOpenSslTls = false; }; void tst_QSslCertificate::initTestCase() @@ -129,6 +131,13 @@ void tst_QSslCertificate::initTestCase() testDataDir = QCoreApplication::applicationDirPath(); if (!testDataDir.endsWith(QLatin1String("/"))) testDataDir += QLatin1String("/"); +#if QT_CONFIG(opensslv11) + // In the presence of 'openssl' backend, QSslSocket will + // select 'openssl' as the default one. + isNonOpenSslTls = false; +#else + isNonOpenSslTls = true; +#endif // QT_CONFIG(ssl) QDir dir(testDataDir + "certificates"); QFileInfoList fileInfoList = dir.entryInfoList(QDir::Files | QDir::Readable); @@ -889,9 +898,9 @@ void tst_QSslCertificate::task256066toPem() void tst_QSslCertificate::nulInCN() { -#if QT_CONFIG(securetransport) || QT_CONFIG(schannel) - QSKIP("Generic QSslCertificatePrivate fails this test"); -#endif + if (isNonOpenSslTls) + QSKIP("Generic QSslCertificatePrivate fails this test"); + QList<QSslCertificate> certList = QSslCertificate::fromPath(testDataDir + "more-certificates/badguy-nul-cn.crt", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString); QCOMPARE(certList.size(), 1); @@ -908,9 +917,10 @@ void tst_QSslCertificate::nulInCN() void tst_QSslCertificate::nulInSan() { -#if QT_CONFIG(securetransport) || QT_CONFIG(schannel) - QSKIP("Generic QSslCertificatePrivate fails this test"); -#endif + + if (isNonOpenSslTls) + QSKIP("Generic QSslCertificatePrivate fails this test"); + QList<QSslCertificate> certList = QSslCertificate::fromPath(testDataDir + "more-certificates/badguy-nul-san.crt", QSsl::Pem, QSslCertificate::PatternSyntax::FixedString); QCOMPARE(certList.size(), 1); @@ -1047,9 +1057,9 @@ void tst_QSslCertificate::subjectAndIssuerAttributes() void tst_QSslCertificate::verify() { -#if QT_CONFIG(securetransport) - QSKIP("Not implemented in SecureTransport"); -#endif + if (isNonOpenSslTls) + QSKIP("Not implemented in SecureTransport or Schannel"); + QList<QSslError> errors; QList<QSslCertificate> toVerify; @@ -1059,9 +1069,6 @@ void tst_QSslCertificate::verify() qPrintable(QString("errors: %1").arg(toString(errors))) \ ) -#ifdef QT_NO_OPENSSL - QEXPECT_FAIL("", "Verifying a chain is not supported without openssl", Abort); // TODO? -#endif // Empty chain is unspecified error errors = QSslCertificate::verify(toVerify); VERIFY_VERBOSE(errors.count() == 1); diff --git a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp index e86dcb83e8..2845d9c59d 100644 --- a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp +++ b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp @@ -26,7 +26,6 @@ ** ****************************************************************************/ - #include <QTest> #include <qsslkey.h> #include <qsslsocket.h> @@ -46,11 +45,18 @@ #include "private/qsslkey_p.h" #define TEST_CRYPTO #endif - #ifndef QT_NO_OPENSSL - #include "private/qsslsocket_openssl_symbols_p.h" - #endif + // TLSTODO: find another solution, for now this code + // (OpenSSL specific) is a part of plugin, not in + // QtNetwork anymore. + //#ifndef QT_NO_OPENSSL + // #include "private/qsslsocket_openssl_symbols_p.h" + //#endif #endif +#if QT_CONFIG(ssl) +#include <QtNetwork/qsslsocket.h> +#endif // QT_CONFIG(ssl) + #include <algorithm> class tst_QSslKey : public QObject @@ -113,11 +119,15 @@ private: bool fileContainsUnsupportedEllipticCurve(const QString &fileName) const; QVector<QString> unsupportedCurves; + + bool isOpenSsl = false; + bool isSecureTransport = false; + bool isSchannel = false; }; tst_QSslKey::tst_QSslKey() { -#ifndef QT_NO_SSL +#if QT_CONFIG(ssl) const QString expectedCurves[] = { // See how we generate them in keys/genkey.sh. QStringLiteral("secp224r1"), @@ -140,6 +150,13 @@ tst_QSslKey::tst_QSslKey() unsupportedCurves.push_back(requestedEc); } } + // Alas, we don't use network-private (and why?). + const auto backendName = QSslSocket::activeBackend(); + isOpenSsl = backendName == QStringLiteral("openssl"); + if (!isOpenSsl) + isSecureTransport = backendName == QStringLiteral("securetransport"); + if (!isOpenSsl && !isSecureTransport) + isSchannel = backendName == QStringLiteral("schannel"); #else unsupportedCurves = {}; // not unsued anymore. #endif @@ -221,10 +238,12 @@ void tst_QSslKey::createPlainTestRows(bool pemOnly) foreach (KeyInfo keyInfo, keyInfoList) { if (pemOnly && keyInfo.format != QSsl::EncodingFormat::Pem) continue; -#if QT_CONFIG(schannel) - if (keyInfo.fileInfo.fileName().contains("RC2-64")) - continue; // Schannel treats RC2 as 128 bit -#endif + + if (isSchannel) { + if (keyInfo.fileInfo.fileName().contains("RC2-64")) + continue; // Schannel treats RC2 as 128 bit + } + #if QT_CONFIG(ssl) && defined(QT_NO_OPENSSL) // generic backend if (keyInfo.fileInfo.fileName().contains(QRegularExpression("-aes\\d\\d\\d-"))) continue; // No AES support in the generic back-end @@ -272,7 +291,12 @@ void tst_QSslKey::constructorHandle() { #ifndef QT_BUILD_INTERNAL QSKIP("This test requires -developer-build."); -#else +#endif // previously, else, see if 0 below. + +// TLSTODO: OpenSSL-specific code and symbols are now +// part of 'openssl' plugin, not in QtNetwork anymore. +// For now - disabling. +#if 0 if (!QSslSocket::supportsSsl()) return; @@ -328,7 +352,8 @@ void tst_QSslKey::constructorHandle() QCOMPARE(key.type(), type); QCOMPARE(key.length(), length); QCOMPARE(q_EVP_PKEY_cmp(origin, handle), 1); -#endif + +#endif // if 0 } #endif // !QT_NO_OPENSSL @@ -419,13 +444,13 @@ void tst_QSslKey::toPemOrDer() QByteArray dataTag = QByteArray(QTest::currentDataTag()); if (dataTag.contains("-pkcs8-")) // these are encrypted QSKIP("Encrypted PKCS#8 keys gets decrypted when loaded. So we can't compare it to the encrypted version."); -#ifndef QT_NO_OPENSSL - if (dataTag.contains("pkcs8")) - QSKIP("OpenSSL converts PKCS#8 keys to other formats, invalidating comparisons."); -#else // !openssl - if (dataTag.contains("pkcs8") && dataTag.contains("rsa")) - QSKIP("PKCS#8 RSA keys are changed into a different format in the generic back-end, meaning the comparison fails."); -#endif // openssl + + if (dataTag.contains("pkcs8")) { + if (isOpenSsl) + QSKIP("OpenSSL converts PKCS#8 keys to other formats, invalidating comparisons."); + else if (dataTag.contains("rsa")) + QSKIP("PKCS#8 RSA keys are changed into a different format in the generic back-end, meaning the comparison fails."); + } QByteArray encoded = readFile(absFilePath); QSslKey key(encoded, algorithm, format, type); @@ -759,12 +784,13 @@ void tst_QSslKey::encrypt() QFETCH(QByteArray, cipherText); QFETCH(QByteArray, iv); -#if QT_CONFIG(schannel) - QEXPECT_FAIL("RC2-40-CBC, length 0", "Schannel treats RC2 as 128-bit", Abort); - QEXPECT_FAIL("RC2-40-CBC, length 8", "Schannel treats RC2 as 128-bit", Abort); - QEXPECT_FAIL("RC2-64-CBC, length 0", "Schannel treats RC2 as 128-bit", Abort); - QEXPECT_FAIL("RC2-64-CBC, length 8", "Schannel treats RC2 as 128-bit", Abort); -#endif + if (isSchannel) { + QEXPECT_FAIL("RC2-40-CBC, length 0", "Schannel treats RC2 as 128-bit", Abort); + QEXPECT_FAIL("RC2-40-CBC, length 8", "Schannel treats RC2 as 128-bit", Abort); + QEXPECT_FAIL("RC2-64-CBC, length 0", "Schannel treats RC2 as 128-bit", Abort); + QEXPECT_FAIL("RC2-64-CBC, length 8", "Schannel treats RC2 as 128-bit", Abort); + } + QByteArray encrypted = QSslKeyPrivate::encrypt(cipher, plainText, key, iv); QCOMPARE(encrypted, cipherText); diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp index d982368086..79cb26c075 100644 --- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp +++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp @@ -59,7 +59,10 @@ #include "private/qtlsbackend_p.h" #ifndef QT_NO_OPENSSL -#include "private/qsslsocket_openssl_symbols_p.h" +// TLSTODO: +// Disabling tests requiring this - moving OpenSSL code into plugins, +// find a workaround if needed. +//#include "private/qsslsocket_openssl_symbols_p.h" #endif // QT_NO_OPENSSL #include "private/qsslsocket_p.h" @@ -110,12 +113,12 @@ static const QByteArray PSK_CLIENT_PRESHAREDKEY = QByteArrayLiteral("\x1a\x2b\x3 static const QByteArray PSK_SERVER_IDENTITY_HINT = QByteArrayLiteral("QtTestServerHint"); static const QByteArray PSK_CLIENT_IDENTITY = QByteArrayLiteral("Client_identity"); +#endif // !QT_NO_OPENSSL + QT_BEGIN_NAMESPACE void qt_ForceTlsSecurityLevel(); QT_END_NAMESPACE -#endif // !QT_NO_OPENSSL - class tst_QSslSocket : public QObject { Q_OBJECT @@ -319,11 +322,36 @@ protected slots: private: QSslSocket *socket; QList<QSslError> storedExpectedSslErrors; + bool isTestingOpenSsl = false; + bool isTestingSecureTransport = false; + bool isTestingSchannel = false; #endif // QT_NO_SSL private: static int loopLevel; public: static QString testDataDir; + + bool supportsTls13() const + { + if (isTestingOpenSsl) { +#ifdef TLS1_3_VERSION + return true; +#endif + } + if (isTestingSchannel) { + // Copied from qtls_schannel.cpp #supportsTls13() + static bool supported = []() { + const auto current = QOperatingSystemVersion::current(); + const auto minimum = + QOperatingSystemVersion(QOperatingSystemVersion::Windows, 10, 0, 20221); + return current >= minimum; + }(); + return supported; + } + + return false; + } + }; QString tst_QSslSocket::testDataDir; @@ -348,24 +376,6 @@ QString httpServerCertChainPath() #endif // QT_TEST_SERVER } -bool supportsTls13() -{ -#ifdef TLS1_3_VERSION - return true; -#elif QT_CONFIG(schannel) - // Copied from qsslsocket_schannel.cpp #supportsTls13() - static bool supported = []() { - const auto current = QOperatingSystemVersion::current(); - const auto minimum = - QOperatingSystemVersion(QOperatingSystemVersion::Windows, 10, 0, 20221); - return current >= minimum; - }(); - return supported; -#else - return false; -#endif -} - } // unnamed namespace tst_QSslSocket::tst_QSslSocket() @@ -417,6 +427,20 @@ void tst_QSslSocket::initTestCase() testDataDir = QCoreApplication::applicationDirPath(); if (!testDataDir.endsWith(QLatin1String("/"))) testDataDir += QLatin1String("/"); + + // Several plugins (TLS-backends) can co-exist. QSslSocket would implicitly + // select 'openssl' if available, and if not: 'securetransport' (Darwin) or + // 'schannel' (Windows). Check what we actually have: + const auto &tlsBackends = QSslSocket::availableBackends(); + if (tlsBackends.contains(QTlsBackend::builtinBackendNames[QTlsBackend::nameIndexOpenSSL])) { + isTestingOpenSsl = true; + } else if (tlsBackends.contains(QTlsBackend::builtinBackendNames[QTlsBackend::nameIndexSchannel])) { + isTestingSchannel = true; + } else { + QVERIFY(tlsBackends.contains(QTlsBackend::builtinBackendNames[QTlsBackend::nameIndexSecureTransport])); + isTestingSecureTransport = true; + } + #ifndef QT_NO_SSL qDebug("Using SSL library %s (%ld)", qPrintable(QSslSocket::sslLibraryVersionString()), @@ -474,9 +498,7 @@ void tst_QSslSocket::init() #endif // QT_NO_NETWORKPROXY } -#ifndef QT_NO_OPENSSL QT_PREPEND_NAMESPACE(qt_ForceTlsSecurityLevel)(); -#endif // QT_NO_OPENSSL qt_qhostinfo_clear_cache(); } @@ -519,8 +541,6 @@ void tst_QSslSocket::activeBackend() if (setProxy) // Not interesting for backend test. return; - QCOMPARE(QSslSocket::activeBackend(), QTlsBackend::defaultBackendName()); - // We cannot set non-existing as active: const QString nonExistingBackend = QStringLiteral("TheQtTLS"); QCOMPARE(QSslSocket::setActiveBackend(nonExistingBackend), false); @@ -609,17 +629,21 @@ void tst_QSslSocket::backends() const auto sizeBefore = backendNames.size(); QVERIFY(sizeBefore > 0); - const auto builtinBackend = backendNames.first(); - const auto builtinProtocols = QSslSocket::supportedProtocols(builtinBackend); + const QString tlsBackend = QSslSocket::activeBackend(); + QVERIFY(tlsBackend == QTlsBackend::builtinBackendNames[QTlsBackend::nameIndexOpenSSL] + || tlsBackend == QTlsBackend::builtinBackendNames[QTlsBackend::nameIndexSchannel] + || tlsBackend == QTlsBackend::builtinBackendNames[QTlsBackend::nameIndexSecureTransport]); + + const auto builtinProtocols = QSslSocket::supportedProtocols(tlsBackend); QVERIFY(builtinProtocols.contains(QSsl::SecureProtocols)); // Socket and ALPN are supported by all our backends: - const auto builtinClasses = QSslSocket::implementedClasses(builtinBackend); + const auto builtinClasses = QSslSocket::implementedClasses(tlsBackend); QVERIFY(builtinClasses.contains(QSsl::ImplementedClass::Socket)); - const auto builtinFeatures = QSslSocket::supportedFeatures(builtinBackend); + const auto builtinFeatures = QSslSocket::supportedFeatures(tlsBackend); QVERIFY(builtinFeatures.contains(QSsl::SupportedFeature::ClientSideAlpn)); - // Verify that non-dummy backend can be created (and delete it): - auto *systemBackend = QTlsBackend::findBackend(builtinBackend); + // Verify that non-dummy backend can be found: + auto *systemBackend = QTlsBackend::findBackend(tlsBackend); QVERIFY(systemBackend); const auto protocols = QList<QSsl::SslProtocol>{QSsl::SecureProtocols}; @@ -913,10 +937,11 @@ void tst_QSslSocket::sslErrors() QFETCH(int, port); QSslSocketPtr socket = newSocket(); -#if QT_CONFIG(schannel) - // Needs to be < 1.2 because of the old certificate and <= 1.0 because of the mail server - socket->setProtocol(QSsl::SslProtocol::TlsV1_0); -#endif + if (isTestingSchannel) { + // Needs to be < 1.2 because of the old certificate and <= 1.0 because of the mail server + socket->setProtocol(QSsl::SslProtocol::TlsV1_0); + } + QSignalSpy sslErrorsSpy(socket.data(), SIGNAL(sslErrors(QList<QSslError>))); QSignalSpy peerVerifyErrorSpy(socket.data(), SIGNAL(peerVerifyError(QSslError))); @@ -1013,26 +1038,28 @@ void tst_QSslSocket::ciphers() if (!ciphers.size()) QSKIP("No proper ciphersuite was found to test 'setCiphers'"); -#if QT_CONFIG(schannel) - qWarning("Schannel doesn't support setting ciphers from a cipher-string."); -#else - sslConfig.setCiphers(ciphersAsString); - socket.setSslConfiguration(sslConfig); - QCOMPARE(ciphers, socket.sslConfiguration().ciphers()); -#endif + + if (isTestingSchannel) { + qWarning("Schannel doesn't support setting ciphers from a cipher-string."); + } else { + sslConfig.setCiphers(ciphersAsString); + socket.setSslConfiguration(sslConfig); + QCOMPARE(ciphers, socket.sslConfiguration().ciphers()); + } + sslConfig.setCiphers(ciphers); socket.setSslConfiguration(sslConfig); QCOMPARE(ciphers, socket.sslConfiguration().ciphers()); -#ifndef QT_NO_OPENSSL - for (const auto &cipher : ciphers) { - if (cipher.name().size() && cipher.protocol() != QSsl::UnknownProtocol) { - const QSslCipher aCopy(cipher.name(), cipher.protocol()); - QCOMPARE(aCopy, cipher); - break; + if (isTestingOpenSsl) { + for (const auto &cipher : ciphers) { + if (cipher.name().size() && cipher.protocol() != QSsl::UnknownProtocol) { + const QSslCipher aCopy(cipher.name(), cipher.protocol()); + QCOMPARE(aCopy, cipher); + break; + } } } -#endif // QT_NO_OPENSSL } void tst_QSslSocket::connectToHostEncrypted() @@ -1041,9 +1068,9 @@ void tst_QSslSocket::connectToHostEncrypted() return; QSslSocketPtr socket = newSocket(); -#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(QSsl::SslProtocol::TlsV1_1); -#endif + if (isTestingSchannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); + this->socket = socket.data(); auto config = socket->sslConfiguration(); QVERIFY(config.addCaCertificates(httpServerCertChainPath())); @@ -1079,9 +1106,9 @@ void tst_QSslSocket::connectToHostEncryptedWithVerificationPeerName() return; QSslSocketPtr socket = newSocket(); -#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(QSsl::SslProtocol::TlsV1_1); -#endif + if (isTestingSchannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); + this->socket = socket.data(); auto config = socket->sslConfiguration(); @@ -1250,7 +1277,9 @@ void tst_QSslSocket::privateKeyOpaque() { if (!QSslSocket::supportsSsl()) return; - + // TLSTODO: OpenSSL symbols are now a part of 'openssl' plugin, + // not QtNetwork anymore. +#if 0 QFile file(testDataDir + "certs/fluke.key"); QVERIFY(file.open(QIODevice::ReadOnly)); QSslKey key(file.readAll(), QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey); @@ -1278,6 +1307,7 @@ void tst_QSslSocket::privateKeyOpaque() QFETCH_GLOBAL(bool, setProxy); if (setProxy && !socket->waitForEncrypted(10000)) QSKIP("Skipping flaky test - See QTBUG-29941"); +#endif // if 0 } #endif @@ -1745,11 +1775,12 @@ void tst_QSslSocket::setLocalCertificateChain() loop.exec(); QList<QSslCertificate> chain = socket->peerCertificateChain(); -#if QT_CONFIG(schannel) - QEXPECT_FAIL("", "Schannel cannot send intermediate certificates not " - "located in a system certificate store", - Abort); -#endif + if (isTestingSchannel) { + QEXPECT_FAIL("", "Schannel cannot send intermediate certificates not " + "located in a system certificate store", + Abort); + } + QCOMPARE(chain.size(), 2); QCOMPARE(chain[0].serialNumber(), QByteArray("10:a0:ad:77:58:f6:6e:ae:46:93:a3:43:f9:59:8a:9e")); QCOMPARE(chain[1].serialNumber(), QByteArray("3b:eb:99:c5:ea:d8:0b:5d:0b:97:5d:4f:06:75:4b:e1")); @@ -1824,15 +1855,16 @@ void tst_QSslSocket::setSslConfiguration_data() QTest::newRow("empty") << QSslConfiguration() << false; QSslConfiguration conf = QSslConfiguration::defaultConfiguration(); QTest::newRow("default") << conf << false; // does not contain test server cert -#if !QT_CONFIG(securetransport) - QList<QSslCertificate> testServerCert = QSslCertificate::fromPath(httpServerCertChainPath()); - conf.setCaCertificates(testServerCert); - QTest::newRow("set-root-cert") << conf << true; - conf.setProtocol(QSsl::SecureProtocols); - QTest::newRow("secure") << conf << true; -#else - qWarning("Skipping the cases with certificate, SecureTransport does not like old certificate on the test server"); -#endif + + if (!isTestingSecureTransport) { + QList<QSslCertificate> testServerCert = QSslCertificate::fromPath(httpServerCertChainPath()); + conf.setCaCertificates(testServerCert); + QTest::newRow("set-root-cert") << conf << true; + conf.setProtocol(QSsl::SecureProtocols); + QTest::newRow("secure") << conf << true; + } else { + qWarning("Skipping the cases with certificate, SecureTransport does not like old certificate on the test server"); + } } void tst_QSslSocket::setSslConfiguration() @@ -1843,9 +1875,9 @@ void tst_QSslSocket::setSslConfiguration() QSslSocketPtr socket = newSocket(); QFETCH(QSslConfiguration, configuration); socket->setSslConfiguration(configuration); -#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(QSsl::SslProtocol::TlsV1_1); -#endif + if (isTestingSchannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); + this->socket = socket.data(); socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH(bool, works); @@ -2545,9 +2577,9 @@ void tst_QSslSocket::verifyMode() return; QSslSocket socket; -#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 - socket.setProtocol(QSsl::SslProtocol::TlsV1_1); -#endif + if (isTestingSchannel) // old certificate not supported with TLS 1.2 + socket.setProtocol(QSsl::SslProtocol::TlsV1_1); + QCOMPARE(socket.peerVerifyMode(), QSslSocket::AutoVerifyPeer); socket.setPeerVerifyMode(QSslSocket::VerifyNone); QCOMPARE(socket.peerVerifyMode(), QSslSocket::VerifyNone); @@ -2884,9 +2916,9 @@ void tst_QSslSocket::abortOnSslErrors() void tst_QSslSocket::readFromClosedSocket() { QSslSocketPtr socket = newSocket(); -#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(QSsl::SslProtocol::TlsV1_1); -#endif + if (isTestingSchannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); + socket->ignoreSslErrors(); socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); socket->ignoreSslErrors(); @@ -3547,14 +3579,15 @@ void tst_QSslSocket::verifyClientCertificate_data() void tst_QSslSocket::verifyClientCertificate() { -#if QT_CONFIG(securetransport) - // We run both client and server on the same machine, - // this means, client can update keychain with client's certificates, - // and server later will use the same certificates from the same - // keychain thus making tests fail (wrong number of certificates, - // success instead of failure etc.). - QSKIP("This test can not work with Secure Transport"); -#endif // QT_CONFIG(securetransport) + if (isTestingSecureTransport) { + // We run both client and server on the same machine, + // this means, client can update keychain with client's certificates, + // and server later will use the same certificates from the same + // keychain thus making tests fail (wrong number of certificates, + // success instead of failure etc.). + QSKIP("This test can not work with Secure Transport"); + } + if (!QSslSocket::supportsSsl()) { qWarning("SSL not supported, skipping test"); return; @@ -3565,10 +3598,10 @@ void tst_QSslSocket::verifyClientCertificate() return; QFETCH(QSslSocket::PeerVerifyMode, peerVerifyMode); -#if QT_CONFIG(schannel) - if (peerVerifyMode == QSslSocket::QueryPeer || peerVerifyMode == QSslSocket::AutoVerifyPeer) - QSKIP("Schannel doesn't tackle requesting a certificate and not receiving one."); -#endif + if (isTestingSchannel) { + if (peerVerifyMode == QSslSocket::QueryPeer || peerVerifyMode == QSslSocket::AutoVerifyPeer) + QSKIP("Schannel doesn't tackle requesting a certificate and not receiving one."); + } SslServer server; server.addCaCertificates = testDataDir + "certs/bogus-ca.crt"; @@ -3608,13 +3641,13 @@ void tst_QSslSocket::verifyClientCertificate() QVERIFY(server.socket->peerCertificateChain().isEmpty()); } else { QCOMPARE(server.socket->peerCertificate(), clientCerts.first()); -#if QT_CONFIG(schannel) - if (clientCerts.count() == 1 && server.socket->peerCertificateChain().count() == 2) { - QEXPECT_FAIL("", - "Schannel includes the entire chain, not just the leaf and intermediates", - Continue); + if (isTestingSchannel) { + if (clientCerts.count() == 1 && server.socket->peerCertificateChain().count() == 2) { + QEXPECT_FAIL("", + "Schannel includes the entire chain, not just the leaf and intermediates", + Continue); + } } -#endif QCOMPARE(server.socket->peerCertificateChain(), clientCerts); } @@ -3625,7 +3658,6 @@ void tst_QSslSocket::verifyClientCertificate() void tst_QSslSocket::readBufferMaxSize() { -#if QT_CONFIG(securetransport) || QT_CONFIG(schannel) // QTBUG-55170: // SecureTransport back-end was ignoring read-buffer // size limit, resulting (potentially) in a constantly @@ -3680,9 +3712,6 @@ void tst_QSslSocket::readBufferMaxSize() loop.exec(); QCOMPARE(client->bytesAvailable() + readSoFar, message.size()); -#else - // Not needed, QSslSocket works correctly with other back-ends. -#endif // QT_CONFIG(securetransport) || QT_CONFIG(schannel) } void tst_QSslSocket::setEmptyDefaultConfiguration() // this test should be last, as it has some side effects @@ -3711,16 +3740,15 @@ void tst_QSslSocket::allowedProtocolNegotiation() QSKIP("ALPN is unsupported, skipping test"); #endif -#if QT_CONFIG(schannel) - if (QOperatingSystemVersion::current() < QOperatingSystemVersion::Windows8_1) - QSKIP("ALPN is not supported on this version of Windows using Schannel."); -#endif + if (isTestingSchannel) { + if (QOperatingSystemVersion::current() < QOperatingSystemVersion::Windows8_1) + QSKIP("ALPN is not supported on this version of Windows using Schannel."); + } QFETCH_GLOBAL(bool, setProxy); if (setProxy) return; - const QByteArray expectedNegotiated("cool-protocol"); QList<QByteArray> serverProtos; serverProtos << expectedNegotiated << "not-so-cool-protocol"; @@ -4158,9 +4186,9 @@ void tst_QSslSocket::ephemeralServerKey() void tst_QSslSocket::pskServer() { -#if QT_CONFIG(schannel) - QSKIP("Schannel does not have PSK support implemented."); -#endif + if (!isTestingOpenSsl) + QSKIP("The active TLS-backend does not have PSK support implemented."); + QFETCH_GLOBAL(bool, setProxy); if (!QSslSocket::supportsSsl() || setProxy) return; |