1 files changed, 43 insertions, 69 deletions

diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 8f8773ebaa..fd308d7037 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -1,42 +1,6 @@
-/****************************************************************************
-**
-** Copyright (C) 2016 The Qt Company Ltd.
-** Copyright (C) 2014 BlackBerry Limited. All rights reserved.
-** Contact: https://www.qt.io/licensing/
-**
-** This file is part of the QtNetwork module of the Qt Toolkit.
-**
-** $QT_BEGIN_LICENSE:LGPL$
-** Commercial License Usage
-** Licensees holding valid commercial Qt licenses may use this file in
-** accordance with the commercial license agreement provided with the
-** Software or, alternatively, in accordance with the terms contained in
-** a written agreement between you and The Qt Company. For licensing terms
-** and conditions see https://www.qt.io/terms-conditions. For further
-** information use the contact form at https://www.qt.io/contact-us.
-**
-** GNU Lesser General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU Lesser
-** General Public License version 3 as published by the Free Software
-** Foundation and appearing in the file LICENSE.LGPL3 included in the
-** packaging of this file. Please review the following information to
-** ensure the GNU Lesser General Public License version 3 requirements
-** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
-**
-** GNU General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU
-** General Public License version 2.0 or (at your option) the GNU General
-** Public license version 3 or any later version approved by the KDE Free
-** Qt Foundation. The licenses are as published by the Free Software
-** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
-** included in the packaging of this file. Please review the following
-** information to ensure the GNU General Public License requirements will
-** be met: https://www.gnu.org/licenses/gpl-2.0.html and
-** https://www.gnu.org/licenses/gpl-3.0.html.
-**
-** $QT_END_LICENSE$
-**
-****************************************************************************/
+// Copyright (C) 2016 The Qt Company Ltd.
+// Copyright (C) 2014 BlackBerry Limited. All rights reserved.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 #include "qssl_p.h"
 #include "qsslconfiguration.h"
@@ -48,6 +12,8 @@
 
 QT_BEGIN_NAMESPACE
 
+QT_IMPL_METATYPE_EXTERN(QSslConfiguration)
+
 const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
                                                                     |QSsl::SslOptionDisableLegacyRenegotiation
                                                                     |QSsl::SslOptionDisableCompression
@@ -107,7 +73,7 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
     change the settings in the related SSL connection. You must call
     setSslConfiguration on a modified QSslConfiguration object to
     achieve that. The following example illustrates how to change the
-    protocol to TLSv1_0 in a QSslSocket object:
+    protocol to TLSv1_2 in a QSslSocket object:
 
     \snippet code/src_network_ssl_qsslconfiguration.cpp 0
 
@@ -139,6 +105,12 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1";
 */
 
 /*!
+    \variable QSslConfiguration::ALPNProtocolHTTP2
+    \brief The value used for negotiating HTTP 2 during the Application-Layer
+    Protocol Negotiation.
+*/
+
+/*!
     Constructs an empty SSL configuration. This configuration contains
     no valid settings and the state will be empty. isNull() will
     return true after this constructor is called.
@@ -252,15 +224,15 @@ bool QSslConfiguration::isNull() const
             d->peerVerifyMode == QSslSocket::AutoVerifyPeer &&
             d->peerVerifyDepth == 0 &&
             d->allowRootCertOnDemandLoading == true &&
-            d->caCertificates.count() == 0 &&
-            d->ciphers.count() == 0 &&
+            d->caCertificates.size() == 0 &&
+            d->ciphers.size() == 0 &&
             d->ellipticCurves.isEmpty() &&
             d->ephemeralServerKey.isNull() &&
             d->dhParams == QSslDiffieHellmanParameters::defaultParameters() &&
             d->localCertificateChain.isEmpty() &&
             d->privateKey.isNull() &&
             d->peerCertificate.isNull() &&
-            d->peerCertificateChain.count() == 0 &&
+            d->peerCertificateChain.size() == 0 &&
             d->backendConfig.isEmpty() &&
             d->sslOptions == QSslConfigurationPrivate::defaultSslOptions &&
             d->sslSession.isNull() &&
@@ -518,7 +490,7 @@ QList<QSslCertificate> QSslConfiguration::peerCertificateChain() const
     eventually select the session cipher. This ordered list must be in
     place before the handshake phase begins.
 
-    \sa ciphers(), setCiphers(), QSslSocket::supportedCiphers()
+    \sa ciphers(), setCiphers(), supportedCiphers()
 */
 QSslCipher QSslConfiguration::sessionCipher() const
 {
@@ -578,15 +550,13 @@ void QSslConfiguration::setPrivateKey(const QSslKey &key)
     By default, the handshake phase can choose any of the ciphers
     supported by this system's SSL libraries, which may vary from
     system to system. The list of ciphers supported by this system's
-    SSL libraries is returned by QSslSocket::supportedCiphers(). You can restrict
+    SSL libraries is returned by supportedCiphers(). You can restrict
     the list of ciphers used for choosing the session cipher for this
     socket by calling setCiphers() with a subset of the supported
     ciphers. You can revert to using the entire set by calling
-    setCiphers() with the list returned by QSslSocket::supportedCiphers().
-
-    \note This is not currently supported in the Schannel backend.
+    setCiphers() with the list returned by supportedCiphers().
 
-    \sa setCiphers(), QSslSocket::supportedCiphers()
+    \sa setCiphers(), supportedCiphers()
 */
 QList<QSslCipher> QSslConfiguration::ciphers() const
 {
@@ -601,9 +571,7 @@ QList<QSslCipher> QSslConfiguration::ciphers() const
     Restricting the cipher suite must be done before the handshake
     phase, where the session cipher is chosen.
 
-    \note This is not currently supported in the Schannel backend.
-
-    \sa ciphers(), QSslSocket::supportedCiphers()
+    \sa ciphers(), supportedCiphers()
 */
 void QSslConfiguration::setCiphers(const QList<QSslCipher> &ciphers)
 {
@@ -615,27 +583,26 @@ void QSslConfiguration::setCiphers(const QList<QSslCipher> &ciphers)
 
     Sets the cryptographic cipher suite for this configuration to \a ciphers,
     which is a colon-separated list of cipher suite names. The ciphers are listed
-    in order of preference, starting with the most preferred cipher. For example:
-
-    \snippet code/src_network_ssl_qsslconfiguration.cpp 1
-
+    in order of preference, starting with the most preferred cipher.
     Each cipher name in \a ciphers must be the name of a cipher in the
     list returned by supportedCiphers().  Restricting the cipher suite
     must be done before the handshake phase, where the session cipher
     is chosen.
 
-    \note This is not currently supported in the Schannel backend.
+    \note With the Schannel backend the order of the ciphers is ignored and Schannel
+          picks the most secure one during the handshake.
 
     \sa ciphers()
 */
 void QSslConfiguration::setCiphers(const QString &ciphers)
 {
-    d->ciphers.clear();
-    const auto cipherNames = ciphers.split(QLatin1Char(':'), Qt::SkipEmptyParts);
+    auto *p = d.data();
+    p->ciphers.clear();
+    const auto cipherNames = ciphers.split(u':', Qt::SkipEmptyParts);
     for (const QString &cipherName : cipherNames) {
         QSslCipher cipher(cipherName);
         if (!cipher.isNull())
-            d->ciphers << cipher;
+            p->ciphers << cipher;
     }
 }
 
@@ -955,7 +922,11 @@ void QSslConfiguration::setPreSharedKeyIdentityHint(const QByteArray &hint)
     Retrieves the current set of Diffie-Hellman parameters.
 
     If no Diffie-Hellman parameters have been set, the QSslConfiguration object
-    defaults to using the 1024-bit MODP group from RFC 2409.
+    defaults to using the 2048-bit MODP group from RFC 3526.
+
+    \note The default parameters may change in future Qt versions.
+    Please check the documentation of the \e{exact Qt version} that you
+    are using in order to know what defaults that version uses.
  */
 QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const
 {
@@ -969,7 +940,14 @@ QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const
     a server to \a dhparams.
 
     If no Diffie-Hellman parameters have been set, the QSslConfiguration object
-    defaults to using the 1024-bit MODP group from RFC 2409.
+    defaults to using the 2048-bit MODP group from RFC 3526.
+
+    Since 6.7 you can provide an empty Diffie-Hellman parameter to use auto selection
+    (see SSL_CTX_set_dh_auto of openssl) if the tls backend supports it.
+
+    \note The default parameters may change in future Qt versions.
+    Please check the documentation of the \e{exact Qt version} that you
+    are using in order to know what defaults that version uses.
  */
 void QSslConfiguration::setDiffieHellmanParameters(const QSslDiffieHellmanParameters &dhparams)
 {
@@ -1063,11 +1041,7 @@ QByteArray QSslConfiguration::nextNegotiatedProtocol() const
 
   \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1
  */
-#if QT_VERSION >= QT_VERSION_CHECK(6,0,0)
 void QSslConfiguration::setAllowedNextProtocols(const QList<QByteArray> &protocols)
-#else
-void QSslConfiguration::setAllowedNextProtocols(QList<QByteArray> protocols)
-#endif
 {
     d->nextAllowedProtocols = protocols;
 }
@@ -1116,7 +1090,7 @@ QSslConfiguration::NextProtocolNegotiationStatus QSslConfiguration::nextProtocol
          supported SSL ciphers that are 128 bits or more
     \endlist
 
-    \sa QSslSocket::supportedCiphers(), setDefaultConfiguration()
+    \sa supportedCiphers(), setDefaultConfiguration()
 */
 QSslConfiguration QSslConfiguration::defaultConfiguration()
 {
@@ -1128,14 +1102,14 @@ QSslConfiguration QSslConfiguration::defaultConfiguration()
     connections to be \a configuration. Existing connections are not
     affected by this call.
 
-    \sa QSslSocket::supportedCiphers(), defaultConfiguration()
+    \sa supportedCiphers(), defaultConfiguration()
 */
 void QSslConfiguration::setDefaultConfiguration(const QSslConfiguration &configuration)
 {
     QSslConfigurationPrivate::setDefaultConfiguration(configuration);
 }
 
-#if QT_CONFIG(dtls) || defined(Q_CLANG_QDOC)
+#if QT_CONFIG(dtls) || defined(Q_QDOC)
 
 /*!
   This function returns true if DTLS cookie verification was enabled on a