1 files changed, 87 insertions, 10 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 4f49a71e8a..e164217e4e 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -133,7 +133,8 @@
 
     \list
     \li The socket's cryptographic cipher suite can be customized before
-    the handshake phase with setCiphers() and setDefaultCiphers().
+    the handshake phase with QSslConfiguration::setCiphers()
+    and QSslConfiguration::setDefaultCiphers().
     \li The socket's local certificate and private key can be customized
     before the handshake phase with setLocalCertificate() and
     setPrivateKey().
@@ -202,6 +203,7 @@
     does not require this certificate to be valid. This is useful when you
     want to display peer certificate details to the user without affecting the
     actual SSL handshake. This mode is the default for servers.
+    Note: In Schannel this value acts the same as VerifyNone.
 
     \value VerifyPeer QSslSocket will request a certificate from the peer
     during the SSL handshake phase, and requires that this certificate is
@@ -312,6 +314,7 @@
 #include "qssl_p.h"
 #include "qsslsocket.h"
 #include "qsslcipher.h"
+#include "qocspresponse.h"
 #ifndef QT_NO_OPENSSL
 #include "qsslsocket_openssl_p.h"
 #endif
@@ -321,6 +324,9 @@
 #ifdef QT_SECURETRANSPORT
 #include "qsslsocket_mac_p.h"
 #endif
+#if QT_CONFIG(schannel)
+#include "qsslsocket_schannel_p.h"
+#endif
 #include "qsslconfiguration_p.h"
 
 #include <QtCore/qdebug.h>
@@ -459,6 +465,9 @@ void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, O
         return;
     }
 
+    if (!d->verifyProtocolSupported("QSslSocket::connectToHostEncrypted:"))
+        return;
+
     d->init();
     d->autoStartHandshake = true;
     d->initialized = true;
@@ -906,7 +915,8 @@ void QSslSocket::abort()
     time without notice.
 
     \sa localCertificate(), peerCertificate(), peerCertificateChain(),
-        sessionCipher(), privateKey(), ciphers(), caCertificates()
+        sessionCipher(), privateKey(), QSslConfiguration::ciphers(),
+        QSslConfiguration::caCertificates()
 */
 QSslConfiguration QSslSocket::sslConfiguration() const
 {
@@ -930,7 +940,8 @@ QSslConfiguration QSslSocket::sslConfiguration() const
 
     It is not possible to set the SSL-state related fields.
 
-    \sa setLocalCertificate(), setPrivateKey(), setCaCertificates(), setCiphers()
+    \sa setLocalCertificate(), setPrivateKey(), QSslConfiguration::setCaCertificates(),
+        QSslConfiguration::setCiphers()
 */
 void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration)
 {
@@ -952,6 +963,9 @@ void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration)
     d->configuration.nextAllowedProtocols = configuration.allowedNextProtocols();
     d->configuration.nextNegotiatedProtocol = configuration.nextNegotiatedProtocol();
     d->configuration.nextProtocolNegotiationStatus = configuration.nextProtocolNegotiationStatus();
+#if QT_CONFIG(ocsp)
+    d->configuration.ocspStaplingEnabled = configuration.ocspStaplingEnabled();
+#endif
 
     // if the CA certificates were set explicitly (either via
     // QSslConfiguration::setCaCertificates() or QSslSocket::setCaCertificates(),
@@ -1113,8 +1127,10 @@ QList<QSslCertificate> QSslSocket::peerCertificateChain() const
     session cipher. This ordered list must be in place before the
     handshake phase begins.
 
-    \sa ciphers(), setCiphers(), setDefaultCiphers(), defaultCiphers(),
-    supportedCiphers()
+    \sa QSslConfiguration::ciphers(), QSslConfiguration::setCiphers(),
+        QSslConfiguration::setCiphers(),
+        QSslConfiguration::ciphers(),
+        QSslConfiguration::supportedCiphers()
 */
 QSslCipher QSslSocket::sessionCipher() const
 {
@@ -1136,6 +1152,20 @@ QSsl::SslProtocol QSslSocket::sessionProtocol() const
     return d->sessionProtocol();
 }
 
+/*!
+    \since 5.13
+
+    This function returns Online Certificate Status Protocol responses that
+    a server may send during a TLS handshake using OCSP stapling. The vector
+    is empty if no definitive response or no response at all was received.
+
+    \sa QSslConfiguration::setOcspStaplingEnabled()
+*/
+QVector<QOcspResponse> QSslSocket::ocspResponses() const
+{
+    Q_D(const QSslSocket);
+    return d->ocspResponses;
+}
 
 /*!
     Sets the socket's private \l {QSslKey} {key} to \a key. The
@@ -1198,6 +1228,7 @@ QSslKey QSslSocket::privateKey() const
     return d->configuration.privateKey;
 }
 
+#if QT_DEPRECATED_SINCE(5, 5)
 /*!
     \deprecated
 
@@ -1341,6 +1372,7 @@ QList<QSslCipher> QSslSocket::supportedCiphers()
 {
     return QSslSocketPrivate::supportedCiphers();
 }
+#endif  // #if QT_DEPRECATED_SINCE(5, 5)
 
 /*!
   Searches all files in the \a path for certificates encoded in the
@@ -1376,7 +1408,8 @@ bool QSslSocket::addCaCertificates(const QString &path, QSsl::EncodingFormat for
 
   To add multiple certificates, use addCaCertificates().
 
-  \sa caCertificates(), setCaCertificates()
+  \sa QSslConfiguration::caCertificates(),
+      QSslConfiguration::setCaCertificates()
 */
 void QSslSocket::addCaCertificate(const QSslCertificate &certificate)
 {
@@ -1391,7 +1424,7 @@ void QSslSocket::addCaCertificate(const QSslCertificate &certificate)
 
   For more precise control, use addCaCertificate().
 
-  \sa caCertificates(), addDefaultCaCertificate()
+  \sa QSslConfiguration::caCertificates(), addDefaultCaCertificate()
 */
 void QSslSocket::addCaCertificates(const QList<QSslCertificate> &certificates)
 {
@@ -1399,6 +1432,7 @@ void QSslSocket::addCaCertificates(const QList<QSslCertificate> &certificates)
     d->configuration.caCertificates += certificates;
 }
 
+#if QT_DEPRECATED_SINCE(5, 5)
 /*!
   \deprecated
 
@@ -1443,6 +1477,7 @@ QList<QSslCertificate> QSslSocket::caCertificates() const
     Q_D(const QSslSocket);
     return d->configuration.caCertificates;
 }
+#endif  // #if QT_DEPRECATED_SINCE(5, 5)
 
 /*!
     Searches all files in the \a path for certificates with the
@@ -1454,7 +1489,8 @@ QList<QSslCertificate> QSslSocket::caCertificates() const
     Each SSL socket's CA certificate database is initialized to the
     default CA certificate database.
 
-    \sa defaultCaCertificates(), addCaCertificates(), addDefaultCaCertificate()
+    \sa QSslConfiguration::caCertificates(), addCaCertificates(),
+        addDefaultCaCertificate()
 */
 bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat encoding,
                                           QRegExp::PatternSyntax syntax)
@@ -1467,7 +1503,7 @@ bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFor
     SSL socket's CA certificate database is initialized to the default
     CA certificate database.
 
-    \sa defaultCaCertificates(), addCaCertificates()
+    \sa QSslConfiguration::defaultCaCertificates(), addCaCertificates()
 */
 void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate)
 {
@@ -1479,13 +1515,14 @@ void QSslSocket::addDefaultCaCertificate(const QSslCertificate &certificate)
     SSL socket's CA certificate database is initialized to the default
     CA certificate database.
 
-    \sa defaultCaCertificates(), addCaCertificates()
+    \sa QSslConfiguration::caCertificates(), addCaCertificates()
 */
 void QSslSocket::addDefaultCaCertificates(const QList<QSslCertificate> &certificates)
 {
     QSslSocketPrivate::addDefaultCaCertificates(certificates);
 }
 
+#if QT_DEPRECATED_SINCE(5, 5)
 /*!
     \deprecated
 
@@ -1553,6 +1590,7 @@ QList<QSslCertificate> QSslSocket::systemCaCertificates()
     // we are calling ensureInitialized() in the method below
     return QSslSocketPrivate::systemCaCertificates();
 }
+#endif  // #if QT_DEPRECATED_SINCE(5, 5)
 
 /*!
     Waits until the socket is connected, or \a msecs milliseconds,
@@ -1597,6 +1635,8 @@ bool QSslSocket::waitForEncrypted(int msecs)
         return false;
     if (d->mode == UnencryptedMode && !d->autoStartHandshake)
         return false;
+    if (!d->verifyProtocolSupported("QSslSocket::waitForEncrypted:"))
+        return false;
 
     QElapsedTimer stopWatch;
     stopWatch.start();
@@ -1846,6 +1886,10 @@ void QSslSocket::startClientEncryption()
         d->setErrorAndEmit(QAbstractSocket::SslInternalError, tr("TLS initialization failed"));
         return;
     }
+
+    if (!d->verifyProtocolSupported("QSslSocket::startClientEncryption:"))
+        return;
+
 #ifdef QSSLSOCKET_DEBUG
     qCDebug(lcSsl) << "QSslSocket::startClientEncryption()";
 #endif
@@ -1889,6 +1933,9 @@ void QSslSocket::startServerEncryption()
         d->setErrorAndEmit(QAbstractSocket::SslInternalError, tr("TLS initialization failed"));
         return;
     }
+    if (!d->verifyProtocolSupported("QSslSocket::startServerEncryption"))
+        return;
+
     d->mode = SslServerMode;
     emit modeChanged(d->mode);
     d->startServerEncryption();
@@ -1974,6 +2021,7 @@ void QSslSocket::connectToHost(const QString &hostName, quint16 port, OpenMode o
         d->createPlainSocket(openMode);
     }
 #ifndef QT_NO_NETWORKPROXY
+    d->plainSocket->setProtocolTag(d->protocolTag);
     d->plainSocket->setProxy(proxy());
 #endif
     QIODevice::open(openMode);
@@ -2108,6 +2156,7 @@ void QSslSocketPrivate::init()
     shutdown = false;
     pendingClose = false;
     flushTriggered = false;
+    ocspResponses.clear();
 
     // we don't want to clear the ignoreErrorsList, so
     // that it is possible setting it before connecting
@@ -2122,6 +2171,20 @@ void QSslSocketPrivate::init()
 /*!
     \internal
 */
+bool QSslSocketPrivate::verifyProtocolSupported(const char *where)
+{
+    if (configuration.protocol == QSsl::SslV2 || configuration.protocol == QSsl::SslV3) {
+        qCWarning(lcSsl) << where << "Attempted to use an unsupported protocol.";
+        setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError,
+                        QSslSocket::tr("Attempted to use an unsupported protocol."));
+        return false;
+    }
+    return true;
+}
+
+/*!
+    \internal
+*/
 QList<QSslCipher> QSslSocketPrivate::defaultCiphers()
 {
     QSslSocketPrivate::ensureInitialized();
@@ -2324,6 +2387,9 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
 #if QT_CONFIG(dtls)
     ptr->dtlsCookieEnabled = global->dtlsCookieEnabled;
 #endif
+#if QT_CONFIG(ocsp)
+    ptr->ocspStaplingEnabled = global->ocspStaplingEnabled;
+#endif
 }
 
 /*!
@@ -2822,6 +2888,17 @@ QSharedPointer<QSslContext> QSslSocketPrivate::sslContext(QSslSocket *socket)
 
 bool QSslSocketPrivate::isMatchingHostname(const QSslCertificate &cert, const QString &peerName)
 {
+    QHostAddress hostAddress(peerName);
+    if (!hostAddress.isNull()) {
+        const auto subjectAlternativeNames = cert.subjectAlternativeNames();
+        const auto ipAddresses = subjectAlternativeNames.equal_range(QSsl::AlternativeNameEntryType::IpAddressEntry);
+
+        for (auto it = ipAddresses.first; it != ipAddresses.second; it++) {
+            if (QHostAddress(*it).isEqual(hostAddress, QHostAddress::StrictConversion))
+                return true;
+        }
+    }
+
     const QString lowerPeerName = QString::fromLatin1(QUrl::toAce(peerName));
     const QStringList commonNames = cert.subjectInfo(QSslCertificate::CommonName);