1 files changed, 150 insertions, 87 deletions

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 8f1d5d377d..c455f70d55 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -228,6 +228,74 @@
 */
 
 /*!
+    \enum QAlertLevel
+    \brief Describes the level of an alert message
+    \relates QSslSocket
+    \since 6.0
+
+    \ingroup network
+    \ingroup ssl
+    \inmodule QtNetwork
+
+    This enum describes the level of an alert message that was sent
+    or received.
+
+    \value Warning Non-fatal alert message
+    \value Fatal Fatal alert message, the underlying backend will
+           handle such an alert properly and close the connection.
+    \value Unknown An alert of unknown level of severity.
+*/
+
+/*!
+    \enum QAlertType
+    \brief Enumerates possible codes that an alert message can have
+    \relates QSslSocket
+    \since 6.0
+
+    \ingroup network
+    \ingroup ssl
+    \inmodule QtNetwork
+
+    See \l{https://tools.ietf.org/html/rfc8446#page-85}{RFC 8446, section 6}
+    for the possible values and their meaning.
+
+    \value CloseNotify,
+    \value UnexpectedMessage
+    \value BadRecordMac
+    \value RecordOverflow
+    \value DecompressionFailure
+    \value HandshakeFailure
+    \value NoCertificate
+    \value BadCertificate
+    \value UnsupportedCertificate
+    \value CertificateRevoked
+    \value CertificateExpired
+    \value CertificateUnknown
+    \value IllegalParameter
+    \value UnknownCa
+    \value AccessDenied
+    \value DecodeError
+    \value DecryptError
+    \value ExportRestriction
+    \value ProtocolVersion
+    \value InsufficientSecurity
+    \value InternalError
+    \value InappropriateFallback
+    \value UserCancelled
+    \value NoRenegotiation
+    \value MissingExtension
+    \value UnsupportedExtension
+    \value CertificateUnobtainable
+    \value UnrecognizedName
+    \value BadCertificateStatusResponse
+    \value BadCertificateHashValue
+    \value UnknownPskIdentity
+    \value CertificateRequired
+    \value NoApplicationProtocol
+    \value UnknownAlertMessage
+*/
+
+/*!
     \fn void QSslSocket::encrypted()
 
     This signal is emitted when QSslSocket enters encrypted mode. After this
@@ -323,6 +391,49 @@
 */
 
 /*!
+    \fn void QSslSocket::alertSent(QAlertLevel level, QAlertType type, const QString &description)
+
+    QSslSocket emits this signal if an alert message was sent to a peer. \a level
+    describes if it was a warning or a fatal error. \a type gives the code
+    of the alert message. When a textual description of the alert message is
+    available, it is supplied in \a description.
+
+    \note This signal is mostly informational and can be used for debugging
+    purposes, normally it does not require any actions from the application.
+    \note Not all backends support this functionality.
+
+    \sa alertReceived(), QAlertLevel, QAlertType
+*/
+
+/*!
+    \fn void QSslSocket::alertReceived(QAlertLevel level, QAlertType type, const QString &description)
+
+    QSslSocket emits this signal if an alert message was received from a peer.
+    \a level tells if the alert was fatal or it was a warning. \a type is the
+    code explaining why the alert was sent. When a textual description of
+    the alert message is available, it is supplied in \a description.
+
+    \note The signal is mostly for informational and debugging purposes and does not
+    require any handling in the application. If the alert was fatal, underlying
+    backend will handle it and close the connection.
+    \note Not all backends support this functionality.
+
+    \sa alertSent(), QAlertLevel, QAlertType
+*/
+
+/*!
+    \fn void QSslSocket::handshakeInterruptedOnError(const QSslError &error)
+
+    QSslSocket emits this signal if a certificate verification error was
+    found and if early error reporting was enabled in QSslConfiguration.
+    An application is expected to inspect the \a error and decide if
+    it wants to continue the handshake, or abort it and send an alert message
+    to the peer. The signal-slot connection must be direct.
+
+    \sa continueInterruptedHandshake(), sslErrors(), QSslConfiguration::setHandshakeMustInterruptOnError()
+*/
+
+/*!
     \fn void QSslSocket::newSessionTicketReceived()
     \since 5.15
 
@@ -993,7 +1104,10 @@ void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration)
 #if QT_CONFIG(ocsp)
     d->configuration.ocspStaplingEnabled = configuration.ocspStaplingEnabled();
 #endif
-
+#if QT_CONFIG(openssl)
+    d->configuration.reportFromCallback = configuration.handshakeMustInterruptOnError();
+    d->configuration.missingCertIsFatal = configuration.missingCertificateIsFatal();
+#endif // openssl
     // if the CA certificates were set explicitly (either via
     // QSslConfiguration::setCaCertificates() or QSslSocket::setCaCertificates(),
     // we cannot load the certificates on demand
@@ -1413,40 +1527,6 @@ QList<QSslCipher> QSslSocket::supportedCiphers()
 /*!
   \deprecated
 
-  Use QSslConfiguration::addCaCertificates() instead.
-
-  Searches all files in the \a path for certificates encoded in the
-  specified \a format and adds them to this socket's CA certificate
-  database. \a path must be a file or a pattern matching one or more
-  files, as specified by \a syntax. Returns \c true if one or more
-  certificates are added to the socket's CA certificate database;
-  otherwise returns \c false.
-
-  The CA certificate database is used by the socket during the
-  handshake phase to validate the peer's certificate.
-
-  For more precise control, use addCaCertificate().
-
-  \sa addCaCertificate(), QSslCertificate::fromPath()
-*/
-bool QSslSocket::addCaCertificates(const QString &path, QSsl::EncodingFormat format,
-                                   QRegExp::PatternSyntax syntax)
-{
-    Q_D(QSslSocket);
-QT_WARNING_PUSH
-QT_WARNING_DISABLE_DEPRECATED
-    QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax);
-QT_WARNING_POP
-    if (certs.isEmpty())
-        return false;
-
-    d->configuration.caCertificates += certs;
-    return true;
-}
-
-/*!
-  \deprecated
-
   Use QSslConfiguration::addCaCertificate() instead.
 
   Adds the \a certificate to this socket's CA certificate database.
@@ -1533,29 +1613,6 @@ QList<QSslCertificate> QSslSocket::caCertificates() const
 /*!
     \deprecated
 
-    Use QSslConfiguration::addCaCertificates() on the default QSslConfiguration instead.
-
-    Searches all files in the \a path for certificates with the
-    specified \a encoding and adds them to the default CA certificate
-    database. \a path can be an explicit file, or it can contain
-    wildcards in the format specified by \a syntax. Returns \c true if
-    any CA certificates are added to the default database.
-
-    Each SSL socket's CA certificate database is initialized to the
-    default CA certificate database.
-
-    \sa QSslConfiguration::caCertificates(), QSslConfiguration::addCaCertificates(),
-        QSslConfiguration::addCaCertificate()
-*/
-bool QSslSocket::addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat encoding,
-                                          QRegExp::PatternSyntax syntax)
-{
-    return QSslSocketPrivate::addDefaultCaCertificates(path, encoding, syntax);
-}
-
-/*!
-    \deprecated
-
     Use QSslConfiguration::addCaCertificate() on the default QSslConfiguration instead.
 
     Adds \a certificate to the default CA certificate database.  Each
@@ -2083,6 +2140,23 @@ void QSslSocket::ignoreSslErrors(const QList<QSslError> &errors)
     d->ignoreErrorsList = errors;
 }
 
+
+/*!
+    \since 6.0
+
+    If an application wants to conclude a handshake even after receiving
+    handshakeInterruptedOnError() signal, it must call this function.
+    This call must be done from a slot function attached to the signal.
+    The signal-slot connection must be direct.
+
+    \sa handshakeInterruptedOnError(), QSslConfiguration::setHandshakeMustInterruptOnError()
+*/
+void QSslSocket::continueInterruptedHandshake()
+{
+    Q_D(QSslSocket);
+    d->handshakeInterrupted = false;
+}
+
 /*!
     \internal
 */
@@ -2257,13 +2331,24 @@ void QSslSocketPrivate::init()
 */
 bool QSslSocketPrivate::verifyProtocolSupported(const char *where)
 {
-    if (configuration.protocol == QSsl::SslV2 || configuration.protocol == QSsl::SslV3) {
-        qCWarning(lcSsl) << where << "Attempted to use an unsupported protocol.";
+    QLatin1String protocolName("DTLS");
+    switch (configuration.protocol) {
+    case QSsl::UnknownProtocol:
+        // UnknownProtocol, according to our docs, is for cipher whose protocol is unknown.
+        // Should not be used when configuring QSslSocket.
+        protocolName = QLatin1String("UnknownProtocol");
+        Q_FALLTHROUGH();
+    case QSsl::DtlsV1_0:
+    case QSsl::DtlsV1_2:
+    case QSsl::DtlsV1_0OrLater:
+    case QSsl::DtlsV1_2OrLater:
+        qCWarning(lcSsl) << where << "QSslConfiguration with unexpected protocol" << protocolName;
         setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError,
                         QSslSocket::tr("Attempted to use an unsupported protocol."));
         return false;
+    default:
+        return true;
     }
-    return true;
 }
 
 /*!
@@ -2376,28 +2461,6 @@ void QSslSocketPrivate::setDefaultCaCertificates(const QList<QSslCertificate> &c
 /*!
     \internal
 */
-bool QSslSocketPrivate::addDefaultCaCertificates(const QString &path, QSsl::EncodingFormat format,
-                                                 QRegExp::PatternSyntax syntax)
-{
-    QSslSocketPrivate::ensureInitialized();
-QT_WARNING_PUSH
-QT_WARNING_DISABLE_DEPRECATED
-    QList<QSslCertificate> certs = QSslCertificate::fromPath(path, format, syntax);
-QT_WARNING_POP
-    if (certs.isEmpty())
-        return false;
-
-    QMutexLocker locker(&globalData()->mutex);
-    globalData()->config.detach();
-    globalData()->config->caCertificates += certs;
-    globalData()->dtlsConfig.detach();
-    globalData()->dtlsConfig->caCertificates += certs;
-    return true;
-}
-
-/*!
-    \internal
-*/
 void QSslSocketPrivate::addDefaultCaCertificate(const QSslCertificate &cert)
 {
     QSslSocketPrivate::ensureInitialized();
@@ -2477,6 +2540,10 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
 #if QT_CONFIG(ocsp)
     ptr->ocspStaplingEnabled = global->ocspStaplingEnabled;
 #endif
+#if QT_CONFIG(openssl)
+    ptr->reportFromCallback = global->reportFromCallback;
+    ptr->missingCertIsFatal = global->missingCertIsFatal;
+#endif
 }
 
 /*!
@@ -2519,10 +2586,6 @@ void QSslSocketPrivate::createPlainSocket(QIODevice::OpenMode openMode)
     q->setPeerName(QString());
 
     plainSocket = new QTcpSocket(q);
-#ifndef QT_NO_BEARERMANAGEMENT // ### Qt6: Remove section
-    //copy network session down to the plain socket (if it has been set)
-    plainSocket->setProperty("_q_networksession", q->property("_q_networksession"));
-#endif
     q->connect(plainSocket, SIGNAL(connected()),
                q, SLOT(_q_connectedSlot()),
                Qt::DirectConnection);