diff options
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
| -rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 44 |
1 files changed, 16 insertions, 28 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 049666b70b..3bcb8925c1 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -344,6 +344,9 @@ long QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, Q options |= SSL_OP_NO_COMPRESSION; #endif + if (!(sslOptions & QSsl::SslOptionDisableServerCipherPreference)) + options |= SSL_OP_CIPHER_SERVER_PREFERENCE; + return options; } @@ -491,30 +494,8 @@ bool QSslSocketPrivate::ensureLibraryLoaded() // Initialize OpenSSL's random seed. if (!q_RAND_status()) { - struct { - int msec; - int sec; - void *stack; - } randomish; - - int attempts = 500; - do { - if (attempts < 500) { -#ifdef Q_OS_UNIX - struct timespec ts = {0, 33333333}; - nanosleep(&ts, 0); -#else - Sleep(3); -#endif - randomish.msec = attempts; - } - randomish.stack = (void *)&randomish; - randomish.msec = QTime::currentTime().msec(); - randomish.sec = QTime::currentTime().second(); - q_RAND_seed((const char *)&randomish, sizeof(randomish)); - } while (!q_RAND_status() && --attempts); - if (!attempts) - return false; + qWarning("Random number generator not seeded, disabling SSL support"); + return false; } } return true; @@ -662,8 +643,10 @@ void QSslSocketPrivate::resetDefaultCiphers() if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) { QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher); if (!ciph.isNull()) { - // Unconditionally exclude ADH ciphers since they offer no MITM protection - if (!ciph.name().toLower().startsWith(QLatin1String("adh"))) + // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection + if (!ciph.name().toLower().startsWith(QLatin1String("adh")) && + !ciph.name().toLower().startsWith(QLatin1String("exp-adh")) && + !ciph.name().toLower().startsWith(QLatin1String("aecdh"))) ciphers << ciph; if (ciph.usedBits() >= 128) defaultCiphers << ciph; @@ -688,6 +671,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves() QVarLengthArray<EC_builtin_curve> builtinCurves(static_cast<int>(curveCount)); if (q_EC_get_builtin_curves(builtinCurves.data(), curveCount) == curveCount) { + curves.reserve(int(curveCount)); for (size_t i = 0; i < curveCount; ++i) { QSslEllipticCurve curve; curve.id = builtinCurves[int(i)].nid; @@ -1216,7 +1200,9 @@ bool QSslSocketBackendPrivate::startHandshake() } // Translate errors from the error list into QSslErrors. - for (int i = 0; i < errorList.size(); ++i) { + const int numErrors = errorList.size(); + errors.reserve(errors.size() + numErrors); + for (int i = 0; i < numErrors; ++i) { const QPair<int, int> &errorAndDepth = errorList.at(i); int err = errorAndDepth.first; int depth = errorAndDepth.second; @@ -1778,7 +1764,9 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & } // Translate errors from the error list into QSslErrors. - for (int i = 0; i < errorList.size(); ++i) { + const int numErrors = errorList.size(); + errors.reserve(errors.size() + numErrors); + for (int i = 0; i < numErrors; ++i) { const QPair<int, int> &errorAndDepth = errorList.at(i); int err = errorAndDepth.first; int depth = errorAndDepth.second; |