diff options
Diffstat (limited to 'src/network/ssl')
| -rw-r--r-- | src/network/ssl/qssl.cpp | 4 | ||||
| -rw-r--r-- | src/network/ssl/qssl.h | 3 | ||||
| -rw-r--r-- | src/network/ssl/qsslcertificate.h | 5 | ||||
| -rw-r--r-- | src/network/ssl/qsslcertificate_openssl.cpp | 3 | ||||
| -rw-r--r-- | src/network/ssl/qsslcertificateextension.h | 8 | ||||
| -rw-r--r-- | src/network/ssl/qsslcipher.h | 7 | ||||
| -rw-r--r-- | src/network/ssl/qsslconfiguration.h | 5 | ||||
| -rw-r--r-- | src/network/ssl/qsslellipticcurve.h | 3 | ||||
| -rw-r--r-- | src/network/ssl/qsslerror.h | 5 | ||||
| -rw-r--r-- | src/network/ssl/qsslkey.h | 7 | ||||
| -rw-r--r-- | src/network/ssl/qsslpresharedkeyauthenticator.h | 8 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 44 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket_openssl_symbols.cpp | 7 | ||||
| -rw-r--r-- | src/network/ssl/qsslsocket_openssl_symbols_p.h | 16 |
14 files changed, 79 insertions, 46 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp index 26381fcb8e..84aa9d7dca 100644 --- a/src/network/ssl/qssl.cpp +++ b/src/network/ssl/qssl.cpp @@ -166,6 +166,10 @@ Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl"); in ASN.1 format as returned by QSslConfiguration::sessionTicket(). Enabling this feature adds memory overhead of approximately 1K per used session ticket. + \value SslOptionDisableServerCipherPreference Disables selecting the cipher + chosen based on the servers preferences rather than the order ciphers were + sent by the client. This option is only relevant to server sockets, and is + only honored by the OpenSSL backend. By default, SslOptionDisableEmptyFragments is turned on since this causes problems with a large number of servers. SslOptionDisableLegacyRenegotiation diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h index f56c36b219..03497ecf76 100644 --- a/src/network/ssl/qssl.h +++ b/src/network/ssl/qssl.h @@ -95,7 +95,8 @@ namespace QSsl { SslOptionDisableServerNameIndication = 0x08, SslOptionDisableLegacyRenegotiation = 0x10, SslOptionDisableSessionSharing = 0x20, - SslOptionDisableSessionPersistence = 0x40 + SslOptionDisableSessionPersistence = 0x40, + SslOptionDisableServerCipherPreference = 0x80 }; Q_DECLARE_FLAGS(SslOptions, SslOption) } diff --git a/src/network/ssl/qsslcertificate.h b/src/network/ssl/qsslcertificate.h index ef0767ae8f..bd8dcb6c7f 100644 --- a/src/network/ssl/qsslcertificate.h +++ b/src/network/ssl/qsslcertificate.h @@ -83,9 +83,12 @@ public: explicit QSslCertificate(const QByteArray &data = QByteArray(), QSsl::EncodingFormat format = QSsl::Pem); QSslCertificate(const QSslCertificate &other); ~QSslCertificate(); +#ifdef Q_COMPILER_RVALUE_REFS + QSslCertificate &operator=(QSslCertificate &&other) Q_DECL_NOTHROW { swap(other); return *this; } +#endif QSslCertificate &operator=(const QSslCertificate &other); - inline void swap(QSslCertificate &other) + void swap(QSslCertificate &other) Q_DECL_NOTHROW { qSwap(d, other.d); } bool operator==(const QSslCertificate &other) const; diff --git a/src/network/ssl/qsslcertificate_openssl.cpp b/src/network/ssl/qsslcertificate_openssl.cpp index ad88ea5d56..3324587821 100644 --- a/src/network/ssl/qsslcertificate_openssl.cpp +++ b/src/network/ssl/qsslcertificate_openssl.cpp @@ -464,8 +464,9 @@ QList<QSslCertificateExtension> QSslCertificate::extensions() const return result; int count = q_X509_get_ext_count(d->x509); + result.reserve(count); - for (int i=0; i < count; i++) { + for (int i = 0; i < count; i++) { X509_EXTENSION *ext = q_X509_get_ext(d->x509, i); result << QSslCertificatePrivate::convertExtension(ext); } diff --git a/src/network/ssl/qsslcertificateextension.h b/src/network/ssl/qsslcertificateextension.h index 7c958eff30..8dd0e8eb4b 100644 --- a/src/network/ssl/qsslcertificateextension.h +++ b/src/network/ssl/qsslcertificateextension.h @@ -51,11 +51,13 @@ class Q_NETWORK_EXPORT QSslCertificateExtension public: QSslCertificateExtension(); QSslCertificateExtension(const QSslCertificateExtension &other); - ~QSslCertificateExtension(); - +#ifdef Q_COMPILER_RVALUE_REFS + QSslCertificateExtension &operator=(QSslCertificateExtension &&other) Q_DECL_NOTHROW { swap(other); return *this; } +#endif QSslCertificateExtension &operator=(const QSslCertificateExtension &other); + ~QSslCertificateExtension(); - void swap(QSslCertificateExtension &other) { qSwap(d, other.d); } + void swap(QSslCertificateExtension &other) Q_DECL_NOTHROW { qSwap(d, other.d); } QString oid() const; QString name() const; diff --git a/src/network/ssl/qsslcipher.h b/src/network/ssl/qsslcipher.h index dc65e32111..64122cdd53 100644 --- a/src/network/ssl/qsslcipher.h +++ b/src/network/ssl/qsslcipher.h @@ -52,10 +52,13 @@ public: explicit QSslCipher(const QString &name); QSslCipher(const QString &name, QSsl::SslProtocol protocol); QSslCipher(const QSslCipher &other); - ~QSslCipher(); +#ifdef Q_COMPILER_RVALUE_REFS + QSslCipher &operator=(QSslCipher &&other) Q_DECL_NOTHROW { swap(other); return *this; } +#endif QSslCipher &operator=(const QSslCipher &other); + ~QSslCipher(); - inline void swap(QSslCipher &other) + void swap(QSslCipher &other) Q_DECL_NOTHROW { qSwap(d, other.d); } bool operator==(const QSslCipher &other) const; diff --git a/src/network/ssl/qsslconfiguration.h b/src/network/ssl/qsslconfiguration.h index 960aec60ce..2cbc31b032 100644 --- a/src/network/ssl/qsslconfiguration.h +++ b/src/network/ssl/qsslconfiguration.h @@ -71,9 +71,12 @@ public: QSslConfiguration(); QSslConfiguration(const QSslConfiguration &other); ~QSslConfiguration(); +#ifdef Q_COMPILER_RVALUE_REFS + QSslConfiguration &operator=(QSslConfiguration &&other) Q_DECL_NOTHROW { swap(other); return *this; } +#endif QSslConfiguration &operator=(const QSslConfiguration &other); - inline void swap(QSslConfiguration &other) + void swap(QSslConfiguration &other) Q_DECL_NOTHROW { qSwap(d, other.d); } bool operator==(const QSslConfiguration &other) const; diff --git a/src/network/ssl/qsslellipticcurve.h b/src/network/ssl/qsslellipticcurve.h index 63ab2f3c37..a4dc4517ff 100644 --- a/src/network/ssl/qsslellipticcurve.h +++ b/src/network/ssl/qsslellipticcurve.h @@ -37,7 +37,10 @@ #include <QtCore/QtGlobal> #include <QtCore/QString> #include <QtCore/QMetaType> +#if QT_DEPRECATED_SINCE(5, 5) #include <QtCore/QHash> +#endif +#include <QtCore/qhashfunctions.h> QT_BEGIN_NAMESPACE diff --git a/src/network/ssl/qsslerror.h b/src/network/ssl/qsslerror.h index b149f86d9e..bc2a2d5220 100644 --- a/src/network/ssl/qsslerror.h +++ b/src/network/ssl/qsslerror.h @@ -84,10 +84,13 @@ public: QSslError(const QSslError &other); - inline void swap(QSslError &other) + void swap(QSslError &other) Q_DECL_NOTHROW { qSwap(d, other.d); } ~QSslError(); +#ifdef Q_COMPILER_RVALUE_REFS + QSslError &operator=(QSslError &&other) Q_DECL_NOTHROW { swap(other); return *this; } +#endif QSslError &operator=(const QSslError &other); bool operator==(const QSslError &other) const; inline bool operator!=(const QSslError &other) const diff --git a/src/network/ssl/qsslkey.h b/src/network/ssl/qsslkey.h index b89069e4cb..d02c031015 100644 --- a/src/network/ssl/qsslkey.h +++ b/src/network/ssl/qsslkey.h @@ -64,10 +64,13 @@ public: const QByteArray &passPhrase = QByteArray()); explicit QSslKey(Qt::HANDLE handle, QSsl::KeyType type = QSsl::PrivateKey); QSslKey(const QSslKey &other); - ~QSslKey(); +#ifdef Q_COMPILER_RVALUE_REFS + QSslKey &operator=(QSslKey &&other) Q_DECL_NOTHROW { swap(other); return *this; } +#endif QSslKey &operator=(const QSslKey &other); + ~QSslKey(); - inline void swap(QSslKey &other) { qSwap(d, other.d); } + void swap(QSslKey &other) Q_DECL_NOTHROW { qSwap(d, other.d); } bool isNull() const; void clear(); diff --git a/src/network/ssl/qsslpresharedkeyauthenticator.h b/src/network/ssl/qsslpresharedkeyauthenticator.h index 159b16d563..34e5d6fd50 100644 --- a/src/network/ssl/qsslpresharedkeyauthenticator.h +++ b/src/network/ssl/qsslpresharedkeyauthenticator.h @@ -52,14 +52,10 @@ public: Q_NETWORK_EXPORT QSslPreSharedKeyAuthenticator &operator=(const QSslPreSharedKeyAuthenticator &authenticator); #ifdef Q_COMPILER_RVALUE_REFS - inline QSslPreSharedKeyAuthenticator &operator=(QSslPreSharedKeyAuthenticator &&authenticator) - { d.swap(authenticator.d); return *this; } + QSslPreSharedKeyAuthenticator &operator=(QSslPreSharedKeyAuthenticator &&other) Q_DECL_NOTHROW { swap(other); return *this; } #endif - void swap(QSslPreSharedKeyAuthenticator &authenticator) - { - d.swap(authenticator.d); - } + void swap(QSslPreSharedKeyAuthenticator &other) Q_DECL_NOTHROW { qSwap(d, other.d); } Q_NETWORK_EXPORT QByteArray identityHint() const; diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index 049666b70b..3bcb8925c1 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -344,6 +344,9 @@ long QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, Q options |= SSL_OP_NO_COMPRESSION; #endif + if (!(sslOptions & QSsl::SslOptionDisableServerCipherPreference)) + options |= SSL_OP_CIPHER_SERVER_PREFERENCE; + return options; } @@ -491,30 +494,8 @@ bool QSslSocketPrivate::ensureLibraryLoaded() // Initialize OpenSSL's random seed. if (!q_RAND_status()) { - struct { - int msec; - int sec; - void *stack; - } randomish; - - int attempts = 500; - do { - if (attempts < 500) { -#ifdef Q_OS_UNIX - struct timespec ts = {0, 33333333}; - nanosleep(&ts, 0); -#else - Sleep(3); -#endif - randomish.msec = attempts; - } - randomish.stack = (void *)&randomish; - randomish.msec = QTime::currentTime().msec(); - randomish.sec = QTime::currentTime().second(); - q_RAND_seed((const char *)&randomish, sizeof(randomish)); - } while (!q_RAND_status() && --attempts); - if (!attempts) - return false; + qWarning("Random number generator not seeded, disabling SSL support"); + return false; } } return true; @@ -662,8 +643,10 @@ void QSslSocketPrivate::resetDefaultCiphers() if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) { QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher); if (!ciph.isNull()) { - // Unconditionally exclude ADH ciphers since they offer no MITM protection - if (!ciph.name().toLower().startsWith(QLatin1String("adh"))) + // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection + if (!ciph.name().toLower().startsWith(QLatin1String("adh")) && + !ciph.name().toLower().startsWith(QLatin1String("exp-adh")) && + !ciph.name().toLower().startsWith(QLatin1String("aecdh"))) ciphers << ciph; if (ciph.usedBits() >= 128) defaultCiphers << ciph; @@ -688,6 +671,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves() QVarLengthArray<EC_builtin_curve> builtinCurves(static_cast<int>(curveCount)); if (q_EC_get_builtin_curves(builtinCurves.data(), curveCount) == curveCount) { + curves.reserve(int(curveCount)); for (size_t i = 0; i < curveCount; ++i) { QSslEllipticCurve curve; curve.id = builtinCurves[int(i)].nid; @@ -1216,7 +1200,9 @@ bool QSslSocketBackendPrivate::startHandshake() } // Translate errors from the error list into QSslErrors. - for (int i = 0; i < errorList.size(); ++i) { + const int numErrors = errorList.size(); + errors.reserve(errors.size() + numErrors); + for (int i = 0; i < numErrors; ++i) { const QPair<int, int> &errorAndDepth = errorList.at(i); int err = errorAndDepth.first; int depth = errorAndDepth.second; @@ -1778,7 +1764,9 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & } // Translate errors from the error list into QSslErrors. - for (int i = 0; i < errorList.size(); ++i) { + const int numErrors = errorList.size(); + errors.reserve(errors.size() + numErrors); + for (int i = 0; i < numErrors; ++i) { const QPair<int, int> &errorAndDepth = errorList.at(i); int err = errorAndDepth.first; int depth = errorAndDepth.second; diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp index e2700df3cc..042c593e62 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp @@ -119,10 +119,13 @@ void qsslSocketUnresolvedSymbolWarning(const char *functionName) qCWarning(lcSsl, "QSslSocket: cannot call unresolved function %s", functionName); } +#ifndef QT_NO_LIBRARY void qsslSocketCannotResolveSymbolWarning(const char *functionName) { qCWarning(lcSsl, "QSslSocket: cannot resolve %s", functionName); } +#endif + } #endif // QT_LINKED_OPENSSL @@ -309,13 +312,17 @@ DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) #endif #else +#ifndef OPENSSL_NO_SSL2 DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif #ifndef OPENSSL_NO_SSL3_METHOD DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) #endif DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) +#ifndef OPENSSL_NO_SSL2 DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif #ifndef OPENSSL_NO_SSL3_METHOD DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) #endif diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h index 626c049629..a15bf4b87d 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols_p.h +++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h @@ -363,27 +363,43 @@ typedef unsigned int (*q_psk_client_callback_t)(SSL *ssl, const char *hint, char void q_SSL_set_psk_client_callback(SSL *ssl, q_psk_client_callback_t callback); #endif // OPENSSL_NO_PSK #if OPENSSL_VERSION_NUMBER >= 0x10000000L +#ifndef OPENSSL_NO_SSL2 const SSL_METHOD *q_SSLv2_client_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD const SSL_METHOD *q_SSLv3_client_method(); +#endif const SSL_METHOD *q_SSLv23_client_method(); const SSL_METHOD *q_TLSv1_client_method(); const SSL_METHOD *q_TLSv1_1_client_method(); const SSL_METHOD *q_TLSv1_2_client_method(); +#ifndef OPENSSL_NO_SSL2 const SSL_METHOD *q_SSLv2_server_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD const SSL_METHOD *q_SSLv3_server_method(); +#endif const SSL_METHOD *q_SSLv23_server_method(); const SSL_METHOD *q_TLSv1_server_method(); const SSL_METHOD *q_TLSv1_1_server_method(); const SSL_METHOD *q_TLSv1_2_server_method(); #else +#ifndef OPENSSL_NO_SSL2 SSL_METHOD *q_SSLv2_client_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD SSL_METHOD *q_SSLv3_client_method(); +#endif SSL_METHOD *q_SSLv23_client_method(); SSL_METHOD *q_TLSv1_client_method(); SSL_METHOD *q_TLSv1_1_client_method(); SSL_METHOD *q_TLSv1_2_client_method(); +#ifndef OPENSSL_NO_SSL2 SSL_METHOD *q_SSLv2_server_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD SSL_METHOD *q_SSLv3_server_method(); +#endif SSL_METHOD *q_SSLv23_server_method(); SSL_METHOD *q_TLSv1_server_method(); SSL_METHOD *q_TLSv1_1_server_method(); |