Diffstat (limited to 'src/network/ssl')
-rw-r--r--src/network/ssl/qsslcertificate.h2
-rw-r--r--src/network/ssl/qssldiffiehellmanparameters_openssl.cpp4
-rw-r--r--src/network/ssl/qsslkey_qt.cpp7
-rw-r--r--src/network/ssl/qsslsocket.cpp14
-rw-r--r--src/network/ssl/qsslsocket.h38
-rw-r--r--src/network/ssl/qsslsocket_mac.cpp6
-rw-r--r--src/network/ssl/qsslsocket_mac_p.h16
-rw-r--r--src/network/ssl/qsslsocket_openssl_p.h18
-rw-r--r--src/network/ssl/qsslsocket_opensslpre11.cpp3
-rw-r--r--src/network/ssl/qsslsocket_p.h9
-rw-r--r--src/network/ssl/qsslsocket_winrt.cpp2
-rw-r--r--src/network/ssl/qsslsocket_winrt_p.h16
12 files changed, 74 insertions, 61 deletions
diff --git a/src/network/ssl/qsslcertificate.h b/src/network/ssl/qsslcertificate.h
index 8b051a5c88..6cd66fd20f 100644
--- a/src/network/ssl/qsslcertificate.h
+++ b/src/network/ssl/qsslcertificate.h
@@ -154,7 +154,7 @@ public:
static bool importPkcs12(QIODevice *device,
QSslKey *key, QSslCertificate *cert,
- QList<QSslCertificate> *caCertificates = Q_NULLPTR,
+ QList<QSslCertificate> *caCertificates = nullptr,
const QByteArray &passPhrase=QByteArray());
Qt::HANDLE handle() const;
diff --git a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
index 5ebad822f1..00e9be91d8 100644
--- a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
+++ b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
@@ -161,12 +161,12 @@ void QSslDiffieHellmanParametersPrivate::decodePem(const QByteArray &pem)
return;
}
- DH *dh = Q_NULLPTR;
+ DH *dh = nullptr;
q_PEM_read_bio_DHparams(bio, &dh, 0, 0);
if (dh) {
if (isSafeDH(dh)) {
- char *buf = Q_NULLPTR;
+ char *buf = nullptr;
int len = q_i2d_DHparams(dh, reinterpret_cast<unsigned char **>(&buf));
if (len > 0)
derData = QByteArray(buf, len);
diff --git a/src/network/ssl/qsslkey_qt.cpp b/src/network/ssl/qsslkey_qt.cpp
index 3c5dc830d3..6716c0158b 100644
--- a/src/network/ssl/qsslkey_qt.cpp
+++ b/src/network/ssl/qsslkey_qt.cpp
@@ -43,6 +43,7 @@
#include <QtCore/qdatastream.h>
#include <QtCore/qcryptographichash.h>
+#include <QtCore/qrandom.h>
QT_USE_NAMESPACE
@@ -286,10 +287,8 @@ QByteArray QSslKeyPrivate::toPem(const QByteArray &passPhrase) const
if (type == QSsl::PrivateKey && !passPhrase.isEmpty()) {
// ### use a cryptographically secure random number generator
- QByteArray iv;
- iv.resize(8);
- for (int i = 0; i < iv.size(); ++i)
- iv[i] = (qrand() & 0xff);
+ quint64 random = QRandomGenerator::generate64();
+ QByteArray iv = QByteArray::fromRawData(reinterpret_cast<const char *>(&random), sizeof(random));
Cipher cipher = DesEde3Cbc;
const QByteArray key = deriveKey(cipher, passPhrase, iv);
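Review bot: The new `iv` is built with `QByteArray::fromRawData`, so it does not own its bytes and only aliases the stack variable `random`. Any copy of `iv` that is kept without detaching (inside `deriveKey` or later in `toPem`, whose body continues outside this hunk) would point at dead storage once `random` goes out of scope. A deep copy costs eight bytes and removes the lifetime coupling: `QByteArray iv(reinterpret_cast<const char *>(&random), int(sizeof(random)));`. The `// ### use a cryptographically secure random number generator` comment is also left in place: if `QRandomGenerator::generate64()` is backed by the system CSPRNG in this tree, drop it or replace it with a statement of that guarantee, and otherwise the TODO still stands, which matters because this value also feeds `deriveKey` as the salt.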
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 5c9ebac283..84c814cca4 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -2647,6 +2647,20 @@ QByteArray QSslSocketPrivate::peek(qint64 maxSize)
/*!
\internal
*/
+qint64 QSslSocketPrivate::skip(qint64 maxSize)
+{
+ if (mode == QSslSocket::UnencryptedMode && !autoStartHandshake)
+ return plainSocket->skip(maxSize);
+
+ // In encrypted mode, the SSL backend writes decrypted data directly into the
+ // QIODevice's read buffer. As this buffer is always emptied by the caller,
+ // we need to wait for more incoming data.
+ return (state == QAbstractSocket::ConnectedState) ? Q_INT64_C(0) : Q_INT64_C(-1);
+}
+
+/*!
+ \internal
+*/
bool QSslSocketPrivate::flush()
{
#ifdef QSSLSOCKET_DEBUG
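Review bot: `plainSocket` is dereferenced without a null check in the unencrypted branch of the new `skip()`, at `return plainSocket->skip(maxSize);`. The hunk does not show whether the plain socket is guaranteed to exist whenever `mode == QSslSocket::UnencryptedMode && !autoStartHandshake` holds, so either state the invariant with `Q_ASSERT(plainSocket);` or fold the check into the condition and let the call fall through to the state-based return. The `\internal` doc block above the function is also empty. A line such as `Returns 0 while connected (nothing buffered to skip, caller must wait for more data) and -1 otherwise.` would record the return contract the encrypted path implements.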
diff --git a/src/network/ssl/qsslsocket.h b/src/network/ssl/qsslsocket.h
index 39e70bccda..c66ebdde54 100644
--- a/src/network/ssl/qsslsocket.h
+++ b/src/network/ssl/qsslsocket.h
@@ -79,22 +79,22 @@ public:
AutoVerifyPeer
};
- explicit QSslSocket(QObject *parent = Q_NULLPTR);
+ explicit QSslSocket(QObject *parent = nullptr);
~QSslSocket();
- void resume() Q_DECL_OVERRIDE; // to continue after proxy authentication required, SSL errors etc.
+ void resume() override; // to continue after proxy authentication required, SSL errors etc.
// Autostarting the SSL client handshake.
void connectToHostEncrypted(const QString &hostName, quint16 port, OpenMode mode = ReadWrite, NetworkLayerProtocol protocol = AnyIPProtocol);
void connectToHostEncrypted(const QString &hostName, quint16 port, const QString &sslPeerName, OpenMode mode = ReadWrite, NetworkLayerProtocol protocol = AnyIPProtocol);
bool setSocketDescriptor(qintptr socketDescriptor, SocketState state = ConnectedState,
- OpenMode openMode = ReadWrite) Q_DECL_OVERRIDE;
+ OpenMode openMode = ReadWrite) override;
using QAbstractSocket::connectToHost;
- void connectToHost(const QString &hostName, quint16 port, OpenMode openMode = ReadWrite, NetworkLayerProtocol protocol = AnyIPProtocol) Q_DECL_OVERRIDE;
- void disconnectFromHost() Q_DECL_OVERRIDE;
+ void connectToHost(const QString &hostName, quint16 port, OpenMode openMode = ReadWrite, NetworkLayerProtocol protocol = AnyIPProtocol) override;
+ void disconnectFromHost() override;
- virtual void setSocketOption(QAbstractSocket::SocketOption option, const QVariant &value) Q_DECL_OVERRIDE;
- virtual QVariant socketOption(QAbstractSocket::SocketOption option) Q_DECL_OVERRIDE;
+ virtual void setSocketOption(QAbstractSocket::SocketOption option, const QVariant &value) override;
+ virtual QVariant socketOption(QAbstractSocket::SocketOption option) override;
SslMode mode() const;
bool isEncrypted() const;
@@ -112,16 +112,16 @@ public:
void setPeerVerifyName(const QString &hostName);
// From QIODevice
- qint64 bytesAvailable() const Q_DECL_OVERRIDE;
- qint64 bytesToWrite() const Q_DECL_OVERRIDE;
- bool canReadLine() const Q_DECL_OVERRIDE;
- void close() Q_DECL_OVERRIDE;
- bool atEnd() const Q_DECL_OVERRIDE;
+ qint64 bytesAvailable() const override;
+ qint64 bytesToWrite() const override;
+ bool canReadLine() const override;
+ void close() override;
+ bool atEnd() const override;
bool flush(); // ### Qt6: remove me (implementation moved to private flush())
void abort();
// From QAbstractSocket:
- void setReadBufferSize(qint64 size) Q_DECL_OVERRIDE;
+ void setReadBufferSize(qint64 size) override;
// Similar to QIODevice's:
qint64 encryptedBytesAvailable() const;
@@ -179,11 +179,11 @@ public:
QT_DEPRECATED_X("Use QSslConfiguration::systemCaCertificates()") static QList<QSslCertificate> systemCaCertificates();
#endif // QT_DEPRECATED_SINCE(5, 5)
- bool waitForConnected(int msecs = 30000) Q_DECL_OVERRIDE;
+ bool waitForConnected(int msecs = 30000) override;
bool waitForEncrypted(int msecs = 30000);
- bool waitForReadyRead(int msecs = 30000) Q_DECL_OVERRIDE;
- bool waitForBytesWritten(int msecs = 30000) Q_DECL_OVERRIDE;
- bool waitForDisconnected(int msecs = 30000) Q_DECL_OVERRIDE;
+ bool waitForReadyRead(int msecs = 30000) override;
+ bool waitForBytesWritten(int msecs = 30000) override;
+ bool waitForDisconnected(int msecs = 30000) override;
QList<QSslError> sslErrors() const;
@@ -209,8 +209,8 @@ Q_SIGNALS:
void preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator *authenticator);
protected:
- qint64 readData(char *data, qint64 maxlen) Q_DECL_OVERRIDE;
- qint64 writeData(const char *data, qint64 len) Q_DECL_OVERRIDE;
+ qint64 readData(char *data, qint64 maxlen) override;
+ qint64 writeData(const char *data, qint64 len) override;
private:
Q_DECLARE_PRIVATE(QSslSocket)
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp
index 68c8ccff89..a8d09feb31 100644
--- a/src/network/ssl/qsslsocket_mac.cpp
+++ b/src/network/ssl/qsslsocket_mac.cpp
@@ -167,7 +167,7 @@ static SSLContextRef qt_createSecureTransportContext(QSslSocket::SslMode mode)
const bool isServer = mode == QSslSocket::SslServerMode;
const SSLProtocolSide side = isServer ? kSSLServerSide : kSSLClientSide;
// We never use kSSLDatagramType, so it's kSSLStreamType unconditionally.
- SSLContextRef context = SSLCreateContext(Q_NULLPTR, side, kSSLStreamType);
+ SSLContextRef context = SSLCreateContext(nullptr, side, kSSLStreamType);
if (!context)
qCWarning(lcSsl) << "SSLCreateContext failed";
return context;
@@ -356,7 +356,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves()
}
QSslSocketBackendPrivate::QSslSocketBackendPrivate()
- : context(Q_NULLPTR)
+ : context(nullptr)
{
}
@@ -885,7 +885,7 @@ bool QSslSocketBackendPrivate::initSslContext()
void QSslSocketBackendPrivate::destroySslContext()
{
- context.reset(Q_NULLPTR);
+ context.reset(nullptr);
}
static QByteArray _q_makePkcs12(const QList<QSslCertificate> &certs, const QSslKey &key, const QString &passPhrase);
diff --git a/src/network/ssl/qsslsocket_mac_p.h b/src/network/ssl/qsslsocket_mac_p.h
index 9e1d18981e..34e30ebb16 100644
--- a/src/network/ssl/qsslsocket_mac_p.h
+++ b/src/network/ssl/qsslsocket_mac_p.h
@@ -86,14 +86,14 @@ public:
virtual ~QSslSocketBackendPrivate();
// Final-overriders (QSslSocketPrivate):
- void continueHandshake() Q_DECL_OVERRIDE;
- void disconnected() Q_DECL_OVERRIDE;
- void disconnectFromHost() Q_DECL_OVERRIDE;
- QSslCipher sessionCipher() const Q_DECL_OVERRIDE;
- QSsl::SslProtocol sessionProtocol() const Q_DECL_OVERRIDE;
- void startClientEncryption() Q_DECL_OVERRIDE;
- void startServerEncryption() Q_DECL_OVERRIDE;
- void transmit() Q_DECL_OVERRIDE;
+ void continueHandshake() override;
+ void disconnected() override;
+ void disconnectFromHost() override;
+ QSslCipher sessionCipher() const override;
+ QSsl::SslProtocol sessionProtocol() const override;
+ void startClientEncryption() override;
+ void startServerEncryption() override;
+ void transmit() override;
static QList<QSslError> verify(QList<QSslCertificate> certificateChain,
const QString &hostName);
diff --git a/src/network/ssl/qsslsocket_openssl_p.h b/src/network/ssl/qsslsocket_openssl_p.h
index 7f9e884045..2a800cdc34 100644
--- a/src/network/ssl/qsslsocket_openssl_p.h
+++ b/src/network/ssl/qsslsocket_openssl_p.h
@@ -132,22 +132,22 @@ public:
#endif
// Platform specific functions
- void startClientEncryption() Q_DECL_OVERRIDE;
- void startServerEncryption() Q_DECL_OVERRIDE;
- void transmit() Q_DECL_OVERRIDE;
+ void startClientEncryption() override;
+ void startServerEncryption() override;
+ void transmit() override;
bool startHandshake();
- void disconnectFromHost() Q_DECL_OVERRIDE;
- void disconnected() Q_DECL_OVERRIDE;
- QSslCipher sessionCipher() const Q_DECL_OVERRIDE;
- QSsl::SslProtocol sessionProtocol() const Q_DECL_OVERRIDE;
- void continueHandshake() Q_DECL_OVERRIDE;
+ void disconnectFromHost() override;
+ void disconnected() override;
+ QSslCipher sessionCipher() const override;
+ QSsl::SslProtocol sessionProtocol() const override;
+ void continueHandshake() override;
bool checkSslErrors();
void storePeerCertificates();
unsigned int tlsPskClientCallback(const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len);
unsigned int tlsPskServerCallback(const char *identity, unsigned char *psk, unsigned int max_psk_len);
#ifdef Q_OS_WIN
void fetchCaRootForCert(const QSslCertificate &cert);
- void _q_caRootLoaded(QSslCertificate,QSslCertificate) Q_DECL_OVERRIDE;
+ void _q_caRootLoaded(QSslCertificate,QSslCertificate) override;
#endif
Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions);
diff --git a/src/network/ssl/qsslsocket_opensslpre11.cpp b/src/network/ssl/qsslsocket_opensslpre11.cpp
index e51888c5f2..8ad4d5b521 100644
--- a/src/network/ssl/qsslsocket_opensslpre11.cpp
+++ b/src/network/ssl/qsslsocket_opensslpre11.cpp
@@ -290,8 +290,7 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded()
//its own cert bundle rather than the system one.
//Same logic that disables the unix on demand cert loading.
//Unlike unix, we do preload the certificates from the cert store.
- if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0)
- s_loadRootCertsOnDemand = true;
+ s_loadRootCertsOnDemand = true;
#endif
}
diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h
index 00fda43b7e..ced861805b 100644
--- a/src/network/ssl/qsslsocket_p.h
+++ b/src/network/ssl/qsslsocket_p.h
@@ -170,7 +170,7 @@ public:
static void checkSettingSslContext(QSslSocket*, QSharedPointer<QSslContext>);
static QSharedPointer<QSslContext> sslContext(QSslSocket *socket);
bool isPaused() const;
- bool bind(const QHostAddress &address, quint16, QAbstractSocket::BindMode) Q_DECL_OVERRIDE;
+ bool bind(const QHostAddress &address, quint16, QAbstractSocket::BindMode) override;
void _q_connectedSlot();
void _q_hostFoundSlot();
void _q_disconnectedSlot();
@@ -190,9 +190,10 @@ public:
static QList<QByteArray> unixRootCertDirectories(); // used also by QSslContext
- virtual qint64 peek(char *data, qint64 maxSize) Q_DECL_OVERRIDE;
- virtual QByteArray peek(qint64 maxSize) Q_DECL_OVERRIDE;
- bool flush() Q_DECL_OVERRIDE;
+ virtual qint64 peek(char *data, qint64 maxSize) override;
+ virtual QByteArray peek(qint64 maxSize) override;
+ qint64 skip(qint64 maxSize) override;
+ bool flush() override;
// Platform specific functions
virtual void startClientEncryption() = 0;
diff --git a/src/network/ssl/qsslsocket_winrt.cpp b/src/network/ssl/qsslsocket_winrt.cpp
index ca65f8a015..6c5a09962b 100644
--- a/src/network/ssl/qsslsocket_winrt.cpp
+++ b/src/network/ssl/qsslsocket_winrt.cpp
@@ -518,7 +518,7 @@ HRESULT QSslSocketBackendPrivate::onSslUpgrade(IAsyncAction *action, AsyncStatus
QList<QSslCertificate> peerCertificateChain;
if (certificate) {
ComPtr<IAsyncOperation<CertificateChain *>> op;
- hr = certificate->BuildChainAsync(Q_NULLPTR, &op);
+ hr = certificate->BuildChainAsync(nullptr, &op);
Q_ASSERT_SUCCEEDED(hr);
ComPtr<ICertificateChain> certificateChain;
hr = QWinRTFunctions::await(op, certificateChain.GetAddressOf());
diff --git a/src/network/ssl/qsslsocket_winrt_p.h b/src/network/ssl/qsslsocket_winrt_p.h
index 1043aeee11..030db6d4fa 100644
--- a/src/network/ssl/qsslsocket_winrt_p.h
+++ b/src/network/ssl/qsslsocket_winrt_p.h
@@ -80,14 +80,14 @@ public:
~QSslSocketBackendPrivate();
// Platform specific functions
- void startClientEncryption() Q_DECL_OVERRIDE;
- void startServerEncryption() Q_DECL_OVERRIDE;
- void transmit() Q_DECL_OVERRIDE;
- void disconnectFromHost() Q_DECL_OVERRIDE;
- void disconnected() Q_DECL_OVERRIDE;
- QSslCipher sessionCipher() const Q_DECL_OVERRIDE;
- QSsl::SslProtocol sessionProtocol() const Q_DECL_OVERRIDE;
- void continueHandshake() Q_DECL_OVERRIDE;
+ void startClientEncryption() override;
+ void startServerEncryption() override;
+ void transmit() override;
+ void disconnectFromHost() override;
+ void disconnected() override;
+ QSslCipher sessionCipher() const override;
+ QSsl::SslProtocol sessionProtocol() const override;
+ void continueHandshake() override;
static QList<QSslCipher> defaultCiphers();
static QList<QSslError> verify(const QList<QSslCertificate> &certificateChain, const QString &hostName);