Diffstat (limited to 'src/network')
-rw-r--r--src/network/access/qhttpnetworkrequest.cpp2
-rw-r--r--src/network/configure.json3
-rw-r--r--src/network/ssl/qdtls.cpp65
-rw-r--r--src/network/ssl/qdtls_openssl.cpp17
-rw-r--r--src/network/ssl/qssl.h2
-rw-r--r--src/network/ssl/qsslcertificate.cpp54
-rw-r--r--src/network/ssl/qsslcertificate.h3
-rw-r--r--src/network/ssl/qsslconfiguration.cpp2
-rw-r--r--src/network/ssl/qsslconfiguration.h2
-rw-r--r--src/network/ssl/qsslsocket_openssl_symbols.cpp2
10 files changed, 112 insertions, 40 deletions
diff --git a/src/network/access/qhttpnetworkrequest.cpp b/src/network/access/qhttpnetworkrequest.cpp
index cf4be3df95..8de9760710 100644
--- a/src/network/access/qhttpnetworkrequest.cpp
+++ b/src/network/access/qhttpnetworkrequest.cpp
@@ -133,6 +133,8 @@ QByteArray QHttpNetworkRequest::uri(bool throughProxy) const
QUrl copy = d->url;
if (copy.path().isEmpty())
copy.setPath(QStringLiteral("/"));
+ else
+ format |= QUrl::NormalizePathSegments;
QByteArray uri = copy.toEncoded(format);
return uri;
}
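Review bot: The added `else` branch changes the request target that goes on the wire, but nothing in the code says why. With `format |= QUrl::NormalizePathSegments`, `copy.toEncoded(format)` resolves `.` and `..` segments and drops redundant separators, so the path a server or intermediary receives can differ from the one the caller stored in the QUrl. I would put a comment above the new line, for example `// Send the path in normalized form so "." and ".." segments are resolved before the server or proxy interprets them.`, and add a test for a URL containing `/a/../b`. `format` is declared above the hunk, so whether the `throughProxy` case is affected in the same way is not visible here.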
diff --git a/src/network/configure.json b/src/network/configure.json
index 0215ad73c5..32fcfb499f 100644
--- a/src/network/configure.json
+++ b/src/network/configure.json
@@ -263,6 +263,7 @@
"label": "HTTP",
"purpose": "Provides support for the Hypertext Transfer Protocol in QNetworkAccessManager.",
"section": "Networking",
+ "condition": "features.thread",
"output": [ "publicFeature", "feature" ]
},
"udpsocket": {
@@ -301,7 +302,7 @@
"label": "Bearer management",
"purpose": "Provides bearer management for the network stack.",
"section": "Networking",
- "condition": "features.library && features.networkinterface && features.properties",
+ "condition": "features.thread && features.library && features.networkinterface && features.properties",
"output": [ "publicFeature", "feature" ]
},
"localserver": {
diff --git a/src/network/ssl/qdtls.cpp b/src/network/ssl/qdtls.cpp
index e27bca51b9..da37951de2 100644
--- a/src/network/ssl/qdtls.cpp
+++ b/src/network/ssl/qdtls.cpp
@@ -277,6 +277,12 @@
*/
/*!
+ \typedef QDtls::GeneratorParameters
+
+ This is a synonym for QDtlsClientVerifier::GeneratorParameters.
+*/
+
+/*!
\fn void QDtls::handshakeTimeout()
Packet loss can result in timeouts during the handshake phase. In this case
@@ -363,6 +369,7 @@ void QDtlsBasePrivate::setConfiguration(const QSslConfiguration &configuration)
dtlsConfiguration.nextNegotiatedProtocol = configuration.nextNegotiatedProtocol();
dtlsConfiguration.nextProtocolNegotiationStatus = configuration.nextProtocolNegotiationStatus();
dtlsConfiguration.dtlsCookieEnabled = configuration.dtlsCookieVerificationEnabled();
+ dtlsConfiguration.allowRootCertOnDemandLoading = configuration.d->allowRootCertOnDemandLoading;
clearDtlsError();
}
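Review bot: The new line reads `configuration.d->allowRootCertOnDemandLoading` straight from the private object, while every neighbouring field is copied through a public accessor, and nothing says why. The flag now matters for trust decisions: the qdtls_openssl.cpp hunk in initCtxAndConnection() passes it to `QSslContext::sharedFromConfiguration()` in place of the former hard-coded `true`, so it decides whether root certificates are loaded on demand for peer verification. I would add `// No public accessor for this flag; it controls on-demand loading of root certificates used for peer verification.` above the assignment. Also confirm that the code returning the configuration from a QDtls object (outside this hunk) copies the flag back, otherwise a get-modify-set round trip would silently change it. setConfiguration() starts above the hunk.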
@@ -447,9 +454,10 @@ QDtlsClientVerifier::QDtlsClientVerifier(QObject *parent)
}
/*!
- Sets the secret and cryptographic hash algorithm that this QDtlsClientVerifier
- will use to generate cookies. If the new secret has size zero, this function
- returns \c false and does not change the previous generator parameters.
+ Sets the secret and the cryptographic hash algorithm from \a params. This
+ QDtlsClientVerifier will use these to generate cookies. If the new secret
+ has size zero, this function returns \c false and does not change the
+ cookie generator parameters.
\note The secret is supposed to be a cryptographically secure sequence of bytes.
@@ -481,11 +489,12 @@ QDtlsClientVerifier::GeneratorParameters QDtlsClientVerifier::cookieGeneratorPar
}
/*!
- \a socket must be a valid pointer, \a dgram must be a non-empty datagram,
- \a address cannot be null, broadcast, or multicast. This function returns
- \c true if \a dgram contains a ClientHello message with a valid cookie.
- If no matching cookie is found, verifyClient() will send a HelloVerifyRequest
- message using \a socket and will return \c false.
+ \a socket must be a valid pointer, \a dgram must be a non-empty
+ datagram, \a address cannot be null, broadcast, or multicast.
+ \a port is the remote peer's port. This function returns \c true
+ if \a dgram contains a ClientHello message with a valid cookie.
+ If no matching cookie is found, verifyClient() will send a
+ HelloVerifyRequest message using \a socket and return \c false.
The following snippet shows how a server application may check for errors:
@@ -556,7 +565,7 @@ QString QDtlsClientVerifier::dtlsErrorString() const
\a mode is QSslSocket::SslServerMode for a server-side DTLS connection or
QSslSocket::SslClientMode for a client.
- \sa sslMode(), QSslSocket::SslSocket
+ \sa sslMode(), QSslSocket::SslMode
*/
QDtls::QDtls(QSslSocket::SslMode mode, QObject *parent)
: QObject(*new QDtlsPrivateOpenSSL, parent)
@@ -568,9 +577,9 @@ QDtls::QDtls(QSslSocket::SslMode mode, QObject *parent)
}
/*!
- Sets the peer's address, \a port, and host name. \a address must not be
- null, multicast, or broadcast. \a verificationName is the host name used
- for the certificate validation.
+ Sets the peer's address, \a port, and host name and returns \c true
+ if successful. \a address must not be null, multicast, or broadcast.
+ \a verificationName is the host name used for the certificate validation.
\sa peerAddress(), peerPort(), peerVerificationName()
*/
@@ -607,7 +616,9 @@ bool QDtls::setPeer(const QHostAddress &address, quint16 port,
}
/*!
- Sets the host name that will be used for the certificate validation.
+ Sets the host \a name that will be used for the certificate validation
+ and returns \c true if successful.
+
\note This function must be called before the handshake starts.
\sa peerVerificationName(), setPeer()
@@ -704,8 +715,9 @@ quint16 QDtls::mtuHint() const
}
/*!
- Sets the cryptographic hash algorithm and the secret. This function is only
- needed for a server-side QDtls connection.
+ Sets the cryptographic hash algorithm and the secret from \a params.
+ This function is only needed for a server-side QDtls connection.
+ Returns \c true if successful.
\note This function must be called before the handshake starts.
@@ -738,7 +750,8 @@ QDtls::GeneratorParameters QDtls::cookieGeneratorParameters() const
}
/*!
- Sets the connection's TLS configuration from \a configuration.
+ Sets the connection's TLS configuration from \a configuration
+ and returns \c true if successful.
\note This function must be called before the handshake starts.
@@ -892,8 +905,10 @@ bool QDtls::continueHandshake(QUdpSocket *socket, const QByteArray &datagram)
}
/*!
- If peer verification errors were ignored during the handshake, resumeHandshake()
- resumes and completes the handshake. \a socket must be a valid pointer.
+ If peer verification errors were ignored during the handshake,
+ resumeHandshake() resumes and completes the handshake and returns
+ \c true. \a socket must be a valid pointer. Returns \c false if
+ the handshake could not be resumed.
\sa doHandshake(), abortHandshake() peerVerificationErrors(), ignoreVerificationErrors()
*/
@@ -916,10 +931,10 @@ bool QDtls::resumeHandshake(QUdpSocket *socket)
}
/*!
- Aborts the handshake in case peer verification errors could not be ignored.
- \a socket must be a valid pointer.
+ Aborts the ongoing handshake. Returns true if one was on-going on \a socket;
+ otherwise, sets a suitable error and returns false.
- \sa doHandshake(), resumeHandshakeAfterError()
+ \sa doHandshake(), resumeHandshake()
*/
bool QDtls::abortHandshake(QUdpSocket *socket)
{
@@ -930,9 +945,9 @@ bool QDtls::abortHandshake(QUdpSocket *socket)
return false;
}
- if (d->handshakeState != PeerVerificationFailed) {
+ if (d->handshakeState != PeerVerificationFailed && d->handshakeState != HandshakeInProgress) {
d->setDtlsError(QDtlsError::InvalidOperation,
- tr("Not in VerificationError state, nothing to abort"));
+ tr("No handshake in progress, nothing to abort"));
return false;
}
@@ -1021,7 +1036,7 @@ QSsl::SslProtocol QDtls::sessionProtocol() const
before writing encrypted data. \a socket must be a valid
pointer.
- \sa doHandshake(), handshakeState(), connectionEncrypted(), dtlsError()
+ \sa doHandshake(), handshakeState(), isConnectionEncrypted(), dtlsError()
*/
qint64 QDtls::writeDatagramEncrypted(QUdpSocket *socket, const QByteArray &dgram)
{
@@ -1107,7 +1122,7 @@ QVector<QSslError> QDtls::peerVerificationErrors() const
}
/*!
- This method tells QDtls to ignore only the errors given in \a errors.
+ This method tells QDtls to ignore only the errors given in \a errorsToIgnore.
If, for instance, you want to connect to a server that uses a self-signed
certificate, consider the following snippet:
diff --git a/src/network/ssl/qdtls_openssl.cpp b/src/network/ssl/qdtls_openssl.cpp
index 9b11f58f2f..8be53df24f 100644
--- a/src/network/ssl/qdtls_openssl.cpp
+++ b/src/network/ssl/qdtls_openssl.cpp
@@ -732,11 +732,9 @@ bool DtlsState::initCtxAndConnection(QDtlsBasePrivate *dtlsBase)
configurationCopy->ref.store(0); // the QSslConfiguration constructor refs up
// DTLSTODO: check we do not set something DTLS-incompatible there ...
- // 'true' - means load root certs on-demand loading - double check how this
- // expected to be done (QSslSocket).
TlsContext newContext(QSslContext::sharedFromConfiguration(dtlsBase->mode,
configurationCopy,
- true));
+ dtlsBase->dtlsConfiguration.allowRootCertOnDemandLoading));
if (newContext->error() != QSslError::NoError) {
dtlsBase->setDtlsError(QDtlsError::TlsInitializationError, newContext->errorString());
@@ -1115,13 +1113,18 @@ bool QDtlsPrivateOpenSSL::resumeHandshake(QUdpSocket *socket)
void QDtlsPrivateOpenSSL::abortHandshake(QUdpSocket *socket)
{
Q_ASSERT(socket);
- Q_ASSERT(handshakeState == QDtls::PeerVerificationFailed);
+ Q_ASSERT(handshakeState == QDtls::PeerVerificationFailed
+ || handshakeState == QDtls::HandshakeInProgress);
clearDtlsError();
- // Yes, while peer verification failed, we were actually encrypted.
- // Let's play it nice - inform our peer about connection shut down.
- sendShutdownAlert(socket);
+ if (handshakeState == QDtls::PeerVerificationFailed) {
+ // Yes, while peer verification failed, we were actually encrypted.
+ // Let's play it nice - inform our peer about connection shut down.
+ sendShutdownAlert(socket);
+ } else {
+ resetDtls();
+ }
}
void QDtlsPrivateOpenSSL::sendShutdownAlert(QUdpSocket *socket)
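Review bot: The only state check in `QDtlsPrivateOpenSSL::abortHandshake()` is the `Q_ASSERT`, so in a build where assertions are compiled out the new `else` branch calls `resetDtls()` for every state other than PeerVerificationFailed, not just HandshakeInProgress. The qdtls.cpp hunk shows `QDtls::abortHandshake()` rejecting other states, presumably before it delegates here, so this is a defence-in-depth point rather than a reachable bug from that caller. I would make the second case explicit with `} else if (handshakeState == QDtls::HandshakeInProgress) {`. I would also add a comment in that branch, `// Handshake not finished: no alert is sent, only the local DTLS state is dropped.`, so readers know the peer is not notified on this path.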
diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h
index 8ab24d89e1..dd268cd86d 100644
--- a/src/network/ssl/qssl.h
+++ b/src/network/ssl/qssl.h
@@ -91,7 +91,7 @@ namespace QSsl {
TlsV1_1OrLater,
TlsV1_2OrLater,
-#if QT_CONFIG(dtls)
+#if QT_CONFIG(dtls) || defined(Q_CLANG_QDOC)
DtlsV1_0,
DtlsV1_0OrLater,
DtlsV1_2,
diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 6cb07c46e1..31ff296480 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -692,6 +692,56 @@ QByteArray QSslCertificatePrivate::subjectInfoToString(QSslCertificate::SubjectI
}
/*!
+ \since 5.12
+
+ Returns a name that describes the issuer. It returns the QSslCertificate::CommonName
+ if available, otherwise falls back to the first QSslCertificate::Organization or the
+ first QSslCertificate::OrganizationalUnitName.
+
+ \sa issuerInfo()
+*/
+QString QSslCertificate::issuerDisplayName() const
+{
+ QStringList names;
+ names = issuerInfo(QSslCertificate::CommonName);
+ if (!names.isEmpty())
+ return names.first();
+ names = issuerInfo(QSslCertificate::Organization);
+ if (!names.isEmpty())
+ return names.first();
+ names = issuerInfo(QSslCertificate::OrganizationalUnitName);
+ if (!names.isEmpty())
+ return names.first();
+
+ return QString();
+}
+
+/*!
+ \since 5.12
+
+ Returns a name that describes the subject. It returns the QSslCertificate::CommonName
+ if available, otherwise falls back to the first QSslCertificate::Organization or the
+ first QSslCertificate::OrganizationalUnitName.
+
+ \sa subjectInfo()
+*/
+QString QSslCertificate::subjectDisplayName() const
+{
+ QStringList names;
+ names = subjectInfo(QSslCertificate::CommonName);
+ if (!names.isEmpty())
+ return names.first();
+ names = subjectInfo(QSslCertificate::Organization);
+ if (!names.isEmpty())
+ return names.first();
+ names = subjectInfo(QSslCertificate::OrganizationalUnitName);
+ if (!names.isEmpty())
+ return names.first();
+
+ return QString();
+}
+
+/*!
\fn uint qHash(const QSslCertificate &key, uint seed)
Returns the hash value for the \a key, using \a seed to seed the calculation.
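Review bot: The documentation added for `issuerDisplayName()` and `subjectDisplayName()` does not say what is returned when none of the three attributes is present, or that the result is meant for display only. Both functions end in `return QString();`, and the name comes from fields of the certificate itself, so for an unverified peer certificate it is whatever the peer supplied. I would add to both doc blocks: `Returns an empty string if none of these attributes is present. The name is intended for display and logging only and must not be used to verify the peer's identity.` The two bodies are identical apart from calling `issuerInfo()` versus `subjectInfo()`, so a shared file-local helper taking the three looked-up lists would remove the duplication.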
@@ -708,8 +758,8 @@ QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
<< certificate.version()
<< ", " << certificate.serialNumber()
<< ", " << certificate.digest().toBase64()
- << ", " << certificate.issuerInfo(QSslCertificate::Organization)
- << ", " << certificate.subjectInfo(QSslCertificate::Organization)
+ << ", " << certificate.issuerDisplayName()
+ << ", " << certificate.subjectDisplayName()
<< ", " << certificate.subjectAlternativeNames()
#ifndef QT_NO_DATESTRING
<< ", " << certificate.effectiveDate()
diff --git a/src/network/ssl/qsslcertificate.h b/src/network/ssl/qsslcertificate.h
index 553fb8884d..266fcdacb4 100644
--- a/src/network/ssl/qsslcertificate.h
+++ b/src/network/ssl/qsslcertificate.h
@@ -120,6 +120,9 @@ public:
QStringList issuerInfo(const QByteArray &attribute) const;
QStringList subjectInfo(SubjectInfo info) const;
QStringList subjectInfo(const QByteArray &attribute) const;
+ QString issuerDisplayName() const;
+ QString subjectDisplayName() const;
+
QList<QByteArray> subjectInfoAttributes() const;
QList<QByteArray> issuerInfoAttributes() const;
#if QT_DEPRECATED_SINCE(5,0)
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 12fbb9a8e4..df5660d4c3 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -1031,7 +1031,7 @@ void QSslConfiguration::setDefaultConfiguration(const QSslConfiguration &configu
QSslConfigurationPrivate::setDefaultConfiguration(configuration);
}
-#if QT_CONFIG(dtls)
+#if QT_CONFIG(dtls) || defined(Q_CLANG_QDOC)
/*!
This function returns true if DTLS cookie verification was enabled on a
diff --git a/src/network/ssl/qsslconfiguration.h b/src/network/ssl/qsslconfiguration.h
index 7f6028db27..454ac0cee3 100644
--- a/src/network/ssl/qsslconfiguration.h
+++ b/src/network/ssl/qsslconfiguration.h
@@ -162,7 +162,7 @@ public:
static QSslConfiguration defaultConfiguration();
static void setDefaultConfiguration(const QSslConfiguration &configuration);
-#if QT_CONFIG(dtls)
+#if QT_CONFIG(dtls) || defined(Q_CLANG_QDOC)
bool dtlsCookieVerificationEnabled() const;
void setDtlsCookieVerificationEnabled(bool enable);
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index 8812912c18..63cb276d54 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -903,13 +903,11 @@ bool q_resolveOpenSslSymbols()
{
static bool symbolsResolved = false;
static bool triedToResolveSymbols = false;
-#ifndef QT_NO_THREAD
#if QT_CONFIG(opensslv11)
QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_OPENSSL_init_ssl));
#else
QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_SSL_library_init));
#endif
-#endif
if (symbolsResolved)
return true;
if (triedToResolveSymbols)