diff options
Diffstat (limited to 'src/network')
75 files changed, 3546 insertions, 1670 deletions
diff --git a/src/network/access/access.pri b/src/network/access/access.pri index 5806262ac2..e8669dcec8 100644 --- a/src/network/access/access.pri +++ b/src/network/access/access.pri @@ -37,7 +37,8 @@ HEADERS += \ access/qnetworkfile_p.h \ access/qhttp2protocolhandler_p.h \ access/qhsts_p.h \ - access/qhstspolicy.h + access/qhstspolicy.h \ + access/qhstsstore_p.h SOURCES += \ access/qhttpnetworkheader.cpp \ @@ -69,7 +70,8 @@ SOURCES += \ access/qnetworkfile.cpp \ access/qhttp2protocolhandler.cpp \ access/qhsts.cpp \ - access/qhstspolicy.cpp + access/qhstspolicy.cpp \ + access/qhstsstore.cpp qtConfig(ftp) { HEADERS += \ diff --git a/src/network/access/http2/http2frames.cpp b/src/network/access/http2/http2frames.cpp index 5a684c2f41..e695b4dd9e 100644 --- a/src/network/access/http2/http2frames.cpp +++ b/src/network/access/http2/http2frames.cpp @@ -361,6 +361,12 @@ FrameWriter::FrameWriter(FrameType type, FrameFlags flags, quint32 streamID) start(type, flags, streamID); } +void FrameWriter::setOutboundFrame(Frame &&newFrame) +{ + frame = std::move(newFrame); + updatePayloadSize(); +} + void FrameWriter::start(FrameType type, FrameFlags flags, quint32 streamID) { auto &buffer = frame.buffer; diff --git a/src/network/access/http2/http2frames_p.h b/src/network/access/http2/http2frames_p.h index e5f6d46c67..4bdc775806 100644 --- a/src/network/access/http2/http2frames_p.h +++ b/src/network/access/http2/http2frames_p.h @@ -129,6 +129,8 @@ public: return frame; } + void setOutboundFrame(Frame &&newFrame); + // Frame 'builders': void start(FrameType type, FrameFlags flags, quint32 streamID); void setPayloadSize(quint32 size); diff --git a/src/network/access/http2/http2protocol.cpp b/src/network/access/http2/http2protocol.cpp index 7f788a6f42..f51af4be5c 100644 --- a/src/network/access/http2/http2protocol.cpp +++ b/src/network/access/http2/http2protocol.cpp @@ -37,9 +37,14 @@ ** ****************************************************************************/ -#include <QtCore/qstring.h> - #include "http2protocol_p.h" +#include "http2frames_p.h" + +#include "private/qhttpnetworkrequest_p.h" +#include "private/qhttpnetworkreply_p.h" + +#include <QtCore/qbytearray.h> +#include <QtCore/qstring.h> QT_BEGIN_NAMESPACE @@ -57,6 +62,131 @@ const char Http2clientPreface[clientPrefaceLength] = 0x2e, 0x30, 0x0d, 0x0a, 0x0d, 0x0a, 0x53, 0x4d, 0x0d, 0x0a, 0x0d, 0x0a}; +// TODO: (in 5.11) - remove it! +const char *http2ParametersPropertyName = "QT_HTTP2_PARAMETERS_PROPERTY"; + +ProtocolParameters::ProtocolParameters() +{ + settingsFrameData[Settings::INITIAL_WINDOW_SIZE_ID] = qtDefaultStreamReceiveWindowSize; + settingsFrameData[Settings::ENABLE_PUSH_ID] = 0; +} + +bool ProtocolParameters::validate() const +{ + // 0. Huffman/indexing: any values are valid and allowed. + + // 1. Session receive window size (client side): HTTP/2 starts from the + // default value of 64Kb, if a client code tries to set lesser value, + // the delta would become negative, but this is not allowed. + if (maxSessionReceiveWindowSize < qint32(defaultSessionWindowSize)) { + qCWarning(QT_HTTP2, "Session receive window must be at least 65535 bytes"); + return false; + } + + // 2. HEADER_TABLE_SIZE: we do not validate HEADER_TABLE_SIZE, considering + // all values as valid. RFC 7540 and 7541 do not provide any lower/upper + // limits. If it's 0 - we do not index anything, if it's too huge - a user + // who provided such a value can potentially have a huge memory footprint, + // up to them to decide. + + // 3. SETTINGS_ENABLE_PUSH: RFC 7540, 6.5.2, a value other than 0 or 1 will + // be treated by our peer as a PROTOCOL_ERROR. + if (settingsFrameData.contains(Settings::ENABLE_PUSH_ID) + && settingsFrameData[Settings::ENABLE_PUSH_ID] > 1) { + qCWarning(QT_HTTP2, "SETTINGS_ENABLE_PUSH can be only 0 or 1"); + return false; + } + + // 4. SETTINGS_MAX_CONCURRENT_STREAMS : RFC 7540 recommends 100 as the lower + // limit, says nothing about the upper limit. The RFC allows 0, but this makes + // no sense to us at all: there is no way a user can change this later and + // we'll not be able to get any responses on such a connection. + if (settingsFrameData.contains(Settings::MAX_CONCURRENT_STREAMS_ID) + && !settingsFrameData[Settings::MAX_CONCURRENT_STREAMS_ID]) { + qCWarning(QT_HTTP2, "MAX_CONCURRENT_STREAMS must be a positive number"); + return false; + } + + // 5. SETTINGS_INITIAL_WINDOW_SIZE. + if (settingsFrameData.contains(Settings::INITIAL_WINDOW_SIZE_ID)) { + const quint32 value = settingsFrameData[Settings::INITIAL_WINDOW_SIZE_ID]; + // RFC 7540, 6.5.2 (the upper limit). The lower limit is our own - we send + // SETTINGS frame only once and will not be able to change this 0, thus + // we'll suspend all streams. + if (!value || value > quint32(maxSessionReceiveWindowSize)) { + qCWarning(QT_HTTP2, "INITIAL_WINDOW_SIZE must be in the range " + "(0, 2^31-1]"); + return false; + } + } + + // 6. SETTINGS_MAX_FRAME_SIZE: RFC 7540, 6.5.2, a value outside of the range + // [2^14-1, 2^24-1] will be treated by our peer as a PROTOCOL_ERROR. + if (settingsFrameData.contains(Settings::MAX_FRAME_SIZE_ID)) { + const quint32 value = settingsFrameData[Settings::INITIAL_WINDOW_SIZE_ID]; + if (value < maxFrameSize || value > maxPayloadSize) { + qCWarning(QT_HTTP2, "MAX_FRAME_SIZE must be in the range [2^14, 2^24-1]"); + return false; + } + } + + // For SETTINGS_MAX_HEADER_LIST_SIZE RFC 7540 does not provide any specific + // numbers. It's clear, if a value is too small, no header can ever be sent + // by our peer at all. The default value is unlimited and we normally do not + // change this. + // + // Note: the size is calculated as the length of uncompressed (no HPACK) + // name + value + 32 bytes. + + return true; +} + +QByteArray ProtocolParameters::settingsFrameToBase64() const +{ + Frame frame(settingsFrame()); + // SETTINGS frame's payload consists of pairs: + // 2-byte-identifier | 4-byte-value == multiple of 6. + Q_ASSERT(frame.payloadSize() && !(frame.payloadSize() % 6)); + const char *src = reinterpret_cast<const char *>(frame.dataBegin()); + const QByteArray wrapper(QByteArray::fromRawData(src, int(frame.dataSize()))); + // 3.2.1 + // The content of the HTTP2-Settings header field is the payload + // of a SETTINGS frame (Section 6.5), encoded as a base64url string + // (that is, the URL- and filename-safe Base64 encoding described in + // Section 5 of [RFC4648], with any trailing '=' characters omitted). + return wrapper.toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals); +} + +Frame ProtocolParameters::settingsFrame() const +{ + // 6.5 SETTINGS + FrameWriter builder(FrameType::SETTINGS, FrameFlag::EMPTY, connectionStreamID); + for (auto it = settingsFrameData.cbegin(), end = settingsFrameData.cend(); + it != end; ++it) { + builder.append(it.key()); + builder.append(it.value()); + } + + return builder.outboundFrame(); +} + +void ProtocolParameters::addProtocolUpgradeHeaders(QHttpNetworkRequest *request) const +{ + Q_ASSERT(request); + // RFC 2616, 14.10 + // RFC 7540, 3.2 + QByteArray value(request->headerField("Connection")); + // We _append_ 'Upgrade': + if (value.size()) + value += ", "; + + value += "Upgrade, HTTP2-Settings"; + request->setHeaderField("Connection", value); + // This we just (re)write. + request->setHeaderField("Upgrade", "h2c"); + // This we just (re)write. + request->setHeaderField("HTTP2-Settings", settingsFrameToBase64()); +} void qt_error(quint32 errorCode, QNetworkReply::NetworkError &error, QString &errorMessage) @@ -151,6 +281,20 @@ QNetworkReply::NetworkError qt_error(quint32 errorCode) return error; } +bool is_protocol_upgraded(const QHttpNetworkReply &reply) +{ + if (reply.statusCode() == 101) { + // Do some minimal checks here - we expect 'Upgrade: h2c' to be found. + const auto &header = reply.header(); + for (const QPair<QByteArray, QByteArray> &field : header) { + if (field.first.toLower() == "upgrade" && field.second.toLower() == "h2c") + return true; + } + } + + return false; } +} // namespace Http2 + QT_END_NAMESPACE diff --git a/src/network/access/http2/http2protocol_p.h b/src/network/access/http2/http2protocol_p.h index 5d730404bb..f7a89859d3 100644 --- a/src/network/access/http2/http2protocol_p.h +++ b/src/network/access/http2/http2protocol_p.h @@ -53,12 +53,16 @@ #include <QtNetwork/qnetworkreply.h> #include <QtCore/qloggingcategory.h> +#include <QtCore/qmetatype.h> #include <QtCore/qglobal.h> // Different HTTP/2 constants/values as defined by RFC 7540. QT_BEGIN_NAMESPACE +class QHttpNetworkRequest; +class QHttpNetworkReply; +class QByteArray; class QString; namespace Http2 @@ -127,10 +131,61 @@ enum Http2PredefinedParameters maxConcurrentStreams = 100 // HTTP/2, 6.5.2 }; -// It's int, it has internal linkage, it's ok to have it in headers - -// no ODR violation is possible. +// These are ints, const, they have internal linkage, it's ok to have them in +// headers - no ODR violation. const quint32 lastValidStreamID((quint32(1) << 31) - 1); // HTTP/2, 5.1.1 +// The default size of 64K is too small and limiting: if we use it, we end up +// sending WINDOW_UPDATE frames on a stream/session all the time, for each +// 2 DATE frames of size 16K (also default) we'll send a WINDOW_UPDATE frame +// for a given stream and have a download speed order of magnitude lower than +// our own HTTP/1.1 protocol handler. We choose a bigger window size: normally, +// HTTP/2 servers are not afraid to immediately set it to the possible max, +// we do the same and split this window size between our concurrent streams. +const qint32 maxSessionReceiveWindowSize((quint32(1) << 31) - 1); +const qint32 qtDefaultStreamReceiveWindowSize = maxSessionReceiveWindowSize / maxConcurrentStreams; + +// The class ProtocolParameters allows client code to customize HTTP/2 protocol +// handler, if needed. Normally, we use our own default parameters (see below). +// In 5.10 we can also use setProperty/property on a QNAM object to pass the +// non-default values to the protocol handler. In 5.11 this will probably become +// a public API. + +using RawSettings = QMap<Settings, quint32>; + +struct Q_AUTOTEST_EXPORT ProtocolParameters +{ + ProtocolParameters(); + + bool validate() const; + QByteArray settingsFrameToBase64() const; + struct Frame settingsFrame() const; + void addProtocolUpgradeHeaders(QHttpNetworkRequest *request) const; + + // HPACK: + // TODO: for now we ignore them (fix it for 5.11, would require changes in HPACK) + bool useHuffman = true; + bool indexStrings = true; + + // This parameter is not negotiated via SETTINGS frames, so we have it + // as a member and will convey it to our peer as a WINDOW_UPDATE frame: + qint32 maxSessionReceiveWindowSize = Http2::maxSessionReceiveWindowSize; + + // This is our default SETTINGS frame: + // + // SETTINGS_INITIAL_WINDOW_SIZE: (2^31 - 1) / 100 + // SETTINGS_ENABLE_PUSH: 0. + // + // Note, whenever we skip some value in our SETTINGS frame, our peer + // will assume the defaults recommended by RFC 7540, which in general + // are good enough, although we (and most browsers) prefer to work + // with larger window sizes. + RawSettings settingsFrameData; +}; + +// TODO: remove in 5.11 +extern const Q_AUTOTEST_EXPORT char *http2ParametersPropertyName; + extern const Q_AUTOTEST_EXPORT char Http2clientPreface[clientPrefaceLength]; enum class FrameStatus @@ -169,11 +224,15 @@ enum Http2Error void qt_error(quint32 errorCode, QNetworkReply::NetworkError &error, QString &errorString); QString qt_error_string(quint32 errorCode); QNetworkReply::NetworkError qt_error(quint32 errorCode); +bool is_protocol_upgraded(const QHttpNetworkReply &reply); -} +} // namespace Http2 Q_DECLARE_LOGGING_CATEGORY(QT_HTTP2) QT_END_NAMESPACE +Q_DECLARE_METATYPE(Http2::Settings) +Q_DECLARE_METATYPE(Http2::ProtocolParameters) + #endif diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp index ca9f3b977b..6a731afc2f 100644 --- a/src/network/access/qhsts.cpp +++ b/src/network/access/qhsts.cpp @@ -37,6 +37,7 @@ ** ****************************************************************************/ +#include "qhstsstore_p.h" #include "qhsts_p.h" #include "QtCore/private/qipaddress_p.h" @@ -80,14 +81,24 @@ void QHstsCache::updateFromHeaders(const QList<QPair<QByteArray, QByteArray>> &h return; QHstsHeaderParser parser; - if (parser.parse(headers)) + if (parser.parse(headers)) { updateKnownHost(url.host(), parser.expirationDate(), parser.includeSubDomains()); + if (hstsStore) + hstsStore->synchronize(); + } } void QHstsCache::updateFromPolicies(const QVector<QHstsPolicy> &policies) { for (const auto &policy : policies) updateKnownHost(policy.host(), policy.expiry(), policy.includesSubDomains()); + + if (hstsStore && policies.size()) { + // These policies are coming either from store or from QNAM's setter + // function. As a result we can notice expired or new policies, time + // to sync ... + hstsStore->synchronize(); + } } void QHstsCache::updateKnownHost(const QUrl &url, const QDateTime &expires, @@ -97,6 +108,8 @@ void QHstsCache::updateKnownHost(const QUrl &url, const QDateTime &expires, return; updateKnownHost(url.host(), expires, includeSubDomains); + if (hstsStore) + hstsStore->synchronize(); } void QHstsCache::updateKnownHost(const QString &host, const QDateTime &expires, @@ -124,13 +137,20 @@ void QHstsCache::updateKnownHost(const QString &host, const QDateTime &expires, } knownHosts.insert(pos, hostName, newPolicy); + if (hstsStore) + hstsStore->addToObserved(newPolicy); return; } if (newPolicy.isExpired()) knownHosts.erase(pos); - else + else if (*pos != newPolicy) *pos = std::move(newPolicy); + else + return; + + if (hstsStore) + hstsStore->addToObserved(newPolicy); } bool QHstsCache::isKnownHost(const QUrl &url) const @@ -165,10 +185,15 @@ bool QHstsCache::isKnownHost(const QUrl &url) const while (nameToTest.fragment.size()) { auto const pos = knownHosts.find(nameToTest); if (pos != knownHosts.end()) { - if (pos.value().isExpired()) + if (pos.value().isExpired()) { knownHosts.erase(pos); - else if (!superDomainMatch || pos.value().includesSubDomains()) + if (hstsStore) { + // Inform our store that this policy has expired. + hstsStore->addToObserved(pos.value()); + } + } else if (!superDomainMatch || pos.value().includesSubDomains()) { return true; + } } const int dot = nameToTest.fragment.indexOf(QLatin1Char('.')); @@ -196,6 +221,34 @@ QVector<QHstsPolicy> QHstsCache::policies() const return values; } +void QHstsCache::setStore(QHstsStore *store) +{ + // Caller retains ownership of store, which must outlive this cache. + if (store != hstsStore) { + hstsStore = store; + + if (!hstsStore) + return; + + // First we augment our store with the policies we already know about + // (and thus the cached policy takes priority over whatever policy we + // had in the store for the same host, if any). + if (knownHosts.size()) { + const QVector<QHstsPolicy> observed(policies()); + for (const auto &policy : observed) + hstsStore->addToObserved(policy); + hstsStore->synchronize(); + } + + // Now we update the cache with anything we have not observed yet, but + // the store knows about (well, it can happen we synchronize again as a + // result if some policies managed to expire or if we add a new one + // from the store to cache): + const QVector<QHstsPolicy> restored(store->readPolicies()); + updateFromPolicies(restored); + } +} + // The parser is quite simple: 'nextToken' knowns exactly what kind of tokens // are valid and it will return false if something else was found; then // we immediately stop parsing. 'parseDirective' knows how these tokens can diff --git a/src/network/access/qhsts_p.h b/src/network/access/qhsts_p.h index ab3ca536fb..2feb73b446 100644 --- a/src/network/access/qhsts_p.h +++ b/src/network/access/qhsts_p.h @@ -51,6 +51,8 @@ // We mean it. // +#include <QtNetwork/private/qtnetworkglobal_p.h> + #include <QtNetwork/qhstspolicy.h> #include <QtCore/qbytearray.h> @@ -66,6 +68,8 @@ QT_BEGIN_NAMESPACE template<typename T> class QList; template <typename T> class QVector; +class QHstsStore; + class Q_AUTOTEST_EXPORT QHstsCache { public: @@ -80,6 +84,8 @@ public: QVector<QHstsPolicy> policies() const; + void setStore(QHstsStore *store); + private: void updateKnownHost(const QString &hostName, const QDateTime &expires, @@ -112,6 +118,7 @@ private: }; mutable QMap<HostName, QHstsPolicy> knownHosts; + QHstsStore *hstsStore = nullptr; }; class Q_AUTOTEST_EXPORT QHstsHeaderParser diff --git a/src/network/access/qhstsstore.cpp b/src/network/access/qhstsstore.cpp new file mode 100644 index 0000000000..6d7f60ba8d --- /dev/null +++ b/src/network/access/qhstsstore.cpp @@ -0,0 +1,202 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +#include "qhstsstore_p.h" +#include "qhstspolicy.h" + +#include "qstandardpaths.h" +#include "qdatastream.h" +#include "qbytearray.h" +#include "qdatetime.h" +#include "qvariant.h" +#include "qstring.h" +#include "qdir.h" + +#include <utility> + +QT_BEGIN_NAMESPACE + +static QString host_name_to_settings_key(const QString &hostName) +{ + const QByteArray hostNameAsHex(hostName.toUtf8().toHex()); + return QString::fromLatin1(hostNameAsHex); +} + +static QString settings_key_to_host_name(const QString &key) +{ + const QByteArray hostNameAsUtf8(QByteArray::fromHex(key.toLatin1())); + return QString::fromUtf8(hostNameAsUtf8); +} + +QHstsStore::QHstsStore(const QString &dirName) + : store(absoluteFilePath(dirName), QSettings::IniFormat) +{ + // Disable fallbacks, we do not want to use anything but our own ini file. + store.setFallbacksEnabled(false); +} + +QHstsStore::~QHstsStore() +{ + synchronize(); +} + +QVector<QHstsPolicy> QHstsStore::readPolicies() +{ + // This function only attempts to read policies, making no decision about + // expired policies. It's up to a user (QHstsCache) to mark these policies + // for deletion and sync the store later. But we immediately remove keys/values + // (if the store isWritable) for the policies that we fail to read. + QVector<QHstsPolicy> policies; + + beginHstsGroups(); + + const QStringList keys = store.childKeys(); + for (const auto &key : keys) { + QHstsPolicy restoredPolicy; + if (deserializePolicy(key, restoredPolicy)) { + restoredPolicy.setHost(settings_key_to_host_name(key)); + policies.push_back(std::move(restoredPolicy)); + } else if (isWritable()) { + evictPolicy(key); + } + } + + endHstsGroups(); + + return policies; +} + +void QHstsStore::addToObserved(const QHstsPolicy &policy) +{ + observedPolicies.push_back(policy); +} + +void QHstsStore::synchronize() +{ + if (!isWritable()) + return; + + if (observedPolicies.size()) { + beginHstsGroups(); + for (const QHstsPolicy &policy : qAsConst(observedPolicies)) { + const QString key(host_name_to_settings_key(policy.host())); + // If we fail to write a new, updated policy, we also remove the old one. + if (policy.isExpired() || !serializePolicy(key, policy)) + evictPolicy(key); + } + observedPolicies.clear(); + endHstsGroups(); + } + + store.sync(); +} + +bool QHstsStore::isWritable() const +{ + return store.isWritable(); +} + +QString QHstsStore::absoluteFilePath(const QString &dirName) +{ + const QDir dir(dirName.isEmpty() ? QStandardPaths::writableLocation(QStandardPaths::CacheLocation) + : dirName); + return dir.absoluteFilePath(QLatin1String("hstsstore")); +} + +void QHstsStore::beginHstsGroups() +{ + store.beginGroup(QLatin1String("StrictTransportSecurity")); + store.beginGroup(QLatin1String("Policies")); +} + +void QHstsStore::endHstsGroups() +{ + store.endGroup(); + store.endGroup(); +} + +bool QHstsStore::deserializePolicy(const QString &key, QHstsPolicy &policy) +{ + Q_ASSERT(store.contains(key)); + + const QVariant data(store.value(key)); + if (data.isNull() || !data.canConvert<QByteArray>()) + return false; + + const QByteArray serializedData(data.toByteArray()); + QDataStream streamer(serializedData); + qint64 expiryInMS = 0; + streamer >> expiryInMS; + if (streamer.status() != QDataStream::Ok) + return false; + bool includesSubDomains = false; + streamer >> includesSubDomains; + if (streamer.status() != QDataStream::Ok) + return false; + + policy.setExpiry(QDateTime::fromMSecsSinceEpoch(expiryInMS)); + policy.setIncludesSubDomains(includesSubDomains); + + return true; +} + +bool QHstsStore::serializePolicy(const QString &key, const QHstsPolicy &policy) +{ + Q_ASSERT(store.isWritable()); + + QByteArray serializedData; + QDataStream streamer(&serializedData, QIODevice::WriteOnly); + streamer << policy.expiry().toMSecsSinceEpoch(); + streamer << policy.includesSubDomains(); + + if (streamer.status() != QDataStream::Ok) + return false; + + store.setValue(key, serializedData); + return true; +} + +void QHstsStore::evictPolicy(const QString &key) +{ + Q_ASSERT(store.isWritable()); + if (store.contains(key)) + store.remove(key); +} + +QT_END_NAMESPACE diff --git a/src/network/access/qhstsstore_p.h b/src/network/access/qhstsstore_p.h new file mode 100644 index 0000000000..13042839c4 --- /dev/null +++ b/src/network/access/qhstsstore_p.h @@ -0,0 +1,93 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +#ifndef QHSTSSTORE_P_H +#define QHSTSSTORE_P_H + +// +// W A R N I N G +// ------------- +// +// This file is not part of the Qt API. It exists for the convenience +// of the Network Access API. This header file may change from +// version to version without notice, or even be removed. +// +// We mean it. +// + +#include <QtNetwork/private/qtnetworkglobal_p.h> + +#include <QtCore/qsettings.h> +#include <QtCore/qvector.h> + +QT_BEGIN_NAMESPACE + +class QHstsPolicy; +class QByteArray; +class QString; + +class Q_AUTOTEST_EXPORT QHstsStore +{ +public: + explicit QHstsStore(const QString &dirName); + ~QHstsStore(); + + QVector<QHstsPolicy> readPolicies(); + void addToObserved(const QHstsPolicy &policy); + void synchronize(); + + bool isWritable() const; + + static QString absoluteFilePath(const QString &dirName); +private: + void beginHstsGroups(); + bool serializePolicy(const QString &key, const QHstsPolicy &policy); + bool deserializePolicy(const QString &key, QHstsPolicy &policy); + void evictPolicy(const QString &key); + void endHstsGroups(); + + QVector<QHstsPolicy> observedPolicies; + QSettings store; + + Q_DISABLE_COPY(QHstsStore) +}; + +QT_END_NAMESPACE + +#endif // QHSTSSTORE_P_H diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp index 9dfcec8311..42f1343c52 100644 --- a/src/network/access/qhttp2protocolhandler.cpp +++ b/src/network/access/qhttp2protocolhandler.cpp @@ -161,8 +161,6 @@ bool sum_will_overflow(qint32 windowSize, qint32 delta) using namespace Http2; const std::deque<quint32>::size_type QHttp2ProtocolHandler::maxRecycledStreams = 10000; -const qint32 QHttp2ProtocolHandler::sessionMaxRecvWindowSize; -const qint32 QHttp2ProtocolHandler::streamInitialRecvWindowSize; const quint32 QHttp2ProtocolHandler::maxAcceptableTableSize; QHttp2ProtocolHandler::QHttp2ProtocolHandler(QHttpNetworkConnectionChannel *channel) @@ -170,10 +168,47 @@ QHttp2ProtocolHandler::QHttp2ProtocolHandler(QHttpNetworkConnectionChannel *chan decoder(HPack::FieldLookupTable::DefaultSize), encoder(HPack::FieldLookupTable::DefaultSize, true) { + Q_ASSERT(channel && m_connection); + continuedFrames.reserve(20); - bool ok = false; - const int env = qEnvironmentVariableIntValue("QT_HTTP2_ENABLE_PUSH_PROMISE", &ok); - pushPromiseEnabled = ok && env; + + const ProtocolParameters params(m_connection->http2Parameters()); + Q_ASSERT(params.validate()); + + maxSessionReceiveWindowSize = params.maxSessionReceiveWindowSize; + + const RawSettings &data = params.settingsFrameData; + for (auto param = data.cbegin(), end = data.cend(); param != end; ++param) { + switch (param.key()) { + case Settings::INITIAL_WINDOW_SIZE_ID: + streamInitialReceiveWindowSize = param.value(); + break; + case Settings::ENABLE_PUSH_ID: + pushPromiseEnabled = param.value(); + break; + case Settings::HEADER_TABLE_SIZE_ID: + case Settings::MAX_CONCURRENT_STREAMS_ID: + case Settings::MAX_FRAME_SIZE_ID: + case Settings::MAX_HEADER_LIST_SIZE_ID: + // These other settings are just recommendations to our peer. We + // only check they are not crazy in ProtocolParameters::validate(). + default: + break; + } + } + + if (!channel->ssl) { + // We upgraded from HTTP/1.1 to HTTP/2. channel->request was already sent + // as HTTP/1.1 request. The response with status code 101 triggered + // protocol switch and now we are waiting for the real response, sent + // as HTTP/2 frames. + Q_ASSERT(channel->reply); + const quint32 initialStreamID = createNewStream(HttpMessagePair(channel->request, channel->reply), + true /* uploaded by HTTP/1.1 */); + Q_ASSERT(initialStreamID == 1); + Stream &stream = activeStreams[initialStreamID]; + stream.state = Stream::halfClosedLocal; + } } void QHttp2ProtocolHandler::_q_uploadDataReadyRead() @@ -350,28 +385,27 @@ bool QHttp2ProtocolHandler::sendClientPreface() if (prefaceSent) return true; - const qint64 written = m_socket->write(Http2clientPreface, + const qint64 written = m_socket->write(Http2::Http2clientPreface, Http2::clientPrefaceLength); if (written != Http2::clientPrefaceLength) return false; // 6.5 SETTINGS - frameWriter.start(FrameType::SETTINGS, FrameFlag::EMPTY, Http2::connectionStreamID); - // MAX frame size (16 kb), enable/disable PUSH - frameWriter.append(Settings::MAX_FRAME_SIZE_ID); - frameWriter.append(quint32(Http2::maxFrameSize)); - frameWriter.append(Settings::ENABLE_PUSH_ID); - frameWriter.append(quint32(pushPromiseEnabled)); + const ProtocolParameters params(m_connection->http2Parameters()); + Q_ASSERT(params.validate()); + frameWriter.setOutboundFrame(params.settingsFrame()); + Q_ASSERT(frameWriter.outboundFrame().payloadSize()); if (!frameWriter.write(*m_socket)) return false; - sessionRecvWindowSize = sessionMaxRecvWindowSize; - if (defaultSessionWindowSize < sessionMaxRecvWindowSize) { - const auto delta = sessionMaxRecvWindowSize - defaultSessionWindowSize; - if (!sendWINDOW_UPDATE(connectionStreamID, delta)) - return false; - } + sessionReceiveWindowSize = maxSessionReceiveWindowSize; + // ProtocolParameters::validate does not allow maxSessionReceiveWindowSize + // to be smaller than defaultSessionWindowSize, so everything is OK here with + // 'delta': + const auto delta = maxSessionReceiveWindowSize - Http2::defaultSessionWindowSize; + if (!sendWINDOW_UPDATE(Http2::connectionStreamID, delta)) + return false; prefaceSent = true; waitingForSettingsACK = true; @@ -519,10 +553,10 @@ void QHttp2ProtocolHandler::handleDATA() if (!activeStreams.contains(streamID) && !streamWasReset(streamID)) return connectionError(ENHANCE_YOUR_CALM, "DATA on invalid stream"); - if (qint32(inboundFrame.payloadSize()) > sessionRecvWindowSize) + if (qint32(inboundFrame.payloadSize()) > sessionReceiveWindowSize) return connectionError(FLOW_CONTROL_ERROR, "Flow control error"); - sessionRecvWindowSize -= inboundFrame.payloadSize(); + sessionReceiveWindowSize -= inboundFrame.payloadSize(); if (activeStreams.contains(streamID)) { auto &stream = activeStreams[streamID]; @@ -541,20 +575,20 @@ void QHttp2ProtocolHandler::handleDATA() if (inboundFrame.flags().testFlag(FrameFlag::END_STREAM)) { finishStream(stream); deleteActiveStream(stream.streamID); - } else if (stream.recvWindow < streamInitialRecvWindowSize / 2) { + } else if (stream.recvWindow < streamInitialReceiveWindowSize / 2) { QMetaObject::invokeMethod(this, "sendWINDOW_UPDATE", Qt::QueuedConnection, Q_ARG(quint32, stream.streamID), - Q_ARG(quint32, streamInitialRecvWindowSize - stream.recvWindow)); - stream.recvWindow = streamInitialRecvWindowSize; + Q_ARG(quint32, streamInitialReceiveWindowSize - stream.recvWindow)); + stream.recvWindow = streamInitialReceiveWindowSize; } } } - if (sessionRecvWindowSize < sessionMaxRecvWindowSize / 2) { + if (sessionReceiveWindowSize < maxSessionReceiveWindowSize / 2) { QMetaObject::invokeMethod(this, "sendWINDOW_UPDATE", Qt::QueuedConnection, Q_ARG(quint32, connectionStreamID), - Q_ARG(quint32, sessionMaxRecvWindowSize - sessionRecvWindowSize)); - sessionRecvWindowSize = sessionMaxRecvWindowSize; + Q_ARG(quint32, maxSessionReceiveWindowSize - sessionReceiveWindowSize)); + sessionReceiveWindowSize = maxSessionReceiveWindowSize; } } @@ -1176,7 +1210,7 @@ void QHttp2ProtocolHandler::finishStreamWithError(Stream &stream, QNetworkReply: << "finished with error:" << message; } -quint32 QHttp2ProtocolHandler::createNewStream(const HttpMessagePair &message) +quint32 QHttp2ProtocolHandler::createNewStream(const HttpMessagePair &message, bool uploadDone) { const qint32 newStreamID = allocateStreamID(); if (!newStreamID) @@ -1195,12 +1229,14 @@ quint32 QHttp2ProtocolHandler::createNewStream(const HttpMessagePair &message) const Stream newStream(message, newStreamID, streamInitialSendWindowSize, - streamInitialRecvWindowSize); + streamInitialReceiveWindowSize); - if (auto src = newStream.data()) { - connect(src, SIGNAL(readyRead()), this, - SLOT(_q_uploadDataReadyRead()), Qt::QueuedConnection); - src->setProperty("HTTP2StreamID", newStreamID); + if (!uploadDone) { + if (auto src = newStream.data()) { + connect(src, SIGNAL(readyRead()), this, + SLOT(_q_uploadDataReadyRead()), Qt::QueuedConnection); + src->setProperty("HTTP2StreamID", newStreamID); + } } activeStreams.insert(newStreamID, newStream); @@ -1388,7 +1424,7 @@ bool QHttp2ProtocolHandler::tryReserveStream(const Http2::Frame &pushPromiseFram promise.reservedID = reservedID; promise.pushHeader = requestHeader; - activeStreams.insert(reservedID, Stream(urlKey, reservedID, streamInitialRecvWindowSize)); + activeStreams.insert(reservedID, Stream(urlKey, reservedID, streamInitialReceiveWindowSize)); return true; } @@ -1422,7 +1458,7 @@ void QHttp2ProtocolHandler::initReplyFromPushPromise(const HttpMessagePair &mess // Let's pretent we're sending a request now: Stream closedStream(message, promise.reservedID, streamInitialSendWindowSize, - streamInitialRecvWindowSize); + streamInitialReceiveWindowSize); closedStream.state = Stream::halfClosedLocal; activeStreams.insert(promise.reservedID, closedStream); promisedStream = &activeStreams[promise.reservedID]; diff --git a/src/network/access/qhttp2protocolhandler_p.h b/src/network/access/qhttp2protocolhandler_p.h index 5e04c79376..dd209bd0ef 100644 --- a/src/network/access/qhttp2protocolhandler_p.h +++ b/src/network/access/qhttp2protocolhandler_p.h @@ -98,7 +98,7 @@ private: using Stream = Http2::Stream; void _q_readyRead() override; - void _q_receiveReply() override; + Q_INVOKABLE void _q_receiveReply() override; Q_INVOKABLE bool sendRequest() override; bool sendClientPreface(); @@ -136,7 +136,7 @@ private: const QString &message); // Stream's lifecycle management: - quint32 createNewStream(const HttpMessagePair &message); + quint32 createNewStream(const HttpMessagePair &message, bool uploadDone = false); void addToSuspended(Stream &stream); void markAsReset(quint32 streamID); quint32 popStreamToResume(); @@ -172,24 +172,38 @@ private: bool continuationExpected = false; std::vector<Http2::Frame> continuedFrames; - // Peer's max number of streams ... - quint32 maxConcurrentStreams = Http2::maxConcurrentStreams; - // Control flow: - static const qint32 sessionMaxRecvWindowSize = Http2::defaultSessionWindowSize * 10; - // Signed integer, it can become negative (it's still a valid window size): - qint32 sessionRecvWindowSize = sessionMaxRecvWindowSize; - // We do not negotiate this window size - // We have to send WINDOW_UPDATE frames to our peer also. - static const qint32 streamInitialRecvWindowSize = Http2::defaultSessionWindowSize; - - // Updated by SETTINGS and WINDOW_UPDATE. + // This is how many concurrent streams our peer expects from us: + // 100 is the default value, can be updated by the server's SETTINGS + // frame(s): + quint32 maxConcurrentStreams = Http2::maxConcurrentStreams; + // While we allow sending SETTTINGS_MAX_CONCURRENT_STREAMS to limit our peer, + // it's just a hint and we do not actually enforce it (and we can continue + // sending requests and creating streams while maxConcurrentStreams allows). + + // This is the max value, we set it in a ctor from Http2::ProtocolParameters, + // it does not change after that. + qint32 maxSessionReceiveWindowSize = Http2::defaultSessionWindowSize; + + // Our session receive window size, default is 64Kb. We'll update it from QNAM's + // Http2::ProtocolParameters. Signed integer since it can become negative + // (it's still a valid window size). + qint32 sessionReceiveWindowSize = Http2::defaultSessionWindowSize; + // Our per-stream receive window size, default is 64 Kb, will be updated + // from QNAM's Http2::ProtocolParameters. Again, signed - can become negative. + qint32 streamInitialReceiveWindowSize = Http2::defaultSessionWindowSize; + + // These are our peer's receive window sizes, they will be updated by the + // peer's SETTINGS and WINDOW_UPDATE frames. qint32 sessionSendWindowSize = Http2::defaultSessionWindowSize; qint32 streamInitialSendWindowSize = Http2::defaultSessionWindowSize; - // It's unlimited by default, but can be changed via SETTINGS. + // Our peer's header size limitations. It's unlimited by default, but can + // be changed via peer's SETTINGS frame. quint32 maxHeaderListSize = (std::numeric_limits<quint32>::max)(); + // While we can send SETTINGS_MAX_HEADER_LIST_SIZE value (our limit on + // the headers size), we never enforce it, it's just a hint to our peer. Q_INVOKABLE void resumeSuspendedStreams(); // Our stream IDs (all odd), the first valid will be 1. diff --git a/src/network/access/qhttpmultipart.cpp b/src/network/access/qhttpmultipart.cpp index 870e71ba1e..c59df9d8b8 100644 --- a/src/network/access/qhttpmultipart.cpp +++ b/src/network/access/qhttpmultipart.cpp @@ -41,7 +41,7 @@ #include "qhttpmultipart_p.h" #include "QtCore/qdatetime.h" // for initializing the random number generator with QTime #include "QtCore/qmutex.h" -#include "QtCore/qthreadstorage.h" +#include "QtCore/qrandom.h" QT_BEGIN_NAMESPACE @@ -431,23 +431,16 @@ void QHttpPartPrivate::checkHeaderCreated() const } } -Q_GLOBAL_STATIC(QThreadStorage<bool *>, seedCreatedStorage); - QHttpMultiPartPrivate::QHttpMultiPartPrivate() : contentType(QHttpMultiPart::MixedType), device(new QHttpMultiPartIODevice(this)) { - if (!seedCreatedStorage()->hasLocalData()) { - qsrand(QTime(0,0,0).msecsTo(QTime::currentTime()) ^ reinterpret_cast<quintptr>(this)); - seedCreatedStorage()->setLocalData(new bool(true)); - } - - boundary = QByteArray("boundary_.oOo._") - + QByteArray::number(qrand()).toBase64() - + QByteArray::number(qrand()).toBase64() - + QByteArray::number(qrand()).toBase64(); + // 24 random bytes, becomes 32 characters when encoded to Base64 + quint32 random[6]; + QRandomGenerator::global()->fillRange(random); + boundary = "boundary_.oOo._" + + QByteArray::fromRawData(reinterpret_cast<char *>(random), sizeof(random)).toBase64(); // boundary must not be longer than 70 characters, see RFC 2046, section 5.1.1 - if (boundary.count() > 70) - boundary = boundary.left(70); + Q_ASSERT(boundary.count() <= 70); } qint64 QHttpMultiPartIODevice::size() const diff --git a/src/network/access/qhttpnetworkconnection.cpp b/src/network/access/qhttpnetworkconnection.cpp index da055de2da..e6a15ccfc4 100644 --- a/src/network/access/qhttpnetworkconnection.cpp +++ b/src/network/access/qhttpnetworkconnection.cpp @@ -627,7 +627,8 @@ QHttpNetworkReply* QHttpNetworkConnectionPrivate::queueRequest(const QHttpNetwor if (request.isPreConnect()) preConnectRequests++; - if (connectionType == QHttpNetworkConnection::ConnectionTypeHTTP) { + if (connectionType == QHttpNetworkConnection::ConnectionTypeHTTP + || (!encrypt && connectionType == QHttpNetworkConnection::ConnectionTypeHTTP2 && !channels[0].switchedToHttp2)) { switch (request.priority()) { case QHttpNetworkRequest::HighPriority: highPriorityQueue.prepend(pair); @@ -638,12 +639,13 @@ QHttpNetworkReply* QHttpNetworkConnectionPrivate::queueRequest(const QHttpNetwor break; } } - else { // SPDY, HTTP/2 + else { // SPDY, HTTP/2 ('h2' mode) if (!pair.second->d_func()->requestIsPrepared) prepareRequest(pair); channels[0].spdyRequestsToSend.insertMulti(request.priority(), pair); } +#ifndef Q_OS_WINRT // For Happy Eyeballs the networkLayerState is set to Unknown // untill we have started the first connection attempt. So no // request will be started untill we know if IPv4 or IPv6 @@ -651,6 +653,13 @@ QHttpNetworkReply* QHttpNetworkConnectionPrivate::queueRequest(const QHttpNetwor if (networkLayerState == Unknown || networkLayerState == HostLookupPending) { startHostInfoLookup(); } else if ( networkLayerState == IPv4 || networkLayerState == IPv6 ) { +#else // !Q_OS_WINRT + { + // Skip the host lookup part for winrt. Host lookup and proxy handling are done by Windows + // internally and networkLayerPreference is ignored on this platform. Instead of refactoring + // the whole approach we just pretend that everything important is known here. + networkLayerState = IPv4; +#endif // this used to be called via invokeMethod and a QueuedConnection // It is the only place _q_startNextRequest is called directly without going // through the event loop using a QueuedConnection. @@ -664,6 +673,25 @@ QHttpNetworkReply* QHttpNetworkConnectionPrivate::queueRequest(const QHttpNetwor return reply; } +void QHttpNetworkConnectionPrivate::fillHttp2Queue() +{ + for (auto &pair : highPriorityQueue) { + if (!pair.second->d_func()->requestIsPrepared) + prepareRequest(pair); + channels[0].spdyRequestsToSend.insertMulti(QHttpNetworkRequest::HighPriority, pair); + } + + highPriorityQueue.clear(); + + for (auto &pair : lowPriorityQueue) { + if (!pair.second->d_func()->requestIsPrepared) + prepareRequest(pair); + channels[0].spdyRequestsToSend.insertMulti(pair.first.priority(), pair); + } + + lowPriorityQueue.clear(); +} + void QHttpNetworkConnectionPrivate::requeueRequest(const HttpMessagePair &pair) { Q_Q(QHttpNetworkConnection); @@ -1039,8 +1067,7 @@ void QHttpNetworkConnectionPrivate::_q_startNextRequest() } case QHttpNetworkConnection::ConnectionTypeHTTP2: case QHttpNetworkConnection::ConnectionTypeSPDY: { - - if (channels[0].spdyRequestsToSend.isEmpty()) + if (channels[0].spdyRequestsToSend.isEmpty() && channels[0].switchedToHttp2) return; if (networkLayerState == IPv4) @@ -1049,7 +1076,7 @@ void QHttpNetworkConnectionPrivate::_q_startNextRequest() channels[0].networkLayerPreference = QAbstractSocket::IPv6Protocol; channels[0].ensureConnection(); if (channels[0].socket && channels[0].socket->state() == QAbstractSocket::ConnectedState - && !channels[0].pendingEncrypt) + && !channels[0].pendingEncrypt && channels[0].spdyRequestsToSend.size()) channels[0].sendRequest(); break; } @@ -1347,6 +1374,12 @@ QHttpNetworkReply* QHttpNetworkConnection::sendRequest(const QHttpNetworkRequest return d->queueRequest(request); } +void QHttpNetworkConnection::fillHttp2Queue() +{ + Q_D(QHttpNetworkConnection); + d->fillHttp2Queue(); +} + bool QHttpNetworkConnection::isSsl() const { Q_D(const QHttpNetworkConnection); @@ -1404,6 +1437,23 @@ void QHttpNetworkConnection::setConnectionType(ConnectionType type) d->connectionType = type; } +Http2::ProtocolParameters QHttpNetworkConnection::http2Parameters() const +{ + Q_D(const QHttpNetworkConnection); + return d->http2Parameters; +} + +void QHttpNetworkConnection::setHttp2Parameters(const Http2::ProtocolParameters ¶ms) +{ + Q_D(QHttpNetworkConnection); + if (params.validate()) { + d->http2Parameters = params; + } else { + qCWarning(QT_HTTP2) + << "invalid HTTP/2 parameters, falling back to defaults instead"; + } +} + // SSL support below #ifndef QT_NO_SSL void QHttpNetworkConnection::setSslConfiguration(const QSslConfiguration &config) diff --git a/src/network/access/qhttpnetworkconnection_p.h b/src/network/access/qhttpnetworkconnection_p.h index 3dd9bde9bd..d3450417aa 100644 --- a/src/network/access/qhttpnetworkconnection_p.h +++ b/src/network/access/qhttpnetworkconnection_p.h @@ -67,6 +67,7 @@ #include <private/qhttpnetworkheader_p.h> #include <private/qhttpnetworkrequest_p.h> #include <private/qhttpnetworkreply_p.h> +#include <private/http2protocol_p.h> #include <private/qhttpnetworkconnectionchannel_p.h> @@ -122,6 +123,7 @@ public: //add a new HTTP request through this connection QHttpNetworkReply* sendRequest(const QHttpNetworkRequest &request); + void fillHttp2Queue(); #ifndef QT_NO_NETWORKPROXY //set the proxy for this connection @@ -138,6 +140,9 @@ public: ConnectionType connectionType(); void setConnectionType(ConnectionType type); + Http2::ProtocolParameters http2Parameters() const; + void setHttp2Parameters(const Http2::ProtocolParameters ¶ms); + #ifndef QT_NO_SSL void setSslConfiguration(const QSslConfiguration &config); void ignoreSslErrors(int channel = -1); @@ -208,6 +213,7 @@ public: QHttpNetworkReply *queueRequest(const QHttpNetworkRequest &request); void requeueRequest(const HttpMessagePair &pair); // e.g. after pipeline broke + void fillHttp2Queue(); bool dequeueRequest(QAbstractSocket *socket); void prepareRequest(HttpMessagePair &request); void updateChannel(int i, const HttpMessagePair &messagePair); @@ -280,6 +286,8 @@ public: QSharedPointer<QNetworkSession> networkSession; #endif + Http2::ProtocolParameters http2Parameters; + friend class QHttpNetworkConnectionChannel; }; diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp index 17520d0f4c..094a48a603 100644 --- a/src/network/access/qhttpnetworkconnectionchannel.cpp +++ b/src/network/access/qhttpnetworkconnectionchannel.cpp @@ -55,7 +55,6 @@ # include <private/qsslsocket_p.h> # include <QtNetwork/qsslkey.h> # include <QtNetwork/qsslcipher.h> -# include <QtNetwork/qsslconfiguration.h> #endif #ifndef QT_NO_BEARERMANAGEMENT @@ -64,6 +63,20 @@ QT_BEGIN_NAMESPACE +namespace +{ + +class ProtocolHandlerDeleter : public QObject +{ +public: + explicit ProtocolHandlerDeleter(QAbstractProtocolHandler *h) : handler(h) {} + ~ProtocolHandlerDeleter() { delete handler; } +private: + QAbstractProtocolHandler *handler = nullptr; +}; + +} + // TODO: Put channel specific stuff here so it does not polute qhttpnetworkconnection.cpp // Because in-flight when sending a request, the server might close our connection (because the persistent HTTP @@ -176,8 +189,8 @@ void QHttpNetworkConnectionChannel::init() if (!ignoreSslErrorsList.isEmpty()) sslSocket->ignoreSslErrors(ignoreSslErrorsList); - if (!sslConfiguration.isNull()) - sslSocket->setSslConfiguration(sslConfiguration); + if (sslConfiguration.data() && !sslConfiguration->isNull()) + sslSocket->setSslConfiguration(*sslConfiguration); } else { #endif // !QT_NO_SSL if (connection->connectionType() != QHttpNetworkConnection::ConnectionTypeHTTP2) @@ -425,6 +438,40 @@ void QHttpNetworkConnectionChannel::allDone() return; } + if (connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2 + && !ssl && !switchedToHttp2) { + if (Http2::is_protocol_upgraded(*reply)) { + switchedToHttp2 = true; + protocolHandler->setReply(nullptr); + + // As allDone() gets called from the protocol handler, it's not yet + // safe to delete it. There is no 'deleteLater', since + // QAbstractProtocolHandler is not a QObject. Instead we do this + // trick with ProtocolHandlerDeleter, a QObject-derived class. + // These dances below just make it somewhat exception-safe. + // 1. Create a new owner: + QAbstractProtocolHandler *oldHandler = protocolHandler.data(); + QScopedPointer<ProtocolHandlerDeleter> deleter(new ProtocolHandlerDeleter(oldHandler)); + // 2. Retire the old one: + protocolHandler.take(); + // 3. Call 'deleteLater': + deleter->deleteLater(); + // 3. Give up the ownerthip: + deleter.take(); + + connection->fillHttp2Queue(); + protocolHandler.reset(new QHttp2ProtocolHandler(this)); + QHttp2ProtocolHandler *h2c = static_cast<QHttp2ProtocolHandler *>(protocolHandler.data()); + QMetaObject::invokeMethod(h2c, "_q_receiveReply", Qt::QueuedConnection); + QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection); + return; + } else { + // Ok, whatever happened, we do not try HTTP/2 anymore ... + connection->setConnectionType(QHttpNetworkConnection::ConnectionTypeHTTP); + connection->d_func()->activeChannelCount = connection->d_func()->channelCount; + } + } + // while handling 401 & 407, we might reset the status code, so save this. bool emitFinished = reply->d_func()->shouldEmitSignals(); bool connectionCloseEnabled = reply->d_func()->isConnectionCloseEnabled(); @@ -663,7 +710,10 @@ void QHttpNetworkConnectionChannel::setSslConfiguration(const QSslConfiguration if (socket) static_cast<QSslSocket *>(socket)->setSslConfiguration(config); - sslConfiguration = config; + if (sslConfiguration.data()) + *sslConfiguration = config; + else + sslConfiguration.reset(new QSslConfiguration(config)); } #endif @@ -843,19 +893,25 @@ void QHttpNetworkConnectionChannel::_q_connected() #endif } else { state = QHttpNetworkConnectionChannel::IdleState; - if (connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2) { - // We have to reset QHttp2ProtocolHandler's state machine, it's a new - // connection and the handler's state is unique per connection. - protocolHandler.reset(new QHttp2ProtocolHandler(this)); - if (spdyRequestsToSend.count() > 0) { - // wait for data from the server first (e.g. initial window, max concurrent requests) - QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection); + const bool tryProtocolUpgrade = connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2; + if (tryProtocolUpgrade) { + // For HTTP/1.1 it's already created and never reset. + protocolHandler.reset(new QHttpProtocolHandler(this)); + } + switchedToHttp2 = false; + + if (!reply) + connection->d_func()->dequeueRequest(socket); + + if (reply) { + if (tryProtocolUpgrade) { + // Let's augment our request with some magic headers and try to + // switch to HTTP/2. + const Http2::ProtocolParameters params(connection->http2Parameters()); + Q_ASSERT(params.validate()); + params.addProtocolUpgradeHeaders(&request); } - } else { - if (!reply) - connection->d_func()->dequeueRequest(socket); - if (reply) - sendRequest(); + sendRequest(); } } } @@ -1083,6 +1139,7 @@ void QHttpNetworkConnectionChannel::_q_encrypted() // has gone to the SPDY queue already break; } else if (nextProtocol == QSslConfiguration::ALPNProtocolHTTP2) { + switchedToHttp2 = true; protocolHandler.reset(new QHttp2ProtocolHandler(this)); connection->setConnectionType(QHttpNetworkConnection::ConnectionTypeHTTP2); break; @@ -1095,8 +1152,15 @@ void QHttpNetworkConnectionChannel::_q_encrypted() Q_FALLTHROUGH(); case QSslConfiguration::NextProtocolNegotiationNone: { protocolHandler.reset(new QHttpProtocolHandler(this)); + if (!sslConfiguration.data()) { + // Our own auto-tests bypass the normal initialization (done by + // QHttpThreadDelegate), this means in the past we'd have here + // the default constructed QSslConfiguration without any protocols + // to negotiate. Let's create it now: + sslConfiguration.reset(new QSslConfiguration); + } - QList<QByteArray> protocols = sslConfiguration.allowedNextProtocols(); + QList<QByteArray> protocols = sslConfiguration->allowedNextProtocols(); const int nProtocols = protocols.size(); // Clear the protocol that we failed to negotiate, so we do not try // it again on other channels that our connection can create/open. @@ -1106,10 +1170,10 @@ void QHttpNetworkConnectionChannel::_q_encrypted() protocols.removeAll(QSslConfiguration::NextProtocolSpdy3_0); if (nProtocols > protocols.size()) { - sslConfiguration.setAllowedNextProtocols(protocols); + sslConfiguration->setAllowedNextProtocols(protocols); const int channelCount = connection->d_func()->channelCount; for (int i = 0; i < channelCount; ++i) - connection->d_func()->channels[i].setSslConfiguration(sslConfiguration); + connection->d_func()->channels[i].setSslConfiguration(*sslConfiguration); } connection->setConnectionType(QHttpNetworkConnection::ConnectionTypeHTTP); diff --git a/src/network/access/qhttpnetworkconnectionchannel_p.h b/src/network/access/qhttpnetworkconnectionchannel_p.h index 61aea9d35d..844a7d5d15 100644 --- a/src/network/access/qhttpnetworkconnectionchannel_p.h +++ b/src/network/access/qhttpnetworkconnectionchannel_p.h @@ -78,6 +78,8 @@ # include <QtNetwork/qtcpsocket.h> #endif +#include <QtCore/qscopedpointer.h> + QT_BEGIN_NAMESPACE class QHttpNetworkRequest; @@ -125,10 +127,11 @@ public: // HTTP/2 can be cleartext also, that's why it's // outside of QT_NO_SSL section. Sorted by priority: QMultiMap<int, HttpMessagePair> spdyRequestsToSend; + bool switchedToHttp2 = false; #ifndef QT_NO_SSL bool ignoreAllSslErrors; QList<QSslError> ignoreSslErrorsList; - QSslConfiguration sslConfiguration; + QScopedPointer<QSslConfiguration> sslConfiguration; void ignoreSslErrors(); void ignoreSslErrors(const QList<QSslError> &errors); void setSslConfiguration(const QSslConfiguration &config); diff --git a/src/network/access/qhttpnetworkheader_p.h b/src/network/access/qhttpnetworkheader_p.h index 89169b9331..46aec1dd8c 100644 --- a/src/network/access/qhttpnetworkheader_p.h +++ b/src/network/access/qhttpnetworkheader_p.h @@ -78,7 +78,7 @@ public: virtual void setHeaderField(const QByteArray &name, const QByteArray &data) = 0; }; -class QHttpNetworkHeaderPrivate : public QSharedData +class Q_AUTOTEST_EXPORT QHttpNetworkHeaderPrivate : public QSharedData { public: QUrl url; diff --git a/src/network/access/qhttpthreaddelegate.cpp b/src/network/access/qhttpthreaddelegate.cpp index 9d874b4d94..3204f8da33 100644 --- a/src/network/access/qhttpthreaddelegate.cpp +++ b/src/network/access/qhttpthreaddelegate.cpp @@ -44,6 +44,7 @@ #include <QTimer> #include <QAuthenticator> #include <QEventLoop> +#include <QCryptographicHash> #include "private/qhttpnetworkreply_p.h" #include "private/qnetworkaccesscache_p.h" @@ -158,7 +159,10 @@ static QByteArray makeCacheKey(QUrl &url, QNetworkProxy *proxy) } if (!key.scheme().isEmpty()) { + const QByteArray obfuscatedPassword = QCryptographicHash::hash(proxy->password().toUtf8(), + QCryptographicHash::Sha1).toHex(); key.setUserName(proxy->user()); + key.setPassword(QString::fromUtf8(obfuscatedPassword)); key.setHost(proxy->hostName()); key.setPort(proxy->port()); key.setQuery(result); @@ -288,20 +292,22 @@ void QHttpThreadDelegate::startRequest() QHttpNetworkConnection::ConnectionType connectionType = httpRequest.isHTTP2Allowed() ? QHttpNetworkConnection::ConnectionTypeHTTP2 : QHttpNetworkConnection::ConnectionTypeHTTP; - #ifndef QT_NO_SSL + if (ssl && !incomingSslConfiguration.data()) + incomingSslConfiguration.reset(new QSslConfiguration); + if (httpRequest.isHTTP2Allowed() && ssl) { QList<QByteArray> protocols; protocols << QSslConfiguration::ALPNProtocolHTTP2 << QSslConfiguration::NextProtocolHttp1_1; - incomingSslConfiguration.setAllowedNextProtocols(protocols); + incomingSslConfiguration->setAllowedNextProtocols(protocols); } else if (httpRequest.isSPDYAllowed() && ssl) { connectionType = QHttpNetworkConnection::ConnectionTypeSPDY; urlCopy.setScheme(QStringLiteral("spdy")); // to differentiate SPDY requests from HTTPS requests QList<QByteArray> nextProtocols; nextProtocols << QSslConfiguration::NextProtocolSpdy3_0 << QSslConfiguration::NextProtocolHttp1_1; - incomingSslConfiguration.setAllowedNextProtocols(nextProtocols); + incomingSslConfiguration->setAllowedNextProtocols(nextProtocols); } #endif // QT_NO_SSL @@ -327,12 +333,15 @@ void QHttpThreadDelegate::startRequest() httpConnection = new QNetworkAccessCachedHttpConnection(urlCopy.host(), urlCopy.port(), ssl, connectionType, networkSession); -#endif +#endif // QT_NO_BEARERMANAGEMENT + if (connectionType == QHttpNetworkConnection::ConnectionTypeHTTP2 + && http2Parameters.validate()) { + httpConnection->setHttp2Parameters(http2Parameters); + } // else we ignore invalid parameters and use our own defaults. #ifndef QT_NO_SSL // Set the QSslConfiguration from this QNetworkRequest. - if (ssl && incomingSslConfiguration != QSslConfiguration::defaultConfiguration()) { - httpConnection->setSslConfiguration(incomingSslConfiguration); - } + if (ssl) + httpConnection->setSslConfiguration(*incomingSslConfiguration); #endif #ifndef QT_NO_NETWORKPROXY @@ -354,7 +363,6 @@ void QHttpThreadDelegate::startRequest() } } - // Send the request to the connection httpReply = httpConnection->sendRequest(httpRequest); httpReply->setParent(this); diff --git a/src/network/access/qhttpthreaddelegate_p.h b/src/network/access/qhttpthreaddelegate_p.h index 6d1ea11f29..da115d6710 100644 --- a/src/network/access/qhttpthreaddelegate_p.h +++ b/src/network/access/qhttpthreaddelegate_p.h @@ -63,9 +63,10 @@ #include "qhttpnetworkrequest_p.h" #include "qhttpnetworkconnection_p.h" #include <QSharedPointer> -#include "qsslconfiguration.h" +#include <QScopedPointer> #include "private/qnoncontiguousbytedevice_p.h" #include "qnetworkaccessauthenticationmanager_p.h" +#include <QtNetwork/private/http2protocol_p.h> #ifndef QT_NO_HTTP @@ -88,7 +89,7 @@ public: // incoming bool ssl; #ifndef QT_NO_SSL - QSslConfiguration incomingSslConfiguration; + QScopedPointer<QSslConfiguration> incomingSslConfiguration; #endif QHttpNetworkRequest httpRequest; qint64 downloadBufferMaximumSize; @@ -115,6 +116,7 @@ public: qint64 removedContentLength; QNetworkReply::NetworkError incomingErrorCode; QString incomingErrorDetail; + Http2::ProtocolParameters http2Parameters; #ifndef QT_NO_BEARERMANAGEMENT QSharedPointer<QNetworkSession> networkSession; #endif diff --git a/src/network/access/qnetworkaccessbackend.cpp b/src/network/access/qnetworkaccessbackend.cpp index 9c223dd32f..272dd22097 100644 --- a/src/network/access/qnetworkaccessbackend.cpp +++ b/src/network/access/qnetworkaccessbackend.cpp @@ -396,30 +396,8 @@ bool QNetworkAccessBackend::start() #endif #ifndef QT_NO_NETWORKPROXY -#ifndef QT_NO_BEARERMANAGEMENT - // Get the proxy settings from the network session (in the case of service networks, - // the proxy settings change depending which AP was activated) - QNetworkSession *session = networkSession.data(); - QNetworkConfiguration config; - if (session) { - QNetworkConfigurationManager configManager; - // The active configuration tells us what IAP is in use - QVariant v = session->sessionProperty(QLatin1String("ActiveConfiguration")); - if (v.isValid()) - config = configManager.configurationFromIdentifier(qvariant_cast<QString>(v)); - // Fallback to using the configuration if no active configuration - if (!config.isValid()) - config = session->configuration(); - // or unspecified configuration if that is no good either - if (!config.isValid()) - config = QNetworkConfiguration(); - } - reply->proxyList = manager->queryProxy(QNetworkProxyQuery(config, url())); -#else // QT_NO_BEARERMANAGEMENT - // Without bearer management, the proxy depends only on the url reply->proxyList = manager->queryProxy(QNetworkProxyQuery(url())); #endif -#endif // now start the request open(); diff --git a/src/network/access/qnetworkaccessmanager.cpp b/src/network/access/qnetworkaccessmanager.cpp index fba5755b77..67b765d9e6 100644 --- a/src/network/access/qnetworkaccessmanager.cpp +++ b/src/network/access/qnetworkaccessmanager.cpp @@ -735,9 +735,51 @@ bool QNetworkAccessManager::isStrictTransportSecurityEnabled() const } /*! + \since 5.10 + + If \a enabled is \c true, the internal HSTS cache will use a persistent store + to read and write HSTS policies. \a storeDir defines where this store will be + located. The default location is defined by QStandardPaths::CacheLocation. + If there is no writable QStandartPaths::CacheLocation and \a storeDir is an + empty string, the store will be located in the program's working directory. + + \note If HSTS cache already contains HSTS policies by the time persistent + store is enabled, these policies will be preserved in the store. In case both + cache and store contain the same known hosts, policies from cache are considered + to be more up-to-date (and thus will overwrite the previous values in the store). + If this behavior is undesired, enable HSTS store before enabling Strict Tranport + Security. By default, the persistent store of HSTS policies is disabled. + + \sa isStrictTransportSecurityStoreEnabled(), setStrictTransportSecurityEnabled(), + QStandardPaths::standardLocations() +*/ + +void QNetworkAccessManager::enableStrictTransportSecurityStore(bool enabled, const QString &storeDir) +{ + Q_D(QNetworkAccessManager); + d->stsStore.reset(enabled ? new QHstsStore(storeDir) : nullptr); + d->stsCache.setStore(d->stsStore.data()); +} + +/*! + \since 5.10 + + Returns true if HSTS cache uses a permanent store to load and store HSTS + policies. + + \sa enableStrictTransportSecurityStore() +*/ + +bool QNetworkAccessManager::isStrictTransportSecurityStoreEnabled() const +{ + Q_D(const QNetworkAccessManager); + return bool(d->stsStore.data()); +} + +/*! \since 5.9 - Adds HTTP Strict Transport Security policies into HSTS cache. + Adds HTTP Strict Transport Security policies contained in \a knownHosts into HSTS cache. \note An expired policy will remove a known host from the cache, if previously present. @@ -749,7 +791,7 @@ bool QNetworkAccessManager::isStrictTransportSecurityEnabled() const policies, but this information can be overridden by "Strict-Transport-Security" response headers. - \sa addStrictTransportSecurityHosts(), QHstsPolicy + \sa addStrictTransportSecurityHosts(), enableStrictTransportSecurityStore(), QHstsPolicy */ void QNetworkAccessManager::addStrictTransportSecurityHosts(const QVector<QHstsPolicy> &knownHosts) diff --git a/src/network/access/qnetworkaccessmanager.h b/src/network/access/qnetworkaccessmanager.h index f035ac5b00..4806ec0475 100644 --- a/src/network/access/qnetworkaccessmanager.h +++ b/src/network/access/qnetworkaccessmanager.h @@ -42,6 +42,7 @@ #include <QtNetwork/qtnetworkglobal.h> #include <QtNetwork/qnetworkrequest.h> +#include <QtCore/QString> #include <QtCore/QVector> #include <QtCore/QObject> #ifndef QT_NO_SSL @@ -124,6 +125,8 @@ public: void setStrictTransportSecurityEnabled(bool enabled); bool isStrictTransportSecurityEnabled() const; + void enableStrictTransportSecurityStore(bool enabled, const QString &storeDir = QString()); + bool isStrictTransportSecurityStoreEnabled() const; void addStrictTransportSecurityHosts(const QVector<QHstsPolicy> &knownHosts); QVector<QHstsPolicy> strictTransportSecurityHosts() const; diff --git a/src/network/access/qnetworkaccessmanager_p.h b/src/network/access/qnetworkaccessmanager_p.h index 13a26a54f1..e5257251a4 100644 --- a/src/network/access/qnetworkaccessmanager_p.h +++ b/src/network/access/qnetworkaccessmanager_p.h @@ -56,6 +56,7 @@ #include "qnetworkaccesscache_p.h" #include "qnetworkaccessbackend_p.h" #include "qnetworkrequest.h" +#include "qhstsstore_p.h" #include "qhsts_p.h" #include "private/qobject_p.h" #include "QtNetwork/qnetworkproxy.h" @@ -211,6 +212,7 @@ public: Q_AUTOTEST_EXPORT static void clearConnectionCache(QNetworkAccessManager *manager); QHstsCache stsCache; + QScopedPointer<QHstsStore> stsStore; bool stsEnabled = false; #ifndef QT_NO_BEARERMANAGEMENT diff --git a/src/network/access/qnetworkdiskcache.cpp b/src/network/access/qnetworkdiskcache.cpp index fca880d9b3..c9d658225e 100644 --- a/src/network/access/qnetworkdiskcache.cpp +++ b/src/network/access/qnetworkdiskcache.cpp @@ -537,7 +537,9 @@ qint64 QNetworkDiskCache::expire() QFileInfo info = it.fileInfo(); QString fileName = info.fileName(); if (fileName.endsWith(CACHE_POSTFIX)) { - cacheItems.insert(info.created(), path); + const QDateTime birthTime = info.fileTime(QFile::FileBirthTime); + cacheItems.insert(birthTime.isValid() ? birthTime + : info.fileTime(QFile::FileMetadataChangeTime), path); totalSize += info.size(); } } diff --git a/src/network/access/qnetworkreply.cpp b/src/network/access/qnetworkreply.cpp index abe952cd08..11d8f0e3f7 100644 --- a/src/network/access/qnetworkreply.cpp +++ b/src/network/access/qnetworkreply.cpp @@ -311,9 +311,11 @@ QNetworkReplyPrivate::QNetworkReplyPrivate() When client code handling the redirected() signal has verified the new URL, it emits this signal to allow the redirect to go ahead. This protocol applies to network requests whose redirects policy is set to - QNetworkRequest::UserVerifiedRedirectsPolicy. + QNetworkRequest::UserVerifiedRedirectPolicy - \sa QNetworkRequest::UserVerifiedRedirectPolicy, QNetworkAccessManager::setRedirectPolicy(), QNetworkRequest::RedirectPolicyAttribute + \sa QNetworkRequest::UserVerifiedRedirectPolicy, + QNetworkAccessManager::setRedirectPolicy(), + QNetworkRequest::RedirectPolicyAttribute */ /*! diff --git a/src/network/access/qnetworkreplyhttpimpl.cpp b/src/network/access/qnetworkreplyhttpimpl.cpp index 73f88025ac..382da0db5a 100644 --- a/src/network/access/qnetworkreplyhttpimpl.cpp +++ b/src/network/access/qnetworkreplyhttpimpl.cpp @@ -191,7 +191,8 @@ QNetworkReplyHttpImpl::QNetworkReplyHttpImpl(QNetworkAccessManager* const manage d->outgoingData = outgoingData; d->url = request.url(); #ifndef QT_NO_SSL - d->sslConfiguration = request.sslConfiguration(); + if (request.url().scheme() == QLatin1String("https")) + d->sslConfiguration.reset(new QSslConfiguration(request.sslConfiguration())); #endif // FIXME Later maybe set to Unbuffered, especially if it is zerocopy or from cache? @@ -430,7 +431,10 @@ void QNetworkReplyHttpImpl::setSslConfigurationImplementation(const QSslConfigur void QNetworkReplyHttpImpl::sslConfigurationImplementation(QSslConfiguration &configuration) const { Q_D(const QNetworkReplyHttpImpl); - configuration = d->sslConfiguration; + if (d->sslConfiguration.data()) + configuration = *d->sslConfiguration; + else + configuration = request().sslConfiguration(); } #endif @@ -780,6 +784,10 @@ void QNetworkReplyHttpImplPrivate::postRequest(const QNetworkRequest &newHttpReq // Create the HTTP thread delegate QHttpThreadDelegate *delegate = new QHttpThreadDelegate; + // Propagate Http/2 settings if any + const QVariant blob(manager->property(Http2::http2ParametersPropertyName)); + if (blob.isValid() && blob.canConvert<Http2::ProtocolParameters>()) + delegate->http2Parameters = blob.value<Http2::ProtocolParameters>(); #ifndef QT_NO_BEARERMANAGEMENT delegate->networkSession = managerPrivate->getNetworkSession(); #endif @@ -797,7 +805,7 @@ void QNetworkReplyHttpImplPrivate::postRequest(const QNetworkRequest &newHttpReq delegate->ssl = ssl; #ifndef QT_NO_SSL if (ssl) - delegate->incomingSslConfiguration = newHttpRequest.sslConfiguration(); + delegate->incomingSslConfiguration.reset(new QSslConfiguration(newHttpRequest.sslConfiguration())); #endif // Do we use synchronous HTTP? @@ -1456,10 +1464,13 @@ void QNetworkReplyHttpImplPrivate::replySslErrors( *toBeIgnored = pendingIgnoreSslErrorsList; } -void QNetworkReplyHttpImplPrivate::replySslConfigurationChanged(const QSslConfiguration &sslConfiguration) +void QNetworkReplyHttpImplPrivate::replySslConfigurationChanged(const QSslConfiguration &newSslConfiguration) { // Receiving the used SSL configuration from the HTTP thread - this->sslConfiguration = sslConfiguration; + if (sslConfiguration.data()) + *sslConfiguration = newSslConfiguration; + else + sslConfiguration.reset(new QSslConfiguration(newSslConfiguration)); } void QNetworkReplyHttpImplPrivate::replyPreSharedKeyAuthenticationRequiredSlot(QSslPreSharedKeyAuthenticator *authenticator) diff --git a/src/network/access/qnetworkreplyhttpimpl_p.h b/src/network/access/qnetworkreplyhttpimpl_p.h index 1eedfa5a5d..9d47f65ce7 100644 --- a/src/network/access/qnetworkreplyhttpimpl_p.h +++ b/src/network/access/qnetworkreplyhttpimpl_p.h @@ -58,6 +58,7 @@ #include "QtCore/qpointer.h" #include "QtCore/qdatetime.h" #include "QtCore/qsharedpointer.h" +#include "QtCore/qscopedpointer.h" #include "qatomic.h" #include <QtNetwork/QNetworkCacheMetaData> @@ -264,7 +265,7 @@ public: #ifndef QT_NO_SSL - QSslConfiguration sslConfiguration; + QScopedPointer<QSslConfiguration> sslConfiguration; bool pendingIgnoreAllSslErrors; QList<QSslError> pendingIgnoreSslErrorsList; #endif @@ -294,7 +295,7 @@ public: #ifndef QT_NO_SSL void replyEncrypted(); void replySslErrors(const QList<QSslError> &, bool *, QList<QSslError> *); - void replySslConfigurationChanged(const QSslConfiguration&); + void replySslConfigurationChanged(const QSslConfiguration &newSslConfiguration); void replyPreSharedKeyAuthenticationRequiredSlot(QSslPreSharedKeyAuthenticator *); #endif #ifndef QT_NO_NETWORKPROXY diff --git a/src/network/bearer/qnetworkconfiguration.cpp b/src/network/bearer/qnetworkconfiguration.cpp index f1619ab7c0..3367de80c8 100644 --- a/src/network/bearer/qnetworkconfiguration.cpp +++ b/src/network/bearer/qnetworkconfiguration.cpp @@ -111,7 +111,7 @@ QT_BEGIN_NAMESPACE Depending on the type of configuration some states are transient in nature. A GPRS/UMTS connection may almost always be \l Discovered if the GSM/UMTS network is available. - However if the GSM/UMTS network looses the connection the associated configuration may change its state + However if the GSM/UMTS network loses the connection the associated configuration may change its state from \l Discovered to \l Defined as well. A similar use case might be triggered by WLAN availability. QNetworkConfigurationManager::updateConfigurations() can be used to manually trigger updates of states. Note that some platforms do not require such updates diff --git a/src/network/configure.json b/src/network/configure.json index 916448a727..d46fbfc101 100644 --- a/src/network/configure.json +++ b/src/network/configure.json @@ -89,31 +89,6 @@ }, "tests": { - "getaddrinfo": { - "label": "getaddrinfo()", - "type": "compile", - "test": { - "head": [ - "#include <stdio.h>", - "#include <stdlib.h>", - "#ifdef __MINGW32__", - "# include <winsock2.h>", - "# include <ws2tcpip.h>", - "#else", - "# include <sys/types.h>", - "# include <sys/socket.h>", - "# include <netdb.h>", - "#endif" - ], - "main": [ - "addrinfo *res = 0;", - "(void) getaddrinfo(\"foo\", 0, 0, &res);", - "freeaddrinfo(res);", - "gai_strerror(0);" - ] - }, - "use": "network" - }, "getifaddrs": { "label": "getifaddrs()", "type": "compile", @@ -154,6 +129,12 @@ ] }, "use": "network" + }, + "openssl11": { + "label": "OpenSSL v. 1.1 support", + "type": "compile", + "test": "unix/openssl11", + "use": "network" } }, @@ -164,11 +145,6 @@ "emitIf": "config.darwin", "output": [ "feature", "privateFeature" ] }, - "getaddrinfo": { - "label": "getaddrinfo()", - "condition": "tests.getaddrinfo", - "output": [ "feature" ] - }, "getifaddrs": { "label": "getifaddrs()", "condition": "tests.getifaddrs", @@ -221,6 +197,11 @@ "condition": "config.winrt || features.securetransport || features.openssl", "output": [ "publicFeature", "feature" ] }, + "opensslv11": { + "label": "OpenSSL v. 1.1", + "condition": "tests.openssl11", + "output": ["publicFeature", "feature"] + }, "sctp": { "label": "SCTP", "autoDetect": false, @@ -254,14 +235,13 @@ "label": "QNetworkProxy", "purpose": "Provides network proxy support.", "section": "Networking", - "condition": "!config.winrt", "output": [ "publicFeature", "feature" ] }, "socks5": { "label": "SOCKS5", "purpose": "Provides SOCKS5 support in QNetworkProxy.", "section": "Networking", - "condition": "!config.winrt && features.networkproxy", + "condition": "features.networkproxy", "output": [ "publicFeature", "feature" ] }, "networkinterface": { @@ -327,7 +307,7 @@ For example: "args": "corewlan", "condition": "config.darwin" }, - "getaddrinfo", "getifaddrs", "ipv6ifname", "libproxy", + "getifaddrs", "ipv6ifname", "libproxy", { "type": "feature", "args": "securetransport", diff --git a/src/network/kernel/kernel.pri b/src/network/kernel/kernel.pri index 1b62892c9f..b822a70e88 100644 --- a/src/network/kernel/kernel.pri +++ b/src/network/kernel/kernel.pri @@ -49,8 +49,6 @@ win32: { SOURCES += kernel/qdnslookup_win.cpp \ kernel/qnetworkinterface_win.cpp LIBS_PRIVATE += -ldnsapi -liphlpapi - DEFINES += WINVER=0x0600 _WIN32_WINNT=0x0600 - } else { SOURCES += kernel/qdnslookup_winrt.cpp \ kernel/qnetworkinterface_winrt.cpp @@ -63,7 +61,7 @@ mac { } osx:SOURCES += kernel/qnetworkproxy_mac.cpp -else:win32:SOURCES += kernel/qnetworkproxy_win.cpp +else:win32:!winrt: SOURCES += kernel/qnetworkproxy_win.cpp else: qtConfig(libproxy) { SOURCES += kernel/qnetworkproxy_libproxy.cpp QMAKE_USE_PRIVATE += libproxy libdl diff --git a/src/network/kernel/qauthenticator.cpp b/src/network/kernel/qauthenticator.cpp index 099d9586d2..a3ccf13e82 100644 --- a/src/network/kernel/qauthenticator.cpp +++ b/src/network/kernel/qauthenticator.cpp @@ -48,6 +48,7 @@ #include <qendian.h> #include <qstring.h> #include <qdatetime.h> +#include <qrandom.h> #ifdef Q_OS_WIN #include <qmutex.h> @@ -357,7 +358,7 @@ QAuthenticatorPrivate::QAuthenticatorPrivate() , phase(Start) , nonceCount(0) { - cnonce = QCryptographicHash::hash(QByteArray::number(qrand(), 16) + QByteArray::number(qrand(), 16), + cnonce = QCryptographicHash::hash(QByteArray::number(QRandomGenerator::system()->generate64(), 16), QCryptographicHash::Md5).toHex(); nonceCount = 0; } diff --git a/src/network/kernel/qdnslookup.cpp b/src/network/kernel/qdnslookup.cpp index 6203ba37b3..10ff35b72c 100644 --- a/src/network/kernel/qdnslookup.cpp +++ b/src/network/kernel/qdnslookup.cpp @@ -42,7 +42,7 @@ #include <qcoreapplication.h> #include <qdatetime.h> -#include <qthreadstorage.h> +#include <qrandom.h> #include <qurl.h> #include <algorithm> @@ -50,7 +50,6 @@ QT_BEGIN_NAMESPACE Q_GLOBAL_STATIC(QDnsLookupThreadPool, theDnsLookupThreadPool); -Q_GLOBAL_STATIC(QThreadStorage<bool *>, theDnsLookupSeedStorage); static bool qt_qdnsmailexchangerecord_less_than(const QDnsMailExchangeRecord &r1, const QDnsMailExchangeRecord &r2) { @@ -85,7 +84,7 @@ static void qt_qdnsmailexchangerecord_sort(QList<QDnsMailExchangeRecord> &record // Randomize the slice of records. while (!slice.isEmpty()) { - const unsigned int pos = qrand() % slice.size(); + const unsigned int pos = QRandomGenerator::global()->bounded(slice.size()); records[i++] = slice.takeAt(pos); } } @@ -134,7 +133,7 @@ static void qt_qdnsservicerecord_sort(QList<QDnsServiceRecord> &records) // Order the slice of records. while (!slice.isEmpty()) { - const unsigned int weightThreshold = qrand() % (sliceWeight + 1); + const unsigned int weightThreshold = QRandomGenerator::global()->bounded(sliceWeight + 1); unsigned int summedWeight = 0; for (int j = 0; j < slice.size(); ++j) { summedWeight += slice.at(j).weight(); @@ -1011,10 +1010,6 @@ void QDnsLookupRunnable::run() query(requestType, requestName, nameserver, &reply); // Sort results. - if (!theDnsLookupSeedStorage()->hasLocalData()) { - qsrand(QTime(0,0,0).msecsTo(QTime::currentTime()) ^ reinterpret_cast<quintptr>(this)); - theDnsLookupSeedStorage()->setLocalData(new bool(true)); - } qt_qdnsmailexchangerecord_sort(reply.mailExchangeRecords); qt_qdnsservicerecord_sort(reply.serviceRecords); diff --git a/src/network/kernel/qhostaddress.cpp b/src/network/kernel/qhostaddress.cpp index a8d3a0bf98..a1adc61c4c 100644 --- a/src/network/kernel/qhostaddress.cpp +++ b/src/network/kernel/qhostaddress.cpp @@ -44,6 +44,7 @@ #include "qdebug.h" #if defined(Q_OS_WIN) # include <winsock2.h> +# include <ws2tcpip.h> #else # include <netinet/in.h> #endif @@ -63,36 +64,6 @@ QT_BEGIN_NAMESPACE -#ifdef Q_OS_WIN -// sockaddr_in6 size changed between old and new SDK -// Only the new version is the correct one, so always -// use this structure. -#if defined(Q_OS_WINRT) -# if !defined(u_char) -# define u_char unsigned char -# endif -# if !defined(u_short) -# define u_short unsigned short -# endif -# if !defined(u_long) -# define u_long unsigned long -# endif -#endif -struct qt_in6_addr { - u_char qt_s6_addr[16]; -}; -typedef struct { - short sin6_family; /* AF_INET6 */ - u_short sin6_port; /* Transport level port number */ - u_long sin6_flowinfo; /* IPv6 flow information */ - struct qt_in6_addr sin6_addr; /* IPv6 address */ - u_long sin6_scope_id; /* set of interfaces for a scope */ -} qt_sockaddr_in6; -#else -#define qt_sockaddr_in6 sockaddr_in6 -#define qt_s6_addr s6_addr -#endif - class QHostAddressPrivate : public QSharedData { @@ -235,18 +206,8 @@ void QHostAddressPrivate::clear() } -bool QNetmaskAddress::setAddress(const QString &address) -{ - d.detach(); - length = -1; - QHostAddress other; - return other.setAddress(address) && setAddress(other); -} - -bool QNetmaskAddress::setAddress(const QHostAddress &address) +bool QNetmask::setAddress(const QHostAddress &address) { - d.detach(); - static const quint8 zeroes[16] = { 0 }; union { quint32 v4; @@ -258,16 +219,13 @@ bool QNetmaskAddress::setAddress(const QHostAddress &address) quint8 *end; length = -1; - QHostAddress::operator=(address); - - if (d->protocol == QAbstractSocket::IPv4Protocol) { - ip.v4 = qToBigEndian(d->a); + if (address.protocol() == QAbstractSocket::IPv4Protocol) { + ip.v4 = qToBigEndian(address.toIPv4Address()); end = ptr + 4; - } else if (d->protocol == QAbstractSocket::IPv6Protocol) { - memcpy(ip.v6, d->a6.c, 16); + } else if (address.protocol() == QAbstractSocket::IPv6Protocol) { + memcpy(ip.v6, address.toIPv6Address().c, 16); end = ptr + 16; } else { - d->clear(); return false; } @@ -279,7 +237,6 @@ bool QNetmaskAddress::setAddress(const QHostAddress &address) continue; default: - d->clear(); return false; // invalid IP-style netmask case 254: @@ -310,10 +267,8 @@ bool QNetmaskAddress::setAddress(const QHostAddress &address) } // confirm that the rest is only zeroes - if (ptr < end && memcmp(ptr + 1, zeroes, end - ptr - 1) != 0) { - d->clear(); + if (ptr < end && memcmp(ptr + 1, zeroes, end - ptr - 1) != 0) return false; - } length = netmask; return true; @@ -333,35 +288,25 @@ static void clearBits(quint8 *where, int start, int end) memset(where + (start + 7) / 8, 0, end / 8 - (start + 7) / 8); } -int QNetmaskAddress::prefixLength() const +QHostAddress QNetmask::address(QAbstractSocket::NetworkLayerProtocol protocol) const { - return length; -} - -void QNetmaskAddress::setPrefixLength(QAbstractSocket::NetworkLayerProtocol proto, int newLength) -{ - d.detach(); - length = newLength; - if (length < 0 || length > (proto == QAbstractSocket::IPv4Protocol ? 32 : - proto == QAbstractSocket::IPv6Protocol ? 128 : -1)) { - // invalid information, reject - d->protocol = QAbstractSocket::UnknownNetworkLayerProtocol; - length = -1; - return; - } - - d->protocol = proto; - if (d->protocol == QAbstractSocket::IPv4Protocol) { - if (length == 0) { - d->a = 0; - } else if (length == 32) { - d->a = quint32(0xffffffff); - } else { - d->a = quint32(0xffffffff) >> (32 - length) << (32 - length); - } + if (length == 255 || protocol == QAbstractSocket::AnyIPProtocol || + protocol == QAbstractSocket::UnknownNetworkLayerProtocol) { + return QHostAddress(); + } else if (protocol == QAbstractSocket::IPv4Protocol) { + quint32 a; + if (length == 0) + a = 0; + else if (length == 32) + a = quint32(0xffffffff); + else + a = quint32(0xffffffff) >> (32 - length) << (32 - length); + return QHostAddress(a); } else { - memset(d->a6.c, 0xFF, sizeof(d->a6)); - clearBits(d->a6.c, length, 128); + Q_IPV6ADDR a6; + memset(a6.c, 0xFF, sizeof(a6)); + clearBits(a6.c, length, 128); + return QHostAddress(a6); } } @@ -495,7 +440,7 @@ QHostAddress::QHostAddress(const struct sockaddr *sockaddr) if (sockaddr->sa_family == AF_INET) setAddress(htonl(((const sockaddr_in *)sockaddr)->sin_addr.s_addr)); else if (sockaddr->sa_family == AF_INET6) - setAddress(((const qt_sockaddr_in6 *)sockaddr)->sin6_addr.qt_s6_addr); + setAddress(((const sockaddr_in6 *)sockaddr)->sin6_addr.s6_addr); #else Q_UNUSED(sockaddr) #endif @@ -675,7 +620,7 @@ void QHostAddress::setAddress(const struct sockaddr *sockaddr) if (sockaddr->sa_family == AF_INET) setAddress(htonl(((const sockaddr_in *)sockaddr)->sin_addr.s_addr)); else if (sockaddr->sa_family == AF_INET6) - setAddress(((const qt_sockaddr_in6 *)sockaddr)->sin6_addr.qt_s6_addr); + setAddress(((const sockaddr_in6 *)sockaddr)->sin6_addr.s6_addr); #else Q_UNUSED(sockaddr) #endif @@ -1133,8 +1078,11 @@ QPair<QHostAddress, int> QHostAddress::parseSubnet(const QString &subnet) // is the netmask given in IP-form or in bit-count form? if (!isIpv6 && subnet.indexOf(QLatin1Char('.'), slash + 1) != -1) { // IP-style, convert it to bit-count form - QNetmaskAddress parser; - if (!parser.setAddress(subnet.mid(slash + 1))) + QHostAddress mask; + QNetmask parser; + if (!mask.setAddress(subnet.mid(slash + 1))) + return invalid; + if (!parser.setAddress(mask)) return invalid; netmask = parser.prefixLength(); } else { diff --git a/src/network/kernel/qhostaddress_p.h b/src/network/kernel/qhostaddress_p.h index 55c3e5afde..5106760ed9 100644 --- a/src/network/kernel/qhostaddress_p.h +++ b/src/network/kernel/qhostaddress_p.h @@ -57,17 +57,32 @@ QT_BEGIN_NAMESPACE -class QNetmaskAddress: public QHostAddress +class QNetmask { - int length; + // stores 0-32 for IPv4, 0-128 for IPv6, or 255 for invalid + quint8 length; public: - QNetmaskAddress() : QHostAddress(), length(-1) { } + Q_DECL_CONSTEXPR QNetmask() : length(255) {} - bool setAddress(const QString &address); bool setAddress(const QHostAddress &address); + QHostAddress address(QAbstractSocket::NetworkLayerProtocol protocol) const; - int prefixLength() const; - void setPrefixLength(QAbstractSocket::NetworkLayerProtocol proto, int len); + int prefixLength() const { return length == 255 ? -1 : length; } + void setPrefixLength(QAbstractSocket::NetworkLayerProtocol proto, int len) + { + int maxlen = -1; + if (proto == QAbstractSocket::IPv4Protocol) + maxlen = 32; + else if (proto == QAbstractSocket::IPv6Protocol) + maxlen = 128; + if (len > maxlen || len < 0) + length = 255U; + else + length = unsigned(len); + } + + friend bool operator==(QNetmask n1, QNetmask n2) + { return n1.length == n2.length; } }; QT_END_NAMESPACE diff --git a/src/network/kernel/qhostinfo.cpp b/src/network/kernel/qhostinfo.cpp index 46123eb8a7..0156e22d41 100644 --- a/src/network/kernel/qhostinfo.cpp +++ b/src/network/kernel/qhostinfo.cpp @@ -279,6 +279,27 @@ int QHostInfo::lookupHost(const QString &name, QObject *receiver, } /*! + \fn QHostInfo &QHostInfo::operator=(QHostInfo &&other) + + Move-assigns \a other to this QHostInfo instance. + + \note The moved-from object \a other is placed in a + partially-formed state, in which the only valid operations are + destruction and assignment of a new value. + + \since 5.10 +*/ + +/*! + \fn void QHostInfo::swap(QHostInfo &other) + + Swaps host-info \a other with this host-info. This operation is + very fast and never fails. + + \since 5.10 +*/ + +/*! \fn int QHostInfo::lookupHost(const QString &name, const QObject *receiver, PointerToMemberFunction function) \since 5.9 diff --git a/src/network/kernel/qhostinfo.h b/src/network/kernel/qhostinfo.h index 4484d718bd..c5727bb6eb 100644 --- a/src/network/kernel/qhostinfo.h +++ b/src/network/kernel/qhostinfo.h @@ -63,8 +63,11 @@ public: explicit QHostInfo(int lookupId = -1); QHostInfo(const QHostInfo &d); QHostInfo &operator=(const QHostInfo &d); + QHostInfo &operator=(QHostInfo &&other) Q_DECL_NOTHROW { swap(other); return *this; } ~QHostInfo(); + void swap(QHostInfo &other) Q_DECL_NOTHROW { qSwap(d, other.d); } + QString hostName() const; void setHostName(const QString &name); @@ -125,7 +128,7 @@ public: !std::is_same<const char *, Func>::value, int>::type lookupHost(const QString &name, Func slot) { - return lookupHost(name, nullptr, slot); + return lookupHost(name, nullptr, std::move(slot)); } // lookupHost to a functor or function pointer (with context) @@ -141,7 +144,7 @@ public: auto slotObj = new QtPrivate::QFunctorSlotObject<Func1, 1, typename QtPrivate::List<QHostInfo>, - void>(slot); + void>(std::move(slot)); return lookupHostImpl(name, context, slotObj); } #endif // Q_QDOC @@ -154,6 +157,8 @@ private: QtPrivate::QSlotObjectBase *slotObj); }; +Q_DECLARE_SHARED_NOT_MOVABLE_UNTIL_QT6(QHostInfo) + QT_END_NAMESPACE Q_DECLARE_METATYPE(QHostInfo) diff --git a/src/network/kernel/qhostinfo_unix.cpp b/src/network/kernel/qhostinfo_unix.cpp index 9a24938284..8d2cffc304 100644 --- a/src/network/kernel/qhostinfo_unix.cpp +++ b/src/network/kernel/qhostinfo_unix.cpp @@ -66,10 +66,6 @@ # include <gnu/lib-names.h> #endif -#if defined (QT_NO_GETADDRINFO) -static QBasicMutex getHostByNameMutex; -#endif - QT_BEGIN_NAMESPACE // Almost always the same. If not, specify in qplatformdefs.h. @@ -150,7 +146,6 @@ QHostInfo QHostInfoAgent::fromName(const QString &hostName) QHostAddress address; if (address.setAddress(hostName)) { // Reverse lookup -#if !defined (QT_NO_GETADDRINFO) sockaddr_in sa4; sockaddr_in6 sa6; sockaddr *sa = 0; @@ -173,12 +168,6 @@ QHostInfo QHostInfoAgent::fromName(const QString &hostName) char hbuf[NI_MAXHOST]; if (sa && getnameinfo(sa, saSize, hbuf, sizeof(hbuf), 0, 0, 0) == 0) results.setHostName(QString::fromLatin1(hbuf)); -#else - in_addr_t inetaddr = qt_safe_inet_addr(hostName.toLatin1().constData()); - struct hostent *ent = gethostbyaddr((const char *)&inetaddr, sizeof(inetaddr), AF_INET); - if (ent) - results.setHostName(QString::fromLatin1(ent->h_name)); -#endif if (results.hostName().isEmpty()) results.setHostName(address.toString()); @@ -197,7 +186,6 @@ QHostInfo QHostInfoAgent::fromName(const QString &hostName) return results; } -#if !defined (QT_NO_GETADDRINFO) // Call getaddrinfo, and place all IPv4 addresses at the start and // the IPv6 addresses at the end of the address list in results. addrinfo *res = 0; @@ -264,39 +252,6 @@ QHostInfo QHostInfoAgent::fromName(const QString &hostName) results.setErrorString(QString::fromLocal8Bit(gai_strerror(result))); } -#else - // Fall back to gethostbyname for platforms that don't define - // getaddrinfo. gethostbyname does not support IPv6, and it's not - // reentrant on all platforms. For now this is okay since we only - // use one QHostInfoAgent, but if more agents are introduced, locking - // must be provided. - QMutexLocker locker(&getHostByNameMutex); - hostent *result = gethostbyname(aceHostname.constData()); - if (result) { - if (result->h_addrtype == AF_INET) { - QList<QHostAddress> addresses; - for (char **p = result->h_addr_list; *p != 0; p++) { - QHostAddress addr; - addr.setAddress(ntohl(*((quint32 *)*p))); - if (!addresses.contains(addr)) - addresses.prepend(addr); - } - results.setAddresses(addresses); - } else { - results.setError(QHostInfo::UnknownError); - results.setErrorString(tr("Unknown address type")); - } -#if !defined(Q_OS_VXWORKS) - } else if (h_errno == HOST_NOT_FOUND || h_errno == NO_DATA - || h_errno == NO_ADDRESS) { - results.setError(QHostInfo::HostNotFound); - results.setErrorString(tr("Host not found")); -#endif - } else { - results.setError(QHostInfo::UnknownError); - results.setErrorString(tr("Unknown error")); - } -#endif // !defined (QT_NO_GETADDRINFO) #if defined(QHOSTINFO_DEBUG) if (results.error() != QHostInfo::NoError) { @@ -339,11 +294,6 @@ QString QHostInfo::localDomainName() if (local_res_init && local_res) { // using thread-unsafe version -#if defined(QT_NO_GETADDRINFO) - // We have to call res_init to be sure that _res was initialized - // So, for systems without getaddrinfo (which is thread-safe), we lock the mutex too - QMutexLocker locker(&getHostByNameMutex); -#endif local_res_init(); QString domainName = QUrl::fromAce(local_res->defdname); if (domainName.isEmpty()) diff --git a/src/network/kernel/qhostinfo_win.cpp b/src/network/kernel/qhostinfo_win.cpp index 9e5d556f2b..bea24b0af2 100644 --- a/src/network/kernel/qhostinfo_win.cpp +++ b/src/network/kernel/qhostinfo_win.cpp @@ -50,50 +50,12 @@ QT_BEGIN_NAMESPACE //#define QHOSTINFO_DEBUG -// Older SDKs do not include the addrinfo struct declaration, so we -// include a copy of it here. -struct qt_addrinfo -{ - int ai_flags; - int ai_family; - int ai_socktype; - int ai_protocol; - size_t ai_addrlen; - char *ai_canonname; - sockaddr *ai_addr; - qt_addrinfo *ai_next; -}; - //### #define QT_SOCKLEN_T int #ifndef NI_MAXHOST // already defined to 1025 in ws2tcpip.h? #define NI_MAXHOST 1024 #endif -typedef int (__stdcall *getnameinfoProto)(const sockaddr *, QT_SOCKLEN_T, const char *, DWORD, const char *, DWORD, int); -typedef int (__stdcall *getaddrinfoProto)(const char *, const char *, const qt_addrinfo *, qt_addrinfo **); -typedef int (__stdcall *freeaddrinfoProto)(qt_addrinfo *); -static getnameinfoProto local_getnameinfo = 0; -static getaddrinfoProto local_getaddrinfo = 0; -static freeaddrinfoProto local_freeaddrinfo = 0; - -static bool resolveLibraryInternal() -{ - // Attempt to resolve getaddrinfo(); without it we'll have to fall - // back to gethostbyname(), which has no IPv6 support. -#if defined (Q_OS_WINRT) - local_getaddrinfo = (getaddrinfoProto) &getaddrinfo; - local_freeaddrinfo = (freeaddrinfoProto) &freeaddrinfo; - local_getnameinfo = (getnameinfoProto) getnameinfo; -#else - local_getaddrinfo = (getaddrinfoProto) QSystemLibrary::resolve(QLatin1String("ws2_32"), "getaddrinfo"); - local_freeaddrinfo = (freeaddrinfoProto) QSystemLibrary::resolve(QLatin1String("ws2_32"), "freeaddrinfo"); - local_getnameinfo = (getnameinfoProto) QSystemLibrary::resolve(QLatin1String("ws2_32"), "getnameinfo"); -#endif - return true; -} -Q_GLOBAL_STATIC_WITH_ARGS(bool, resolveLibrary, (resolveLibraryInternal())) - static void translateWSAError(int error, QHostInfo *results) { switch (error) { @@ -114,49 +76,39 @@ QHostInfo QHostInfoAgent::fromName(const QString &hostName) { QSysInfo::machineHostName(); // this initializes ws2_32.dll - // Load res_init on demand. - resolveLibrary(); - QHostInfo results; #if defined(QHOSTINFO_DEBUG) qDebug("QHostInfoAgent::fromName(): looking up \"%s\" (IPv6 support is %s)", hostName.toLatin1().constData(), - (local_getaddrinfo && local_freeaddrinfo) ? "enabled" : "disabled"); + (getaddrinfo && freeaddrinfo) ? "enabled" : "disabled"); #endif QHostAddress address; if (address.setAddress(hostName)) { // Reverse lookup - if (local_getnameinfo) { - sockaddr_in sa4; - sockaddr_in6 sa6; - sockaddr *sa; - QT_SOCKLEN_T saSize; - if (address.protocol() == QAbstractSocket::IPv4Protocol) { - sa = (sockaddr *)&sa4; - saSize = sizeof(sa4); - memset(&sa4, 0, sizeof(sa4)); - sa4.sin_family = AF_INET; - sa4.sin_addr.s_addr = htonl(address.toIPv4Address()); - } else { - sa = (sockaddr *)&sa6; - saSize = sizeof(sa6); - memset(&sa6, 0, sizeof(sa6)); - sa6.sin6_family = AF_INET6; - memcpy(&sa6.sin6_addr, address.toIPv6Address().c, sizeof(sa6.sin6_addr)); - } - - char hbuf[NI_MAXHOST]; - if (local_getnameinfo(sa, saSize, hbuf, sizeof(hbuf), 0, 0, 0) == 0) - results.setHostName(QString::fromLatin1(hbuf)); + sockaddr_in sa4; + sockaddr_in6 sa6; + sockaddr *sa; + QT_SOCKLEN_T saSize; + if (address.protocol() == QAbstractSocket::IPv4Protocol) { + sa = (sockaddr *)&sa4; + saSize = sizeof(sa4); + memset(&sa4, 0, sizeof(sa4)); + sa4.sin_family = AF_INET; + sa4.sin_addr.s_addr = htonl(address.toIPv4Address()); } else { - unsigned long addr = inet_addr(hostName.toLatin1().constData()); - struct hostent *ent = gethostbyaddr((const char*)&addr, sizeof(addr), AF_INET); - if (ent) - results.setHostName(QString::fromLatin1(ent->h_name)); + sa = (sockaddr *)&sa6; + saSize = sizeof(sa6); + memset(&sa6, 0, sizeof(sa6)); + sa6.sin6_family = AF_INET6; + memcpy(&sa6.sin6_addr, address.toIPv6Address().c, sizeof(sa6.sin6_addr)); } + char hbuf[NI_MAXHOST]; + if (getnameinfo(sa, saSize, hbuf, sizeof(hbuf), 0, 0, 0) == 0) + results.setHostName(QString::fromLatin1(hbuf)); + if (results.hostName().isEmpty()) results.setHostName(address.toString()); results.setAddresses(QList<QHostAddress>() << address); @@ -172,64 +124,35 @@ QHostInfo QHostInfoAgent::fromName(const QString &hostName) return results; } - if (local_getaddrinfo && local_freeaddrinfo) { - // Call getaddrinfo, and place all IPv4 addresses at the start - // and the IPv6 addresses at the end of the address list in - // results. - qt_addrinfo *res; - int err = local_getaddrinfo(aceHostname.constData(), 0, 0, &res); - if (err == 0) { - QList<QHostAddress> addresses; - for (qt_addrinfo *p = res; p != 0; p = p->ai_next) { - switch (p->ai_family) { - case AF_INET: { - QHostAddress addr; - addr.setAddress(ntohl(((sockaddr_in *) p->ai_addr)->sin_addr.s_addr)); - if (!addresses.contains(addr)) - addresses.append(addr); - } - break; - case AF_INET6: { - QHostAddress addr; - addr.setAddress(((sockaddr_in6 *) p->ai_addr)->sin6_addr.s6_addr); - if (!addresses.contains(addr)) - addresses.append(addr); - } - break; - default: - results.setError(QHostInfo::UnknownError); - results.setErrorString(tr("Unknown address type")); - } + addrinfo *res; + int err = getaddrinfo(aceHostname.constData(), 0, 0, &res); + if (err == 0) { + QList<QHostAddress> addresses; + for (addrinfo *p = res; p != 0; p = p->ai_next) { + switch (p->ai_family) { + case AF_INET: { + QHostAddress addr; + addr.setAddress(ntohl(((sockaddr_in *) p->ai_addr)->sin_addr.s_addr)); + if (!addresses.contains(addr)) + addresses.append(addr); + } + break; + case AF_INET6: { + QHostAddress addr; + addr.setAddress(((sockaddr_in6 *) p->ai_addr)->sin6_addr.s6_addr); + if (!addresses.contains(addr)) + addresses.append(addr); } - results.setAddresses(addresses); - local_freeaddrinfo(res); - } else { - translateWSAError(WSAGetLastError(), &results); - } - } else { - // Fall back to gethostbyname, which only supports IPv4. - hostent *ent = gethostbyname(aceHostname.constData()); - if (ent) { - char **p; - QList<QHostAddress> addresses; - switch (ent->h_addrtype) { - case AF_INET: - for (p = ent->h_addr_list; *p != 0; p++) { - long *ip4Addr = (long *) *p; - QHostAddress temp; - temp.setAddress(ntohl(*ip4Addr)); - addresses << temp; - } break; default: results.setError(QHostInfo::UnknownError); results.setErrorString(tr("Unknown address type")); - break; } - results.setAddresses(addresses); - } else { - translateWSAError(WSAGetLastError(), &results); } + results.setAddresses(addresses); + freeaddrinfo(res); + } else { + translateWSAError(WSAGetLastError(), &results); } #if defined(QHOSTINFO_DEBUG) diff --git a/src/network/kernel/qnetworkinterface.cpp b/src/network/kernel/qnetworkinterface.cpp index c5d1adbef0..3857ff87b9 100644 --- a/src/network/kernel/qnetworkinterface.cpp +++ b/src/network/kernel/qnetworkinterface.cpp @@ -257,7 +257,7 @@ void QNetworkAddressEntry::setIp(const QHostAddress &newIp) */ QHostAddress QNetworkAddressEntry::netmask() const { - return d->netmask; + return d->netmask.address(d->address.protocol()); } /*! @@ -270,7 +270,7 @@ QHostAddress QNetworkAddressEntry::netmask() const void QNetworkAddressEntry::setNetmask(const QHostAddress &newNetmask) { if (newNetmask.protocol() != ip().protocol()) { - d->netmask = QNetmaskAddress(); + d->netmask = QNetmask(); return; } @@ -355,9 +355,9 @@ void QNetworkAddressEntry::setBroadcast(const QHostAddress &newBroadcast) contain zero or more IP addresses, each of which is optionally associated with a netmask and/or a broadcast address. The list of such trios can be obtained with addressEntries(). Alternatively, - when the netmask or the broadcast addresses aren't necessary, use - the allAddresses() convenience function to obtain just the IP - addresses. + when the netmask or the broadcast addresses or other information aren't + necessary, use the allAddresses() convenience function to obtain just the + IP addresses of the active interfaces. QNetworkInterface also reports the interface's hardware address with hardwareAddress(). @@ -516,9 +516,9 @@ QString QNetworkInterface::hardwareAddress() const Returns the list of IP addresses that this interface possesses along with their associated netmasks and broadcast addresses. - If the netmask or broadcast address information is not necessary, - you can call the allAddresses() function to obtain just the IP - addresses. + If the netmask or broadcast address or other information is not necessary, + you can call the allAddresses() function to obtain just the IP addresses of + the active interfaces. */ QList<QNetworkAddressEntry> QNetworkInterface::addressEntries() const { @@ -624,16 +624,21 @@ QList<QNetworkInterface> QNetworkInterface::allInterfaces() } /*! - This convenience function returns all IP addresses found on the - host machine. It is equivalent to calling addressEntries() on all the - objects returned by allInterfaces() to obtain lists of QHostAddress - objects then calling QHostAddress::ip() on each of these. + This convenience function returns all IP addresses found on the host + machine. It is equivalent to calling addressEntries() on all the objects + returned by allInterfaces() that are in the QNetworkInterface::IsUp state + to obtain lists of QNetworkAddressEntry objects then calling + QNetworkAddressEntry::ip() on each of these. */ QList<QHostAddress> QNetworkInterface::allAddresses() { const QList<QSharedDataPointer<QNetworkInterfacePrivate> > privs = manager()->allInterfaces(); QList<QHostAddress> result; for (const auto &p : privs) { + // skip addresses if the interface isn't up + if ((p->flags & QNetworkInterface::IsUp) == 0) + continue; + for (const QNetworkAddressEntry &entry : qAsConst(p->addressEntries)) result += entry.ip(); } diff --git a/src/network/kernel/qnetworkinterface_p.h b/src/network/kernel/qnetworkinterface_p.h index ec25fdf37e..51901eeda8 100644 --- a/src/network/kernel/qnetworkinterface_p.h +++ b/src/network/kernel/qnetworkinterface_p.h @@ -68,8 +68,8 @@ class QNetworkAddressEntryPrivate { public: QHostAddress address; - QNetmaskAddress netmask; QHostAddress broadcast; + QNetmask netmask; }; class QNetworkInterfacePrivate: public QSharedData diff --git a/src/network/kernel/qnetworkinterface_win.cpp b/src/network/kernel/qnetworkinterface_win.cpp index 3002b2497b..64c3fa6f83 100644 --- a/src/network/kernel/qnetworkinterface_win.cpp +++ b/src/network/kernel/qnetworkinterface_win.cpp @@ -56,6 +56,7 @@ // (http://sourceforge.net/p/mingw-w64/mailman/message/32935366/) #include <winsock2.h> #include <ws2ipdef.h> +#include <wincrypt.h> #include <iphlpapi.h> #include <ws2tcpip.h> @@ -63,33 +64,6 @@ QT_BEGIN_NAMESPACE -typedef NETIO_STATUS (WINAPI *PtrConvertInterfaceIndexToLuid)(NET_IFINDEX, PNET_LUID); -typedef NETIO_STATUS (WINAPI *PtrConvertInterfaceLuidToName)(const NET_LUID *, PWSTR, SIZE_T); -typedef NETIO_STATUS (WINAPI *PtrConvertInterfaceLuidToIndex)(const NET_LUID *, PNET_IFINDEX); -typedef NETIO_STATUS (WINAPI *PtrConvertInterfaceNameToLuid)(const WCHAR *, PNET_LUID); -static PtrConvertInterfaceIndexToLuid ptrConvertInterfaceIndexToLuid = 0; -static PtrConvertInterfaceLuidToName ptrConvertInterfaceLuidToName = 0; -static PtrConvertInterfaceLuidToIndex ptrConvertInterfaceLuidToIndex = 0; -static PtrConvertInterfaceNameToLuid ptrConvertInterfaceNameToLuid = 0; - -static void resolveLibs() -{ - // try to find the functions we need from Iphlpapi.dll - static bool done = false; - - if (!done) { - HINSTANCE iphlpapiHnd = GetModuleHandle(L"iphlpapi"); - Q_ASSERT(iphlpapiHnd); - - // since Windows Vista - ptrConvertInterfaceIndexToLuid = (PtrConvertInterfaceIndexToLuid)GetProcAddress(iphlpapiHnd, "ConvertInterfaceIndexToLuid"); - ptrConvertInterfaceLuidToName = (PtrConvertInterfaceLuidToName)GetProcAddress(iphlpapiHnd, "ConvertInterfaceLuidToNameW"); - ptrConvertInterfaceLuidToIndex = (PtrConvertInterfaceLuidToIndex)GetProcAddress(iphlpapiHnd, "ConvertInterfaceLuidToIndex"); - ptrConvertInterfaceNameToLuid = (PtrConvertInterfaceNameToLuid)GetProcAddress(iphlpapiHnd, "ConvertInterfaceNameToLuidW"); - done = true; - } -} - static QHostAddress addressFromSockaddr(sockaddr *sa) { QHostAddress address; @@ -111,80 +85,32 @@ static QHostAddress addressFromSockaddr(sockaddr *sa) uint QNetworkInterfaceManager::interfaceIndexFromName(const QString &name) { - resolveLibs(); - if (!ptrConvertInterfaceNameToLuid || !ptrConvertInterfaceLuidToIndex) - return 0; - NET_IFINDEX id; NET_LUID luid; - if (ptrConvertInterfaceNameToLuid(reinterpret_cast<const wchar_t *>(name.constData()), &luid) == NO_ERROR - && ptrConvertInterfaceLuidToIndex(&luid, &id) == NO_ERROR) + if (ConvertInterfaceNameToLuidW(reinterpret_cast<const wchar_t *>(name.constData()), &luid) == NO_ERROR + && ConvertInterfaceLuidToIndex(&luid, &id) == NO_ERROR) return uint(id); return 0; } QString QNetworkInterfaceManager::interfaceNameFromIndex(uint index) { - resolveLibs(); - if (ptrConvertInterfaceIndexToLuid && ptrConvertInterfaceLuidToName) { - NET_LUID luid; - if (ptrConvertInterfaceIndexToLuid(index, &luid) == NO_ERROR) { - WCHAR buf[IF_MAX_STRING_SIZE + 1]; - if (ptrConvertInterfaceLuidToName(&luid, buf, sizeof(buf)/sizeof(buf[0])) == NO_ERROR) - return QString::fromWCharArray(buf); - } + NET_LUID luid; + if (ConvertInterfaceIndexToLuid(index, &luid) == NO_ERROR) { + WCHAR buf[IF_MAX_STRING_SIZE + 1]; + if (ConvertInterfaceLuidToNameW(&luid, buf, sizeof(buf)/sizeof(buf[0])) == NO_ERROR) + return QString::fromWCharArray(buf); } - return QString::number(index); } -static QHash<QHostAddress, QHostAddress> ipv4Netmasks() -{ - //Retrieve all the IPV4 addresses & netmasks - IP_ADAPTER_INFO staticBuf[2]; // 2 is arbitrary - PIP_ADAPTER_INFO pAdapter = staticBuf; - ULONG bufSize = sizeof staticBuf; - QHash<QHostAddress, QHostAddress> ipv4netmasks; - - DWORD retval = GetAdaptersInfo(pAdapter, &bufSize); - if (retval == ERROR_BUFFER_OVERFLOW) { - // need more memory - pAdapter = (IP_ADAPTER_INFO *)malloc(bufSize); - if (!pAdapter) - return ipv4netmasks; - // try again - if (GetAdaptersInfo(pAdapter, &bufSize) != ERROR_SUCCESS) { - free(pAdapter); - return ipv4netmasks; - } - } else if (retval != ERROR_SUCCESS) { - // error - return ipv4netmasks; - } - - // iterate over the list and add the entries to our listing - for (PIP_ADAPTER_INFO ptr = pAdapter; ptr; ptr = ptr->Next) { - for (PIP_ADDR_STRING addr = &ptr->IpAddressList; addr; addr = addr->Next) { - QHostAddress address(QLatin1String(addr->IpAddress.String)); - QHostAddress mask(QLatin1String(addr->IpMask.String)); - ipv4netmasks[address] = mask; - } - } - if (pAdapter != staticBuf) - free(pAdapter); - - return ipv4netmasks; - -} - -static QList<QNetworkInterfacePrivate *> interfaceListingWinXP() +static QList<QNetworkInterfacePrivate *> interfaceListing() { QList<QNetworkInterfacePrivate *> interfaces; IP_ADAPTER_ADDRESSES staticBuf[2]; // 2 is arbitrary PIP_ADAPTER_ADDRESSES pAdapter = staticBuf; ULONG bufSize = sizeof staticBuf; - const QHash<QHostAddress, QHostAddress> &ipv4netmasks = ipv4Netmasks(); ULONG flags = GAA_FLAG_INCLUDE_PREFIX | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_MULTICAST; @@ -206,11 +132,17 @@ static QList<QNetworkInterfacePrivate *> interfaceListingWinXP() // iterate over the list and add the entries to our listing for (PIP_ADAPTER_ADDRESSES ptr = pAdapter; ptr; ptr = ptr->Next) { + // the structure grows over time, so let's make sure the fields + // introduced in Windows Vista are present (Luid is the furthest + // field we access from IP_ADAPTER_ADDRESSES_LH) + Q_ASSERT(ptr->Length >= offsetof(IP_ADAPTER_ADDRESSES, Luid)); + Q_ASSERT(ptr->Length >= offsetof(IP_ADAPTER_ADDRESSES, Ipv6IfIndex)); + QNetworkInterfacePrivate *iface = new QNetworkInterfacePrivate; interfaces << iface; iface->index = 0; - if (ptr->Length >= offsetof(IP_ADAPTER_ADDRESSES, Ipv6IfIndex) && ptr->Ipv6IfIndex != 0) + if (ptr->Ipv6IfIndex != 0) iface->index = ptr->Ipv6IfIndex; else if (ptr->IfIndex != 0) iface->index = ptr->IfIndex; @@ -223,13 +155,11 @@ static QList<QNetworkInterfacePrivate *> interfaceListingWinXP() if (ptr->IfType == IF_TYPE_PPP) iface->flags |= QNetworkInterface::IsPointToPoint; - if (ptrConvertInterfaceLuidToName && ptr->Length >= offsetof(IP_ADAPTER_ADDRESSES, Luid)) { - // use ConvertInterfaceLuidToName because that returns a friendlier name, though not - // as friendly as FriendlyName below - WCHAR buf[IF_MAX_STRING_SIZE + 1]; - if (ptrConvertInterfaceLuidToName(&ptr->Luid, buf, sizeof(buf)/sizeof(buf[0])) == NO_ERROR) - iface->name = QString::fromWCharArray(buf); - } + // use ConvertInterfaceLuidToNameW because that returns a friendlier name, though not + // as "friendly" as FriendlyName below + WCHAR buf[IF_MAX_STRING_SIZE + 1]; + if (ConvertInterfaceLuidToNameW(&ptr->Luid, buf, sizeof(buf)/sizeof(buf[0])) == NO_ERROR) + iface->name = QString::fromWCharArray(buf); if (iface->name.isEmpty()) iface->name = QString::fromLocal8Bit(ptr->AdapterName); @@ -241,28 +171,17 @@ static QList<QNetworkInterfacePrivate *> interfaceListingWinXP() // loopback if it has no address iface->flags |= QNetworkInterface::IsLoopBack; - // The GetAdaptersAddresses call has an interesting semantic: - // It can return a number N of addresses and a number M of prefixes. - // But if you have IPv6 addresses, generally N > M. - // I cannot find a way to relate the Address to the Prefix, aside from stopping - // the iteration at the last Prefix entry and assume that it applies to all addresses - // from that point on. - PIP_ADAPTER_PREFIX pprefix = 0; - if (ptr->Length >= offsetof(IP_ADAPTER_ADDRESSES, FirstPrefix)) - pprefix = ptr->FirstPrefix; + // parse the IP (unicast) addresses for (PIP_ADAPTER_UNICAST_ADDRESS addr = ptr->FirstUnicastAddress; addr; addr = addr->Next) { + Q_ASSERT(addr->Length >= offsetof(IP_ADAPTER_UNICAST_ADDRESS, OnLinkPrefixLength)); + + // skip addresses in invalid state + if (addr->DadState == IpDadStateInvalid) + continue; + QNetworkAddressEntry entry; entry.setIp(addressFromSockaddr(addr->Address.lpSockaddr)); - if (pprefix) { - if (entry.ip().protocol() == QAbstractSocket::IPv4Protocol) { - entry.setNetmask(ipv4netmasks[entry.ip()]); - - // broadcast address is set on postProcess() - } else { //IPV6 - entry.setPrefixLength(pprefix->PrefixLength); - } - pprefix = pprefix->Next ? pprefix->Next : pprefix; - } + entry.setPrefixLength(addr->OnLinkPrefixLength); iface->addressEntries << entry; } } @@ -275,14 +194,11 @@ static QList<QNetworkInterfacePrivate *> interfaceListingWinXP() QList<QNetworkInterfacePrivate *> QNetworkInterfaceManager::scan() { - resolveLibs(); - return interfaceListingWinXP(); + return interfaceListing(); } QString QHostInfo::localDomainName() { - resolveLibs(); - FIXED_INFO info, *pinfo; ULONG bufSize = sizeof info; pinfo = &info; diff --git a/src/network/kernel/qnetworkproxy.cpp b/src/network/kernel/qnetworkproxy.cpp index 0ed68042f6..6b53b4b58e 100644 --- a/src/network/kernel/qnetworkproxy.cpp +++ b/src/network/kernel/qnetworkproxy.cpp @@ -917,9 +917,6 @@ public: QUrl remote; int localPort; QNetworkProxyQuery::QueryType type; -#ifndef QT_NO_BEARERMANAGEMENT - QNetworkConfiguration config; -#endif }; template<> void QSharedDataPointer<QNetworkProxyQueryPrivate>::detach() @@ -1131,29 +1128,32 @@ QNetworkProxyQuery::QNetworkProxyQuery(quint16 bindPort, const QString &protocol d->type = queryType; } -#ifndef QT_NO_BEARERMANAGEMENT +#if !defined(QT_NO_BEARERMANAGEMENT) && QT_DEPRECATED_SINCE(5, 10) /*! + \deprecated + Constructs a QNetworkProxyQuery with the URL \a requestUrl and sets the query type to \a queryType. The specified \a networkConfiguration - is used to resolve the proxy settings. + parameter is ignored. \sa protocolTag(), peerHostName(), peerPort(), networkConfiguration() */ QNetworkProxyQuery::QNetworkProxyQuery(const QNetworkConfiguration &networkConfiguration, const QUrl &requestUrl, QueryType queryType) { - d->config = networkConfiguration; + Q_UNUSED(networkConfiguration) d->remote = requestUrl; d->type = queryType; } /*! + \deprecated + Constructs a QNetworkProxyQuery of type \a queryType and sets the protocol tag to be \a protocolTag. This constructor is suitable for QNetworkProxyQuery::TcpSocket queries, because it sets the peer hostname to \a hostname and the peer's port number to \a - port. The specified \a networkConfiguration - is used to resolve the proxy settings. + port. The specified \a networkConfiguration parameter is ignored. \sa networkConfiguration() */ @@ -1162,7 +1162,7 @@ QNetworkProxyQuery::QNetworkProxyQuery(const QNetworkConfiguration &networkConfi const QString &protocolTag, QueryType queryType) { - d->config = networkConfiguration; + Q_UNUSED(networkConfiguration); d->remote.setScheme(protocolTag); d->remote.setHost(hostname); d->remote.setPort(port); @@ -1170,11 +1170,13 @@ QNetworkProxyQuery::QNetworkProxyQuery(const QNetworkConfiguration &networkConfi } /*! + \deprecated + Constructs a QNetworkProxyQuery of type \a queryType and sets the protocol tag to be \a protocolTag. This constructor is suitable for QNetworkProxyQuery::TcpSocket queries because it sets the local port number to \a bindPort. The specified \a networkConfiguration - is used to resolve the proxy settings. + parameter is ignored. Note that \a bindPort is of type quint16 to indicate the exact port number that is requested. The value of -1 (unknown) is not @@ -1186,12 +1188,12 @@ QNetworkProxyQuery::QNetworkProxyQuery(const QNetworkConfiguration &networkConfi quint16 bindPort, const QString &protocolTag, QueryType queryType) { - d->config = networkConfiguration; + Q_UNUSED(networkConfiguration); d->remote.setScheme(protocolTag); d->localPort = bindPort; d->type = queryType; } -#endif +#endif // !defined(QT_NO_BEARERMANAGEMENT) && QT_DEPRECATED_SINCE(5, 10) /*! Constructs a QNetworkProxyQuery object that is a copy of \a other. @@ -1415,34 +1417,32 @@ void QNetworkProxyQuery::setUrl(const QUrl &url) d->remote = url; } -#ifndef QT_NO_BEARERMANAGEMENT +#if !defined(QT_NO_BEARERMANAGEMENT) && QT_DEPRECATED_SINCE(5, 10) /*! - Returns the network configuration component of the query. + \deprecated + + Returns QNetworkConfiguration(). \sa setNetworkConfiguration() */ QNetworkConfiguration QNetworkProxyQuery::networkConfiguration() const { - return d ? d->config : QNetworkConfiguration(); + return QNetworkConfiguration(); } /*! - Sets the network configuration component of this QNetworkProxyQuery - object to be \a networkConfiguration. The network configuration can - be used to return different proxy settings based on the network in - use, for example WLAN vs cellular networks on a mobile phone. + \deprecated - In the case of "user choice" or "service network" configurations, - you should first start the QNetworkSession and obtain the active - configuration from its properties. + This function does nothing. The specified \a networkConfiguration parameter + is ignored. \sa networkConfiguration() */ void QNetworkProxyQuery::setNetworkConfiguration(const QNetworkConfiguration &networkConfiguration) { - d->config = networkConfiguration; + Q_UNUSED(networkConfiguration); } -#endif +#endif // !defined(QT_NO_BEARERMANAGEMENT) && QT_DEPRECATED_SINCE(5, 10) /*! \class QNetworkProxyFactory diff --git a/src/network/kernel/qnetworkproxy.h b/src/network/kernel/qnetworkproxy.h index 8699c313e9..7e3e6906a8 100644 --- a/src/network/kernel/qnetworkproxy.h +++ b/src/network/kernel/qnetworkproxy.h @@ -75,12 +75,15 @@ public: QueryType queryType = TcpSocket); explicit QNetworkProxyQuery(quint16 bindPort, const QString &protocolTag = QString(), QueryType queryType = TcpServer); -#ifndef QT_NO_BEARERMANAGEMENT +#if !defined(QT_NO_BEARERMANAGEMENT) && QT_DEPRECATED_SINCE(5, 10) + Q_DECL_DEPRECATED_X("QNetworkConfiguration support in QNetworkProxy is deprecated") QNetworkProxyQuery(const QNetworkConfiguration &networkConfiguration, const QUrl &requestUrl, QueryType queryType = UrlRequest); + Q_DECL_DEPRECATED_X("QNetworkConfiguration support in QNetworkProxy is deprecated") QNetworkProxyQuery(const QNetworkConfiguration &networkConfiguration, const QString &hostname, int port, const QString &protocolTag = QString(), QueryType queryType = TcpSocket); + Q_DECL_DEPRECATED_X("QNetworkConfiguration support in QNetworkProxy is deprecated") QNetworkProxyQuery(const QNetworkConfiguration &networkConfiguration, quint16 bindPort, const QString &protocolTag = QString(), QueryType queryType = TcpServer); @@ -116,8 +119,10 @@ public: QUrl url() const; void setUrl(const QUrl &url); -#ifndef QT_NO_BEARERMANAGEMENT +#if !defined(QT_NO_BEARERMANAGEMENT) && QT_DEPRECATED_SINCE(5, 10) + Q_DECL_DEPRECATED_X("QNetworkConfiguration support in QNetworkProxy is deprecated") QNetworkConfiguration networkConfiguration() const; + Q_DECL_DEPRECATED_X("QNetworkConfiguration support in QNetworkProxy is deprecated") void setNetworkConfiguration(const QNetworkConfiguration &networkConfiguration); #endif diff --git a/src/network/socket/qabstractsocket.cpp b/src/network/socket/qabstractsocket.cpp index 0f13b1d1b8..7284b124c5 100644 --- a/src/network/socket/qabstractsocket.cpp +++ b/src/network/socket/qabstractsocket.cpp @@ -940,7 +940,9 @@ void QAbstractSocketPrivate::resolveProxy(const QString &hostname, quint16 port) // DefaultProxy here will raise an error proxyInUse = QNetworkProxy(); } +#endif // !QT_NO_NETWORKPROXY +#if !defined(QT_NO_NETWORKPROXY) || defined(Q_OS_WINRT) /*! \internal @@ -982,7 +984,7 @@ void QAbstractSocketPrivate::startConnectingByName(const QString &host) emit q->stateChanged(state); } -#endif +#endif // !QT_NO_NETWORKPROXY || Q_OS_WINRT /*! \internal @@ -1114,10 +1116,6 @@ void QAbstractSocketPrivate::_q_connectToNextAddress() // (localhost address on BSD or any UDP connect), emit // connected() and return. if ( -#if defined(Q_OS_WINRT) && _MSC_VER >= 1900 - !qEnvironmentVariableIsEmpty("QT_WINRT_USE_THREAD_NETWORK_CONTEXT") ? - socketEngine->connectToHostByName(hostName, port) : -#endif socketEngine->connectToHost(host, port)) { //_q_testConnection(); fetchConnectionParameters(); @@ -1704,6 +1702,7 @@ void QAbstractSocket::connectToHost(const QString &hostName, quint16 port, QIODevice::open(openMode); d->readChannelCount = d->writeChannelCount = 0; +#ifndef Q_OS_WINRT d->state = HostLookupState; emit stateChanged(d->state); @@ -1741,6 +1740,10 @@ void QAbstractSocket::connectToHost(const QString &hostName, quint16 port, (d->state == ConnectingState || d->state == HostLookupState) ? " (connection in progress)" : ""); #endif +#else // !Q_OS_WINRT + // On WinRT we should always connect by name. Lookup and proxy handling are done by the API. + d->startConnectingByName(hostName); +#endif } /*! \overload diff --git a/src/network/socket/qlocalserver.cpp b/src/network/socket/qlocalserver.cpp index 3fcec954e7..a9789b7d04 100644 --- a/src/network/socket/qlocalserver.cpp +++ b/src/network/socket/qlocalserver.cpp @@ -41,6 +41,10 @@ #include "qlocalserver_p.h" #include "qlocalsocket.h" +#if defined(Q_OS_WIN) && !defined(QT_LOCALSOCKET_TCP) +#include <QtCore/qt_windows.h> +#endif + QT_BEGIN_NAMESPACE /*! @@ -181,6 +185,42 @@ QLocalServer::SocketOptions QLocalServer::socketOptions() const } /*! + \since 5.10 + Returns the native socket descriptor the server uses to listen + for incoming instructions, or -1 if the server is not listening. + + The type of the descriptor depends on the platform: + \list + \li On Windows, the returned value is a + \l{https://msdn.microsoft.com/en-us/library/windows/desktop/ms740522(v=vs.85).aspx} + {Winsock 2 Socket Handle}. + + \li With WinRT and on INTEGRITY, the returned value is the + QTcpServer socket descriptor and the type is defined by + \l{QTcpServer::socketDescriptor}{socketDescriptor}. + + \li On all other UNIX-like operating systems, the type is + a file descriptor representing a listening socket. + \endlist + + \sa listen() +*/ +qintptr QLocalServer::socketDescriptor() const +{ + Q_D(const QLocalServer); + if (!isListening()) + return -1; +#if defined(QT_LOCALSOCKET_TCP) + return d->tcpServer.socketDescriptor(); +#elif defined(Q_OS_WIN) + const auto handle = d->connectionEventNotifier->handle(); + return handle != INVALID_HANDLE_VALUE ? qintptr(handle) : -1; +#else + return d->socketNotifier->socket(); +#endif +} + +/*! Stop listening for incoming connections. Existing connections are not affected, but any new connections will be refused. diff --git a/src/network/socket/qlocalserver.h b/src/network/socket/qlocalserver.h index 9bd2990389..454ac30c9b 100644 --- a/src/network/socket/qlocalserver.h +++ b/src/network/socket/qlocalserver.h @@ -92,6 +92,8 @@ public: void setSocketOptions(SocketOptions options); SocketOptions socketOptions() const; + qintptr socketDescriptor() const; + protected: virtual void incomingConnection(quintptr socketDescriptor); diff --git a/src/network/socket/qlocalsocket.cpp b/src/network/socket/qlocalsocket.cpp index 090a9e98c6..6fec2fdbd2 100644 --- a/src/network/socket/qlocalsocket.cpp +++ b/src/network/socket/qlocalsocket.cpp @@ -126,6 +126,20 @@ QT_BEGIN_NAMESPACE The socket descriptor is not available when QLocalSocket is in UnconnectedState. + The type of the descriptor depends on the platform: + + \list + \li On Windows, the returned value is a + \l{https://msdn.microsoft.com/en-us/library/windows/desktop/ms740522(v=vs.85).aspx} + {Winsock 2 Socket Handle}. + + \li With WinRT and on INTEGRITY, the returned value is the + QTcpSocket socket descriptor and the type is defined by + \l{QTcpSocket::socketDescriptor}{socketDescriptor}. + + \li On all other UNIX-like operating systems, the type is + a file descriptor representing a socket. + \endlist \sa setSocketDescriptor() */ diff --git a/src/network/socket/qlocalsocket_win.cpp b/src/network/socket/qlocalsocket_win.cpp index 312c934632..ae94cb9d51 100644 --- a/src/network/socket/qlocalsocket_win.cpp +++ b/src/network/socket/qlocalsocket_win.cpp @@ -183,10 +183,8 @@ void QLocalSocket::connectToServer(OpenMode openMode) } // we have a valid handle - if (setSocketDescriptor((qintptr)localSocket, ConnectedState, openMode)) { - d->handle = localSocket; + if (setSocketDescriptor((qintptr)localSocket, ConnectedState, openMode)) emit connected(); - } } // This is reading from the buffer diff --git a/src/network/socket/qnativesocketengine.cpp b/src/network/socket/qnativesocketengine.cpp index 3f7c0d94e1..03395a37f0 100644 --- a/src/network/socket/qnativesocketengine.cpp +++ b/src/network/socket/qnativesocketengine.cpp @@ -1162,6 +1162,7 @@ bool QNativeSocketEngine::waitForReadOrWrite(bool *readyToRead, bool *readyToWri return ret > 0; } +#if 0 // currently unused /*! Returns the size of the operating system's socket receive buffer. Depending on the operating system, this size may be @@ -1220,7 +1221,7 @@ void QNativeSocketEngine::setSendBufferSize(qint64 size) Q_CHECK_VALID_SOCKETLAYER(QNativeSocketEngine::setSendBufferSize(), Q_VOID); setOption(SendBufferSocketOption, size); } - +#endif /*! Sets the option \a option to the value \a value. diff --git a/src/network/socket/qnativesocketengine_p.h b/src/network/socket/qnativesocketengine_p.h index 08e72072ef..d488ce150c 100644 --- a/src/network/socket/qnativesocketengine_p.h +++ b/src/network/socket/qnativesocketengine_p.h @@ -166,11 +166,13 @@ public: qint64 writeDatagram(const char *data, qint64 len, const QIpPacketHeader &) Q_DECL_OVERRIDE; qint64 bytesToWrite() const Q_DECL_OVERRIDE; +#if 0 // currently unused qint64 receiveBufferSize() const; void setReceiveBufferSize(qint64 bufferSize); qint64 sendBufferSize() const; void setSendBufferSize(qint64 bufferSize); +#endif int option(SocketOption option) const Q_DECL_OVERRIDE; bool setOption(SocketOption option, int value) Q_DECL_OVERRIDE; diff --git a/src/network/socket/qnativesocketengine_unix.cpp b/src/network/socket/qnativesocketengine_unix.cpp index 3cf65b3553..cb0a521360 100644 --- a/src/network/socket/qnativesocketengine_unix.cpp +++ b/src/network/socket/qnativesocketengine_unix.cpp @@ -670,8 +670,7 @@ static bool multicastMembershipHelper(QNativeSocketEnginePrivate *d, Q_IPV6ADDR ip6 = groupAddress.toIPv6Address(); memcpy(&mreq6.ipv6mr_multiaddr, &ip6, sizeof(ip6)); mreq6.ipv6mr_interface = interface.index(); - } else - if (groupAddress.protocol() == QAbstractSocket::IPv4Protocol) { + } else if (groupAddress.protocol() == QAbstractSocket::IPv4Protocol) { level = IPPROTO_IP; sockOpt = how4; sockArg = &mreq4; @@ -830,18 +829,10 @@ qint64 QNativeSocketEnginePrivate::nativeBytesAvailable() const bool QNativeSocketEnginePrivate::nativeHasPendingDatagrams() const { - // Create a sockaddr struct and reset its port number. - qt_sockaddr storage; - QT_SOCKLEN_T storageSize = sizeof(storage); - memset(&storage, 0, storageSize); - - // Peek 0 bytes into the next message. The size of the message may - // well be 0, so we can't check recvfrom's return value. + // Peek 1 bytes into the next message. ssize_t readBytes; - do { - char c; - readBytes = ::recvfrom(socketDescriptor, &c, 1, MSG_PEEK, &storage.a, &storageSize); - } while (readBytes == -1 && errno == EINTR); + char c; + EINTR_LOOP(readBytes, ::recv(socketDescriptor, &c, 1, MSG_PEEK)); // If there's no error, or if our buffer was too small, there must be a // pending datagram. @@ -856,24 +847,57 @@ bool QNativeSocketEnginePrivate::nativeHasPendingDatagrams() const qint64 QNativeSocketEnginePrivate::nativePendingDatagramSize() const { - QVarLengthArray<char, 8192> udpMessagePeekBuffer(8192); ssize_t recvResult = -1; +#ifdef Q_OS_LINUX + // Linux can return the actual datagram size if we use MSG_TRUNC + char c; + EINTR_LOOP(recvResult, ::recv(socketDescriptor, &c, 1, MSG_PEEK | MSG_TRUNC)); +#elif defined(SO_NREAD) + // macOS can return the actual datagram size if we use SO_NREAD + int value; + socklen_t valuelen = sizeof(value); + recvResult = getsockopt(socketDescriptor, SOL_SOCKET, SO_NREAD, &value, &valuelen); + if (recvResult != -1) + recvResult = value; +#else + // We need to grow the buffer to fit the entire datagram. + // We start at 1500 bytes (the MTU for Ethernet V2), which should catch + // almost all uses (effective MTU for UDP under IPv4 is 1468), except + // for localhost datagrams and those reassembled by the IP layer. + char udpMessagePeekBuffer[1500]; + struct msghdr msg; + struct iovec vec; + + memset(&msg, 0, sizeof(msg)); + msg.msg_iov = &vec; + msg.msg_iovlen = 1; + vec.iov_base = udpMessagePeekBuffer; + vec.iov_len = sizeof(udpMessagePeekBuffer); for (;;) { // the data written to udpMessagePeekBuffer is discarded, so // this function is still reentrant although it might not look // so. - recvResult = ::recv(socketDescriptor, udpMessagePeekBuffer.data(), - udpMessagePeekBuffer.size(), MSG_PEEK); + recvResult = ::recvmsg(socketDescriptor, &msg, MSG_PEEK); if (recvResult == -1 && errno == EINTR) continue; - if (recvResult != (ssize_t) udpMessagePeekBuffer.size()) + // was the result truncated? + if ((msg.msg_flags & MSG_TRUNC) == 0) break; - udpMessagePeekBuffer.resize(udpMessagePeekBuffer.size() * 2); + // grow by 16 times + msg.msg_iovlen *= 16; + if (msg.msg_iov != &vec) + delete[] msg.msg_iov; + msg.msg_iov = new struct iovec[msg.msg_iovlen]; + std::fill_n(msg.msg_iov, msg.msg_iovlen, vec); } + if (msg.msg_iov != &vec) + delete[] msg.msg_iov; +#endif + #if defined (QNATIVESOCKETENGINE_DEBUG) qDebug("QNativeSocketEnginePrivate::nativePendingDatagramSize() == %zd", recvResult); #endif diff --git a/src/network/socket/qnativesocketengine_win.cpp b/src/network/socket/qnativesocketengine_win.cpp index 3ecfb06411..bd368ac42f 100644 --- a/src/network/socket/qnativesocketengine_win.cpp +++ b/src/network/socket/qnativesocketengine_win.cpp @@ -944,9 +944,7 @@ static bool multicastMembershipHelper(QNativeSocketEnginePrivate *d, Q_IPV6ADDR ip6 = groupAddress.toIPv6Address(); memcpy(&mreq6.ipv6mr_multiaddr, &ip6, sizeof(ip6)); mreq6.ipv6mr_interface = iface.index(); - } else - - if (groupAddress.protocol() == QAbstractSocket::IPv4Protocol) { + } else if (groupAddress.protocol() == QAbstractSocket::IPv4Protocol) { level = IPPROTO_IP; sockOpt = how4; sockArg = reinterpret_cast<char *>(&mreq4); @@ -1148,10 +1146,10 @@ qint64 QNativeSocketEnginePrivate::nativePendingDatagramSize() const DWORD bufferCount = 5; WSABUF * buf = 0; for (;;) { - // the data written to udpMessagePeekBuffer is discarded, so - // this function is still reentrant although it might not look - // so. - static char udpMessagePeekBuffer[8192]; + // We start at 1500 bytes (the MTU for Ethernet V2), which should catch + // almost all uses (effective MTU for UDP under IPv4 is 1468), except + // for localhost datagrams and those reassembled by the IP layer. + char udpMessagePeekBuffer[1500]; buf = new WSABUF[bufferCount]; for (DWORD i=0; i<bufferCount; i++) { diff --git a/src/network/socket/qnet_unix_p.h b/src/network/socket/qnet_unix_p.h index 73d7ec2e77..5359872f96 100644 --- a/src/network/socket/qnet_unix_p.h +++ b/src/network/socket/qnet_unix_p.h @@ -174,16 +174,6 @@ static inline int qt_safe_ioctl(int sockfd, unsigned long request, T arg) #endif } -// VxWorks' headers do not specify any const modifiers -static inline in_addr_t qt_safe_inet_addr(const char *cp) -{ -#ifdef Q_OS_VXWORKS - return ::inet_addr((char *) cp); -#else - return ::inet_addr(cp); -#endif -} - static inline int qt_safe_sendmsg(int sockfd, const struct msghdr *msg, int flags) { #ifdef MSG_NOSIGNAL diff --git a/src/network/socket/qtcpserver_p.h b/src/network/socket/qtcpserver_p.h index 71dc4d985f..b7fae4c105 100644 --- a/src/network/socket/qtcpserver_p.h +++ b/src/network/socket/qtcpserver_p.h @@ -63,7 +63,8 @@ QT_BEGIN_NAMESPACE -class QTcpServerPrivate : public QObjectPrivate, public QAbstractSocketEngineReceiver +class Q_NETWORK_EXPORT QTcpServerPrivate : public QObjectPrivate, + public QAbstractSocketEngineReceiver { Q_DECLARE_PUBLIC(QTcpServer) public: diff --git a/src/network/ssl/qsslcertificate_openssl.cpp b/src/network/ssl/qsslcertificate_openssl.cpp index 28b7eda54a..71e514a025 100644 --- a/src/network/ssl/qsslcertificate_openssl.cpp +++ b/src/network/ssl/qsslcertificate_openssl.cpp @@ -1,6 +1,7 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -64,12 +65,14 @@ bool QSslCertificate::operator==(const QSslCertificate &other) const uint qHash(const QSslCertificate &key, uint seed) Q_DECL_NOTHROW { if (X509 * const x509 = key.d->x509) { - (void)q_X509_cmp(x509, x509); // populate x509->sha1_hash - // (if someone knows a better way...) - return qHashBits(x509->sha1_hash, SHA_DIGEST_LENGTH, seed); - } else { - return seed; + const EVP_MD *sha1 = q_EVP_sha1(); + unsigned int len = 0; + unsigned char md[EVP_MAX_MD_SIZE]; + q_X509_digest(x509, sha1, md, &len); + return qHashBits(md, len, seed); } + + return seed; } bool QSslCertificate::isNull() const @@ -89,8 +92,7 @@ QByteArray QSslCertificate::version() const { QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); if (d->versionString.isEmpty() && d->x509) - d->versionString = - QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); + d->versionString = QByteArray::number(qlonglong(q_X509_get_version(d->x509)) + 1); return d->versionString; } @@ -99,7 +101,7 @@ QByteArray QSslCertificate::serialNumber() const { QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); if (d->serialNumberString.isEmpty() && d->x509) { - ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber; + ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509); QByteArray hexString; hexString.reserve(serialNumber->length * 3); for (int a = 0; a < serialNumber->length; ++a) { @@ -199,14 +201,15 @@ QMultiMap<QSsl::AlternativeNameEntryType, QString> QSslCertificate::subjectAlter continue; } - const char *altNameStr = reinterpret_cast<const char *>(q_ASN1_STRING_data(genName->d.ia5)); + const char *altNameStr = reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(genName->d.ia5)); const QString altName = QString::fromLatin1(altNameStr, len); if (genName->type == GEN_DNS) result.insert(QSsl::DnsEntry, altName); else if (genName->type == GEN_EMAIL) result.insert(QSsl::EmailEntry, altName); } - q_sk_pop_free((STACK*)altNames, reinterpret_cast<void(*)(void*)>(q_sk_free)); + + q_OPENSSL_sk_pop_free((OPENSSL_STACK*)altNames, reinterpret_cast<void(*)(void*)>(q_OPENSSL_sk_free)); } return result; @@ -235,25 +238,26 @@ QSslKey QSslCertificate::publicKey() const QSslKey key; key.d->type = QSsl::PublicKey; - X509_PUBKEY *xkey = d->x509->cert_info->key; - EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey); + + EVP_PKEY *pkey = q_X509_get_pubkey(d->x509); Q_ASSERT(pkey); + const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); - if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) { + if (keyType == EVP_PKEY_RSA) { key.d->rsa = q_EVP_PKEY_get1_RSA(pkey); key.d->algorithm = QSsl::Rsa; key.d->isNull = false; - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { + } else if (keyType == EVP_PKEY_DSA) { key.d->dsa = q_EVP_PKEY_get1_DSA(pkey); key.d->algorithm = QSsl::Dsa; key.d->isNull = false; #ifndef OPENSSL_NO_EC - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_EC) { + } else if (keyType == EVP_PKEY_EC) { key.d->ec = q_EVP_PKEY_get1_EC_KEY(pkey); key.d->algorithm = QSsl::Ec; key.d->isNull = false; #endif - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) { + } else if (keyType == EVP_PKEY_DH) { // DH unsupported } else { // error? @@ -275,7 +279,7 @@ static QVariant x509UnknownExtensionToValue(X509_EXTENSION *ext) X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext)); if (!meth) { ASN1_OCTET_STRING *value = q_X509_EXTENSION_get_data(ext); - QByteArray result( reinterpret_cast<const char *>(q_ASN1_STRING_data(value)), + QByteArray result( reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(value)), q_ASN1_STRING_length(value)); return result; } @@ -371,7 +375,7 @@ static QVariant x509ExtensionToValue(X509_EXTENSION *ext) continue; } - const char *uriStr = reinterpret_cast<const char *>(q_ASN1_STRING_data(name->d.uniformResourceIdentifier)); + const char *uriStr = reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(name->d.uniformResourceIdentifier)); const QString uri = QString::fromUtf8(uriStr, len); result[QString::fromUtf8(QSslCertificatePrivate::asn1ObjectName(ad->method))] = uri; @@ -380,11 +384,7 @@ static QVariant x509ExtensionToValue(X509_EXTENSION *ext) } } -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - q_sk_pop_free((_STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); -#else - q_sk_pop_free((STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); -#endif + q_OPENSSL_sk_pop_free((OPENSSL_STACK*)info, reinterpret_cast<void(*)(void *)>(q_OPENSSL_sk_free)); return result; } break; @@ -607,7 +607,11 @@ static QMap<QByteArray, QString> _q_mapFromX509Name(X509_NAME *name) unsigned char *data = 0; int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e)); info.insertMulti(name, QString::fromUtf8((char*)data, size)); +#if QT_CONFIG(opensslv11) + q_CRYPTO_free(data, 0, 0); +#else q_CRYPTO_free(data); +#endif } return info; @@ -619,8 +623,9 @@ QSslCertificate QSslCertificatePrivate::QSslCertificate_from_X509(X509 *x509) if (!x509 || !QSslSocket::supportsSsl()) return certificate; - ASN1_TIME *nbef = q_X509_get_notBefore(x509); - ASN1_TIME *naft = q_X509_get_notAfter(x509); + ASN1_TIME *nbef = q_X509_getm_notBefore(x509); + ASN1_TIME *naft = q_X509_getm_notAfter(x509); + certificate.d->notValidBefore = q_getTimeFromASN1(nbef); certificate.d->notValidAfter = q_getTimeFromASN1(naft); certificate.d->null = false; diff --git a/src/network/ssl/qsslcertificate_qt.cpp b/src/network/ssl/qsslcertificate_qt.cpp index 5e8f4cfac7..1cc2b1f964 100644 --- a/src/network/ssl/qsslcertificate_qt.cpp +++ b/src/network/ssl/qsslcertificate_qt.cpp @@ -272,17 +272,12 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr static QByteArray colonSeparatedHex(const QByteArray &value) { - QByteArray hexString; - hexString.reserve(value.size() * 3); - for (int a = 0; a < value.size(); ++a) { - const quint8 b = value.at(a); - if (b || !hexString.isEmpty()) { // skip leading zeros - hexString += QByteArray::number(b, 16).rightJustified(2, '0'); - hexString += ':'; - } - } - hexString.chop(1); - return hexString; + const int size = value.size(); + int i = 0; + while (i < size && !value.at(i)) // skip leading zeros + ++i; + + return value.mid(i).toHex(':'); } bool QSslCertificatePrivate::parse(const QByteArray &data) diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp index c92d8fc3f8..cef503710c 100644 --- a/src/network/ssl/qsslcontext_openssl.cpp +++ b/src/network/ssl/qsslcontext_openssl.cpp @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ** Copyright (C) 2014 Governikus GmbH & Co. KG. ** Contact: https://www.qt.io/licensing/ @@ -41,22 +41,14 @@ #include <QtNetwork/qsslsocket.h> -#include <QtNetwork/qssldiffiehellmanparameters.h> -#include <QtCore/qmutex.h> #include "private/qssl_p.h" #include "private/qsslcontext_openssl_p.h" -#include "private/qsslsocket_p.h" #include "private/qsslsocket_openssl_p.h" #include "private/qsslsocket_openssl_symbols_p.h" -#include "private/qssldiffiehellmanparameters_p.h" QT_BEGIN_NAMESPACE -// defined in qsslsocket_openssl.cpp: -extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); -extern QString getErrorsFromOpenSsl(); - QSslContext::QSslContext() : ctx(0), pkey(0), @@ -78,301 +70,6 @@ QSslContext::~QSslContext() q_SSL_SESSION_free(session); } -static inline QString msgErrorSettingEllipticCurves(const QString &why) -{ - return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); -} - -// static -void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) -{ - sslContext->sslConfiguration = configuration; - sslContext->errorCode = QSslError::NoError; - - bool client = (mode == QSslSocket::SslClientMode); - - bool reinitialized = false; - bool unsupportedProtocol = false; -init_context: - switch (sslContext->sslConfiguration.protocol()) { - case QSsl::SslV2: -#ifndef OPENSSL_NO_SSL2 - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method()); -#else - // SSL 2 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::SslV3: -#ifndef OPENSSL_NO_SSL3_METHOD - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method()); -#else - // SSL 3 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::SecureProtocols: - // SSLv2 and SSLv3 will be disabled by SSL options - // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32. - case QSsl::TlsV1SslV3: - // SSLv2 will will be disabled by SSL options - case QSsl::AnyProtocol: - default: - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); - break; - case QSsl::TlsV1_0: - sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method()); - break; - case QSsl::TlsV1_1: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method()); -#else - // TLS 1.1 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::TlsV1_2: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method()); -#else - // TLS 1.2 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::TlsV1_0OrLater: - // Specific protocols will be specified via SSL options. - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); - break; - case QSsl::TlsV1_1OrLater: - case QSsl::TlsV1_2OrLater: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - // Specific protocols will be specified via SSL options. - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); -#else - // TLS 1.1/1.2 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - } - - if (!sslContext->ctx) { - // After stopping Flash 10 the SSL library looses its ciphers. Try re-adding them - // by re-initializing the library. - if (!reinitialized) { - reinitialized = true; - if (q_SSL_library_init() == 1) - goto init_context; - } - - sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( - unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() - ); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - // Enable bug workarounds. - long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); - q_SSL_CTX_set_options(sslContext->ctx, options); - -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - // Tell OpenSSL to release memory early - // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html - if (q_SSLeay() >= 0x10000000L) - q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); -#endif - - // Initialize ciphers - QByteArray cipherString; - bool first = true; - QList<QSslCipher> ciphers = sslContext->sslConfiguration.ciphers(); - if (ciphers.isEmpty()) - ciphers = QSslSocketPrivate::defaultCiphers(); - for (const QSslCipher &cipher : qAsConst(ciphers)) { - if (first) - first = false; - else - cipherString.append(':'); - cipherString.append(cipher.name().toLatin1()); - } - - if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { - sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - const QDateTime now = QDateTime::currentDateTimeUtc(); - - // Add all our CAs to this store. - const auto caCertificates = sslContext->sslConfiguration.caCertificates(); - for (const QSslCertificate &caCertificate : caCertificates) { - // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: - // - // If several CA certificates matching the name, key identifier, and - // serial number condition are available, only the first one will be - // examined. This may lead to unexpected results if the same CA - // certificate is available with different expiration dates. If a - // ``certificate expired'' verification error occurs, no other - // certificate will be searched. Make sure to not have expired - // certificates mixed with valid ones. - // - // See also: QSslSocketBackendPrivate::verify() - if (caCertificate.expiryDate() >= now) { - q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); - } - } - - if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { - // tell OpenSSL the directories where to look up the root certs on demand - const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); - for (const QByteArray &unixDir : unixDirs) - q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDir.constData()); - } - - if (!sslContext->sslConfiguration.localCertificate().isNull()) { - // Require a private key as well. - if (sslContext->sslConfiguration.privateKey().isNull()) { - sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - // Load certificate - if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { - sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { - sslContext->pkey = reinterpret_cast<EVP_PKEY *>(configuration.d->privateKey.handle()); - } else { - // Load private key - sslContext->pkey = q_EVP_PKEY_new(); - // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. - // this lead to a memory leak. Now we use the *_set1_* functions which do not - // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. - if (configuration.d->privateKey.algorithm() == QSsl::Rsa) - q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast<RSA *>(configuration.d->privateKey.handle())); - else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) - q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast<DSA *>(configuration.d->privateKey.handle())); -#ifndef OPENSSL_NO_EC - else if (configuration.d->privateKey.algorithm() == QSsl::Ec) - q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast<EC_KEY *>(configuration.d->privateKey.handle())); -#endif - } - - if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { - sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - if (configuration.d->privateKey.algorithm() == QSsl::Opaque) - sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey - - // Check if the certificate matches the private key. - if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { - sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - // If we have any intermediate certificates then we need to add them to our chain - bool first = true; - for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { - if (first) { - first = false; - continue; - } - q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, - q_X509_dup(reinterpret_cast<X509 *>(cert.handle()))); - } - } - - // Initialize peer verification. - if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { - q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0); - } else { - q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); - } - - // Set verification depth. - if (sslContext->sslConfiguration.peerVerifyDepth() != 0) - q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); - - // set persisted session if the user set it - if (!configuration.sessionTicket().isEmpty()) - sslContext->setSessionASN1(configuration.sessionTicket()); - - // Set temp DH params - QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); - - if (!dhparams.isValid()) { - sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - if (!dhparams.isEmpty()) { - const QByteArray ¶ms = dhparams.d->derData; - const char *ptr = params.constData(); - DH *dh = q_d2i_DHparams(NULL, reinterpret_cast<const unsigned char **>(&ptr), params.length()); - if (dh == NULL) - qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); - q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); - q_DH_free(dh); - } - -#ifndef OPENSSL_NO_EC -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L) { - q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); - } else -#endif - { - // Set temp ECDH params - EC_KEY *ecdh = 0; - ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); - q_EC_KEY_free(ecdh); - } -#endif // OPENSSL_NO_EC - -#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) - if (!client) - q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); -#endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) - - const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves(); - if (!qcurves.isEmpty()) { -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) - // Set the curves to be used - if (q_SSLeay() >= 0x10002000L) { - // SSL_CTX_ctrl wants a non-const pointer as last argument, - // but let's avoid a copy into a temporary array - if (!q_SSL_CTX_ctrl(sslContext->ctx, - SSL_CTRL_SET_CURVES, - qcurves.size(), - const_cast<int *>(reinterpret_cast<const int *>(qcurves.data())))) { - sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - } - } else -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) - { - // specific curves requested, but not possible to set -> error - sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2")); - sslContext->errorCode = QSslError::UnspecifiedError; - } - } -} - QSslContext* QSslContext::fromConfiguration(QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) { QSslContext *sslContext = new QSslContext(); @@ -463,7 +160,7 @@ SSL* QSslContext::createSsl() m_npnContext.len = m_supportedNPNVersions.count(); m_npnContext.status = QSslConfiguration::NextProtocolNegotiationNone; #if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L) { + if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) { // Callback's type has a parameter 'const unsigned char ** out' // since it was introduced in 1.0.2. Internally, OpenSSL's own code // (tests/examples) cast it to unsigned char * (since it's 'out'). @@ -508,7 +205,7 @@ bool QSslContext::cacheSession(SSL* ssl) unsigned char *data = reinterpret_cast<unsigned char *>(m_sessionASN1.data()); if (!q_i2d_SSL_SESSION(session, &data)) qCWarning(lcSsl, "could not store persistent version of SSL session"); - m_sessionTicketLifeTimeHint = session->tlsext_tick_lifetime_hint; + m_sessionTicketLifeTimeHint = q_SSL_SESSION_get_ticket_lifetime_hint(session); } } diff --git a/src/network/ssl/qsslcontext_openssl11.cpp b/src/network/ssl/qsslcontext_openssl11.cpp new file mode 100644 index 0000000000..787b6ae3f5 --- /dev/null +++ b/src/network/ssl/qsslcontext_openssl11.cpp @@ -0,0 +1,277 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Copyright (C) 2014 Governikus GmbH & Co. KG. +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +#include <QtNetwork/qsslsocket.h> +#include <QtNetwork/qssldiffiehellmanparameters.h> + +#include "private/qssl_p.h" +#include "private/qsslcontext_openssl_p.h" +#include "private/qsslsocket_p.h" +#include "private/qsslsocket_openssl_p.h" +#include "private/qsslsocket_openssl_symbols_p.h" +#include "private/qssldiffiehellmanparameters_p.h" + +#include <vector> + +QT_BEGIN_NAMESPACE + +// defined in qsslsocket_openssl.cpp: +extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); +extern QString getErrorsFromOpenSsl(); + +static inline QString msgErrorSettingEllipticCurves(const QString &why) +{ + return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); +} + +// static +void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) +{ + sslContext->sslConfiguration = configuration; + sslContext->errorCode = QSslError::NoError; + + bool client = (mode == QSslSocket::SslClientMode); + + bool reinitialized = false; + bool unsupportedProtocol = false; +init_context: + if (sslContext->sslConfiguration.protocol() == QSsl::SslV2) { + // SSL 2 is no longer supported, but chosen deliberately -> error + sslContext->ctx = nullptr; + unsupportedProtocol = true; + } else { + // The ssl options will actually control the supported methods + sslContext->ctx = q_SSL_CTX_new(client ? q_TLS_client_method() : q_TLS_server_method()); + } + + if (!sslContext->ctx) { + // After stopping Flash 10 the SSL library loses its ciphers. Try re-adding them + // by re-initializing the library. + if (!reinitialized) { + reinitialized = true; + if (q_OPENSSL_init_ssl(0, nullptr) == 1) + goto init_context; + } + + sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( + unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() + ); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // Enable bug workarounds. + long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); + q_SSL_CTX_set_options(sslContext->ctx, options); + + // Tell OpenSSL to release memory early + // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html + q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); + + // Initialize ciphers + QByteArray cipherString; + bool first = true; + QList<QSslCipher> ciphers = sslContext->sslConfiguration.ciphers(); + if (ciphers.isEmpty()) + ciphers = QSslSocketPrivate::defaultCiphers(); + for (const QSslCipher &cipher : qAsConst(ciphers)) { + if (first) + first = false; + else + cipherString.append(':'); + cipherString.append(cipher.name().toLatin1()); + } + + if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { + sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + const QDateTime now = QDateTime::currentDateTimeUtc(); + + // Add all our CAs to this store. + const auto caCertificates = sslContext->sslConfiguration.caCertificates(); + for (const QSslCertificate &caCertificate : caCertificates) { + // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: + // + // If several CA certificates matching the name, key identifier, and + // serial number condition are available, only the first one will be + // examined. This may lead to unexpected results if the same CA + // certificate is available with different expiration dates. If a + // ``certificate expired'' verification error occurs, no other + // certificate will be searched. Make sure to not have expired + // certificates mixed with valid ones. + // + // See also: QSslSocketBackendPrivate::verify() + if (caCertificate.expiryDate() >= now) { + q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); + } + } + + if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { + // tell OpenSSL the directories where to look up the root certs on demand + const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); + for (const QByteArray &unixDir : unixDirs) + q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData()); + } + + if (!sslContext->sslConfiguration.localCertificate().isNull()) { + // Require a private key as well. + if (sslContext->sslConfiguration.privateKey().isNull()) { + sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // Load certificate + if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { + sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { + sslContext->pkey = reinterpret_cast<EVP_PKEY *>(configuration.d->privateKey.handle()); + } else { + // Load private key + sslContext->pkey = q_EVP_PKEY_new(); + // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. + // this lead to a memory leak. Now we use the *_set1_* functions which do not + // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. + if (configuration.d->privateKey.algorithm() == QSsl::Rsa) + q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast<RSA *>(configuration.d->privateKey.handle())); + else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) + q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast<DSA *>(configuration.d->privateKey.handle())); +#ifndef OPENSSL_NO_EC + else if (configuration.d->privateKey.algorithm() == QSsl::Ec) + q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast<EC_KEY *>(configuration.d->privateKey.handle())); +#endif + } + + if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { + sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + if (configuration.d->privateKey.algorithm() == QSsl::Opaque) + sslContext->pkey = nullptr; // Don't free the private key, it belongs to QSslKey + + // Check if the certificate matches the private key. + if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { + sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // If we have any intermediate certificates then we need to add them to our chain + bool first = true; + for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { + if (first) { + first = false; + continue; + } + q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, + q_X509_dup(reinterpret_cast<X509 *>(cert.handle()))); + } + } + + // Initialize peer verification. + if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { + q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, nullptr); + } else { + q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); + } + + // Set verification depth. + if (sslContext->sslConfiguration.peerVerifyDepth() != 0) + q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); + + // set persisted session if the user set it + if (!configuration.sessionTicket().isEmpty()) + sslContext->setSessionASN1(configuration.sessionTicket()); + + // Set temp DH params + QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); + + if (!dhparams.isValid()) { + sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + if (!dhparams.isEmpty()) { + const QByteArray ¶ms = dhparams.d->derData; + const char *ptr = params.constData(); + DH *dh = q_d2i_DHparams(NULL, reinterpret_cast<const unsigned char **>(&ptr), params.length()); + if (dh == NULL) + qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); + q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); + q_DH_free(dh); + } + +#ifndef OPENSSL_NO_PSK + if (!client) + q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); +#endif // !OPENSSL_NO_PSK + + const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves(); + if (!qcurves.isEmpty()) { +#ifdef OPENSSL_NO_EC + sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version with disabled elliptic curves")); + sslContext->errorCode = QSslError::UnspecifiedError; +#else + // Set the curves to be used. + std::vector<int> curves; + curves.reserve(qcurves.size()); + for (const auto &sslCurve : qcurves) + curves.push_back(sslCurve.id); + if (!q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_CURVES, long(curves.size()), &curves[0])) { + sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + } +#endif + } +} + +QT_END_NAMESPACE diff --git a/src/network/ssl/qsslcontext_opensslpre11.cpp b/src/network/ssl/qsslcontext_opensslpre11.cpp new file mode 100644 index 0000000000..9c01c2f2dc --- /dev/null +++ b/src/network/ssl/qsslcontext_opensslpre11.cpp @@ -0,0 +1,354 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Copyright (C) 2014 Governikus GmbH & Co. KG. +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +#include <QtNetwork/qsslsocket.h> +#include <QtNetwork/qssldiffiehellmanparameters.h> + +#include "private/qssl_p.h" +#include "private/qsslcontext_openssl_p.h" +#include "private/qsslsocket_p.h" +#include "private/qsslsocket_openssl_p.h" +#include "private/qsslsocket_openssl_symbols_p.h" +#include "private/qssldiffiehellmanparameters_p.h" + +QT_BEGIN_NAMESPACE + +// defined in qsslsocket_openssl.cpp: +extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); +extern QString getErrorsFromOpenSsl(); + +static inline QString msgErrorSettingEllipticCurves(const QString &why) +{ + return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); +} + +// static +void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) +{ + sslContext->sslConfiguration = configuration; + sslContext->errorCode = QSslError::NoError; + + bool client = (mode == QSslSocket::SslClientMode); + + bool reinitialized = false; + bool unsupportedProtocol = false; +init_context: + switch (sslContext->sslConfiguration.protocol()) { + case QSsl::SslV2: +#ifndef OPENSSL_NO_SSL2 + sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method()); +#else + // SSL 2 not supported by the system, but chosen deliberately -> error + sslContext->ctx = 0; + unsupportedProtocol = true; +#endif + break; + case QSsl::SslV3: +#ifndef OPENSSL_NO_SSL3_METHOD + sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method()); +#else + // SSL 3 not supported by the system, but chosen deliberately -> error + sslContext->ctx = 0; + unsupportedProtocol = true; +#endif + break; + case QSsl::SecureProtocols: + // SSLv2 and SSLv3 will be disabled by SSL options + // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32. + case QSsl::TlsV1SslV3: + // SSLv2 will will be disabled by SSL options + case QSsl::AnyProtocol: + default: + sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); + break; + case QSsl::TlsV1_0: + sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method()); + break; + case QSsl::TlsV1_1: +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method()); +#else + // TLS 1.1 not supported by the system, but chosen deliberately -> error + sslContext->ctx = 0; + unsupportedProtocol = true; +#endif + break; + case QSsl::TlsV1_2: +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method()); +#else + // TLS 1.2 not supported by the system, but chosen deliberately -> error + sslContext->ctx = 0; + unsupportedProtocol = true; +#endif + break; + case QSsl::TlsV1_0OrLater: + // Specific protocols will be specified via SSL options. + sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); + break; + case QSsl::TlsV1_1OrLater: + case QSsl::TlsV1_2OrLater: +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + // Specific protocols will be specified via SSL options. + sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); +#else + // TLS 1.1/1.2 not supported by the system, but chosen deliberately -> error + sslContext->ctx = 0; + unsupportedProtocol = true; +#endif + break; + } + + if (!sslContext->ctx) { + // After stopping Flash 10 the SSL library loses its ciphers. Try re-adding them + // by re-initializing the library. + if (!reinitialized) { + reinitialized = true; + if (q_SSL_library_init() == 1) + goto init_context; + } + + sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( + unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() + ); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // Enable bug workarounds. + long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); + q_SSL_CTX_set_options(sslContext->ctx, options); + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + // Tell OpenSSL to release memory early + // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html + if (q_SSLeay() >= 0x10000000L) + q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + + // Initialize ciphers + QByteArray cipherString; + bool first = true; + QList<QSslCipher> ciphers = sslContext->sslConfiguration.ciphers(); + if (ciphers.isEmpty()) + ciphers = QSslSocketPrivate::defaultCiphers(); + for (const QSslCipher &cipher : qAsConst(ciphers)) { + if (first) + first = false; + else + cipherString.append(':'); + cipherString.append(cipher.name().toLatin1()); + } + + if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { + sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + const QDateTime now = QDateTime::currentDateTimeUtc(); + + // Add all our CAs to this store. + const auto caCertificates = sslContext->sslConfiguration.caCertificates(); + for (const QSslCertificate &caCertificate : caCertificates) { + // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: + // + // If several CA certificates matching the name, key identifier, and + // serial number condition are available, only the first one will be + // examined. This may lead to unexpected results if the same CA + // certificate is available with different expiration dates. If a + // ``certificate expired'' verification error occurs, no other + // certificate will be searched. Make sure to not have expired + // certificates mixed with valid ones. + // + // See also: QSslSocketBackendPrivate::verify() + if (caCertificate.expiryDate() >= now) { + q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); + } + } + + if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { + // tell OpenSSL the directories where to look up the root certs on demand + const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); + for (const QByteArray &unixDir : unixDirs) + q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDir.constData()); + } + + if (!sslContext->sslConfiguration.localCertificate().isNull()) { + // Require a private key as well. + if (sslContext->sslConfiguration.privateKey().isNull()) { + sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // Load certificate + if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { + sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { + sslContext->pkey = reinterpret_cast<EVP_PKEY *>(configuration.d->privateKey.handle()); + } else { + // Load private key + sslContext->pkey = q_EVP_PKEY_new(); + // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. + // this lead to a memory leak. Now we use the *_set1_* functions which do not + // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. + if (configuration.d->privateKey.algorithm() == QSsl::Rsa) + q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast<RSA *>(configuration.d->privateKey.handle())); + else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) + q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast<DSA *>(configuration.d->privateKey.handle())); +#ifndef OPENSSL_NO_EC + else if (configuration.d->privateKey.algorithm() == QSsl::Ec) + q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast<EC_KEY *>(configuration.d->privateKey.handle())); +#endif + } + + if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { + sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + if (configuration.d->privateKey.algorithm() == QSsl::Opaque) + sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey + + // Check if the certificate matches the private key. + if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { + sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // If we have any intermediate certificates then we need to add them to our chain + bool first = true; + for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { + if (first) { + first = false; + continue; + } + q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, + q_X509_dup(reinterpret_cast<X509 *>(cert.handle()))); + } + } + + // Initialize peer verification. + if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { + q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0); + } else { + q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); + } + + // Set verification depth. + if (sslContext->sslConfiguration.peerVerifyDepth() != 0) + q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); + + // set persisted session if the user set it + if (!configuration.sessionTicket().isEmpty()) + sslContext->setSessionASN1(configuration.sessionTicket()); + + // Set temp DH params + QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); + + if (!dhparams.isValid()) { + sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + if (!dhparams.isEmpty()) { + const QByteArray ¶ms = dhparams.d->derData; + const char *ptr = params.constData(); + DH *dh = q_d2i_DHparams(NULL, reinterpret_cast<const unsigned char **>(&ptr), params.length()); + if (dh == NULL) + qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); + q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); + q_DH_free(dh); + } + +#ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L) { + q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); + } else +#endif + { + // Set temp ECDH params + EC_KEY *ecdh = 0; + ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); + q_EC_KEY_free(ecdh); + } +#endif // OPENSSL_NO_EC + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) + if (!client) + q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); +#endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) + + const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves(); + if (!qcurves.isEmpty()) { +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) + // Set the curves to be used + if (q_SSLeay() >= 0x10002000L) { + // SSL_CTX_ctrl wants a non-const pointer as last argument, + // but let's avoid a copy into a temporary array + if (!q_SSL_CTX_ctrl(sslContext->ctx, + SSL_CTRL_SET_CURVES, + qcurves.size(), + const_cast<int *>(reinterpret_cast<const int *>(qcurves.data())))) { + sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + } + } else +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) + { + // specific curves requested, but not possible to set -> error + sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2")); + sslContext->errorCode = QSslError::UnspecifiedError; + } + } +} + +QT_END_NAMESPACE diff --git a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp index 90687b05c5..5ebad822f1 100644 --- a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp +++ b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp @@ -1,6 +1,7 @@ /**************************************************************************** ** ** Copyright (C) 2015 Mikkel Krautz <mikkel@krautz.dk> +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -50,8 +51,8 @@ #include <QtCore/qdebug.h> #endif -// For q_BN_is_word. #include <openssl/bn.h> +#include <openssl/dh.h> QT_BEGIN_NAMESPACE @@ -62,13 +63,6 @@ static bool isSafeDH(DH *dh) QSslSocketPrivate::ensureInitialized(); - // Mark p < 1024 bits as unsafe. - if (q_BN_num_bits(dh->p) < 1024) { - return false; - } - - if (q_DH_check(dh, &status) != 1) - return false; // From https://wiki.openssl.org/index.php/Diffie-Hellman_parameters: // @@ -81,11 +75,39 @@ static bool isSafeDH(DH *dh) // Without the test, the IETF parameters would // fail validation. For details, see Diffie-Hellman // Parameter Check (when g = 2, must p mod 24 == 11?). +#if QT_CONFIG(opensslv11) + // Mark p < 1024 bits as unsafe. + if (q_DH_bits(dh) < 1024) + return false; + + if (q_DH_check(dh, &status) != 1) + return false; + + const BIGNUM *p = nullptr; + const BIGNUM *q = nullptr; + const BIGNUM *g = nullptr; + q_DH_get0_pqg(dh, &p, &q, &g); + + if (q_BN_is_word(const_cast<BIGNUM *>(g), DH_GENERATOR_2)) { + long residue = q_BN_mod_word(p, 24); + if (residue == 11 || residue == 23) + status &= ~DH_NOT_SUITABLE_GENERATOR; + } + +#else + // Mark p < 1024 bits as unsafe. + if (q_BN_num_bits(dh->p) < 1024) + return false; + + if (q_DH_check(dh, &status) != 1) + return false; + if (q_BN_is_word(dh->g, DH_GENERATOR_2)) { long residue = q_BN_mod_word(dh->p, 24); if (residue == 11 || residue == 23) status &= ~DH_NOT_SUITABLE_GENERATOR; } +#endif bad |= DH_CHECK_P_NOT_PRIME; bad |= DH_CHECK_P_NOT_SAFE_PRIME; diff --git a/src/network/ssl/qsslellipticcurve.h b/src/network/ssl/qsslellipticcurve.h index 231566063e..57dda19bad 100644 --- a/src/network/ssl/qsslellipticcurve.h +++ b/src/network/ssl/qsslellipticcurve.h @@ -80,6 +80,7 @@ private: friend Q_DECL_CONSTEXPR bool operator==(QSslEllipticCurve lhs, QSslEllipticCurve rhs) Q_DECL_NOTHROW; friend Q_DECL_CONSTEXPR uint qHash(QSslEllipticCurve curve, uint seed) Q_DECL_NOTHROW; + friend class QSslContext; friend class QSslSocketPrivate; friend class QSslSocketBackendPrivate; }; diff --git a/src/network/ssl/qsslellipticcurve_openssl.cpp b/src/network/ssl/qsslellipticcurve_openssl.cpp index e18197b703..8cd14837f0 100644 --- a/src/network/ssl/qsslellipticcurve_openssl.cpp +++ b/src/network/ssl/qsslellipticcurve_openssl.cpp @@ -1,6 +1,7 @@ /**************************************************************************** ** ** Copyright (C) 2014 Governikus GmbH & Co. KG. +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -78,17 +79,18 @@ QSslEllipticCurve QSslEllipticCurve::fromShortName(const QString &name) QSslEllipticCurve result; #ifndef OPENSSL_NO_EC - const QByteArray curveNameLatin1 = name.toLatin1(); + const QByteArray curveNameLatin1 = name.toLatin1(); int nid = q_OBJ_sn2nid(curveNameLatin1.data()); #if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (nid == 0 && q_SSLeay() >= 0x10002000L) + if (nid == 0 && QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) nid = q_EC_curve_nist2nid(curveNameLatin1.data()); #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L result.id = nid; -#endif + +#endif // !OPENSSL_NO_EC return result; } diff --git a/src/network/ssl/qsslkey_openssl.cpp b/src/network/ssl/qsslkey_openssl.cpp index 26119023d1..aa81b735b9 100644 --- a/src/network/ssl/qsslkey_openssl.cpp +++ b/src/network/ssl/qsslkey_openssl.cpp @@ -1,6 +1,7 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -87,33 +88,30 @@ bool QSslKeyPrivate::fromEVP_PKEY(EVP_PKEY *pkey) if (pkey == nullptr) return false; - if (pkey->type == EVP_PKEY_RSA) { +#if QT_CONFIG(opensslv11) + const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); +#else + const int keyType = pkey->type; +#endif + if (keyType == EVP_PKEY_RSA) { isNull = false; algorithm = QSsl::Rsa; type = QSsl::PrivateKey; - - rsa = q_RSA_new(); - memcpy(rsa, q_EVP_PKEY_get1_RSA(pkey), sizeof(RSA)); - + rsa = q_EVP_PKEY_get1_RSA(pkey); return true; - } - else if (pkey->type == EVP_PKEY_DSA) { + } else if (keyType == EVP_PKEY_DSA) { isNull = false; algorithm = QSsl::Dsa; type = QSsl::PrivateKey; - - dsa = q_DSA_new(); - memcpy(dsa, q_EVP_PKEY_get1_DSA(pkey), sizeof(DSA)); - + dsa = q_EVP_PKEY_get1_DSA(pkey); return true; } #ifndef OPENSSL_NO_EC - else if (pkey->type == EVP_PKEY_EC) { + else if (keyType == EVP_PKEY_EC) { isNull = false; algorithm = QSsl::Ec; type = QSsl::PrivateKey; - ec = q_EC_KEY_dup(q_EVP_PKEY_get1_EC_KEY(pkey)); - + ec = q_EVP_PKEY_get1_EC_KEY(pkey); return true; } #endif @@ -181,8 +179,8 @@ int QSslKeyPrivate::length() const return -1; switch (algorithm) { - case QSsl::Rsa: return q_BN_num_bits(rsa->n); - case QSsl::Dsa: return q_BN_num_bits(dsa->p); + case QSsl::Rsa: return q_RSA_bits(rsa); + case QSsl::Dsa: return q_DSA_bits(dsa); #ifndef OPENSSL_NO_EC case QSsl::Ec: return q_EC_GROUP_get_degree(q_EC_KEY_get0_group(ec)); #endif @@ -276,7 +274,13 @@ Qt::HANDLE QSslKeyPrivate::handle() const static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv, int enc) { - EVP_CIPHER_CTX ctx; +#if QT_CONFIG(opensslv11) + EVP_CIPHER_CTX *ctx = q_EVP_CIPHER_CTX_new(); +#else + EVP_CIPHER_CTX evpCipherContext; + EVP_CIPHER_CTX *ctx = &evpCipherContext; +#endif + const EVP_CIPHER* type = 0; int i = 0, len = 0; @@ -294,21 +298,44 @@ static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data, QByteArray output; output.resize(data.size() + EVP_MAX_BLOCK_LENGTH); - q_EVP_CIPHER_CTX_init(&ctx); - q_EVP_CipherInit(&ctx, type, NULL, NULL, enc); - q_EVP_CIPHER_CTX_set_key_length(&ctx, key.size()); + +#if QT_CONFIG(opensslv11) + q_EVP_CIPHER_CTX_reset(ctx); +#else + q_EVP_CIPHER_CTX_init(ctx); +#endif + + q_EVP_CipherInit(ctx, type, NULL, NULL, enc); + q_EVP_CIPHER_CTX_set_key_length(ctx, key.size()); if (cipher == QSslKeyPrivate::Rc2Cbc) - q_EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); - q_EVP_CipherInit(&ctx, NULL, + q_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); + +#if QT_CONFIG(opensslv11) + // EVP_CipherInit in 1.1 resets the context thus making the calls above useless. + // We call EVP_CipherInit_ex instead. + q_EVP_CipherInit_ex(ctx, nullptr, nullptr, + reinterpret_cast<const unsigned char *>(key.constData()), + reinterpret_cast<const unsigned char *>(iv.constData()), + enc); +#else + q_EVP_CipherInit(ctx, NULL, reinterpret_cast<const unsigned char *>(key.constData()), reinterpret_cast<const unsigned char *>(iv.constData()), enc); - q_EVP_CipherUpdate(&ctx, +#endif // opensslv11 + + q_EVP_CipherUpdate(ctx, reinterpret_cast<unsigned char *>(output.data()), &len, reinterpret_cast<const unsigned char *>(data.constData()), data.size()); - q_EVP_CipherFinal(&ctx, + q_EVP_CipherFinal(ctx, reinterpret_cast<unsigned char *>(output.data()) + len, &i); len += i; - q_EVP_CIPHER_CTX_cleanup(&ctx); + +#if QT_CONFIG(opensslv11) + q_EVP_CIPHER_CTX_reset(ctx); + q_EVP_CIPHER_CTX_free(ctx); +#else + q_EVP_CIPHER_CTX_cleanup(ctx); +#endif return output.left(len); } diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 8eba5db9fe..adff568f5b 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -2005,6 +2005,8 @@ qint64 QSslSocket::readData(char *data, qint64 maxlen) // possibly trigger another transmit() to decrypt more data from the socket if (d->plainSocket->bytesAvailable()) QMetaObject::invokeMethod(this, "_q_flushReadBuffer", Qt::QueuedConnection); + else if (d->state != QAbstractSocket::ConnectedState) + return maxlen ? qint64(-1) : qint64(0); } return readBytes; @@ -2025,7 +2027,10 @@ qint64 QSslSocket::writeData(const char *data, qint64 len) d->writeBuffer.append(data, len); // make sure we flush to the plain socket's buffer - QMetaObject::invokeMethod(this, "_q_flushWriteBuffer", Qt::QueuedConnection); + if (!d->flushTriggered) { + d->flushTriggered = true; + QMetaObject::invokeMethod(this, "_q_flushWriteBuffer", Qt::QueuedConnection); + } return len; } @@ -2044,6 +2049,7 @@ QSslSocketPrivate::QSslSocketPrivate() , allowRootCertOnDemandLoading(true) , plainSocket(0) , paused(false) + , flushTriggered(false) { QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); } @@ -2066,6 +2072,7 @@ void QSslSocketPrivate::init() ignoreAllSslErrors = false; shutdown = false; pendingClose = false; + flushTriggered = false; // we don't want to clear the ignoreErrorsList, so // that it is possible setting it before connecting @@ -2534,6 +2541,10 @@ void QSslSocketPrivate::_q_readChannelFinishedSlot() void QSslSocketPrivate::_q_flushWriteBuffer() { Q_Q(QSslSocket); + + // need to notice if knock-on effects of this flush (e.g. a readReady() via transmit()) + // make another necessary, so clear flag before calling: + flushTriggered = false; if (!writeBuffer.isEmpty()) q->flush(); } diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index 2ba988fb70..8d2efe74be 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -96,16 +96,14 @@ EphemeralSecKeychain::EphemeralSecKeychain() return; } - QString uuidAsString(uuid.toString()); - Q_ASSERT(uuidAsString.size() > 2); - Q_ASSERT(uuidAsString.startsWith(QLatin1Char('{')) - && uuidAsString.endsWith(QLatin1Char('}'))); - uuidAsString = uuidAsString.mid(1, uuidAsString.size() - 2); - - QString keychainName(QDir::tempPath()); - keychainName.append(QDir::separator()); - keychainName += uuidAsString; - keychainName += QLatin1String(".keychain"); + const QByteArray uuidAsByteArray = uuid.toByteArray(); + Q_ASSERT(uuidAsByteArray.size() > 2); + Q_ASSERT(uuidAsByteArray.startsWith('{')); + Q_ASSERT(uuidAsByteArray.endsWith('}')); + const auto uuidAsString = QLatin1String(uuidAsByteArray.data(), uuidAsByteArray.size()).mid(1, uuidAsByteArray.size() - 2); + + const QString keychainName + = QDir::tempPath() + QDir::separator() + uuidAsString + QLatin1String(".keychain"); // SecKeychainCreate, pathName parameter: // // "A constant character string representing the POSIX path indicating where diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index ab82cdcfc9..2d771b5637 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 Governikus GmbH & Co. KG ** Contact: https://www.qt.io/licensing/ ** @@ -54,7 +54,6 @@ ****************************************************************************/ //#define QSSLSOCKET_DEBUG -//#define QT_DECRYPT_SSL_TRAFFIC #include "qssl_p.h" #include "qsslsocket_openssl_p.h" @@ -97,70 +96,6 @@ bool QSslSocketPrivate::s_loadRootCertsOnDemand = false; int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1; #endif -/* \internal - - From OpenSSL's thread(3) manual page: - - OpenSSL can safely be used in multi-threaded applications provided that at - least two callback functions are set. - - locking_function(int mode, int n, const char *file, int line) is needed to - perform locking on shared data structures. (Note that OpenSSL uses a - number of global data structures that will be implicitly shared - whenever multiple threads use OpenSSL.) Multi-threaded - applications will crash at random if it is not set. ... - ... - id_function(void) is a function that returns a thread ID. It is not - needed on Windows nor on platforms where getpid() returns a different - ID for each thread (most notably Linux) -*/ -class QOpenSslLocks -{ -public: - inline QOpenSslLocks() - : initLocker(QMutex::Recursive), - locksLocker(QMutex::Recursive) - { - QMutexLocker locker(&locksLocker); - int numLocks = q_CRYPTO_num_locks(); - locks = new QMutex *[numLocks]; - memset(locks, 0, numLocks * sizeof(QMutex *)); - } - inline ~QOpenSslLocks() - { - QMutexLocker locker(&locksLocker); - for (int i = 0; i < q_CRYPTO_num_locks(); ++i) - delete locks[i]; - delete [] locks; - - QSslSocketPrivate::deinitialize(); - } - inline QMutex *lock(int num) - { - QMutexLocker locker(&locksLocker); - QMutex *tmp = locks[num]; - if (!tmp) - tmp = locks[num] = new QMutex(QMutex::Recursive); - return tmp; - } - - QMutex *globalLock() - { - return &locksLocker; - } - - QMutex *initLock() - { - return &initLocker; - } - -private: - QMutex initLocker; - QMutex locksLocker; - QMutex **locks; -}; -Q_GLOBAL_STATIC(QOpenSslLocks, openssl_locks) - QString QSslSocketBackendPrivate::getErrorsFromOpenSsl() { QString errorString; @@ -175,20 +110,6 @@ QString QSslSocketBackendPrivate::getErrorsFromOpenSsl() } extern "C" { -static void locking_function(int mode, int lockNumber, const char *, int) -{ - QMutex *mutex = openssl_locks()->lock(lockNumber); - - // Lock or unlock it - if (mode & CRYPTO_LOCK) - mutex->lock(); - else - mutex->unlock(); -} -static unsigned long id_function() -{ - return (quintptr)QThread::currentThreadId(); -} #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) static unsigned int q_ssl_psk_client_callback(SSL *ssl, @@ -227,7 +148,7 @@ QSslSocketBackendPrivate::~QSslSocketBackendPrivate() destroySslContext(); } -QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher) +QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher) { QSslCipher ciph; @@ -268,12 +189,12 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *ciph } // static -inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) { - QSslErrorEntry result = { +inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) +{ + return { q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx) }; - return result; } // ### This list is shared between all threads, and protected by a @@ -283,6 +204,7 @@ struct QSslErrorList QMutex mutex; QVector<QSslErrorEntry> errors; }; + Q_GLOBAL_STATIC(QSslErrorList, _q_sslErrorList) int q_X509Callback(int ok, X509_STORE_CTX *ctx) @@ -290,6 +212,7 @@ int q_X509Callback(int ok, X509_STORE_CTX *ctx) if (!ok) { // Store the error and at which depth the error was detected. _q_sslErrorList()->errors << QSslErrorEntry::fromStoreContext(ctx); +#if !QT_CONFIG(opensslv11) #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "verification error: dumping bad certificate"; qCDebug(lcSsl) << QSslCertificatePrivate::QSslCertificate_from_X509(q_X509_STORE_CTX_get_current_cert(ctx)).toPem(); @@ -310,9 +233,10 @@ int q_X509Callback(int ok, X509_STORE_CTX *ctx) << "ST=" << cert.subjectInfo(QSslCertificate::StateOrProvinceName); qCDebug(lcSsl) << "Valid:" << cert.effectiveDate() << '-' << cert.expiryDate(); } -#endif +#endif // QSSLSOCKET_DEBUG +#endif // !QT_CONFIG(opensslv11) } - // Always return OK to allow verification to continue. We're handle the + // Always return OK to allow verification to continue. We handle the // errors gracefully after collecting all errors, after verification has // completed. return 1; @@ -397,7 +321,7 @@ bool QSslSocketBackendPrivate::initSslContext() if (configuration.protocol != QSsl::SslV2 && configuration.protocol != QSsl::SslV3 && configuration.protocol != QSsl::UnknownProtocol && - mode == QSslSocket::SslClientMode && q_SSLeay() >= 0x00090806fL) { + mode == QSslSocket::SslClientMode && QSslSocket::sslLibraryVersionNumber() >= 0x00090806fL) { // Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format. QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName; if (tlsHostName.isEmpty()) @@ -438,13 +362,13 @@ bool QSslSocketBackendPrivate::initSslContext() #if OPENSSL_VERSION_NUMBER >= 0x10001000L // Save a pointer to this object into the SSL structure. - if (q_SSLeay() >= 0x10001000L) + if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) q_SSL_set_ex_data(ssl, s_indexForSSLExtraData, this); #endif #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) // Set the client callback for PSK - if (q_SSLeay() >= 0x10001000L) { + if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) { if (mode == QSslSocket::SslClientMode) q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback); else if (mode == QSslSocket::SslServerMode) @@ -466,16 +390,6 @@ void QSslSocketBackendPrivate::destroySslContext() /*! \internal -*/ -void QSslSocketPrivate::deinitialize() -{ - q_CRYPTO_set_id_callback(0); - q_CRYPTO_set_locking_callback(0); - q_ERR_free_strings(); -} - -/*! - \internal Does the minimum amount of initialization to determine whether SSL is supported or not. @@ -486,91 +400,6 @@ bool QSslSocketPrivate::supportsSsl() return ensureLibraryLoaded(); } -bool QSslSocketPrivate::ensureLibraryLoaded() -{ - if (!q_resolveOpenSslSymbols()) - return false; - - // Check if the library itself needs to be initialized. - QMutexLocker locker(openssl_locks()->initLock()); - - if (!s_libraryLoaded) { - s_libraryLoaded = true; - - // Initialize OpenSSL. - q_CRYPTO_set_id_callback(id_function); - q_CRYPTO_set_locking_callback(locking_function); - if (q_SSL_library_init() != 1) - return false; - q_SSL_load_error_strings(); - q_OpenSSL_add_all_algorithms(); - -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - if (q_SSLeay() >= 0x10001000L) - QSslSocketBackendPrivate::s_indexForSSLExtraData = q_SSL_get_ex_new_index(0L, NULL, NULL, NULL, NULL); -#endif - - // Initialize OpenSSL's random seed. - if (!q_RAND_status()) { - qWarning("Random number generator not seeded, disabling SSL support"); - return false; - } - } - return true; -} - -void QSslSocketPrivate::ensureCiphersAndCertsLoaded() -{ - QMutexLocker locker(openssl_locks()->initLock()); - if (s_loadedCiphersAndCerts) - return; - s_loadedCiphersAndCerts = true; - - resetDefaultCiphers(); - resetDefaultEllipticCurves(); - -#if QT_CONFIG(library) - //load symbols needed to receive certificates from system store -#if defined(Q_OS_WIN) - HINSTANCE hLib = LoadLibraryW(L"Crypt32"); - if (hLib) { - ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); - ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); - ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); - if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) - qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen - } else { - qCWarning(lcSsl, "could not load crypt32 library"); // should never happen - } -#elif defined(Q_OS_QNX) - s_loadRootCertsOnDemand = true; -#elif defined(Q_OS_UNIX) && !defined(Q_OS_MAC) - // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) - QList<QByteArray> dirs = unixRootCertDirectories(); - QStringList symLinkFilter; - symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); - for (int a = 0; a < dirs.count(); ++a) { - QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); - if (iterator.hasNext()) { - s_loadRootCertsOnDemand = true; - break; - } - } -#endif -#endif // QT_CONFIG(library) - // if on-demand loading was not enabled, load the certs now - if (!s_loadRootCertsOnDemand) - setDefaultCaCertificates(systemCaCertificates()); -#ifdef Q_OS_WIN - //Enabled for fetching additional root certs from windows update on windows 6+ - //This flag is set false by setDefaultCaCertificates() indicating the app uses - //its own cert bundle rather than the system one. - //Same logic that disables the unix on demand cert loading. - //Unlike unix, we do preload the certificates from the cert store. - if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) - s_loadRootCertsOnDemand = true; -#endif -} /*! \internal @@ -587,26 +416,6 @@ void QSslSocketPrivate::ensureInitialized() ensureCiphersAndCertsLoaded(); } -long QSslSocketPrivate::sslLibraryVersionNumber() -{ - if (!supportsSsl()) - return 0; - - return q_SSLeay(); -} - -QString QSslSocketPrivate::sslLibraryVersionString() -{ - if (!supportsSsl()) - return QString(); - - const char *versionString = q_SSLeay_version(SSLEAY_VERSION); - if (!versionString) - return QString(); - - return QString::fromLatin1(versionString); -} - long QSslSocketPrivate::sslLibraryBuildVersionNumber() { return OPENSSL_VERSION_NUMBER; @@ -628,7 +437,11 @@ QString QSslSocketPrivate::sslLibraryBuildVersionString() */ void QSslSocketPrivate::resetDefaultCiphers() { +#if QT_CONFIG(opensslv11) + SSL_CTX *myCtx = q_SSL_CTX_new(q_TLS_client_method()); +#else SSL_CTX *myCtx = q_SSL_CTX_new(q_SSLv23_client_method()); +#endif SSL *mySsl = q_SSL_new(myCtx); QList<QSslCipher> ciphers; @@ -664,7 +477,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves() QVector<QSslEllipticCurve> curves; #ifndef OPENSSL_NO_EC - const size_t curveCount = q_EC_get_builtin_curves(NULL, 0); + const size_t curveCount = q_EC_get_builtin_curves(nullptr, 0); QVarLengthArray<EC_builtin_curve> builtinCurves(static_cast<int>(curveCount)); @@ -698,13 +511,14 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) { HCERTSTORE hSystemStore; hSystemStore = ptrCertOpenSystemStoreW(0, L"ROOT"); - if(hSystemStore) { - PCCERT_CONTEXT pc = NULL; - while(1) { - pc = ptrCertFindCertificateInStore( hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pc); - if(!pc) + if (hSystemStore) { + PCCERT_CONTEXT pc = nullptr; + while (1) { + pc = ptrCertFindCertificateInStore(hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, pc); + if (!pc) break; - QByteArray der((const char *)(pc->pbCertEncoded), static_cast<int>(pc->cbCertEncoded)); + QByteArray der(reinterpret_cast<const char *>(pc->pbCertEncoded), + static_cast<int>(pc->cbCertEncoded)); QSslCertificate cert(der, QSsl::Der); systemCerts.append(cert); } @@ -891,10 +705,9 @@ void QSslSocketBackendPrivate::transmit() // Write encrypted data from the buffer into the read BIO. int writtenToBio = q_BIO_write(readBio, data.constData(), encryptedBytesRead); - // do the actual read() here and throw away the results. + // Throw away the results. if (writtenToBio > 0) { - // ### TODO: make this cheaper by not making it memcpy. E.g. make it work with data=0x0 or make it work with seek - plainSocket->read(data.data(), writtenToBio); + plainSocket->skip(writtenToBio); } else { // ### Better error handling. setErrorAndEmit(QAbstractSocket::SslInternalError, @@ -943,15 +756,15 @@ void QSslSocketBackendPrivate::transmit() // we have a readBufferMaxSize. There's no point in leaving data there // just so that readBuffer.size() == readBufferMaxSize. int readBytes = 0; - data.resize(4096); - ::memset(data.data(), 0, data.size()); + const int bytesToRead = 4096; do { // Don't use SSL_pending(). It's very unreliable. - if ((readBytes = q_SSL_read(ssl, data.data(), data.size())) > 0) { + readBytes = q_SSL_read(ssl, buffer.reserve(bytesToRead), bytesToRead); + if (readBytes > 0) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes"; #endif - buffer.append(data.constData(), readBytes); + buffer.chop(bytesToRead - readBytes); if (readyReadEmittedPointer) *readyReadEmittedPointer = true; @@ -960,6 +773,7 @@ void QSslSocketBackendPrivate::transmit() transmitting = true; continue; } + buffer.chop(bytesToRead); // Error. switch (q_SSL_get_error(ssl, readBytes)) { @@ -1502,14 +1316,8 @@ QSslCipher QSslSocketBackendPrivate::sessionCipher() const { if (!ssl) return QSslCipher(); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - // FIXME This is fairly evil, but needed to keep source level compatibility - // with the OpenSSL 0.9.x implementation at maximum -- some other functions - // don't take a const SSL_CIPHER* when they should - SSL_CIPHER *sessionCipher = const_cast<SSL_CIPHER *>(q_SSL_get_current_cipher(ssl)); -#else - SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); -#endif + + const SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); return sessionCipher ? QSslCipher_from_SSL_CIPHER(sessionCipher) : QSslCipher(); } @@ -1535,112 +1343,6 @@ QSsl::SslProtocol QSslSocketBackendPrivate::sessionProtocol() const return QSsl::UnknownProtocol; } -void QSslSocketBackendPrivate::continueHandshake() -{ - Q_Q(QSslSocket); - // if we have a max read buffer size, reset the plain socket's to match - if (readBufferMaxSize) - plainSocket->setReadBufferSize(readBufferMaxSize); - - if (q_SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)) - configuration.peerSessionShared = true; - -#ifdef QT_DECRYPT_SSL_TRAFFIC - if (ssl->session && ssl->s3) { - const char *mk = reinterpret_cast<const char *>(ssl->session->master_key); - QByteArray masterKey(mk, ssl->session->master_key_length); - const char *random = reinterpret_cast<const char *>(ssl->s3->client_random); - QByteArray clientRandom(random, SSL3_RANDOM_SIZE); - - // different format, needed for e.g. older Wireshark versions: -// const char *sid = reinterpret_cast<const char *>(ssl->session->session_id); -// QByteArray sessionID(sid, ssl->session->session_id_length); -// QByteArray debugLineRSA("RSA Session-ID:"); -// debugLineRSA.append(sessionID.toHex().toUpper()); -// debugLineRSA.append(" Master-Key:"); -// debugLineRSA.append(masterKey.toHex().toUpper()); -// debugLineRSA.append("\n"); - - QByteArray debugLineClientRandom("CLIENT_RANDOM "); - debugLineClientRandom.append(clientRandom.toHex().toUpper()); - debugLineClientRandom.append(" "); - debugLineClientRandom.append(masterKey.toHex().toUpper()); - debugLineClientRandom.append("\n"); - - QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); - QFile file(sslKeyFile); - if (!file.open(QIODevice::Append)) - qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; - if (!file.write(debugLineClientRandom)) - qCWarning(lcSsl) << "could not write to file" << sslKeyFile; - file.close(); - } else { - qCWarning(lcSsl, "could not decrypt SSL traffic"); - } -#endif - - // Cache this SSL session inside the QSslContext - if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { - if (!sslContextPointer->cacheSession(ssl)) { - sslContextPointer.clear(); // we could not cache the session - } else { - // Cache the session for permanent usage as well - if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { - if (!sslContextPointer->sessionASN1().isEmpty()) - configuration.sslSession = sslContextPointer->sessionASN1(); - configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); - } - } - } - -#if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) - - configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; - if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { - // we could not agree -> be conservative and use HTTP/1.1 - configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); - } else { - const unsigned char *proto = 0; - unsigned int proto_len = 0; -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L) { - q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); - if (proto_len && mode == QSslSocket::SslClientMode) { - // Client does not have a callback that sets it ... - configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; - } - } - - if (!proto_len) { // Test if NPN was more lucky ... -#else - { -#endif - q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); - } - - if (proto_len) - configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast<const char *>(proto), proto_len); - else - configuration.nextNegotiatedProtocol.clear(); - } -#endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... - -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { - EVP_PKEY *key; - if (q_SSL_get_server_tmp_key(ssl, &key)) - configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); - } -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... - - connectionEncrypted = true; - emit q->encrypted(); - if (autoStartHandshake && pendingClose) { - pendingClose = false; - q->disconnectFromHost(); - } -} - QList<QSslCertificate> QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509) { ensureInitialized(); @@ -1694,12 +1396,12 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & QMutexLocker sslErrorListMutexLocker(&_q_sslErrorList()->mutex); // Register a custom callback to get all verification errors. - X509_STORE_set_verify_cb_func(certStore, q_X509Callback); + q_X509_STORE_set_verify_cb(certStore, q_X509Callback); // Build the chain of intermediate certificates STACK_OF(X509) *intermediates = 0; if (certificateChain.length() > 1) { - intermediates = (STACK_OF(X509) *) q_sk_new_null(); + intermediates = (STACK_OF(X509) *) q_OPENSSL_sk_new_null(); if (!intermediates) { q_X509_STORE_free(certStore); @@ -1713,11 +1415,8 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & first = false; continue; } -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - q_sk_push( (_STACK *)intermediates, reinterpret_cast<X509 *>(cert.handle())); -#else - q_sk_push( (STACK *)intermediates, reinterpret_cast<char *>(cert.handle())); -#endif + + q_OPENSSL_sk_push((OPENSSL_STACK *)intermediates, reinterpret_cast<X509 *>(cert.handle())); } } @@ -1741,11 +1440,7 @@ QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & (void) q_X509_verify_cert(storeContext); q_X509_STORE_CTX_free(storeContext); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - q_sk_free( (_STACK *) intermediates); -#else - q_sk_free( (STACK *) intermediates); -#endif + q_OPENSSL_sk_free((OPENSSL_STACK *)intermediates); // Now process the errors const auto errorList = std::move(_q_sslErrorList()->errors); @@ -1819,7 +1514,8 @@ bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, // Convert to Qt types if (!key->d->fromEVP_PKEY(pkey)) { qCWarning(lcSsl, "Unable to convert private key"); - q_sk_pop_free(reinterpret_cast<STACK *>(ca), reinterpret_cast<void(*)(void*)>(q_sk_free)); + q_OPENSSL_sk_pop_free(reinterpret_cast<OPENSSL_STACK *>(ca), + reinterpret_cast<void (*)(void *)>(q_OPENSSL_sk_free)); q_X509_free(x509); q_EVP_PKEY_free(pkey); q_PKCS12_free(p12); @@ -1834,7 +1530,11 @@ bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, *caCertificates = QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(ca); // Clean up - q_sk_pop_free(reinterpret_cast<STACK *>(ca), reinterpret_cast<void(*)(void*)>(q_sk_free)); + // TODO: verify ASAP, in the past we had sk_pop_free with q_OPENSSL_sk_free + // which seems to be blatantly wrong and even crashes with 1.1. + q_OPENSSL_sk_pop_free(reinterpret_cast<OPENSSL_STACK *>(ca), + reinterpret_cast<void (*)(void *)>(q_X509_free)); + q_X509_free(x509); q_EVP_PKEY_free(pkey); q_PKCS12_free(p12); diff --git a/src/network/ssl/qsslsocket_openssl11.cpp b/src/network/ssl/qsslsocket_openssl11.cpp new file mode 100644 index 0000000000..b6d18943a5 --- /dev/null +++ b/src/network/ssl/qsslsocket_openssl11.cpp @@ -0,0 +1,285 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 Governikus GmbH & Co. KG +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +/**************************************************************************** +** +** In addition, as a special exception, the copyright holders listed above give +** permission to link the code of its release of Qt with the OpenSSL project's +** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the +** same license as the original version), and distribute the linked executables. +** +** You must comply with the GNU General Public License version 2 in all +** respects for all of the code used other than the "OpenSSL" code. If you +** modify this file, you may extend this exception to your version of the file, +** but you are not obligated to do so. If you do not wish to do so, delete +** this exception statement from your version of this file. +** +****************************************************************************/ + +//#define QT_DECRYPT_SSL_TRAFFIC + +#include "qssl_p.h" +#include "qsslsocket_openssl_p.h" +#include "qsslsocket_openssl_symbols_p.h" +#include "qsslsocket.h" +#include "qsslkey.h" + +#include <QtCore/qdebug.h> +#include <QtCore/qdir.h> +#include <QtCore/qdiriterator.h> +#include <QtCore/qfile.h> +#include <QtCore/qmutex.h> +#include <QtCore/qlibrary.h> + +QT_BEGIN_NAMESPACE + +Q_GLOBAL_STATIC_WITH_ARGS(QMutex, qt_opensslInitMutex, (QMutex::Recursive)) + +/*! + \internal +*/ +void QSslSocketPrivate::deinitialize() +{ + // This function exists only for compatibility with the pre-11 code, + // where deinitialize() actually does some cleanup. To be discarded + // once we retire < 1.1. +} + +bool QSslSocketPrivate::ensureLibraryLoaded() +{ + if (!q_resolveOpenSslSymbols()) + return false; + + const QMutexLocker locker(qt_opensslInitMutex); + + if (!s_libraryLoaded) { + s_libraryLoaded = true; + + // Initialize OpenSSL. + if (q_OPENSSL_init_ssl(0, nullptr) != 1) + return false; + q_SSL_load_error_strings(); + q_OpenSSL_add_all_algorithms(); + + QSslSocketBackendPrivate::s_indexForSSLExtraData + = q_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, 0L, nullptr, nullptr, + nullptr, nullptr); + + // Initialize OpenSSL's random seed. + if (!q_RAND_status()) { + qWarning("Random number generator not seeded, disabling SSL support"); + return false; + } + } + return true; +} + +void QSslSocketPrivate::ensureCiphersAndCertsLoaded() +{ + const QMutexLocker locker(qt_opensslInitMutex); + + if (s_loadedCiphersAndCerts) + return; + s_loadedCiphersAndCerts = true; + + resetDefaultCiphers(); + resetDefaultEllipticCurves(); + +#if QT_CONFIG(library) + //load symbols needed to receive certificates from system store +#if defined(Q_OS_WIN) + HINSTANCE hLib = LoadLibraryW(L"Crypt32"); + if (hLib) { + ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); + ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); + ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); + if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) + qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen + } else { + qCWarning(lcSsl, "could not load crypt32 library"); // should never happen + } +#elif defined(Q_OS_QNX) + s_loadRootCertsOnDemand = true; +#elif defined(Q_OS_UNIX) && !defined(Q_OS_DARWIN) + // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) + QList<QByteArray> dirs = unixRootCertDirectories(); + QStringList symLinkFilter; + symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); + for (int a = 0; a < dirs.count(); ++a) { + QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); + if (iterator.hasNext()) { + s_loadRootCertsOnDemand = true; + break; + } + } +#endif +#endif // QT_CONFIG(library) + // if on-demand loading was not enabled, load the certs now + if (!s_loadRootCertsOnDemand) + setDefaultCaCertificates(systemCaCertificates()); +#ifdef Q_OS_WIN + //Enabled for fetching additional root certs from windows update on windows 6+ + //This flag is set false by setDefaultCaCertificates() indicating the app uses + //its own cert bundle rather than the system one. + //Same logic that disables the unix on demand cert loading. + //Unlike unix, we do preload the certificates from the cert store. + if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) + s_loadRootCertsOnDemand = true; +#endif +} + +long QSslSocketPrivate::sslLibraryVersionNumber() +{ + if (!supportsSsl()) + return 0; + + return q_OpenSSL_version_num(); +} + +QString QSslSocketPrivate::sslLibraryVersionString() +{ + if (!supportsSsl()) + return QString(); + + const char *versionString = q_OpenSSL_version(OPENSSL_VERSION); + if (!versionString) + return QString(); + + return QString::fromLatin1(versionString); +} + +void QSslSocketBackendPrivate::continueHandshake() +{ + Q_Q(QSslSocket); + // if we have a max read buffer size, reset the plain socket's to match + if (readBufferMaxSize) + plainSocket->setReadBufferSize(readBufferMaxSize); + + if (q_SSL_session_reused(ssl)) + configuration.peerSessionShared = true; + +#ifdef QT_DECRYPT_SSL_TRAFFIC + if (q_SSL_get_session(ssl)) { + size_t master_key_len = q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), 0, 0); + size_t client_random_len = q_SSL_get_client_random(ssl, 0, 0); + QByteArray masterKey(int(master_key_len), 0); // Will not overflow + QByteArray clientRandom(int(client_random_len), 0); // Will not overflow + + q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), + reinterpret_cast<unsigned char*>(masterKey.data()), + masterKey.size()); + q_SSL_get_client_random(ssl, reinterpret_cast<unsigned char *>(clientRandom.data()), + clientRandom.size()); + + QByteArray debugLineClientRandom("CLIENT_RANDOM "); + debugLineClientRandom.append(clientRandom.toHex().toUpper()); + debugLineClientRandom.append(" "); + debugLineClientRandom.append(masterKey.toHex().toUpper()); + debugLineClientRandom.append("\n"); + + QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); + QFile file(sslKeyFile); + if (!file.open(QIODevice::Append)) + qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; + if (!file.write(debugLineClientRandom)) + qCWarning(lcSsl) << "could not write to file" << sslKeyFile; + file.close(); + } else { + qCWarning(lcSsl, "could not decrypt SSL traffic"); + } +#endif + + // Cache this SSL session inside the QSslContext + if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { + if (!sslContextPointer->cacheSession(ssl)) { + sslContextPointer.clear(); // we could not cache the session + } else { + // Cache the session for permanent usage as well + if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { + if (!sslContextPointer->sessionASN1().isEmpty()) + configuration.sslSession = sslContextPointer->sessionASN1(); + configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); + } + } + } + +#if !defined(OPENSSL_NO_NEXTPROTONEG) + + configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; + if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { + // we could not agree -> be conservative and use HTTP/1.1 + configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); + } else { + const unsigned char *proto = 0; + unsigned int proto_len = 0; + + q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); + if (proto_len && mode == QSslSocket::SslClientMode) { + // Client does not have a callback that sets it ... + configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; + } + + if (!proto_len) { // Test if NPN was more lucky ... + q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); + } + + if (proto_len) + configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast<const char *>(proto), proto_len); + else + configuration.nextNegotiatedProtocol.clear(); + } +#endif // !defined(OPENSSL_NO_NEXTPROTONEG) + + if (mode == QSslSocket::SslClientMode) { + EVP_PKEY *key; + if (q_SSL_get_server_tmp_key(ssl, &key)) + configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); + } + + connectionEncrypted = true; + emit q->encrypted(); + if (autoStartHandshake && pendingClose) { + pendingClose = false; + q->disconnectFromHost(); + } +} + +QT_END_NAMESPACE diff --git a/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/src/network/ssl/qsslsocket_openssl11_symbols_p.h new file mode 100644 index 0000000000..2980b3d23e --- /dev/null +++ b/src/network/ssl/qsslsocket_openssl11_symbols_p.h @@ -0,0 +1,132 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +/**************************************************************************** +** +** In addition, as a special exception, the copyright holders listed above give +** permission to link the code of its release of Qt with the OpenSSL project's +** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the +** same license as the original version), and distribute the linked executables. +** +** You must comply with the GNU General Public License version 2 in all +** respects for all of the code used other than the "OpenSSL" code. If you +** modify this file, you may extend this exception to your version of the file, +** but you are not obligated to do so. If you do not wish to do so, delete +** this exception statement from your version of this file. +** +****************************************************************************/ + +#ifndef QSSLSOCKET_OPENSSL11_SYMBOLS_P_H +#define QSSLSOCKET_OPENSSL11_SYMBOLS_P_H + +// +// W A R N I N G +// ------------- +// +// This file is not part of the Qt API. It exists purely as an +// implementation detail. This header file may change from version to +// version without notice, or even be removed. +// +// We mean it. +// + +// Note: this file does not have QT_BEGIN_NAMESPACE/QT_END_NAMESPACE, it's done +// in qsslsocket_openssl_symbols_p.h. + +#ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H +#error "You are not supposed to use this header file, include qsslsocket_openssl_symbols_p.h instead" +#endif + +const unsigned char * q_ASN1_STRING_get0_data(const ASN1_STRING *x); + +Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a); +Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem(); + +int q_DSA_bits(DSA *a); +int q_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c); +int q_EVP_PKEY_base_id(EVP_PKEY *a); +int q_RSA_bits(RSA *a); +int q_OPENSSL_sk_num(OPENSSL_STACK *a); +void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *)); +OPENSSL_STACK *q_OPENSSL_sk_new_null(); +void q_OPENSSL_sk_push(OPENSSL_STACK *st, void *data); +void q_OPENSSL_sk_free(OPENSSL_STACK *a); +void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b); +int q_SSL_session_reused(SSL *a); +unsigned long q_SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op); +int q_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); +size_t q_SSL_get_client_random(SSL *a, unsigned char *out, size_t outlen); +size_t q_SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned char *out, size_t outlen); +int q_CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); +const SSL_METHOD *q_TLS_method(); +const SSL_METHOD *q_TLS_client_method(); +const SSL_METHOD *q_TLS_server_method(); +ASN1_TIME *q_X509_getm_notBefore(X509 *a); +ASN1_TIME *q_X509_getm_notAfter(X509 *a); + +long q_X509_get_version(X509 *a); +EVP_PKEY *q_X509_get_pubkey(X509 *a); +void q_X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); +STACK_OF(X509) *q_X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); +void q_DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); +int q_DH_bits(DH *dh); + +# define q_SSL_load_error_strings() q_OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \ + | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) + +#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_OPENSSL_sk_num)(st) +#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_OPENSSL_sk_value)(st, i) + +#define q_OPENSSL_add_all_algorithms_conf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ + | OPENSSL_INIT_ADD_ALL_DIGESTS \ + | OPENSSL_INIT_LOAD_CONFIG, NULL) +#define q_OPENSSL_add_all_algorithms_noconf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ + | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) + +int q_OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); +void q_CRYPTO_free(void *str, const char *file, int line); + +long q_OpenSSL_version_num(); +const char *q_OpenSSL_version(int type); + +unsigned long q_SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session); + +#endif diff --git a/src/network/ssl/qsslsocket_openssl_p.h b/src/network/ssl/qsslsocket_openssl_p.h index b2adb3e547..7f9e884045 100644 --- a/src/network/ssl/qsslsocket_openssl_p.h +++ b/src/network/ssl/qsslsocket_openssl_p.h @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -98,8 +98,8 @@ #include <openssl/crypto.h> #include <openssl/tls1.h> -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -typedef _STACK STACK; +#if QT_CONFIG(opensslv11) +#include <openssl/dh.h> #endif QT_BEGIN_NAMESPACE @@ -151,7 +151,7 @@ public: #endif Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions); - static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher); + static QSslCipher QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher); static QList<QSslCertificate> STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509); static QList<QSslError> verify(const QList<QSslCertificate> &certificateChain, const QString &hostName); static QString getErrorsFromOpenSsl(); diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp index c344a94427..3a236a1300 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols.cpp +++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp @@ -1,7 +1,8 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Copyright (C) 2016 Richard J. Moore <rich@kde.org> ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -136,49 +137,195 @@ void qsslSocketCannotResolveSymbolWarning(const char *functionName) #endif // QT_LINKED_OPENSSL +#if QT_CONFIG(opensslv11) + +// Below are the functions first introduced in version 1.1: + +DEFINEFUNC(const unsigned char *, ASN1_STRING_get0_data, const ASN1_STRING *a, a, return 0, return) +DEFINEFUNC2(int, OPENSSL_init_ssl, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) +DEFINEFUNC2(int, OPENSSL_init_crypto, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) +DEFINEFUNC(BIO *, BIO_new, const BIO_METHOD *a, a, return 0, return) +DEFINEFUNC(const BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) +DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return) +DEFINEFUNC(int, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX *c, c, return 0, return) +DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) +DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return) +DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return) +DEFINEFUNC(int, OPENSSL_sk_num, OPENSSL_STACK *a, a, return -1, return) +DEFINEFUNC2(void, OPENSSL_sk_pop_free, OPENSSL_STACK *a, a, void (*b)(void*), b, return, DUMMYARG) +DEFINEFUNC(OPENSSL_STACK *, OPENSSL_sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC2(void, OPENSSL_sk_push, OPENSSL_STACK *a, a, void *b, b, return, DUMMYARG) +DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG) +DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return 0, return) +DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return) +DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) +DEFINEFUNC3(size_t, SSL_get_client_random, SSL *a, a, unsigned char *out, out, size_t outlen, outlen, return 0, return) +DEFINEFUNC3(size_t, SSL_SESSION_get_master_key, const SSL_SESSION *ses, ses, unsigned char *out, out, size_t outlen, outlen, return 0, return) +DEFINEFUNC6(int, CRYPTO_get_ex_new_index, int class_index, class_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) + +DEFINEFUNC(const SSL_METHOD *, TLS_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLS_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLS_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(ASN1_TIME *, X509_getm_notBefore, X509 *a, a, return 0, return) +DEFINEFUNC(ASN1_TIME *, X509_getm_notAfter, X509 *a, a, return 0, return) +DEFINEFUNC(long, X509_get_version, X509 *a, a, return -1, return) +DEFINEFUNC(EVP_PKEY *, X509_get_pubkey, X509 *a, a, return 0, return) +DEFINEFUNC2(void, X509_STORE_set_verify_cb, X509_STORE *a, a, X509_STORE_CTX_verify_cb verify_cb, verify_cb, return, DUMMYARG) +DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get0_chain, X509_STORE_CTX *a, a, return 0, return) +DEFINEFUNC3(void, CRYPTO_free, void *str, str, const char *file, file, int line, line, return, DUMMYARG) +DEFINEFUNC(long, OpenSSL_version_num, void, DUMMYARG, return 0, return) +DEFINEFUNC(const char *, OpenSSL_version, int a, a, return 0, return) +DEFINEFUNC(unsigned long, SSL_SESSION_get_ticket_lifetime_hint, const SSL_SESSION *session, session, return 0, return) +DEFINEFUNC4(void, DH_get0_pqg, const DH *dh, dh, const BIGNUM **p, p, const BIGNUM **q, q, const BIGNUM **g, g, return, DUMMYARG) +DEFINEFUNC(int, DH_bits, DH *dh, dh, return 0, return) + +#else // QT_CONFIG(opensslv11) + +// Functions below are either deprecated or removed in OpenSSL >= 1.1: + +DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) + #ifdef SSLEAY_MACROS DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return 0, return) #endif +DEFINEFUNC2(BIO *, BIO_new_file, const char *filename, filename, const char *mode, mode, return 0, return) +DEFINEFUNC(void, ERR_clear_error, DUMMYARG, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) +DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) +DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG) +DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG) +DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG) +DEFINEFUNC(unsigned long, ERR_peek_last_error, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) +DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) + +#ifdef SSLEAY_MACROS +DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) +DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) +#endif // SSLEAY_MACROS + +DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return) +DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG) + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG) +DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG) +DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return) +#else +DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG) +DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG) +DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return) +#endif // OPENSSL_VERSION_NUMBER >= 0x10000000L + +DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return) +DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG) + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L +DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) +#endif // OPENSSL_VERSION_NUMBER >= 0x10001000L + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L +DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L +DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#else +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif + +DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) + +#ifdef SSLEAY_MACROS +DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) +DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return) +#ifndef OPENSSL_NO_EC +DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return) +#endif +DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return) +DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return) +#ifndef OPENSSL_NO_EC +DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return) +#endif +#endif +DEFINEFUNC(char *, CONF_get1_default_config_file, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return) +DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return) + +#endif // QT_CONFIG(opensslv11) + DEFINEFUNC(long, ASN1_INTEGER_get, ASN1_INTEGER *a, a, return 0, return) -DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) DEFINEFUNC(int, ASN1_STRING_length, ASN1_STRING *a, a, return 0, return) -DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return); +DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return) DEFINEFUNC4(long, BIO_ctrl, BIO *a, a, int b, b, long c, c, void *d, d, return -1, return) DEFINEFUNC(int, BIO_free, BIO *a, a, return 0, return) -DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) DEFINEFUNC2(BIO *, BIO_new_mem_buf, void *a, a, int b, b, return 0, return) DEFINEFUNC3(int, BIO_read, BIO *a, a, void *b, b, int c, c, return -1, return) -DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) + DEFINEFUNC3(int, BIO_write, BIO *a, a, const void *b, b, int c, c, return -1, return) DEFINEFUNC(int, BN_num_bits, const BIGNUM *a, a, return 0, return) -#if OPENSSL_VERSION_NUMBER >= 0x10100000L -DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return) -#endif DEFINEFUNC2(BN_ULONG, BN_mod_word, const BIGNUM *a, a, BN_ULONG w, w, return static_cast<BN_ULONG>(-1), return) #ifndef OPENSSL_NO_EC DEFINEFUNC(const EC_GROUP*, EC_KEY_get0_group, const EC_KEY* k, k, return 0, return) DEFINEFUNC(int, EC_GROUP_get_degree, const EC_GROUP* g, g, return 0, return) #endif -DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG) -DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG) -DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG) DEFINEFUNC(DSA *, DSA_new, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(void, DSA_free, DSA *a, a, return, DUMMYARG) DEFINEFUNC3(X509 *, d2i_X509, X509 **a, a, const unsigned char **b, b, long c, c, return 0, return) DEFINEFUNC2(char *, ERR_error_string, unsigned long a, a, char *b, b, return 0, return) DEFINEFUNC(unsigned long, ERR_get_error, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) -DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) -DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) -DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return); +DEFINEFUNC(EVP_CIPHER_CTX *, EVP_CIPHER_CTX_new, void, DUMMYARG, return 0, return) +DEFINEFUNC(void, EVP_CIPHER_CTX_free, EVP_CIPHER_CTX *a, a, return, DUMMYARG) +DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return) DEFINEFUNC2(int, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX *ctx, ctx, int keylen, keylen, return 0, return) -DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return); -DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return); -DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return); +DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) +DEFINEFUNC6(int, EVP_CipherInit_ex, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *cipher, cipher, ENGINE *impl, impl, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) +DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return) +DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return) DEFINEFUNC(const EVP_CIPHER *, EVP_des_cbc, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(const EVP_CIPHER *, EVP_des_ede3_cbc, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(const EVP_CIPHER *, EVP_rc2_cbc, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const EVP_MD *, EVP_sha1, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC3(int, EVP_PKEY_assign, EVP_PKEY *a, a, int b, b, char *c, c, return -1, return) DEFINEFUNC2(int, EVP_PKEY_set1_RSA, EVP_PKEY *a, a, RSA *b, b, return -1, return) DEFINEFUNC2(int, EVP_PKEY_set1_DSA, EVP_PKEY *a, a, DSA *b, b, return -1, return) @@ -202,10 +349,8 @@ DEFINEFUNC3(int, i2t_ASN1_OBJECT, char *a, a, int b, b, ASN1_OBJECT *c, c, retur DEFINEFUNC4(int, OBJ_obj2txt, char *a, a, int b, b, ASN1_OBJECT *c, c, int d, d, return -1, return) DEFINEFUNC(int, OBJ_obj2nid, const ASN1_OBJECT *a, a, return NID_undef, return) -#ifdef SSLEAY_MACROS -DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) -DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) -#else + +#ifndef SSLEAY_MACROS DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PrivateKey, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(DSA *, PEM_read_bio_DSAPrivateKey, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(RSA *, PEM_read_bio_RSAPrivateKey, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) @@ -218,7 +363,7 @@ DEFINEFUNC7(int, PEM_write_bio_RSAPrivateKey, BIO *a, a, RSA *b, b, const EVP_CI #ifndef OPENSSL_NO_EC DEFINEFUNC7(int, PEM_write_bio_ECPrivateKey, BIO *a, a, EC_KEY *b, b, const EVP_CIPHER *c, c, unsigned char *d, d, int e, e, pem_password_cb *f, f, void *g, g, return 0, return) #endif -#endif +#endif // !SSLEAY_MACROS DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PUBKEY, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(DSA *, PEM_read_bio_DSA_PUBKEY, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(RSA *, PEM_read_bio_RSA_PUBKEY, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) @@ -234,23 +379,10 @@ DEFINEFUNC2(void, RAND_seed, const void *a, a, int b, b, return, DUMMYARG) DEFINEFUNC(int, RAND_status, void, DUMMYARG, return -1, return) DEFINEFUNC(RSA *, RSA_new, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(void, RSA_free, RSA *a, a, return, DUMMYARG) -DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return) -DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG) -DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG) -DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return) -#else -DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG) -DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG) -DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return) -#endif DEFINEFUNC(int, SSL_accept, SSL *a, a, return -1, return) DEFINEFUNC(int, SSL_clear, SSL *a, a, return -1, return) -DEFINEFUNC3(char *, SSL_CIPHER_description, SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return) -DEFINEFUNC2(int, SSL_CIPHER_get_bits, SSL_CIPHER *a, a, int *b, b, return 0, return) +DEFINEFUNC3(char *, SSL_CIPHER_description, const SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return) +DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return) DEFINEFUNC(int, SSL_connect, SSL *a, a, return -1, return) DEFINEFUNC(int, SSL_CTX_check_private_key, const SSL_CTX *a, a, return -1, return) DEFINEFUNC4(long, SSL_CTX_ctrl, SSL_CTX *a, a, int b, b, long c, c, void *d, d, return -1, return) @@ -287,8 +419,6 @@ DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return) #else DEFINEFUNC(long, SSL_get_verify_result, SSL *a, a, return -1, return) #endif -DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return) -DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG) DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return 0, return) DEFINEFUNC4(long, SSL_ctrl, SSL *a, a, int cmd, cmd, long larg, larg, void *parg, parg, return -1, return) DEFINEFUNC3(int, SSL_read, SSL *a, a, void *b, b, int c, c, return -1, return) @@ -301,7 +431,6 @@ DEFINEFUNC(void, SSL_SESSION_free, SSL_SESSION *ses, ses, return, DUMMYARG) DEFINEFUNC(SSL_SESSION*, SSL_get1_session, SSL *ssl, ssl, return 0, return) DEFINEFUNC(SSL_SESSION*, SSL_get_session, const SSL *ssl, ssl, return 0, return) #if OPENSSL_VERSION_NUMBER >= 0x10001000L -DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) DEFINEFUNC3(int, SSL_set_ex_data, SSL *ssl, ssl, int idx, idx, void *arg, arg, return 0, return) DEFINEFUNC2(void *, SSL_get_ex_data, const SSL *ssl, ssl, int idx, idx, return NULL, return) #endif @@ -310,51 +439,9 @@ DEFINEFUNC2(void, SSL_set_psk_client_callback, SSL* ssl, ssl, q_psk_client_callb DEFINEFUNC2(void, SSL_set_psk_server_callback, SSL* ssl, ssl, q_psk_server_callback_t callback, callback, return, DUMMYARG) DEFINEFUNC2(int, SSL_CTX_use_psk_identity_hint, SSL_CTX* ctx, ctx, const char *hint, hint, return 0, return) #endif -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L -DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L -DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#else -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif DEFINEFUNC3(int, SSL_write, SSL *a, a, const void *b, b, int c, c, return -1, return) DEFINEFUNC2(int, X509_cmp, X509 *a, a, X509 *b, b, return -1, return) +DEFINEFUNC4(int, X509_digest, const X509 *x509, x509, const EVP_MD *type, type, unsigned char *md, md, unsigned int *len, len, return -1, return) #ifndef SSLEAY_MACROS DEFINEFUNC(X509 *, X509_dup, X509 *a, a, return 0, return) #endif @@ -378,6 +465,7 @@ DEFINEFUNC2(int, ASN1_STRING_print, BIO *a, a, ASN1_STRING *b, b, return 0, retu DEFINEFUNC2(int, X509_check_issued, X509 *a, a, X509 *b, b, return -1, return) DEFINEFUNC(X509_NAME *, X509_get_issuer_name, X509 *a, a, return 0, return) DEFINEFUNC(X509_NAME *, X509_get_subject_name, X509 *a, a, return 0, return) +DEFINEFUNC(ASN1_INTEGER *, X509_get_serialNumber, X509 *a, a, return 0, return) DEFINEFUNC(int, X509_verify_cert, X509_STORE_CTX *a, a, return -1, return) DEFINEFUNC(int, X509_NAME_entry_count, X509_NAME *a, a, return 0, return) DEFINEFUNC2(X509_NAME_ENTRY *, X509_NAME_get_entry, X509_NAME *a, a, int b, b, return 0, return) @@ -393,25 +481,8 @@ DEFINEFUNC2(int, X509_STORE_CTX_set_purpose, X509_STORE_CTX *a, a, int b, b, ret DEFINEFUNC(int, X509_STORE_CTX_get_error, X509_STORE_CTX *a, a, return -1, return) DEFINEFUNC(int, X509_STORE_CTX_get_error_depth, X509_STORE_CTX *a, a, return -1, return) DEFINEFUNC(X509 *, X509_STORE_CTX_get_current_cert, X509_STORE_CTX *a, a, return 0, return) -DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return 0, return) -#ifdef SSLEAY_MACROS -DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) -DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return) -#ifndef OPENSSL_NO_EC -DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return) -#endif -DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return) -DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return) -#ifndef OPENSSL_NO_EC -DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return) -#endif -#endif -DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) -DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) -DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return) -DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return) DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return) DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return 0, return) #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -628,6 +699,23 @@ static QPair<QSystemLibrary*, QSystemLibrary*> loadOpenSslWin32() pair.first = 0; pair.second = 0; +#if QT_CONFIG(opensslv11) + // With OpenSSL 1.1 the names have changed to libssl-1_1(-x64) and libcrypto-1_1(-x64), for builds using + // MSVC and GCC, (-x64 suffix for 64-bit builds). + +#ifdef Q_PROCESSOR_X86_64 +#define QT_SSL_SUFFIX "-x64" +#else // !Q_PROCESSOFR_X86_64 +#define QT_SSL_SUFFIX +#endif // !Q_PROCESSOR_x86_64 + + tryToLoadOpenSslWin32Library(QLatin1String("libssl-1_1" QT_SSL_SUFFIX), + QLatin1String("libcrypto-1_1" QT_SSL_SUFFIX), pair); + +#undef QT_SSL_SUFFIX + +#else // QT_CONFIG(opensslv11) + // When OpenSSL is built using MSVC then the libraries are named 'ssleay32.dll' and 'libeay32'dll'. // When OpenSSL is built using GCC then different library names are used (depending on the OpenSSL version) // The oldest version of a GCC-based OpenSSL which can be detected by the code below is 0.9.8g (released in 2007) @@ -638,6 +726,7 @@ static QPair<QSystemLibrary*, QSystemLibrary*> loadOpenSslWin32() } } } +#endif // !QT_CONFIG(opensslv11) return pair; } @@ -694,8 +783,8 @@ static QPair<QLibrary*, QLibrary*> loadOpenSsl() #ifndef Q_OS_DARWIN // second attempt: find the development files libssl.so and libcrypto.so // - // disabled on OS X/iOS: - // OS X's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third + // disabled on macOS/iOS: + // macOS's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third // attempt, _after_ <bundle>/Contents/Frameworks has been searched. // iOS does not ship a system libssl.dylib, libcrypto.dylib in the first place. libssl->setFileNameAndVersion(QLatin1String("ssl"), -1); @@ -754,8 +843,12 @@ bool q_resolveOpenSslSymbols() static bool symbolsResolved = false; static bool triedToResolveSymbols = false; #ifndef QT_NO_THREAD +#if QT_CONFIG(opensslv11) + QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_OPENSSL_init_ssl)); +#else QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_SSL_library_init)); #endif +#endif if (symbolsResolved) return true; if (triedToResolveSymbols) @@ -771,11 +864,145 @@ bool q_resolveOpenSslSymbols() // failed to load them return false; +#if QT_CONFIG(opensslv11) + + RESOLVEFUNC(OPENSSL_init_ssl) + RESOLVEFUNC(OPENSSL_init_crypto) + RESOLVEFUNC(ASN1_STRING_get0_data) + RESOLVEFUNC(EVP_CIPHER_CTX_reset) + RESOLVEFUNC(EVP_PKEY_base_id) + RESOLVEFUNC(RSA_bits) + RESOLVEFUNC(OPENSSL_sk_new_null) + RESOLVEFUNC(OPENSSL_sk_push) + RESOLVEFUNC(OPENSSL_sk_free) + RESOLVEFUNC(OPENSSL_sk_num) + RESOLVEFUNC(OPENSSL_sk_pop_free) + RESOLVEFUNC(OPENSSL_sk_value) + RESOLVEFUNC(DH_get0_pqg) + RESOLVEFUNC(SSL_CTX_set_options) + RESOLVEFUNC(SSL_get_client_random) + RESOLVEFUNC(SSL_SESSION_get_master_key) + RESOLVEFUNC(SSL_session_reused) + RESOLVEFUNC(SSL_get_session) + RESOLVEFUNC(CRYPTO_get_ex_new_index) + RESOLVEFUNC(TLS_method) + RESOLVEFUNC(TLS_client_method) + RESOLVEFUNC(TLS_server_method) + RESOLVEFUNC(X509_STORE_CTX_get0_chain) + RESOLVEFUNC(X509_getm_notBefore) + RESOLVEFUNC(X509_getm_notAfter) + RESOLVEFUNC(X509_get_version) + RESOLVEFUNC(X509_get_pubkey) + RESOLVEFUNC(X509_STORE_set_verify_cb) + RESOLVEFUNC(CRYPTO_free) + RESOLVEFUNC(OpenSSL_version_num) + RESOLVEFUNC(OpenSSL_version) + if (!_q_OpenSSL_version) { + // Apparently, we were built with OpenSSL 1.1 enabled but are now using + // a wrong library. + delete libs.first; + delete libs.second; + qCWarning(lcSsl, "Incompatible version of OpenSSL"); + return false; + } + + RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint) + RESOLVEFUNC(DH_bits) + RESOLVEFUNC(DSA_bits) + +#else // !opensslv11 + + RESOLVEFUNC(ASN1_STRING_data) + #ifdef SSLEAY_MACROS RESOLVEFUNC(ASN1_dup) +#endif // SSLEAY_MACROS + RESOLVEFUNC(BIO_new_file) + RESOLVEFUNC(ERR_clear_error) + RESOLVEFUNC(CRYPTO_free) + RESOLVEFUNC(CRYPTO_num_locks) + RESOLVEFUNC(CRYPTO_set_id_callback) + RESOLVEFUNC(CRYPTO_set_locking_callback) + RESOLVEFUNC(ERR_peek_last_error) + RESOLVEFUNC(ERR_free_strings) + RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) + RESOLVEFUNC(EVP_CIPHER_CTX_init) + +#ifdef SSLEAY_MACROS // ### verify + RESOLVEFUNC(PEM_ASN1_read_bio) +#endif // SSLEAY_MACROS + + RESOLVEFUNC(sk_new_null) + RESOLVEFUNC(sk_push) + RESOLVEFUNC(sk_free) + RESOLVEFUNC(sk_num) + RESOLVEFUNC(sk_pop_free) + RESOLVEFUNC(sk_value) + RESOLVEFUNC(SSL_library_init) + RESOLVEFUNC(SSL_load_error_strings) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + RESOLVEFUNC(SSL_get_ex_new_index) +#endif +#ifndef OPENSSL_NO_SSL2 + RESOLVEFUNC(SSLv2_client_method) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD + RESOLVEFUNC(SSLv3_client_method) +#endif + RESOLVEFUNC(SSLv23_client_method) + RESOLVEFUNC(TLSv1_client_method) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + RESOLVEFUNC(TLSv1_1_client_method) + RESOLVEFUNC(TLSv1_2_client_method) #endif +#ifndef OPENSSL_NO_SSL2 + RESOLVEFUNC(SSLv2_server_method) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD + RESOLVEFUNC(SSLv3_server_method) +#endif + RESOLVEFUNC(SSLv23_server_method) + RESOLVEFUNC(TLSv1_server_method) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + RESOLVEFUNC(TLSv1_1_server_method) + RESOLVEFUNC(TLSv1_2_server_method) +#endif + RESOLVEFUNC(X509_STORE_CTX_get_chain) +#ifdef SSLEAY_MACROS + RESOLVEFUNC(i2d_DSAPrivateKey) + RESOLVEFUNC(i2d_RSAPrivateKey) + RESOLVEFUNC(d2i_DSAPrivateKey) + RESOLVEFUNC(d2i_RSAPrivateKey) +#endif + RESOLVEFUNC(CONF_get1_default_config_file) + RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) + RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) + RESOLVEFUNC(SSLeay) + + if (!_q_SSLeay || q_SSLeay() >= 0x10100000L) { + // OpenSSL 1.1 has deprecated and removed SSLeay. We consider a failure to + // resolve this symbol as a failure to resolve symbols. + // The right operand of '||' above is ... a bit of paranoia. + delete libs.first; + delete libs.second; + qCWarning(lcSsl, "Incompatible version of OpenSSL"); + return false; + } + + + RESOLVEFUNC(SSLeay_version) + +#ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L) + RESOLVEFUNC(EC_curve_nist2nid) +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L +#endif // OPENSSL_NO_EC + + +#endif // !opensslv11 + RESOLVEFUNC(ASN1_INTEGER_get) - RESOLVEFUNC(ASN1_STRING_data) RESOLVEFUNC(ASN1_STRING_length) RESOLVEFUNC(ASN1_STRING_to_UTF8) RESOLVEFUNC(BIO_ctrl) @@ -794,25 +1021,22 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(BN_is_word) #endif RESOLVEFUNC(BN_mod_word) - RESOLVEFUNC(CRYPTO_free) - RESOLVEFUNC(CRYPTO_num_locks) - RESOLVEFUNC(CRYPTO_set_id_callback) - RESOLVEFUNC(CRYPTO_set_locking_callback) RESOLVEFUNC(DSA_new) RESOLVEFUNC(DSA_free) RESOLVEFUNC(ERR_error_string) RESOLVEFUNC(ERR_get_error) - RESOLVEFUNC(ERR_free_strings) - RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) - RESOLVEFUNC(EVP_CIPHER_CTX_init) + RESOLVEFUNC(EVP_CIPHER_CTX_new) + RESOLVEFUNC(EVP_CIPHER_CTX_free) RESOLVEFUNC(EVP_CIPHER_CTX_ctrl) RESOLVEFUNC(EVP_CIPHER_CTX_set_key_length) RESOLVEFUNC(EVP_CipherInit) + RESOLVEFUNC(EVP_CipherInit_ex) RESOLVEFUNC(EVP_CipherUpdate) RESOLVEFUNC(EVP_CipherFinal) RESOLVEFUNC(EVP_des_cbc) RESOLVEFUNC(EVP_des_ede3_cbc) RESOLVEFUNC(EVP_rc2_cbc) + RESOLVEFUNC(EVP_sha1) RESOLVEFUNC(EVP_PKEY_assign) RESOLVEFUNC(EVP_PKEY_set1_RSA) RESOLVEFUNC(EVP_PKEY_set1_DSA) @@ -834,9 +1058,8 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(i2t_ASN1_OBJECT) RESOLVEFUNC(OBJ_obj2txt) RESOLVEFUNC(OBJ_obj2nid) -#ifdef SSLEAY_MACROS // ### verify - RESOLVEFUNC(PEM_ASN1_read_bio) -#else + +#ifndef SSLEAY_MACROS RESOLVEFUNC(PEM_read_bio_PrivateKey) RESOLVEFUNC(PEM_read_bio_DSAPrivateKey) RESOLVEFUNC(PEM_read_bio_RSAPrivateKey) @@ -849,7 +1072,8 @@ bool q_resolveOpenSslSymbols() #ifndef OPENSSL_NO_EC RESOLVEFUNC(PEM_write_bio_ECPrivateKey) #endif -#endif +#endif // !SSLEAY_MACROS + RESOLVEFUNC(PEM_read_bio_PUBKEY) RESOLVEFUNC(PEM_read_bio_DSA_PUBKEY) RESOLVEFUNC(PEM_read_bio_RSA_PUBKEY) @@ -865,12 +1089,6 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(RAND_status) RESOLVEFUNC(RSA_new) RESOLVEFUNC(RSA_free) - RESOLVEFUNC(sk_new_null) - RESOLVEFUNC(sk_push) - RESOLVEFUNC(sk_free) - RESOLVEFUNC(sk_num) - RESOLVEFUNC(sk_pop_free) - RESOLVEFUNC(sk_value) RESOLVEFUNC(SSL_CIPHER_description) RESOLVEFUNC(SSL_CIPHER_get_bits) RESOLVEFUNC(SSL_CTX_check_private_key) @@ -898,8 +1116,6 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(SSL_get_peer_cert_chain) RESOLVEFUNC(SSL_get_peer_certificate) RESOLVEFUNC(SSL_get_verify_result) - RESOLVEFUNC(SSL_library_init) - RESOLVEFUNC(SSL_load_error_strings) RESOLVEFUNC(SSL_new) RESOLVEFUNC(SSL_ctrl) RESOLVEFUNC(SSL_read) @@ -912,7 +1128,6 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(SSL_get1_session) RESOLVEFUNC(SSL_get_session) #if OPENSSL_VERSION_NUMBER >= 0x10001000L - RESOLVEFUNC(SSL_get_ex_new_index) RESOLVEFUNC(SSL_set_ex_data) RESOLVEFUNC(SSL_get_ex_data) #endif @@ -922,30 +1137,6 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(SSL_CTX_use_psk_identity_hint) #endif RESOLVEFUNC(SSL_write) -#ifndef OPENSSL_NO_SSL2 - RESOLVEFUNC(SSLv2_client_method) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD - RESOLVEFUNC(SSLv3_client_method) -#endif - RESOLVEFUNC(SSLv23_client_method) - RESOLVEFUNC(TLSv1_client_method) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - RESOLVEFUNC(TLSv1_1_client_method) - RESOLVEFUNC(TLSv1_2_client_method) -#endif -#ifndef OPENSSL_NO_SSL2 - RESOLVEFUNC(SSLv2_server_method) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD - RESOLVEFUNC(SSLv3_server_method) -#endif - RESOLVEFUNC(SSLv23_server_method) - RESOLVEFUNC(TLSv1_server_method) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - RESOLVEFUNC(TLSv1_1_server_method) - RESOLVEFUNC(TLSv1_2_server_method) -#endif RESOLVEFUNC(X509_NAME_entry_count) RESOLVEFUNC(X509_NAME_get_entry) RESOLVEFUNC(X509_NAME_ENTRY_get_data) @@ -961,12 +1152,12 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(X509_STORE_CTX_get_error) RESOLVEFUNC(X509_STORE_CTX_get_error_depth) RESOLVEFUNC(X509_STORE_CTX_get_current_cert) - RESOLVEFUNC(X509_STORE_CTX_get_chain) RESOLVEFUNC(X509_cmp) #ifndef SSLEAY_MACROS RESOLVEFUNC(X509_dup) #endif RESOLVEFUNC(X509_print) + RESOLVEFUNC(X509_digest) RESOLVEFUNC(X509_EXTENSION_get_object) RESOLVEFUNC(X509_free) RESOLVEFUNC(X509_get_ext) @@ -982,20 +1173,11 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(X509_check_issued) RESOLVEFUNC(X509_get_issuer_name) RESOLVEFUNC(X509_get_subject_name) + RESOLVEFUNC(X509_get_serialNumber) RESOLVEFUNC(X509_verify_cert) RESOLVEFUNC(d2i_X509) RESOLVEFUNC(i2d_X509) -#ifdef SSLEAY_MACROS - RESOLVEFUNC(i2d_DSAPrivateKey) - RESOLVEFUNC(i2d_RSAPrivateKey) - RESOLVEFUNC(d2i_DSAPrivateKey) - RESOLVEFUNC(d2i_RSAPrivateKey) -#endif - RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) - RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) RESOLVEFUNC(SSL_CTX_load_verify_locations) - RESOLVEFUNC(SSLeay) - RESOLVEFUNC(SSLeay_version) RESOLVEFUNC(i2d_SSL_SESSION) RESOLVEFUNC(d2i_SSL_SESSION) #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -1019,27 +1201,14 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(EC_KEY_new_by_curve_name) RESOLVEFUNC(EC_KEY_free) RESOLVEFUNC(EC_get_builtin_curves) -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L) - RESOLVEFUNC(EC_curve_nist2nid) -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L #endif // OPENSSL_NO_EC RESOLVEFUNC(PKCS12_parse) RESOLVEFUNC(d2i_PKCS12_bio) RESOLVEFUNC(PKCS12_free) + symbolsResolved = true; delete libs.first; delete libs.second; - if (!_q_SSLeay || q_SSLeay() >= 0x10100000L) { - // OpenSSL 1.1 deprecated and removed SSLeay. We consider a failure to - // resolve this symbol as a failure to resolve symbols. - // The right operand of '||' above ... a bit of paranoia. - qCWarning(lcSsl, "Incompatible version of OpenSSL"); - return false; - } - - symbolsResolved = true; - return true; } #endif // QT_CONFIG(library) diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h index b35a895d38..796bf2d4f5 100644 --- a/src/network/ssl/qsslsocket_openssl_symbols_p.h +++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ** Contact: https://www.qt.io/licensing/ ** @@ -56,6 +56,7 @@ #ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H #define QSSLSOCKET_OPENSSL_SYMBOLS_P_H + // // W A R N I N G // ------------- @@ -215,17 +216,20 @@ QT_BEGIN_NAMESPACE #endif // !defined QT_LINKED_OPENSSL +#if QT_CONFIG(opensslv11) +#include "qsslsocket_openssl11_symbols_p.h" +#else +#include "qsslsocket_opensslpre11_symbols_p.h" +#endif // QT_CONFIG + bool q_resolveOpenSslSymbols(); long q_ASN1_INTEGER_get(ASN1_INTEGER *a); -unsigned char * q_ASN1_STRING_data(ASN1_STRING *a); int q_ASN1_STRING_length(ASN1_STRING *a); int q_ASN1_STRING_to_UTF8(unsigned char **a, ASN1_STRING *b); long q_BIO_ctrl(BIO *a, int b, long c, void *d); Q_AUTOTEST_EXPORT int q_BIO_free(BIO *a); -Q_AUTOTEST_EXPORT BIO *q_BIO_new(BIO_METHOD *a); BIO *q_BIO_new_mem_buf(void *a, int b); int q_BIO_read(BIO *a, void *b, int c); -Q_AUTOTEST_EXPORT BIO_METHOD *q_BIO_s_mem(); Q_AUTOTEST_EXPORT int q_BIO_write(BIO *a, const void *b, int c); int q_BN_num_bits(const BIGNUM *a); #if OPENSSL_VERSION_NUMBER >= 0x10100000L @@ -247,26 +251,23 @@ BN_ULONG q_BN_mod_word(const BIGNUM *a, BN_ULONG w); const EC_GROUP* q_EC_KEY_get0_group(const EC_KEY* k); int q_EC_GROUP_get_degree(const EC_GROUP* g); #endif -int q_CRYPTO_num_locks(); -void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int)); -void q_CRYPTO_set_id_callback(unsigned long (*a)()); -void q_CRYPTO_free(void *a); DSA *q_DSA_new(); void q_DSA_free(DSA *a); X509 *q_d2i_X509(X509 **a, const unsigned char **b, long c); char *q_ERR_error_string(unsigned long a, char *b); unsigned long q_ERR_get_error(); -void q_ERR_free_strings(); -void q_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); -void q_EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); +EVP_CIPHER_CTX *q_EVP_CIPHER_CTX_new(); +void q_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *a); int q_EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); int q_EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); int q_EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *key, const unsigned char *iv, int enc); +int q_EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); int q_EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); int q_EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); const EVP_CIPHER *q_EVP_des_cbc(); const EVP_CIPHER *q_EVP_des_ede3_cbc(); const EVP_CIPHER *q_EVP_rc2_cbc(); +const EVP_MD *q_EVP_sha1(); int q_EVP_PKEY_assign(EVP_PKEY *a, int b, char *c); Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_RSA(EVP_PKEY *a, RSA *b); int q_EVP_PKEY_set1_DSA(EVP_PKEY *a, DSA *b); @@ -310,7 +311,7 @@ int q_PEM_write_bio_RSAPrivateKey(BIO *a, RSA *b, const EVP_CIPHER *c, unsigned int q_PEM_write_bio_ECPrivateKey(BIO *a, EC_KEY *b, const EVP_CIPHER *c, unsigned char *d, int e, pem_password_cb *f, void *g); #endif -#endif +#endif // SSLEAY_MACROS Q_AUTOTEST_EXPORT EVP_PKEY *q_PEM_read_bio_PUBKEY(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); DSA *q_PEM_read_bio_DSA_PUBKEY(BIO *a, DSA **b, pem_password_cb *c, void *d); RSA *q_PEM_read_bio_RSA_PUBKEY(BIO *a, RSA **b, pem_password_cb *c, void *d); @@ -326,23 +327,10 @@ void q_RAND_seed(const void *a, int b); int q_RAND_status(); RSA *q_RSA_new(); void q_RSA_free(RSA *a); -int q_sk_num(STACK *a); -void q_sk_pop_free(STACK *a, void (*b)(void *)); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -_STACK *q_sk_new_null(); -void q_sk_push(_STACK *st, void *data); -void q_sk_free(_STACK *a); -void * q_sk_value(STACK *a, int b); -#else -STACK *q_sk_new_null(); -void q_sk_push(STACK *st, char *data); -void q_sk_free(STACK *a); -char * q_sk_value(STACK *a, int b); -#endif int q_SSL_accept(SSL *a); int q_SSL_clear(SSL *a); -char *q_SSL_CIPHER_description(SSL_CIPHER *a, char *b, int c); -int q_SSL_CIPHER_get_bits(SSL_CIPHER *a, int *b); +char *q_SSL_CIPHER_description(const SSL_CIPHER *a, char *b, int c); +int q_SSL_CIPHER_get_bits(const SSL_CIPHER *a, int *b); int q_SSL_connect(SSL *a); int q_SSL_CTX_check_private_key(const SSL_CTX *a); long q_SSL_CTX_ctrl(SSL_CTX *a, int b, long c, void *d); @@ -374,8 +362,6 @@ int q_SSL_get_error(SSL *a, int b); STACK_OF(X509) *q_SSL_get_peer_cert_chain(SSL *a); X509 *q_SSL_get_peer_certificate(SSL *a); long q_SSL_get_verify_result(const SSL *a); -int q_SSL_library_init(); -void q_SSL_load_error_strings(); SSL *q_SSL_new(SSL_CTX *a); long q_SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg); int q_SSL_read(SSL *a, void *b, int c); @@ -388,7 +374,6 @@ void q_SSL_SESSION_free(SSL_SESSION *ses); SSL_SESSION *q_SSL_get1_session(SSL *ssl); SSL_SESSION *q_SSL_get_session(const SSL *ssl); #if OPENSSL_VERSION_NUMBER >= 0x10001000L -int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int q_SSL_set_ex_data(SSL *ssl, int idx, void *arg); void *q_SSL_get_ex_data(const SSL *ssl, int idx); #endif @@ -399,49 +384,6 @@ typedef unsigned int (*q_psk_server_callback_t)(SSL *ssl, const char *identity, void q_SSL_set_psk_server_callback(SSL *ssl, q_psk_server_callback_t callback); int q_SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint); #endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -#ifndef OPENSSL_NO_SSL2 -const SSL_METHOD *q_SSLv2_client_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -const SSL_METHOD *q_SSLv3_client_method(); -#endif -const SSL_METHOD *q_SSLv23_client_method(); -const SSL_METHOD *q_TLSv1_client_method(); -const SSL_METHOD *q_TLSv1_1_client_method(); -const SSL_METHOD *q_TLSv1_2_client_method(); -#ifndef OPENSSL_NO_SSL2 -const SSL_METHOD *q_SSLv2_server_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -const SSL_METHOD *q_SSLv3_server_method(); -#endif -const SSL_METHOD *q_SSLv23_server_method(); -const SSL_METHOD *q_TLSv1_server_method(); -const SSL_METHOD *q_TLSv1_1_server_method(); -const SSL_METHOD *q_TLSv1_2_server_method(); -#else -#ifndef OPENSSL_NO_SSL2 -SSL_METHOD *q_SSLv2_client_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -SSL_METHOD *q_SSLv3_client_method(); -#endif -SSL_METHOD *q_SSLv23_client_method(); -SSL_METHOD *q_TLSv1_client_method(); -SSL_METHOD *q_TLSv1_1_client_method(); -SSL_METHOD *q_TLSv1_2_client_method(); -#ifndef OPENSSL_NO_SSL2 -SSL_METHOD *q_SSLv2_server_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -SSL_METHOD *q_SSLv3_server_method(); -#endif -SSL_METHOD *q_SSLv23_server_method(); -SSL_METHOD *q_TLSv1_server_method(); -SSL_METHOD *q_TLSv1_1_server_method(); -SSL_METHOD *q_TLSv1_2_server_method(); -#endif int q_SSL_write(SSL *a, const void *b, int c); int q_X509_cmp(X509 *a, X509 *b); #ifdef SSLEAY_MACROS @@ -452,6 +394,7 @@ void *q_ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x); X509 *q_X509_dup(X509 *a); #endif void q_X509_print(BIO *a, X509*b); +int q_X509_digest(const X509 *x509, const EVP_MD *type, unsigned char *md, unsigned int *len); ASN1_OBJECT *q_X509_EXTENSION_get_object(X509_EXTENSION *a); void q_X509_free(X509 *a); X509_EXTENSION *q_X509_get_ext(X509 *a, int b); @@ -471,6 +414,7 @@ int q_ASN1_STRING_print(BIO *a, ASN1_STRING *b); int q_X509_check_issued(X509 *a, X509 *b); X509_NAME *q_X509_get_issuer_name(X509 *a); X509_NAME *q_X509_get_subject_name(X509 *a); +ASN1_INTEGER *q_X509_get_serialNumber(X509 *a); int q_X509_verify_cert(X509_STORE_CTX *ctx); int q_X509_NAME_entry_count(X509_NAME *a); X509_NAME_ENTRY *q_X509_NAME_get_entry(X509_NAME *a,int b); @@ -488,7 +432,6 @@ int q_X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); int q_X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); int q_X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); X509 *q_X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); -STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); // Diffie-Hellman support DH *q_DH_new(); @@ -522,34 +465,9 @@ int q_PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, PKCS12 *q_d2i_PKCS12_bio(BIO *bio, PKCS12 **pkcs12); void q_PKCS12_free(PKCS12 *pkcs12); - #define q_BIO_get_mem_data(b, pp) (int)q_BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp) #define q_BIO_pending(b) (int)q_BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL) -#ifdef SSLEAY_MACROS -int q_i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); -int q_i2d_RSAPrivateKey(const RSA *a, unsigned char **pp); -RSA *q_d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length); -DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); -#define q_PEM_read_bio_RSAPrivateKey(bp, x, cb, u) \ - (RSA *)q_PEM_ASN1_read_bio( \ - (void *(*)(void**, const unsigned char**, long int))q_d2i_RSAPrivateKey, PEM_STRING_RSA, bp, (void **)x, cb, u) -#define q_PEM_read_bio_DSAPrivateKey(bp, x, cb, u) \ - (DSA *)q_PEM_ASN1_read_bio( \ - (void *(*)(void**, const unsigned char**, long int))q_d2i_DSAPrivateKey, PEM_STRING_DSA, bp, (void **)x, cb, u) -#define q_PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ - PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_RSAPrivateKey,PEM_STRING_RSA,\ - bp,(char *)x,enc,kstr,klen,cb,u) -#define q_PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ - PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_DSAPrivateKey,PEM_STRING_DSA,\ - bp,(char *)x,enc,kstr,klen,cb,u) -#define q_PEM_read_bio_DHparams(bp, dh, cb, u) \ - (DH *)q_PEM_ASN1_read_bio( \ - (void *(*)(void**, const unsigned char**, long int))q_d2i_DHparams, PEM_STRING_DHPARAMS, bp, (void **)x, cb, u) -#endif -#define q_SSL_CTX_set_options(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) #define q_SSL_CTX_set_mode(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) -#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st) -#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i) #define q_sk_GENERAL_NAME_num(st) q_SKM_sk_num(GENERAL_NAME, (st)) #define q_sk_GENERAL_NAME_value(st, i) q_SKM_sk_value(GENERAL_NAME, (st), (i)) #define q_sk_X509_num(st) q_SKM_sk_num(X509, (st)) @@ -558,18 +476,12 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); #define q_sk_SSL_CIPHER_value(st, i) q_SKM_sk_value(SSL_CIPHER, (st), (i)) #define q_SSL_CTX_add_extra_chain_cert(ctx,x509) \ q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) -#define q_X509_get_notAfter(x) X509_get_notAfter(x) -#define q_X509_get_notBefore(x) X509_get_notBefore(x) #define q_EVP_PKEY_assign_RSA(pkey,rsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) #define q_EVP_PKEY_assign_DSA(pkey,dsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf() -void q_OPENSSL_add_all_algorithms_noconf(); -void q_OPENSSL_add_all_algorithms_conf(); int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); -long q_SSLeay(); -const char *q_SSLeay_version(int type); int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); diff --git a/src/network/ssl/qsslsocket_opensslpre11.cpp b/src/network/ssl/qsslsocket_opensslpre11.cpp new file mode 100644 index 0000000000..e51888c5f2 --- /dev/null +++ b/src/network/ssl/qsslsocket_opensslpre11.cpp @@ -0,0 +1,424 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 Governikus GmbH & Co. KG +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +/**************************************************************************** +** +** In addition, as a special exception, the copyright holders listed above give +** permission to link the code of its release of Qt with the OpenSSL project's +** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the +** same license as the original version), and distribute the linked executables. +** +** You must comply with the GNU General Public License version 2 in all +** respects for all of the code used other than the "OpenSSL" code. If you +** modify this file, you may extend this exception to your version of the file, +** but you are not obligated to do so. If you do not wish to do so, delete +** this exception statement from your version of this file. +** +****************************************************************************/ + +//#define QT_DECRYPT_SSL_TRAFFIC + +#include "qssl_p.h" +#include "qsslsocket_openssl_p.h" +#include "qsslsocket_openssl_symbols_p.h" +#include "qsslsocket.h" +#include "qsslkey.h" + +#include <QtCore/qdebug.h> +#include <QtCore/qdir.h> +#include <QtCore/qdiriterator.h> +#include <QtCore/qthread.h> +#include <QtCore/qfile.h> +#include <QtCore/qmutex.h> +#include <QtCore/qlibrary.h> + +QT_BEGIN_NAMESPACE + +/* \internal + + From OpenSSL's thread(3) manual page: + + OpenSSL can safely be used in multi-threaded applications provided that at + least two callback functions are set. + + locking_function(int mode, int n, const char *file, int line) is needed to + perform locking on shared data structures. (Note that OpenSSL uses a + number of global data structures that will be implicitly shared + whenever multiple threads use OpenSSL.) Multi-threaded + applications will crash at random if it is not set. ... + ... + id_function(void) is a function that returns a thread ID. It is not + needed on Windows nor on platforms where getpid() returns a different + ID for each thread (most notably Linux) +*/ + +class QOpenSslLocks +{ +public: + QOpenSslLocks() + : initLocker(QMutex::Recursive), + locksLocker(QMutex::Recursive) + { + QMutexLocker locker(&locksLocker); + int numLocks = q_CRYPTO_num_locks(); + locks = new QMutex *[numLocks]; + memset(locks, 0, numLocks * sizeof(QMutex *)); + } + ~QOpenSslLocks() + { + QMutexLocker locker(&locksLocker); + for (int i = 0; i < q_CRYPTO_num_locks(); ++i) + delete locks[i]; + delete [] locks; + + QSslSocketPrivate::deinitialize(); + } + QMutex *lock(int num) + { + QMutexLocker locker(&locksLocker); + QMutex *tmp = locks[num]; + if (!tmp) + tmp = locks[num] = new QMutex(QMutex::Recursive); + return tmp; + } + + QMutex *globalLock() + { + return &locksLocker; + } + + QMutex *initLock() + { + return &initLocker; + } + +private: + QMutex initLocker; + QMutex locksLocker; + QMutex **locks; +}; + +Q_GLOBAL_STATIC(QOpenSslLocks, openssl_locks) + +extern "C" { +static void locking_function(int mode, int lockNumber, const char *, int) +{ + QMutex *mutex = openssl_locks()->lock(lockNumber); + + // Lock or unlock it + if (mode & CRYPTO_LOCK) + mutex->lock(); + else + mutex->unlock(); +} +static unsigned long id_function() +{ + return (quintptr)QThread::currentThreadId(); +} + +} // extern "C" + +static void q_OpenSSL_add_all_algorithms_safe() +{ +#ifdef Q_OS_WIN + // Prior to version 1.0.1m an attempt to call OpenSSL_add_all_algorithms on + // Windows could result in 'exit' call from OPENSSL_config (QTBUG-43843). + // We can predict this and avoid OPENSSL_add_all_algorithms call. + // From OpenSSL docs: + // "An application does not need to add algorithms to use them explicitly, + // for example by EVP_sha1(). It just needs to add them if it (or any of + // the functions it calls) needs to lookup algorithms. + // The cipher and digest lookup functions are used in many parts of the + // library. If the table is not initialized several functions will + // misbehave and complain they cannot find algorithms. This includes the + // PEM, PKCS#12, SSL and S/MIME libraries. This is a common query in + // the OpenSSL mailing lists." + // + // Anyway, as a result, we chose not to call this function if it would exit. + + if (q_SSLeay() < 0x100010DFL) + { + // Now, before we try to call it, check if an attempt to open config file + // will result in exit: + if (char *confFileName = q_CONF_get1_default_config_file()) { + BIO *confFile = q_BIO_new_file(confFileName, "r"); + const auto lastError = q_ERR_peek_last_error(); + q_CRYPTO_free(confFileName); + if (confFile) { + q_BIO_free(confFile); + } else { + q_ERR_clear_error(); + if (ERR_GET_REASON(lastError) == ERR_R_SYS_LIB) { + qCWarning(lcSsl, "failed to open openssl.conf file"); + return; + } + } + } + } +#endif // Q_OS_WIN + + q_OpenSSL_add_all_algorithms(); +} + + +/*! + \internal +*/ +void QSslSocketPrivate::deinitialize() +{ + q_CRYPTO_set_id_callback(0); + q_CRYPTO_set_locking_callback(0); + q_ERR_free_strings(); +} + + +bool QSslSocketPrivate::ensureLibraryLoaded() +{ + if (!q_resolveOpenSslSymbols()) + return false; + + // Check if the library itself needs to be initialized. + QMutexLocker locker(openssl_locks()->initLock()); + + if (!s_libraryLoaded) { + s_libraryLoaded = true; + + // Initialize OpenSSL. + q_CRYPTO_set_id_callback(id_function); + q_CRYPTO_set_locking_callback(locking_function); + if (q_SSL_library_init() != 1) + return false; + q_SSL_load_error_strings(); + q_OpenSSL_add_all_algorithms_safe(); + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + if (q_SSLeay() >= 0x10001000L) + QSslSocketBackendPrivate::s_indexForSSLExtraData = q_SSL_get_ex_new_index(0L, NULL, NULL, NULL, NULL); +#endif + + // Initialize OpenSSL's random seed. + if (!q_RAND_status()) { + qWarning("Random number generator not seeded, disabling SSL support"); + return false; + } + } + return true; +} + +void QSslSocketPrivate::ensureCiphersAndCertsLoaded() +{ + QMutexLocker locker(openssl_locks()->initLock()); + if (s_loadedCiphersAndCerts) + return; + s_loadedCiphersAndCerts = true; + + resetDefaultCiphers(); + resetDefaultEllipticCurves(); + +#if QT_CONFIG(library) + //load symbols needed to receive certificates from system store +#if defined(Q_OS_WIN) + HINSTANCE hLib = LoadLibraryW(L"Crypt32"); + if (hLib) { + ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); + ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); + ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); + if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) + qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen + } else { + qCWarning(lcSsl, "could not load crypt32 library"); // should never happen + } +#elif defined(Q_OS_QNX) + s_loadRootCertsOnDemand = true; +#elif defined(Q_OS_UNIX) && !defined(Q_OS_MACOS) + // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) + QList<QByteArray> dirs = unixRootCertDirectories(); + QStringList symLinkFilter; + symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); + for (int a = 0; a < dirs.count(); ++a) { + QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); + if (iterator.hasNext()) { + s_loadRootCertsOnDemand = true; + break; + } + } +#endif +#endif // QT_CONFIG(library) + // if on-demand loading was not enabled, load the certs now + if (!s_loadRootCertsOnDemand) + setDefaultCaCertificates(systemCaCertificates()); +#ifdef Q_OS_WIN + //Enabled for fetching additional root certs from windows update on windows 6+ + //This flag is set false by setDefaultCaCertificates() indicating the app uses + //its own cert bundle rather than the system one. + //Same logic that disables the unix on demand cert loading. + //Unlike unix, we do preload the certificates from the cert store. + if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) + s_loadRootCertsOnDemand = true; +#endif +} + +long QSslSocketPrivate::sslLibraryVersionNumber() +{ + if (!supportsSsl()) + return 0; + + return q_SSLeay(); +} + +QString QSslSocketPrivate::sslLibraryVersionString() +{ + if (!supportsSsl()) + return QString(); + + const char *versionString = q_SSLeay_version(SSLEAY_VERSION); + if (!versionString) + return QString(); + + return QString::fromLatin1(versionString); +} + +void QSslSocketBackendPrivate::continueHandshake() +{ + Q_Q(QSslSocket); + // if we have a max read buffer size, reset the plain socket's to match + if (readBufferMaxSize) + plainSocket->setReadBufferSize(readBufferMaxSize); + + if (q_SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)) + configuration.peerSessionShared = true; + +#ifdef QT_DECRYPT_SSL_TRAFFIC + if (ssl->session && ssl->s3) { + const char *mk = reinterpret_cast<const char *>(ssl->session->master_key); + QByteArray masterKey(mk, ssl->session->master_key_length); + const char *random = reinterpret_cast<const char *>(ssl->s3->client_random); + QByteArray clientRandom(random, SSL3_RANDOM_SIZE); + + // different format, needed for e.g. older Wireshark versions: +// const char *sid = reinterpret_cast<const char *>(ssl->session->session_id); +// QByteArray sessionID(sid, ssl->session->session_id_length); +// QByteArray debugLineRSA("RSA Session-ID:"); +// debugLineRSA.append(sessionID.toHex().toUpper()); +// debugLineRSA.append(" Master-Key:"); +// debugLineRSA.append(masterKey.toHex().toUpper()); +// debugLineRSA.append("\n"); + + QByteArray debugLineClientRandom("CLIENT_RANDOM "); + debugLineClientRandom.append(clientRandom.toHex().toUpper()); + debugLineClientRandom.append(" "); + debugLineClientRandom.append(masterKey.toHex().toUpper()); + debugLineClientRandom.append("\n"); + + QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); + QFile file(sslKeyFile); + if (!file.open(QIODevice::Append)) + qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; + if (!file.write(debugLineClientRandom)) + qCWarning(lcSsl) << "could not write to file" << sslKeyFile; + file.close(); + } else { + qCWarning(lcSsl, "could not decrypt SSL traffic"); + } +#endif + + // Cache this SSL session inside the QSslContext + if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { + if (!sslContextPointer->cacheSession(ssl)) { + sslContextPointer.clear(); // we could not cache the session + } else { + // Cache the session for permanent usage as well + if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { + if (!sslContextPointer->sessionASN1().isEmpty()) + configuration.sslSession = sslContextPointer->sessionASN1(); + configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); + } + } + } + +#if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) + + configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; + if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { + // we could not agree -> be conservative and use HTTP/1.1 + configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); + } else { + const unsigned char *proto = 0; + unsigned int proto_len = 0; +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L) { + q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); + if (proto_len && mode == QSslSocket::SslClientMode) { + // Client does not have a callback that sets it ... + configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; + } + } + + if (!proto_len) { // Test if NPN was more lucky ... +#else + { +#endif + q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); + } + + if (proto_len) + configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast<const char *>(proto), proto_len); + else + configuration.nextNegotiatedProtocol.clear(); + } +#endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... + +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { + EVP_PKEY *key; + if (q_SSL_get_server_tmp_key(ssl, &key)) + configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); + } +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... + + connectionEncrypted = true; + emit q->encrypted(); + if (autoStartHandshake && pendingClose) { + pendingClose = false; + q->disconnectFromHost(); + } +} + +QT_END_NAMESPACE diff --git a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h new file mode 100644 index 0000000000..9686d22b98 --- /dev/null +++ b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h @@ -0,0 +1,230 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +/**************************************************************************** +** +** In addition, as a special exception, the copyright holders listed above give +** permission to link the code of its release of Qt with the OpenSSL project's +** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the +** same license as the original version), and distribute the linked executables. +** +** You must comply with the GNU General Public License version 2 in all +** respects for all of the code used other than the "OpenSSL" code. If you +** modify this file, you may extend this exception to your version of the file, +** but you are not obligated to do so. If you do not wish to do so, delete +** this exception statement from your version of this file. +** +****************************************************************************/ + + +#ifndef QSSLSOCKET_OPENSSLPRE11_SYMBOLS_P_H +#define QSSLSOCKET_OPENSSLPRE11_SYMBOLS_P_H + +// +// W A R N I N G +// ------------- +// +// This file is not part of the Qt API. It exists purely as an +// implementation detail. This header file may change from version to +// version without notice, or even be removed. +// +// We mean it. +// + +// Note: this file does not have QT_BEGIN_NAMESPACE/QT_END_NAMESPACE, it's done +// in qsslsocket_openssl_symbols_p.h. + +#ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H +#error "You are not supposed to use this header file, include qsslsocket_openssl_symbols_p.h instead" +#endif + +unsigned char * q_ASN1_STRING_data(ASN1_STRING *a); +BIO *q_BIO_new_file(const char *filename, const char *mode); +void q_ERR_clear_error(); +Q_AUTOTEST_EXPORT BIO *q_BIO_new(BIO_METHOD *a); +Q_AUTOTEST_EXPORT BIO_METHOD *q_BIO_s_mem(); +int q_CRYPTO_num_locks(); +void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int)); +void q_CRYPTO_set_id_callback(unsigned long (*a)()); +void q_CRYPTO_free(void *a); +unsigned long q_ERR_peek_last_error(); +void q_ERR_free_strings(); +void q_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); +void q_EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +typedef _STACK STACK; +#endif + +// The typedef we use to make our pre 1.1 code look more like 1.1 (less ifdefs). +typedef STACK OPENSSL_STACK; + +// We resolve q_sk_ functions, but use q_OPENSSL_sk_ macros in code to reduce +// the amount of #ifdefs. +int q_sk_num(STACK *a); +#define q_OPENSSL_sk_num(a) q_sk_num(a) +void q_sk_pop_free(STACK *a, void (*b)(void *)); +#define q_OPENSSL_sk_pop_free(a, b) q_sk_pop_free(a, b) +STACK *q_sk_new_null(); +#define q_OPENSSL_sk_new_null() q_sk_new_null() + +void q_sk_free(STACK *a); + +// Just a name alias (not a function call expression) since in code we take an +// address of this: +#define q_OPENSSL_sk_free q_sk_free + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +void *q_sk_value(STACK *a, int b); +void q_sk_push(STACK *st, void *data); +#else +char *q_sk_value(STACK *a, int b); +void q_sk_push(STACK *st, char *data); +#endif // OPENSSL_VERSION_NUMBER >= 0x10000000L + +#define q_OPENSSL_sk_value(a, b) q_sk_value(a, b) +#define q_OPENSSL_sk_push(st, data) q_sk_push(st, data) + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +SSL_CTX *q_SSL_CTX_new(const SSL_METHOD *a); +#else +SSL_CTX *q_SSL_CTX_new(SSL_METHOD *a); +#endif + +int q_SSL_library_init(); +void q_SSL_load_error_strings(); + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L +int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); +#endif + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#ifndef OPENSSL_NO_SSL2 +const SSL_METHOD *q_SSLv2_client_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +const SSL_METHOD *q_SSLv3_client_method(); +#endif +const SSL_METHOD *q_SSLv23_client_method(); +const SSL_METHOD *q_TLSv1_client_method(); +const SSL_METHOD *q_TLSv1_1_client_method(); +const SSL_METHOD *q_TLSv1_2_client_method(); +#ifndef OPENSSL_NO_SSL2 +const SSL_METHOD *q_SSLv2_server_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +const SSL_METHOD *q_SSLv3_server_method(); +#endif +const SSL_METHOD *q_SSLv23_server_method(); +const SSL_METHOD *q_TLSv1_server_method(); +const SSL_METHOD *q_TLSv1_1_server_method(); +const SSL_METHOD *q_TLSv1_2_server_method(); +#else +#ifndef OPENSSL_NO_SSL2 +SSL_METHOD *q_SSLv2_client_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +SSL_METHOD *q_SSLv3_client_method(); +#endif +SSL_METHOD *q_SSLv23_client_method(); +SSL_METHOD *q_TLSv1_client_method(); +SSL_METHOD *q_TLSv1_1_client_method(); +SSL_METHOD *q_TLSv1_2_client_method(); +#ifndef OPENSSL_NO_SSL2 +SSL_METHOD *q_SSLv2_server_method(); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +SSL_METHOD *q_SSLv3_server_method(); +#endif +SSL_METHOD *q_SSLv23_server_method(); +SSL_METHOD *q_TLSv1_server_method(); +SSL_METHOD *q_TLSv1_1_server_method(); +SSL_METHOD *q_TLSv1_2_server_method(); +#endif + +STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); + +#ifdef SSLEAY_MACROS +int q_i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); +int q_i2d_RSAPrivateKey(const RSA *a, unsigned char **pp); +RSA *q_d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length); +DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); +#define q_PEM_read_bio_RSAPrivateKey(bp, x, cb, u) \ + (RSA *)q_PEM_ASN1_read_bio( \ + (void *(*)(void**, const unsigned char**, long int))q_d2i_RSAPrivateKey, PEM_STRING_RSA, bp, (void **)x, cb, u) +#define q_PEM_read_bio_DSAPrivateKey(bp, x, cb, u) \ + (DSA *)q_PEM_ASN1_read_bio( \ + (void *(*)(void**, const unsigned char**, long int))q_d2i_DSAPrivateKey, PEM_STRING_DSA, bp, (void **)x, cb, u) +#define q_PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ + PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_RSAPrivateKey,PEM_STRING_RSA,\ + bp,(char *)x,enc,kstr,klen,cb,u) +#define q_PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ + PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_DSAPrivateKey,PEM_STRING_DSA,\ + bp,(char *)x,enc,kstr,klen,cb,u) +#define q_PEM_read_bio_DHparams(bp, dh, cb, u) \ + (DH *)q_PEM_ASN1_read_bio( \ + (void *(*)(void**, const unsigned char**, long int))q_d2i_DHparams, PEM_STRING_DHPARAMS, bp, (void **)x, cb, u) +#endif // SSLEAY_MACROS + +#define q_SSL_CTX_set_options(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) +#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st) +#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i) +#define q_X509_getm_notAfter(x) X509_get_notAfter(x) +#define q_X509_getm_notBefore(x) X509_get_notBefore(x) + +// "Forward compatibility" with OpenSSL 1.1 (to save on #if-ery elsewhere): +#define q_X509_get_version(x509) q_ASN1_INTEGER_get((x509)->cert_info->version) +#define q_ASN1_STRING_get0_data(x) q_ASN1_STRING_data(x) +#define q_EVP_PKEY_base_id(pkey) ((pkey)->type) +#define q_X509_get_pubkey(x509) q_X509_PUBKEY_get((x509)->cert_info->key) +#define q_SSL_SESSION_get_ticket_lifetime_hint(s) ((s)->tlsext_tick_lifetime_hint) +#define q_RSA_bits(rsa) q_BN_num_bits((rsa)->n) +#define q_DSA_bits(dsa) q_BN_num_bits((dsa)->p) +#define q_X509_STORE_set_verify_cb(s,c) X509_STORE_set_verify_cb_func((s),(c)) + +char *q_CONF_get1_default_config_file(); +void q_OPENSSL_add_all_algorithms_noconf(); +void q_OPENSSL_add_all_algorithms_conf(); + +long q_SSLeay(); +const char *q_SSLeay_version(int type); + + +#endif // QSSLSOCKET_OPENSSL_PRE11_SYMBOLS_P_H diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h index 827f27cff1..00fda43b7e 100644 --- a/src/network/ssl/qsslsocket_p.h +++ b/src/network/ssl/qsslsocket_p.h @@ -218,6 +218,7 @@ private: protected: bool verifyErrorsHaveBeenIgnored(); bool paused; + bool flushTriggered; }; QT_END_NAMESPACE diff --git a/src/network/ssl/ssl.pri b/src/network/ssl/ssl.pri index 52ce2eeade..949ebc3d2a 100644 --- a/src/network/ssl/ssl.pri +++ b/src/network/ssl/ssl.pri @@ -60,13 +60,25 @@ qtConfig(ssl) { HEADERS += ssl/qsslcontext_openssl_p.h \ ssl/qsslsocket_openssl_p.h \ ssl/qsslsocket_openssl_symbols_p.h - SOURCES += ssl/qsslcertificate_openssl.cpp \ - ssl/qsslcontext_openssl.cpp \ + SOURCES += ssl/qsslsocket_openssl_symbols.cpp \ ssl/qssldiffiehellmanparameters_openssl.cpp \ + ssl/qsslcertificate_openssl.cpp \ ssl/qsslellipticcurve_openssl.cpp \ ssl/qsslkey_openssl.cpp \ ssl/qsslsocket_openssl.cpp \ - ssl/qsslsocket_openssl_symbols.cpp + ssl/qsslcontext_openssl.cpp + + qtConfig(opensslv11) { + HEADERS += ssl/qsslsocket_openssl11_symbols_p.h + SOURCES += ssl/qsslsocket_openssl11.cpp \ + ssl/qsslcontext_openssl11.cpp + + QMAKE_CXXFLAGS += -DOPENSSL_API_COMPAT=0x10100000L + } else { + HEADERS += ssl/qsslsocket_opensslpre11_symbols_p.h + SOURCES += ssl/qsslsocket_opensslpre11.cpp \ + ssl/qsslcontext_opensslpre11.cpp + } darwin:SOURCES += ssl/qsslsocket_mac_shared.cpp |