| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using cipher algorithms with forward secrecy an ephemeral key is
used to generate the symmetric session key. Beside the SSL certificate's
key, this ephemeral key is of cryptographic interest.
The ephemeral key is chosen by the server side - currently statically in
the Qt implementation - so it is only of interest on the client side to
check it. Therefore the ephemeral key is the null key if the connection
is set up in server mode or a cipher without forward secrecy is used.
Change-Id: If241247dbb8490a91233ae47f2b38952c6591bf4
Reviewed-by: Markus Goetz (Woboq GmbH) <markus@woboq.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will make sure that certs in the domainUser (login),
and domainAdmin (per machine) keychain are being picked up
in systemCaCertificates() in addition to the (usually immutable)
DomainSystem keychain.
Also consider the trust settings on OS X: If a certificate
is either fully trusted or trusted for the purpose of SSL,
it will be accepted.
[ChangeLog][Platform Specific Changes] OS X now accepts trusted
certificates from the login and system keychains.
Task-number: QTBUG-32898
Change-Id: Ia23083d5af74388eeee31ba07239735cbbe64368
Reviewed-by: Markus Goetz (Woboq GmbH) <markus@woboq.com>
|
|
|
|
|
|
|
|
|
|
| |
This avoids manual symbol lookups and makes the code more readable.
Mark identical code.
Also use smart pointers instead of manual memory management.
Change-Id: I62820313dce87de6623cdc87b6e1361200ed7822
Reviewed-by: Markus Goetz (Woboq GmbH) <markus@woboq.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The latter is much faster as it doesn't have to deal with
time zones.
This change is safe, because the QDateTimes are only used for
comparison with other QDateTimes, which, from a quick glance around,
seem to be mostly, if not exclusively, in UTC. Comparsions work
across time zones, but the comparison between UTC date-times is
fastest.
Credits to Milian Wolff, from whose QtWS15 talk this advice is
taken.
Change-Id: I6859d886d8dc8e0a52fbe394fbb7b93a87b4739a
Reviewed-by: Milian Wolff <milian.wolff@kdab.com>
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@theqtcompany.com>
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
|
|
|
|
|
|
|
| |
Use character literals where applicable.
Change-Id: I8e198774c2247c1cc1d852a41b59b301199b7878
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
|
|
|
|
|
|
|
|
|
| |
Introduce the methods setError(), setErrorAndEmit() to consistently
set the internal error state.
Change-Id: I4ff951d100cf5e9f9a7e27135bb52188cde99853
Reviewed-by: Alex Trotsenko <alex1973tr@gmail.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
qmake/doc/snippets/code/doc_src_qmake-manual.pro
qmake/doc/src/qmake-manual.qdoc
src/corelib/io/qstorageinfo_unix.cpp
src/corelib/tools/qbytearray.cpp
src/widgets/kernel/qwidgetwindow.cpp
tests/auto/corelib/io/qprocess/tst_qprocess.cpp
tests/auto/corelib/mimetypes/qmimedatabase/tst_qmimedatabase.cpp
tests/auto/network/access/qnetworkreply/BLACKLIST
Change-Id: I9efcd7e1cce1c394eed425c43aa6fce7d2edf31c
|
| |\ |
|
| | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Conflicts:
doc/global/manifest-meta.qdocconf
src/corelib/global/qnamespace.qdoc
src/corelib/io/qstorageinfo_unix.cpp
src/corelib/tools/qtools_p.h
src/sql/drivers/psql/qsql_psql.cpp
Change-Id: I23a15ac84e03ad61d865e3df872b013eb0752949
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This is a fix-up for cff39fba10ffc10ee4dcfdc66ff6528eb26462d3.
That patch lead to some internal state issues that lead to the QTBUG-47048
or to QNetworkReply objects erroring with "Connection Closed" when
the server closed the Keep-Alive connection.
This patch changes the QNAM socket slot connections to be DirectConnection.
We don't close the socket anymore in slots where it is anyway in a closed state
afterwards. This prevents event/stack recursions.
We also flush QSslSocket/QTcpSocket receive buffers when receiving a disconnect
so that the developer always gets the full decrypted data from the buffers.
[ChangeLog][QtNetwork] Fix HTTP issues with "Unknown Error" and "Connection Closed"
[ChangeLog][QtNetwork][Sockets] Read OS/encrypted read buffers when connection
closed by server.
Change-Id: Ib4d6a2d0d988317e3a5356f36e8dbcee4590beed
Task-number: QTBUG-47048
Reviewed-by: Kai Koehne <kai.koehne@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Conflicts:
doc/global/qt-cpp-defines.qdocconf
src/3rdparty/forkfd/forkfd.c
src/corelib/codecs/qtextcodec.cpp
src/corelib/kernel/qmetatype.cpp
src/corelib/tools/qset.qdoc
src/gui/accessible/qaccessible.cpp
src/gui/image/qpixmapcache.cpp
src/opengl/qgl.cpp
src/tools/qdoc/generator.cpp
src/widgets/kernel/qwidget.cpp
tests/auto/widgets/widgets/qcombobox/tst_qcombobox.cpp
Change-Id: I4fbe1fa756a54c6843aa75f4ef70a1069ba7b085
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Since SslV3, SslV2 and UnknownProtocol do not support it we can
invert the IF clause here.
Change-Id: I42e942337d01f3a8c97885b268bffa568e40d335
Task-number: QTBUG-47528
Reviewed-by: Mikkel Krautz <mikkel@krautz.dk>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
src/corelib/global/qglobal.cpp
src/corelib/global/qglobal.h
src/corelib/global/qsysinfo.h
src/corelib/global/qsystemdetection.h
src/corelib/kernel/qobjectdefs.h
src/plugins/plugins.pro
tests/auto/widgets/itemviews/qlistview/qlistview.pro
Change-Id: Ib55aa79d707c4c1453fb9d697f6cf92211ed665c
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
QSslConfiguration is better suited for these APIs. The ones
in QSslSocket that already have a counterpart have been deprecated.
[ChangeLog][QtNetwork][SSL/TLS Support] Most of the QSslSocket
functions to deal with ciphersuites, certification authorities
as well as elliptic curves have been deprecated in favor of the
corresponding counterparts in QSslConfiguration.
Task-number: QTBUG-46558
Change-Id: I1de03379efcbcab931c20e876e252769fe4279e0
Reviewed-by: Liang Qi <liang.qi@theqtcompany.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Jani Heikkinen <jani.heikkinen@theqtcompany.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Reduces internal memory fragmentation.
The search criteria was:
QVector::append(), QVector::push_back(), QVector::operator<<()
and QVector::operator+=() calls inside for, do and while loops.
Statements inside ifs and out of loops weren't considered.
Change-Id: Ie5aaf3cdfac938994e6e5dfa5f51de501ed79a0c
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
|
| | |
| | |
| | |
| | |
| | |
| | | |
Change-Id: Ie0e8cbd28802826206d7e92584b5d56bb844fb09
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
|
|\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
src/corelib/global/qnamespace.qdoc
src/corelib/io/qwindowspipereader.cpp
src/corelib/io/qwindowspipereader_p.h
src/corelib/statemachine/qstatemachine.cpp
src/corelib/statemachine/qstatemachine_p.h
src/plugins/platforms/xcb/qxcbconnection.h
tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp
tests/auto/tools/qmake/tst_qmake.cpp
tests/manual/touch/main.cpp
Change-Id: I917d694890e79ee3da7d65134b5b085e23e0dd62
|
| |\|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
qmake/generators/mac/pbuilder_pbx.cpp
src/corelib/global/qglobal.h
Change-Id: I2c0f7544bf194f2d0f59218fd583c822901487b0
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Google scan play store apps for the openssl version string which leads
to false positives since we record the version we were compiled against
even though we don't link it directly.
Task-number: QTBUG-46265
Change-Id: Iefd0e0954149c17350d49f57f9f374938124d7b8
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL should automatically seed the random number generator, and the
current fallback code does not offer strong guarantees. It should
never actually be used, so let's remove it entirely.
Change-Id: I9a0a70345fe8df5913871bcac644623b687aea01
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Qt attempted to exclude anonymous ciphers since they offer no MITM
protection, but missed export ADH ciphers and AECDH from the exclude
list.
Change-Id: Icdfa9b31643a0e9927010885c7c1d02c42460d79
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently the cipher preferred by the client will always be used for SSL
connections. This change makes it so that by default the ciphers
specified by the server will be used (like the Apache SSLHonorCipherOrder
option). This behavior can be disabled using a new SslOption.
[ChangeLog][QtNetwork][QSslSocket] QSslSocket will now default to using
the cipher preferences of the server socket when used as an SSL server.
This can be disabled using the QSslConfiguration.
Change-Id: I2d16d10145cf88a7412f30ef960d87024777de1c
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
|
|\|
| |
| |
| | |
Change-Id: I004854a25ebbf12b1fda88900162fe7878716c58
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
On Windows, we perform an extra certificate lookup for root CAs that
are not in Windows' (minimal) root store. This check can take up to
15 seconds. The SSL context can already be gone once we return. Hence
we now check for a non-null SSL context on Windows before proceeding.
Change-Id: I1951569d9b17da33fa604f7c9d8b33255acf200d
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
One of the reasons why we use "int" everywhere: to avoid this annoyance
about different types and having to explicitly cast to silence the
compiler.
qsslsocket_openssl.cpp(690) : warning C4267: 'argument' : conversion from 'size_t' to 'int', possible loss of data
Change-Id: Ia0aac2f09e9245339951ffff13c8bdad334ce108
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
| |
| |
| |
| | |
Change-Id: I90b99fb515dcf559824f673d2304081238541c4c
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Qt copyrights are now in The Qt Company, so we could update the source
code headers accordingly. In the same go we should also fix the links to
point to qt.io.
Outdated header.LGPL removed (use header.LGPL21 instead)
Old header.LGPL3 renamed to header.LGPL3-COMM to match actual licensing
combination. New header.LGPL-COMM taken in the use file which were
using old header.LGPL3 (src/plugins/platforms/android/extract.cpp)
Added new header.LGPL3 containing Commercial + LGPLv3 + GPLv2 license
combination
Change-Id: I6f49b819a8a20cc4f88b794a8f6726d975e8ffbe
Reviewed-by: Matti Paaso <matti.paaso@theqtcompany.com>
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/3rdparty/harfbuzz-ng/harfbuzz-ng.pro
src/gui/image/qimage_conversions.cpp
src/gui/opengl/qopenglextensions_p.h
src/gui/text/qtextengine.cpp
src/network/ssl/qsslsocket_openssl.cpp
src/plugins/platforms/eglfs/qeglfshooks_stub.cpp
src/plugins/platforms/eglfs/qeglfsscreen.cpp
src/plugins/platforms/eglfs/qeglfswindow.cpp
src/plugins/platforms/windows/qwindowsfontdatabase.cpp
src/plugins/platforms/windows/qwindowsfontdatabase_ft.cpp
src/plugins/platforms/windows/qwindowsnativeinterface.cpp
src/plugins/platforms/windows/qwindowsscreen.cpp
src/plugins/platforms/windows/qwindowswindow.cpp
src/plugins/platforms/windows/qwindowswindow.h
src/plugins/platforms/xcb/qxcbdrag.h
src/widgets/itemviews/qabstractitemview.cpp
src/widgets/kernel/qwidget.cpp
src/widgets/util/qsystemtrayicon_p.h
tests/auto/corelib/itemmodels/qsortfilterproxymodel/tst_qsortfilterproxymodel.cpp
Thanks to Friedemann Kleint for resolving the qwindowsfontdatabase.cpp
conflicts.
Change-Id: I937232c30523d5121c195d947d92aec6f129b03e
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
... but choose HTTP/1.1 and continue connecting anyhow. According to
the NPN spec, actually we should choose SPDY:
"In the event that the client doesn't support any of server's protocols,
or the server doesn't advertise any, it SHOULD select the first protocol
that it supports."
However, some tested servers did not advertise anything and did not
support SPDY, so blindly trying the newest protocol would fail. We are
conservative in that case and choose HTTP.
Task-number: QTBUG-40714
Change-Id: Ia8aaf01fea74e13d9e4416306f85f1890b25559e
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
| |
| |
| |
| |
| |
| | |
The cipher is always valid here, so this check was never needed anyway.
Change-Id: I22be273d166702926b98f0c9443657a1dde65f6e
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There were still ifdefs for openssl 0.9.7 and openssl 0.9.8f.
[ChangeLog][QtNetwork] Some legacy ifdefs for openssl 0.9.7 and openssl 0.9.8f
were removed, Qt will no longer build with these versions. In addition there
is no support for openssl built with NO_TLSEXT.
Change-Id: I9268515c0a125a2f6d79add8ee1cb40768e7e898
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The OpenSSL backend for QSslSocket return an incomplete peer certificate
chain when in server mode: it does not include the peer's certificate as
the first element of the chain.
This change fixes this issue.
Change-Id: I2f0815bca2f314a075b48a2d0b5a6d5b7af50722
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
| |
| |
| |
| |
| |
| | |
Change-Id: I9c09a3e2dfb90eb22d4509ac6c450a0bb5da48f6
Reviewed-by: Olivier Goffart (Woboq GmbH) <ogoffart@woboq.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ChangeLog][QtNetwork][QSslSocket] It is now possible to use TLS PSK
ciphersuites in client sockets.
Task-number: QTBUG-39077
Change-Id: I5523a2be33d46230c6f4106c322fab8a5afa37b4
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/corelib/global/qglobal.h
src/platformsupport/platformcompositor/qopenglcompositor.cpp
src/platformsupport/platformcompositor/qopenglcompositorbackingstore.cpp
tests/auto/gui/kernel/qwindow/tst_qwindow.cpp
Change-Id: I5422868500be695584a496dbbbc719d146bc572d
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Place all debug output into the 'qt.network.ssl' category.
This allows people to disable certain warnings at runtime.
Task-number: QTBUG-43173
Change-Id: Ide731fae3109f9cd7730cc096ee069a5b99d35f1
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\|
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
doc/global/template/style/online.css
mkspecs/android-g++/qmake.conf
Change-Id: Ib39ea7bd42f5ae12e82a3bc59a66787a16bdfc61
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This makes it follow the coding style, which says to camel case acronyms too,
and makes it consistent with the rest of the class.
Change-Id: I4a1b21de1815530e476fc5aa8a0d41c724fc8021
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: hjk <hjk121@nokiamail.com>
|
|/
|
|
|
|
|
|
|
| |
[ChangeLog][QtNetwork][QtSSL] It is now possible to choose which elliptic
curves should be used by an elliptic curve cipher.
Change-Id: If5d0d58922768b6f1375836489180e576f5a015a
Done-with: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
|
|
|
| |
After the poodle vulnerability SSLv3 should like SSLv2 no longer be
considered safe, so when a user request a safe protocol we should
only allow TLS versions.
[ChangeLog][QtNetwork][QSsl] QSsl::SecureProtocols now also excludes SSLv3
Change-Id: If825f6beb599294b028d706903b39db6b20be519
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
|
| |
- Renamed LICENSE.LGPL to LICENSE.LGPLv21
- Added LICENSE.LGPLv3
- Removed LICENSE.GPL
Change-Id: Iec3406e3eb3f133be549092015cefe33d259a3f2
Reviewed-by: Iikka Eklund <iikka.eklund@digia.com>
|
|
|
|
|
|
|
|
|
| |
This moves the socket backend's host name matching functions up to
QSslSocketPrivate so that they can be shared between backends. This
works, as there is no OpenSSL-specific code here.
Change-Id: I73c2081fdc2e60a44c90e90800d1e1877391a626
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\
| |
| |
| | |
Change-Id: Ia36e93771066d8abcf8123dbe2362c5c9d9260fc
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Avoid accessing the internals of the SSL_CIPHER struct since this has
changed size etc. over time leading to binary incompatibilities.
Task-number: QTBUG-32423
Task-number: QTBUG-23363
Change-Id: I8cb399484e3a62be7d511f4b8b22c876825c87d4
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
|\|
| |
| |
| |
| |
| |
| | |
Conflicts:
src/gui/kernel/qguiapplication.cpp
Change-Id: Ibe75603dc8a51769db6550ea3f07bc8d19b0be85
|
| |\
| | |
| | |
| | | |
Change-Id: I9300572e2b74f0564b2589cbd0fbdf24850f68df
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL has a bug when validating a chain with two certificates.
If a certificate exists twice (which is a valid use case for renewed
CAs), and the first one it hits is expired (which depends on the order
on data structure internal to OpenSSL), it will fail to validate the
chain.
This is only a bandaid fix, which trades improved chain validation
for error reporting accuracy. However given that reissuing of CA certs
is a real problem that is only getting worse, this fix is needed.
See also: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS
[ChangeLog][QtNetwork][QSslSocket] Added a workaround to an OpenSSL problem
that may cause errors when the trust store contains two certificates of the
issuing CA, one of which is expired.
Task-number: QTBUG-38896
Change-Id: I8f17972ac94555648098624e470fff0eff2e7940
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@digia.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add support for loading certificates and keys from PKCS#12 bundles
(also known as pfx files).
Task-number: QTBUG-1565
[ChangeLog][QtNetwork][QSslSocket] Support for loading PKCS#12
bundles was added. These are often used to transport keys and
certificates conveniently, particularly when making use of
client certificates.
Change-Id: Idaeb2cb4dac4b19881a5c99c7c0a7eea00c2b207
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
|\| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
mkspecs/qnx-x86-qcc/qplatformdefs.h
src/corelib/global/qglobal.h
src/opengl/gl2paintengineex/qpaintengineex_opengl2.cpp
src/opengl/qgl.cpp
src/opengl/qglpixelbuffer.cpp
src/opengl/qglshaderprogram.cpp
tests/auto/opengl/qglthreads/tst_qglthreads.cpp
Change-Id: Iaba137884d3526a139000ca26fee02bb27b5cdb5
|
| |/
| |
| |
| |
| |
| |
| | |
The declaration of q_SSL_ctrl is ifdefed, so ifdef it's usage too.
Change-Id: I99a53af6f4f24ed991d39ab89f18e03b8f38c617
Reviewed-by: Richard J. Moore <rich@kde.org>
|