| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Avoid accessing the internals of the SSL_CIPHER struct since this has
changed size etc. over time leading to binary incompatibilities.
Task-number: QTBUG-32423
Task-number: QTBUG-23363
Change-Id: I8cb399484e3a62be7d511f4b8b22c876825c87d4
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
|\
| |
| |
| | |
Change-Id: I9300572e2b74f0564b2589cbd0fbdf24850f68df
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
OpenSSL has a bug when validating a chain with two certificates.
If a certificate exists twice (which is a valid use case for renewed
CAs), and the first one it hits is expired (which depends on the order
on data structure internal to OpenSSL), it will fail to validate the
chain.
This is only a bandaid fix, which trades improved chain validation
for error reporting accuracy. However given that reissuing of CA certs
is a real problem that is only getting worse, this fix is needed.
See also: https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#WARNINGS
[ChangeLog][QtNetwork][QSslSocket] Added a workaround to an OpenSSL problem
that may cause errors when the trust store contains two certificates of the
issuing CA, one of which is expired.
Task-number: QTBUG-38896
Change-Id: I8f17972ac94555648098624e470fff0eff2e7940
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Frederik Gladhorn <frederik.gladhorn@digia.com>
|
|/
|
|
|
|
|
| |
The declaration of q_SSL_ctrl is ifdefed, so ifdef it's usage too.
Change-Id: I99a53af6f4f24ed991d39ab89f18e03b8f38c617
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
| |
Task-number: QTBUG-37783
Change-Id: Ie276e597062d8bfc74ef57251ed21a94020e030f
Reviewed-by: Friedemann Kleint <Friedemann.Kleint@digia.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Crash occurs after warnings like:
QSslSocket: cannot call unresolved function SSL_get0_next_proto_negotiated
Task-number: QTBUG-37515
Task-number: QTBUG-33208
Change-Id: I18b803e4709b9d5f6b33717c2ac43179676351a4
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
... which is needed to negotiate the SPDY protocol.
[ChangeLog][QtNetwork][QSslConfiguration] Added support for the Next
Protocol Negotiation (NPN) TLS extension.
Task-number: QTBUG-33208
Change-Id: I3c945f9b7e2d2ffb0814bfdd3e87de1dae6c20ef
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Any cipher that is < 128 bits is excluded from the default SSL
configuration. These ciphers are still included in the list
of availableCiphers() and can be used by applications if required.
Calling QSslSocket::setDefaultCiphers(QSslSocket::availableCiphers())
will restore the old behavior.
Note that in doing so I spotted that calling defaultCiphers() before
doing other actions with SSL had an existing bug that I've addressed
as part of the change.
[ChangeLog][Important Behavior Changes] The default set of
ciphers used by QSslSocket has been changed to exclude ciphers that are
using key lengths smaller than 128 bits. These ciphers are still available
and can be enabled by applications if required.
Change-Id: If2241dda67b624e5febf788efa1369f38c6b1dba
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|
|
|
|
|
|
|
|
|
| |
Updating the SSL_write code to correctly handle
SSL_ERROR_WANT_WRITE and SSL_ERROR_WANT_READ, which are not actual errors.
Change-Id: Icd7369b438ef402bf438c3fcc64514a1f9f45452
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
configure
mkspecs/macx-xcode/Info.plist.app
mkspecs/macx-xcode/Info.plist.lib
qmake/doc/qmake.qdocconf
src/corelib/global/qglobal.h
tests/auto/other/exceptionsafety/exceptionsafety.pro
tests/auto/widgets/widgets/qcombobox/tst_qcombobox.cpp
Change-Id: I3c769a4a82dc2e99a12c69123fbf17613fd2ac2a
|
| |
| |
| |
| |
| |
| |
| |
| | |
On Android, when not using Ministro, we cannot read certificates
from the file system, so we have to get them through Java APIs instead.
Change-Id: I415329fcb45836735c1112dbe832214b3c73dc9a
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The c_rehash'ed symlinks are always there on QNX, so no need to check
at every app start for the feature. This saves ~ 17ms at each app
start.
Task-number: QTBUG-32549
Change-Id: Ia9df60aba9d1bd70868b7004b847867a2128f600
Reviewed-by: Andreas Holzammer <andreas.holzammer@kdab.com>
Reviewed-by: Rafael Roquetto <rafael.roquetto@kdab.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CSSM_DATA_PTR was deprecated in 10.7. Replace SecCertificateGetData
with SecCertificateCopyData.
Task-number: QTBUG-32715
Change-Id: I762687370689b5b5c032567240667631b1ffde98
Reviewed-by: Jake Petroules <jake.petroules@petroules.com>
Reviewed-by: Gabriel de Dietrich <gabriel.dedietrich@digia.com>
|
|\|
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/corelib/global/qglobal.h
src/plugins/platforms/cocoa/qnsview.mm
Change-Id: I6fe345df5c417cb7a55a3f91285d9b47a22c04fa
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Incorporate some more of the API changes between OpenSSL versions
0.9.8 and 1.0.0.
Task-number: QTBUG-31140
Change-Id: Ie719b34e3ec8751f0fbc07d315e82816c110762c
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/corelib/io/qdatastream.cpp
src/corelib/io/qdatastream.h
src/corelib/json/qjsonwriter.cpp
src/plugins/platforms/cocoa/qcocoawindow.mm
src/plugins/platforms/xcb/qxcbkeyboard.cpp
Change-Id: I46fef1455f5a9f2ce1ec394a3c65881093c51b62
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
All occurrences of `#if defined(Q_OS_MAC) && !defined(Q_OS_IOS)` have
been replaced with `#if defined(Q_OS_MACX)`.
Change-Id: I5055d9bd1845136beb8ed1c79a8f0f2c0897751a
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Reviewed-by: Tor Arne Vestbø <tor.arne.vestbo@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Session tickets can be cached on the client side for hours (e.g.
graph.facebook.com: ~ 24 hours, api.twitter.com: 4 hours), because the
server does not need to maintain state.
We need public API for it so an application can cache the session (e.g.
to disk) and resume a session already with the 1st handshake, saving
one network round trip.
Task-number: QTBUG-20668
Change-Id: I10255932dcd528ee1231538cb72b52b97f9f4a3c
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\|
| |
| |
| | |
Change-Id: I2a54058b64ac69c78b4120fdaf09b96e025a4c6c
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
... but rather throw an error, so the HTTP layer can recover from a SSL
shutdown gracefully. In case the other side sent us a shutdown, we should
not send one as well, as it results in an error.
Change-Id: Ie7a56cf3008b6ead912aade18dbec67846e2a87e
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|\|
| |
| |
| | |
Change-Id: I059725e3b7d7ffd5a16a0931e6c17200917172b5
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We are passing a QSslConfigurationPrivate that is allocated on the stack
(in QSslSocketBackendPrivate::initSslContext()) to
QSslConfiguration::QSslConfiguration(QSslConfigurationPrivate *dd).
When the SSL context is destroyed, this object is not there any more.
So now we create a deep copy of the configuration like we do in
QSslSocket::sslConfiguration().
Task-number: QTBUG-30648
Change-Id: Iaefaa9c00fd6bfb707eba5ac59e9508bf951f8a5
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|/
|
|
|
|
|
|
|
|
| |
There is already an enum to disable SSL session tickets, which has been
used to disable session sharing for now. However, SSL session sharing
is not the same as SSL session tickets: Session sharing is built into
the SSL protocol, while session tickets is a TLS extension (RFC 5077).
Change-Id: If76b99c94b346cfb00e47366e66098f6334fd9bc
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
|
|
|
| |
... so SSL traffic can be decrypted with e.g. tcpdump / Wireshark.
For this to work, the define needs to be uncommented and QtNetwork
recompiled. This will create a file in /tmp/qt-ssl-keys which can
be fed into Wireshark.
A recent version of Wireshark is needed for this to work.
Change-Id: I4e41fd2e6122260cd96d443b1360edc71b08b5fd
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based on the Necessitas project by Bogdan Vatra.
Contributors to the Qt5 project:
BogDan Vatra <bogdan@kde.org>
Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
hjk <hjk121@nokiamail.com>
Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Paul Olav Tvete <paul.tvete@digia.com>
Robin Burchell <robin+qt@viroteck.net>
Samuel Rødal <samuel.rodal@digia.com>
Yoann Lopes <yoann.lopes@digia.com>
The full history of the Qt5 port can be found in refs/old-heads/android,
SHA-1 249ca9ca2c7d876b91b31df9434dde47f9065d0d
Change-Id: Iff1a7b2dbb707c986f2639e65e39ed8f22430120
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
|
|
|
|
|
|
|
|
| |
Qt5 requires Mac OS 10.6, so we can remove checks such as
if MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_6
Change-Id: Iea21727a277291148704ecf9677ed0b68c24920f
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/concurrent/doc/qtconcurrent.qdocconf
src/corelib/doc/qtcore.qdocconf
src/corelib/global/qglobal.h
src/dbus/doc/qtdbus.qdocconf
src/dbus/qdbusmessage.h
src/gui/doc/qtgui.qdocconf
src/gui/image/qimagereader.cpp
src/network/doc/qtnetwork.qdocconf
src/opengl/doc/qtopengl.qdocconf
src/opengl/qgl.h
src/plugins/platforms/windows/qwindowswindow.cpp
src/printsupport/doc/qtprintsupport.qdocconf
src/sql/doc/qtsql.qdocconf
src/testlib/doc/qttestlib.qdocconf
src/tools/qdoc/doc/config/qt-cpp-ignore.qdocconf
src/widgets/doc/qtwidgets.qdocconf
src/xml/doc/qtxml.qdocconf
Change-Id: Ie9a1fa2cc44bec22a0b942e817a1095ca3414629
|
| |
| |
| |
| |
| |
| | |
Change-Id: I559d4dd8789a249af855f6fe9bfe013ba1d77132
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
|
|/
|
|
|
|
|
|
| |
This improves performance since a network round trip can be avoided.
Change-Id: I1aaff7e48ef9638cb137de0f43942c3a4dd2884a
Initial-patch-by: Markus Goetz <markus@woboq.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
| |
Change-Id: Ic804938fc352291d011800d21e549c10acac66fb
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL changed the layout of X509_STORE_CTX between 0.9 and 1.0
So we have to consider this struct as private implementation, and use
the access functions instead.
This bug would cause certificate verification problems if a different
version of openssl is loaded at runtime to the headers Qt was compiled
against.
Task-number: QTBUG-28343
Change-Id: I47fc24336f7d9c80f08f9c8ba6debc51a5591258
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
| |
Change-Id: If72d80979e1d2ea909227785cd691be39d75c8ab
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
|
|
|
|
|
|
|
|
| |
To fix a compile error when QT_NO_LIBRARY is defined.
Change-Id: Ie72b60b8204641fa05f4cdbf66e908cb3526217e
Reviewed-by: Jing Bai <jing.bai@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
| |
Change copyrights and license headers from Nokia to Digia
Change-Id: If1cc974286d29fd01ec6c19dd4719a67f4c3f00e
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Sergio Ahumada <sergio.ahumada@digia.com>
|
|
|
|
|
| |
Change-Id: Icfafa00062b442903579dd7993c75fffb60187f9
Reviewed-by: Peter Hartmann <phartmann@rim.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add SslProtocol enums TlsV1_1 and TlsV1_2 and use the appropriate OpenSSL
methods when they're selected (TLSv1_1_client_method, TLSv1_2_client_method,
TLSv1_1_server_method and TLSv1_2_server_method). This allows us to
explicitly use TLS 1.1 or 1.2.
Task-number: QTBUG-26866
Change-Id: I159da548546fa746c20e9e96bc0e5b785e4e761b
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using the nullary version has the advantage that multiple calls
during a program run are much more efficient, since an inlined
atomic is used to store the result. It also ensures that
Q_DECLARE_METATYPE(T) has been used, whereas qRegisterMetaType<T>("T")
will happily register anything. So I've added the macro where it
was missing, or moved it to a central place when it existed
hidden.
In tst_qnetworkreply, this became a bit tricky, because a private
header is conditionally included, so moved the Q_DECLARE_METATYPE()
into a conditional section, too.
Change-Id: I71484523e4277f4697b7d4b2ddc3505375162727
Reviewed-by: Stephen Kelly <stephen.kelly@kdab.com>
|
|
|
|
|
|
|
|
|
| |
Removes the readBuffer from the QAbstractSocket since data is already
buffered in the QIODevice.
Change-Id: I4e50b791fd2852455e526fa2c07089d4d3f0b2a4
Reviewed-by: Prasanth Ullattil <prasanth.ullattil@nokia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|
|
|
|
|
|
|
|
|
| |
Check for blacklisting in case the application has blacklisted
a cert before windows has (currently unlikely as the blacklist is
hardcoded in Qt)
Don't need to check for time validity because that's already checked
by the windows API.
Change-Id: I34da5c4a8a0f8851b9b7668fc421a93c360c8588
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This operation should be a no-op anyway, since at this point in time,
the fromAscii and toAscii functions simply call their fromLatin1 and
toLatin1 counterparts.
Task-number: QTBUG-21872
Change-Id: I94cc301ea75cc689bcb6e2d417120cf14e36808d
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although we created an enum for pause modes to make 5.x binary
compatible with 5.0, the enum value is not well named.
In 5.1, we propose to add PauseOnProxyAuthentication to the enum.
PauseOnNotify is not clear what it means, while PauseOnSslErrors is.
Any new notification in a minor release would need a new enum value
otherwise applications would get pauses they did not expect.
Task-number: QTBUG-19032
Change-Id: I4dbb7467663b37ca7f0551d24a31bc013968bedc
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a website presents the complete certificate chain in the handshake
i.e. site -> intermediate CA -> root CA then openssl gives
a different error (SelfSignedCertificateInChain)
Because of this windows feature, that either means the site is
signed by an untrusted CA, or the CA trust status is unknown because
we don't have the root cert in the cert store.
In any case, calling the windows verification function results
in a trusted chain & the root being added to the cert store.
Task-number: QTBUG-24827
Change-Id: I2663ea2f86cd0b4dfde105d858ec1b39a340c1f6
Reviewed-by: Richard J. Moore <rich@kde.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we're not going to verify the peer, or we know in advance that
windows won't have a CA root then don't ask it to verify the
certificate chain.
The test case started failing in CI when the windows cert fetcher
was integrated due to timing change. I've relaxed the timing
requirement of the test to avoid it being unstable.
Task-number: QTBUG-24827
Change-Id: I694f193f7d96962667f00aa01b9483b326e3e054
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Q_DECLARE_METATYPE must be outside of the qt namespace.
System headers must be included outside of the qt namespace.
Change-Id: I2f48b1df87e5edae2baee6ce813af08d3e011dc0
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
Reviewed-by: Toby Tomkins <toby.tomkins@nokia.com>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
|
|
|
|
|
|
|
|
|
|
| |
Since we are calling q_SSL_load_error_strings to load error strings
we should call ERR_free_strings to free the memory again.
Task-number: QTBUG-15732
Change-Id: Ie41291bb0e1434f82025378edfca51930712a8aa
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|
|
|
|
| |
Change-Id: I76269630ebabdf601c2fcb5f65a8dffbd6cdbc5e
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
|
|
|
|
|
|
|
|
| |
Replace "contains(QT_CONFIG, coreservices)" with "!ios" in config files.
Replace "QT_NO_CORESERVICES" with "Q_OS_IOS" in source files.
Change-Id: Id3b02316b245a24ce550e0b47596d18a4a409e4f
Reviewed-by: Morten Johan Sørvig <morten.sorvig@nokia.com>
|
|
|
|
|
|
|
| |
Put MacOS-specific code into #ifdef blocks to enable compilation on iOS.
Change-Id: I0bb3846f457d1b3a56d99fe182b1718bc8429117
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Windows ships with a minimal set of CA roots.
When using windows API to verify a certificate, it will fetch the
root certificate from windows update (assuming it is part of the
Microsoft trust program).
As we are using openssl, this does not happen transparently.
If SSL errors occur which indicate a broken chain then attempt
to fix it using the windows API before emitting sslErrors.
If the system CA certs are not in use (a CA bundle has been set
on the socket or as the global configuration), then this is skipped.
This is so an application can continue to use its own cert bundle
rather than trusting the system certs.
Key usage is specified, so that windows will return not trusted
status if the root is not suitable for SSL (server auth or
client auth OID).
Testability:
- to test, must delete the CA cert(s) from the "third party
root certification authorities" section of the cert store
using mmc.exe.
- If the workaround of installing the windows XP cert bundle was
performed, then you also need to delete certs from the "trusted
root certification authorities" section.
This is dangerous, be careful not to delete the required
certificates which are documented on MS website
- Naturally, modifying these areas of the cert store requires
elevated privilege.
Task-number: QTBUG-24827
Change-Id: I5cfe71c8a10595731f6bbbbabaaefa3313496654
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If SSL_MODE_RELEASE_BUFFERS is available we should tell OpenSSL
to release memory early.
http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
Task-number: QTBUG-14985
Change-Id: Ib6656ebb3c4d67ca868b317ee83ddbf0983953f9
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Markus Goetz <markus@woboq.com>
|