| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Alas, we have to do the job ossl_typ.h failed to - undef macros
coming from wincrypt.h (?) and clashing with identifiers/naming
conventions not exactly very wisely chosen by OpenSSL.
Change-Id: I1725c4f769be64dbb391d040b2c1574b20b65151
Fixes: QTBUG-73322
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |
|
|
|
|
|
|
| |
Again, 1.0 is required now.
Change-Id: Icca5dc38eb33c1579653d96d6c079b335a401aad
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
|
|
|
|
|
|
|
| |
This patch introduces a private 'API' to enable server-side OCSP responses
and implements a simple OCSP responder, tests OCSP status on a client
side (the test is pretty basic, but for now should suffice).
Change-Id: I4c6cacd4a1b949dd0ef5e6b59322fb0967d02120
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables OCSP stapling in QSslSocket::SslClientMode (OpenSSL back-end
only). OCSP stapling is described by RFC6066 and based on the original OCSP as
defined by RFC2560. At the moment multiple certificate status protocol is not
supported (not implemented in OpenSSL). SecureTransport does not support OCSP
stapling at the moment.
[ChangeLog][QtNetwork][TLS] Added OCSP-stapling support for OpenSSL backend
Task-number: QTBUG-12812
Task-number: QTBUG-17158
Change-Id: Id2e0f4cc861311d1ece462864e5e30c76184af8c
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is necessary to provide details for the key too,
when the server is using DHE-RSA-AESxxx-SHAxxx.
Amends 7f77dc84fb434f33ffe96f6633792706b80fb0a3.
Change-Id: I8ab15b6987c17c857f54bc368df3c6c1818f428c
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has 'no-dtls' configure option (or can be too ancient to properly
support it), we shall respect such builds. This patch extends configure.json
with a 'dtls' test and adds protection against linkage/compile-time
issues in the QtNetwork's code.
Change-Id: I0c0dd94f5c226115cee4285b82c83aa546555aea
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
|
|
|
|
|
|
|
|
| |
These are leftovers from the prototype version of DTLS connection
and no code is using them now.
Change-Id: I3970a56303a59ce95e9c22344fac89e89f6559c8
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds DTLS support to QtNetwork module (and its OpenSSL
back-end).
DTLS over UDP is defined by RFC 6347.
The new API consists of
1) QDtlsClientVerifier which checks if a client that sent us ClientHello
is a real DTLS client by generating a cookie, sending a HelloVerifyRequest
with this cookie attached, and then verifiying a cookie received back.
To be deployed in combination with a server-side QUdpSocket.
2) QDtls - initiates and proceeds with a TLS handshake (client or server
side), with certificates and/or pre-shared key (PSK), and encrypts/decrypts
datagrams after the handshake has finished.
This patch does not implement yet another UDP socket, instead
it allows use of existing QUdpSocket(s), by adding DTLS support
on top. OpenSSL back-end uses a custom BIO to make it work with
QUdpSocket and give a finer control over IO operations.
On the server side, demultiplexing is left to client code (could
be done either by connecting QUdpSocket or by extracting address/port
for an incoming datagram and then forwarding/dispatching them to
the corresponding QDtls object).
Task-number: QTPM-779
Change-Id: Ifcdf8586c70c3018b0c5549efc722e795f2c1c52
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |\
| |
| |
| | |
Change-Id: I8d8b03ea46c537b091b72dc7b68aa6aa3a627ba6
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
A custom build of openssl can disable DES or RC2. This
allows to build Qt against those builds.
Change-Id: I9b91c943fab4d217a791381e81a7d87a9ff5031a
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |\|
| |
| |
| | |
Change-Id: I86f04fc3b2e4291f161a4985adddd6fd6c789d33
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When releasing a STACK_OF(GENERAL_NAME). Actually, GENERAL_NAME_free is
a special function, not the same as OPENSSL_sk_free.
Task-number: QTBUG-57679
Change-Id: I3ed300bb95e8be35bd9cd06b6dbc6e59c7c6a4ee
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |/
|
|
|
|
|
|
|
| |
This patch adds several macros, functions and typedefs,
needed by DTLS, into our qsslsocket_openssl_symbols.
Change-Id: I9e4dccc0c576b26b3f629cee6e3245e707604674
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
|
|
|
|
|
|
| |
With this change it is possible to use all supported
configurations in different backends without any new interfaces.
Change-Id: Ib233539a970681d30ae3907258730e491f8d3531
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
The test OPENSSL_VERSION_NUMBER >= 0x1010000000L was introduced before
1.1 support. Now a couple of conditional inclusions can be converted
into QT_CONFIG(opensslv11).
Task-number: QTBUG-64275
Change-Id: I627e6b06f334deac70c827e463ecbfad879dfc24
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch-set implements a new QSslSocket backend based on OpenSSL 1.1.
1. General.
The code in this patch was organized to achieve these (somewhat contradicting)
objectives:
- keep the new code free of #if-ery, as far as possible;
- make it easy to clean away dead code when we're eventually able to retire
out-dated OpenSSL versions;
- reduce the amount of code duplication.
If changes in some file/component were insignificant (~5 one-liners per file),
we still use pp-checks like: #if QT_CONFIG(opensslv11) ... #else ... #endif -
the logic is simple and it's still easy to clean the code if we remove the legacy
back-end. Where it saved #if-ery, we also introduced 'forward-compatible'
macros implementing equivalents of 1.1 functions using older OpenSSL.
In case some class contains a lot of version-specific ifdefs (particularly where
nested #if-ery was complex) we choose to split code into: "pre11" h/cpp files,
"shared" h/cpp files (they preserve their original names, e.g qsslsocket_openssl.cpp)
and "11" h/cpp files. If in future we remove the legacy back-end, "pre11" should be
removed; "shared" and "11" parts - merged.
2. Configuration.
We introduced a new feature 'opensslv11' which complements the pre-existing
'openssl' and 'openssl-linked' features. The 'opensslv11' feature is enabled
by a simple test which either compiles successfully or ends in a compilation
error, depending on a value of the OPENSSL_VERSION_NUMBER constant. If the
feature was enabled, we also append an additional compilation flag
-DOPENSSL_API_COMPAT=0x10100000L to make sure our new code does not contain
deprecated structures, function calls, macro-invocations from OpenSSL < 1.1.
Change-Id: I2064efbe9685def5d2bb2233a66f7581954fb74a
Reviewed-by: André Klitzing <aklitzing@gmail.com>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In old versions of OpenSSL this function can try to access a config file
sometimes resulting in EACCES. While handling ENOENT correctly, OPENSSL_config
unconditionally calls std::exit on EACCES, which is unacceptable, especially if we
have a Qt-app which is not using SSL at all (but, for example, is using QNAM).
To workaround this, we pre-test if this file can be opened and if not and the
last error is ERR_R_SYS_LIB we just skip q_OPENSSL_add_all_algorithms call.
Task-number: QTBUG-43843
Change-Id: I309172d3b5e7847f67a87ba33c406d4751bc60ca
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
|
|
|
|
|
| |
Fix the occurrences where the wrong classes are mentioned.
Change-Id: Ia291af77f0f454a39cab93e7376a110c19a07771
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In a TLS handshake the ephemeral server key is saved in the ssl
configuration. Clients who want to get the length or algorithm of the
key only get "Opaque" and "-1" as a result because the key is always
stored as "Opaque". This change converts the key to specific type so
more details are available and the client don't need to convert the
handle by hand.
Change-Id: I60f90fc2c1805e528640d391b20c676b6eeeb49e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@theqtcompany.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The new modular configuration system requires one global
header per module, that is included by all other files in
this module.
That header will later on #include the configuration file
for Qt Network. For now it defines the Q_NETWORK_EXPORT
macro for this library.
Change-Id: I9c45d425baf881c431ed71fd457c7feb2c123855
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
mkspecs/common/mac.conf
mkspecs/features/configure_base.prf
mkspecs/features/configure.prf
mkspecs/macx-clang-32/qmake.conf
mkspecs/macx-clang/qmake.conf
mkspecs/macx-ios-clang/qmake.conf
src/network/ssl/qsslsocket_openssl_symbols_p.h
Change-Id: I768b592e8e589662b1fdb9b8cbd633fef26845b6
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
src/angle/src/libGLESv2/libGLESv2.pro
src/plugins/platforms/eglfs/deviceintegration/eglfs_kms_egldevice/qeglfskmsegldeviceintegration.cpp
Change-Id: If8da4cfe8f57fea9f78e7239f378a6302c01674e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The declaration and definition of the forwarding functions for PSK
differed which leads to link errors with some versions of openssl.
Change-Id: I40410f62a584c5dbd2acf5c90422e1243514f8fd
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Only the OpenSSL backend is supported right now.
[ChangeLog][QtNetwork][SSL/TLS support] It is now possible to
set custom Diffie-Hellman parameters for QSslSocket-based servers.
Change-Id: I50148873132cd0ec7e414250b107b6b4cbde02ea
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@theqtcompany.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ChangeLog][QtNetwork][QSslSocket] TLS PSK ciphers are possible in server sockets.
Task-number: QTBUG-39077
Change-Id: Iaa854a6f50242deae5492f2e4759c727488995f5
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| | |
Application-Layer Protocol Negotiation (ALPN) - is a reworked revision
of Next Protocol Negotiation (NPN) we have in our OpenSSL code.
Can be used as a part of HTTP2 negotiation during TLS handshake.
Change-Id: I484ec528c81d4887a64749095ec292dfaec18330
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From Qt 5.7 -> LGPL v2.1 isn't an option anymore, see
http://blog.qt.io/blog/2016/01/13/new-agreement-with-the-kde-free-qt-foundation/
Updated license headers to use new LGPL header instead of LGPL21 one
(in those files which will be under LGPL v3)
Change-Id: I046ec3e47b1876cd7b4b0353a576b352e3a946d9
Reviewed-by: Lars Knoll <lars.knoll@theqtcompany.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using cipher algorithms with forward secrecy an ephemeral key is
used to generate the symmetric session key. Beside the SSL certificate's
key, this ephemeral key is of cryptographic interest.
The ephemeral key is chosen by the server side - currently statically in
the Qt implementation - so it is only of interest on the client side to
check it. Therefore the ephemeral key is the null key if the connection
is set up in server mode or a cipher without forward secrecy is used.
Change-Id: If241247dbb8490a91233ae47f2b38952c6591bf4
Reviewed-by: Markus Goetz (Woboq GmbH) <markus@woboq.com>
|
| |
|
|
|
|
|
|
|
|
| |
This adds an OpenSSL-based implementation of the QSslKeyPrivate encrypt
and decrypt method. This puts both the OpenSSL-based and non-OpenSSL
backends (WinRT for now) on par.
Change-Id: I18a75ee5f1c223601e51ebf0933f4430e7c5c29b
Reviewed-by: Andrew Knight <andrew.knight@intopalo.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
| |
So far, this was only supported for dlopen mode. This adds symmetric
defines for the linking case.
Change-Id: I9cbfa18e04d041dde0cbd833929782cada9eb812
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
| |
invalid conversion from ‘unsigned char**’ to ‘const unsigned char**’
Task-number: QTBUG-44744
Change-Id: I6263db106fe28c6aa04db8ca79421b3a9fc5adc9
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
| |
This change is a step closer to working with openssl 1.2 which makes
this struct opaque.
Change-Id: I3897142657edc0fa4053142b6ef743c2b00c013e
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Qt copyrights are now in The Qt Company, so we could update the source
code headers accordingly. In the same go we should also fix the links to
point to qt.io.
Outdated header.LGPL removed (use header.LGPL21 instead)
Old header.LGPL3 renamed to header.LGPL3-COMM to match actual licensing
combination. New header.LGPL-COMM taken in the use file which were
using old header.LGPL3 (src/plugins/platforms/android/extract.cpp)
Added new header.LGPL3 containing Commercial + LGPLv3 + GPLv2 license
combination
Change-Id: I6f49b819a8a20cc4f88b794a8f6726d975e8ffbe
Reviewed-by: Matti Paaso <matti.paaso@theqtcompany.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
There were still ifdefs for openssl 0.9.7 and openssl 0.9.8f.
[ChangeLog][QtNetwork] Some legacy ifdefs for openssl 0.9.7 and openssl 0.9.8f
were removed, Qt will no longer build with these versions. In addition there
is no support for openssl built with NO_TLSEXT.
Change-Id: I9268515c0a125a2f6d79add8ee1cb40768e7e898
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
| |
|
|
|
| |
Change-Id: I51733e9a3bb0d5d54dc2f61ac75751d899a84bd1
Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
|
| |
|
|
|
|
|
|
|
| |
[ChangeLog][QtNetwork][QSslSocket] It is now possible to use TLS PSK
ciphersuites in client sockets.
Task-number: QTBUG-39077
Change-Id: I5523a2be33d46230c6f4106c322fab8a5afa37b4
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
| |
Since the conversion to a long name was already there, also support
creation from a long name.
Change-Id: Iad712db7447fb0a0a18f600b7db54da5b5b87154
Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add possibility to get length and other information of EC based
certificates. Also it is possible to parse those public/private
keys from PEM and DER encoded files.
Based on patch by Remco Bloemen
[ChangeLog][QtNetwork][SSL/TLS support] It is now possible to
parse elliptic curve certificates.
Change-Id: I4b11f726296aecda89c3cbd195d7c817ae6fc47b
Task-number: QTBUG-18972
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
| |
|
|
|
|
|
|
|
| |
[ChangeLog][QtNetwork][QtSSL] It is now possible to choose which elliptic
curves should be used by an elliptic curve cipher.
Change-Id: If5d0d58922768b6f1375836489180e576f5a015a
Done-with: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
|
| |
- Renamed LICENSE.LGPL to LICENSE.LGPLv21
- Added LICENSE.LGPLv3
- Removed LICENSE.GPL
Change-Id: Iec3406e3eb3f133be549092015cefe33d259a3f2
Reviewed-by: Iikka Eklund <iikka.eklund@digia.com>
|
| |\
| |
| |
| |
| |
| |
| | |
Conflicts:
src/network/ssl/qsslsocket_openssl_symbols.cpp
Change-Id: Ic62419fa1fee5f4de6c372459d72e6e16f9a810b
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Some Linux distributions disable EC by default which causes compile
errors on those platforms.
Task-number: QTBUG-40394
Change-Id: If5816d473bd1d64b1d4977860db662704a83310f
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |\|
| |
| |
| | |
Change-Id: Ia36e93771066d8abcf8123dbe2362c5c9d9260fc
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Avoid accessing the internals of the SSL_CIPHER struct since this has
changed size etc. over time leading to binary incompatibilities.
Task-number: QTBUG-32423
Task-number: QTBUG-23363
Change-Id: I8cb399484e3a62be7d511f4b8b22c876825c87d4
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support for loading certificates and keys from PKCS#12 bundles
(also known as pfx files).
Task-number: QTBUG-1565
[ChangeLog][QtNetwork][QSslSocket] Support for loading PKCS#12
bundles was added. These are often used to transport keys and
certificates conveniently, particularly when making use of
client certificates.
Change-Id: Idaeb2cb4dac4b19881a5c99c7c0a7eea00c2b207
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
|
| | |
| |
| |
| |
| | |
Change-Id: I382a017a0b865b849667301aff8b2f87b676ecc6
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
mkspecs/qnx-armv7le-qcc/qplatformdefs.h
src/printsupport/kernel/qcups.cpp
src/widgets/styles/qstyle.h
tests/auto/widgets/itemviews/qlistwidget/tst_qlistwidget.cpp
Change-Id: Ia41e13051169a6d4a8a1267548e7d47b859bb267
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Despite supporting DH and ECDH key exchange as a client, Qt did not provide
any default parameters which prevented them being used as a server. A
future change should allow the user to control the parameters used, but
these defaults should be okay for most users.
[ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange
cipher suites when acting as an SSL server has been made possible. This
change means the you can now implement servers that offer forward-secrecy
using Qt.
Task-number: QTBUG-20666
Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
| |
Previously we allowed you to specify which version(s) you wanted to use,
but did not provide access to the version that was actually negotiated.
[ChangeLog][QtNetwork][QSslSocket] Add support for finding the version
of SSL/TLS in use by a connection.
Task-number: QTBUG-28471
Change-Id: I6d50d2bc9f1ce7f98192e67992178fe7e41c0575
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
... which is needed to negotiate the SPDY protocol.
[ChangeLog][QtNetwork][QSslConfiguration] Added support for the Next
Protocol Negotiation (NPN) TLS extension.
Task-number: QTBUG-33208
Change-Id: I3c945f9b7e2d2ffb0814bfdd3e87de1dae6c20ef
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
|
