| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch-set implements a new QSslSocket backend based on OpenSSL 1.1.
1. General.
The code in this patch was organized to achieve these (somewhat contradicting)
objectives:
- keep the new code free of #if-ery, as far as possible;
- make it easy to clean away dead code when we're eventually able to retire
out-dated OpenSSL versions;
- reduce the amount of code duplication.
If changes in some file/component were insignificant (~5 one-liners per file),
we still use pp-checks like: #if QT_CONFIG(opensslv11) ... #else ... #endif -
the logic is simple and it's still easy to clean the code if we remove the legacy
back-end. Where it saved #if-ery, we also introduced 'forward-compatible'
macros implementing equivalents of 1.1 functions using older OpenSSL.
In case some class contains a lot of version-specific ifdefs (particularly where
nested #if-ery was complex) we choose to split code into: "pre11" h/cpp files,
"shared" h/cpp files (they preserve their original names, e.g qsslsocket_openssl.cpp)
and "11" h/cpp files. If in future we remove the legacy back-end, "pre11" should be
removed; "shared" and "11" parts - merged.
2. Configuration.
We introduced a new feature 'opensslv11' which complements the pre-existing
'openssl' and 'openssl-linked' features. The 'opensslv11' feature is enabled
by a simple test which either compiles successfully or ends in a compilation
error, depending on a value of the OPENSSL_VERSION_NUMBER constant. If the
feature was enabled, we also append an additional compilation flag
-DOPENSSL_API_COMPAT=0x10100000L to make sure our new code does not contain
deprecated structures, function calls, macro-invocations from OpenSSL < 1.1.
Change-Id: I2064efbe9685def5d2bb2233a66f7581954fb74a
Reviewed-by: André Klitzing <aklitzing@gmail.com>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
don't attempt to hand-craft a library export any more. instead, use the
configure system's built-in mechanism, and refer to it via QMAKE_USE.
this also allows us to rely on transitive dependencies in the autotest.
as a side effect, this makes the openssl-linked feature imply the
openssl one.
Change-Id: I5dd209b63bc8fbbc62852f6ffc472d4452ea2e68
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
|
| |
|
|
|
|
| |
Task-number: QTBUG-55530
Change-Id: Icc5ae9849e41479732eb44d01d9ea37aa3da16f8
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Use the new qtConfig macro in all pro/pri files.
This required adding some feature entries, and adding
{private,public}Feature to every referenced already existing entry.
Change-Id: I164214dad1154df6ad84e86d99ed14994ef97cf4
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
|
| |
|
|
|
|
|
|
| |
Makes things symmetrical with the windows configure and cleans
up the logic in ssl.pri
Change-Id: I4a373afe78e904de7d04baea38c250ff0c9d5062
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
|
| |
|
|
|
|
|
|
|
|
| |
Only the OpenSSL backend is supported right now.
[ChangeLog][QtNetwork][SSL/TLS support] It is now possible to
set custom Diffie-Hellman parameters for QSslSocket-based servers.
Change-Id: I50148873132cd0ec7e414250b107b6b4cbde02ea
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@theqtcompany.com>
|
| |
|
|
|
|
|
|
|
| |
Cleaning out the workarounds for the discontinued "Embedded Android"
platform of Boot2Qt.
Change-Id: I0ff9d770e82a43457fb7e5da0428f4597ead4038
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@theqtcompany.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@theqtcompany.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This will make sure that certs in the domainUser (login),
and domainAdmin (per machine) keychain are being picked up
in systemCaCertificates() in addition to the (usually immutable)
DomainSystem keychain.
Also consider the trust settings on OS X: If a certificate
is either fully trusted or trusted for the purpose of SSL,
it will be accepted.
[ChangeLog][Platform Specific Changes] OS X now accepts trusted
certificates from the login and system keychains.
Task-number: QTBUG-32898
Change-Id: Ia23083d5af74388eeee31ba07239735cbbe64368
Reviewed-by: Markus Goetz (Woboq GmbH) <markus@woboq.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add support for SSL on iOS/OS X by adding a SecureTransport based
backend.
[ChangeLog][QtNetwork][QSslSocket] A new SSL backend for iOS and OS X,
implemented with Apple's Secure Transport (Security Framework).
Change-Id: I7466db471be2a8a2170f9af9d6ad4c7b6425738b
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
|
| |
[ChangeLog][QtNetwork][QSslSocket] It is now possible to use TLS PSK
ciphersuites in client sockets.
Task-number: QTBUG-39077
Change-Id: I5523a2be33d46230c6f4106c322fab8a5afa37b4
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/corelib/global/qglobal.h
src/platformsupport/platformcompositor/qopenglcompositor.cpp
src/platformsupport/platformcompositor/qopenglcompositorbackingstore.cpp
tests/auto/gui/kernel/qwindow/tst_qwindow.cpp
Change-Id: I5422868500be695584a496dbbbc719d146bc572d
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Place all debug output into the 'qt.network.ssl' category.
This allows people to disable certain warnings at runtime.
Task-number: QTBUG-43173
Change-Id: Ide731fae3109f9cd7730cc096ee069a5b99d35f1
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |/
|
|
|
|
|
|
|
| |
[ChangeLog][QtNetwork][QtSSL] It is now possible to choose which elliptic
curves should be used by an elliptic curve cipher.
Change-Id: If5d0d58922768b6f1375836489180e576f5a015a
Done-with: Marc Mutz <marc.mutz@kdab.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
|
| |
The native handle and import functions are now available for use in other
parts of the winrt backend.
Change-Id: I07e6f95b3411c3dc7c1a7a164544b18e5e435d01
Reviewed-by: Maurice Kalinowski <maurice.kalinowski@digia.com>
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This internal implementation of QSslKey can be used when OpenSSL is not
available. Encrypted keys are not supported, as the cryptography must
be supplied by a separate library.
With this commit, WinRT is migrated to the new implementation,
but qsslkey_winrt.cpp is left in place so that the missing crypto
implementation can be added later. This also means most of the expected
failures for that platform can be removed from the autotest.
Change-Id: I24a3ad1053bb72311613b28b3ae845aa1645a321
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
Reviewed-by: Maurice Kalinowski <maurice.kalinowski@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
|
|
| |
Having QAsn1Element in place, we can have a common foundation
for the ssl certificate class for upcoming ports like WinRT
and SecureTransport. The only thing that has to be added to
the existing class is the handle() functionality.
Change-Id: I560a8e412b26f350855c7bc456fcdb8e9b750939
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This element can be used for backends that do not offer all the
information that is needed when implementing a ssl certificate backend.
WinRT and the SecureTransport lack functionality in this area for
example.
The sources and tests are added for ssl and openssl configurations in order
to be tested. The condition for adding these can be changed as soon
as they are used by an actual implementation
Change-Id: I2b836133105afdc178bf3b1ee7d732bea069effa
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
|
| |
|
|
|
|
|
|
|
|
| |
The change creates a stub implementation for WinRT, adding the needed
files and classes to build SSL support on that platform.
Task-number: QTBUG-37497
Change-Id: Idc3e8aa91c5eb8a938705f2385d1074fe6c1d83e
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to prepare the addition of WinRT and iOS (SecureTransport)
implementations of SSL the structure of some SSL files has to be
redone. Parts of certificate that probably can be reused by other
ports stayed in qsslcertificate.cpp while other parts were moved
to qsslcertificate_openssl.cpp. qsslcontext, qsslkey and qsslsocket
were suffixed by _openssl to show that these are pure openssl
implementations.
Change-Id: I7b022dec49759f882274999c0991bf95788f2a3a
Reviewed-by: Andrew Knight <andrew.knight@digia.com>
Reviewed-by: Oliver Wolff <oliver.wolff@digia.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
| |
Change-Id: Ie8eaa71bee87654c21218a23efd7e9d65b71f022
Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
| |
|
|
|
|
|
|
|
| |
"windows" only worked more or less by accident (it's the opposite of
"console" and just happens to be the default on windows).
Change-Id: Ib60c8ae5aea04f28207c05cc0005183dd6eb6244
Reviewed-by: Joerg Bornemann <joerg.bornemann@digia.com>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
| |
|
|
|
|
|
|
| |
On Android, when not using Ministro, we cannot read certificates
from the file system, so we have to get them through Java APIs instead.
Change-Id: I415329fcb45836735c1112dbe832214b3c73dc9a
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several modules, including DBus, MySQL, and OpenSSL have
configure options of the form <MODULE>_PATH, which is used
on Windows (where pkg-config is not present) to specify the
locations of third-party libraries. These switches had been
implemented by adding extra variables which were referenced
in .pro files, to add the appropriate compiler and linker
switches. This is undesirable because it means there are
two independent paths for adding the switches to the build,
which can get out of sync with each other, and indeed this
had happened for some of the DBus tools.
To remedy the situation, all three of the switches were
reworked so that they added values directly to the principal
variables that are used in the project files. This reduces
maintenance, by ensuring that the pkg-config and non-pkg-config
paths appear the same to the rest of the build system.
Change-Id: Iae342f1d14b79fbcfef9fe38aadc803ad3141799
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@digia.com>
|
| |
|
|
|
|
|
|
| |
This improves performance since a network round trip can be avoided.
Change-Id: I1aaff7e48ef9638cb137de0f43942c3a4dd2884a
Initial-patch-by: Markus Goetz <markus@woboq.com>
Reviewed-by: Richard J. Moore <rich@kde.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Under Windows it's quite possible that OpenSSL, DBUS or MySQL is
not installed into a central place. If -I and -L is
passed at configure time, it is added to all targets,
and if that path contained a conflicting header things would go
wrong.
Change-Id: Ic3338c49aa6eaa91b3abf5341e709ef604bf7aab
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
|
| |
|
|
|
|
|
|
|
| |
msvc cannot use the same library for debug and release builds
if openssl libraries are linked statically into the network library.
Change-Id: Ic27ede2d9531b94aff4c50c1699947ce72caf286
Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@nokia.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Windows ships with a minimal set of CA roots.
When using windows API to verify a certificate, it will fetch the
root certificate from windows update (assuming it is part of the
Microsoft trust program).
As we are using openssl, this does not happen transparently.
If SSL errors occur which indicate a broken chain then attempt
to fix it using the windows API before emitting sslErrors.
If the system CA certs are not in use (a CA bundle has been set
on the socket or as the global configuration), then this is skipped.
This is so an application can continue to use its own cert bundle
rather than trusting the system certs.
Key usage is specified, so that windows will return not trusted
status if the root is not suitable for SSL (server auth or
client auth OID).
Testability:
- to test, must delete the CA cert(s) from the "third party
root certification authorities" section of the cert store
using mmc.exe.
- If the workaround of installing the windows XP cert bundle was
performed, then you also need to delete certs from the "trusted
root certification authorities" section.
This is dangerous, be careful not to delete the required
certificates which are documented on MS website
- Naturally, modifying these areas of the cert store requires
elevated privilege.
Task-number: QTBUG-24827
Change-Id: I5cfe71c8a10595731f6bbbbabaaefa3313496654
Reviewed-by: Richard J. Moore <rich@kde.org>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
| |
|
|
|
|
|
| |
This file was removed in commit ba9302b8a9b6b50f37987261c1ade9af2ade2d3c
Change-Id: Ib3a70877f6f6848c8cf072faf13da93abbe186f2
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
| |
|
|
|
|
|
|
| |
removes several files and cleans up the code, removing all Symbian
specific #ifdef's etc.
Change-Id: Ie457e54cb4b3a992f251383320d47822259c38f1
Reviewed-by: Lars Knoll <lars.knoll@nokia.com>
|
| |
|
|
|
|
|
|
|
|
| |
... by adding a new class QSslCertificateExtension and methods in
QSslCertificate to support extensions. This is needed e.g. for OCSP
(checking revocation status of a certificate) or Extended Validation
certificates.
Change-Id: I5c5d9513fa640cd487786bb9a5af734afebd0828
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|
|
This is the beginning of revision history for this module. If you
want to look at revision history older than this, please refer to the
Qt Git wiki for how to use Git history grafting. At the time of
writing, this wiki is located here:
http://qt.gitorious.org/qt/pages/GitIntroductionWithQt
If you have already performed the grafting and you don't see any
history beyond this commit, try running "git log" with the "--follow"
argument.
Branched from the monolithic repo, Qt master branch, at commit
896db169ea224deb96c59ce8af800d019de63f12
|
