| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As is said in RFC7301 in section 3.1 [1]:
Protocols are named by IANA-registered, opaque, non-empty byte strings
[...]. Empty strings MUST NOT be included and byte strings MUST NOT be
truncated.
[1]: https://tools.ietf.org/html/rfc7301#section-3.1
Change-Id: I2c41fa99984a53cc58803e5a264d06edac964cc6
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1.x libs must be suffixed otherwise it will use the system ones which on API-21 are OpenSSL 1.0 not 1.1
Fixes: QTBUG-76884
Change-Id: I7d4052be68cf7dc65f74a48da8e1e37182056a5e
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When our QSslSocketBackendPrivate (OpenSSL backend) was developed,
the ancient versions of OpenSSL did not have an API needed to pass
an application-specific data into verification callback. Thus the
developers resorted to the use of global variables (a list with errors)
and locks. Some of our auto-tests use QNAM and in-process server.
Whenever the client (essentially qhttpthreadeddelegate) and the server
live in different threads, any use of 'https' is dead-lock prone,
which recent events demonstrated and which were previously observed
but not understood properly (rare occasions, not always easy to
reproduce). Now we fix this for good by removing locking.
There are two places (in 5.12) where these locks are needed:
1. Before calling SSL_connect/SSL_accept (handshake) - here
we reuse the same trick we do in PSK callback ('SSL' has
an external data set, and it's 'this', meaning an object
of type QSslSocketBackendPrivate).
2. The static member function 'verify', here we do not have
'SSL', but we have our temporary 'X509_STORE', to which
we can directly attach an external data - a pointer to
a vector to collect verification errors.
Note, this change assumes that OpenSSL Qt is build/linked
against is at least of version 1.0.1 - we set external data
on SSL unconditionally (no version checks).
Fixes: QTBUG-76157
Change-Id: I05c98e77dfd5fb0c2c260fb6c463732facf53ffc
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If this callback is not set then OpenSSL will call the callback
used for <= TLS 1.2 unconditionally when connecting. If using PSK it
will call it again later once the preshared key is needed.
We don't currently handle the TLSv1.3 PSK, but we definitely should.
But for now we can work around it - when psk_use_session_callback is
called we simply change the PSK callback to a dummy function whose only
purpose is to restore the old callback.
This is mostly done to keep behavior the same as it is now for users
(and to keep our tests running).
Later we can add a new signal and handle this new feature properly.
Task-number: QTBUG-67463
Change-Id: I4aca4ae73ec4be7c4f82a85e8864de103f35a834
Reviewed-by: Simo Fält <simo.falt@qt.io>
|
|
|
|
|
|
|
| |
...for a minor performance gain.
Change-Id: I4bef867055e069926fdc24fa98a6f94b6a0630e2
Reviewed-by: Oliver Wolff <oliver.wolff@qt.io>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1.0 and higher requires SSL_shutdown to mark a
session as resumable.
QHttpNetworkConnection/Channel tries to re-use one shared SSL
context (and the session) for its 'channels'. The session is
marked as non-resumable without shutdown sent/received.
This makes it useless for QHttpNetworkConnection.
See: https://github.com/openssl/openssl/issues/1550
Fixes: QTBUG-71967
Change-Id: Iaaceb18c4c5a090f997f9850981a27f04f1f8b06
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is similar to a change we approved recently in OpenSSL back-end.
Similar to OpenSSL, not setting the upper limit on protocols allowed
to negotiate/use, neatly ends up with the highest available, which
is ... TLS 1.2 at the moment, but will silently switch to 1.3 etc.
This was also recommended by Apple's engineer who closed a related
bug report with 'Won't do' - "do not limit the max, you'll always
have the real max supported'. Also, while at the moment we do
not allow QSsl::TlsV1_3 and QSsl::TlsV1_3OrLater, if we managed
to negotiate it - report it properly, not as 'Unknown'.
Task-number: QTBUG-67463
Change-Id: I3f46ea525f06edca03259123809f3b7b1191b1ee
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
|\
| |
| |
| |
| |
| |
| | |
Conflicts:
src/widgets/kernel/qtooltip.cpp
Change-Id: Ic2f9a425359050eb56b3a4e5162cf5e3447058c8
|
| |
| |
| |
| |
| |
| |
| |
| | |
When setting dtls configuration, we should also copy
backendConfig, otherwise this setting will be ignored.
Change-Id: I4df53e8e6d8c2bd0eb7dddb9928b7883c401d60a
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
|/
|
|
|
| |
Change-Id: I225e59bea0a8eac14fd11ef2b091907ae955c447
Reviewed-by: Topi Reiniö <topi.reinio@qt.io>
|
|\
| |
| |
| | |
Change-Id: If49df791f73e9edf616baa094e0f301a44cb853d
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Turns out that also Debian patches OpenSSL 1.0, changing its soname to "1.0.2".
Therefore, try also to load that one.
Amends 2708c6c11d685ab25c12d558961d924c9a4533d2.
Task-number: QTBUG-68156
Change-Id: I37cc060e90422779a6c29a324ab900f0fb99cfa7
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
| |
| |
| |
| |
| |
| | |
no need in duplicating DTLS-specific cases.
Change-Id: I475c6fb53daa44d60a5054bf3acc8474355b2186
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| | |
SSL_CTX_set_ciphers is new in 1.1.1.
Task-number: QTBUG-71983
Change-Id: If0ae9f95dcc867c62ed0d3a6a60c22c7f5e1cc9f
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
|\ \
| | |
| | |
| | | |
Change-Id: Ic1dd39044e19f50e1068d4ac70dacaad6440e570
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
1. Remove the conditional inclusion of DTLS versions, they made difficult
and unnecessary ugly adding new protocols (something like TlsV1_2OrLater + 4).
2. OpenSSL 1.1.1 first introduced TLS 1.3 support. OpenSSL 1.1 back-end is
compatible with OpenSSL 1.1.1, but would fail to extract/report protocol
versions and set versions like 'TLS 1.3 only' or 'TLS 1.3 or better' on a
new context. Given 1.1.1 is deployed/adapted fast by different distros,
and 5.12 is LTS, we fix this issue by introducing QSsl::Tls1_3 and
QSsl::Tls1_3OrLater.
SecureTransport, WinRT and OpenSSL below 1.1.1 will report an error in case
the application requests this protocol (SecureTransport in future will
probably enable TLS 1.3).
Saying all that, TLS 1.3 support is experimental in QSslSocket.
Done-by: Albert Astals Cid <albert.astals.cid@kdab.com>
Done-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Change-Id: I4a97cc789b62763763cf41c44157ef0a9fd6cbec
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Attempts to use QSslSocket and its OpenSSL 1.1 back-end with OpenSSL 1.1.1
in a very peculiar way (for some reason the reporter calls OPENSSL_no_config())
combined with a bug in OpenSSL 1.1.1 resulted in a QSslSocket dead-locking
in initialization. This was happening because supportsSsl() first reported
false (OpenSSL internally fails to initialize after OPENSSL_no_config()),
but we have s_libraryLoaded set to true too early, thus the first supportsSsl()
returns false, the second - true.
Move setting of s_libraryLoaded later so that we don't claim to support
OpenSSL when an earlier ensureLibraryLoaded() attempt failed.
Task-number: QTBUG-70956
Task-number: QTBUG-71446
Change-Id: I8ad8763d357c84fc38c62e2ce914366367c2b445
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
|\|
| |
| |
| | |
Change-Id: Iaf28977e7ecf566b28b9406dcb005d48621169c2
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some Linux distributions patch OpenSSL's soname, making builds
on such distributions not deployable elsewhere. The problem is that
the code loading OpenSSL symbols would attempt to use the soname
of the build machine, and therefore not finding the OpenSSL
libraries on the deploy system.
The binary builds of Qt for Linux are affected by this problem,
as they build under RHEL7.4 which changes to soname of OpenSSL to
a non-standard string. This makes the binary builds not pick up
OpenSSL 1.0 from the machine where the build gets installed on.
Given that in the pre-1.1 versions only the 1.0 series is supported,
bump the minimum requirement of Qt to that. The 1.0.x releases
(up to 1.0.2, at the time of this writing) have kept binary
compatibility, and advertise a soname of "1.0.0", which is used
by most distributions.
So, if loading of OpenSSL with the build-time soname fails,
try to load them with the "1.0.0" hardcoded soname.
[ChangeLog][QtNetwork][SSL] OpenSSL >= 1.0 is now required to build
Qt with OpenSSL support.
Task-number: QTBUG-68156
Change-Id: Ieff1561a3c1d278b511f09fef06580f034f188c6
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
|\|
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
src/plugins/platformthemes/platformthemes.pro
src/printsupport/kernel/qplatformprintdevice.cpp
Change-Id: Iac01729ad954bb1c7af5867d982eb243b2139ee6
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If you, directly after connecting, call "ignoreSslErrors()" followed by
"resume()" then you will most likely crash.
It is very contrived and there's no reason to do this.
Change-Id: I949a303238f5012296d0e84eb76173764eb9de2e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We need to override this snippet for the documentation
we generate for Qt for Python, and it is easier to have
it on a separate file.
Task-number: PYSIDE-801
Task-number: PYSIDE-691
Change-Id: Ideb5b6af25024279f167137d3b65660bb9c96a7e
Reviewed-by: Topi Reiniö <topi.reinio@qt.io>
|
|\|
| |
| |
| |
| |
| |
| | |
Conflicts:
src/corelib/tools/qtimezoneprivate.cpp
Change-Id: Icbb5999d378711ce3786a4fe0aba176a45ac702c
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In iOS, the system certificates cannot be accessed, so this function
will return an empty list for the default configuration.
Task-number: QTBUG-60407
Change-Id: I0d691a0dd5e6367594e71c7ebccfbdc866d4a3f0
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Andy Shaw <andy.shaw@qt.io>
|
|\|
| |
| |
| | |
Change-Id: Iaa438d14357be1bf75bb645cb8d3245947c055b8
|
| |
| |
| |
| |
| |
| | |
Change-Id: I061848ae570b382d640f8e46a1c54aeaeddbd77d
Fixes: QTBUG-61307
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
| |
| |
| |
| |
| |
| | |
Task-number: QTBUG-70208
Change-Id: Ib73ca0d3c0736336bf517ffb968cbdbab4610319
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Morten Johan Sørvig <morten.sorvig@qt.io>
|
|\ \
| | |
| | |
| | | |
refs/staging/5.12
|
| |\|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
src/corelib/global/qconfig-bootstrapped.h
src/widgets/util/qcompleter.cpp
Change-Id: I4f44f0f074982530f2f2e750ce696230b2754cf3
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
As it's done (albeit in old-style there) in other public QSsl-classes.
Task-number: QTBUG-70604
Change-Id: If3cd9da0e8f8378fd29a80215cd889e459aa7bce
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| | |
| | |
| | |
| | |
| | |
| | | |
Change-Id: I2236a456fe3758d9054b22e36fe6316f3522d533
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
According to the SSL_CTX_set_max_proto_version manpage [1]:
> Setting the minimum or maximum version to 0, will enable protocol
> versions down to the lowest version, or up to the highest version
> supported by the library, respectively.
This should make it possible to use Qt Network with older versions of
libssl than it was compiled against. In particular, use with 1.1.0 when
compiled against 1.1.1.
Also, one of OpenSSL developers is suggesting to remove TLS_MAX_VERSION
from the public header in the future [2].
[1] https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_max_proto_version.html#DESCRIPTION
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908567#59
Change-Id: Ie76054b917daa8e54d5c0156e848dbaca7bb8a82
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Testing barely 10.13 seems to be insuficcient: we have developers working
on macOS 10.12 with SDK 10.13, but apparently they cannot update to the
latest SDK 10.13. We can try to be more specific and use __MAC_10_13_4.
Task-number: QTBUG-70757
Change-Id: I083d51f1a945f63f0413792387475341ecb96118
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Andy Maloney <asmaloney@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
While these destructors are essentially trivial and contain no code,
the classes inherit QObject and thus have virtual tables. For such
classes -Wweak-vtable generates a warning: "'Class' has no out-of-line
virtual method definitions; its vtable will be emitted in every translation
unit." Noticed this after updating QtCreator to the latest version.
Change-Id: Iacb5d0cd49353bd35260aff736652542bb1ef197
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Provides two convenient getter for a display name of the subject and
issuer. This simplifies cases where you just want a simple string
describing either of the two.
Change-Id: Ia5d0e058f14dae067b13ac7360e7fec4edd9ec53
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add it to configure.json and replace all occurrences of QT_NO_THREAD
with QT_CONFIG(thread). Add conditions for other features that depend
on thread support. Remove conditions where we can use the QMutex and
QThreadStorage stubs.
Change-Id: I284e5d794fda9a4c6f4a1ab29e55aa686272a0eb
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Respect allowRootCertOnDemandLoading, as it's done in QSslSocket (well,
almost as in QSslSocket).
Change-Id: Ic6cbb24a91e92cdb20f5f749553f15a62aae8b02
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, the function had a different name that made its purpose
clear - "abort after peer verification error was encoutered". Since
now it's just 'abort handshake', it also should abort an ongoing
handshake, even if no peer verification error found so that we
now have an API that can reset a QDtls object to its initial
'nothing done yet' state.
Change-Id: Idadfec6f82d65c8f07d1c2afa4467c921c7e85c4
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This update corrects several minor documentation errors that
were introduced by a recent change to QDtls.
Change-Id: I6ee6b0bf74c82dca86ba8d5f39acbd642829ec44
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This update corrects several minor documentation errors that
cause qdoc warnings. These include incorrect or missing \fn
commands, incorrect uses of \e and \a commands together,
incorrect spellings, etc.
Change-Id: Ib26edef541fa3440025490bcf79cc101623e7f7b
Reviewed-by: Martin Smith <martin.smith@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A weird behavior of the DTLS server example, when linked with 1.0.2,
exposed that client code, requesting an invalid protocol (for example, SSLv3)
can end-up with connection encrypted with DTLS 1.2 (which is not that bad,
but totally surprising). When we check the protocol version early in
setDtlsConfiguration() and find a wrong version, we leave our previous
configuration intact and we will use it later during the handshake.
This is wrong. So now we let our user set whatever wrong configuration they
have and later fail in TLS initialization, saying -
'Unsupported protocol, DTLS was expected'.
Auto-test was reduced - the follow-up patch will introduce a new
'invalidConfiguration' auto-test.
Change-Id: I9be054c6112eea11b7801a1595aaf1d34329e1d2
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| | |
And reflow the text where it exceeds the 100 column limit.
Change-Id: I0d270c6a74a4c6ecba30e4e4d38a5d8f2cf81040
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As discussed/proposed previously: remove the duplicated code when converting the
native certificate representation into QSslCertificate (configuration.peerCertificate).
Also, use the correct integer type when iterating - CFIndex is actually long, not int.
Change-Id: Ia6f43172e21b5153a93f1ef2589980d68ec2b39f
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
| |
| |
| |
| |
| |
| | |
Task-number: QTBUG-68070
Change-Id: Ifd08ecb7c2c1a6dc352952a10ad56259bd1ecf10
Reviewed-by: Paul Wicking <paul.wicking@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
|\ \
| | |
| | |
| | | |
refs/staging/dev
|
| |\|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
.qmake.conf
src/corelib/doc/src/objectmodel/signalsandslots.qdoc
src/plugins/platforms/cocoa/qcocoamenuloader.mm
src/plugins/platforms/xcb/qxcbconnection.cpp
src/plugins/platforms/xcb/qxcbconnection.h
src/plugins/platforms/xcb/qxcbconnection_xi2.cpp
src/plugins/platforms/xcb/qxcbwindow.cpp
tests/auto/gui/image/qimage/tst_qimage.cpp
Done-with: Gatis Paeglis <gatis.paeglis@qt.io>
Change-Id: I9bd24ee9b00d4f26c8f344ce3970aa6e93935ff5
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It appears that by default our keychain auto-locks when the
system sleeps. This makes the keychain totally useless, since
its password is a random 256 bytes our user never has a chance
to know. Thanks to Mårten for the hint about SecKeychainSetSettings,
the way to properly fix it.
Task-number: QTBUG-69677
Change-Id: I2603c26b8422a1bcace3336e9b4ebe0381c952d7
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Also remove unneeded and now wrong check (was marked with TODO)
which was a copy and paste from OpenSSL counterpart. There, testing
if peerCertificateChain.isEmpty() makes sense, since there we
potentially call storePeerCertificates() twice during the handshake.
Change-Id: I946e6876adb3f9504e93c06ac90ff36dd44aca4c
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
That's actually how ignoreVerificationErrors (and QSslSocket::ignoreSslErrors)
are used to set the expected/known verification errors before handshake.
Auto-test updated too.
Change-Id: I9c700302d81ddb383a4a750fafd594373fb38ace
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As now the feature 'dtls' depends on the feature 'openssl' - ifdefs
are redundant, this code is always 'openssl-only'.
Change-Id: I6a7fe9e3a00ae05656af1626e7de74e813df5d32
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|