From faeaddc1b92f1000a5a1d9d7cdea9276bdfefe26 Mon Sep 17 00:00:00 2001 From: Timur Pocheptsov Date: Wed, 15 Jun 2016 10:01:14 +0200 Subject: QSslSocket::transmit (macOS/iOS) - do not use invalid context 1. QSslSocketBackendPrivate::transmit can invalidate SSL context causing subsequent SSLWrite or SSLRead calls to fail; these report errSecParam (as null context is an invalid parameter) spuriously, when we should rather report the cause of invalidation. The OpenSSL backend can trigger this when it aborts connection during an SSL handshake, on an sslErrors signal. As transmit() emits readReady(), a directly connected slot can trigger the same problem if it aborts or closes. 2. If during peer verification (and in checkSslErrors) we disconnect on sslErrors signal, peer verification must be considered failed and should not continue handshake/set connectionEncrypted. Task-number: QTBUG-52975 Task-number: QTBUG-53906 Change-Id: Iacd3b489a4156e25ef3460ace40d21f34a946bed Reviewed-by: Edward Welbourne --- src/network/ssl/qsslsocket_mac.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index 4e090f96cb..9f0359aa47 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -634,7 +634,7 @@ void QSslSocketBackendPrivate::transmit() if (connectionEncrypted && !writeBuffer.isEmpty()) { qint64 totalBytesWritten = 0; - while (writeBuffer.nextDataBlockSize() > 0) { + while (writeBuffer.nextDataBlockSize() > 0 && context) { const size_t nextDataBlockSize = writeBuffer.nextDataBlockSize(); size_t writtenBytes = 0; const OSStatus err = SSLWrite(context, writeBuffer.readPointer(), nextDataBlockSize, &writtenBytes); 
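Review bot: The new `&& context` test in the write loop of transmit() has no comment saying what can reset `context` between iterations, so the guard looks redundant next to the `SSLWrite(context, …)` call and is easy to drop in a later cleanup. The same applies to `while (context)` in the read loop of the next hunk; only the verifyPeerTrust() hunk documents its reason. I would add above each loop something like `// A slot run from a signal emitted in this loop may abort/close the socket and invalidate context.` The loop body continues outside the hunk, so whether the code after the loop copes with a null `context` and with unsent data left in `writeBuffer` cannot be checked from here.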
@@ -668,7 +668,7 @@ void QSslSocketBackendPrivate::transmit() if (connectionEncrypted) { QVarLengthArray data; - while (true) { + while (context) { size_t readBytes = 0; data.resize(4096); const OSStatus err = SSLRead(context, data.data(), data.size(), &readBytes); @@ -1305,7 +1305,10 @@ bool QSslSocketBackendPrivate::verifyPeerTrust() // report errors if (!errors.isEmpty() && !canIgnoreVerify) { sslErrors = errors; - if (!checkSslErrors()) + // checkSslErrors unconditionally emits sslErrors: + // a user's slot can abort/close/disconnect on this + // signal, so we also test the socket's state: + if (!checkSslErrors() || q->state() != QAbstractSocket::ConnectedState) return false; } else { sslErrors.clear(); -- cgit v1.2.3 From 890edc45d897639f0ef99a561ea033d6ae5781e7 Mon Sep 17 00:00:00 2001 From: Giuseppe D'Angelo Date: Sun, 5 Jun 2016 20:57:38 +0200 Subject: QSslSocket: improve documentation of the supported protocols MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1) To describe a protocol version we should use an "ordinary" name, not use the values out of the QSsl::SslProtocol enum. 2) Say that we support the latest stable TLS version (1.2, not 1.0). 3) Fix a statement about which protocol is the default one. Change-Id: I18732914d55060a0c3920f7082f986c262a71ded Reviewed-by: André Klitzing Reviewed-by: Richard J. Moore --- src/network/ssl/qsslsocket.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 25a471dda8..c453606262 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp 
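Review bot: The fail-closed check added in verifyPeerTrust(), `q->state() != QAbstractSocket::ConnectedState`, comes without a regression test; the diffstat lists only qsslsocket_mac.cpp. This check is what stops a socket that a slot aborted on sslErrors from continuing the handshake and setting connectionEncrypted, so an autotest that closes the socket from an sslErrors slot and asserts that encrypted() is never emitted would pin it. The check sits only on the `!errors.isEmpty() && !canIgnoreVerify` branch, and the function starts and ends outside the hunk, so whether other signal-emitting paths need the same state test is not visible here.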
@@ -49,7 +49,8 @@ QSslSocket establishes a secure, encrypted TCP connection you can use for transmitting encrypted data. It can operate in both client and server mode, and it supports modern SSL protocols, including - SSLv3 and TLSv1_0. By default, QSslSocket uses TLSv1_0, but you can + SSL 3 and TLS 1.2. By default, QSslSocket uses only SSL protocols + which are considered to be secure (QSsl::SecureProtocols), but you can change the SSL protocol by calling setProtocol() as long as you do it before the handshake has started. -- cgit v1.2.3 From cddb344f3e24e3a61baf896161618c36a3f0c737 Mon Sep 17 00:00:00 2001 From: Alex Trotsenko Date: Thu, 30 Jun 2016 18:45:41 +0300 Subject: QSslSocket: reset connection parameters on disconnect Otherwise socketDescriptor(), localPort(), localAddress(), peerPort(), peerAddress(), and peerName() remain uncleared until close() is called. This could take place when the connection is closed by the remote endpoint or the user calls disconnectFromHost(). After disconnecting, connection parameters are no longer valid, while I/O device is still opened and may have pending data for reading. Usually, the user reads all incoming data and closes the device independently. Change-Id: Ic898851c39137faf64019949910f0d94ebb79df7 Reviewed-by: Edward Welbourne --- src/network/ssl/qsslsocket.cpp | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 591d635162..ccb11de7e0 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -2401,6 +2401,13 @@ void QSslSocketPrivate::_q_disconnectedSlot() #endif disconnected(); emit q->disconnected(); + + q->setLocalPort(0); + q->setLocalAddress(QHostAddress()); + q->setPeerPort(0); + q->setPeerAddress(QHostAddress()); + q->setPeerName(QString()); + cachedSocketDescriptor = -1; } /*! -- cgit v1.2.3 From 2788fccd29fba84bca7581778f5bc683736f1d0e Mon Sep 17 00:00:00 2001 
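Review bot: The reworded class description still lists SSL 3 under "modern SSL protocols", directly before saying the default is limited to protocols considered secure; SSL 3 was deprecated by RFC 7568 and should not be presented as modern. I would write `and it supports SSL and TLS protocol versions up to TLS 1.2` and, where setProtocol() is mentioned, add `Selecting a legacy protocol such as SSL 3 lowers the security of the connection.` Whether QSsl::SecureProtocols itself excludes SSL 3 in this release is not visible in the hunk, so the text should state it one way or the other.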
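Review bot: The resets in _q_disconnectedSlot() run after `emit q->disconnected();`, so a directly connected slot that starts a new connection from that signal would, as far as this hunk shows, have its fresh peer name, addresses and ports cleared when control returns here. The first commit on this page fixes the same kind of re-entrancy in transmit(). If slots must still see the old values during the signal, keep the order but guard the block, e.g. `if (q->state() == QAbstractSocket::UnconnectedState) { … }`, and say so in a comment; otherwise move the resets above the emit. The function begins outside the hunk.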
From: Anton Kudryavtsev Date: Wed, 6 Jul 2016 11:32:54 +0300 Subject: Use QStringLiteral more judiciously Replace it with QL1S in QStringBuilder expressions and in overloaded functions. Replace patterns 'QString::number() + QStringLiteral' and 'QStringLiteral + QString::number()' with QString::asprintf. Saves some text size. Change-Id: Ib39b2332264dfc3df04e77f2c101b47a1030cef4 Reviewed-by: Edward Welbourne Reviewed-by: Thiago Macieira --- src/network/ssl/qsslsocket_mac.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index 3845a3d455..ba346f77d1 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -468,7 +468,7 @@ long QSslSocketPrivate::sslLibraryVersionNumber() QString QSslSocketPrivate::sslLibraryVersionString() { - return QStringLiteral("Secure Transport, ") + QSysInfo::prettyProductName(); + return QLatin1String("Secure Transport, ") + QSysInfo::prettyProductName(); } long QSslSocketPrivate::sslLibraryBuildVersionNumber() -- cgit v1.2.3 From 8beddf8328eb65436790e332b5e0c0760ada0c7d Mon Sep 17 00:00:00 2001 From: Gabriel de Dietrich Date: Wed, 29 Jun 2016 16:27:25 -0700 Subject: QSslSocketBackendPrivate: Remove QString warnings Change-Id: I2ab758fe61ea1ba9b84672ac05ac219b85e3de6a Reviewed-by: Timur Pocheptsov --- src/network/ssl/qsslsocket_mac.cpp | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index 9f0359aa47..8aa9269f4b 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp 
@@ -600,7 +600,7 @@ void QSslSocketBackendPrivate::startClientEncryption() // Error description/code were set, 'error' emitted // by initSslContext, but OpenSSL socket also sets error // emits a signal twice, so ... - setErrorAndEmit(QAbstractSocket::SslInternalError, "Unable to init SSL Context"); + setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("Unable to init SSL Context")); return; } @@ -613,7 +613,7 @@ void QSslSocketBackendPrivate::startServerEncryption() // Error description/code were set, 'error' emitted // by initSslContext, but OpenSSL socket also sets error // emits a signal twice, so ... - setErrorAndEmit(QAbstractSocket::SslInternalError, "Unable to init SSL Context"); + setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("Unable to init SSL Context")); return; } @@ -936,7 +936,7 @@ bool QSslSocketBackendPrivate::initSslContext() context.reset(qt_createSecureTransportContext(mode)); if (!context) { - setErrorAndEmit(QAbstractSocket::SslInternalError, "SSLCreateContext failed"); + setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("SSLCreateContext failed")); return false; } @@ -964,7 +964,7 @@ bool QSslSocketBackendPrivate::initSslContext() if (!setSessionProtocol()) { destroySslContext(); - setErrorAndEmit(QAbstractSocket::SslInternalError, "Failed to set protocol version"); + setErrorAndEmit(QAbstractSocket::SslInternalError, QStringLiteral("Failed to set protocol version")); return false; } @@ -1406,8 +1406,7 @@ bool QSslSocketBackendPrivate::startHandshake() // check protocol version ourselves, as Secure Transport does not enforce // the requested min / max versions. if (!verifySessionProtocol()) { - setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, - "Protocol version mismatch"); + setErrorAndEmit(QAbstractSocket::SslHandshakeFailedError, QStringLiteral("Protocol version mismatch")); plainSocket->disconnectFromHost(); return false; } -- cgit v1.2.3