From faeaddc1b92f1000a5a1d9d7cdea9276bdfefe26 Mon Sep 17 00:00:00 2001 From: Timur Pocheptsov Date: Wed, 15 Jun 2016 10:01:14 +0200 Subject: QSslSocket::transmit (macOS/iOS) - do not use invalid context 1. QSslSocketBackendPrivate::transmit can invalidate SSL context causing subsequent SSLWrite or SSLRead calls to fail; these report errSecParam (as null context is an invalid parameter) spuriously, when we should rather report the cause of invalidation. The OpenSSL backend can trigger this when it aborts connection during an SSL handshake, on an sslErrors signal. As transmit() emits readReady(), a directly connected slot can trigger the same problem if it aborts or closes. 2. If during peer verification (and in checkSslErrors) we disconnect on sslErrors signal, peer verification must be considered failed and should not continue handshake/set connectionEncrypted. Task-number: QTBUG-52975 Task-number: QTBUG-53906 Change-Id: Iacd3b489a4156e25ef3460ace40d21f34a946bed Reviewed-by: Edward Welbourne --- src/network/ssl/qsslsocket_mac.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index 4e090f96cb..9f0359aa47 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -634,7 +634,7 @@ void QSslSocketBackendPrivate::transmit() if (connectionEncrypted && !writeBuffer.isEmpty()) { qint64 totalBytesWritten = 0; - while (writeBuffer.nextDataBlockSize() > 0) { + while (writeBuffer.nextDataBlockSize() > 0 && context) { const size_t nextDataBlockSize = writeBuffer.nextDataBlockSize(); size_t writtenBytes = 0; const OSStatus err = SSLWrite(context, writeBuffer.readPointer(), nextDataBlockSize, &writtenBytes); @@ -668,7 +668,7 @@ void QSslSocketBackendPrivate::transmit() if (connectionEncrypted) { QVarLengthArray data; - while (true) { + while (context) { size_t readBytes = 0; data.resize(4096); const OSStatus err = SSLRead(context, data.data(), data.size(), &readBytes); @@ -1305,7 +1305,10 @@ bool QSslSocketBackendPrivate::verifyPeerTrust() // report errors if (!errors.isEmpty() && !canIgnoreVerify) { sslErrors = errors; - if (!checkSslErrors()) + // checkSslErrors unconditionally emits sslErrors: + // a user's slot can abort/close/disconnect on this + // signal, so we also test the socket's state: + if (!checkSslErrors() || q->state() != QAbstractSocket::ConnectedState) return false; } else { sslErrors.clear(); -- cgit v1.2.3 From 890edc45d897639f0ef99a561ea033d6ae5781e7 Mon Sep 17 00:00:00 2001 From: Giuseppe D'Angelo Date: Sun, 5 Jun 2016 20:57:38 +0200 Subject: QSslSocket: improve documentation of the supported protocols MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1) To describe a protocol version we should use an "ordinary" name, not use the values out of the QSsl::SslProtocol enum. 2) Say that we support the latest stable TLS version (1.2, not 1.0). 3) Fix a statement about which protocol is the default one. Change-Id: I18732914d55060a0c3920f7082f986c262a71ded Reviewed-by: André Klitzing Reviewed-by: Richard J. Moore --- src/network/ssl/qsslsocket.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 25a471dda8..c453606262 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -49,7 +49,8 @@ QSslSocket establishes a secure, encrypted TCP connection you can use for transmitting encrypted data. It can operate in both client and server mode, and it supports modern SSL protocols, including - SSLv3 and TLSv1_0. By default, QSslSocket uses TLSv1_0, but you can + SSL 3 and TLS 1.2. By default, QSslSocket uses only SSL protocols + which are considered to be secure (QSsl::SecureProtocols), but you can change the SSL protocol by calling setProtocol() as long as you do it before the handshake has started. -- cgit v1.2.3