Changeset 846 for trunk/src/network/ssl

Timestamp:

May 5, 2011, 5:36:53 AM (14 years ago)

Author:

Dmitry A. Kuminov

Message:

trunk: Merged in qt 4.7.2 sources from branches/vendor/nokia/qt.

Location:

trunk

Files:

• . (modified) (1 prop)
• src/network/ssl/qssl.cpp (modified) (1 diff)
• src/network/ssl/qssl.h (modified) (1 diff)
• src/network/ssl/qsslcertificate.cpp (modified) (4 diffs)
• src/network/ssl/qsslcertificate.h (modified) (1 diff)
• src/network/ssl/qsslcertificate_p.h (modified) (1 diff)
• src/network/ssl/qsslcipher.cpp (modified) (1 diff)
• src/network/ssl/qsslcipher.h (modified) (1 diff)
• src/network/ssl/qsslcipher_p.h (modified) (1 diff)
• src/network/ssl/qsslconfiguration.cpp (modified) (2 diffs)
• src/network/ssl/qsslconfiguration.h (modified) (1 diff)
• src/network/ssl/qsslconfiguration_p.h (modified) (1 diff)
• src/network/ssl/qsslerror.cpp (modified) (1 diff)
• src/network/ssl/qsslerror.h (modified) (1 diff)
• src/network/ssl/qsslkey.cpp (modified) (1 diff)
• src/network/ssl/qsslkey.h (modified) (1 diff)
• src/network/ssl/qsslkey_p.h (modified) (1 diff)
• src/network/ssl/qsslsocket.cpp (modified) (15 diffs)
• src/network/ssl/qsslsocket.h (modified) (1 diff)
• src/network/ssl/qsslsocket_openssl.cpp (modified) (25 diffs)
• src/network/ssl/qsslsocket_openssl_p.h (modified) (3 diffs)
• src/network/ssl/qsslsocket_openssl_symbols.cpp (modified) (12 diffs)
• src/network/ssl/qsslsocket_openssl_symbols_p.h (modified) (2 diffs)
• src/network/ssl/qsslsocket_p.h (modified) (5 diffs)
• src/network/ssl/qt-ca-bundle.crt (deleted)
• src/network/ssl/ssl.pri (modified) (1 diff)

trunk/src/network/ssl/qssl.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qssl.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslcertificate.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -260 +260 @@
 /*!
     Returns the certificate's serial number string in decimal format.
+
+
+
 */
 QByteArray QSslCertificate::serialNumber() const
 {
-    if (d->serialNumberString.isEmpty() && d->x509)
-        d->serialNumberString =
-            QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->serialNumber)));
-
+    if (d->serialNumberString.isEmpty() && d->x509) {
+        ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber;
+        // if we cannot convert to a long, just output the hexadecimal number
+        if (serialNumber->length > 4) {
+            QByteArray hexString;
+            hexString.reserve(serialNumber->length * 3);
+            for (int a = 0; a < serialNumber->length; ++a) {
+                hexString += QByteArray::number(serialNumber->data[a], 16).rightJustified(2, '0');
+                hexString += ':';
+            }
+            hexString.chop(1);
+            d->serialNumberString = hexString;
+        } else {
+            d->serialNumberString = QByteArray::number(qlonglong(q_ASN1_INTEGER_get(serialNumber)));
+        }
+    }
     return d->serialNumberString;
 }
@@ -534 +549 @@
     int startIndex = 0;
     if (pathPrefix.trimmed().isEmpty()) {
-        startIndex = 2;
-        pathPrefix = QLatin1String(".");
+        if(path.startsWith(QLatin1Char('/'))) {
+            pathPrefix = path.left(path.indexOf(QRegExp(QLatin1String("[\\*\\?\\[]"))));
+            pathPrefix = path.left(path.lastIndexOf(QLatin1Char('/')));
+        } else {
+            startIndex = 2;
+            pathPrefix = QLatin1String(".");
+        }
     }
 
@@ -697 +717 @@
 static bool matchLineFeed(const QByteArray &pem, int *offset)
 {
-    char ch;
+    char ch;
 
     // ignore extra whitespace at the end of the line

trunk/src/network/ssl/qsslcertificate.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslcertificate_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslcipher.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslcipher.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslcipher_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslconfiguration.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -486 +486 @@
   Returns this connection's CA certificate database. The CA certificate
   database is used by the socket during the handshake phase to
-  validate the peer's certificate. It can be moodified prior to the
-  handshake with addCaCertificate(), addCaCertificates(), and
-  setCaCertificates().
+  validate the peer's certificate. It can be modified prior to the
+  handshake with setCaCertificates(), or with \l{QSslSocket}'s
+  \l{QSslSocket::}{addCaCertificate()} and
+  \l{QSslSocket::}{addCaCertificates()}.
 
   \sa setCaCertificates()

trunk/src/network/ssl/qsslconfiguration.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslconfiguration_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslerror.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslerror.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslkey.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslkey.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslkey_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslsocket.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -211 +211 @@
     signal. This mode is the default for clients.
 
-    \value AutoVerifyPeer QSslSocket will automaticaly use QueryPeer for
+    \value AutoVerifyPeer QSslSocket will automaticaly use QueryPeer for
     server sockets and VerifyPeer for client sockets.
 
@@ -297 +297 @@
 #include <QtCore/qdebug.h>
 #include <QtCore/qdir.h>
-#include <QtCore/qdatetime.h>
 #include <QtCore/qmutex.h>
+
 #include <QtNetwork/qhostaddress.h>
 #include <QtNetwork/qhostinfo.h>
@@ -575 +575 @@
 
     The default mode is AutoVerifyPeer, which tells QSslSocket to use
-    VerifyPeer for clients, QueryPeer for clients.
+    VerifyPeer for clientss.
 
     \sa setPeerVerifyMode(), peerVerifyDepth(), mode()
@@ -595 +595 @@
 
     The default mode is AutoVerifyPeer, which tells QSslSocket to use
-    VerifyPeer for clients, QueryPeer for clients.
+    VerifyPeer for clientss.
 
     Setting this mode after encryption has started has no effect on the
@@ -1330 +1330 @@
     Returns the current default CA certificate database. This database
     is originally set to your system's default CA certificate database.
-    If no system default database is found, Qt will provide its own
-    default database. You can override the default CA certificate database
+    If no system default database is found, 
+    . You can override the default CA certificate database
     with your own CA certificate database using setDefaultCaCertificates().
 
@@ -1345 +1345 @@
 
 /*!
-    This function provides a default CA certificate database
-    shipped together with Qt. The CA certificate database
+    This function provides  CA certificate database
+    . The CA certificate database
     returned by this function is used to initialize the database
     returned by defaultCaCertificates(). You can replace that database
@@ -1355 +1355 @@
 QList<QSslCertificate> QSslSocket::systemCaCertificates()
 {
-    QSslSocketPrivate::ensureInitialized();
+    
     return QSslSocketPrivate::systemCaCertificates();
 }
@@ -1404 +1404 @@
         return false;
 
-    QTime stopWatch;
+    Q stopWatch;
     stopWatch.start();
 
@@ -1444 +1444 @@
     d->readyReadEmittedPointer = &readyReadEmitted;
 
-    QTime stopWatch;
+    Q stopWatch;
     stopWatch.start();
 
@@ -1481 +1481 @@
         return d->plainSocket->waitForBytesWritten(msecs);
 
-    QTime stopWatch;
+    Q stopWatch;
     stopWatch.start();
 
@@ -1519 +1519 @@
         return d->plainSocket->waitForDisconnected(msecs);
 
-    QTime stopWatch;
+    Q stopWatch;
     stopWatch.start();
 
@@ -1557 +1557 @@
 bool QSslSocket::supportsSsl()
 {
-    return QSslSocketPrivate::ensureInitialized();
+    return QSslSocketPrivate::();
 }
 
@@ -1966 +1966 @@
     QMutexLocker locker(&globalData()->mutex);
     const QSslConfigurationPrivate *global = globalData()->config.constData();
+
+
+
+
+
 
     ptr->ref = 1;
@@ -2031 +2036 @@
 }
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 /*!
     \internal

trunk/src/network/ssl/qsslsocket.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])

trunk/src/network/ssl/qsslsocket_openssl.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -52 +52 @@
 #include <QtCore/qdir.h>
 #include <QtCore/qdiriterator.h>
+
 #include <QtCore/qfile.h>
 #include <QtCore/qfileinfo.h>
@@ -58 +59 @@
 #include <QtCore/qurl.h>
 #include <QtCore/qvarlengtharray.h>
-
-static void initNetworkResources()
-{
-    // Initialize resources
-    Q_INIT_RESOURCE(network);
-}
+#include <QLibrary> // for loading the security lib for the CA store
 
 QT_BEGIN_NAMESPACE
 
-// Useful defines
-#define SSL_ERRORSTR() QString::fromLocal8Bit(q_ERR_error_string(q_ERR_get_error(), NULL))
+#if defined(Q_OS_MAC)
+#define kSecTrustSettingsDomainSystem 2 // so we do not need to include the header file
+    PtrSecCertificateGetData QSslSocketPrivate::ptrSecCertificateGetData = 0;
+    PtrSecTrustSettingsCopyCertificates QSslSocketPrivate::ptrSecTrustSettingsCopyCertificates = 0;
+    PtrSecTrustCopyAnchorCertificates QSslSocketPrivate::ptrSecTrustCopyAnchorCertificates = 0;
+#elif defined(Q_OS_WIN)
+    PtrCertOpenSystemStoreW QSslSocketPrivate::ptrCertOpenSystemStoreW = 0;
+    PtrCertFindCertificateInStore QSslSocketPrivate::ptrCertFindCertificateInStore = 0;
+    PtrCertCloseStore QSslSocketPrivate::ptrCertCloseStore = 0;
+#elif defined(Q_OS_SYMBIAN)
+#include <e32base.h>
+#include <e32std.h>
+#include <e32debug.h>
+#include <QtCore/private/qcore_symbian_p.h>
+#endif
+
+bool QSslSocketPrivate::s_libraryLoaded = false;
+bool QSslSocketPrivate::s_loadedCiphersAndCerts = false;
 
 /* \internal
@@ -147 +159 @@
 static unsigned long id_function()
 {
-    return (unsigned long)QThread::currentThreadId();
+    return ()QThread::currentThreadId();
 }
 } // extern "C"
@@ -154 +166 @@
     : ssl(0),
       ctx(0),
+
       readBio(0),
       writeBio(0),
@@ -258 +271 @@
 
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Error creating SSL context (%1)").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Error creating SSL context (%1)").arg(()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -283 +296 @@
     if (!q_SSL_CTX_set_cipher_list(ctx, cipherString.data())) {
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Invalid or empty cipher list (%1)").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Invalid or empty cipher list (%1)").arg(()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -290 +303 @@
 
     // Add all our CAs to this store.
-    foreach (const QSslCertificate &caCertificate, q->caCertificates())
+    QList<QSslCertificate> expiredCerts;
+    foreach (const QSslCertificate &caCertificate, q->caCertificates()) {
+        // add expired certs later, so that the
+        // valid ones are used before the expired ones
+        if (! caCertificate.isValid()) {
+            expiredCerts.append(caCertificate);
+        } else {
+            q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+        }
+    }
+    // now add the expired certs
+    foreach (const QSslCertificate &caCertificate, expiredCerts) {
         q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+
 
     // Register a custom callback to get all verification errors.
@@ -299 +324 @@
         // Require a private key as well.
         if (configuration.privateKey.isNull()) {
-            q->setErrorString(QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -306 +331 @@
         // Load certificate
         if (!q_SSL_CTX_use_certificate(ctx, (X509 *)configuration.localCertificate.handle())) {
-            q->setErrorString(QSslSocket::tr("Error loading local certificate, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Error loading local certificate, %1").arg(()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -312 +337 @@
 
         // Load private key
-        EVP_PKEY *pkey = q_EVP_PKEY_new();
+        pkey = q_EVP_PKEY_new();
+        // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free.
+        // this lead to a memory leak. Now we use the *_set1_* functions which do not
+        // take ownership of the RSA/DSA key instance because the QSslKey already has ownership.
         if (configuration.privateKey.algorithm() == QSsl::Rsa)
-            q_EVP_PKEY_assign_RSA(pkey, (RSA *)configuration.privateKey.handle());
+            q_EVP_PKEY__RSA(pkey, (RSA *)configuration.privateKey.handle());
         else
-            q_EVP_PKEY_assign_DSA(pkey, (DSA *)configuration.privateKey.handle());
+            q_EVP_PKEY__DSA(pkey, (DSA *)configuration.privateKey.handle());
         if (!q_SSL_CTX_use_PrivateKey(ctx, pkey)) {
-            q->setErrorString(QSslSocket::tr("Error loading private key, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Error loading private key, %1").arg(()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -325 +353 @@
         // Check if the certificate matches the private key.
         if (!q_SSL_CTX_check_private_key(ctx)) {
-            q->setErrorString(QSslSocket::tr("Private key does not certify public key, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Private key does not certify public key, %1").arg(()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -345 +373 @@
     if (!(ssl = q_SSL_new(ctx))) {
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Error creating SSL session, %1").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Error creating SSL session, %1").arg(()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -360 +388 @@
     if (!readBio || !writeBio) {
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Error creating SSL session: %1").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Error creating SSL session: %1").arg(()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -389 +417 @@
     \internal
 
-    Declared static in QSslSocketPrivate, makes sure the SSL libraries have
-    been initialized.
+    D
+    .
 */
-bool QSslSocketPrivate::ensureInitialized()
+
+bool QSslSocketPrivate::supportsSsl()
+{
+    return ensureLibraryLoaded();
+}
+
+bool QSslSocketPrivate::ensureLibraryLoaded()
 {
     if (!q_resolveOpenSslSymbols())
@@ -399 +433 @@
     // Check if the library itself needs to be initialized.
     QMutexLocker locker(openssl_locks()->initLock());
-    static int q_initialized = false;
-    if (!q_initialized) {
-        q_initialized = true;
-
-        // Initialize resources
-        initNetworkResources();
+    if (!s_libraryLoaded) {
+        s_libraryLoaded = true;
 
         // Initialize OpenSSL.
@@ -441 +471 @@
                 return false;
         }
-
-        resetDefaultCiphers();
-        setDefaultCaCertificates(systemCaCertificates());
     }
     return true;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }
 
@@ -481 +570 @@
 }
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
 {
-    // Qt provides a default bundle of certificates
-    QFile caBundle(QLatin1String(":/trolltech/network/ssl/qt-ca-bundle.crt"));
-    if (caBundle.open(QIODevice::ReadOnly | QIODevice::Text))
-        return QSslCertificate::fromDevice(&caBundle);
-
-    // Unreachable; return no bundle.
-    return QList<QSslCertificate>();
+    ensureInitialized();
+#ifdef QSSLSOCKET_DEBUG
+    QElapsedTimer timer;
+    timer.start();
+#endif
+    QList<QSslCertificate> systemCerts;
+#if defined(Q_OS_MAC)
+    CFArrayRef cfCerts;
+    OSStatus status = 1;
+
+    OSStatus SecCertificateGetData (
+       SecCertificateRef certificate,
+       CSSM_DATA_PTR data
+    );
+
+    if (ptrSecCertificateGetData) {
+        if (ptrSecTrustSettingsCopyCertificates)
+            status = ptrSecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &cfCerts);
+        else if (ptrSecTrustCopyAnchorCertificates)
+            status = ptrSecTrustCopyAnchorCertificates(&cfCerts);
+        if (!status) {
+            CFIndex size = CFArrayGetCount(cfCerts);
+            for (CFIndex i = 0; i < size; ++i) {
+                SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i);
+                CSSM_DATA data;
+                CSSM_DATA_PTR dataPtr = &data;
+                if (ptrSecCertificateGetData(cfCert, dataPtr)) {
+                    qWarning("error retrieving a CA certificate from the system store");
+                } else {
+                    int len = data.Length;
+                    char *rawData = reinterpret_cast<char *>(data.Data);
+                    QByteArray rawCert(rawData, len);
+                    systemCerts.append(QSslCertificate::fromData(rawCert, QSsl::Der));
+                }
+            }
+        }
+        else {
+           // no detailed error handling here
+           qWarning("could not retrieve system CA certificates");
+        }
+    }
+#elif defined(Q_OS_WIN)
+    if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) {
+        HCERTSTORE hSystemStore;
+#if defined(Q_OS_WINCE)
+        hSystemStore = ptrCertOpenSystemStoreW(CERT_STORE_PROV_SYSTEM_W,
+                                               0,
+                                               0,
+                                               CERT_STORE_NO_CRYPT_RELEASE_FLAG|CERT_SYSTEM_STORE_CURRENT_USER,
+                                               L"ROOT");
+#else
+        hSystemStore = ptrCertOpenSystemStoreW(0, L"ROOT");
+#endif
+        if(hSystemStore) {
+            PCCERT_CONTEXT pc = NULL;
+            while(1) {
+                pc = ptrCertFindCertificateInStore( hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pc);
+                if(!pc)
+                    break;
+                QByteArray der((const char *)(pc->pbCertEncoded), static_cast<int>(pc->cbCertEncoded));
+                QSslCertificate cert(der, QSsl::Der);
+                systemCerts.append(cert);
+            }
+            ptrCertCloseStore(hSystemStore, 0);
+        }
+    }
+#elif defined(Q_OS_UNIX) && !defined(Q_OS_SYMBIAN)
+    QSet<QString> certFiles;
+    QList<QByteArray> directories;
+    directories << "/etc/ssl/certs/"; // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ...
+    directories << "/usr/lib/ssl/certs/"; // Gentoo, Mandrake
+    directories << "/usr/share/ssl/"; // Centos, Redhat, SuSE
+    directories << "/usr/local/ssl/"; // Normal OpenSSL Tarball
+    directories << "/var/ssl/certs/"; // AIX
+    directories << "/usr/local/ssl/certs/"; // Solaris
+    directories << "/opt/openssl/certs/"; // HP-UX
+
+    QDir currentDir;
+    QStringList nameFilters;
+    nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt");
+    currentDir.setNameFilters(nameFilters);
+    for (int a = 0; a < directories.count(); a++) {
+        currentDir.setPath(QLatin1String(directories.at(a)));
+        QDirIterator it(currentDir);
+        while(it.hasNext()) {
+            it.next();
+            // use canonical path here to not load the same certificate twice if symlinked
+            certFiles.insert(it.fileInfo().canonicalFilePath());
+        }
+    }
+    QSetIterator<QString> it(certFiles);
+    while(it.hasNext()) {
+        systemCerts.append(QSslCertificate::fromPath(it.next()));
+    }
+    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva
+    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss
+
+#elif defined(Q_OS_SYMBIAN)
+    QList<QByteArray> certs;
+    QScopedPointer<CSymbianCertificateRetriever> retriever(CSymbianCertificateRetriever::NewL());
+
+    retriever->GetCertificates(certs);
+    foreach (const QByteArray &encodedCert, certs) {
+        QSslCertificate cert(encodedCert, QSsl::Der);
+        if (!cert.isNull()) {
+#ifdef QSSLSOCKET_DEBUG
+            qDebug() << "imported certificate: " << cert.issuerInfo(QSslCertificate::CommonName);
+#endif
+            systemCerts.append(cert);
+        }
+    }
+#endif
+#ifdef QSSLSOCKET_DEBUG
+    qDebug() << "systemCaCertificates retrieval time " << timer.elapsed() << "ms";
+    qDebug() << "imported " << systemCerts.count() << " certificates";
+#endif
+
+    return systemCerts;
 }
 
@@ -544 +918 @@
                 if (writtenBytes <= 0) {
                     // ### Better error handling.
-                    q->setErrorString(QSslSocket::tr("Unable to write data: %1").arg(SSL_ERRORSTR()));
+                    q->setErrorString(QSslSocket::tr("Unable to write data: %1").arg(()));
                     q->setSocketError(QAbstractSocket::UnknownSocketError);
                     emit q->error(QAbstractSocket::UnknownSocketError);
@@ -607 +981 @@
                 } else {
                     // ### Better error handling.
-                    q->setErrorString(QSslSocket::tr("Unable to decrypt data: %1").arg(SSL_ERRORSTR()));
+                    q->setErrorString(QSslSocket::tr("Unable to decrypt data: %1").arg(()));
                     q->setSocketError(QAbstractSocket::UnknownSocketError);
                     emit q->error(QAbstractSocket::UnknownSocketError);
@@ -681 +1055 @@
                 plainSocket->disconnectFromHost();
                 break;
+
+
+
+
+
+
+
+
             default:
-                // ### Handle errors better.
-                q->setErrorString(QSslSocket::tr("Error while reading: %1").arg(SSL_ERRORSTR()));
+                // SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT: can only happen with a
+                // BIO_s_connect() or BIO_s_accept(), which we do not call.
+                // SSL_ERROR_WANT_X509_LOOKUP: can only happen with a
+                // SSL_CTX_set_client_cert_cb(), which we do not call.
+                // So this default case should never be triggered.
+                q->setErrorString(QSslSocket::tr("Error while reading: %1").arg(getErrorsFromOpenSsl()));
                 q->setSocketError(QAbstractSocket::UnknownSocketError);
                 emit q->error(QAbstractSocket::UnknownSocketError);
@@ -778 +1164 @@
             break;
         default:
-            // ### Handle errors better
-            q->setErrorString(QSslSocket::tr("Error during SSL handshake: %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Error during SSL handshake: %1").arg(getErrorsFromOpenSsl()));
             q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
 #ifdef QSSLSOCKET_DEBUG
@@ -816 +1201 @@
             QString commonName = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName);
 
-            QRegExp regexp(commonName, Qt::CaseInsensitive, QRegExp::Wildcard);
-            if (!regexp.exactMatch(peerName)) {
+            if (!isMatchingHostname(commonName.toLower(), peerName.toLower())) {
                 bool matched = false;
                 foreach (const QString &altName, configuration.peerCertificate
                          .alternateSubjectNames().values(QSsl::DnsEntry)) {
-                    regexp.setPattern(altName);
-                    if (regexp.exactMatch(peerName)) {
+                    if (isMatchingHostname(altName.toLower(), peerName.toLower())) {
                         matched = true;
                         break;
                     }
                 }
+
                 if (!matched) {
                     // No matches in common names or alternate names.
@@ -923 +1307 @@
         ctx = 0;
     }
+
+
+
+
+
 }
 
@@ -951 +1340 @@
 }
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 QT_END_NAMESPACE

trunk/src/network/ssl/qsslsocket_openssl_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -98 +98 @@
     SSL *ssl;
     SSL_CTX *ctx;
+
     BIO *readBio;
     BIO *writeBio;
@@ -116 +117 @@
     static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher);
     static QList<QSslCertificate> STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509);
+
+
 };
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 QT_END_NAMESPACE

trunk/src/network/ssl/qsslsocket_openssl_symbols.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -43 +43 @@
 #include "qsslsocket_openssl_symbols_p.h"
 
-#include <QtCore/qlibrary.h>
+#ifdef Q_OS_WIN
+# include <private/qsystemlibrary_p.h>
+#else
+# include <QtCore/qlibrary.h>
+#endif
 #include <QtCore/qmutex.h>
 #include <private/qmutexpool_p.h>
@@ -120 +124 @@
 DEFINEFUNC(const EVP_CIPHER *, EVP_des_ede3_cbc, DUMMYARG, DUMMYARG, return 0, return)
 DEFINEFUNC3(int, EVP_PKEY_assign, EVP_PKEY *a, a, int b, b, char *c, c, return -1, return)
+
+
 DEFINEFUNC(void, EVP_PKEY_free, EVP_PKEY *a, a, return, DUMMYARG)
 DEFINEFUNC(DSA *, EVP_PKEY_get1_DSA, EVP_PKEY *a, a, return 0, return)
@@ -333 +339 @@
             .split(QLatin1Char(':'), QString::SkipEmptyParts);
 #  endif
-    paths << QLatin1String("/usr/lib") << QLatin1String("/usr/local/lib");
+    paths << QLatin1String("/usr/lib") << QLatin1String("/usr/local/lib");
 
     QStringList foundSsls;
@@ -348 +354 @@
 }
 # endif
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 static QPair<QLibrary*, QLibrary*> loadOpenSsl()
@@ -355 +388 @@
     pair.second = 0;
 
-# ifdef Q_OS_WIN
-    QLibrary *ssleay32 = new QLibrary(QLatin1String("ssleay32"));
-    if (!ssleay32->load()) {
-        // Cannot find ssleay32.dll
-        delete ssleay32;
-        return pair;
-    }
-
-    QLibrary *libeay32 = new QLibrary(QLatin1String("libeay32"));
-    if (!libeay32->load()) {
-        delete ssleay32;
-        delete libeay32;
-        return pair;
-    }
-
-    pair.first = ssleay32;
-    pair.second = libeay32;
-    return pair;
-# elif defined(Q_OS_SYMBIAN)
+# if defined(Q_OS_SYMBIAN)
      QLibrary *libssl = new QLibrary(QLatin1String("libssl"));
     if (!libssl->load()) {
@@ -506 +521 @@
 # endif
 }
+
 
 bool q_resolveOpenSslSymbols()
@@ -520 +536 @@
     triedToResolveSymbols = true;
 
+
+
+
     QPair<QLibrary *, QLibrary *> libs = loadOpenSsl();
+
     if (!libs.first || !libs.second)
         // failed to load them
@@ -549 +569 @@
     RESOLVEFUNC(EVP_des_ede3_cbc, 919, libs.second )
     RESOLVEFUNC(EVP_PKEY_assign, 859, libs.second )
+
+
     RESOLVEFUNC(EVP_PKEY_free, 867, libs.second )
     RESOLVEFUNC(EVP_PKEY_get1_DSA, 869, libs.second )
@@ -671 +693 @@
     RESOLVEFUNC(EVP_des_ede3_cbc)
     RESOLVEFUNC(EVP_PKEY_assign)
+
+
     RESOLVEFUNC(EVP_PKEY_free)
     RESOLVEFUNC(EVP_PKEY_get1_DSA)
@@ -794 +818 @@
 QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
 {
-    char lBuffer[24];
-    char *pBuffer = lBuffer;
-
     size_t lTimeLength = aTime->length;
     char *pString = (char *) aTime->data;
 
     if (aTime->type == V_ASN1_UTCTIME) {
+
+
+
+
         if ((lTimeLength < 11) || (lTimeLength > 17))
             return QDateTime();
@@ -807 +832 @@
         pBuffer += 10;
         pString += 10;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
     } else {
-        if (lTimeLength < 13)
-            return QDateTime();
-
-        memcpy(pBuffer, pString, 12);
-        pBuffer += 12;
-        pString += 12;
-    }
-
-    if ((*pString == 'Z') || (*pString == '-') || (*pString == '+')) {
-        *pBuffer++ = '0';
-        *pBuffer++ = '0';
-    } else {
-        *pBuffer++ = *pString++;
-        *pBuffer++ = *pString++;
-        // Skip any fractional seconds...
-        if (*pString == '.') {
-            pString++;
-            while ((*pString >= '0') && (*pString <= '9'))
-                pString++;
-        }
-    }
-
-    *pBuffer++ = 'Z';
-    *pBuffer++ = '\0';
-
-    time_t lSecondsFromUCT;
-    if (*pString == 'Z') {
-        lSecondsFromUCT = 0;
-    } else {
-        if ((*pString != '+') && (*pString != '-'))
-            return QDateTime();
-
-        lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
-        lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0');
-        lSecondsFromUCT *= 60;
-        if (*pString == '-')
-            lSecondsFromUCT = -lSecondsFromUCT;
-    }
-
-    tm lTime;
-    lTime.tm_sec = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
-    lTime.tm_min = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
-    lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
-    lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
-    lTime.tm_mon = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
-    lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
-    if (lTime.tm_year < 50)
-        lTime.tm_year += 100; // RFC 2459
-
-    QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday);
-    QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec);
-    QDateTime result(resDate, resTime, Qt::UTC);
-    result = result.addSecs(lSecondsFromUCT);
-    return result;
+        qWarning("unsupported date format detected");
+        return QDateTime();
+    }
+
 }
 

trunk/src/network/ssl/qsslsocket_openssl_symbols_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -228 +228 @@
 const EVP_CIPHER *q_EVP_des_ede3_cbc();
 int q_EVP_PKEY_assign(EVP_PKEY *a, int b, char *c);
+
+
 void q_EVP_PKEY_free(EVP_PKEY *a);
 RSA *q_EVP_PKEY_get1_RSA(EVP_PKEY *a);

trunk/src/network/ssl/qsslsocket_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 201 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation ([email protected])
@@ -67 +67 @@
 QT_BEGIN_NAMESPACE
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 class QSslSocketPrivate : public QTcpSocketPrivate
 {
@@ -91 +113 @@
     QString verificationPeerName;
 
-    static bool ensureInitialized();
+    static bool supportsSsl();
+    static void ensureInitialized();
     static void deinitialize();
     static QList<QSslCipher> defaultCiphers();
@@ -107 +130 @@
     static void addDefaultCaCertificates(const QList<QSslCertificate> &certs);
 
+
+
+
+
+
+
+
+
+
+
     // The socket itself, including private slots.
     QTcpSocket *plainSocket;
     void createPlainSocket(QIODevice::OpenMode openMode);
+
+
     void _q_connectedSlot();
     void _q_hostFoundSlot();
@@ -127 +162 @@
     virtual void disconnected() = 0;
     virtual QSslCipher sessionCipher() const = 0;
+
+
+
+
+
+
+
 };
 

trunk/src/network/ssl/ssl.pri

@@ -32 +32 @@
                ssl/qsslsocket_openssl_symbols.cpp
 
-    # Include Qt's default CA bundle
-    RESOURCES += network.qrc
-
     # Add optional SSL libs
     LIBS_PRIVATE += $$OPENSSL_LIBS