Changeset 846 for trunk/src/network/ssl

Timestamp:

May 5, 2011, 5:36:53 AM (14 years ago)

Author:

Dmitry A. Kuminov

Message:

trunk: Merged in qt 4.7.2 sources from branches/vendor/nokia/qt.

Location:

trunk

Files:

• . (modified) (1 prop)
• src/network/ssl/qssl.cpp (modified) (1 diff)
• src/network/ssl/qssl.h (modified) (1 diff)
• src/network/ssl/qsslcertificate.cpp (modified) (4 diffs)
• src/network/ssl/qsslcertificate.h (modified) (1 diff)
• src/network/ssl/qsslcertificate_p.h (modified) (1 diff)
• src/network/ssl/qsslcipher.cpp (modified) (1 diff)
• src/network/ssl/qsslcipher.h (modified) (1 diff)
• src/network/ssl/qsslcipher_p.h (modified) (1 diff)
• src/network/ssl/qsslconfiguration.cpp (modified) (2 diffs)
• src/network/ssl/qsslconfiguration.h (modified) (1 diff)
• src/network/ssl/qsslconfiguration_p.h (modified) (1 diff)
• src/network/ssl/qsslerror.cpp (modified) (1 diff)
• src/network/ssl/qsslerror.h (modified) (1 diff)
• src/network/ssl/qsslkey.cpp (modified) (1 diff)
• src/network/ssl/qsslkey.h (modified) (1 diff)
• src/network/ssl/qsslkey_p.h (modified) (1 diff)
• src/network/ssl/qsslsocket.cpp (modified) (15 diffs)
• src/network/ssl/qsslsocket.h (modified) (1 diff)
• src/network/ssl/qsslsocket_openssl.cpp (modified) (25 diffs)
• src/network/ssl/qsslsocket_openssl_p.h (modified) (3 diffs)
• src/network/ssl/qsslsocket_openssl_symbols.cpp (modified) (12 diffs)
• src/network/ssl/qsslsocket_openssl_symbols_p.h (modified) (2 diffs)
• src/network/ssl/qsslsocket_p.h (modified) (5 diffs)
• src/network/ssl/qt-ca-bundle.crt (deleted)
• src/network/ssl/ssl.pri (modified) (1 diff)

trunk/src/network/ssl/qssl.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qssl.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslcertificate.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -260 +260 @@
 /*!
     Returns the certificate's serial number string in decimal format.
+    In case the serial number cannot be converted to decimal format
+    (i.e. if it is bigger than 4294967295, which means it does not fit into 4 bytes),
+    its hexadecimal version is returned.
 */
 QByteArray QSslCertificate::serialNumber() const
 {
-    if (d->serialNumberString.isEmpty() && d->x509)
-        d->serialNumberString =
-            QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->serialNumber)));
-
+    if (d->serialNumberString.isEmpty() && d->x509) {
+        ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber;
+        // if we cannot convert to a long, just output the hexadecimal number
+        if (serialNumber->length > 4) {
+            QByteArray hexString;
+            hexString.reserve(serialNumber->length * 3);
+            for (int a = 0; a < serialNumber->length; ++a) {
+                hexString += QByteArray::number(serialNumber->data[a], 16).rightJustified(2, '0');
+                hexString += ':';
+            }
+            hexString.chop(1);
+            d->serialNumberString = hexString;
+        } else {
+            d->serialNumberString = QByteArray::number(qlonglong(q_ASN1_INTEGER_get(serialNumber)));
+        }
+    }
     return d->serialNumberString;
 }
@@ -534 +549 @@
     int startIndex = 0;
     if (pathPrefix.trimmed().isEmpty()) {
-        startIndex = 2;
-        pathPrefix = QLatin1String(".");
+        if(path.startsWith(QLatin1Char('/'))) {
+            pathPrefix = path.left(path.indexOf(QRegExp(QLatin1String("[\\*\\?\\[]"))));
+            pathPrefix = path.left(path.lastIndexOf(QLatin1Char('/')));
+        } else {
+            startIndex = 2;
+            pathPrefix = QLatin1String(".");
+        }
     }
 
@@ -697 +717 @@
 static bool matchLineFeed(const QByteArray &pem, int *offset)
 {
-    char ch;
+    char ch = 0;
 
     // ignore extra whitespace at the end of the line

trunk/src/network/ssl/qsslcertificate.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslcertificate_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslcipher.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslcipher.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslcipher_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslconfiguration.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -486 +486 @@
   Returns this connection's CA certificate database. The CA certificate
   database is used by the socket during the handshake phase to
-  validate the peer's certificate. It can be moodified prior to the
-  handshake with addCaCertificate(), addCaCertificates(), and
-  setCaCertificates().
+  validate the peer's certificate. It can be modified prior to the
+  handshake with setCaCertificates(), or with \l{QSslSocket}'s
+  \l{QSslSocket::}{addCaCertificate()} and
+  \l{QSslSocket::}{addCaCertificates()}.
 
   \sa setCaCertificates()

trunk/src/network/ssl/qsslconfiguration.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslconfiguration_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslerror.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslerror.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslkey.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslkey.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslkey_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslsocket.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -211 +211 @@
     signal. This mode is the default for clients.
 
-    \value AutoVerifyPeer QSslSocket will automaticaly use QueryPeer for
+    \value AutoVerifyPeer QSslSocket will automatically use QueryPeer for
     server sockets and VerifyPeer for client sockets.
 
@@ -297 +297 @@
 #include <QtCore/qdebug.h>
 #include <QtCore/qdir.h>
-#include <QtCore/qdatetime.h>
 #include <QtCore/qmutex.h>
+#include <QtCore/qelapsedtimer.h>
 #include <QtNetwork/qhostaddress.h>
 #include <QtNetwork/qhostinfo.h>
@@ -575 +575 @@
 
     The default mode is AutoVerifyPeer, which tells QSslSocket to use
-    VerifyPeer for clients, QueryPeer for clients.
+    VerifyPeer for clients and QueryPeer for servers.
 
     \sa setPeerVerifyMode(), peerVerifyDepth(), mode()
@@ -595 +595 @@
 
     The default mode is AutoVerifyPeer, which tells QSslSocket to use
-    VerifyPeer for clients, QueryPeer for clients.
+    VerifyPeer for clients and QueryPeer for servers.
 
     Setting this mode after encryption has started has no effect on the
@@ -1330 +1330 @@
     Returns the current default CA certificate database. This database
     is originally set to your system's default CA certificate database.
-    If no system default database is found, Qt will provide its own
-    default database. You can override the default CA certificate database
+    If no system default database is found, an empty database will be
+    returned. You can override the default CA certificate database
     with your own CA certificate database using setDefaultCaCertificates().
 
@@ -1345 +1345 @@
 
 /*!
-    This function provides a default CA certificate database
-    shipped together with Qt. The CA certificate database
+    This function provides the CA certificate database
+    provided by the operating system. The CA certificate database
     returned by this function is used to initialize the database
     returned by defaultCaCertificates(). You can replace that database
@@ -1355 +1355 @@
 QList<QSslCertificate> QSslSocket::systemCaCertificates()
 {
-    QSslSocketPrivate::ensureInitialized();
+    // we are calling ensureInitialized() in the method below
     return QSslSocketPrivate::systemCaCertificates();
 }
@@ -1404 +1404 @@
         return false;
 
-    QTime stopWatch;
+    QElapsedTimer stopWatch;
     stopWatch.start();
 
@@ -1444 +1444 @@
     d->readyReadEmittedPointer = &readyReadEmitted;
 
-    QTime stopWatch;
+    QElapsedTimer stopWatch;
     stopWatch.start();
 
@@ -1481 +1481 @@
         return d->plainSocket->waitForBytesWritten(msecs);
 
-    QTime stopWatch;
+    QElapsedTimer stopWatch;
     stopWatch.start();
 
@@ -1519 +1519 @@
         return d->plainSocket->waitForDisconnected(msecs);
 
-    QTime stopWatch;
+    QElapsedTimer stopWatch;
     stopWatch.start();
 
@@ -1557 +1557 @@
 bool QSslSocket::supportsSsl()
 {
-    return QSslSocketPrivate::ensureInitialized();
+    return QSslSocketPrivate::supportsSsl();
 }
 
@@ -1966 +1966 @@
     QMutexLocker locker(&globalData()->mutex);
     const QSslConfigurationPrivate *global = globalData()->config.constData();
+
+    if (!global) {
+        ptr = 0;
+        return;
+    }
 
     ptr->ref = 1;
@@ -2031 +2036 @@
 }
 
+void QSslSocketPrivate::pauseSocketNotifiers(QSslSocket *socket)
+{
+    if (!socket->d_func()->plainSocket)
+        return;
+    QAbstractSocketPrivate::pauseSocketNotifiers(socket->d_func()->plainSocket);
+}
+
+void QSslSocketPrivate::resumeSocketNotifiers(QSslSocket *socket)
+{
+    if (!socket->d_func()->plainSocket)
+        return;
+    QAbstractSocketPrivate::resumeSocketNotifiers(socket->d_func()->plainSocket);
+}
+
 /*!
     \internal

trunk/src/network/ssl/qsslsocket.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)

trunk/src/network/ssl/qsslsocket_openssl.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -52 +52 @@
 #include <QtCore/qdir.h>
 #include <QtCore/qdiriterator.h>
+#include <QtCore/qelapsedtimer.h>
 #include <QtCore/qfile.h>
 #include <QtCore/qfileinfo.h>
@@ -58 +59 @@
 #include <QtCore/qurl.h>
 #include <QtCore/qvarlengtharray.h>
-
-static void initNetworkResources()
-{
-    // Initialize resources
-    Q_INIT_RESOURCE(network);
-}
+#include <QLibrary> // for loading the security lib for the CA store
 
 QT_BEGIN_NAMESPACE
 
-// Useful defines
-#define SSL_ERRORSTR() QString::fromLocal8Bit(q_ERR_error_string(q_ERR_get_error(), NULL))
+#if defined(Q_OS_MAC)
+#define kSecTrustSettingsDomainSystem 2 // so we do not need to include the header file
+    PtrSecCertificateGetData QSslSocketPrivate::ptrSecCertificateGetData = 0;
+    PtrSecTrustSettingsCopyCertificates QSslSocketPrivate::ptrSecTrustSettingsCopyCertificates = 0;
+    PtrSecTrustCopyAnchorCertificates QSslSocketPrivate::ptrSecTrustCopyAnchorCertificates = 0;
+#elif defined(Q_OS_WIN)
+    PtrCertOpenSystemStoreW QSslSocketPrivate::ptrCertOpenSystemStoreW = 0;
+    PtrCertFindCertificateInStore QSslSocketPrivate::ptrCertFindCertificateInStore = 0;
+    PtrCertCloseStore QSslSocketPrivate::ptrCertCloseStore = 0;
+#elif defined(Q_OS_SYMBIAN)
+#include <e32base.h>
+#include <e32std.h>
+#include <e32debug.h>
+#include <QtCore/private/qcore_symbian_p.h>
+#endif
+
+bool QSslSocketPrivate::s_libraryLoaded = false;
+bool QSslSocketPrivate::s_loadedCiphersAndCerts = false;
 
 /* \internal
@@ -147 +159 @@
 static unsigned long id_function()
 {
-    return (unsigned long)QThread::currentThreadId();
+    return (quintptr)QThread::currentThreadId();
 }
 } // extern "C"
@@ -154 +166 @@
     : ssl(0),
       ctx(0),
+      pkey(0),
       readBio(0),
       writeBio(0),
@@ -258 +271 @@
 
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Error creating SSL context (%1)").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Error creating SSL context (%1)").arg(getErrorsFromOpenSsl()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -283 +296 @@
     if (!q_SSL_CTX_set_cipher_list(ctx, cipherString.data())) {
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Invalid or empty cipher list (%1)").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Invalid or empty cipher list (%1)").arg(getErrorsFromOpenSsl()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -290 +303 @@
 
     // Add all our CAs to this store.
-    foreach (const QSslCertificate &caCertificate, q->caCertificates())
+    QList<QSslCertificate> expiredCerts;
+    foreach (const QSslCertificate &caCertificate, q->caCertificates()) {
+        // add expired certs later, so that the
+        // valid ones are used before the expired ones
+        if (! caCertificate.isValid()) {
+            expiredCerts.append(caCertificate);
+        } else {
+            q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+        }
+    }
+    // now add the expired certs
+    foreach (const QSslCertificate &caCertificate, expiredCerts) {
         q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
+    }
 
     // Register a custom callback to get all verification errors.
@@ -299 +324 @@
         // Require a private key as well.
         if (configuration.privateKey.isNull()) {
-            q->setErrorString(QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(getErrorsFromOpenSsl()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -306 +331 @@
         // Load certificate
         if (!q_SSL_CTX_use_certificate(ctx, (X509 *)configuration.localCertificate.handle())) {
-            q->setErrorString(QSslSocket::tr("Error loading local certificate, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Error loading local certificate, %1").arg(getErrorsFromOpenSsl()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -312 +337 @@
 
         // Load private key
-        EVP_PKEY *pkey = q_EVP_PKEY_new();
+        pkey = q_EVP_PKEY_new();
+        // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free.
+        // this lead to a memory leak. Now we use the *_set1_* functions which do not
+        // take ownership of the RSA/DSA key instance because the QSslKey already has ownership.
         if (configuration.privateKey.algorithm() == QSsl::Rsa)
-            q_EVP_PKEY_assign_RSA(pkey, (RSA *)configuration.privateKey.handle());
+            q_EVP_PKEY_set1_RSA(pkey, (RSA *)configuration.privateKey.handle());
         else
-            q_EVP_PKEY_assign_DSA(pkey, (DSA *)configuration.privateKey.handle());
+            q_EVP_PKEY_set1_DSA(pkey, (DSA *)configuration.privateKey.handle());
         if (!q_SSL_CTX_use_PrivateKey(ctx, pkey)) {
-            q->setErrorString(QSslSocket::tr("Error loading private key, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Error loading private key, %1").arg(getErrorsFromOpenSsl()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -325 +353 @@
         // Check if the certificate matches the private key.
         if (!q_SSL_CTX_check_private_key(ctx)) {
-            q->setErrorString(QSslSocket::tr("Private key does not certify public key, %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Private key does not certify public key, %1").arg(getErrorsFromOpenSsl()));
             emit q->error(QAbstractSocket::UnknownSocketError);
             return false;
@@ -345 +373 @@
     if (!(ssl = q_SSL_new(ctx))) {
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Error creating SSL session, %1").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Error creating SSL session, %1").arg(getErrorsFromOpenSsl()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -360 +388 @@
     if (!readBio || !writeBio) {
         // ### Bad error code
-        q->setErrorString(QSslSocket::tr("Error creating SSL session: %1").arg(SSL_ERRORSTR()));
+        q->setErrorString(QSslSocket::tr("Error creating SSL session: %1").arg(getErrorsFromOpenSsl()));
         q->setSocketError(QAbstractSocket::UnknownSocketError);
         emit q->error(QAbstractSocket::UnknownSocketError);
@@ -389 +417 @@
     \internal
 
-    Declared static in QSslSocketPrivate, makes sure the SSL libraries have
-    been initialized.
+    Does the minimum amount of initialization to determine whether SSL
+    is supported or not.
 */
-bool QSslSocketPrivate::ensureInitialized()
+
+bool QSslSocketPrivate::supportsSsl()
+{
+    return ensureLibraryLoaded();
+}
+
+bool QSslSocketPrivate::ensureLibraryLoaded()
 {
     if (!q_resolveOpenSslSymbols())
@@ -399 +433 @@
     // Check if the library itself needs to be initialized.
     QMutexLocker locker(openssl_locks()->initLock());
-    static int q_initialized = false;
-    if (!q_initialized) {
-        q_initialized = true;
-
-        // Initialize resources
-        initNetworkResources();
+    if (!s_libraryLoaded) {
+        s_libraryLoaded = true;
 
         // Initialize OpenSSL.
@@ -441 +471 @@
                 return false;
         }
-
-        resetDefaultCiphers();
-        setDefaultCaCertificates(systemCaCertificates());
     }
     return true;
+}
+
+void QSslSocketPrivate::ensureCiphersAndCertsLoaded()
+{
+    QMutexLocker locker(openssl_locks()->initLock());
+    if (s_loadedCiphersAndCerts)
+        return;
+    s_loadedCiphersAndCerts = true;
+
+    resetDefaultCiphers();
+
+    //load symbols needed to receive certificates from system store
+#if defined(Q_OS_MAC)
+    QLibrary securityLib("/System/Library/Frameworks/Security.framework/Versions/Current/Security");
+    if (securityLib.load()) {
+        ptrSecCertificateGetData = (PtrSecCertificateGetData) securityLib.resolve("SecCertificateGetData");
+        if (!ptrSecCertificateGetData)
+            qWarning("could not resolve symbols in security library"); // should never happen
+
+        ptrSecTrustSettingsCopyCertificates = (PtrSecTrustSettingsCopyCertificates) securityLib.resolve("SecTrustSettingsCopyCertificates");
+        if (!ptrSecTrustSettingsCopyCertificates) { // method was introduced in Leopard, use legacy method if it's not there
+            ptrSecTrustCopyAnchorCertificates = (PtrSecTrustCopyAnchorCertificates) securityLib.resolve("SecTrustCopyAnchorCertificates");
+            if (!ptrSecTrustCopyAnchorCertificates)
+                qWarning("could not resolve symbols in security library"); // should never happen
+        }
+    } else {
+        qWarning("could not load security library");
+    }
+#elif defined(Q_OS_WIN)
+    HINSTANCE hLib = LoadLibraryW(L"Crypt32");
+    if (hLib) {
+#if defined(Q_OS_WINCE)
+        ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, L"CertOpenStore");
+        ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, L"CertFindCertificateInStore");
+        ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, L"CertCloseStore");
+#else
+        ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW");
+        ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore");
+        ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore");
+#endif
+        if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore)
+            qWarning("could not resolve symbols in crypt32 library"); // should never happen
+    } else {
+        qWarning("could not load crypt32 library"); // should never happen
+    }
+#endif
+    setDefaultCaCertificates(systemCaCertificates());
+}
+
+/*!
+    \internal
+
+    Declared static in QSslSocketPrivate, makes sure the SSL libraries have
+    been initialized.
+*/
+
+void QSslSocketPrivate::ensureInitialized()
+{
+    if (!supportsSsl())
+        return;
+
+    ensureCiphersAndCertsLoaded();
 }
 
@@ -481 +570 @@
 }
 
+#if defined(Q_OS_SYMBIAN)
+
+CSymbianCertificateRetriever::CSymbianCertificateRetriever() : CActive(CActive::EPriorityStandard),
+    iCertificatePtr(0,0,0), iSequenceError(KErrNone)
+{
+}
+
+CSymbianCertificateRetriever::~CSymbianCertificateRetriever()
+{
+    iThread.Close();
+}
+
+CSymbianCertificateRetriever* CSymbianCertificateRetriever::NewL()
+{
+    CSymbianCertificateRetriever* self = new (ELeave) CSymbianCertificateRetriever();
+    CleanupStack::PushL(self);
+    self->ConstructL();
+    CleanupStack::Pop();
+    return self;
+}
+
+int CSymbianCertificateRetriever::GetCertificates(QList<QByteArray> &certificates)
+{
+    iCertificates = &certificates;
+
+    TRequestStatus status;
+    iThread.Logon(status);
+    iThread.Resume();
+    User::WaitForRequest(status);
+    if (iThread.ExitType() == EExitKill)
+        return KErrDied;
+    else
+        return status.Int();    // Logon() completes with the thread's exit value
+}
+
+void CSymbianCertificateRetriever::doThreadEntryL()
+{
+    CActiveScheduler* activeScheduler = new (ELeave) CActiveScheduler;
+    CleanupStack::PushL(activeScheduler);
+    CActiveScheduler::Install(activeScheduler);
+
+    CActiveScheduler::Add(this);
+
+    // These aren't deleted in the destructor so leaving the to CS is ok
+    iCertStore = CUnifiedCertStore::NewLC(qt_s60GetRFs(), EFalse);
+    iCertFilter = CCertAttributeFilter::NewLC();
+
+    // only interested in CA certs
+    iCertFilter->SetOwnerType(ECACertificate);
+    // only interested in X.509 format (we don't support WAP formats)
+    iCertFilter->SetFormat(EX509Certificate);
+
+    // Kick off the sequence by initializing the cert store
+    iState = Initializing;
+    iCertStore->Initialize(iStatus);
+    SetActive();
+
+    CActiveScheduler::Start();
+
+    // Sequence complete, clean up
+
+    // These MUST be cleaned up before the installed CActiveScheduler is destroyed and can't be left to the
+    // destructor of CSymbianCertificateRetriever. Otherwise the destructor of CActiveScheduler will get
+    // stuck.
+    iCertInfos.Close();
+    CleanupStack::PopAndDestroy(3);     // activeScheduler, iCertStore, iCertFilter
+}
+
+
+TInt CSymbianCertificateRetriever::ThreadEntryPoint(TAny* aParams)
+{
+    User::SetCritical(User::EProcessCritical);
+    CTrapCleanup* cleanupStack = CTrapCleanup::New();
+
+    CSymbianCertificateRetriever* self = (CSymbianCertificateRetriever*) aParams;
+    TRAPD(err, self->doThreadEntryL());
+    delete cleanupStack;
+
+    // doThreadEntryL() can leave only before the retrieval sequence is started
+    if (err)
+        return err;
+    else
+        return self->iSequenceError;    // return any error that occurred during the retrieval
+}
+
+void CSymbianCertificateRetriever::ConstructL()
+{
+    TInt err;
+    int i=0;
+    QString name(QLatin1String("CertWorkerThread-%1"));
+    //recently closed thread names remain in use for a while until all handles have been closed
+    //including users of RUndertaker
+    do {
+        err = iThread.Create(qt_QString2TPtrC(name.arg(i++)),
+            CSymbianCertificateRetriever::ThreadEntryPoint, 16384, NULL, this);
+    } while (err == KErrAlreadyExists);
+    User::LeaveIfError(err);
+}
+
+void CSymbianCertificateRetriever::DoCancel()
+{
+    switch(iState) {
+    case Initializing:
+        iCertStore->CancelInitialize();
+        break;
+    case Listing:
+        iCertStore->CancelList();
+        break;
+    case RetrievingCertificates:
+        iCertStore->CancelGetCert();
+        break;
+    }
+}
+
+TInt CSymbianCertificateRetriever::RunError(TInt aError)
+{
+    // If something goes wrong in the sequence, abort the sequence
+    iSequenceError = aError;    // this gets reported to the client in the TRequestStatus
+    CActiveScheduler::Stop();
+    return KErrNone;
+}
+
+void CSymbianCertificateRetriever::GetCertificateL()
+{
+    if (iCurrentCertIndex < iCertInfos.Count()) {
+        CCTCertInfo* certInfo = iCertInfos[iCurrentCertIndex++];
+        iCertificateData = QByteArray();
+        QT_TRYCATCH_LEAVING(iCertificateData.resize(certInfo->Size()));
+        iCertificatePtr.Set((TUint8*)iCertificateData.data(), 0, iCertificateData.size());
+#ifdef QSSLSOCKET_DEBUG
+        qDebug() << "getting " << qt_TDesC2QString(certInfo->Label()) << " size=" << certInfo->Size();
+        qDebug() << "format=" << certInfo->CertificateFormat();
+        qDebug() << "ownertype=" << certInfo->CertificateOwnerType();
+        qDebug() << "type=" << hex << certInfo->Type().iUid;
+#endif
+        iCertStore->Retrieve(*certInfo, iCertificatePtr, iStatus);
+        iState = RetrievingCertificates;
+        SetActive();
+    } else {
+        //reached end of list
+        CActiveScheduler::Stop();
+    }
+}
+
+void CSymbianCertificateRetriever::RunL()
+{
+#ifdef QSSLSOCKET_DEBUG
+    qDebug() << "CSymbianCertificateRetriever::RunL status " << iStatus.Int() << " count " << iCertInfos.Count() << " index " << iCurrentCertIndex;
+#endif
+    switch (iState) {
+    case Initializing:
+        User::LeaveIfError(iStatus.Int()); // initialise fail means pointless to continue
+        iState = Listing;
+        iCertStore->List(iCertInfos, *iCertFilter, iStatus);
+        SetActive();
+        break;
+
+    case Listing:
+        User::LeaveIfError(iStatus.Int()); // listing fail means pointless to continue
+        iCurrentCertIndex = 0;
+        GetCertificateL();
+        break;
+
+    case RetrievingCertificates:
+        if (iStatus.Int() == KErrNone)
+            iCertificates->append(iCertificateData);
+        else
+            qWarning() << "CSymbianCertificateRetriever: failed to retrieve a certificate, error " << iStatus.Int();
+        GetCertificateL();
+        break;
+    }
+}
+#endif // defined(Q_OS_SYMBIAN)
+
 QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
 {
-    // Qt provides a default bundle of certificates
-    QFile caBundle(QLatin1String(":/trolltech/network/ssl/qt-ca-bundle.crt"));
-    if (caBundle.open(QIODevice::ReadOnly | QIODevice::Text))
-        return QSslCertificate::fromDevice(&caBundle);
-
-    // Unreachable; return no bundle.
-    return QList<QSslCertificate>();
+    ensureInitialized();
+#ifdef QSSLSOCKET_DEBUG
+    QElapsedTimer timer;
+    timer.start();
+#endif
+    QList<QSslCertificate> systemCerts;
+#if defined(Q_OS_MAC)
+    CFArrayRef cfCerts;
+    OSStatus status = 1;
+
+    OSStatus SecCertificateGetData (
+       SecCertificateRef certificate,
+       CSSM_DATA_PTR data
+    );
+
+    if (ptrSecCertificateGetData) {
+        if (ptrSecTrustSettingsCopyCertificates)
+            status = ptrSecTrustSettingsCopyCertificates(kSecTrustSettingsDomainSystem, &cfCerts);
+        else if (ptrSecTrustCopyAnchorCertificates)
+            status = ptrSecTrustCopyAnchorCertificates(&cfCerts);
+        if (!status) {
+            CFIndex size = CFArrayGetCount(cfCerts);
+            for (CFIndex i = 0; i < size; ++i) {
+                SecCertificateRef cfCert = (SecCertificateRef)CFArrayGetValueAtIndex(cfCerts, i);
+                CSSM_DATA data;
+                CSSM_DATA_PTR dataPtr = &data;
+                if (ptrSecCertificateGetData(cfCert, dataPtr)) {
+                    qWarning("error retrieving a CA certificate from the system store");
+                } else {
+                    int len = data.Length;
+                    char *rawData = reinterpret_cast<char *>(data.Data);
+                    QByteArray rawCert(rawData, len);
+                    systemCerts.append(QSslCertificate::fromData(rawCert, QSsl::Der));
+                }
+            }
+        }
+        else {
+           // no detailed error handling here
+           qWarning("could not retrieve system CA certificates");
+        }
+    }
+#elif defined(Q_OS_WIN)
+    if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) {
+        HCERTSTORE hSystemStore;
+#if defined(Q_OS_WINCE)
+        hSystemStore = ptrCertOpenSystemStoreW(CERT_STORE_PROV_SYSTEM_W,
+                                               0,
+                                               0,
+                                               CERT_STORE_NO_CRYPT_RELEASE_FLAG|CERT_SYSTEM_STORE_CURRENT_USER,
+                                               L"ROOT");
+#else
+        hSystemStore = ptrCertOpenSystemStoreW(0, L"ROOT");
+#endif
+        if(hSystemStore) {
+            PCCERT_CONTEXT pc = NULL;
+            while(1) {
+                pc = ptrCertFindCertificateInStore( hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pc);
+                if(!pc)
+                    break;
+                QByteArray der((const char *)(pc->pbCertEncoded), static_cast<int>(pc->cbCertEncoded));
+                QSslCertificate cert(der, QSsl::Der);
+                systemCerts.append(cert);
+            }
+            ptrCertCloseStore(hSystemStore, 0);
+        }
+    }
+#elif defined(Q_OS_UNIX) && !defined(Q_OS_SYMBIAN)
+    QSet<QString> certFiles;
+    QList<QByteArray> directories;
+    directories << "/etc/ssl/certs/"; // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ...
+    directories << "/usr/lib/ssl/certs/"; // Gentoo, Mandrake
+    directories << "/usr/share/ssl/"; // Centos, Redhat, SuSE
+    directories << "/usr/local/ssl/"; // Normal OpenSSL Tarball
+    directories << "/var/ssl/certs/"; // AIX
+    directories << "/usr/local/ssl/certs/"; // Solaris
+    directories << "/opt/openssl/certs/"; // HP-UX
+
+    QDir currentDir;
+    QStringList nameFilters;
+    nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt");
+    currentDir.setNameFilters(nameFilters);
+    for (int a = 0; a < directories.count(); a++) {
+        currentDir.setPath(QLatin1String(directories.at(a)));
+        QDirIterator it(currentDir);
+        while(it.hasNext()) {
+            it.next();
+            // use canonical path here to not load the same certificate twice if symlinked
+            certFiles.insert(it.fileInfo().canonicalFilePath());
+        }
+    }
+    QSetIterator<QString> it(certFiles);
+    while(it.hasNext()) {
+        systemCerts.append(QSslCertificate::fromPath(it.next()));
+    }
+    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), QSsl::Pem)); // Fedora, Mandriva
+    systemCerts.append(QSslCertificate::fromPath(QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), QSsl::Pem)); // FreeBSD's ca_root_nss
+
+#elif defined(Q_OS_SYMBIAN)
+    QList<QByteArray> certs;
+    QScopedPointer<CSymbianCertificateRetriever> retriever(CSymbianCertificateRetriever::NewL());
+
+    retriever->GetCertificates(certs);
+    foreach (const QByteArray &encodedCert, certs) {
+        QSslCertificate cert(encodedCert, QSsl::Der);
+        if (!cert.isNull()) {
+#ifdef QSSLSOCKET_DEBUG
+            qDebug() << "imported certificate: " << cert.issuerInfo(QSslCertificate::CommonName);
+#endif
+            systemCerts.append(cert);
+        }
+    }
+#endif
+#ifdef QSSLSOCKET_DEBUG
+    qDebug() << "systemCaCertificates retrieval time " << timer.elapsed() << "ms";
+    qDebug() << "imported " << systemCerts.count() << " certificates";
+#endif
+
+    return systemCerts;
 }
 
@@ -544 +918 @@
                 if (writtenBytes <= 0) {
                     // ### Better error handling.
-                    q->setErrorString(QSslSocket::tr("Unable to write data: %1").arg(SSL_ERRORSTR()));
+                    q->setErrorString(QSslSocket::tr("Unable to write data: %1").arg(getErrorsFromOpenSsl()));
                     q->setSocketError(QAbstractSocket::UnknownSocketError);
                     emit q->error(QAbstractSocket::UnknownSocketError);
@@ -607 +981 @@
                 } else {
                     // ### Better error handling.
-                    q->setErrorString(QSslSocket::tr("Unable to decrypt data: %1").arg(SSL_ERRORSTR()));
+                    q->setErrorString(QSslSocket::tr("Unable to decrypt data: %1").arg(getErrorsFromOpenSsl()));
                     q->setSocketError(QAbstractSocket::UnknownSocketError);
                     emit q->error(QAbstractSocket::UnknownSocketError);
@@ -681 +1055 @@
                 plainSocket->disconnectFromHost();
                 break;
+            case SSL_ERROR_SYSCALL: // some IO error
+            case SSL_ERROR_SSL: // error in the SSL library
+                // we do not know exactly what the error is, nor whether we can recover from it,
+                // so just return to prevent an endless loop in the outer "while" statement
+                q->setErrorString(QSslSocket::tr("Error while reading: %1").arg(getErrorsFromOpenSsl()));
+                q->setSocketError(QAbstractSocket::UnknownSocketError);
+                emit q->error(QAbstractSocket::UnknownSocketError);
+                return;
             default:
-                // ### Handle errors better.
-                q->setErrorString(QSslSocket::tr("Error while reading: %1").arg(SSL_ERRORSTR()));
+                // SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT: can only happen with a
+                // BIO_s_connect() or BIO_s_accept(), which we do not call.
+                // SSL_ERROR_WANT_X509_LOOKUP: can only happen with a
+                // SSL_CTX_set_client_cert_cb(), which we do not call.
+                // So this default case should never be triggered.
+                q->setErrorString(QSslSocket::tr("Error while reading: %1").arg(getErrorsFromOpenSsl()));
                 q->setSocketError(QAbstractSocket::UnknownSocketError);
                 emit q->error(QAbstractSocket::UnknownSocketError);
@@ -778 +1164 @@
             break;
         default:
-            // ### Handle errors better
-            q->setErrorString(QSslSocket::tr("Error during SSL handshake: %1").arg(SSL_ERRORSTR()));
+            q->setErrorString(QSslSocket::tr("Error during SSL handshake: %1").arg(getErrorsFromOpenSsl()));
             q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
 #ifdef QSSLSOCKET_DEBUG
@@ -816 +1201 @@
             QString commonName = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName);
 
-            QRegExp regexp(commonName, Qt::CaseInsensitive, QRegExp::Wildcard);
-            if (!regexp.exactMatch(peerName)) {
+            if (!isMatchingHostname(commonName.toLower(), peerName.toLower())) {
                 bool matched = false;
                 foreach (const QString &altName, configuration.peerCertificate
                          .alternateSubjectNames().values(QSsl::DnsEntry)) {
-                    regexp.setPattern(altName);
-                    if (regexp.exactMatch(peerName)) {
+                    if (isMatchingHostname(altName.toLower(), peerName.toLower())) {
                         matched = true;
                         break;
                     }
                 }
+
                 if (!matched) {
                     // No matches in common names or alternate names.
@@ -923 +1307 @@
         ctx = 0;
     }
+    if (pkey) {
+        q_EVP_PKEY_free(pkey);
+        pkey = 0;
+    }
+
 }
 
@@ -951 +1340 @@
 }
 
+QString QSslSocketBackendPrivate::getErrorsFromOpenSsl()
+{
+    QString errorString;
+    unsigned long errNum;
+    while((errNum = q_ERR_get_error())) {
+        if (! errorString.isEmpty())
+            errorString.append(QLatin1String(", "));
+        const char *error = q_ERR_error_string(errNum, NULL);
+        errorString.append(QString::fromAscii(error)); // error is ascii according to man ERR_error_string
+    }
+    return errorString;
+}
+
+bool QSslSocketBackendPrivate::isMatchingHostname(const QString &cn, const QString &hostname)
+{
+    int wildcard = cn.indexOf(QLatin1Char('*'));
+
+    // Check this is a wildcard cert, if not then just compare the strings
+    if (wildcard < 0)
+        return cn == hostname;
+
+    int firstCnDot = cn.indexOf(QLatin1Char('.'));
+    int secondCnDot = cn.indexOf(QLatin1Char('.'), firstCnDot+1);
+
+    // Check at least 3 components
+    if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length()))
+        return false;
+
+    // Check * is last character of 1st component (ie. there's a following .)
+    if (wildcard+1 != firstCnDot)
+        return false;
+
+    // Check only one star
+    if (cn.lastIndexOf(QLatin1Char('*')) != wildcard)
+        return false;
+
+    // Check characters preceding * (if any) match
+    if (wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard)))
+        return false;
+
+    // Check characters following first . match
+    if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
+        return false;
+
+    // Check if the hostname is an IP address, if so then wildcards are not allowed
+    QHostAddress addr(hostname);
+    if (!addr.isNull())
+        return false;
+
+    // Ok, I guess this was a wildcard CN and the hostname matches.
+    return true;
+}
+
 QT_END_NAMESPACE

trunk/src/network/ssl/qsslsocket_openssl_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -98 +98 @@
     SSL *ssl;
     SSL_CTX *ctx;
+    EVP_PKEY *pkey;
     BIO *readBio;
     BIO *writeBio;
@@ -116 +117 @@
     static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher);
     static QList<QSslCertificate> STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509);
+    Q_AUTOTEST_EXPORT static bool isMatchingHostname(const QString &cn, const QString &hostname);
+    static QString getErrorsFromOpenSsl();
 };
+
+#if defined(Q_OS_SYMBIAN)
+
+#include <QByteArray>
+#include <e32base.h>
+#include <f32file.h>
+#include <unifiedcertstore.h>     // link against certstore.lib
+#include <ccertattributefilter.h> // link against ctframework.lib
+
+// The purpose of this class is to wrap the asynchronous API of Symbian certificate store to one
+// synchronizable call. The user of this class needs to provide a TRequestStatus object which can
+// be used with User::WaitForRequest() unlike with the calls of the certificate store API.
+// A thread is used instead of a CActiveSchedulerWait scheme, because that would make the call
+// asynchronous (other events might be processed during the call even though the call would be seemingly
+// synchronous).
+
+class CSymbianCertificateRetriever : public CActive
+{
+public:
+    static CSymbianCertificateRetriever* NewL();
+    ~CSymbianCertificateRetriever();
+
+    int GetCertificates(QList<QByteArray> &aCertificates);
+
+private:
+    void ConstructL();
+    CSymbianCertificateRetriever();
+    static TInt ThreadEntryPoint(TAny* aParams);
+    void doThreadEntryL();
+    void GetCertificateL();
+    void DoCancel();
+    void RunL();
+    TInt RunError(TInt aError);
+
+private:
+    enum {
+        Initializing,
+        Listing,
+        RetrievingCertificates
+    } iState;
+
+    RThread iThread;
+    CUnifiedCertStore* iCertStore;
+    RMPointerArray<CCTCertInfo> iCertInfos;
+    CCertAttributeFilter* iCertFilter;
+    TInt iCurrentCertIndex;
+    QByteArray iCertificateData;
+    TPtr8 iCertificatePtr;
+    QList<QByteArray>* iCertificates;
+    TInt iSequenceError;
+};
+
+
+#endif
+
 
 QT_END_NAMESPACE

trunk/src/network/ssl/qsslsocket_openssl_symbols.cpp

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -43 +43 @@
 #include "qsslsocket_openssl_symbols_p.h"
 
-#include <QtCore/qlibrary.h>
+#ifdef Q_OS_WIN
+# include <private/qsystemlibrary_p.h>
+#else
+# include <QtCore/qlibrary.h>
+#endif
 #include <QtCore/qmutex.h>
 #include <private/qmutexpool_p.h>
@@ -120 +124 @@
 DEFINEFUNC(const EVP_CIPHER *, EVP_des_ede3_cbc, DUMMYARG, DUMMYARG, return 0, return)
 DEFINEFUNC3(int, EVP_PKEY_assign, EVP_PKEY *a, a, int b, b, char *c, c, return -1, return)
+DEFINEFUNC2(int, EVP_PKEY_set1_RSA, EVP_PKEY *a, a, RSA *b, b, return -1, return)
+DEFINEFUNC2(int, EVP_PKEY_set1_DSA, EVP_PKEY *a, a, DSA *b, b, return -1, return)
 DEFINEFUNC(void, EVP_PKEY_free, EVP_PKEY *a, a, return, DUMMYARG)
 DEFINEFUNC(DSA *, EVP_PKEY_get1_DSA, EVP_PKEY *a, a, return 0, return)
@@ -333 +339 @@
             .split(QLatin1Char(':'), QString::SkipEmptyParts);
 #  endif
-    paths << QLatin1String("/usr/lib") << QLatin1String("/usr/local/lib");
+    paths << QLatin1String("/lib") << QLatin1String("/usr/lib") << QLatin1String("/usr/local/lib");
 
     QStringList foundSsls;
@@ -348 +354 @@
 }
 # endif
+
+#ifdef Q_OS_WIN
+static QPair<QSystemLibrary*, QSystemLibrary*> loadOpenSslWin32()
+{
+    QPair<QSystemLibrary*,QSystemLibrary*> pair;
+    pair.first = 0;
+    pair.second = 0;
+
+    QSystemLibrary *ssleay32 = new QSystemLibrary(QLatin1String("ssleay32"));
+    if (!ssleay32->load(false)) {
+        // Cannot find ssleay32.dll
+        delete ssleay32;
+        return pair;
+    }
+
+    QSystemLibrary *libeay32 = new QSystemLibrary(QLatin1String("libeay32"));
+    if (!libeay32->load(false)) {
+        delete ssleay32;
+        delete libeay32;
+        return pair;
+    }
+
+    pair.first = ssleay32;
+    pair.second = libeay32;
+    return pair;
+}
+#else
 
 static QPair<QLibrary*, QLibrary*> loadOpenSsl()
@@ -355 +388 @@
     pair.second = 0;
 
-# ifdef Q_OS_WIN
-    QLibrary *ssleay32 = new QLibrary(QLatin1String("ssleay32"));
-    if (!ssleay32->load()) {
-        // Cannot find ssleay32.dll
-        delete ssleay32;
-        return pair;
-    }
-
-    QLibrary *libeay32 = new QLibrary(QLatin1String("libeay32"));
-    if (!libeay32->load()) {
-        delete ssleay32;
-        delete libeay32;
-        return pair;
-    }
-
-    pair.first = ssleay32;
-    pair.second = libeay32;
-    return pair;
-# elif defined(Q_OS_SYMBIAN)
+# if defined(Q_OS_SYMBIAN)
      QLibrary *libssl = new QLibrary(QLatin1String("libssl"));
     if (!libssl->load()) {
@@ -506 +521 @@
 # endif
 }
+#endif
 
 bool q_resolveOpenSslSymbols()
@@ -520 +536 @@
     triedToResolveSymbols = true;
 
+#ifdef Q_OS_WIN
+    QPair<QSystemLibrary *, QSystemLibrary *> libs = loadOpenSslWin32();
+#else
     QPair<QLibrary *, QLibrary *> libs = loadOpenSsl();
+#endif
     if (!libs.first || !libs.second)
         // failed to load them
@@ -549 +569 @@
     RESOLVEFUNC(EVP_des_ede3_cbc, 919, libs.second )
     RESOLVEFUNC(EVP_PKEY_assign, 859, libs.second )
+    RESOLVEFUNC(EVP_PKEY_set1_RSA, 880, libs.second )
+    RESOLVEFUNC(EVP_PKEY_set1_DSA, 879, libs.second )
     RESOLVEFUNC(EVP_PKEY_free, 867, libs.second )
     RESOLVEFUNC(EVP_PKEY_get1_DSA, 869, libs.second )
@@ -671 +693 @@
     RESOLVEFUNC(EVP_des_ede3_cbc)
     RESOLVEFUNC(EVP_PKEY_assign)
+    RESOLVEFUNC(EVP_PKEY_set1_RSA)
+    RESOLVEFUNC(EVP_PKEY_set1_DSA)
     RESOLVEFUNC(EVP_PKEY_free)
     RESOLVEFUNC(EVP_PKEY_get1_DSA)
@@ -794 +818 @@
 QDateTime q_getTimeFromASN1(const ASN1_TIME *aTime)
 {
-    char lBuffer[24];
-    char *pBuffer = lBuffer;
-
     size_t lTimeLength = aTime->length;
     char *pString = (char *) aTime->data;
 
     if (aTime->type == V_ASN1_UTCTIME) {
+
+        char lBuffer[24];
+        char *pBuffer = lBuffer;
+
         if ((lTimeLength < 11) || (lTimeLength > 17))
             return QDateTime();
@@ -807 +832 @@
         pBuffer += 10;
         pString += 10;
+
+        if ((*pString == 'Z') || (*pString == '-') || (*pString == '+')) {
+            *pBuffer++ = '0';
+            *pBuffer++ = '0';
+        } else {
+            *pBuffer++ = *pString++;
+            *pBuffer++ = *pString++;
+            // Skip any fractional seconds...
+            if (*pString == '.') {
+                pString++;
+                while ((*pString >= '0') && (*pString <= '9'))
+                    pString++;
+            }
+        }
+
+        *pBuffer++ = 'Z';
+        *pBuffer++ = '\0';
+
+        time_t lSecondsFromUCT;
+        if (*pString == 'Z') {
+            lSecondsFromUCT = 0;
+        } else {
+            if ((*pString != '+') && (*pString != '-'))
+                return QDateTime();
+
+            lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
+            lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0');
+            lSecondsFromUCT *= 60;
+            if (*pString == '-')
+                lSecondsFromUCT = -lSecondsFromUCT;
+        }
+
+        tm lTime;
+        lTime.tm_sec = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
+        lTime.tm_min = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
+        lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
+        lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
+        lTime.tm_mon = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
+        lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
+        if (lTime.tm_year < 50)
+            lTime.tm_year += 100; // RFC 2459
+
+        QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday);
+        QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec);
+
+        QDateTime result(resDate, resTime, Qt::UTC);
+        result = result.addSecs(lSecondsFromUCT);
+        return result;
+
+    } else if (aTime->type == V_ASN1_GENERALIZEDTIME) {
+
+        if (lTimeLength < 15)
+            return QDateTime(); // hopefully never triggered
+
+        // generalized time is always YYYYMMDDHHMMSSZ (RFC 2459, section 4.1.2.5.2)
+        tm lTime;
+        lTime.tm_sec = ((pString[12] - '0') * 10) + (pString[13] - '0');
+        lTime.tm_min = ((pString[10] - '0') * 10) + (pString[11] - '0');
+        lTime.tm_hour = ((pString[8] - '0') * 10) + (pString[9] - '0');
+        lTime.tm_mday = ((pString[6] - '0') * 10) + (pString[7] - '0');
+        lTime.tm_mon = (((pString[4] - '0') * 10) + (pString[5] - '0'));
+        lTime.tm_year = ((pString[0] - '0') * 1000) + ((pString[1] - '0') * 100) +
+                        ((pString[2] - '0') * 10) + (pString[3] - '0');
+
+        QDate resDate(lTime.tm_year, lTime.tm_mon, lTime.tm_mday);
+        QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec);
+
+        QDateTime result(resDate, resTime, Qt::UTC);
+        return result;
+
     } else {
-        if (lTimeLength < 13)
-            return QDateTime();
-
-        memcpy(pBuffer, pString, 12);
-        pBuffer += 12;
-        pString += 12;
-    }
-
-    if ((*pString == 'Z') || (*pString == '-') || (*pString == '+')) {
-        *pBuffer++ = '0';
-        *pBuffer++ = '0';
-    } else {
-        *pBuffer++ = *pString++;
-        *pBuffer++ = *pString++;
-        // Skip any fractional seconds...
-        if (*pString == '.') {
-            pString++;
-            while ((*pString >= '0') && (*pString <= '9'))
-                pString++;
-        }
-    }
-
-    *pBuffer++ = 'Z';
-    *pBuffer++ = '\0';
-
-    time_t lSecondsFromUCT;
-    if (*pString == 'Z') {
-        lSecondsFromUCT = 0;
-    } else {
-        if ((*pString != '+') && (*pString != '-'))
-            return QDateTime();
-
-        lSecondsFromUCT = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60;
-        lSecondsFromUCT += (pString[3] - '0') * 10 + (pString[4] - '0');
-        lSecondsFromUCT *= 60;
-        if (*pString == '-')
-            lSecondsFromUCT = -lSecondsFromUCT;
-    }
-
-    tm lTime;
-    lTime.tm_sec = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
-    lTime.tm_min = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
-    lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
-    lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
-    lTime.tm_mon = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
-    lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
-    if (lTime.tm_year < 50)
-        lTime.tm_year += 100; // RFC 2459
-
-    QDate resDate(lTime.tm_year + 1900, lTime.tm_mon + 1, lTime.tm_mday);
-    QTime resTime(lTime.tm_hour, lTime.tm_min, lTime.tm_sec);
-    QDateTime result(resDate, resTime, Qt::UTC);
-    result = result.addSecs(lSecondsFromUCT);
-    return result;
+        qWarning("unsupported date format detected");
+        return QDateTime();
+    }
+
 }
 

trunk/src/network/ssl/qsslsocket_openssl_symbols_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -228 +228 @@
 const EVP_CIPHER *q_EVP_des_ede3_cbc();
 int q_EVP_PKEY_assign(EVP_PKEY *a, int b, char *c);
+int q_EVP_PKEY_set1_RSA(EVP_PKEY *a, RSA *b);
+int q_EVP_PKEY_set1_DSA(EVP_PKEY *a, DSA *b);
 void q_EVP_PKEY_free(EVP_PKEY *a);
 RSA *q_EVP_PKEY_get1_RSA(EVP_PKEY *a);

trunk/src/network/ssl/qsslsocket_p.h

@@ -1 +1 @@
 /****************************************************************************
 **
-** Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
 ** All rights reserved.
 ** Contact: Nokia Corporation (qt-info@nokia.com)
@@ -67 +67 @@
 QT_BEGIN_NAMESPACE
 
+#if defined(Q_OS_MAC)
+#include <Security/SecCertificate.h>
+#include <CoreFoundation/CFArray.h>
+    typedef OSStatus (*PtrSecCertificateGetData)(SecCertificateRef, CSSM_DATA_PTR);
+    typedef OSStatus (*PtrSecTrustSettingsCopyCertificates)(int, CFArrayRef*);
+    typedef OSStatus (*PtrSecTrustCopyAnchorCertificates)(CFArrayRef*);
+#elif defined(Q_OS_WIN)
+#include <wincrypt.h>
+#ifndef HCRYPTPROV_LEGACY
+#define HCRYPTPROV_LEGACY HCRYPTPROV
+#endif
+#if defined(Q_OS_WINCE)
+    typedef HCERTSTORE (WINAPI *PtrCertOpenSystemStoreW)(LPCSTR, DWORD, HCRYPTPROV_LEGACY, DWORD, const void*);
+#else
+    typedef HCERTSTORE (WINAPI *PtrCertOpenSystemStoreW)(HCRYPTPROV_LEGACY, LPCWSTR);
+#endif
+    typedef PCCERT_CONTEXT (WINAPI *PtrCertFindCertificateInStore)(HCERTSTORE, DWORD, DWORD, DWORD, const void*, PCCERT_CONTEXT);
+    typedef BOOL (WINAPI *PtrCertCloseStore)(HCERTSTORE, DWORD);
+#endif
+
+
+
 class QSslSocketPrivate : public QTcpSocketPrivate
 {
@@ -91 +113 @@
     QString verificationPeerName;
 
-    static bool ensureInitialized();
+    static bool supportsSsl();
+    static void ensureInitialized();
     static void deinitialize();
     static QList<QSslCipher> defaultCiphers();
@@ -107 +130 @@
     static void addDefaultCaCertificates(const QList<QSslCertificate> &certs);
 
+#if defined(Q_OS_MAC)
+    static PtrSecCertificateGetData ptrSecCertificateGetData;
+    static PtrSecTrustSettingsCopyCertificates ptrSecTrustSettingsCopyCertificates;
+    static PtrSecTrustCopyAnchorCertificates ptrSecTrustCopyAnchorCertificates;
+#elif defined(Q_OS_WIN)
+    static PtrCertOpenSystemStoreW ptrCertOpenSystemStoreW;
+    static PtrCertFindCertificateInStore ptrCertFindCertificateInStore;
+    static PtrCertCloseStore ptrCertCloseStore;
+#endif
+
     // The socket itself, including private slots.
     QTcpSocket *plainSocket;
     void createPlainSocket(QIODevice::OpenMode openMode);
+    static void pauseSocketNotifiers(QSslSocket*);
+    static void resumeSocketNotifiers(QSslSocket*);
     void _q_connectedSlot();
     void _q_hostFoundSlot();
@@ -127 +162 @@
     virtual void disconnected() = 0;
     virtual QSslCipher sessionCipher() const = 0;
+
+private:
+    static bool ensureLibraryLoaded();
+    static void ensureCiphersAndCertsLoaded();
+
+    static bool s_libraryLoaded;
+    static bool s_loadedCiphersAndCerts;
 };
 

trunk/src/network/ssl/ssl.pri

@@ -32 +32 @@
                ssl/qsslsocket_openssl_symbols.cpp
 
-    # Include Qt's default CA bundle
-    RESOURCES += network.qrc
-
     # Add optional SSL libs
     LIBS_PRIVATE += $$OPENSSL_LIBS