14#include <QtNetwork/private/qsslcipher_p.h>
16#include <QtNetwork/qsslcipher.h>
17#include <QtNetwork/qssl.h>
19#include <QtCore/qdir.h>
20#include <QtCore/qdiriterator.h>
21#include <QtCore/qlist.h>
22#include <QtCore/qmutex.h>
23#include <QtCore/qscopeguard.h>
24#include <QtCore/qset.h>
34#if defined(Q_OS_WIN) || defined(Q_OS_MACOS)
53 if (!ciph.name().toLower().startsWith(
"adh"_L1) &&
54 !ciph.name().toLower().startsWith(
"exp-adh"_L1) &&
55 !ciph.name().toLower().startsWith(
"aecdh"_L1)) {
58 if (ciph.usedBits() >= 128)
59 defaultCiphers << ciph;
75 errorString.
append(
", "_L1);
86 qCWarning(lcTlsBackend) <<
"Discarding errors:" << errors;
95bool QTlsBackendOpenSSL::ensureLibraryLoaded()
97 static bool libraryLoaded = []() {
106 qCWarning(lcTlsBackend,
"QSslSocket: OpenSSL >= 1.1.1 is required; %s was found instead",
q_OpenSSL_version(OPENSSL_VERSION));
118 qWarning(
"Random number generator not seeded, disabling SSL support");
125 return libraryLoaded;
135 return ensureLibraryLoaded();
154 return OPENSSL_VERSION_NUMBER;
173 ensureCiphersAndCertsLoaded();
176void QTlsBackendOpenSSL::ensureCiphersAndCertsLoaded()
const
178 Q_CONSTINIT
static bool initializationStarted =
false;
182 if (initialized.loadAcquire())
187 if (initializationStarted || initialized.loadAcquire())
193 initializationStarted =
true;
195 auto guard =
qScopeGuard([] { initialized.storeRelease(1); });
197 resetDefaultCiphers();
198 resetDefaultEllipticCurves();
200#if QT_CONFIG(library)
204#elif defined(Q_OS_UNIX) && !defined(Q_OS_DARWIN)
208 symLinkFilter <<
"[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"_L1;
209 for (
const auto &
dir : dirs) {
231void QTlsBackendOpenSSL::resetDefaultCiphers()
249 setDefaultSupportedCiphers(ciphers);
250 setDefaultCiphers(defaultCiphers);
260 setDefaultDtlsCiphers(defaultCiphers);
276 protocols << QSsl::TlsV1_0;
277 protocols << QSsl::TlsV1_0OrLater;
278 protocols << QSsl::TlsV1_1;
279 protocols << QSsl::TlsV1_1OrLater;
292 protocols << QSsl::DtlsV1_0;
293 protocols << QSsl::DtlsV1_0OrLater;
308#if !defined(OPENSSL_NO_TLSEXT)
359#ifdef QSSLSOCKET_DEBUG
365 HCERTSTORE hSystemStore;
366 hSystemStore = CertOpenSystemStoreW(0, L
"ROOT");
368 PCCERT_CONTEXT pc =
nullptr;
370 pc = CertFindCertificateInStore(hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY,
nullptr, pc);
373 QByteArray der(
reinterpret_cast<const char *
>(pc->pbCertEncoded),
374 static_cast<int>(pc->cbCertEncoded));
378 CertCloseStore(hSystemStore, 0);
380#elif defined(Q_OS_ANDROID)
382 for (
auto certDatum : certData)
384#elif defined(Q_OS_UNIX)
393 for (
const auto &
directory : directories) {
396 while (
it.hasNext()) {
398 certFiles.
insert(
it.nextFileInfo().canonicalFilePath());
401 for (
const QString&
file : std::as_const(certFiles))
405#ifdef QSSLSOCKET_DEBUG
406 qCDebug(lcTlsBackend) <<
"systemCaCertificates retrieval time " <<
timer.elapsed() <<
"ms";
407 qCDebug(lcTlsBackend) <<
"imported " << systemCerts.
count() <<
" certificates";
425 qCWarning(lcTlsBackend,
"Feature 'dtls' is disabled, cannot verify DTLS cookies");
442 qCWarning(lcTlsBackend,
"Feature 'dtls' is disabled, cannot encrypt UDP datagrams");
476 ids.reserve(curveCount);
477 for (
const auto &ec : builtinCurves)
478 ids.push_back(ec.nid);
566 NID_X9_62_prime192v1,
570 NID_X9_62_prime256v1,
585 return std::find(
tlsNamedCurveNIDs, tlsNamedCurveNIDsEnd,
id) != tlsNamedCurveNIDsEnd;
598 int supportedBits = 0;
600 return createCiphersuite(
desc,
bits, supportedBits);
610#include "moc_qtlsbackend_openssl_p.cpp"