authorQt Continuous Integration System <qt-info@nokia.com>2011-03-16 01:44:52 (GMT)
committerQt Continuous Integration System <qt-info@nokia.com>2011-03-16 01:44:52 (GMT)
commite318b0276c3d4a0db8660b4fa6d68f1784aee522 (patch)
treebc8c6132417a7337f874e01fc5c820cf9a9fc2c8 /src/network/ssl
parent596c8c65524d27b2537986b94c19d796219217b9 (diff)
parentad0f3996a9674def59766726db34191844d2af0a (diff)
Merge branch 'master' of scm.dev.nokia.troll.no:qt/qt-earth-staging into master-integration
* 'master' of scm.dev.nokia.troll.no:qt/qt-earth-staging: (31 commits) SSL: give protocol enum SecureProtocols an own value QMAKE: Fix post build events for VS2010 SSL backend: avoid setting SNI hostname for old SSL versions SSL: Switch default version to TlsV1SslV3 (i.e. use TLS 1 or SSL 3) SSL: introduce new option TlsV1SslV3 for SSL communication Mac Style: Compile Fix Mac: Center the Window title on Cocoa. Fix corner of scroll area so it is stylable on Mac. QNAM HTTP: Pair channels with requests at a later state. tst_qnetworkreply: fix MiniHttpServer crash Windows: Activate the context menu on tray icons when shown. SSL backend: check at runtime for the right OpenSSL version for SNI QNAM HTTP: Fix the ioPostToHttpFromSocket auto test Disable capabilities example for symbian-gcce due to a bug in elf2e32 Fixed documentation for QByteArray Improve handling QByteArray with QStringBuilder Do not handle posted events in QSplashScreen. SSL tests: Be more verbose in on-demand cert test Fix qstringbuilder test. Wrap qPrintable inside QString ...
Diffstat (limited to 'src/network/ssl')
-rw-r--r--src/network/ssl/qssl.cpp7
-rw-r--r--src/network/ssl/qssl.h4
-rw-r--r--src/network/ssl/qsslconfiguration.cpp4
-rw-r--r--src/network/ssl/qsslconfiguration_p.h2
-rw-r--r--src/network/ssl/qsslsocket.cpp32
-rw-r--r--src/network/ssl/qsslsocket.h3
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp32
-rw-r--r--src/network/ssl/qsslsocket_openssl_p.h4
-rw-r--r--src/network/ssl/qsslsocket_openssl_symbols.cpp14
-rw-r--r--src/network/ssl/qsslsocket_openssl_symbols_p.h4
10 files changed, 97 insertions, 9 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index e9e7d21..5594296 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -101,12 +101,17 @@ QT_BEGIN_NAMESPACE
Describes the protocol of the cipher.
- \value SslV3 SSLv3 - the default protocol.
+ \value SslV3 SSLv3
\value SslV2 SSLv2
\value TlsV1 TLSv1
\value UnknownProtocol The cipher's protocol cannot be determined.
\value AnyProtocol The socket understands SSLv2, SSLv3, and TLSv1. This
value is used by QSslSocket only.
+ \value TlsV1SslV3 On the client side, this will send
+ a TLS 1.0 Client Hello, enabling TLSv1 and SSLv3 connections.
+ On the server side, this will enable both SSLv3 and TLSv1 connections.
+ \value SecureProtocols The default option, using protocols known to be secure;
+ currently behaves like TlsV1SslV3.
Note: most servers using SSL understand both versions (2 and 3),
but it is recommended to use the latest version only for security
diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h
index 4c035fd..24dbb09 100644
--- a/src/network/ssl/qssl.h
+++ b/src/network/ssl/qssl.h
@@ -75,8 +75,10 @@ namespace QSsl {
enum SslProtocol {
SslV3,
SslV2,
- TlsV1,
+ TlsV1, // ### Qt 5: rename to TlsV1_0 or so
AnyProtocol,
+ TlsV1SslV3,
+ SecureProtocols,
UnknownProtocol = -1
};
}
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 3592226..150f77e 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -213,7 +213,7 @@ bool QSslConfiguration::isNull() const
*/
QSsl::SslProtocol QSslConfiguration::protocol() const
{
- return d ? d->protocol : QSsl::SslV3;
+ return d ? d->protocol : QSsl::SecureProtocols;
}
/*!
@@ -518,7 +518,7 @@ void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certific
\list
\o no local certificate and no private key
- \o protocol SSLv3
+ \o protocol SecureProtocols (meaning either TLS 1.0 or SSL 3 will be used)
\o the system's default CA certificate list
\o the cipher list equal to the list of the SSL libraries'
supported SSL ciphers
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index b039e69..a5af51a 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -80,7 +80,7 @@ class QSslConfigurationPrivate: public QSharedData
{
public:
QSslConfigurationPrivate()
- : protocol(QSsl::SslV3),
+ : protocol(QSsl::SecureProtocols),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
peerVerifyDepth(0)
{ }
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 61f27fe..98e2dc5 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -56,7 +56,7 @@
QSslSocket establishes a secure, encrypted TCP connection you can
use for transmitting encrypted data. It can operate in both client
and server mode, and it supports modern SSL protocols, including
- SSLv3 and TLSv1. By default, QSslSocket uses SSLv3, but you can
+ SSLv3 and TLSv1. By default, QSslSocket uses TLSv1, but you can
change the SSL protocol by calling setProtocol() as long as you do
it before the handshake has started.
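Review bot: The new sentence says QSslSocket "uses TLSv1" by default, which contradicts the default this same change introduces elsewhere: QSslConfiguration documents it as SecureProtocols, "meaning either TLS 1.0 or SSL 3 will be used", and the OpenSSL backend builds a SSLv23 context with only SSLv2 disabled for that value. Suggest `SSLv3 and TLSv1. By default, QSslSocket uses QSsl::SecureProtocols (TLSv1 or SSLv3), but you can`. It is also worth stating here that a client that must never negotiate SSLv3 has to call setProtocol(QSsl::TlsV1) explicitly, since the default still permits it.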
@@ -552,7 +552,7 @@ bool QSslSocket::isEncrypted() const
}
/*!
- Returns the socket's SSL protocol. By default, \l QSsl::SslV3 is used.
+ Returns the socket's SSL protocol. By default, \l QSsl::SecureProtocols is used.
\sa setProtocol()
*/
@@ -659,6 +659,34 @@ void QSslSocket::setPeerVerifyDepth(int depth)
}
/*!
+ \since 4.8
+
+ Returns the different hostname for the certificate validation, as set by
+ setPeerVerifyName or by connectToHostEncrypted.
+
+ \sa setPeerVerifyName(), connectToHostEncrypted()
+*/
+QString QSslSocket::peerVerifyName() const
+{
+ Q_D(const QSslSocket);
+ return d->verificationPeerName;
+}
+
+/*!
+ \since 4.8
+
+ Sets a different hostname for the certificate validation instead of the one used for the TCP
+ connection.
+
+ \sa connectToHostEncrypted()
+*/
+void QSslSocket::setPeerVerifyName(const QString &hostName)
+{
+ Q_D(QSslSocket);
+ d->verificationPeerName = hostName;
+}
+
+/*!
\reimp
Returns the number of decrypted bytes that are immediately available for
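Review bot: setPeerVerifyName() neither checks nor documents when it takes effect; the backend reads verificationPeerName while initialising the SSL context (where it is also used as the SNI name), so like setProtocol() it only works if called before the handshake starts. Suggest adding to its docstring: `\note Must be set before the handshake starts. The name is also sent to the server in clear text as the TLS Server Name Indication.` Because this name replaces the connected host in certificate validation, the docs should say it must come from trusted configuration (e.g. a proxy or alias setup), not from the peer or user input, otherwise hostname matching is effectively bypassed. The getter's "Returns the different hostname" reads oddly; "Returns the hostname used for certificate validation" is clearer.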
diff --git a/src/network/ssl/qsslsocket.h b/src/network/ssl/qsslsocket.h
index 703a1fb..648fd8c 100644
--- a/src/network/ssl/qsslsocket.h
+++ b/src/network/ssl/qsslsocket.h
@@ -106,6 +106,9 @@ public:
int peerVerifyDepth() const;
void setPeerVerifyDepth(int depth);
+ QString peerVerifyName() const;
+ void setPeerVerifyName(const QString &hostName);
+
// From QIODevice
qint64 bytesAvailable() const;
qint64 bytesToWrite() const;
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 83714ed..3d7612a 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -60,6 +60,12 @@
#include <QtCore/qvarlengtharray.h>
#include <QLibrary> // for loading the security lib for the CA store
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+// Symbian does not seem to have the symbol for SNI defined
+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
+#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
+#endif
+#endif
QT_BEGIN_NAMESPACE
#if defined(Q_OS_MAC)
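Review bot: The fallback `#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55` only covers one of the two TLS-extension constants the SNI code later in this file needs; TLSEXT_NAMETYPE_host_name comes from the same tls1.h and presumably is missing on the same toolchain, so the shim should cover it too: `#ifndef TLSEXT_NAMETYPE_host_name` / `#define TLSEXT_NAMETYPE_host_name 0` / `#endif`. A short comment stating that 55 and 0 mirror the values in OpenSSL's tls1.h would tell a maintainer where to re-check them when the minimum OpenSSL version changes.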
@@ -253,6 +259,8 @@ init_context:
case QSsl::SslV3:
ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());
break;
+ case QSsl::SecureProtocols: // SslV2 will be disabled below
+ case QSsl::TlsV1SslV3: // SslV2 will be disabled below
case QSsl::AnyProtocol:
default:
ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
@@ -278,7 +286,11 @@ init_context:
}
// Enable all bug workarounds.
- q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ if (configuration.protocol == QSsl::TlsV1SslV3 || configuration.protocol == QSsl::SecureProtocols) {
+ q_SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
+ } else {
+ q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ }
// Initialize ciphers
QByteArray cipherString;
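Review bot: The two q_SSL_CTX_set_options() branches differ by a single flag; building the mask once keeps future protocol restrictions in one place: `long options = SSL_OP_ALL;` / `if (configuration.protocol == QSsl::TlsV1SslV3 || configuration.protocol == QSsl::SecureProtocols) options |= SSL_OP_NO_SSLv2;` / `q_SSL_CTX_set_options(ctx, options);`. AnyProtocol still permits SSLv2 here, which matches its documentation, but a one-line comment on the else branch would make that deliberate rather than accidental. Note that SSL_OP_ALL in OpenSSL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which disables the CBC empty-fragment countermeasure; this change does not introduce that, but the "all bug workarounds" line now sits on the secure-default path and deserves a TODO. The enclosing function starts outside the hunk.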
@@ -386,6 +398,24 @@ init_context:
return false;
}
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ if ((configuration.protocol == QSsl::TlsV1SslV3 ||
+ configuration.protocol == QSsl::TlsV1 ||
+ configuration.protocol == QSsl::SecureProtocols ||
+ configuration.protocol == QSsl::AnyProtocol) &&
+ client && q_SSLeay() >= 0x00090806fL) {
+ // Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format.
+ QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName;
+ if (tlsHostName.isEmpty())
+ tlsHostName = hostName;
+ QByteArray ace = QUrl::toAce(tlsHostName);
+ if (!ace.isEmpty()) {
+ if (!q_SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, ace.constData()))
+ qWarning("could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled");
+ }
+ }
+#endif
+
// Clear the session.
q_SSL_clear(ssl);
errorList.clear();
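Review bot: The SNI name falls back to hostName, which can be an IP literal; RFC 4366 section 3.1 forbids literal IPv4/IPv6 addresses in the host_name extension and some servers abort the handshake on them, so the ctrl call should be skipped for literals, e.g. `if (!ace.isEmpty() && !QHostAddress().setAddress(tlsHostName))` (assuming QHostAddress is available in this file). Whatever is passed to setPeerVerifyName() is sent on the wire in clear text through this path, which the public API docs should mention. The enclosing function starts outside the hunk.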
diff --git a/src/network/ssl/qsslsocket_openssl_p.h b/src/network/ssl/qsslsocket_openssl_p.h
index 5a7963e..ca49fab 100644
--- a/src/network/ssl/qsslsocket_openssl_p.h
+++ b/src/network/ssl/qsslsocket_openssl_p.h
@@ -79,6 +79,10 @@
#include <openssl/x509_vfy.h>
#include <openssl/dsa.h>
#include <openssl/rsa.h>
+#include <openssl/crypto.h>
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+#include <openssl/tls1.h>
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
typedef _STACK STACK;
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index b9a05f3..b1310cc 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -208,6 +208,9 @@ DEFINEFUNC(long, SSL_get_verify_result, SSL *a, a, return -1, return)
DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return)
DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG)
DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return 0, return)
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+DEFINEFUNC4(long, SSL_ctrl, SSL *a, a, int cmd, cmd, long larg, larg, const void *parg, parg, return -1, return)
+#endif
DEFINEFUNC3(int, SSL_read, SSL *a, a, void *b, b, int c, c, return -1, return)
DEFINEFUNC3(void, SSL_set_bio, SSL *a, a, BIO *b, b, BIO *c, c, return, DUMMYARG)
DEFINEFUNC(void, SSL_set_accept_state, SSL *a, a, return, DUMMYARG)
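Review bot: The unresolved-symbol fallback for SSL_ctrl returns -1, but the only caller in this change tests `!q_SSL_ctrl(...)`, so a missing symbol reads as success and its "Server Name Indication disabled" warning never fires; `return 0` as the fallback matches the 0-on-failure convention of SSL_CTRL_SET_TLSEXT_HOSTNAME and makes the caller's check meaningful. OpenSSL declares SSL_ctrl's last parameter as `void *parg`, not `const void *`; if that holds for the headers in use here, the resolved pointer is called through a mismatched prototype, which works in practice but is better matched to the library's declaration.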
@@ -263,6 +266,7 @@ DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c,
DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG)
DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG)
DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return)
+DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return)
#ifdef Q_OS_SYMBIAN
#define RESOLVEFUNC(func, ordinal, lib) \
@@ -586,6 +590,9 @@ bool q_resolveOpenSslSymbols()
RESOLVEFUNC(SSL_library_init, 137, libs.first )
RESOLVEFUNC(SSL_load_error_strings, 139, libs.first )
RESOLVEFUNC(SSL_new, 140, libs.first )
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ RESOLVEFUNC(SSL_ctrl, 95, libs.first )
+#endif
RESOLVEFUNC(SSL_read, 143, libs.first )
RESOLVEFUNC(SSL_set_accept_state, 148, libs.first )
RESOLVEFUNC(SSL_set_bio, 149, libs.first )
@@ -600,6 +607,7 @@ bool q_resolveOpenSslSymbols()
RESOLVEFUNC(SSLv3_server_method, 197, libs.first )
RESOLVEFUNC(SSLv23_server_method, 191, libs.first )
RESOLVEFUNC(TLSv1_server_method, 200, libs.first )
+ RESOLVEFUNC(SSL_CTX_load_verify_locations, 34, libs.first )
RESOLVEFUNC(X509_NAME_oneline, 1830, libs.second )
RESOLVEFUNC(X509_PUBKEY_get, 1844, libs.second )
RESOLVEFUNC(X509_STORE_free, 1939, libs.second )
@@ -631,7 +639,7 @@ bool q_resolveOpenSslSymbols()
#endif
RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf, 1153, libs.second )
RESOLVEFUNC(OPENSSL_add_all_algorithms_conf, 1152, libs.second )
- RESOLVEFUNC(SSL_CTX_load_verify_locations, 34, libs.second )
+ RESOLVEFUNC(SSLeay, 1504, libs.second )
#else // Q_OS_SYMBIAN
#ifdef SSLEAY_MACROS
RESOLVEFUNC(ASN1_dup)
@@ -711,6 +719,9 @@ bool q_resolveOpenSslSymbols()
RESOLVEFUNC(SSL_library_init)
RESOLVEFUNC(SSL_load_error_strings)
RESOLVEFUNC(SSL_new)
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ RESOLVEFUNC(SSL_ctrl)
+#endif
RESOLVEFUNC(SSL_read)
RESOLVEFUNC(SSL_set_accept_state)
RESOLVEFUNC(SSL_set_bio)
@@ -757,6 +768,7 @@ bool q_resolveOpenSslSymbols()
RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf)
RESOLVEFUNC(OPENSSL_add_all_algorithms_conf)
RESOLVEFUNC(SSL_CTX_load_verify_locations)
+ RESOLVEFUNC(SSLeay)
#endif // Q_OS_SYMBIAN
symbolsResolved = true;
delete libs.first;
diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h
index c05dfe11..49830ac 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
@@ -316,6 +316,9 @@ long q_SSL_get_verify_result(SSL *a);
int q_SSL_library_init();
void q_SSL_load_error_strings();
SSL *q_SSL_new(SSL_CTX *a);
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+long q_SSL_ctrl(SSL *ssl,int cmd, long larg, const void *parg);
+#endif
int q_SSL_read(SSL *a, void *b, int c);
void q_SSL_set_bio(SSL *a, BIO *b, BIO *c);
void q_SSL_set_accept_state(SSL *a);
@@ -413,6 +416,7 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
void q_OPENSSL_add_all_algorithms_noconf();
void q_OPENSSL_add_all_algorithms_conf();
int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
+long q_SSLeay();
// Helper function
class QDateTime;