Merge branch 'master' of scm.dev.troll.no:qt/qt-earth-team into symbian-socket-engine

Conflicts: src/s60installs/bwins/QtCoreu.def src/s60installs/bwins/QtGuiu.def src/s60installs/bwins/QtNetworku.def src/s60installs/eabi/QtCoreu.def src/s60installs/eabi/QtGuiu.def src/s60installs/eabi/QtNetworku.def src/s60installs/eabi/QtOpenVGu.def tests/auto/qabstractnetworkcache/tst_qabstractnetworkcache.cpp
author: Shane Kearns <shane.kearns@accenture.com> 2011-04-11 10:48:44 (GMT)
committer: Shane Kearns <shane.kearns@accenture.com> 2011-04-11 10:48:44 (GMT)
commit: 1062da14facb7dd10f0928a4c242549d3626f9ba (patch)
tree: 4462fcaa82b45c47eddcdcb1d89e1cc03de45a85 /src/network/ssl
parent: 847df81a5680fe4d71196d0afe5e68e41ae49700 (diff)
parent: dd60cf7ba8afdf5c84f5793c1e1d08ab18303a74 (diff)
download: Qt-1062da14facb7dd10f0928a4c242549d3626f9ba.zip
Qt-1062da14facb7dd10f0928a4c242549d3626f9ba.tar.gz
Qt-1062da14facb7dd10f0928a4c242549d3626f9ba.tar.bz2
8 files changed, 69 insertions, 37 deletions
diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 618ac79..a5cdf01 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
     Returns true if this certificate is valid; otherwise returns
     false.
 
-    Note: Currently, this function only checks that the current
+    Note: Currently, this function checks that the current
     data-time is within the date-time range during which the
-    certificate is considered valid. No other checks are
-    currently performed.
+    certificate is considered valid, and checks that the
+    certificate is not in a blacklist of fraudulent certificates.
 
     \sa isNull()
 */
 bool QSslCertificate::isValid() const
 {
     const QDateTime currentTime = QDateTime::currentDateTime();
-    return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
+    return currentTime >= d->notValidBefore &&
+            currentTime <= d->notValidAfter &&
+            ! QSslCertificatePrivate::isBlacklisted(*this);
 }
 
 /*!
@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
     return certificates;
 }
 
+// These certificates are known to be fraudulent and were created during the comodo
+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
+static const char *certificate_blacklist[] = {
+    "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
+    "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
+    "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
+    "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
+    "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
+    "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
+    "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
+    "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
+    "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
+    0
+};
+
+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
+{
+    for (int a = 0; certificate_blacklist[a] != 0; a++) {
+        if (certificate.serialNumber() == certificate_blacklist[a])
+            return true;
+    }
+    return false;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
 {
diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
index cdceb0f..1ce33d3 100644
--- a/src/network/ssl/qsslcertificate_p.h
+++ b/src/network/ssl/qsslcertificate_p.h
@@ -96,6 +96,7 @@ public:
     static QSslCertificate QSslCertificate_from_X509(X509 *x509);
     static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
     static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
+    static bool isBlacklisted(const QSslCertificate &certificate);
 
     friend class QSslSocketBackendPrivate;
 
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 150f77e..c8dbaed 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -47,18 +47,6 @@
 
 QT_BEGIN_NAMESPACE
 
-template<> void QSharedDataPointer<QSslConfigurationPrivate>::detach()
-{
-    if (d && d->ref == 1)
-        return;
-    QSslConfigurationPrivate *x = (d ? new QSslConfigurationPrivate(*d)
-                                   : new QSslConfigurationPrivate);
-    x->ref.ref();
-    if (d && !d->ref.deref())
-        delete d;
-    d = x;
-}
-
 /*!
     \class QSslConfiguration
     \brief The QSslConfiguration class holds the configuration and state of an SSL connection
@@ -126,7 +114,7 @@ template<> void QSharedDataPointer<QSslConfigurationPrivate>::detach()
     Once any setter methods are called, isNull() will return false.
 */
 QSslConfiguration::QSslConfiguration()
-    : d(0)
+    : d(new QSslConfigurationPrivate)
 {
 }
 
@@ -203,7 +191,15 @@ bool QSslConfiguration::operator==(const QSslConfiguration &other) const
 */
 bool QSslConfiguration::isNull() const
 {
-    return d == 0;
+    return (d->protocol == QSsl::SecureProtocols &&
+            d->peerVerifyMode == QSslSocket::AutoVerifyPeer &&
+            d->peerVerifyDepth == 0 &&
+            d->caCertificates.count() == 0 &&
+            d->ciphers.count() == 0 &&
+            d->localCertificate.isNull() &&
+            d->privateKey.isNull() &&
+            d->peerCertificate.isNull() &&
+            d->peerCertificateChain.count() == 0);
 }
 
 /*!
@@ -213,7 +209,7 @@ bool QSslConfiguration::isNull() const
 */
 QSsl::SslProtocol QSslConfiguration::protocol() const
 {
-    return d ? d->protocol : QSsl::SecureProtocols;
+    return d->protocol;
 }
 
 /*!
@@ -243,7 +239,7 @@ void QSslConfiguration::setProtocol(QSsl::SslProtocol protocol)
 */
 QSslSocket::PeerVerifyMode QSslConfiguration::peerVerifyMode() const
 {
-    return d ? d->peerVerifyMode : QSslSocket::AutoVerifyPeer;
+    return d->peerVerifyMode;
 }
 
 /*!
@@ -276,7 +272,7 @@ void QSslConfiguration::setPeerVerifyMode(QSslSocket::PeerVerifyMode mode)
 */
 int QSslConfiguration::peerVerifyDepth() const
 {
-    return d ? d->peerVerifyDepth : 0;
+    return d->peerVerifyDepth;
 }
 
 /*!
@@ -307,7 +303,7 @@ void QSslConfiguration::setPeerVerifyDepth(int depth)
 */
 QSslCertificate QSslConfiguration::localCertificate() const
 {
-    return d ? d->localCertificate : QSslCertificate();
+    return d->localCertificate;
 }
 
 /*!
@@ -361,7 +357,7 @@ void QSslConfiguration::setLocalCertificate(const QSslCertificate &certificate)
 */
 QSslCertificate QSslConfiguration::peerCertificate() const
 {
-    return d ? d->peerCertificate : QSslCertificate();
+    return d->peerCertificate;
 }
 
 /*!
@@ -393,7 +389,7 @@ QSslCertificate QSslConfiguration::peerCertificate() const
 */
 QList<QSslCertificate> QSslConfiguration::peerCertificateChain() const
 {
-    return d ? d->peerCertificateChain : QList<QSslCertificate>();
+    return d->peerCertificateChain;
 }
 
 /*!
@@ -411,7 +407,7 @@ QList<QSslCertificate> QSslConfiguration::peerCertificateChain() const
 */
 QSslCipher QSslConfiguration::sessionCipher() const
 {
-    return d ? d->sessionCipher : QSslCipher();
+    return d->sessionCipher;
 }
 
 /*!
@@ -422,7 +418,7 @@ QSslCipher QSslConfiguration::sessionCipher() const
 */
 QSslKey QSslConfiguration::privateKey() const
 {
-    return d ? d->privateKey : QSslKey();
+    return d->privateKey;
 }
 
 /*!
@@ -464,7 +460,7 @@ void QSslConfiguration::setPrivateKey(const QSslKey &key)
 */
 QList<QSslCipher> QSslConfiguration::ciphers() const
 {
-    return d ? d->ciphers : QList<QSslCipher>();
+    return d->ciphers;
 }
 
 /*!
@@ -494,7 +490,7 @@ void QSslConfiguration::setCiphers(const QList<QSslCipher> &ciphers)
 */
 QList<QSslCertificate> QSslConfiguration::caCertificates() const
 {
-    return d ? d->caCertificates : QList<QSslCertificate>();
+    return d->caCertificates;
 }
 
 /*!
diff --git a/src/network/ssl/qsslconfiguration.h b/src/network/ssl/qsslconfiguration.h
index 69dd145..143566b 100644
--- a/src/network/ssl/qsslconfiguration.h
+++ b/src/network/ssl/qsslconfiguration.h
@@ -86,7 +86,7 @@ public:
     inline bool operator!=(const QSslConfiguration &other) const
     { return !(*this == other); }
 
-    bool isNull() const;
+    bool isNull() const; // ### Qt 5: remove; who would need this?
 
     QSsl::SslProtocol protocol() const;
     void setProtocol(QSsl::SslProtocol protocol);
diff --git a/src/network/ssl/qsslerror.cpp b/src/network/ssl/qsslerror.cpp
index 198b1f5..ae18b47 100644
--- a/src/network/ssl/qsslerror.cpp
+++ b/src/network/ssl/qsslerror.cpp
@@ -86,6 +86,7 @@
     \value HostNameMismatch
     \value UnspecifiedError
     \value NoSslSupport
+    \value CertificateBlacklisted
 
     \sa QSslError::errorString()
 */
@@ -281,6 +282,9 @@ QString QSslError::errorString() const
         break;
     case NoSslSupport:
         break;
+    case CertificateBlacklisted:
+        errStr = QSslSocket::tr("The peer certificate is blacklisted");
+        break;
     default:
         errStr = QSslSocket::tr("Unknown error");
         break;
diff --git a/src/network/ssl/qsslerror.h b/src/network/ssl/qsslerror.h
index ce4c749..c30c02a 100644
--- a/src/network/ssl/qsslerror.h
+++ b/src/network/ssl/qsslerror.h
@@ -83,6 +83,7 @@ public:
         NoPeerCertificate,
         HostNameMismatch,
         NoSslSupport,
+        CertificateBlacklisted,
         UnspecifiedError = -1
     };
 
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 5b943ab..0dbf4b5 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -828,14 +828,8 @@ void QSslSocket::setReadBufferSize(qint64 size)
     Q_D(QSslSocket);
     d->readBufferMaxSize = size;
 
-    // set the plain socket's buffer size to 1k if we have a limit
-    // see also the same logic in QSslSocketPrivate::createPlainSocket
-    if (d->plainSocket) {
-        if (d->mode == UnencryptedMode)
-            d->plainSocket->setReadBufferSize(size);
-        else
-            d->plainSocket->setReadBufferSize(size ? 1024 : 0);
-    }
+    if (d->plainSocket)
+        d->plainSocket->setReadBufferSize(size);
 }
 
 /*!
@@ -902,6 +896,7 @@ void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration)
     d->configuration.peerVerifyDepth = configuration.peerVerifyDepth();
     d->configuration.peerVerifyMode = configuration.peerVerifyMode();
     d->configuration.protocol = configuration.protocol();
+    d->allowRootCertOnDemandLoading = false;
 }
 
 /*!
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index d6967fe..78a78a2 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1241,6 +1241,15 @@ bool QSslSocketBackendPrivate::startHandshake()
 
     // Start translating errors.
     QList<QSslError> errors;
+
+    if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
+        QSslError error(QSslError::CertificateBlacklisted, configuration.peerCertificate);
+        errors << error;
+        emit q->peerVerifyError(error);
+        if (q->state() != QAbstractSocket::ConnectedState)
+            return false;
+    }
+
     bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer
                         || (configuration.peerVerifyMode == QSslSocket::AutoVerifyPeer
                             && mode == QSslSocket::SslClientMode);
author	Shane Kearns <shane.kearns@accenture.com>	2011-04-11 10:48:44 (GMT)
committer	Shane Kearns <shane.kearns@accenture.com>	2011-04-11 10:48:44 (GMT)
commit	1062da14facb7dd10f0928a4c242549d3626f9ba (patch)
tree	4462fcaa82b45c47eddcdcb1d89e1cc03de45a85 /src/network/ssl
parent	847df81a5680fe4d71196d0afe5e68e41ae49700 (diff)
parent	dd60cf7ba8afdf5c84f5793c1e1d08ab18303a74 (diff)
download	Qt-1062da14facb7dd10f0928a4c242549d3626f9ba.zip Qt-1062da14facb7dd10f0928a4c242549d3626f9ba.tar.gz Qt-1062da14facb7dd10f0928a4c242549d3626f9ba.tar.bz2