1	/****************************************************************************
2	**
3	** Copyright (C) 2017 The Qt Company Ltd.
4	** Copyright (C) 2014 Governikus GmbH & Co. KG
5	** Contact: https://www.qt.io/licensing/
6	**
7	** This file is part of the QtNetwork module of the Qt Toolkit.
8	**
9	** $QT_BEGIN_LICENSE:LGPL$
10	** Commercial License Usage
11	** Licensees holding valid commercial Qt licenses may use this file in
12	** accordance with the commercial license agreement provided with the
13	** Software or, alternatively, in accordance with the terms contained in
14	** a written agreement between you and The Qt Company. For licensing terms
15	** and conditions see https://www.qt.io/terms-conditions. For further
16	** information use the contact form at https://www.qt.io/contact-us.
17	**
18	** GNU Lesser General Public License Usage
19	** Alternatively, this file may be used under the terms of the GNU Lesser
20	** General Public License version 3 as published by the Free Software
21	** Foundation and appearing in the file LICENSE.LGPL3 included in the
22	** packaging of this file. Please review the following information to
23	** ensure the GNU Lesser General Public License version 3 requirements
24	** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
25	**
26	** GNU General Public License Usage
27	** Alternatively, this file may be used under the terms of the GNU
28	** General Public License version 2.0 or (at your option) the GNU General
29	** Public license version 3 or any later version approved by the KDE Free
30	** Qt Foundation. The licenses are as published by the Free Software
31	** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
32	** included in the packaging of this file. Please review the following
33	** information to ensure the GNU General Public License requirements will
34	** be met: https://www.gnu.org/licenses/gpl-2.0.html and
35	** https://www.gnu.org/licenses/gpl-3.0.html.
36	**
37	** $QT_END_LICENSE$
38	**
39	****************************************************************************/
40
41	/****************************************************************************
42	**
43	** In addition, as a special exception, the copyright holders listed above give
44	** permission to link the code of its release of Qt with the OpenSSL project's
45	** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the
46	** same license as the original version), and distribute the linked executables.
47	**
48	** You must comply with the GNU General Public License version 2 in all
49	** respects for all of the code used other than the "OpenSSL" code. If you
50	** modify this file, you may extend this exception to your version of the file,
51	** but you are not obligated to do so. If you do not wish to do so, delete
52	** this exception statement from your version of this file.
53	**
54	****************************************************************************/
55
56	//#define QSSLSOCKET_DEBUG
57
58	#include "qssl_p.h"
59	#include "qsslsocket_openssl_p.h"
60	#include "qsslsocket_openssl_symbols_p.h"
61	#include "qsslsocket.h"
62	#include "qsslcertificate_p.h"
63	#include "qsslcipher_p.h"
64	#include "qsslkey_p.h"
65	#include "qsslellipticcurve.h"
66	#include "qsslpresharedkeyauthenticator.h"
67	#include "qsslpresharedkeyauthenticator_p.h"
68	#include "qocspresponse_p.h"
69	#include "qsslkey.h"
70
71	#ifdef Q_OS_WIN
72	#include "qwindowscarootfetcher_p.h"
73	#endif
74
75	#include <QtCore/qdatetime.h>
76	#include <QtCore/qdebug.h>
77	#include <QtCore/qdir.h>
78	#include <QtCore/qdiriterator.h>
79	#include <QtCore/qelapsedtimer.h>
80	#include <QtCore/qfile.h>
81	#include <QtCore/qfileinfo.h>
82	#include <QtCore/qmutex.h>
83	#include <QtCore/qthread.h>
84	#include <QtCore/qurl.h>
85	#include <QtCore/qvarlengtharray.h>
86	#include <QtCore/qscopedvaluerollback.h>
87	#include <QtCore/qscopeguard.h>
88	#include <QtCore/qlibrary.h>
89	#include <QtCore/qoperatingsystemversion.h>
90
91	#if QT_CONFIG(ocsp)
92	#include "qocsp_p.h"
93	#endif
94
95	#include <algorithm>
96	#include <memory>
97
98	#include <string.h>
99
100	QT_BEGIN_NAMESPACE
101
102	#ifdef Q_OS_WIN
103
104	namespace {
105
106	QSslCertificate findCertificateToFetch(const QList<QSslError> &tlsErrors, bool checkAIA)
107	{
108	QSslCertificate certToFetch;
109
110	for (const auto &tlsError : tlsErrors) {
111	switch (tlsError.error()) {
112	case QSslError::UnableToGetLocalIssuerCertificate: // site presented intermediate cert, but root is unknown
113	case QSslError::SelfSignedCertificateInChain: // site presented a complete chain, but root is unknown
114	certToFetch = tlsError.certificate();
115	break;
116	case QSslError::SelfSignedCertificate:
117	case QSslError::CertificateBlacklisted:
118	//With these errors, we know it will be untrusted so save time by not asking windows
119	return QSslCertificate{};
120	default:
121	#ifdef QSSLSOCKET_DEBUG
122	qCDebug(lcSsl) << tlsError.errorString();
123	#endif
124	//TODO - this part is strange.
125	break;
126	}
127	}
128
129	if (checkAIA) {
130	const auto extensions = certToFetch.extensions();
131	for (const auto &ext : extensions) {
132	if (ext.oid() == QStringLiteral("1.3.6.1.5.5.7.1.1")) // See RFC 4325
133	return certToFetch;
134	}
135	//The only reason we check this extensions is because an application set trusted
136	//CA certificates explicitly, thus technically disabling CA fetch. So, if it's
137	//the case and an intermediate certificate is missing, and no extensions is
138	//present on the leaf certificate - we fail the handshake immediately.
139	return QSslCertificate{};
140	}
141
142	return certToFetch;
143	}
144
145	} // Unnamed namespace
146
147	#endif // Q_OS_WIN
148
149	Q_GLOBAL_STATIC(QRecursiveMutex, qt_opensslInitMutex)
150
151	bool QSslSocketPrivate::s_libraryLoaded = false;
152	bool QSslSocketPrivate::s_loadedCiphersAndCerts = false;
153	bool QSslSocketPrivate::s_loadRootCertsOnDemand = false;
154	int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1;
155
156	QString QSslSocketBackendPrivate::getErrorsFromOpenSsl()
157	{
158	QString errorString;
159	char buf[256] = {}; // OpenSSL docs claim both 120 and 256; use the larger.
160	unsigned long errNum;
161	while ((errNum = q_ERR_get_error())) {
162	if (!errorString.isEmpty())
163	errorString.append(s: QLatin1String(", "));
164	q_ERR_error_string_n(e: errNum, buf, len: sizeof buf);
165	errorString.append(s: QString::fromLatin1(str: buf)); // error is ascii according to man ERR_error_string
166	}
167	return errorString;
168	}
169
170	void QSslSocketBackendPrivate::logAndClearErrorQueue()
171	{
172	const auto errors = getErrorsFromOpenSsl();
173	if (errors.size())
174	qCWarning(lcSsl) << "Discarding errors:" << errors;
175	}
176
177	extern "C" {
178
179	#ifndef OPENSSL_NO_PSK
180	static unsigned int q_ssl_psk_client_callback(SSL *ssl,
181	const char *hint,
182	char *identity, unsigned int max_identity_len,
183	unsigned char *psk, unsigned int max_psk_len)
184	{
185	QSslSocketBackendPrivate *d = reinterpret_cast<QSslSocketBackendPrivate *>(q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData));
186	Q_ASSERT(d);
187	return d->tlsPskClientCallback(hint, identity, max_identity_len, psk, max_psk_len);
188	}
189
190	static unsigned int q_ssl_psk_server_callback(SSL *ssl,
191	const char *identity,
192	unsigned char *psk, unsigned int max_psk_len)
193	{
194	QSslSocketBackendPrivate *d = reinterpret_cast<QSslSocketBackendPrivate *>(q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData));
195	Q_ASSERT(d);
196	return d->tlsPskServerCallback(identity, psk, max_psk_len);
197	}
198
199	#ifdef TLS1_3_VERSION
200	static unsigned int q_ssl_psk_restore_client(SSL *ssl,
201	const char *hint,
202	char *identity, unsigned int max_identity_len,
203	unsigned char *psk, unsigned int max_psk_len)
204	{
205	Q_UNUSED(hint);
206	Q_UNUSED(identity);
207	Q_UNUSED(max_identity_len);
208	Q_UNUSED(psk);
209	Q_UNUSED(max_psk_len);
210
211	#ifdef QT_DEBUG
212	QSslSocketBackendPrivate *d = reinterpret_cast<QSslSocketBackendPrivate *>(q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData));
213	Q_ASSERT(d);
214	Q_ASSERT(d->mode == QSslSocket::SslClientMode);
215	#endif
216	unsigned retVal = 0;
217
218	// Let developers opt-in to having the normal PSK callback get called for TLS 1.3
219	// PSK (which works differently in a few ways, and is called at the start of every connection).
220	// When they do opt-in we just call the old callback from here.
221	if (qEnvironmentVariableIsSet(varName: "QT_USE_TLS_1_3_PSK"))
222	retVal = q_ssl_psk_client_callback(ssl, hint, identity, max_identity_len, psk, max_psk_len);
223
224	q_SSL_set_psk_client_callback(ssl, callback: &q_ssl_psk_client_callback);
225
226	return retVal;
227	}
228
229	static int q_ssl_psk_use_session_callback(SSL *ssl, const EVP_MD *md, const unsigned char **id,
230	size_t *idlen, SSL_SESSION **sess)
231	{
232	Q_UNUSED(md);
233	Q_UNUSED(id);
234	Q_UNUSED(idlen);
235	Q_UNUSED(sess);
236
237	#ifdef QT_DEBUG
238	QSslSocketBackendPrivate *d = reinterpret_cast<QSslSocketBackendPrivate *>(q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData));
239	Q_ASSERT(d);
240	Q_ASSERT(d->mode == QSslSocket::SslClientMode);
241	#endif
242
243	// Temporarily rebind the psk because it will be called next. The function will restore it.
244	q_SSL_set_psk_client_callback(ssl, callback: &q_ssl_psk_restore_client);
245
246	return 1; // need to return 1 or else "the connection setup fails."
247	}
248
249	int q_ssl_sess_set_new_cb(SSL *ssl, SSL_SESSION *session)
250	{
251	if (!ssl) {
252	qCWarning(lcSsl, "Invalid SSL (nullptr)");
253	return 0;
254	}
255	if (!session) {
256	qCWarning(lcSsl, "Invalid SSL_SESSION (nullptr)");
257	return 0;
258	}
259
260	auto socketPrivate = static_cast<QSslSocketBackendPrivate *>(q_SSL_get_ex_data(ssl,
261	idx: QSslSocketBackendPrivate::s_indexForSSLExtraData));
262	return socketPrivate->handleNewSessionTicket(context: ssl);
263	}
264	#endif // TLS1_3_VERSION
265
266	#endif // !OPENSSL_NO_PSK
267
268	#if QT_CONFIG(ocsp)
269
270	int qt_OCSP_status_server_callback(SSL *ssl, void *ocspRequest)
271	{
272	Q_UNUSED(ocspRequest)
273	if (!ssl)
274	return SSL_TLSEXT_ERR_ALERT_FATAL;
275
276	auto d = static_cast<QSslSocketBackendPrivate *>(q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData));
277	if (!d)
278	return SSL_TLSEXT_ERR_ALERT_FATAL;
279
280	Q_ASSERT(d->mode == QSslSocket::SslServerMode);
281	const QByteArray &response = d->ocspResponseDer;
282	Q_ASSERT(response.size());
283
284	unsigned char *derCopy = static_cast<unsigned char *>(q_OPENSSL_malloc(size_t(response.size())));
285	if (!derCopy)
286	return SSL_TLSEXT_ERR_ALERT_FATAL;
287
288	std::copy(first: response.data(), last: response.data() + response.size(), result: derCopy);
289	// We don't check the return value: internally OpenSSL simply assignes the
290	// pointer (it assumes it now owns this memory btw!) and the length.
291	q_SSL_set_tlsext_status_ocsp_resp(ssl, derCopy, response.size());
292
293	return SSL_TLSEXT_ERR_OK;
294	}
295
296	#endif // ocsp
297
298	} // extern "C"
299
300	QSslSocketBackendPrivate::QSslSocketBackendPrivate()
301	: ssl(nullptr),
302	readBio(nullptr),
303	writeBio(nullptr),
304	session(nullptr)
305	{
306	// Calls SSL_library_init().
307	ensureInitialized();
308	}
309
310	QSslSocketBackendPrivate::~QSslSocketBackendPrivate()
311	{
312	destroySslContext();
313	}
314
315	QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher)
316	{
317	QSslCipher ciph;
318
319	char buf [256];
320	QString descriptionOneLine = QString::fromLatin1(str: q_SSL_CIPHER_description(a: cipher, b: buf, c: sizeof(buf)));
321
322	const auto descriptionList = descriptionOneLine.splitRef(sep: QLatin1Char(' '), behavior: Qt::SkipEmptyParts);
323	if (descriptionList.size() > 5) {
324	// ### crude code.
325	ciph.d->isNull = false;
326	ciph.d->name = descriptionList.at(i: 0).toString();
327
328	QString protoString = descriptionList.at(i: 1).toString();
329	ciph.d->protocolString = protoString;
330	ciph.d->protocol = QSsl::UnknownProtocol;
331	if (protoString == QLatin1String("SSLv3"))
332	ciph.d->protocol = QSsl::SslV3;
333	else if (protoString == QLatin1String("SSLv2"))
334	ciph.d->protocol = QSsl::SslV2;
335	else if (protoString == QLatin1String("TLSv1"))
336	ciph.d->protocol = QSsl::TlsV1_0;
337	else if (protoString == QLatin1String("TLSv1.1"))
338	ciph.d->protocol = QSsl::TlsV1_1;
339	else if (protoString == QLatin1String("TLSv1.2"))
340	ciph.d->protocol = QSsl::TlsV1_2;
341	else if (protoString == QLatin1String("TLSv1.3"))
342	ciph.d->protocol = QSsl::TlsV1_3;
343
344	if (descriptionList.at(i: 2).startsWith(s: QLatin1String("Kx=")))
345	ciph.d->keyExchangeMethod = descriptionList.at(i: 2).mid(pos: 3).toString();
346	if (descriptionList.at(i: 3).startsWith(s: QLatin1String("Au=")))
347	ciph.d->authenticationMethod = descriptionList.at(i: 3).mid(pos: 3).toString();
348	if (descriptionList.at(i: 4).startsWith(s: QLatin1String("Enc=")))
349	ciph.d->encryptionMethod = descriptionList.at(i: 4).mid(pos: 4).toString();
350	ciph.d->exportable = (descriptionList.size() > 6 && descriptionList.at(i: 6) == QLatin1String("export"));
351
352	ciph.d->bits = q_SSL_CIPHER_get_bits(a: cipher, b: &ciph.d->supportedBits);
353	}
354	return ciph;
355	}
356
357	QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx)
358	{
359	return {
360	.code: q_X509_STORE_CTX_get_error(ctx),
361	.depth: q_X509_STORE_CTX_get_error_depth(ctx)
362	};
363	}
364
365	#if QT_CONFIG(ocsp)
366
367	QSslError qt_OCSP_response_status_to_QSslError(long code)
368	{
369	switch (code) {
370	case OCSP_RESPONSE_STATUS_MALFORMEDREQUEST:
371	return QSslError::OcspMalformedRequest;
372	case OCSP_RESPONSE_STATUS_INTERNALERROR:
373	return QSslError::OcspInternalError;
374	case OCSP_RESPONSE_STATUS_TRYLATER:
375	return QSslError::OcspTryLater;
376	case OCSP_RESPONSE_STATUS_SIGREQUIRED:
377	return QSslError::OcspSigRequred;
378	case OCSP_RESPONSE_STATUS_UNAUTHORIZED:
379	return QSslError::OcspUnauthorized;
380	case OCSP_RESPONSE_STATUS_SUCCESSFUL:
381	default:
382	return {};
383	}
384	Q_UNREACHABLE();
385	}
386
387	QOcspRevocationReason qt_OCSP_revocation_reason(int reason)
388	{
389	switch (reason) {
390	case OCSP_REVOKED_STATUS_NOSTATUS:
391	return QOcspRevocationReason::None;
392	case OCSP_REVOKED_STATUS_UNSPECIFIED:
393	return QOcspRevocationReason::Unspecified;
394	case OCSP_REVOKED_STATUS_KEYCOMPROMISE:
395	return QOcspRevocationReason::KeyCompromise;
396	case OCSP_REVOKED_STATUS_CACOMPROMISE:
397	return QOcspRevocationReason::CACompromise;
398	case OCSP_REVOKED_STATUS_AFFILIATIONCHANGED:
399	return QOcspRevocationReason::AffiliationChanged;
400	case OCSP_REVOKED_STATUS_SUPERSEDED:
401	return QOcspRevocationReason::Superseded;
402	case OCSP_REVOKED_STATUS_CESSATIONOFOPERATION:
403	return QOcspRevocationReason::CessationOfOperation;
404	case OCSP_REVOKED_STATUS_CERTIFICATEHOLD:
405	return QOcspRevocationReason::CertificateHold;
406	case OCSP_REVOKED_STATUS_REMOVEFROMCRL:
407	return QOcspRevocationReason::RemoveFromCRL;
408	default:
409	return QOcspRevocationReason::None;
410	}
411
412	Q_UNREACHABLE();
413	}
414
415	bool qt_OCSP_certificate_match(OCSP_SINGLERESP *singleResponse, X509 *peerCert, X509 *issuer)
416	{
417	// OCSP_basic_verify does verify that the responder is legit, the response is
418	// correctly signed, CertID is correct. But it does not know which certificate
419	// we were presented with by our peer, so it does not check if it's a response
420	// for our peer's certificate.
421	Q_ASSERT(singleResponse && peerCert && issuer);
422
423	const OCSP_CERTID *certId = q_OCSP_SINGLERESP_get0_id(x: singleResponse); // Does not increment refcount.
424	if (!certId) {
425	qCWarning(lcSsl, "A SingleResponse without CertID");
426	return false;
427	}
428
429	ASN1_OBJECT *md = nullptr;
430	ASN1_INTEGER *reportedSerialNumber = nullptr;
431	const int result = q_OCSP_id_get0_info(piNameHash: nullptr, pmd: &md, pikeyHash: nullptr, pserial: &reportedSerialNumber, cid: const_cast<OCSP_CERTID *>(certId));
432	if (result != 1 || !md || !reportedSerialNumber) {
433	qCWarning(lcSsl, "Failed to extract a hash and serial number from CertID structure");
434	return false;
435	}
436
437	if (!q_X509_get_serialNumber(a: peerCert)) {
438	// Is this possible at all? But we have to check this,
439	// ASN1_INTEGER_cmp (called from OCSP_id_cmp) dereferences
440	// without any checks at all.
441	qCWarning(lcSsl, "No serial number in peer's ceritificate");
442	return false;
443	}
444
445	const int nid = q_OBJ_obj2nid(a: md);
446	if (nid == NID_undef) {
447	qCWarning(lcSsl, "Unknown hash algorithm in CertID");
448	return false;
449	}
450
451	const EVP_MD *digest = q_EVP_get_digestbynid(nid); // Does not increment refcount.
452	if (!digest) {
453	qCWarning(lcSsl) << "No digest for nid" << nid;
454	return false;
455	}
456
457	OCSP_CERTID *recreatedId = q_OCSP_cert_to_id(dgst: digest, subject: peerCert, issuer);
458	if (!recreatedId) {
459	qCWarning(lcSsl, "Failed to re-create CertID");
460	return false;
461	}
462	const QSharedPointer<OCSP_CERTID> guard(recreatedId, q_OCSP_CERTID_free);
463
464	if (q_OCSP_id_cmp(a: const_cast<OCSP_CERTID *>(certId), b: recreatedId)) {
465	qCDebug(lcSsl, "Certificate ID mismatch");
466	return false;
467	}
468	// Bingo!
469	return true;
470	}
471
472	#endif // ocsp
473
474	int q_X509Callback(int ok, X509_STORE_CTX *ctx)
475	{
476	if (!ok) {
477	// Store the error and at which depth the error was detected.
478
479	using ErrorListPtr = QVector<QSslErrorEntry>*;
480	ErrorListPtr errors = nullptr;
481
482	// Error list is attached to either 'SSL' or 'X509_STORE'.
483	if (X509_STORE *store = q_X509_STORE_CTX_get0_store(ctx)) // We try store first:
484	errors = ErrorListPtr(q_X509_STORE_get_ex_data(r: store, idx: 0));
485
486	if (!errors) {
487	// Not found on store? Try SSL and its external data then. According to the OpenSSL's
488	// documentation:
489	//
490	// "Whenever a X509_STORE_CTX object is created for the verification of the peers certificate
491	// during a handshake, a pointer to the SSL object is stored into the X509_STORE_CTX object
492	// to identify the connection affected. To retrieve this pointer the X509_STORE_CTX_get_ex_data()
493	// function can be used with the correct index."
494	if (SSL *ssl = static_cast<SSL *>(q_X509_STORE_CTX_get_ex_data(
495	ctx, idx: q_SSL_get_ex_data_X509_STORE_CTX_idx()))) {
496
497	// We may be in a renegotiation, check if we are inside a call to SSL_read:
498	const auto tlsOffset = QSslSocketBackendPrivate::s_indexForSSLExtraData;
499	auto tls = static_cast<QSslSocketBackendPrivate *>(q_SSL_get_ex_data(ssl, idx: tlsOffset));
500	Q_ASSERT(tls);
501	if (tls->isInSslRead()) {
502	// We are in a renegotiation, make a note of this for later.
503	// We'll check that the certificate is the same as the one we got during
504	// the initial handshake
505	tls->setRenegotiated(true);
506	return 1;
507	}
508
509	errors = ErrorListPtr(q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData + 1));
510	}
511	}
512
513	if (!errors) {
514	qCWarning(lcSsl, "Neither X509_STORE, nor SSL contains error list, handshake failure");
515	return 0;
516	}
517
518	errors->append(t: QSslErrorEntry::fromStoreContext(ctx));
519	}
520	// Always return OK to allow verification to continue. We handle the
521	// errors gracefully after collecting all errors, after verification has
522	// completed.
523	return 1;
524	}
525
526	static void q_loadCiphersForConnection(SSL *connection, QList<QSslCipher> &ciphers,
527	QList<QSslCipher> &defaultCiphers)
528	{
529	Q_ASSERT(connection);
530
531	STACK_OF(SSL_CIPHER) *supportedCiphers = q_SSL_get_ciphers(a: connection);
532	for (int i = 0; i < q_sk_SSL_CIPHER_num(supportedCiphers); ++i) {
533	if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) {
534	QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher);
535	if (!ciph.isNull()) {
536	// Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection
537	if (!ciph.name().toLower().startsWith(s: QLatin1String("adh")) &&
538	!ciph.name().toLower().startsWith(s: QLatin1String("exp-adh")) &&
539	!ciph.name().toLower().startsWith(s: QLatin1String("aecdh"))) {
540	ciphers << ciph;
541
542	if (ciph.usedBits() >= 128)
543	defaultCiphers << ciph;
544	}
545	}
546	}
547	}
548	}
549
550	// Defined in qsslsocket.cpp
551	void q_setDefaultDtlsCiphers(const QList<QSslCipher> &ciphers);
552
553	long QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions)
554	{
555	long options;
556	if (protocol == QSsl::TlsV1SslV3)
557	options = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
558	else if (protocol == QSsl::SecureProtocols)
559	options = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
560	else if (protocol == QSsl::TlsV1_0OrLater)
561	options = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
562	else if (protocol == QSsl::TlsV1_1OrLater)
563	options = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1;
564	else if (protocol == QSsl::TlsV1_2OrLater)
565	options = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1;
566	else if (protocol == QSsl::TlsV1_3OrLater)
567	options = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2;
568	else
569	options = SSL_OP_ALL;
570
571	// This option is disabled by default, so we need to be able to clear it
572	if (sslOptions & QSsl::SslOptionDisableEmptyFragments)
573	options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
574	else
575	options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
576
577	#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
578	// This option is disabled by default, so we need to be able to clear it
579	if (sslOptions & QSsl::SslOptionDisableLegacyRenegotiation)
580	options &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
581	else
582	options |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
583	#endif
584
585	#ifdef SSL_OP_NO_TICKET
586	if (sslOptions & QSsl::SslOptionDisableSessionTickets)
587	options |= SSL_OP_NO_TICKET;
588	#endif
589	#ifdef SSL_OP_NO_COMPRESSION
590	if (sslOptions & QSsl::SslOptionDisableCompression)
591	options |= SSL_OP_NO_COMPRESSION;
592	#endif
593
594	if (!(sslOptions & QSsl::SslOptionDisableServerCipherPreference))
595	options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
596
597	return options;
598	}
599
600	bool QSslSocketBackendPrivate::initSslContext()
601	{
602	Q_Q(QSslSocket);
603
604	// If no external context was set (e.g. by QHttpNetworkConnection) we will
605	// create a default context
606	if (!sslContextPointer) {
607	// create a deep copy of our configuration
608	QSslConfigurationPrivate *configurationCopy = new QSslConfigurationPrivate(configuration);
609	configurationCopy->ref.storeRelaxed(newValue: 0); // the QSslConfiguration constructor refs up
610	sslContextPointer = QSslContext::sharedFromConfiguration(mode, configuration: configurationCopy, allowRootCertOnDemandLoading);
611	}
612
613	if (sslContextPointer->error() != QSslError::NoError) {
614	setErrorAndEmit(errorCode: QAbstractSocket::SslInvalidUserDataError, errorString: sslContextPointer->errorString());
615	sslContextPointer.clear(); // deletes the QSslContext
616	return false;
617	}
618
619	// Create and initialize SSL session
620	if (!(ssl = sslContextPointer->createSsl())) {
621	// ### Bad error code
622	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
623	errorString: QSslSocket::tr(s: "Error creating SSL session, %1").arg(a: getErrorsFromOpenSsl()));
624	return false;
625	}
626
627	if (configuration.protocol != QSsl::SslV2 &&
628	configuration.protocol != QSsl::SslV3 &&
629	configuration.protocol != QSsl::UnknownProtocol &&
630	mode == QSslSocket::SslClientMode) {
631	// Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format.
632	QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName;
633	if (tlsHostName.isEmpty())
634	tlsHostName = hostName;
635	QByteArray ace = QUrl::toAce(tlsHostName);
636	// only send the SNI header if the URL is valid and not an IP
637	if (!ace.isEmpty()
638	&& !QHostAddress().setAddress(tlsHostName)
639	&& !(configuration.sslOptions & QSsl::SslOptionDisableServerNameIndication)) {
640	// We don't send the trailing dot from the host header if present see
641	// https://tools.ietf.org/html/rfc6066#section-3
642	if (ace.endsWith(c: '.'))
643	ace.chop(n: 1);
644	if (!q_SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, parg: ace.data()))
645	qCWarning(lcSsl, "could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled");
646	}
647	}
648
649	// Clear the session.
650	errorList.clear();
651
652	// Initialize memory BIOs for encryption and decryption.
653	readBio = q_BIO_new(a: q_BIO_s_mem());
654	writeBio = q_BIO_new(a: q_BIO_s_mem());
655	if (!readBio || !writeBio) {
656	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
657	errorString: QSslSocket::tr(s: "Error creating SSL session: %1").arg(a: getErrorsFromOpenSsl()));
658	return false;
659	}
660
661	// Assign the bios.
662	q_SSL_set_bio(a: ssl, b: readBio, c: writeBio);
663
664	if (mode == QSslSocket::SslClientMode)
665	q_SSL_set_connect_state(a: ssl);
666	else
667	q_SSL_set_accept_state(a: ssl);
668
669	q_SSL_set_ex_data(ssl, idx: s_indexForSSLExtraData, arg: this);
670
671	#ifndef OPENSSL_NO_PSK
672	// Set the client callback for PSK
673	if (mode == QSslSocket::SslClientMode)
674	q_SSL_set_psk_client_callback(ssl, callback: &q_ssl_psk_client_callback);
675	else if (mode == QSslSocket::SslServerMode)
676	q_SSL_set_psk_server_callback(ssl, callback: &q_ssl_psk_server_callback);
677
678	#if OPENSSL_VERSION_NUMBER >= 0x10101006L
679	// Set the client callback for TLSv1.3 PSK
680	if (mode == QSslSocket::SslClientMode
681	&& QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
682	q_SSL_set_psk_use_session_callback(s: ssl, &q_ssl_psk_use_session_callback);
683	}
684	#endif // openssl version >= 0x10101006L
685
686	#endif // OPENSSL_NO_PSK
687
688
689	#if QT_CONFIG(ocsp)
690	if (configuration.ocspStaplingEnabled) {
691	if (mode == QSslSocket::SslServerMode) {
692	setErrorAndEmit(errorCode: QAbstractSocket::SslInvalidUserDataError,
693	errorString: QSslSocket::tr(s: "Server-side QSslSocket does not support OCSP stapling"));
694	return false;
695	}
696	if (q_SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp) != 1) {
697	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
698	errorString: QSslSocket::tr(s: "Failed to enable OCSP stapling"));
699	return false;
700	}
701	}
702
703	ocspResponseDer.clear();
704	auto responsePos = configuration.backendConfig.find(akey: "Qt-OCSP-response");
705	if (responsePos != configuration.backendConfig.end()) {
706	// This is our private, undocumented 'API' we use for the auto-testing of
707	// OCSP-stapling. It must be a der-encoded OCSP response, presumably set
708	// by tst_QOcsp.
709	const QVariant data(responsePos.value());
710	if (data.canConvert<QByteArray>())
711	ocspResponseDer = data.toByteArray();
712	}
713
714	if (ocspResponseDer.size()) {
715	if (mode != QSslSocket::SslServerMode) {
716	setErrorAndEmit(errorCode: QAbstractSocket::SslInvalidUserDataError,
717	errorString: QSslSocket::tr(s: "Client-side sockets do not send OCSP responses"));
718	return false;
719	}
720	}
721	#endif // ocsp
722
723	return true;
724	}
725
726	void QSslSocketBackendPrivate::destroySslContext()
727	{
728	if (ssl) {
729	if (!q_SSL_in_init(s: ssl) && !systemOrSslErrorDetected) {
730	// We do not send a shutdown alert here. Just mark the session as
731	// resumable for qhttpnetworkconnection's "optimization", otherwise
732	// OpenSSL won't start a session resumption.
733	if (q_SSL_shutdown(a: ssl) != 1) {
734	// Some error may be queued, clear it.
735	const auto errors = getErrorsFromOpenSsl();
736	Q_UNUSED(errors);
737	}
738	}
739	q_SSL_free(a: ssl);
740	ssl = nullptr;
741	}
742	sslContextPointer.clear();
743	}
744
745	/*!
746	\internal
747
748	Does the minimum amount of initialization to determine whether SSL
749	is supported or not.
750	*/
751
752	bool QSslSocketPrivate::supportsSsl()
753	{
754	return ensureLibraryLoaded();
755	}
756
757
758	/*!
759	\internal
760
761	Returns the version number of the SSL library in use. Note that
762	this is the version of the library in use at run-time, not compile
763	time.
764	*/
765	long QSslSocketPrivate::sslLibraryVersionNumber()
766	{
767	if (!supportsSsl())
768	return 0;
769
770	return q_OpenSSL_version_num();
771	}
772
773	/*!
774	\internal
775
776	Returns the version string of the SSL library in use. Note that
777	this is the version of the library in use at run-time, not compile
778	time. If no SSL support is available then this will return an empty value.
779	*/
780	QString QSslSocketPrivate::sslLibraryVersionString()
781	{
782	if (!supportsSsl())
783	return QString();
784
785	const char *versionString = q_OpenSSL_version(OPENSSL_VERSION);
786	if (!versionString)
787	return QString();
788
789	return QString::fromLatin1(str: versionString);
790	}
791
792	/*!
793	\internal
794
795	Declared static in QSslSocketPrivate, makes sure the SSL libraries have
796	been initialized.
797	*/
798	void QSslSocketPrivate::ensureInitialized()
799	{
800	if (!supportsSsl())
801	return;
802
803	ensureCiphersAndCertsLoaded();
804	}
805
806	/*!
807	\internal
808
809	Returns the version number of the SSL library in use at compile
810	time.
811	*/
812	long QSslSocketPrivate::sslLibraryBuildVersionNumber()
813	{
814	return OPENSSL_VERSION_NUMBER;
815	}
816
817	/*!
818	\internal
819
820	Returns the version string of the SSL library in use at compile
821	time.
822	*/
823	QString QSslSocketPrivate::sslLibraryBuildVersionString()
824	{
825	// Using QStringLiteral to store the version string as unicode and
826	// avoid false positives from Google searching the playstore for old
827	// SSL versions. See QTBUG-46265
828	return QStringLiteral(OPENSSL_VERSION_TEXT);
829	}
830
831	/*!
832	\internal
833
834	Declared static in QSslSocketPrivate, backend-dependent loading of
835	application-wide global ciphers.
836	*/
837	void QSslSocketPrivate::resetDefaultCiphers()
838	{
839	SSL_CTX *myCtx = q_SSL_CTX_new(a: q_TLS_client_method());
840	// Note, we assert, not just silently return/bail out early:
841	// this should never happen and problems with OpenSSL's initialization
842	// must be caught before this (see supportsSsl()).
843	Q_ASSERT(myCtx);
844	SSL *mySsl = q_SSL_new(a: myCtx);
845	Q_ASSERT(mySsl);
846
847	QList<QSslCipher> ciphers;
848	QList<QSslCipher> defaultCiphers;
849
850	q_loadCiphersForConnection(connection: mySsl, ciphers, defaultCiphers);
851
852	q_SSL_CTX_free(a: myCtx);
853	q_SSL_free(a: mySsl);
854
855	setDefaultSupportedCiphers(ciphers);
856	setDefaultCiphers(defaultCiphers);
857
858	#if QT_CONFIG(dtls)
859	ciphers.clear();
860	defaultCiphers.clear();
861	myCtx = q_SSL_CTX_new(a: q_DTLS_client_method());
862	if (myCtx) {
863	mySsl = q_SSL_new(a: myCtx);
864	if (mySsl) {
865	q_loadCiphersForConnection(connection: mySsl, ciphers, defaultCiphers);
866	q_setDefaultDtlsCiphers(ciphers: defaultCiphers);
867	q_SSL_free(a: mySsl);
868	}
869	q_SSL_CTX_free(a: myCtx);
870	}
871	#endif // dtls
872	}
873
874	void QSslSocketPrivate::resetDefaultEllipticCurves()
875	{
876	QVector<QSslEllipticCurve> curves;
877
878	#ifndef OPENSSL_NO_EC
879	const size_t curveCount = q_EC_get_builtin_curves(r: nullptr, nitems: 0);
880
881	QVarLengthArray<EC_builtin_curve> builtinCurves(static_cast<int>(curveCount));
882
883	if (q_EC_get_builtin_curves(r: builtinCurves.data(), nitems: curveCount) == curveCount) {
884	curves.reserve(asize: int(curveCount));
885	for (size_t i = 0; i < curveCount; ++i) {
886	QSslEllipticCurve curve;
887	curve.id = builtinCurves[int(i)].nid;
888	curves.append(t: curve);
889	}
890	}
891	#endif // OPENSSL_NO_EC
892
893	// set the list of supported ECs, but not the list
894	// of *default* ECs. OpenSSL doesn't like forcing an EC for the wrong
895	// ciphersuite, so don't try it -- leave the empty list to mean
896	// "the implementation will choose the most suitable one".
897	setDefaultSupportedEllipticCurves(curves);
898	}
899
900	#ifndef Q_OS_DARWIN // Apple implementation in qsslsocket_mac_shared.cpp
901	QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
902	{
903	ensureInitialized();
904	#ifdef QSSLSOCKET_DEBUG
905	QElapsedTimer timer;
906	timer.start();
907	#endif
908	QList<QSslCertificate> systemCerts;
909	#if defined(Q_OS_WIN)
910	HCERTSTORE hSystemStore;
911	hSystemStore = CertOpenSystemStoreW(0, L"ROOT");
912	if (hSystemStore) {
913	PCCERT_CONTEXT pc = nullptr;
914	while (1) {
915	pc = CertFindCertificateInStore(hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, pc);
916	if (!pc)
917	break;
918	QByteArray der(reinterpret_cast<const char *>(pc->pbCertEncoded),
919	static_cast<int>(pc->cbCertEncoded));
920	QSslCertificate cert(der, QSsl::Der);
921	systemCerts.append(cert);
922	}
923	CertCloseStore(hSystemStore, 0);
924	}
925	#elif defined(Q_OS_UNIX)
926	QSet<QString> certFiles;
927	QDir currentDir;
928	QStringList nameFilters;
929	QList<QByteArray> directories;
930	QSsl::EncodingFormat platformEncodingFormat;
931	# ifndef Q_OS_ANDROID
932	directories = unixRootCertDirectories();
933	nameFilters << QLatin1String("*.pem") << QLatin1String("*.crt");
934	platformEncodingFormat = QSsl::Pem;
935	# else
936	// Q_OS_ANDROID
937	QByteArray ministroPath = qgetenv("MINISTRO_SSL_CERTS_PATH"); // Set by Ministro
938	directories << ministroPath;
939	nameFilters << QLatin1String("*.der");
940	platformEncodingFormat = QSsl::Der;
941	# ifndef Q_OS_ANDROID_EMBEDDED
942	if (ministroPath.isEmpty()) {
943	QList<QByteArray> certificateData = fetchSslCertificateData();
944	for (int i = 0; i < certificateData.size(); ++i) {
945	systemCerts.append(QSslCertificate::fromData(certificateData.at(i), QSsl::Der));
946	}
947	} else
948	# endif //Q_OS_ANDROID_EMBEDDED
949	# endif //Q_OS_ANDROID
950	{
951	currentDir.setNameFilters(nameFilters);
952	for (int a = 0; a < directories.count(); a++) {
953	currentDir.setPath(QLatin1String(directories.at(i: a)));
954	QDirIterator it(currentDir);
955	while (it.hasNext()) {
956	it.next();
957	// use canonical path here to not load the same certificate twice if symlinked
958	certFiles.insert(value: it.fileInfo().canonicalFilePath());
959	}
960	}
961	for (const QString& file : qAsConst(t&: certFiles))
962	systemCerts.append(t: QSslCertificate::fromPath(path: file, format: platformEncodingFormat));
963	# ifndef Q_OS_ANDROID
964	systemCerts.append(t: QSslCertificate::fromPath(path: QLatin1String("/etc/pki/tls/certs/ca-bundle.crt"), format: QSsl::Pem)); // Fedora, Mandriva
965	systemCerts.append(t: QSslCertificate::fromPath(path: QLatin1String("/usr/local/share/certs/ca-root-nss.crt"), format: QSsl::Pem)); // FreeBSD's ca_root_nss
966	# endif
967	}
968	#endif
969	#ifdef QSSLSOCKET_DEBUG
970	qCDebug(lcSsl) << "systemCaCertificates retrieval time " << timer.elapsed() << "ms";
971	qCDebug(lcSsl) << "imported " << systemCerts.count() << " certificates";
972	#endif
973
974	return systemCerts;
975	}
976	#endif // Q_OS_DARWIN
977
978	void QSslSocketBackendPrivate::startClientEncryption()
979	{
980	if (!initSslContext()) {
981	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
982	errorString: QSslSocket::tr(s: "Unable to init SSL Context: %1").arg(a: getErrorsFromOpenSsl()));
983	return;
984	}
985
986	// Start connecting. This will place outgoing data in the BIO, so we
987	// follow up with calling transmit().
988	startHandshake();
989	transmit();
990	}
991
992	void QSslSocketBackendPrivate::startServerEncryption()
993	{
994	if (!initSslContext()) {
995	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
996	errorString: QSslSocket::tr(s: "Unable to init SSL Context: %1").arg(a: getErrorsFromOpenSsl()));
997	return;
998	}
999
1000	// Start connecting. This will place outgoing data in the BIO, so we
1001	// follow up with calling transmit().
1002	startHandshake();
1003	transmit();
1004	}
1005
1006	/*!
1007	\internal
1008
1009	Transmits encrypted data between the BIOs and the socket.
1010	*/
1011	void QSslSocketBackendPrivate::transmit()
1012	{
1013	Q_Q(QSslSocket);
1014
1015	using ScopedBool = QScopedValueRollback<bool>;
1016
1017	if (inSetAndEmitError)
1018	return;
1019
1020	// If we don't have any SSL context, don't bother transmitting.
1021	if (!ssl)
1022	return;
1023
1024	bool transmitting;
1025	do {
1026	transmitting = false;
1027
1028	// If the connection is secure, we can transfer data from the write
1029	// buffer (in plain text) to the write BIO through SSL_write.
1030	if (connectionEncrypted && !writeBuffer.isEmpty()) {
1031	qint64 totalBytesWritten = 0;
1032	int nextDataBlockSize;
1033	while ((nextDataBlockSize = writeBuffer.nextDataBlockSize()) > 0) {
1034	int writtenBytes = q_SSL_write(a: ssl, b: writeBuffer.readPointer(), c: nextDataBlockSize);
1035	if (writtenBytes <= 0) {
1036	int error = q_SSL_get_error(a: ssl, b: writtenBytes);
1037	//write can result in a want_write_error - not an error - continue transmitting
1038	if (error == SSL_ERROR_WANT_WRITE) {
1039	transmitting = true;
1040	break;
1041	} else if (error == SSL_ERROR_WANT_READ) {
1042	//write can result in a want_read error, possibly due to renegotiation - not an error - stop transmitting
1043	transmitting = false;
1044	break;
1045	} else {
1046	// ### Better error handling.
1047	const ScopedBool bg(inSetAndEmitError, true);
1048	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
1049	errorString: QSslSocket::tr(s: "Unable to write data: %1").arg(
1050	a: getErrorsFromOpenSsl()));
1051	return;
1052	}
1053	}
1054	#ifdef QSSLSOCKET_DEBUG
1055	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: encrypted" << writtenBytes << "bytes";
1056	#endif
1057	writeBuffer.free(bytes: writtenBytes);
1058	totalBytesWritten += writtenBytes;
1059
1060	if (writtenBytes < nextDataBlockSize) {
1061	// break out of the writing loop and try again after we had read
1062	transmitting = true;
1063	break;
1064	}
1065	}
1066
1067	if (totalBytesWritten > 0) {
1068	// Don't emit bytesWritten() recursively.
1069	if (!emittedBytesWritten) {
1070	emittedBytesWritten = true;
1071	emit q->bytesWritten(bytes: totalBytesWritten);
1072	emittedBytesWritten = false;
1073	}
1074	emit q->channelBytesWritten(channel: 0, bytes: totalBytesWritten);
1075	}
1076	}
1077
1078	// Check if we've got any data to be written to the socket.
1079	QVarLengthArray<char, 4096> data;
1080	int pendingBytes;
1081	while (plainSocket->isValid() && (pendingBytes = q_BIO_pending(writeBio)) > 0
1082	&& plainSocket->openMode() != QIODevice::NotOpen) {
1083	// Read encrypted data from the write BIO into a buffer.
1084	data.resize(asize: pendingBytes);
1085	int encryptedBytesRead = q_BIO_read(a: writeBio, b: data.data(), c: pendingBytes);
1086
1087	// Write encrypted data from the buffer to the socket.
1088	qint64 actualWritten = plainSocket->write(data: data.constData(), len: encryptedBytesRead);
1089	#ifdef QSSLSOCKET_DEBUG
1090	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: wrote" << encryptedBytesRead << "encrypted bytes to the socket" << actualWritten << "actual.";
1091	#endif
1092	if (actualWritten < 0) {
1093	//plain socket write fails if it was in the pending close state.
1094	const ScopedBool bg(inSetAndEmitError, true);
1095	setErrorAndEmit(errorCode: plainSocket->error(), errorString: plainSocket->errorString());
1096	return;
1097	}
1098	transmitting = true;
1099	}
1100
1101	// Check if we've got any data to be read from the socket.
1102	if (!connectionEncrypted || !readBufferMaxSize || buffer.size() < readBufferMaxSize)
1103	while ((pendingBytes = plainSocket->bytesAvailable()) > 0) {
1104	// Read encrypted data from the socket into a buffer.
1105	data.resize(asize: pendingBytes);
1106	// just peek() here because q_BIO_write could write less data than expected
1107	int encryptedBytesRead = plainSocket->peek(data: data.data(), maxlen: pendingBytes);
1108
1109	#ifdef QSSLSOCKET_DEBUG
1110	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: read" << encryptedBytesRead << "encrypted bytes from the socket";
1111	#endif
1112	// Write encrypted data from the buffer into the read BIO.
1113	int writtenToBio = q_BIO_write(a: readBio, b: data.constData(), c: encryptedBytesRead);
1114
1115	// Throw away the results.
1116	if (writtenToBio > 0) {
1117	plainSocket->skip(maxSize: writtenToBio);
1118	} else {
1119	// ### Better error handling.
1120	const ScopedBool bg(inSetAndEmitError, true);
1121	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
1122	errorString: QSslSocket::tr(s: "Unable to decrypt data: %1").arg(
1123	a: getErrorsFromOpenSsl()));
1124	return;
1125	}
1126
1127	transmitting = true;
1128	}
1129
1130	// If the connection isn't secured yet, this is the time to retry the
1131	// connect / accept.
1132	if (!connectionEncrypted) {
1133	#ifdef QSSLSOCKET_DEBUG
1134	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: testing encryption";
1135	#endif
1136	if (startHandshake()) {
1137	#ifdef QSSLSOCKET_DEBUG
1138	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: encryption established";
1139	#endif
1140	connectionEncrypted = true;
1141	transmitting = true;
1142	} else if (plainSocket->state() != QAbstractSocket::ConnectedState) {
1143	#ifdef QSSLSOCKET_DEBUG
1144	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: connection lost";
1145	#endif
1146	break;
1147	} else if (paused) {
1148	// just wait until the user continues
1149	return;
1150	} else {
1151	#ifdef QSSLSOCKET_DEBUG
1152	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: encryption not done yet";
1153	#endif
1154	}
1155	}
1156
1157	// If the request is small and the remote host closes the transmission
1158	// after sending, there's a chance that startHandshake() will already
1159	// have triggered a shutdown.
1160	if (!ssl)
1161	continue;
1162
1163	// We always read everything from the SSL decryption buffers, even if
1164	// we have a readBufferMaxSize. There's no point in leaving data there
1165	// just so that readBuffer.size() == readBufferMaxSize.
1166	int readBytes = 0;
1167	const int bytesToRead = 4096;
1168	do {
1169	if (readChannelCount == 0) {
1170	// The read buffer is deallocated, don't try resize or write to it.
1171	break;
1172	}
1173	// Don't use SSL_pending(). It's very unreliable.
1174	inSslRead = true;
1175	readBytes = q_SSL_read(a: ssl, b: buffer.reserve(bytes: bytesToRead), c: bytesToRead);
1176	inSslRead = false;
1177	if (renegotiated) {
1178	renegotiated = false;
1179	X509 *x509 = q_SSL_get_peer_certificate(a: ssl);
1180	const auto peerCertificate =
1181	QSslCertificatePrivate::QSslCertificate_from_X509(x509);
1182	// Fail the renegotiate if the certificate has changed, else: continue.
1183	if (peerCertificate != q->peerCertificate()) {
1184	const ScopedBool bg(inSetAndEmitError, true);
1185	setErrorAndEmit(
1186	errorCode: QAbstractSocket::RemoteHostClosedError,
1187	errorString: QSslSocket::tr(
1188	s: "TLS certificate unexpectedly changed during renegotiation!"));
1189	q->abort();
1190	return;
1191	}
1192	}
1193	if (readBytes > 0) {
1194	#ifdef QSSLSOCKET_DEBUG
1195	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes";
1196	#endif
1197	buffer.chop(bytes: bytesToRead - readBytes);
1198
1199	if (readyReadEmittedPointer)
1200	*readyReadEmittedPointer = true;
1201	emit q->readyRead();
1202	emit q->channelReadyRead(channel: 0);
1203	transmitting = true;
1204	continue;
1205	}
1206	buffer.chop(bytes: bytesToRead);
1207
1208	// Error.
1209	switch (q_SSL_get_error(a: ssl, b: readBytes)) {
1210	case SSL_ERROR_WANT_READ:
1211	case SSL_ERROR_WANT_WRITE:
1212	// Out of data.
1213	break;
1214	case SSL_ERROR_ZERO_RETURN:
1215	// The remote host closed the connection.
1216	#ifdef QSSLSOCKET_DEBUG
1217	qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: remote disconnect";
1218	#endif
1219	shutdown = true; // the other side shut down, make sure we do not send shutdown ourselves
1220	{
1221	const ScopedBool bg(inSetAndEmitError, true);
1222	setErrorAndEmit(errorCode: QAbstractSocket::RemoteHostClosedError,
1223	errorString: QSslSocket::tr(s: "The TLS/SSL connection has been closed"));
1224	}
1225	return;
1226	case SSL_ERROR_SYSCALL: // some IO error
1227	case SSL_ERROR_SSL: // error in the SSL library
1228	// we do not know exactly what the error is, nor whether we can recover from it,
1229	// so just return to prevent an endless loop in the outer "while" statement
1230	systemOrSslErrorDetected = true;
1231	{
1232	const ScopedBool bg(inSetAndEmitError, true);
1233	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
1234	errorString: QSslSocket::tr(s: "Error while reading: %1").arg(a: getErrorsFromOpenSsl()));
1235	}
1236	return;
1237	default:
1238	// SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT: can only happen with a
1239	// BIO_s_connect() or BIO_s_accept(), which we do not call.
1240	// SSL_ERROR_WANT_X509_LOOKUP: can only happen with a
1241	// SSL_CTX_set_client_cert_cb(), which we do not call.
1242	// So this default case should never be triggered.
1243	{
1244	const ScopedBool bg(inSetAndEmitError, true);
1245	setErrorAndEmit(errorCode: QAbstractSocket::SslInternalError,
1246	errorString: QSslSocket::tr(s: "Error while reading: %1").arg(a: getErrorsFromOpenSsl()));
1247	}
1248	break;
1249	}
1250	} while (ssl && readBytes > 0);
1251	} while (ssl && transmitting);
1252	}
1253
1254	QSslError _q_OpenSSL_to_QSslError(int errorCode, const QSslCertificate &cert)
1255	{
1256	QSslError error;
1257	switch (errorCode) {
1258	case X509_V_OK:
1259	// X509_V_OK is also reported if the peer had no certificate.
1260	break;
1261	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
1262	error = QSslError(QSslError::UnableToGetIssuerCertificate, cert); break;
1263	case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
1264	error = QSslError(QSslError::UnableToDecryptCertificateSignature, cert); break;
1265	case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
1266	error = QSslError(QSslError::UnableToDecodeIssuerPublicKey, cert); break;
1267	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
1268	error = QSslError(QSslError::CertificateSignatureFailed, cert); break;
1269	case X509_V_ERR_CERT_NOT_YET_VALID:
1270	error = QSslError(QSslError::CertificateNotYetValid, cert); break;
1271	case X509_V_ERR_CERT_HAS_EXPIRED:
1272	error = QSslError(QSslError::CertificateExpired, cert); break;
1273	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
1274	error = QSslError(QSslError::InvalidNotBeforeField, cert); break;
1275	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
1276	error = QSslError(QSslError::InvalidNotAfterField, cert); break;
1277	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1278	error = QSslError(QSslError::SelfSignedCertificate, cert); break;
1279	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
1280	error = QSslError(QSslError::SelfSignedCertificateInChain, cert); break;
1281	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
1282	error = QSslError(QSslError::UnableToGetLocalIssuerCertificate, cert); break;
1283	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
1284	error = QSslError(QSslError::UnableToVerifyFirstCertificate, cert); break;
1285	case X509_V_ERR_CERT_REVOKED:
1286	error = QSslError(QSslError::CertificateRevoked, cert); break;
1287	case X509_V_ERR_INVALID_CA:
1288	error = QSslError(QSslError::InvalidCaCertificate, cert); break;
1289	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
1290	error = QSslError(QSslError::PathLengthExceeded, cert); break;
1291	case X509_V_ERR_INVALID_PURPOSE:
1292	error = QSslError(QSslError::InvalidPurpose, cert); break;
1293	case X509_V_ERR_CERT_UNTRUSTED:
1294	error = QSslError(QSslError::CertificateUntrusted, cert); break;
1295	case X509_V_ERR_CERT_REJECTED:
1296	error = QSslError(QSslError::CertificateRejected, cert); break;
1297	default:
1298	error = QSslError(QSslError::UnspecifiedError, cert); break;
1299	}
1300	return error;
1301	}
1302
1303	QString QSslSocketBackendPrivate::msgErrorsDuringHandshake()
1304	{
1305	return QSslSocket::tr(s: "Error during SSL handshake: %1")
1306	.arg(a: QSslSocketBackendPrivate::getErrorsFromOpenSsl());
1307	}
1308
1309	bool QSslSocketBackendPrivate::startHandshake()
1310	{
1311	Q_Q(QSslSocket);
1312
1313	// Check if the connection has been established. Get all errors from the
1314	// verification stage.
1315
1316	using ScopedBool = QScopedValueRollback<bool>;
1317
1318	if (inSetAndEmitError)
1319	return false;
1320
1321	QVector<QSslErrorEntry> lastErrors;
1322	q_SSL_set_ex_data(ssl, idx: s_indexForSSLExtraData + 1, arg: &lastErrors);
1323	int result = (mode == QSslSocket::SslClientMode) ? q_SSL_connect(a: ssl) : q_SSL_accept(a: ssl);
1324	q_SSL_set_ex_data(ssl, idx: s_indexForSSLExtraData + 1, arg: nullptr);
1325
1326	if (!lastErrors.isEmpty())
1327	storePeerCertificates();
1328	for (const auto &currentError : qAsConst(t&: lastErrors)) {
1329	emit q->peerVerifyError(error: _q_OpenSSL_to_QSslError(errorCode: currentError.code,
1330	cert: configuration.peerCertificateChain.value(i: currentError.depth)));
1331	if (q->state() != QAbstractSocket::ConnectedState)
1332	break;
1333	}
1334
1335	errorList << lastErrors;
1336
1337	// Connection aborted during handshake phase.
1338	if (q->state() != QAbstractSocket::ConnectedState)
1339	return false;
1340
1341	// Check if we're encrypted or not.
1342	if (result <= 0) {
1343	switch (q_SSL_get_error(a: ssl, b: result)) {
1344	case SSL_ERROR_WANT_READ:
1345	case SSL_ERROR_WANT_WRITE:
1346	// The handshake is not yet complete.
1347	break;
1348	default:
1349	QString errorString = QSslSocketBackendPrivate::msgErrorsDuringHandshake();
1350	#ifdef QSSLSOCKET_DEBUG
1351	qCDebug(lcSsl) << "QSslSocketBackendPrivate::startHandshake: error!" << errorString;
1352	#endif
1353	{
1354	const ScopedBool bg(inSetAndEmitError, true);
1355	setErrorAndEmit(errorCode: QAbstractSocket::SslHandshakeFailedError, errorString);
1356	}
1357	q->abort();
1358	}
1359	return false;
1360	}
1361
1362	// store peer certificate chain
1363	storePeerCertificates();
1364
1365	// Start translating errors.
1366	QList<QSslError> errors;
1367
1368	// check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer)
1369	for (const QSslCertificate &cert : qAsConst(t&: configuration.peerCertificateChain)) {
1370	if (QSslCertificatePrivate::isBlacklisted(certificate: cert)) {
1371	QSslError error(QSslError::CertificateBlacklisted, cert);
1372	errors << error;
1373	emit q->peerVerifyError(error);
1374	if (q->state() != QAbstractSocket::ConnectedState)
1375	return false;
1376	}
1377	}
1378
1379	const bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer
1380	|| (configuration.peerVerifyMode == QSslSocket::AutoVerifyPeer
1381	&& mode == QSslSocket::SslClientMode);
1382
1383	#if QT_CONFIG(ocsp)
1384	// For now it's always QSslSocket::SslClientMode - initSslContext() will bail out early,
1385	// if it's enabled in QSslSocket::SslServerMode. This can change.
1386	if (!configuration.peerCertificate.isNull() && configuration.ocspStaplingEnabled && doVerifyPeer) {
1387	if (!checkOcspStatus()) {
1388	if (ocspErrors.isEmpty()) {
1389	{
1390	const ScopedBool bg(inSetAndEmitError, true);
1391	setErrorAndEmit(errorCode: QAbstractSocket::SslHandshakeFailedError, errorString: ocspErrorDescription);
1392	}
1393	q->abort();
1394	return false;
1395	}
1396
1397	for (const QSslError &error : ocspErrors) {
1398	errors << error;
1399	emit q->peerVerifyError(error);
1400	if (q->state() != QAbstractSocket::ConnectedState)
1401	return false;
1402	}
1403	}
1404	}
1405	#endif // ocsp
1406
1407	// Check the peer certificate itself. First try the subject's common name
1408	// (CN) as a wildcard, then try all alternate subject name DNS entries the
1409	// same way.
1410	if (!configuration.peerCertificate.isNull()) {
1411	// but only if we're a client connecting to a server
1412	// if we're the server, don't check CN
1413	if (mode == QSslSocket::SslClientMode) {
1414	QString peerName = (verificationPeerName.isEmpty () ? q->peerName() : verificationPeerName);
1415
1416	if (!isMatchingHostname(cert: configuration.peerCertificate, peerName)) {
1417	// No matches in common names or alternate names.
1418	QSslError error(QSslError::HostNameMismatch, configuration.peerCertificate);
1419	errors << error;
1420	emit q->peerVerifyError(error);
1421	if (q->state() != QAbstractSocket::ConnectedState)
1422	return false;
1423	}
1424	}
1425	} else {
1426	// No peer certificate presented. Report as error if the socket
1427	// expected one.
1428	if (doVerifyPeer) {
1429	QSslError error(QSslError::NoPeerCertificate);
1430	errors << error;
1431	emit q->peerVerifyError(error);
1432	if (q->state() != QAbstractSocket::ConnectedState)
1433	return false;
1434	}
1435	}
1436
1437	// Translate errors from the error list into QSslErrors.
1438	errors.reserve(alloc: errors.size() + errorList.size());
1439	for (const auto &error : qAsConst(t&: errorList))
1440	errors << _q_OpenSSL_to_QSslError(errorCode: error.code, cert: configuration.peerCertificateChain.value(i: error.depth));
1441
1442	if (!errors.isEmpty()) {
1443	sslErrors = errors;
1444
1445	#ifdef Q_OS_WIN
1446	const bool fetchEnabled = s_loadRootCertsOnDemand
1447	&& allowRootCertOnDemandLoading;
1448	// !fetchEnabled is a special case scenario, when we potentially have a missing
1449	// intermediate certificate and a recoverable chain, but on demand cert loading
1450	// was disabled by setCaCertificates call. For this scenario we check if "Authority
1451	// Information Access" is present - wincrypt can deal with such certificates.
1452	QSslCertificate certToFetch;
1453	if (doVerifyPeer && !verifyErrorsHaveBeenIgnored())
1454	certToFetch = findCertificateToFetch(sslErrors, !fetchEnabled);
1455
1456	//Skip this if not using system CAs, or if the SSL errors are configured in advance to be ignorable
1457	if (!certToFetch.isNull()) {
1458	fetchAuthorityInformation = !fetchEnabled;
1459	//Windows desktop versions starting from vista ship with minimal set of roots and download on demand
1460	//from the windows update server CA roots that are trusted by MS. It also can fetch a missing intermediate
1461	//in case "Authority Information Access" extension is present.
1462	//
1463	//However, this is only transparent if using WinINET - we have to trigger it
1464	//ourselves.
1465	fetchCaRootForCert(certToFetch);
1466	return false;
1467	}
1468	#endif
1469	if (!checkSslErrors())
1470	return false;
1471	// A slot, attached to sslErrors signal can call
1472	// abort/close/disconnetFromHost/etc; no need to
1473	// continue handshake then.
1474	if (q->state() != QAbstractSocket::ConnectedState)
1475	return false;
1476	} else {
1477	sslErrors.clear();
1478	}
1479
1480	continueHandshake();
1481	return true;
1482	}
1483
1484	void QSslSocketBackendPrivate::storePeerCertificates()
1485	{
1486	// Store the peer certificate and chain. For clients, the peer certificate
1487	// chain includes the peer certificate; for servers, it doesn't. Both the
1488	// peer certificate and the chain may be empty if the peer didn't present
1489	// any certificate.
1490	X509 *x509 = q_SSL_get_peer_certificate(a: ssl);
1491	configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
1492	q_X509_free(a: x509);
1493	if (configuration.peerCertificateChain.isEmpty()) {
1494	configuration.peerCertificateChain = STACKOFX509_to_QSslCertificates(x509: q_SSL_get_peer_cert_chain(a: ssl));
1495	if (!configuration.peerCertificate.isNull() && mode == QSslSocket::SslServerMode)
1496	configuration.peerCertificateChain.prepend(t: configuration.peerCertificate);
1497	}
1498	}
1499
1500	int QSslSocketBackendPrivate::handleNewSessionTicket(SSL *connection)
1501	{
1502	// If we return 1, this means we own the session, but we don't.
1503	// 0 would tell OpenSSL to deref (but they still have it in the
1504	// internal cache).
1505	Q_Q(QSslSocket);
1506
1507	Q_ASSERT(connection);
1508
1509	if (q->sslConfiguration().testSslOption(option: QSsl::SslOptionDisableSessionPersistence)) {
1510	// We silently ignore, do nothing, remove from cache.
1511	return 0;
1512	}
1513
1514	SSL_SESSION *currentSession = q_SSL_get_session(ssl: connection);
1515	if (!currentSession) {
1516	qCWarning(lcSsl,
1517	"New session ticket callback, the session is invalid (nullptr)");
1518	return 0;
1519	}
1520
1521	if (q_SSL_version(a: connection) < 0x304) {
1522	// We only rely on this mechanics with TLS >= 1.3
1523	return 0;
1524	}
1525
1526	#ifdef TLS1_3_VERSION
1527	if (!q_SSL_SESSION_is_resumable(s: currentSession)) {
1528	qCDebug(lcSsl, "New session ticket, but the session is non-resumable");
1529	return 0;
1530	}
1531	#endif // TLS1_3_VERSION
1532
1533	const int sessionSize = q_i2d_SSL_SESSION(in: currentSession, pp: nullptr);
1534	if (sessionSize <= 0) {
1535	qCWarning(lcSsl, "could not store persistent version of SSL session");
1536	return 0;
1537	}
1538
1539	// We have somewhat perverse naming, it's not a ticket, it's a session.
1540	QByteArray sessionTicket(sessionSize, 0);
1541	auto data = reinterpret_cast<unsigned char *>(sessionTicket.data());
1542	if (!q_i2d_SSL_SESSION(in: currentSession, pp: &data)) {
1543	qCWarning(lcSsl, "could not store persistent version of SSL session");
1544	return 0;
1545	}
1546
1547	configuration.sslSession = sessionTicket;
1548	configuration.sslSessionTicketLifeTimeHint = int(q_SSL_SESSION_get_ticket_lifetime_hint(session: currentSession));
1549
1550	emit q->newSessionTicketReceived();
1551	return 0;
1552	}
1553
1554	bool QSslSocketBackendPrivate::checkSslErrors()
1555	{
1556	Q_Q(QSslSocket);
1557	if (sslErrors.isEmpty())
1558	return true;
1559
1560	emit q->sslErrors(errors: sslErrors);
1561
1562	bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer
1563	|| (configuration.peerVerifyMode == QSslSocket::AutoVerifyPeer
1564	&& mode == QSslSocket::SslClientMode);
1565	bool doEmitSslError = !verifyErrorsHaveBeenIgnored();
1566	// check whether we need to emit an SSL handshake error
1567	if (doVerifyPeer && doEmitSslError) {
1568	if (q->pauseMode() & QAbstractSocket::PauseOnSslErrors) {
1569	pauseSocketNotifiers(q);
1570	paused = true;
1571	} else {
1572	setErrorAndEmit(errorCode: QAbstractSocket::SslHandshakeFailedError, errorString: sslErrors.constFirst().errorString());
1573	plainSocket->disconnectFromHost();
1574	}
1575	return false;
1576	}
1577	return true;
1578	}
1579
1580	unsigned int QSslSocketBackendPrivate::tlsPskClientCallback(const char *hint,
1581	char *identity, unsigned int max_identity_len,
1582	unsigned char *psk, unsigned int max_psk_len)
1583	{
1584	QSslPreSharedKeyAuthenticator authenticator;
1585
1586	// Fill in some read-only fields (for the user)
1587	if (hint)
1588	authenticator.d->identityHint = QByteArray::fromRawData(hint, size: int(::strlen(s: hint))); // it's NUL terminated, but do not include the NUL
1589
1590	authenticator.d->maximumIdentityLength = int(max_identity_len) - 1; // needs to be NUL terminated
1591	authenticator.d->maximumPreSharedKeyLength = int(max_psk_len);
1592
1593	// Let the client provide the remaining bits...
1594	Q_Q(QSslSocket);
1595	emit q->preSharedKeyAuthenticationRequired(authenticator: &authenticator);
1596
1597	// No PSK set? Return now to make the handshake fail
1598	if (authenticator.preSharedKey().isEmpty())
1599	return 0;
1600
1601	// Copy data back into OpenSSL
1602	const int identityLength = qMin(a: authenticator.identity().length(), b: authenticator.maximumIdentityLength());
1603	::memcpy(dest: identity, src: authenticator.identity().constData(), n: identityLength);
1604	identity[identityLength] = 0;
1605
1606	const int pskLength = qMin(a: authenticator.preSharedKey().length(), b: authenticator.maximumPreSharedKeyLength());
1607	::memcpy(dest: psk, src: authenticator.preSharedKey().constData(), n: pskLength);
1608	return pskLength;
1609	}
1610
1611	unsigned int QSslSocketBackendPrivate::tlsPskServerCallback(const char *identity,
1612	unsigned char *psk, unsigned int max_psk_len)
1613	{
1614	QSslPreSharedKeyAuthenticator authenticator;
1615
1616	// Fill in some read-only fields (for the user)
1617	authenticator.d->identityHint = configuration.preSharedKeyIdentityHint;
1618	authenticator.d->identity = identity;
1619	authenticator.d->maximumIdentityLength = 0; // user cannot set an identity
1620	authenticator.d->maximumPreSharedKeyLength = int(max_psk_len);
1621
1622	// Let the client provide the remaining bits...
1623	Q_Q(QSslSocket);
1624	emit q->preSharedKeyAuthenticationRequired(authenticator: &authenticator);
1625
1626	// No PSK set? Return now to make the handshake fail
1627	if (authenticator.preSharedKey().isEmpty())
1628	return 0;
1629
1630	// Copy data back into OpenSSL
1631	const int pskLength = qMin(a: authenticator.preSharedKey().length(), b: authenticator.maximumPreSharedKeyLength());
1632	::memcpy(dest: psk, src: authenticator.preSharedKey().constData(), n: pskLength);
1633	return pskLength;
1634	}
1635
1636	bool QSslSocketBackendPrivate::isInSslRead() const
1637	{
1638	return inSslRead;
1639	}
1640
1641	void QSslSocketBackendPrivate::setRenegotiated(bool renegotiated)
1642	{
1643	this->renegotiated = renegotiated;
1644	}
1645
1646	#ifdef Q_OS_WIN
1647
1648	void QSslSocketBackendPrivate::fetchCaRootForCert(const QSslCertificate &cert)
1649	{
1650	Q_Q(QSslSocket);
1651	//The root certificate is downloaded from windows update, which blocks for 15 seconds in the worst case
1652	//so the request is done in a worker thread.
1653	QList<QSslCertificate> customRoots;
1654	if (fetchAuthorityInformation)
1655	customRoots = configuration.caCertificates;
1656
1657	QWindowsCaRootFetcher *fetcher = new QWindowsCaRootFetcher(cert, mode, customRoots, q->peerVerifyName());
1658	QObject::connect(fetcher, SIGNAL(finished(QSslCertificate,QSslCertificate)), q, SLOT(_q_caRootLoaded(QSslCertificate,QSslCertificate)), Qt::QueuedConnection);
1659	QMetaObject::invokeMethod(fetcher, "start", Qt::QueuedConnection);
1660	pauseSocketNotifiers(q);
1661	paused = true;
1662	}
1663
1664	//This is the callback from QWindowsCaRootFetcher, trustedRoot will be invalid (default constructed) if it failed.
1665	void QSslSocketBackendPrivate::_q_caRootLoaded(QSslCertificate cert, QSslCertificate trustedRoot)
1666	{
1667	if (fetchAuthorityInformation) {
1668	if (!configuration.caCertificates.contains(trustedRoot))
1669	trustedRoot = QSslCertificate{};
1670	fetchAuthorityInformation = false;
1671	}
1672
1673	if (!trustedRoot.isNull() && !trustedRoot.isBlacklisted()) {
1674	if (s_loadRootCertsOnDemand) {
1675	//Add the new root cert to default cert list for use by future sockets
1676	QSslSocket::addDefaultCaCertificate(trustedRoot);
1677	}
1678	//Add the new root cert to this socket for future connections
1679	if (!configuration.caCertificates.contains(trustedRoot))
1680	configuration.caCertificates += trustedRoot;
1681	//Remove the broken chain ssl errors (as chain is verified by windows)
1682	for (int i=sslErrors.count() - 1; i >= 0; --i) {
1683	if (sslErrors.at(i).certificate() == cert) {
1684	switch (sslErrors.at(i).error()) {
1685	case QSslError::UnableToGetLocalIssuerCertificate:
1686	case QSslError::CertificateUntrusted:
1687	case QSslError::UnableToVerifyFirstCertificate:
1688	case QSslError::SelfSignedCertificateInChain:
1689	// error can be ignored if OS says the chain is trusted
1690	sslErrors.removeAt(i);
1691	break;
1692	default:
1693	// error cannot be ignored
1694	break;
1695	}
1696	}
1697	}
1698	}
1699
1700	// Continue with remaining errors
1701	if (plainSocket)
1702	plainSocket->resume();
1703	paused = false;
1704	if (checkSslErrors() && ssl) {
1705	bool willClose = (autoStartHandshake && pendingClose);
1706	continueHandshake();
1707	if (!willClose)
1708	transmit();
1709	}
1710	}
1711
1712	#endif
1713
1714	#if QT_CONFIG(ocsp)
1715
1716	bool QSslSocketBackendPrivate::checkOcspStatus()
1717	{
1718	Q_ASSERT(ssl);
1719	Q_ASSERT(mode == QSslSocket::SslClientMode); // See initSslContext() for SslServerMode
1720	Q_ASSERT(configuration.peerVerifyMode != QSslSocket::VerifyNone);
1721
1722	const auto clearErrorQueue = qScopeGuard(f: [] {
1723	logAndClearErrorQueue();
1724	});
1725
1726	ocspResponses.clear();
1727	ocspErrorDescription.clear();
1728	ocspErrors.clear();
1729
1730	const unsigned char *responseData = nullptr;
1731	const long responseLength = q_SSL_get_tlsext_status_ocsp_resp(ssl, &responseData);
1732	if (responseLength <= 0 || !responseData) {
1733	ocspErrors.push_back(t: QSslError::OcspNoResponseFound);
1734	return false;
1735	}
1736
1737	OCSP_RESPONSE *response = q_d2i_OCSP_RESPONSE(a: nullptr, in: &responseData, len: responseLength);
1738	if (!response) {
1739	// Treat this as a fatal SslHandshakeError.
1740	ocspErrorDescription = QSslSocket::tr(s: "Failed to decode OCSP response");
1741	return false;
1742	}
1743	const QSharedPointer<OCSP_RESPONSE> responseGuard(response, q_OCSP_RESPONSE_free);
1744
1745	const int ocspStatus = q_OCSP_response_status(resp: response);
1746	if (ocspStatus != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1747	// It's not a definitive response, it's an error message (not signed by the responder).
1748	ocspErrors.push_back(t: qt_OCSP_response_status_to_QSslError(code: ocspStatus));
1749	return false;
1750	}
1751
1752	OCSP_BASICRESP *basicResponse = q_OCSP_response_get1_basic(resp: response);
1753	if (!basicResponse) {
1754	// SslHandshakeError.
1755	ocspErrorDescription = QSslSocket::tr(s: "Failed to extract basic OCSP response");
1756	return false;
1757	}
1758	const QSharedPointer<OCSP_BASICRESP> basicResponseGuard(basicResponse, q_OCSP_BASICRESP_free);
1759
1760	SSL_CTX *ctx = q_SSL_get_SSL_CTX(a: ssl); // Does not increment refcount.
1761	Q_ASSERT(ctx);
1762	X509_STORE *store = q_SSL_CTX_get_cert_store(a: ctx); // Does not increment refcount.
1763	if (!store) {
1764	// SslHandshakeError.
1765	ocspErrorDescription = QSslSocket::tr(s: "No certificate verification store, cannot verify OCSP response");
1766	return false;
1767	}
1768
1769	STACK_OF(X509) *peerChain = q_SSL_get_peer_cert_chain(a: ssl); // Does not increment refcount.
1770	X509 *peerX509 = q_SSL_get_peer_certificate(a: ssl);
1771	Q_ASSERT(peerChain || peerX509);
1772	const QSharedPointer<X509> peerX509Guard(peerX509, q_X509_free);
1773	// OCSP_basic_verify with 0 as verificationFlags:
1774	//
1775	// 0) Tries to find the OCSP responder's certificate in either peerChain
1776	// or basicResponse->certs. If not found, verification fails.
1777	// 1) It checks the signature using the responder's public key.
1778	// 2) Then it tries to validate the responder's cert (building a chain
1779	// etc.)
1780	// 3) It checks CertID in response.
1781	// 4) Ensures the responder is authorized to sign the status respond.
1782	//
1783	// Note, OpenSSL prior to 1.0.2b would only use bs->certs to
1784	// verify the responder's chain (see their commit 4ba9a4265bd).
1785	// Working this around - is too much fuss for ancient versions we
1786	// are dropping quite soon anyway.
1787	const unsigned long verificationFlags = 0;
1788	const int success = q_OCSP_basic_verify(bs: basicResponse, certs: peerChain, st: store, flags: verificationFlags);
1789	if (success <= 0)
1790	ocspErrors.push_back(t: QSslError::OcspResponseCannotBeTrusted);
1791
1792	if (q_OCSP_resp_count(bs: basicResponse) != 1) {
1793	ocspErrors.push_back(t: QSslError::OcspMalformedResponse);
1794	return false;
1795	}
1796
1797	OCSP_SINGLERESP *singleResponse = q_OCSP_resp_get0(bs: basicResponse, idx: 0);
1798	if (!singleResponse) {
1799	ocspErrors.clear();
1800	// A fatal problem -> SslHandshakeError.
1801	ocspErrorDescription = QSslSocket::tr(s: "Failed to decode a SingleResponse from OCSP status response");
1802	return false;
1803	}
1804
1805	// Let's make sure the response is for the correct certificate - we
1806	// can re-create this CertID using our peer's certificate and its
1807	// issuer's public key.
1808	ocspResponses.push_back(t: QOcspResponse());
1809	QOcspResponsePrivate *dResponse = ocspResponses.back().d.data();
1810	dResponse->subjectCert = configuration.peerCertificate;
1811	bool matchFound = false;
1812	if (configuration.peerCertificate.isSelfSigned()) {
1813	dResponse->signerCert = configuration.peerCertificate;
1814	matchFound = qt_OCSP_certificate_match(singleResponse, peerCert: peerX509, issuer: peerX509);
1815	} else {
1816	const STACK_OF(X509) *certs = q_SSL_get_peer_cert_chain(a: ssl);
1817	if (!certs) // Oh, what a cataclysm! Last try:
1818	certs = q_OCSP_resp_get0_certs(bs: basicResponse);
1819	if (certs) {
1820	// It could be the first certificate in 'certs' is our peer's
1821	// certificate. Since it was not captured by the 'self-signed' branch
1822	// above, the CertID will not match and we'll just iterate on to the
1823	// next certificate. So we start from 0, not 1.
1824	for (int i = 0, e = q_sk_X509_num(certs); i < e; ++i) {
1825	X509 *issuer = q_sk_X509_value(certs, i);
1826	matchFound = qt_OCSP_certificate_match(singleResponse, peerCert: peerX509, issuer);
1827	if (matchFound) {
1828	if (q_X509_check_issued(a: issuer, b: peerX509) == X509_V_OK) {
1829	dResponse->signerCert = QSslCertificatePrivate::QSslCertificate_from_X509(x509: issuer);
1830	break;
1831	}
1832	matchFound = false;
1833	}
1834	}
1835	}
1836	}
1837
1838	if (!matchFound) {
1839	dResponse->signerCert.clear();
1840	ocspErrors.push_back(t: {QSslError::OcspResponseCertIdUnknown, configuration.peerCertificate});
1841	}
1842
1843	// Check if the response is valid time-wise:
1844	ASN1_GENERALIZEDTIME *revTime = nullptr;
1845	ASN1_GENERALIZEDTIME *thisUpdate = nullptr;
1846	ASN1_GENERALIZEDTIME *nextUpdate = nullptr;
1847	int reason;
1848	const int certStatus = q_OCSP_single_get0_status(single: singleResponse, reason: &reason, revtime: &revTime, thisupd: &thisUpdate, nextupd: &nextUpdate);
1849	if (!thisUpdate) {
1850	// This is unexpected, treat as SslHandshakeError, OCSP_check_validity assumes this pointer
1851	// to be != nullptr.
1852	ocspErrors.clear();
1853	ocspResponses.clear();
1854	ocspErrorDescription = QSslSocket::tr(s: "Failed to extract 'this update time' from the SingleResponse");
1855	return false;
1856	}
1857
1858	// OCSP_check_validity(this, next, nsec, maxsec) does this check:
1859	// this <= now <= next. They allow some freedom to account
1860	// for delays/time inaccuracy.
1861	// this > now + nsec ? -> NOT_YET_VALID
1862	// if maxsec >= 0:
1863	// now - maxsec > this ? -> TOO_OLD
1864	// now - nsec > next ? -> EXPIRED
1865	// next < this ? -> NEXT_BEFORE_THIS
1866	// OK.
1867	if (!q_OCSP_check_validity(thisupd: thisUpdate, nextupd: nextUpdate, nsec: 60, maxsec: -1))
1868	ocspErrors.push_back(t: {QSslError::OcspResponseExpired, configuration.peerCertificate});
1869
1870	// And finally, the status:
1871	switch (certStatus) {
1872	case V_OCSP_CERTSTATUS_GOOD:
1873	// This certificate was not found among the revoked ones.
1874	dResponse->certificateStatus = QOcspCertificateStatus::Good;
1875	break;
1876	case V_OCSP_CERTSTATUS_REVOKED:
1877	dResponse->certificateStatus = QOcspCertificateStatus::Revoked;
1878	dResponse->revocationReason = qt_OCSP_revocation_reason(reason);
1879	ocspErrors.push_back(t: {QSslError::CertificateRevoked, configuration.peerCertificate});
1880	break;
1881	case V_OCSP_CERTSTATUS_UNKNOWN:
1882	dResponse->certificateStatus = QOcspCertificateStatus::Unknown;
1883	ocspErrors.push_back(t: {QSslError::OcspStatusUnknown, configuration.peerCertificate});
1884	}
1885
1886	return !ocspErrors.size();
1887	}
1888
1889	#endif // ocsp
1890
1891	void QSslSocketBackendPrivate::disconnectFromHost()
1892	{
1893	if (ssl) {
1894	if (!shutdown && !q_SSL_in_init(s: ssl) && !systemOrSslErrorDetected) {
1895	if (q_SSL_shutdown(a: ssl) != 1) {
1896	// Some error may be queued, clear it.
1897	const auto errors = getErrorsFromOpenSsl();
1898	Q_UNUSED(errors);
1899	}
1900	shutdown = true;
1901	transmit();
1902	}
1903	}
1904	plainSocket->disconnectFromHost();
1905	}
1906
1907	void QSslSocketBackendPrivate::disconnected()
1908	{
1909	if (plainSocket->bytesAvailable() <= 0)
1910	destroySslContext();
1911	else {
1912	// Move all bytes into the plain buffer
1913	qint64 tmpReadBufferMaxSize = readBufferMaxSize;
1914	readBufferMaxSize = 0; // reset temporarily so the plain socket buffer is completely drained
1915	transmit();
1916	readBufferMaxSize = tmpReadBufferMaxSize;
1917	}
1918	//if there is still buffered data in the plain socket, don't destroy the ssl context yet.
1919	//it will be destroyed when the socket is deleted.
1920	}
1921
1922	QSslCipher QSslSocketBackendPrivate::sessionCipher() const
1923	{
1924	if (!ssl)
1925	return QSslCipher();
1926
1927	const SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(a: ssl);
1928	return sessionCipher ? QSslCipher_from_SSL_CIPHER(cipher: sessionCipher) : QSslCipher();
1929	}
1930
1931	QSsl::SslProtocol QSslSocketBackendPrivate::sessionProtocol() const
1932	{
1933	if (!ssl)
1934	return QSsl::UnknownProtocol;
1935	int ver = q_SSL_version(a: ssl);
1936
1937	switch (ver) {
1938	case 0x2:
1939	return QSsl::SslV2;
1940	case 0x300:
1941	return QSsl::SslV3;
1942	case 0x301:
1943	return QSsl::TlsV1_0;
1944	case 0x302:
1945	return QSsl::TlsV1_1;
1946	case 0x303:
1947	return QSsl::TlsV1_2;
1948	case 0x304:
1949	return QSsl::TlsV1_3;
1950	}
1951
1952	return QSsl::UnknownProtocol;
1953	}
1954
1955
1956	void QSslSocketBackendPrivate::continueHandshake()
1957	{
1958	Q_Q(QSslSocket);
1959	// if we have a max read buffer size, reset the plain socket's to match
1960	if (readBufferMaxSize)
1961	plainSocket->setReadBufferSize(readBufferMaxSize);
1962
1963	if (q_SSL_session_reused(a: ssl))
1964	configuration.peerSessionShared = true;
1965
1966	#ifdef QT_DECRYPT_SSL_TRAFFIC
1967	if (q_SSL_get_session(ssl)) {
1968	size_t master_key_len = q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), 0, 0);
1969	size_t client_random_len = q_SSL_get_client_random(ssl, 0, 0);
1970	QByteArray masterKey(int(master_key_len), 0); // Will not overflow
1971	QByteArray clientRandom(int(client_random_len), 0); // Will not overflow
1972
1973	q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl),
1974	reinterpret_cast<unsigned char*>(masterKey.data()),
1975	masterKey.size());
1976	q_SSL_get_client_random(ssl, reinterpret_cast<unsigned char *>(clientRandom.data()),
1977	clientRandom.size());
1978
1979	QByteArray debugLineClientRandom("CLIENT_RANDOM ");
1980	debugLineClientRandom.append(clientRandom.toHex().toUpper());
1981	debugLineClientRandom.append(" ");
1982	debugLineClientRandom.append(masterKey.toHex().toUpper());
1983	debugLineClientRandom.append("\n");
1984
1985	QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys");
1986	QFile file(sslKeyFile);
1987	if (!file.open(QIODevice::Append))
1988	qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending";
1989	if (!file.write(debugLineClientRandom))
1990	qCWarning(lcSsl) << "could not write to file" << sslKeyFile;
1991	file.close();
1992	} else {
1993	qCWarning(lcSsl, "could not decrypt SSL traffic");
1994	}
1995	#endif
1996
1997	// Cache this SSL session inside the QSslContext
1998	if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) {
1999	if (!sslContextPointer->cacheSession(ssl)) {
2000	sslContextPointer.clear(); // we could not cache the session
2001	} else {
2002	// Cache the session for permanent usage as well
2003	if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) {
2004	if (!sslContextPointer->sessionASN1().isEmpty())
2005	configuration.sslSession = sslContextPointer->sessionASN1();
2006	configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint();
2007	}
2008	}
2009	}
2010
2011	#if !defined(OPENSSL_NO_NEXTPROTONEG)
2012
2013	configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status;
2014	if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) {
2015	// we could not agree -> be conservative and use HTTP/1.1
2016	configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1");
2017	} else {
2018	const unsigned char *proto = nullptr;
2019	unsigned int proto_len = 0;
2020
2021	q_SSL_get0_alpn_selected(ssl, data: &proto, len: &proto_len);
2022	if (proto_len && mode == QSslSocket::SslClientMode) {
2023	// Client does not have a callback that sets it ...
2024	configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated;
2025	}
2026
2027	if (!proto_len) { // Test if NPN was more lucky ...
2028	q_SSL_get0_next_proto_negotiated(s: ssl, data: &proto, len: &proto_len);
2029	}
2030
2031	if (proto_len)
2032	configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast<const char *>(proto), proto_len);
2033	else
2034	configuration.nextNegotiatedProtocol.clear();
2035	}
2036	#endif // !defined(OPENSSL_NO_NEXTPROTONEG)
2037
2038	if (mode == QSslSocket::SslClientMode) {
2039	EVP_PKEY *key;
2040	if (q_SSL_get_server_tmp_key(ssl, &key))
2041	configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey);
2042	}
2043
2044	connectionEncrypted = true;
2045	emit q->encrypted();
2046	if (autoStartHandshake && pendingClose) {
2047	pendingClose = false;
2048	q->disconnectFromHost();
2049	}
2050	}
2051
2052	bool QSslSocketPrivate::ensureLibraryLoaded()
2053	{
2054	if (!q_resolveOpenSslSymbols())
2055	return false;
2056
2057	const QMutexLocker locker(qt_opensslInitMutex);
2058
2059	if (!s_libraryLoaded) {
2060	// Initialize OpenSSL.
2061	if (q_OPENSSL_init_ssl(opts: 0, settings: nullptr) != 1)
2062	return false;
2063
2064	if (q_OpenSSL_version_num() < 0x10101000L) {
2065	qCWarning(lcSsl, "QSslSocket: OpenSSL >= 1.1.1 is required; %s was found instead", q_OpenSSL_version(OPENSSL_VERSION));
2066	return false;
2067	}
2068
2069	q_SSL_load_error_strings();
2070	q_OpenSSL_add_all_algorithms();
2071
2072	QSslSocketBackendPrivate::s_indexForSSLExtraData
2073	= q_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl: 0L, argp: nullptr, new_func: nullptr,
2074	dup_func: nullptr, free_func: nullptr);
2075
2076	// Initialize OpenSSL's random seed.
2077	if (!q_RAND_status()) {
2078	qWarning(msg: "Random number generator not seeded, disabling SSL support");
2079	return false;
2080	}
2081
2082	s_libraryLoaded = true;
2083	}
2084	return true;
2085	}
2086
2087	void QSslSocketPrivate::ensureCiphersAndCertsLoaded()
2088	{
2089	const QMutexLocker locker(qt_opensslInitMutex);
2090
2091	if (s_loadedCiphersAndCerts)
2092	return;
2093	s_loadedCiphersAndCerts = true;
2094
2095	resetDefaultCiphers();
2096	resetDefaultEllipticCurves();
2097
2098	#if QT_CONFIG(library)
2099	//load symbols needed to receive certificates from system store
2100	#if defined(Q_OS_QNX)
2101	s_loadRootCertsOnDemand = true;
2102	#elif defined(Q_OS_UNIX) && !defined(Q_OS_DARWIN)
2103	// check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there)
2104	QList<QByteArray> dirs = unixRootCertDirectories();
2105	QStringList symLinkFilter;
2106	symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]");
2107	for (int a = 0; a < dirs.count(); ++a) {
2108	QDirIterator iterator(QLatin1String(dirs.at(i: a)), symLinkFilter, QDir::Files);
2109	if (iterator.hasNext()) {
2110	s_loadRootCertsOnDemand = true;
2111	break;
2112	}
2113	}
2114	#endif
2115	#endif // QT_CONFIG(library)
2116	// if on-demand loading was not enabled, load the certs now
2117	if (!s_loadRootCertsOnDemand)
2118	setDefaultCaCertificates(systemCaCertificates());
2119	#ifdef Q_OS_WIN
2120	//Enabled for fetching additional root certs from windows update on windows.
2121	//This flag is set false by setDefaultCaCertificates() indicating the app uses
2122	//its own cert bundle rather than the system one.
2123	//Same logic that disables the unix on demand cert loading.
2124	//Unlike unix, we do preload the certificates from the cert store.
2125	s_loadRootCertsOnDemand = true;
2126	#endif
2127	}
2128
2129	QList<QSslCertificate> QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509)
2130	{
2131	ensureInitialized();
2132	QList<QSslCertificate> certificates;
2133	for (int i = 0; i < q_sk_X509_num(x509); ++i) {
2134	if (X509 *entry = q_sk_X509_value(x509, i))
2135	certificates << QSslCertificatePrivate::QSslCertificate_from_X509(x509: entry);
2136	}
2137	return certificates;
2138	}
2139
2140	QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> &certificateChain,
2141	const QString &hostName)
2142	{
2143	auto roots = QSslConfiguration::defaultConfiguration().caCertificates();
2144	#ifndef Q_OS_WIN
2145	// On Windows, system CA certificates are already set as default ones.
2146	// No need to add them again (and again) and also, if the default configuration
2147	// has its own set of CAs, this probably should not be amended by the ones
2148	// from the 'ROOT' store, since it's not what an application chose to trust.
2149	if (s_loadRootCertsOnDemand)
2150	roots.append(t: systemCaCertificates());
2151	#endif // Q_OS_WIN
2152	return verify(cas: roots, certificateChain, hostName);
2153	}
2154
2155	QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> &caCertificates,
2156	const QList<QSslCertificate> &certificateChain,
2157	const QString &hostName)
2158	{
2159	if (certificateChain.count() <= 0)
2160	return {QSslError(QSslError::UnspecifiedError)};
2161
2162	QList<QSslError> errors;
2163	// Setup the store with the default CA certificates
2164	X509_STORE *certStore = q_X509_STORE_new();
2165	if (!certStore) {
2166	qCWarning(lcSsl) << "Unable to create certificate store";
2167	errors << QSslError(QSslError::UnspecifiedError);
2168	return errors;
2169	}
2170	const std::unique_ptr<X509_STORE, decltype(&q_X509_STORE_free)> storeGuard(certStore, q_X509_STORE_free);
2171
2172	const QDateTime now = QDateTime::currentDateTimeUtc();
2173	for (const QSslCertificate &caCertificate : caCertificates) {
2174	// From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:
2175	//
2176	// If several CA certificates matching the name, key identifier, and
2177	// serial number condition are available, only the first one will be
2178	// examined. This may lead to unexpected results if the same CA
2179	// certificate is available with different expiration dates. If a
2180	// ``certificate expired'' verification error occurs, no other
2181	// certificate will be searched. Make sure to not have expired
2182	// certificates mixed with valid ones.
2183	//
2184	// See also: QSslContext::fromConfiguration()
2185	if (caCertificate.expiryDate() >= now) {
2186	q_X509_STORE_add_cert(ctx: certStore, x: reinterpret_cast<X509 *>(caCertificate.handle()));
2187	}
2188	}
2189
2190	QVector<QSslErrorEntry> lastErrors;
2191	if (!q_X509_STORE_set_ex_data(ctx: certStore, idx: 0, data: &lastErrors)) {
2192	qCWarning(lcSsl) << "Unable to attach external data (error list) to a store";
2193	errors << QSslError(QSslError::UnspecifiedError);
2194	return errors;
2195	}
2196
2197	// Register a custom callback to get all verification errors.
2198	q_X509_STORE_set_verify_cb(ctx: certStore, verify_cb: q_X509Callback);
2199
2200	// Build the chain of intermediate certificates
2201	STACK_OF(X509) *intermediates = nullptr;
2202	if (certificateChain.length() > 1) {
2203	intermediates = (STACK_OF(X509) *) q_OPENSSL_sk_new_null();
2204
2205	if (!intermediates) {
2206	errors << QSslError(QSslError::UnspecifiedError);
2207	return errors;
2208	}
2209
2210	bool first = true;
2211	for (const QSslCertificate &cert : certificateChain) {
2212	if (first) {
2213	first = false;
2214	continue;
2215	}
2216
2217	q_OPENSSL_sk_push(st: (OPENSSL_STACK *)intermediates, data: reinterpret_cast<X509 *>(cert.handle()));
2218	}
2219	}
2220
2221	X509_STORE_CTX *storeContext = q_X509_STORE_CTX_new();
2222	if (!storeContext) {
2223	errors << QSslError(QSslError::UnspecifiedError);
2224	return errors;
2225	}
2226	std::unique_ptr<X509_STORE_CTX, decltype(&q_X509_STORE_CTX_free)> ctxGuard(storeContext, q_X509_STORE_CTX_free);
2227
2228	if (!q_X509_STORE_CTX_init(ctx: storeContext, store: certStore, x509: reinterpret_cast<X509 *>(certificateChain[0].handle()), chain: intermediates)) {
2229	errors << QSslError(QSslError::UnspecifiedError);
2230	return errors;
2231	}
2232
2233	// Now we can actually perform the verification of the chain we have built.
2234	// We ignore the result of this function since we process errors via the
2235	// callback.
2236	(void) q_X509_verify_cert(ctx: storeContext);
2237	ctxGuard.reset();
2238	q_OPENSSL_sk_free(a: (OPENSSL_STACK *)intermediates);
2239
2240	// Now process the errors
2241
2242	if (QSslCertificatePrivate::isBlacklisted(certificate: certificateChain[0])) {
2243	QSslError error(QSslError::CertificateBlacklisted, certificateChain[0]);
2244	errors << error;
2245	}
2246
2247	// Check the certificate name against the hostname if one was specified
2248	if ((!hostName.isEmpty()) && (!isMatchingHostname(cert: certificateChain[0], peerName: hostName))) {
2249	// No matches in common names or alternate names.
2250	QSslError error(QSslError::HostNameMismatch, certificateChain[0]);
2251	errors << error;
2252	}
2253
2254	// Translate errors from the error list into QSslErrors.
2255	errors.reserve(alloc: errors.size() + lastErrors.size());
2256	for (const auto &error : qAsConst(t&: lastErrors))
2257	errors << _q_OpenSSL_to_QSslError(errorCode: error.code, cert: certificateChain.value(i: error.depth));
2258
2259	return errors;
2260	}
2261
2262	bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device,
2263	QSslKey *key, QSslCertificate *cert,
2264	QList<QSslCertificate> *caCertificates,
2265	const QByteArray &passPhrase)
2266	{
2267	if (!supportsSsl())
2268	return false;
2269
2270	// These are required
2271	Q_ASSERT(device);
2272	Q_ASSERT(key);
2273	Q_ASSERT(cert);
2274
2275	// Read the file into a BIO
2276	QByteArray pkcs12data = device->readAll();
2277	if (pkcs12data.size() == 0)
2278	return false;
2279
2280	BIO *bio = q_BIO_new_mem_buf(a: const_cast<char *>(pkcs12data.constData()), b: pkcs12data.size());
2281
2282	// Create the PKCS#12 object
2283	PKCS12 *p12 = q_d2i_PKCS12_bio(bio, pkcs12: nullptr);
2284	if (!p12) {
2285	qCWarning(lcSsl, "Unable to read PKCS#12 structure, %s",
2286	q_ERR_error_string(q_ERR_get_error(), nullptr));
2287	q_BIO_free(a: bio);
2288	return false;
2289	}
2290
2291	// Extract the data
2292	EVP_PKEY *pkey = nullptr;
2293	X509 *x509;
2294	STACK_OF(X509) *ca = nullptr;
2295
2296	if (!q_PKCS12_parse(p12, pass: passPhrase.constData(), pkey: &pkey, cert: &x509, ca: &ca)) {
2297	qCWarning(lcSsl, "Unable to parse PKCS#12 structure, %s",
2298	q_ERR_error_string(q_ERR_get_error(), nullptr));
2299	q_PKCS12_free(pkcs12: p12);
2300	q_BIO_free(a: bio);
2301	return false;
2302	}
2303
2304	// Convert to Qt types
2305	if (!key->d->fromEVP_PKEY(pkey)) {
2306	qCWarning(lcSsl, "Unable to convert private key");
2307	q_OPENSSL_sk_pop_free(a: reinterpret_cast<OPENSSL_STACK *>(ca),
2308	b: reinterpret_cast<void (*)(void *)>(q_X509_free));
2309	q_X509_free(a: x509);
2310	q_EVP_PKEY_free(a: pkey);
2311	q_PKCS12_free(pkcs12: p12);
2312	q_BIO_free(a: bio);
2313
2314	return false;
2315	}
2316
2317	*cert = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
2318
2319	if (caCertificates)
2320	*caCertificates = QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(x509: ca);
2321
2322	// Clean up
2323	q_OPENSSL_sk_pop_free(a: reinterpret_cast<OPENSSL_STACK *>(ca),
2324	b: reinterpret_cast<void (*)(void *)>(q_X509_free));
2325
2326	q_X509_free(a: x509);
2327	q_EVP_PKEY_free(a: pkey);
2328	q_PKCS12_free(pkcs12: p12);
2329	q_BIO_free(a: bio);
2330
2331	return true;
2332	}
2333
2334
2335	QT_END_NAMESPACE
2336