qtbase/src/plugins/tls/openssl/qtls_openssl.cpp

// Copyright (C) 2021 The Qt Company Ltd.
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only

#include "qsslsocket_openssl_symbols_p.h"
#include "qx509_openssl_p.h"
#include "qtls_openssl_p.h"

#ifdef Q_OS_WIN
#include "qwindowscarootfetcher_p.h"
#endif

#include <QtNetwork/private/qsslpresharedkeyauthenticator_p.h>
#include <QtNetwork/private/qsslcertificate_p.h>
#include <QtNetwork/private/qocspresponse_p.h>
#include <QtNetwork/private/qsslsocket_p.h>

#include <QtNetwork/qsslpresharedkeyauthenticator.h>

#include <QtCore/qscopedvaluerollback.h>
#include <QtCore/qscopeguard.h>

#include <algorithm>
#include <cstring>

QT_BEGIN_NAMESPACE

using namespace Qt::StringLiterals;

namespace  {

QSsl::AlertLevel tlsAlertLevel(int value)
{
    using QSsl::AlertLevel;

    if (const char *typeString = q_SSL_alert_type_string(value)) {
        // Documented to return 'W' for warning, 'F' for fatal,
        // 'U' for unknown.
        switch (typeString[0]) {
        case 'W':
            return AlertLevel::Warning;
        case 'F':
            return AlertLevel::Fatal;
        default:;
        }
    }

    return AlertLevel::Unknown;
}

QString tlsAlertDescription(int value)
{
    QString description = QLatin1StringView(q_SSL_alert_desc_string_long(value));
    if (!description.size())
        description = "no description provided"_L1;
    return description;
}

QSsl::AlertType tlsAlertType(int value)
{
    // In case for some reason openssl gives us a value,
    // which is not in our enum actually, we leave it to
    // an application to handle (supposedly they have
    // if or switch-statements).
    return QSsl::AlertType(value & 0xff);
}

#ifdef Q_OS_WIN

QSslCertificate findCertificateToFetch(const QList<QSslError> &tlsErrors, bool checkAIA)
{
    QSslCertificate certToFetch;

    for (const auto &tlsError : tlsErrors) {
        switch (tlsError.error()) {
        case QSslError::UnableToGetLocalIssuerCertificate: // site presented intermediate cert, but root is unknown
        case QSslError::SelfSignedCertificateInChain: // site presented a complete chain, but root is unknown
            certToFetch = tlsError.certificate();
            break;
        case QSslError::SelfSignedCertificate:
        case QSslError::CertificateBlacklisted:
            //With these errors, we know it will be untrusted so save time by not asking windows
            return QSslCertificate{};
        default:
#ifdef QSSLSOCKET_DEBUG
            qCDebug(lcTlsBackend) << tlsError.errorString();
#endif
            //TODO - this part is strange.
            break;
        }
    }

    if (checkAIA) {
        const auto extensions = certToFetch.extensions();
        for (const auto &ext : extensions) {
            if (ext.oid() == QStringLiteral("1.3.6.1.5.5.7.1.1")) // See RFC 4325
                return certToFetch;
        }
        //The only reason we check this extensions is because an application set trusted
        //CA certificates explicitly, thus technically disabling CA fetch. So, if it's
        //the case and an intermediate certificate is missing, and no extensions is
        //present on the leaf certificate - we fail the handshake immediately.
        return QSslCertificate{};
    }

    return certToFetch;
}

#endif // Q_OS_WIN

} // unnamed namespace

namespace QTlsPrivate {

extern "C" {

int q_X509Callback(int ok, X509_STORE_CTX *ctx)
{
    if (!ok) {
        // Store the error and at which depth the error was detected.

        using ErrorListPtr = QList<QSslErrorEntry> *;
        ErrorListPtr errors = nullptr;

        // Error list is attached to either 'SSL' or 'X509_STORE'.
        if (X509_STORE *store = q_X509_STORE_CTX_get0_store(ctx)) // We try store first:
            errors = ErrorListPtr(q_X509_STORE_get_ex_data(store, 0));

        if (!errors) {
            // Not found on store? Try SSL and its external data then. According to the OpenSSL's
            // documentation:
            //
            // "Whenever a X509_STORE_CTX object is created for the verification of the
            // peer's certificate during a handshake, a pointer to the SSL object is
            // stored into the X509_STORE_CTX object to identify the connection affected.
            // To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can be
            // used with the correct index."
            const auto offset = QTlsBackendOpenSSL::s_indexForSSLExtraData
                    + TlsCryptographOpenSSL::errorOffsetInExData;
            if (SSL *ssl = static_cast<SSL *>(q_X509_STORE_CTX_get_ex_data(
                        ctx, q_SSL_get_ex_data_X509_STORE_CTX_idx()))) {

                // We may be in a renegotiation, check if we are inside a call to SSL_read:
                const auto tlsOffset = QTlsBackendOpenSSL::s_indexForSSLExtraData
                        + TlsCryptographOpenSSL::socketOffsetInExData;
                auto tls = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, tlsOffset));
                Q_ASSERT(tls);
                if (tls->isInSslRead()) {
                    // We are in a renegotiation, make a note of this for later.
                    // We'll check that the certificate is the same as the one we got during
                    // the initial handshake
                    tls->setRenegotiated(true);
                    return 1;
                }

                errors = ErrorListPtr(q_SSL_get_ex_data(ssl, offset));
            }
        }

        if (!errors) {
            qCWarning(lcTlsBackend, "Neither X509_STORE, nor SSL contains error list, handshake failure");
            return 0;
        }

        errors->append(X509CertificateOpenSSL::errorEntryFromStoreContext(ctx));
    }
    // Always return OK to allow verification to continue. We handle the
    // errors gracefully after collecting all errors, after verification has
    // completed.
    return 1;
}

int q_X509CallbackDirect(int ok, X509_STORE_CTX *ctx)
{
    // Passed to SSL_CTX_set_verify()
    // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify.html
    // Returns 0 to abort verification, 1 to continue.

    // This is a new, experimental verification callback, reporting
    // errors immediately and returning 0 or 1 depending on an application
    // either ignoring or not ignoring verification errors as they come.
    if (!ctx) {
        qCWarning(lcTlsBackend, "Invalid store context (nullptr)");
        return 0;
    }

    if (!ok) {
        // "Whenever a X509_STORE_CTX object is created for the verification of the
        // peer's certificate during a handshake, a pointer to the SSL object is
        // stored into the X509_STORE_CTX object to identify the connection affected.
        // To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can be
        // used with the correct index."
        SSL *ssl = static_cast<SSL *>(q_X509_STORE_CTX_get_ex_data(ctx, q_SSL_get_ex_data_X509_STORE_CTX_idx()));
        if (!ssl) {
            qCWarning(lcTlsBackend, "No external data (SSL) found in X509 store object");
            return 0;
        }

        const auto offset = QTlsBackendOpenSSL::s_indexForSSLExtraData
                            + TlsCryptographOpenSSL::socketOffsetInExData;
        auto crypto = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, offset));
        if (!crypto) {
            qCWarning(lcTlsBackend, "No external data (TlsCryptographOpenSSL) found in SSL object");
            return 0;
        }

        return crypto->emitErrorFromCallback(ctx);
    }
    return 1;
}

#ifndef OPENSSL_NO_PSK
static unsigned q_ssl_psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned max_identity_len,
                                          unsigned char *psk, unsigned max_psk_len)
{
    auto *tls = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData));
    return tls->pskClientTlsCallback(hint, identity, max_identity_len, psk, max_psk_len);
}

static unsigned int q_ssl_psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
                                              unsigned int max_psk_len)
{
    auto *tls = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData));
    Q_ASSERT(tls);
    return tls->pskServerTlsCallback(identity, psk, max_psk_len);
}

#ifdef TLS1_3_VERSION
static unsigned q_ssl_psk_restore_client(SSL *ssl, const char *hint, char *identity, unsigned max_identity_len,
                                         unsigned char *psk, unsigned max_psk_len)
{
    Q_UNUSED(hint);
    Q_UNUSED(identity);
    Q_UNUSED(max_identity_len);
    Q_UNUSED(psk);
    Q_UNUSED(max_psk_len);

#ifdef QT_DEBUG
    auto tls = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData));
    Q_ASSERT(tls);
    Q_ASSERT(tls->d);
    Q_ASSERT(tls->d->tlsMode() == QSslSocket::SslClientMode);
#endif
    unsigned retVal = 0;

    // Let developers opt-in to having the normal PSK callback get called for TLS 1.3
    // PSK (which works differently in a few ways, and is called at the start of every connection).
    // When they do opt-in we just call the old callback from here.
    if (qEnvironmentVariableIsSet("QT_USE_TLS_1_3_PSK"))
        retVal = q_ssl_psk_client_callback(ssl, hint, identity, max_identity_len, psk, max_psk_len);

    q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback);

    return retVal;
}

static int q_ssl_psk_use_session_callback(SSL *ssl, const EVP_MD *md, const unsigned char **id,
                                          size_t *idlen, SSL_SESSION **sess)
{
    Q_UNUSED(md);
    Q_UNUSED(id);
    Q_UNUSED(idlen);
    Q_UNUSED(sess);

#ifdef QT_DEBUG
    auto *tls = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData));
    Q_ASSERT(tls);
    Q_ASSERT(tls->d);
    Q_ASSERT(tls->d->tlsMode() == QSslSocket::SslClientMode);
#endif

    // Temporarily rebind the psk because it will be called next. The function will restore it.
    q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_restore_client);

    return 1; // need to return 1 or else "the connection setup fails."
}

int q_ssl_sess_set_new_cb(SSL *ssl, SSL_SESSION *session)
{
    if (!ssl) {
        qCWarning(lcTlsBackend, "Invalid SSL (nullptr)");
        return 0;
    }
    if (!session) {
        qCWarning(lcTlsBackend, "Invalid SSL_SESSION (nullptr)");
        return 0;
    }

    auto *tls = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData));
    Q_ASSERT(tls);
    return tls->handleNewSessionTicket(ssl);
}
#endif // TLS1_3_VERSION

#endif // !OPENSSL_NO_PSK

#if QT_CONFIG(ocsp)

int qt_OCSP_status_server_callback(SSL *ssl, void *ocspRequest)
{
    Q_UNUSED(ocspRequest);
    if (!ssl)
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    auto crypto = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData));
    if (!crypto)
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    Q_ASSERT(crypto->d);
    Q_ASSERT(crypto->d->tlsMode() == QSslSocket::SslServerMode);
    const QByteArray &response = crypto->ocspResponseDer;
    Q_ASSERT(response.size());

    unsigned char *derCopy = static_cast<unsigned char *>(q_OPENSSL_malloc(size_t(response.size())));
    if (!derCopy)
        return SSL_TLSEXT_ERR_ALERT_FATAL;

    std::copy(response.data(), response.data() + response.size(), derCopy);
    // We don't check the return value: internally OpenSSL simply assigns the
    // pointer (it assumes it now owns this memory btw!) and the length.
    q_SSL_set_tlsext_status_ocsp_resp(ssl, derCopy, response.size());

    return SSL_TLSEXT_ERR_OK;
}

#endif // ocsp

void qt_AlertInfoCallback(const SSL *connection, int from, int value)
{
    // Passed to SSL_set_info_callback()
    // https://www.openssl.org/docs/man1.1.1/man3/SSL_set_info_callback.html

    if (!connection) {
#ifdef QSSLSOCKET_DEBUG
        qCWarning(lcTlsBackend, "Invalid 'connection' parameter (nullptr)");
#endif // QSSLSOCKET_DEBUG
        return;
    }

    const auto offset = QTlsBackendOpenSSL::s_indexForSSLExtraData
                        + TlsCryptographOpenSSL::socketOffsetInExData;
    auto crypto = static_cast<TlsCryptographOpenSSL *>(q_SSL_get_ex_data(connection, offset));
    if (!crypto) {
        // SSL_set_ex_data can fail:
#ifdef QSSLSOCKET_DEBUG
        qCWarning(lcTlsBackend, "No external data (socket backend) found for parameter 'connection'");
#endif // QSSLSOCKET_DEBUG
        return;
    }

    if (!(from & SSL_CB_ALERT)) {
        // We only want to know about alerts (at least for now).
        return;
    }

    if (from & SSL_CB_WRITE)
        crypto->alertMessageSent(value);
    else
        crypto->alertMessageReceived(value);
}

} // extern "C"

#if QT_CONFIG(ocsp)
namespace {

QSslError::SslError qt_OCSP_response_status_to_SslError(long code)
{
    switch (code) {
    case OCSP_RESPONSE_STATUS_MALFORMEDREQUEST:
        return QSslError::OcspMalformedRequest;
    case OCSP_RESPONSE_STATUS_INTERNALERROR:
        return QSslError::OcspInternalError;
    case OCSP_RESPONSE_STATUS_TRYLATER:
        return QSslError::OcspTryLater;
    case OCSP_RESPONSE_STATUS_SIGREQUIRED:
        return QSslError::OcspSigRequred;
    case OCSP_RESPONSE_STATUS_UNAUTHORIZED:
        return QSslError::OcspUnauthorized;
    case OCSP_RESPONSE_STATUS_SUCCESSFUL:
    default:
        return {};
    }
    Q_UNREACHABLE();
}

QOcspRevocationReason qt_OCSP_revocation_reason(int reason)
{
    switch (reason) {
    case OCSP_REVOKED_STATUS_NOSTATUS:
        return QOcspRevocationReason::None;
    case OCSP_REVOKED_STATUS_UNSPECIFIED:
        return QOcspRevocationReason::Unspecified;
    case OCSP_REVOKED_STATUS_KEYCOMPROMISE:
        return QOcspRevocationReason::KeyCompromise;
    case OCSP_REVOKED_STATUS_CACOMPROMISE:
        return QOcspRevocationReason::CACompromise;
    case OCSP_REVOKED_STATUS_AFFILIATIONCHANGED:
        return QOcspRevocationReason::AffiliationChanged;
    case OCSP_REVOKED_STATUS_SUPERSEDED:
        return QOcspRevocationReason::Superseded;
    case OCSP_REVOKED_STATUS_CESSATIONOFOPERATION:
        return QOcspRevocationReason::CessationOfOperation;
    case OCSP_REVOKED_STATUS_CERTIFICATEHOLD:
        return QOcspRevocationReason::CertificateHold;
    case OCSP_REVOKED_STATUS_REMOVEFROMCRL:
        return QOcspRevocationReason::RemoveFromCRL;
    default:
        return QOcspRevocationReason::None;
    }

    Q_UNREACHABLE();
}

bool qt_OCSP_certificate_match(OCSP_SINGLERESP *singleResponse, X509 *peerCert, X509 *issuer)
{
    // OCSP_basic_verify does verify that the responder is legit, the response is
    // correctly signed, CertID is correct. But it does not know which certificate
    // we were presented with by our peer, so it does not check if it's a response
    // for our peer's certificate.
    Q_ASSERT(singleResponse && peerCert && issuer);

    const OCSP_CERTID *certId = q_OCSP_SINGLERESP_get0_id(singleResponse); // Does not increment refcount.
    if (!certId) {
        qCWarning(lcTlsBackend, "A SingleResponse without CertID");
        return false;
    }

    ASN1_OBJECT *md = nullptr;
    ASN1_INTEGER *reportedSerialNumber = nullptr;
    const int result =  q_OCSP_id_get0_info(nullptr, &md, nullptr, &reportedSerialNumber, const_cast<OCSP_CERTID *>(certId));
    if (result != 1 || !md || !reportedSerialNumber) {
        qCWarning(lcTlsBackend, "Failed to extract a hash and serial number from CertID structure");
        return false;
    }

    if (!q_X509_get_serialNumber(peerCert)) {
        // Is this possible at all? But we have to check this,
        // ASN1_INTEGER_cmp (called from OCSP_id_cmp) dereferences
        // without any checks at all.
        qCWarning(lcTlsBackend, "No serial number in peer's ceritificate");
        return false;
    }

    const int nid = q_OBJ_obj2nid(md);
    if (nid == NID_undef) {
        qCWarning(lcTlsBackend, "Unknown hash algorithm in CertID");
        return false;
    }

    const EVP_MD *digest = q_EVP_get_digestbynid(nid); // Does not increment refcount.
    if (!digest) {
        qCWarning(lcTlsBackend) << "No digest for nid" << nid;
        return false;
    }

    OCSP_CERTID *recreatedId = q_OCSP_cert_to_id(digest, peerCert, issuer);
    if (!recreatedId) {
        qCWarning(lcTlsBackend, "Failed to re-create CertID");
        return false;
    }
    const QSharedPointer<OCSP_CERTID> guard(recreatedId, q_OCSP_CERTID_free);

    if (q_OCSP_id_cmp(const_cast<OCSP_CERTID *>(certId), recreatedId)) {
        qCDebug(lcTlsBackend, "Certificate ID mismatch");
        return false;
    }
    // Bingo!
    return true;
}

} // unnamed namespace
#endif // ocsp

TlsCryptographOpenSSL::~TlsCryptographOpenSSL()
{
    destroySslContext();
}

void TlsCryptographOpenSSL::init(QSslSocket *qObj, QSslSocketPrivate *dObj)
{
    Q_ASSERT(qObj);
    Q_ASSERT(dObj);
    q = qObj;
    d = dObj;

    ocspResponses.clear();
    ocspResponseDer.clear();

    systemOrSslErrorDetected = false;
    handshakeInterrupted = false;

    fetchAuthorityInformation = false;
    caToFetch = QSslCertificate{};
}

void TlsCryptographOpenSSL::checkSettingSslContext(std::shared_ptr<QSslContext> tlsContext)
{
    if (!sslContextPointer)
        sslContextPointer = std::move(tlsContext);
}

std::shared_ptr<QSslContext> TlsCryptographOpenSSL::sslContext() const
{
    return sslContextPointer;
}

QList<QSslError> TlsCryptographOpenSSL::tlsErrors() const
{
    return sslErrors;
}

void TlsCryptographOpenSSL::startClientEncryption()
{
    if (!initSslContext()) {
        Q_ASSERT(d);
        setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                        QSslSocket::tr("Unable to init SSL Context: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
        return;
    }

    // Start connecting. This will place outgoing data in the BIO, so we
    // follow up with calling transmit().
    startHandshake();
    transmit();
}

void TlsCryptographOpenSSL::startServerEncryption()
{
    if (!initSslContext()) {
        Q_ASSERT(d);
        setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                        QSslSocket::tr("Unable to init SSL Context: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
        return;
    }

    // Start connecting. This will place outgoing data in the BIO, so we
    // follow up with calling transmit().
    startHandshake();
    transmit();
}

bool TlsCryptographOpenSSL::startHandshake()
{
    // Check if the connection has been established. Get all errors from the
    // verification stage.
    Q_ASSERT(q);
    Q_ASSERT(d);

    using ScopedBool = QScopedValueRollback<bool>;

    if (inSetAndEmitError)
        return false;

    const auto mode = d->tlsMode();

    pendingFatalAlert = false;
    errorsReportedFromCallback = false;
    QList<QSslErrorEntry> lastErrors;
    q_SSL_set_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData + errorOffsetInExData, &lastErrors);

    // SSL_set_ex_data can fail, but see the callback's code - we handle this there.
    q_SSL_set_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData + socketOffsetInExData, this);
    q_SSL_set_info_callback(ssl, qt_AlertInfoCallback);

    int result = (mode == QSslSocket::SslClientMode) ? q_SSL_connect(ssl) : q_SSL_accept(ssl);
    q_SSL_set_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData + errorOffsetInExData, nullptr);
    // Note, unlike errors as external data on SSL object, we do not unset
    // a callback/ex-data if alert notifications are enabled: an alert can
    // arrive after the handshake, for example, this happens when the server
    // does not find a ClientCert or does not like it.

    if (!lastErrors.isEmpty() || errorsReportedFromCallback)
        storePeerCertificates();

    // storePeerCertificate() if called above - would update the
    // configuration with peer's certificates.
    auto configuration = q->sslConfiguration();
    if (!errorsReportedFromCallback) {
        const auto &peerCertificateChain = configuration.peerCertificateChain();
        for (const auto &currentError : qAsConst(lastErrors)) {
            emit q->peerVerifyError(QTlsPrivate::X509CertificateOpenSSL::openSSLErrorToQSslError(currentError.code,
                                    peerCertificateChain.value(currentError.depth)));
            if (q->state() != QAbstractSocket::ConnectedState)
                break;
        }
    }

    errorList << lastErrors;

    // Connection aborted during handshake phase.
    if (q->state() != QAbstractSocket::ConnectedState)
        return false;

    // Check if we're encrypted or not.
    if (result <= 0) {
        switch (q_SSL_get_error(ssl, result)) {
        case SSL_ERROR_WANT_READ:
        case SSL_ERROR_WANT_WRITE:
            // The handshake is not yet complete.
            break;
        default:
            QString errorString = QTlsBackendOpenSSL::msgErrorsDuringHandshake();
#ifdef QSSLSOCKET_DEBUG
            qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::startHandshake: error!" << errorString;
#endif
            {
                const ScopedBool bg(inSetAndEmitError, true);
                setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, errorString);
                if (pendingFatalAlert) {
                    trySendFatalAlert();
                    pendingFatalAlert = false;
                }
            }
            q->abort();
        }
        return false;
    }

    // store peer certificate chain
    storePeerCertificates();

    // Start translating errors.
    QList<QSslError> errors;

    // Note, the storePeerCerificates() probably updated the configuration at this point.
    configuration = q->sslConfiguration();
    // Check the whole chain for blacklisting (including root, as we check for subjectInfo and issuer)
    const auto &peerCertificateChain = configuration.peerCertificateChain();
    for (const QSslCertificate &cert : peerCertificateChain) {
        if (QSslCertificatePrivate::isBlacklisted(cert)) {
            QSslError error(QSslError::CertificateBlacklisted, cert);
            errors << error;
            emit q->peerVerifyError(error);
            if (q->state() != QAbstractSocket::ConnectedState)
                return false;
        }
    }

    const bool doVerifyPeer = configuration.peerVerifyMode() == QSslSocket::VerifyPeer
                              || (configuration.peerVerifyMode() == QSslSocket::AutoVerifyPeer
                                  && mode == QSslSocket::SslClientMode);

#if QT_CONFIG(ocsp)
    // For now it's always QSslSocket::SslClientMode - initSslContext() will bail out early,
    // if it's enabled in QSslSocket::SslServerMode. This can change.
    if (!configuration.peerCertificate().isNull() && configuration.ocspStaplingEnabled() && doVerifyPeer) {
        if (!checkOcspStatus()) {
            if (ocspErrors.isEmpty()) {
                {
                    const ScopedBool bg(inSetAndEmitError, true);
                    setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, ocspErrorDescription);
                }
                q->abort();
                return false;
            }

            for (const QSslError &error : ocspErrors) {
                errors << error;
                emit q->peerVerifyError(error);
                if (q->state() != QAbstractSocket::ConnectedState)
                    return false;
            }
        }
    }
#endif // ocsp

    // Check the peer certificate itself. First try the subject's common name
    // (CN) as a wildcard, then try all alternate subject name DNS entries the
    // same way.
    if (!configuration.peerCertificate().isNull()) {
        // but only if we're a client connecting to a server
        // if we're the server, don't check CN
        const auto verificationPeerName = d->verificationName();
        if (mode == QSslSocket::SslClientMode) {
            QString peerName = (verificationPeerName.isEmpty () ? q->peerName() : verificationPeerName);

            if (!isMatchingHostname(configuration.peerCertificate(), peerName)) {
                // No matches in common names or alternate names.
                QSslError error(QSslError::HostNameMismatch, configuration.peerCertificate());
                errors << error;
                emit q->peerVerifyError(error);
                if (q->state() != QAbstractSocket::ConnectedState)
                    return false;
            }
        }
    } else {
        // No peer certificate presented. Report as error if the socket
        // expected one.
        if (doVerifyPeer) {
            QSslError error(QSslError::NoPeerCertificate);
            errors << error;
            emit q->peerVerifyError(error);
            if (q->state() != QAbstractSocket::ConnectedState)
                return false;
        }
    }

    // Translate errors from the error list into QSslErrors.
    errors.reserve(errors.size() + errorList.size());
    for (const auto &error : qAsConst(errorList))
        errors << X509CertificateOpenSSL::openSSLErrorToQSslError(error.code, peerCertificateChain.value(error.depth));

    if (!errors.isEmpty()) {
        sslErrors = errors;
#ifdef Q_OS_WIN
        const bool fetchEnabled = QSslSocketPrivate::rootCertOnDemandLoadingSupported()
                                  && d->isRootsOnDemandAllowed();
        // !fetchEnabled is a special case scenario, when we potentially have a missing
        // intermediate certificate and a recoverable chain, but on demand cert loading
        // was disabled by setCaCertificates call. For this scenario we check if "Authority
        // Information Access" is present - wincrypt can deal with such certificates.
        QSslCertificate certToFetch;
        if (doVerifyPeer && !d->verifyErrorsHaveBeenIgnored())
            certToFetch = findCertificateToFetch(sslErrors, !fetchEnabled);

        //Skip this if not using system CAs, or if the SSL errors are configured in advance to be ignorable
        if (!certToFetch.isNull()) {
            fetchAuthorityInformation = !fetchEnabled;
            //Windows desktop versions starting from vista ship with minimal set of roots and download on demand
            //from the windows update server CA roots that are trusted by MS. It also can fetch a missing intermediate
            //in case "Authority Information Access" extension is present.
            //
            //However, this is only transparent if using WinINET - we have to trigger it
            //ourselves.
            fetchCaRootForCert(certToFetch);
            return false;
        }
#endif // Q_OS_WIN
        if (!checkSslErrors())
            return false;
        // A slot, attached to sslErrors signal can call
        // abort/close/disconnetFromHost/etc; no need to
        // continue handshake then.
        if (q->state() != QAbstractSocket::ConnectedState)
            return false;
    } else {
        sslErrors.clear();
    }

    continueHandshake();
    return true;
}

void TlsCryptographOpenSSL::enableHandshakeContinuation()
{
    handshakeInterrupted = false;
}

void TlsCryptographOpenSSL::cancelCAFetch()
{
    fetchAuthorityInformation = false;
    caToFetch = QSslCertificate{};
}

void TlsCryptographOpenSSL::continueHandshake()
{
    Q_ASSERT(q);
    Q_ASSERT(d);

    auto *plainSocket = d->plainTcpSocket();
    Q_ASSERT(plainSocket);

    const auto mode = d->tlsMode();

    // if we have a max read buffer size, reset the plain socket's to match
    if (const auto maxSize = d->maxReadBufferSize())
        plainSocket->setReadBufferSize(maxSize);

    if (q_SSL_session_reused(ssl))
        QTlsBackend::setPeerSessionShared(d, true);

#ifdef QT_DECRYPT_SSL_TRAFFIC
    if (q_SSL_get_session(ssl)) {
        size_t master_key_len = q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), nullptr, 0);
        size_t client_random_len = q_SSL_get_client_random(ssl, nullptr, 0);
        QByteArray masterKey(int(master_key_len), Qt::Uninitialized); // Will not overflow
        QByteArray clientRandom(int(client_random_len), Qt::Uninitialized); // Will not overflow

        q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl),
                                     reinterpret_cast<unsigned char*>(masterKey.data()),
                                     masterKey.size());
        q_SSL_get_client_random(ssl, reinterpret_cast<unsigned char *>(clientRandom.data()),
                                clientRandom.size());

        QByteArray debugLineClientRandom("CLIENT_RANDOM ");
        debugLineClientRandom.append(clientRandom.toHex().toUpper());
        debugLineClientRandom.append(" ");
        debugLineClientRandom.append(masterKey.toHex().toUpper());
        debugLineClientRandom.append("\n");

        QString sslKeyFile = QDir::tempPath() + "/qt-ssl-keys"_L1;
        QFile file(sslKeyFile);
        if (!file.open(QIODevice::Append))
            qCWarning(lcTlsBackend) << "could not open file" << sslKeyFile << "for appending";
        if (!file.write(debugLineClientRandom))
            qCWarning(lcTlsBackend) << "could not write to file" << sslKeyFile;
        file.close();
    } else {
        qCWarning(lcTlsBackend, "could not decrypt SSL traffic");
    }
#endif // QT_DECRYPT_SSL_TRAFFIC

    const auto &configuration = q->sslConfiguration();
    // Cache this SSL session inside the QSslContext
    if (!(configuration.testSslOption(QSsl::SslOptionDisableSessionSharing))) {
        if (!sslContextPointer->cacheSession(ssl)) {
            sslContextPointer.reset(); // we could not cache the session
        } else {
            // Cache the session for permanent usage as well
            if (!(configuration.testSslOption(QSsl::SslOptionDisableSessionPersistence))) {
                if (!sslContextPointer->sessionASN1().isEmpty())
                    QTlsBackend::setSessionAsn1(d, sslContextPointer->sessionASN1());
                QTlsBackend::setSessionLifetimeHint(d, sslContextPointer->sessionTicketLifeTimeHint());
            }
        }
    }

#if !defined(OPENSSL_NO_NEXTPROTONEG)

    QTlsBackend::setAlpnStatus(d, sslContextPointer->npnContext().status);
    if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) {
        // we could not agree -> be conservative and use HTTP/1.1
        // T.P.: I have to admit, this is a really strange notion of 'conservative',
        // given the protocol-neutral nature of ALPN/NPN.
        QTlsBackend::setNegotiatedProtocol(d, QByteArrayLiteral("http/1.1"));
    } else {
        const unsigned char *proto = nullptr;
        unsigned int proto_len = 0;

        q_SSL_get0_alpn_selected(ssl, &proto, &proto_len);
        if (proto_len && mode == QSslSocket::SslClientMode) {
            // Client does not have a callback that sets it ...
            QTlsBackend::setAlpnStatus(d, QSslConfiguration::NextProtocolNegotiationNegotiated);
        }

        if (!proto_len) { // Test if NPN was more lucky ...
            q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len);
        }

        if (proto_len)
            QTlsBackend::setNegotiatedProtocol(d, QByteArray(reinterpret_cast<const char *>(proto), proto_len));
        else
            QTlsBackend::setNegotiatedProtocol(d,{});
    }
#endif // !defined(OPENSSL_NO_NEXTPROTONEG)

    if (mode == QSslSocket::SslClientMode) {
        EVP_PKEY *key;
        if (q_SSL_get_server_tmp_key(ssl, &key))
            QTlsBackend::setEphemeralKey(d, QSslKey(key, QSsl::PublicKey));
    }

    d->setEncrypted(true);
    emit q->encrypted();
    if (d->isAutoStartingHandshake() && d->isPendingClose()) {
        d->setPendingClose(false);
        q->disconnectFromHost();
    }
}

void TlsCryptographOpenSSL::transmit()
{
    Q_ASSERT(q);
    Q_ASSERT(d);

    using ScopedBool = QScopedValueRollback<bool>;

    if (inSetAndEmitError)
        return;

    // If we don't have any SSL context, don't bother transmitting.
    if (!ssl)
        return;

    auto &writeBuffer = d->tlsWriteBuffer();
    auto &buffer = d->tlsBuffer();
    auto *plainSocket = d->plainTcpSocket();
    Q_ASSERT(plainSocket);
    bool &emittedBytesWritten = d->tlsEmittedBytesWritten();

    bool transmitting;
    do {
        transmitting = false;

        // If the connection is secure, we can transfer data from the write
        // buffer (in plain text) to the write BIO through SSL_write.
        if (q->isEncrypted() && !writeBuffer.isEmpty()) {
            qint64 totalBytesWritten = 0;
            int nextDataBlockSize;
            while ((nextDataBlockSize = writeBuffer.nextDataBlockSize()) > 0) {
                int writtenBytes = q_SSL_write(ssl, writeBuffer.readPointer(), nextDataBlockSize);
                if (writtenBytes <= 0) {
                    int error = q_SSL_get_error(ssl, writtenBytes);
                    //write can result in a want_write_error - not an error - continue transmitting
                    if (error == SSL_ERROR_WANT_WRITE) {
                        transmitting = true;
                        break;
                    } else if (error == SSL_ERROR_WANT_READ) {
                        //write can result in a want_read error, possibly due to renegotiation - not an error - stop transmitting
                        transmitting = false;
                        break;
                    } else {
                        // ### Better error handling.
                        const ScopedBool bg(inSetAndEmitError, true);
                        setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                                        QSslSocket::tr("Unable to write data: %1").arg(
                                        QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
                        return;
                    }
                }
#ifdef QSSLSOCKET_DEBUG
                qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: encrypted" << writtenBytes << "bytes";
#endif
                writeBuffer.free(writtenBytes);
                totalBytesWritten += writtenBytes;

                if (writtenBytes < nextDataBlockSize) {
                    // break out of the writing loop and try again after we had read
                    transmitting = true;
                    break;
                }
            }

            if (totalBytesWritten > 0) {
                // Don't emit bytesWritten() recursively.
                if (!emittedBytesWritten) {
                    emittedBytesWritten = true;
                    emit q->bytesWritten(totalBytesWritten);
                    emittedBytesWritten = false;
                }
                emit q->channelBytesWritten(0, totalBytesWritten);
            }
        }

        // Check if we've got any data to be written to the socket.
        QVarLengthArray<char, 4096> data;
        int pendingBytes;
        while (plainSocket->isValid() && (pendingBytes = q_BIO_pending(writeBio)) > 0
                && plainSocket->openMode() != QIODevice::NotOpen) {
            // Read encrypted data from the write BIO into a buffer.
            data.resize(pendingBytes);
            int encryptedBytesRead = q_BIO_read(writeBio, data.data(), pendingBytes);

            // Write encrypted data from the buffer to the socket.
            qint64 actualWritten = plainSocket->write(data.constData(), encryptedBytesRead);
#ifdef QSSLSOCKET_DEBUG
            qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: wrote" << encryptedBytesRead
                                  << "encrypted bytes to the socket" << actualWritten << "actual.";
#endif
            if (actualWritten < 0) {
                //plain socket write fails if it was in the pending close state.
                const ScopedBool bg(inSetAndEmitError, true);
                setErrorAndEmit(d, plainSocket->error(), plainSocket->errorString());
                return;
            }
            transmitting = true;
        }

        // Check if we've got any data to be read from the socket.
        if (!q->isEncrypted() || !d->maxReadBufferSize() || buffer.size() < d->maxReadBufferSize())
            while ((pendingBytes = plainSocket->bytesAvailable()) > 0) {
                // Read encrypted data from the socket into a buffer.
                data.resize(pendingBytes);
                // just peek() here because q_BIO_write could write less data than expected
                int encryptedBytesRead = plainSocket->peek(data.data(), pendingBytes);

#ifdef QSSLSOCKET_DEBUG
                qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: read" << encryptedBytesRead << "encrypted bytes from the socket";
#endif
                // Write encrypted data from the buffer into the read BIO.
                int writtenToBio = q_BIO_write(readBio, data.constData(), encryptedBytesRead);

                // Throw away the results.
                if (writtenToBio > 0) {
                    plainSocket->skip(writtenToBio);
                } else {
                    // ### Better error handling.
                    const ScopedBool bg(inSetAndEmitError, true);
                    setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                                    QSslSocket::tr("Unable to decrypt data: %1")
                                    .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
                    return;
                }

                transmitting = true;
            }

        // If the connection isn't secured yet, this is the time to retry the
        // connect / accept.
        if (!q->isEncrypted()) {
#ifdef QSSLSOCKET_DEBUG
            qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: testing encryption";
#endif
            if (startHandshake()) {
#ifdef QSSLSOCKET_DEBUG
                qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: encryption established";
#endif
                d->setEncrypted(true);
                transmitting = true;
            } else if (plainSocket->state() != QAbstractSocket::ConnectedState) {
#ifdef QSSLSOCKET_DEBUG
                qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: connection lost";
#endif
                break;
            } else if (d->isPaused()) {
                // just wait until the user continues
                return;
            } else {
#ifdef QSSLSOCKET_DEBUG
                qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: encryption not done yet";
#endif
            }
        }

        // If the request is small and the remote host closes the transmission
        // after sending, there's a chance that startHandshake() will already
        // have triggered a shutdown.
        if (!ssl)
            continue;

        // We always read everything from the SSL decryption buffers, even if
        // we have a readBufferMaxSize. There's no point in leaving data there
        // just so that readBuffer.size() == readBufferMaxSize.
        int readBytes = 0;
        const int bytesToRead = 4096;
        do {
            if (q->readChannelCount() == 0) {
                // The read buffer is deallocated, don't try resize or write to it.
                break;
            }
            // Don't use SSL_pending(). It's very unreliable.
            inSslRead = true;
            readBytes = q_SSL_read(ssl, buffer.reserve(bytesToRead), bytesToRead);
            inSslRead = false;
            if (renegotiated) {
                renegotiated = false;
                X509 *x509 = q_SSL_get_peer_certificate(ssl);
                const auto peerCertificate =
                        QTlsPrivate::X509CertificateOpenSSL::certificateFromX509(x509);
                // Fail the renegotiate if the certificate has changed, else: continue.
                if (peerCertificate != q->peerCertificate()) {
                    const ScopedBool bg(inSetAndEmitError, true);
                    setErrorAndEmit(
                            d, QAbstractSocket::RemoteHostClosedError,
                            QSslSocket::tr(
                                    "TLS certificate unexpectedly changed during renegotiation!"));
                    q->abort();
                    return;
                }
            }
            if (readBytes > 0) {
#ifdef QSSLSOCKET_DEBUG
                qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: decrypted" << readBytes << "bytes";
#endif
                buffer.chop(bytesToRead - readBytes);

                if (bool *readyReadEmittedPointer = d->readyReadPointer())
                    *readyReadEmittedPointer = true;
                emit q->readyRead();
                emit q->channelReadyRead(0);
                transmitting = true;
                continue;
            }
            buffer.chop(bytesToRead);

            // Error.
            switch (q_SSL_get_error(ssl, readBytes)) {
            case SSL_ERROR_WANT_READ:
            case SSL_ERROR_WANT_WRITE:
                // Out of data.
                break;
            case SSL_ERROR_ZERO_RETURN:
                // The remote host closed the connection.
#ifdef QSSLSOCKET_DEBUG
                qCDebug(lcTlsBackend) << "TlsCryptographOpenSSL::transmit: remote disconnect";
#endif
                shutdown = true; // the other side shut down, make sure we do not send shutdown ourselves
                {
                    const ScopedBool bg(inSetAndEmitError, true);
                    setErrorAndEmit(d, QAbstractSocket::RemoteHostClosedError,
                                    QSslSocket::tr("The TLS/SSL connection has been closed"));
                }
                return;
            case SSL_ERROR_SYSCALL: // some IO error
            case SSL_ERROR_SSL: // error in the SSL library
                // we do not know exactly what the error is, nor whether we can recover from it,
                // so just return to prevent an endless loop in the outer "while" statement
                systemOrSslErrorDetected = true;
                {
                    const ScopedBool bg(inSetAndEmitError, true);
                    setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                                    QSslSocket::tr("Error while reading: %1")
                                    .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
                }
                return;
            default:
                // SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT: can only happen with a
                // BIO_s_connect() or BIO_s_accept(), which we do not call.
                // SSL_ERROR_WANT_X509_LOOKUP: can only happen with a
                // SSL_CTX_set_client_cert_cb(), which we do not call.
                // So this default case should never be triggered.
                {
                    const ScopedBool bg(inSetAndEmitError, true);
                    setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                                    QSslSocket::tr("Error while reading: %1")
                                    .arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
                }
                break;
            }
        } while (ssl && readBytes > 0);
    } while (ssl && transmitting);
}

void TlsCryptographOpenSSL::disconnectFromHost()
{
    if (ssl) {
        if (!shutdown && !q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
            if (q_SSL_shutdown(ssl) != 1) {
                // Some error may be queued, clear it.
                QTlsBackendOpenSSL::clearErrorQueue();
            }
            shutdown = true;
            transmit();
        }
    }
    Q_ASSERT(d);
    auto *plainSocket = d->plainTcpSocket();
    Q_ASSERT(plainSocket);
    plainSocket->disconnectFromHost();
}

void TlsCryptographOpenSSL::disconnected()
{
    Q_ASSERT(d);
    auto *plainSocket = d->plainTcpSocket();
    Q_ASSERT(plainSocket);
    d->setEncrypted(false);

    if (plainSocket->bytesAvailable() <= 0) {
        destroySslContext();
    } else {
        // Move all bytes into the plain buffer.
        const qint64 tmpReadBufferMaxSize = d->maxReadBufferSize();
        // Reset temporarily, so the plain socket buffer is completely drained:
        d->setMaxReadBufferSize(0);
        transmit();
        d->setMaxReadBufferSize(tmpReadBufferMaxSize);
    }
    //if there is still buffered data in the plain socket, don't destroy the ssl context yet.
    //it will be destroyed when the socket is deleted.
}

QSslCipher TlsCryptographOpenSSL::sessionCipher() const
{
    if (!ssl)
        return {};

    const SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl);
    return sessionCipher ? QTlsBackendOpenSSL::qt_OpenSSL_cipher_to_QSslCipher(sessionCipher) : QSslCipher{};
}

QSsl::SslProtocol TlsCryptographOpenSSL::sessionProtocol() const
{
    if (!ssl)
        return QSsl::UnknownProtocol;

    const int ver = q_SSL_version(ssl);
    switch (ver) {
QT_WARNING_PUSH
QT_WARNING_DISABLE_DEPRECATED
    case 0x301:
        return QSsl::TlsV1_0;
    case 0x302:
        return QSsl::TlsV1_1;
QT_WARNING_POP
    case 0x303:
        return QSsl::TlsV1_2;
    case 0x304:
        return QSsl::TlsV1_3;
    }

    return QSsl::UnknownProtocol;
}

QList<QOcspResponse> TlsCryptographOpenSSL::ocsps() const
{
    return ocspResponses;
}

bool TlsCryptographOpenSSL::checkSslErrors()
{
    Q_ASSERT(q);
    Q_ASSERT(d);

    if (sslErrors.isEmpty())
        return true;

    emit q->sslErrors(sslErrors);

    const auto vfyMode = q->peerVerifyMode();
    const auto mode = d->tlsMode();

    bool doVerifyPeer = vfyMode == QSslSocket::VerifyPeer || (vfyMode == QSslSocket::AutoVerifyPeer
                                                               && mode == QSslSocket::SslClientMode);
    bool doEmitSslError = !d->verifyErrorsHaveBeenIgnored();
    // check whether we need to emit an SSL handshake error
    if (doVerifyPeer && doEmitSslError) {
        if (q->pauseMode() & QAbstractSocket::PauseOnSslErrors) {
            QSslSocketPrivate::pauseSocketNotifiers(q);
            d->setPaused(true);
        } else {
            setErrorAndEmit(d, QAbstractSocket::SslHandshakeFailedError, sslErrors.constFirst().errorString());
            auto *plainSocket = d->plainTcpSocket();
            Q_ASSERT(plainSocket);
            plainSocket->disconnectFromHost();
        }
        return false;
    }
    return true;
}

int TlsCryptographOpenSSL::handleNewSessionTicket(SSL *connection)
{
    // If we return 1, this means we own the session, but we don't.
    // 0 would tell OpenSSL to deref (but they still have it in the
    // internal cache).
    Q_ASSERT(connection);

    Q_ASSERT(q);
    Q_ASSERT(d);

    if (q->sslConfiguration().testSslOption(QSsl::SslOptionDisableSessionPersistence)) {
        // We silently ignore, do nothing, remove from cache.
        return 0;
    }

    SSL_SESSION *currentSession = q_SSL_get_session(connection);
    if (!currentSession) {
        qCWarning(lcTlsBackend,
                  "New session ticket callback, the session is invalid (nullptr)");
        return 0;
    }

    if (q_SSL_version(connection) < 0x304) {
        // We only rely on this mechanics with TLS >= 1.3
        return 0;
    }

#ifdef TLS1_3_VERSION
    if (!q_SSL_SESSION_is_resumable(currentSession)) {
        qCDebug(lcTlsBackend, "New session ticket, but the session is non-resumable");
        return 0;
    }
#endif // TLS1_3_VERSION

    const int sessionSize = q_i2d_SSL_SESSION(currentSession, nullptr);
    if (sessionSize <= 0) {
        qCWarning(lcTlsBackend, "could not store persistent version of SSL session");
        return 0;
    }

    // We have somewhat perverse naming, it's not a ticket, it's a session.
    QByteArray sessionTicket(sessionSize, 0);
    auto data = reinterpret_cast<unsigned char *>(sessionTicket.data());
    if (!q_i2d_SSL_SESSION(currentSession, &data)) {
        qCWarning(lcTlsBackend, "could not store persistent version of SSL session");
        return 0;
    }

    QTlsBackend::setSessionAsn1(d, sessionTicket);
    QTlsBackend::setSessionLifetimeHint(d, q_SSL_SESSION_get_ticket_lifetime_hint(currentSession));

    emit q->newSessionTicketReceived();
    return 0;
}

void TlsCryptographOpenSSL::alertMessageSent(int value)
{
    Q_ASSERT(q);
    Q_ASSERT(d);

    const auto level = tlsAlertLevel(value);
    if (level == QSsl::AlertLevel::Fatal && !q->isEncrypted()) {
        // Note, this logic is handshake-time only:
        pendingFatalAlert = true;
    }

    emit q->alertSent(level, tlsAlertType(value), tlsAlertDescription(value));

}

void TlsCryptographOpenSSL::alertMessageReceived(int value)
{
    Q_ASSERT(q);

    emit q->alertReceived(tlsAlertLevel(value), tlsAlertType(value), tlsAlertDescription(value));
}

int TlsCryptographOpenSSL::emitErrorFromCallback(X509_STORE_CTX *ctx)
{
    // Returns 0 to abort verification, 1 to continue despite error (as
    // OpenSSL expects from the verification callback).
    Q_ASSERT(q);
    Q_ASSERT(ctx);

    using ScopedBool = QScopedValueRollback<bool>;
    // While we are not setting, we are emitting and in general -
    // we want to prevent accidental recursive startHandshake()
    // calls:
    const ScopedBool bg(inSetAndEmitError, true);

    X509 *x509 = q_X509_STORE_CTX_get_current_cert(ctx);
    if (!x509) {
        qCWarning(lcTlsBackend, "Could not obtain the certificate (that failed to verify)");
        return 0;
    }

    const QSslCertificate certificate = QTlsPrivate::X509CertificateOpenSSL::certificateFromX509(x509);
    const auto errorAndDepth = QTlsPrivate::X509CertificateOpenSSL::errorEntryFromStoreContext(ctx);
    const QSslError tlsError = QTlsPrivate::X509CertificateOpenSSL::openSSLErrorToQSslError(errorAndDepth.code, certificate);

    errorsReportedFromCallback = true;
    handshakeInterrupted = true;
    emit q->handshakeInterruptedOnError(tlsError);

    // Conveniently so, we also can access 'lastErrors' external data set
    // in startHandshake, we store it for the case an application later
    // wants to check errors (ignored or not):
    const auto offset = QTlsBackendOpenSSL::s_indexForSSLExtraData
                        + TlsCryptographOpenSSL::errorOffsetInExData;
    if (auto errorList = static_cast<QList<QSslErrorEntry> *>(q_SSL_get_ex_data(ssl, offset)))
        errorList->append(errorAndDepth);

    // An application is expected to ignore this error (by calling ignoreSslErrors)
    // in its directly connected slot:
    return !handshakeInterrupted;
}

void TlsCryptographOpenSSL::trySendFatalAlert()
{
    Q_ASSERT(pendingFatalAlert);
    Q_ASSERT(d);

    auto *plainSocket = d->plainTcpSocket();

    pendingFatalAlert = false;
    QVarLengthArray<char, 4096> data;
    int pendingBytes = 0;
    while (plainSocket->isValid() && (pendingBytes = q_BIO_pending(writeBio)) > 0
           && plainSocket->openMode() != QIODevice::NotOpen) {
        // Read encrypted data from the write BIO into a buffer.
        data.resize(pendingBytes);
        const int bioReadBytes = q_BIO_read(writeBio, data.data(), pendingBytes);

        // Write encrypted data from the buffer to the socket.
        qint64 actualWritten = plainSocket->write(data.constData(), bioReadBytes);
        if (actualWritten < 0)
            return;
        plainSocket->flush();
    }
}

bool TlsCryptographOpenSSL::initSslContext()
{
    Q_ASSERT(q);
    Q_ASSERT(d);

    // If no external context was set (e.g. by QHttpNetworkConnection) we will
    // create a new one.
    const auto mode = d->tlsMode();
    const auto configuration = q->sslConfiguration();
    if (!sslContextPointer)
        sslContextPointer = QSslContext::sharedFromConfiguration(mode, configuration, d->isRootsOnDemandAllowed());

    if (sslContextPointer->error() != QSslError::NoError) {
        setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError, sslContextPointer->errorString());
        sslContextPointer.reset();
        return false;
    }

    // Create and initialize SSL session
    if (!(ssl = sslContextPointer->createSsl())) {
        setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                        QSslSocket::tr("Error creating SSL session, %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
        return false;
    }

    if (configuration.protocol() != QSsl::UnknownProtocol && mode == QSslSocket::SslClientMode) {
        const auto verificationPeerName = d->verificationName();
        // Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format.
        QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName;
        if (tlsHostName.isEmpty())
            tlsHostName = d->tlsHostName();
        QByteArray ace = QUrl::toAce(tlsHostName);
        // only send the SNI header if the URL is valid and not an IP
        if (!ace.isEmpty()
            && !QHostAddress().setAddress(tlsHostName)
            && !(configuration.testSslOption(QSsl::SslOptionDisableServerNameIndication))) {
            // We don't send the trailing dot from the host header if present see
            // https://tools.ietf.org/html/rfc6066#section-3
            if (ace.endsWith('.'))
                ace.chop(1);
            if (!q_SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, ace.data()))
                qCWarning(lcTlsBackend, "could not set SSL_CTRL_SET_TLSEXT_HOSTNAME, Server Name Indication disabled");
        }
    }

    // Clear the session.
    errorList.clear();

    // Initialize memory BIOs for encryption and decryption.
    readBio = q_BIO_new(q_BIO_s_mem());
    writeBio = q_BIO_new(q_BIO_s_mem());
    if (!readBio || !writeBio) {
        setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                        QSslSocket::tr("Error creating SSL session: %1").arg(QTlsBackendOpenSSL::getErrorsFromOpenSsl()));
        if (readBio)
            q_BIO_free(readBio);
        if (writeBio)
            q_BIO_free(writeBio);
        return false;
    }

    // Assign the bios.
    q_SSL_set_bio(ssl, readBio, writeBio);

    if (mode == QSslSocket::SslClientMode)
        q_SSL_set_connect_state(ssl);
    else
        q_SSL_set_accept_state(ssl);

    q_SSL_set_ex_data(ssl, QTlsBackendOpenSSL::s_indexForSSLExtraData, this);

#ifndef OPENSSL_NO_PSK
    // Set the client callback for PSK
    if (mode == QSslSocket::SslClientMode)
        q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback);
    else if (mode == QSslSocket::SslServerMode)
        q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback);

#if OPENSSL_VERSION_NUMBER >= 0x10101006L
    // Set the client callback for TLSv1.3 PSK
    if (mode == QSslSocket::SslClientMode
        && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
        q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback);
    }
#endif // openssl version >= 0x10101006L

#endif // OPENSSL_NO_PSK

#if QT_CONFIG(ocsp)
    if (configuration.ocspStaplingEnabled()) {
        if (mode == QSslSocket::SslServerMode) {
            setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError,
                            QSslSocket::tr("Server-side QSslSocket does not support OCSP stapling"));
            return false;
        }
        if (q_SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp) != 1) {
            setErrorAndEmit(d, QAbstractSocket::SslInternalError,
                            QSslSocket::tr("Failed to enable OCSP stapling"));
            return false;
        }
    }

    ocspResponseDer.clear();
    const auto backendConfig = configuration.backendConfiguration();
    auto responsePos = backendConfig.find("Qt-OCSP-response");
    if (responsePos != backendConfig.end()) {
        // This is our private, undocumented 'API' we use for the auto-testing of
        // OCSP-stapling. It must be a der-encoded OCSP response, presumably set
        // by tst_QOcsp.
        const QVariant data(responsePos.value());
        if (data.canConvert<QByteArray>())
            ocspResponseDer = data.toByteArray();
    }

    if (ocspResponseDer.size()) {
        if (mode != QSslSocket::SslServerMode) {
            setErrorAndEmit(d, QAbstractSocket::SslInvalidUserDataError,
                            QSslSocket::tr("Client-side sockets do not send OCSP responses"));
            return false;
        }
    }
#endif // ocsp

    return true;
}

void TlsCryptographOpenSSL::destroySslContext()
{
    if (ssl) {
        if (!q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
            // We do not send a shutdown alert here. Just mark the session as
            // resumable for qhttpnetworkconnection's "optimization", otherwise
            // OpenSSL won't start a session resumption.
            if (q_SSL_shutdown(ssl) != 1) {
                // Some error may be queued, clear it.
                const auto errors = QTlsBackendOpenSSL::getErrorsFromOpenSsl();
                Q_UNUSED(errors);
            }
        }
        q_SSL_free(ssl);
        ssl = nullptr;
    }
    sslContextPointer.reset();
}

void TlsCryptographOpenSSL::storePeerCertificates()
{
    Q_ASSERT(d);

    // Store the peer certificate and chain. For clients, the peer certificate
    // chain includes the peer certificate; for servers, it doesn't. Both the
    // peer certificate and the chain may be empty if the peer didn't present
    // any certificate.
    X509 *x509 = q_SSL_get_peer_certificate(ssl);

    const auto peerCertificate = QTlsPrivate::X509CertificateOpenSSL::certificateFromX509(x509);
    QTlsBackend::storePeerCertificate(d, peerCertificate);
    q_X509_free(x509);
    auto peerCertificateChain = q->peerCertificateChain();
    if (peerCertificateChain.isEmpty()) {
        peerCertificateChain = QTlsPrivate::X509CertificateOpenSSL::stackOfX509ToQSslCertificates(q_SSL_get_peer_cert_chain(ssl));
        if (!peerCertificate.isNull() && d->tlsMode() == QSslSocket::SslServerMode)
            peerCertificateChain.prepend(peerCertificate);
        QTlsBackend::storePeerCertificateChain(d, peerCertificateChain);
    }
}

#if QT_CONFIG(ocsp)

bool TlsCryptographOpenSSL::checkOcspStatus()
{
    Q_ASSERT(ssl);
    Q_ASSERT(d);

    const auto &configuration = q->sslConfiguration();
    Q_ASSERT(d->tlsMode() == QSslSocket::SslClientMode); // See initSslContext() for SslServerMode
    Q_ASSERT(configuration.peerVerifyMode() != QSslSocket::VerifyNone);

    const auto clearErrorQueue = qScopeGuard([] {
        QTlsBackendOpenSSL::logAndClearErrorQueue();
    });

    ocspResponses.clear();
    ocspErrorDescription.clear();
    ocspErrors.clear();

    const unsigned char *responseData = nullptr;
    const long responseLength = q_SSL_get_tlsext_status_ocsp_resp(ssl, &responseData);
    if (responseLength <= 0 || !responseData) {
        ocspErrors.push_back(QSslError(QSslError::OcspNoResponseFound));
        return false;
    }

    OCSP_RESPONSE *response = q_d2i_OCSP_RESPONSE(nullptr, &responseData, responseLength);
    if (!response) {
        // Treat this as a fatal SslHandshakeError.
        ocspErrorDescription = QSslSocket::tr("Failed to decode OCSP response");
        return false;
    }
    const QSharedPointer<OCSP_RESPONSE> responseGuard(response, q_OCSP_RESPONSE_free);

    const int ocspStatus = q_OCSP_response_status(response);
    if (ocspStatus != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
        // It's not a definitive response, it's an error message (not signed by the responder).
        ocspErrors.push_back(QSslError(qt_OCSP_response_status_to_SslError(ocspStatus)));
        return false;
    }

    OCSP_BASICRESP *basicResponse = q_OCSP_response_get1_basic(response);
    if (!basicResponse) {
        // SslHandshakeError.
        ocspErrorDescription = QSslSocket::tr("Failed to extract basic OCSP response");
        return false;
    }
    const QSharedPointer<OCSP_BASICRESP> basicResponseGuard(basicResponse, q_OCSP_BASICRESP_free);

    SSL_CTX *ctx = q_SSL_get_SSL_CTX(ssl); // Does not increment refcount.
    Q_ASSERT(ctx);
    X509_STORE *store = q_SSL_CTX_get_cert_store(ctx); // Does not increment refcount.
    if (!store) {
        // SslHandshakeError.
        ocspErrorDescription = QSslSocket::tr("No certificate verification store, cannot verify OCSP response");
        return false;
    }

    STACK_OF(X509) *peerChain = q_SSL_get_peer_cert_chain(ssl); // Does not increment refcount.
    X509 *peerX509 = q_SSL_get_peer_certificate(ssl);
    Q_ASSERT(peerChain || peerX509);
    const QSharedPointer<X509> peerX509Guard(peerX509, q_X509_free);
    // OCSP_basic_verify with 0 as verificationFlags:
    //
    // 0) Tries to find the OCSP responder's certificate in either peerChain
    // or basicResponse->certs. If not found, verification fails.
    // 1) It checks the signature using the responder's public key.
    // 2) Then it tries to validate the responder's cert (building a chain
    //    etc.)
    // 3) It checks CertID in response.
    // 4) Ensures the responder is authorized to sign the status respond.
    //
    // Note, OpenSSL prior to 1.0.2b would only use bs->certs to
    // verify the responder's chain (see their commit 4ba9a4265bd).
    // Working this around - is too much fuss for ancient versions we
    // are dropping quite soon anyway.
    const unsigned long verificationFlags = 0;
    const int success = q_OCSP_basic_verify(basicResponse, peerChain, store, verificationFlags);
    if (success <= 0)
        ocspErrors.push_back(QSslError(QSslError::OcspResponseCannotBeTrusted));

    if (q_OCSP_resp_count(basicResponse) != 1) {
        ocspErrors.push_back(QSslError(QSslError::OcspMalformedResponse));
        return false;
    }

    OCSP_SINGLERESP *singleResponse = q_OCSP_resp_get0(basicResponse, 0);
    if (!singleResponse) {
        ocspErrors.clear();
        // A fatal problem -> SslHandshakeError.
        ocspErrorDescription = QSslSocket::tr("Failed to decode a SingleResponse from OCSP status response");
        return false;
    }

    // Let's make sure the response is for the correct certificate - we
    // can re-create this CertID using our peer's certificate and its
    // issuer's public key.
    ocspResponses.push_back(QOcspResponse());
    QOcspResponsePrivate *dResponse = ocspResponses.back().d.data();
    dResponse->subjectCert = configuration.peerCertificate();
    bool matchFound = false;
    if (dResponse->subjectCert.isSelfSigned()) {
        dResponse->signerCert = configuration.peerCertificate();
        matchFound = qt_OCSP_certificate_match(singleResponse, peerX509, peerX509);
    } else {
        const STACK_OF(X509) *certs = q_SSL_get_peer_cert_chain(ssl);
        if (!certs) // Oh, what a cataclysm! Last try:
            certs = q_OCSP_resp_get0_certs(basicResponse);
        if (certs) {
            // It could be the first certificate in 'certs' is our peer's
            // certificate. Since it was not captured by the 'self-signed' branch
            // above, the CertID will not match and we'll just iterate on to the
            // next certificate. So we start from 0, not 1.
            for (int i = 0, e = q_sk_X509_num(certs); i < e; ++i) {
                X509 *issuer = q_sk_X509_value(certs, i);
                matchFound = qt_OCSP_certificate_match(singleResponse, peerX509, issuer);
                if (matchFound) {
                    if (q_X509_check_issued(issuer, peerX509) == X509_V_OK) {
                        dResponse->signerCert =  QTlsPrivate::X509CertificateOpenSSL::certificateFromX509(issuer);
                        break;
                    }
                    matchFound = false;
                }
            }
        }
    }

    if (!matchFound) {
        dResponse->signerCert.clear();
        ocspErrors.push_back({QSslError::OcspResponseCertIdUnknown, configuration.peerCertificate()});
    }

    // Check if the response is valid time-wise:
    ASN1_GENERALIZEDTIME *revTime = nullptr;
    ASN1_GENERALIZEDTIME *thisUpdate = nullptr;
    ASN1_GENERALIZEDTIME *nextUpdate = nullptr;
    int reason;
    const int certStatus = q_OCSP_single_get0_status(singleResponse, &reason, &revTime, &thisUpdate, &nextUpdate);
    if (!thisUpdate) {
        // This is unexpected, treat as SslHandshakeError, OCSP_check_validity assumes this pointer
        // to be != nullptr.
        ocspErrors.clear();
        ocspResponses.clear();
        ocspErrorDescription = QSslSocket::tr("Failed to extract 'this update time' from the SingleResponse");
        return false;
    }

    // OCSP_check_validity(this, next, nsec, maxsec) does this check:
    // this <= now <= next. They allow some freedom to account
    // for delays/time inaccuracy.
    // this > now + nsec ? -> NOT_YET_VALID
    // if maxsec >= 0:
    //     now - maxsec > this ? -> TOO_OLD
    // now - nsec > next ? -> EXPIRED
    // next < this ? -> NEXT_BEFORE_THIS
    // OK.
    if (!q_OCSP_check_validity(thisUpdate, nextUpdate, 60, -1))
        ocspErrors.push_back({QSslError::OcspResponseExpired, configuration.peerCertificate()});

    // And finally, the status:
    switch (certStatus) {
    case V_OCSP_CERTSTATUS_GOOD:
        // This certificate was not found among the revoked ones.
        dResponse->certificateStatus = QOcspCertificateStatus::Good;
        break;
    case V_OCSP_CERTSTATUS_REVOKED:
        dResponse->certificateStatus = QOcspCertificateStatus::Revoked;
        dResponse->revocationReason = qt_OCSP_revocation_reason(reason);
        ocspErrors.push_back({QSslError::CertificateRevoked, configuration.peerCertificate()});
        break;
    case V_OCSP_CERTSTATUS_UNKNOWN:
        dResponse->certificateStatus = QOcspCertificateStatus::Unknown;
        ocspErrors.push_back({QSslError::OcspStatusUnknown, configuration.peerCertificate()});
    }

    return !ocspErrors.size();
}

#endif // QT_CONFIG(ocsp)


unsigned TlsCryptographOpenSSL::pskClientTlsCallback(const char *hint, char *identity,
                                                     unsigned max_identity_len,
                                                     unsigned char *psk, unsigned max_psk_len)
{
    Q_ASSERT(q);

    QSslPreSharedKeyAuthenticator authenticator;
    // Fill in some read-only fields (for the user)
    const int hintLength = hint ? int(std::strlen(hint)) : 0;
    QTlsBackend::setupClientPskAuth(&authenticator, hint, hintLength, max_identity_len, max_psk_len);
    // Let the client provide the remaining bits...
    emit q->preSharedKeyAuthenticationRequired(&authenticator);

    // No PSK set? Return now to make the handshake fail
    if (authenticator.preSharedKey().isEmpty())
        return 0;

    // Copy data back into OpenSSL
    const int identityLength = qMin(authenticator.identity().length(), authenticator.maximumIdentityLength());
    std::memcpy(identity, authenticator.identity().constData(), identityLength);
    identity[identityLength] = 0;

    const int pskLength = qMin(authenticator.preSharedKey().length(), authenticator.maximumPreSharedKeyLength());
    std::memcpy(psk, authenticator.preSharedKey().constData(), pskLength);
    return pskLength;
}

unsigned TlsCryptographOpenSSL::pskServerTlsCallback(const char *identity, unsigned char *psk,
                                                     unsigned max_psk_len)
{
    Q_ASSERT(q);

    QSslPreSharedKeyAuthenticator authenticator;

    // Fill in some read-only fields (for the user)
    QTlsBackend::setupServerPskAuth(&authenticator, identity, q->sslConfiguration().preSharedKeyIdentityHint(),
                                    max_psk_len);
    emit q->preSharedKeyAuthenticationRequired(&authenticator);

    // No PSK set? Return now to make the handshake fail
    if (authenticator.preSharedKey().isEmpty())
        return 0;

    // Copy data back into OpenSSL
    const int pskLength = qMin(authenticator.preSharedKey().length(), authenticator.maximumPreSharedKeyLength());
    std::memcpy(psk, authenticator.preSharedKey().constData(), pskLength);
    return pskLength;
}

bool TlsCryptographOpenSSL::isInSslRead() const
{
    return inSslRead;
}

void TlsCryptographOpenSSL::setRenegotiated(bool renegotiated)
{
    this->renegotiated = renegotiated;
}

#ifdef Q_OS_WIN

void TlsCryptographOpenSSL::fetchCaRootForCert(const QSslCertificate &cert)
{
    Q_ASSERT(d);
    Q_ASSERT(q);

    //The root certificate is downloaded from windows update, which blocks for 15 seconds in the worst case
    //so the request is done in a worker thread.
    QList<QSslCertificate> customRoots;
    if (fetchAuthorityInformation)
        customRoots = q->sslConfiguration().caCertificates();

    //Remember we are fetching and what we are fetching:
    caToFetch = cert;

    QWindowsCaRootFetcher *fetcher = new QWindowsCaRootFetcher(cert, d->tlsMode(), customRoots,
                                                               q->peerVerifyName());
    connect(fetcher,  &QWindowsCaRootFetcher::finished, this, &TlsCryptographOpenSSL::caRootLoaded,
            Qt::QueuedConnection);
    QMetaObject::invokeMethod(fetcher, "start", Qt::QueuedConnection);
    QSslSocketPrivate::pauseSocketNotifiers(q);
    d->setPaused(true);
}

void TlsCryptographOpenSSL::caRootLoaded(QSslCertificate cert, QSslCertificate trustedRoot)
{
    if (caToFetch != cert) {
        //Ooops, something from the previous connection attempt, ignore!
        return;
    }

    Q_ASSERT(d);
    Q_ASSERT(q);

    //Done, fetched already:
    caToFetch = QSslCertificate{};

    if (fetchAuthorityInformation) {
        if (!q->sslConfiguration().caCertificates().contains(trustedRoot))
            trustedRoot = QSslCertificate{};
        fetchAuthorityInformation = false;
    }

    if (!trustedRoot.isNull() && !trustedRoot.isBlacklisted()) {
        if (QSslSocketPrivate::rootCertOnDemandLoadingSupported()) {
            //Add the new root cert to default cert list for use by future sockets
            auto defaultConfig = QSslConfiguration::defaultConfiguration();
            defaultConfig.addCaCertificate(trustedRoot);
            QSslConfiguration::setDefaultConfiguration(defaultConfig);
        }
        //Add the new root cert to this socket for future connections
        QTlsBackend::addTustedRoot(d, trustedRoot);
        //Remove the broken chain ssl errors (as chain is verified by windows)
        for (int i=sslErrors.count() - 1; i >= 0; --i) {
            if (sslErrors.at(i).certificate() == cert) {
                switch (sslErrors.at(i).error()) {
                case QSslError::UnableToGetLocalIssuerCertificate:
                case QSslError::CertificateUntrusted:
                case QSslError::UnableToVerifyFirstCertificate:
                case QSslError::SelfSignedCertificateInChain:
                    // error can be ignored if OS says the chain is trusted
                    sslErrors.removeAt(i);
                    break;
                default:
                    // error cannot be ignored
                    break;
                }
            }
        }
    }

    auto *plainSocket = d->plainTcpSocket();
    Q_ASSERT(plainSocket);
    // Continue with remaining errors
    if (plainSocket)
        plainSocket->resume();
    d->setPaused(false);
    if (checkSslErrors() && ssl) {
        bool willClose = (d->isAutoStartingHandshake() && d->isPendingClose());
        continueHandshake();
        if (!willClose)
            transmit();
    }
}

#endif // Q_OS_WIN

} // namespace QTlsPrivate

QT_END_NAMESPACE