authorTimur Pocheptsov <timur.pocheptsov@qt.io>2018-10-25 10:44:16 +0200
committerTimur Pocheptsov <timur.pocheptsov@qt.io>2018-12-03 13:20:05 +0000
commita8412dc020e82b45b54b0b6637b8b88b255c413a (patch)
treed232e68bb1a7d30e11667f7d988e42ae4deee9e8 /src/network/ssl/qsslconfiguration.cpp
parentc1fc47b06aa27e253271d59b6c1f11a6c4ab674a (diff)
Enable OCSP stapling in QSslSocket
This patch enables OCSP stapling in QSslSocket::SslClientMode (OpenSSL back-end only). OCSP stapling is described by RFC6066 and based on the original OCSP as defined by RFC2560. At the moment multiple certificate status protocol is not supported (not implemented in OpenSSL). SecureTransport does not support OCSP stapling at the moment. [ChangeLog][QtNetwork][TLS] Added OCSP-stapling support for OpenSSL backend Task-number: QTBUG-12812 Task-number: QTBUG-17158 Change-Id: Id2e0f4cc861311d1ece462864e5e30c76184af8c Reviewed-by: Edward Welbourne <edward.welbourne@qt.io> Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/network/ssl/qsslconfiguration.cpp')
-rw-r--r--src/network/ssl/qsslconfiguration.cpp37
1 files changed, 35 insertions, 2 deletions
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 3f732b4646..4697a5f90f 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -228,7 +228,8 @@ bool QSslConfiguration::operator==(const QSslConfiguration &other) const
d->nextAllowedProtocols == other.d->nextAllowedProtocols &&
d->nextNegotiatedProtocol == other.d->nextNegotiatedProtocol &&
d->nextProtocolNegotiationStatus == other.d->nextProtocolNegotiationStatus &&
- d->dtlsCookieEnabled == other.d->dtlsCookieEnabled;
+ d->dtlsCookieEnabled == other.d->dtlsCookieEnabled &&
+ d->ocspStaplingEnabled == other.d->ocspStaplingEnabled;
}
/*!
@@ -272,7 +273,8 @@ bool QSslConfiguration::isNull() const
d->preSharedKeyIdentityHint.isNull() &&
d->nextAllowedProtocols.isEmpty() &&
d->nextNegotiatedProtocol.isNull() &&
- d->nextProtocolNegotiationStatus == QSslConfiguration::NextProtocolNegotiationNone);
+ d->nextProtocolNegotiationStatus == QSslConfiguration::NextProtocolNegotiationNone &&
+ d->ocspStaplingEnabled == false);
}
/*!
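Review bot: The added term `d->ocspStaplingEnabled == false` compares a bool against a literal; `!d->ocspStaplingEnabled` says the same thing more directly. The return expression of isNull() begins outside the hunk, so whether the other boolean members are tested the same way is not visible here.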
@@ -1094,6 +1096,37 @@ void QSslConfiguration::setDefaultDtlsConfiguration(const QSslConfiguration &con
#endif // dtls
+/*!
+ \since 5.13
+ If \a enabled is true, client QSslSocket will send a certificate status request
+ to its peer when initiating a handshake. During the handshake QSslSocket will
+ verify the server's response. This value must be set before the handshake
+ starts.
+
+ \sa ocspStaplingEnabled()
+*/
+void QSslConfiguration::setOcspStaplingEnabled(bool enabled)
+{
+#if QT_CONFIG(ocsp)
+ d->ocspStaplingEnabled = enabled;
+#else
+ if (enabled)
+ qCWarning(lcSsl, "Enabling OCSP-stapling requires the feature 'ocsp'");
+#endif // ocsp
+}
+
+/*!
+ \since 5.13
+ Returns true if OCSP stapling was enabled by setOCSPStaplingEnabled(),
+ otherwise false (which is the default value).
+
+ \sa setOcspStaplingEnabled()
+*/
+bool QSslConfiguration::ocspStaplingEnabled() const
+{
+ return d->ocspStaplingEnabled;
+}
+
/*! \internal
*/
bool QSslConfigurationPrivate::peerSessionWasShared(const QSslConfiguration &configuration) {
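Review bot: In builds without the 'ocsp' feature, setOcspStaplingEnabled(true) only logs a warning and leaves the flag false, so a caller that asked for the server's certificate status to be verified gets a handshake with no such check and no error to act on. The doc comment should say this, for example `\note Has no effect if Qt was built without the 'ocsp' feature; check ocspStaplingEnabled() after the call.` It would also help to document what happens to the handshake when the server sends no stapled response or an invalid one, which these lines do not show. Separately, the getter's documentation refers to `setOCSPStaplingEnabled()`, but the function is spelled `setOcspStaplingEnabled()`.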