Add tst_QOcsp auto-test

This patch introduces a private 'API' to enable server-side OCSP responses and implements a simple OCSP responder, tests OCSP status on a client side (the test is pretty basic, but for now should suffice). Change-Id: I4c6cacd4a1b949dd0ef5e6b59322fb0967d02120 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
author: Timur Pocheptsov <timur.pocheptsov@qt.io> 2018-11-13 15:25:25 +0100
committer: Timur Pocheptsov <timur.pocheptsov@qt.io> 2018-12-06 05:14:45 +0000
commit: 6a28f6767754f427eb29a266f38252bdf23123c6 (patch)
tree: cc45c99369385859defed024192ceea41a0a02c4 /src/network/ssl/qsslcontext_openssl.cpp
parent: a8dae3ad0bc6377c695326e48d3c0db9f73107db (diff)
1 files changed, 21 insertions, 3 deletions
diff --git a/src/network/ssl/qsslcontext_openssl.cpp b/src/network/ssl/qsslcontext_openssl.cpp
index 35cca9f01a..e81e5582f4 100644
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -243,12 +243,28 @@ QString QSslContext::errorString() const
     return errorStr;
 }
 
+#if QT_CONFIG(ocsp)
+extern "C" int qt_OCSP_status_server_callback(SSL *ssl, void *); // Defined in qsslsocket_openssl.cpp.
+#endif // ocsp
 // static
 void QSslContext::applyBackendConfig(QSslContext *sslContext)
 {
-    if (sslContext->sslConfiguration.backendConfiguration().isEmpty())
+    const QMap<QByteArray, QVariant> &conf = sslContext->sslConfiguration.backendConfiguration();
+    if (conf.isEmpty())
         return;
 
+#if QT_CONFIG(ocsp)
+    auto ocspResponsePos = conf.find("Qt-OCSP-response");
+    if (ocspResponsePos != conf.end()) {
+        // This is our private, undocumented configuration option, existing only for
+        // the purpose of testing OCSP status responses. We don't even check this
+        // callback was set. If no - the test must fail.
+        q_SSL_CTX_set_tlsext_status_cb(sslContext->ctx, qt_OCSP_status_server_callback);
+        if (conf.size() == 1)
+            return;
+    }
+#endif // ocsp
+
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) {
         QSharedPointer<SSL_CONF_CTX> cctx(q_SSL_CONF_CTX_new(), &q_SSL_CONF_CTX_free);
@@ -256,8 +272,10 @@ void QSslContext::applyBackendConfig(QSslContext *sslContext)
             q_SSL_CONF_CTX_set_ssl_ctx(cctx.data(), sslContext->ctx);
             q_SSL_CONF_CTX_set_flags(cctx.data(), SSL_CONF_FLAG_FILE);
 
-            const auto &backendConfig = sslContext->sslConfiguration.backendConfiguration();
-            for (auto i = backendConfig.constBegin(); i != backendConfig.constEnd(); ++i) {
+            for (auto i = conf.constBegin(); i != conf.constEnd(); ++i) {
+                if (i.key() == "Qt-OCSP-response") // This never goes to SSL_CONF_cmd().
+                    continue;
+
                 if (!i.value().canConvert(QMetaType::QByteArray)) {
                     sslContext->errorCode = QSslError::UnspecifiedError;
                     sslContext->errorStr = msgErrorSettingBackendConfig(
author	Timur Pocheptsov <timur.pocheptsov@qt.io>	2018-11-13 15:25:25 +0100
committer	Timur Pocheptsov <timur.pocheptsov@qt.io>	2018-12-06 05:14:45 +0000
commit	6a28f6767754f427eb29a266f38252bdf23123c6 (patch)
tree	cc45c99369385859defed024192ceea41a0a02c4 /src/network/ssl/qsslcontext_openssl.cpp
parent	a8dae3ad0bc6377c695326e48d3c0db9f73107db (diff)