diff options
author | Richard Moore <rich@kde.org> | 2011-06-18 09:22:11 +0100 |
---|---|---|
committer | Qt by Nokia <qt-info@nokia.com> | 2011-06-27 20:44:36 +0200 |
commit | 2cf935b43e41c6589159536652412dab443ff1f8 (patch) | |
tree | 95bcd7638f509c48d2b139920e3936a9d4e7e60c /src/network/ssl/qsslsocket_openssl.cpp | |
parent | cadbfc07b68513920bb877e2e0212988c43f1fa4 (diff) |
Certificates can have each issuer and subject field many times
THIS COMMIT BREAKS SOURCE COMPATIBILITY BETWEEN Qt 4 AND Qt 5
Qt4 assumed that there was only one entry of each type in the subject
and issuer of a certificate. This is incorrect (eg. you can have many
common names). In addition, some of the fields required by RFC3280
were not suppport. This change modifiers the API to return a list of
entries of each type and adds support for the missing fields. It also
updates the commonname matching code for SSL connections to handle
multiple entries.
Change-Id: I9457266a205def0a07c13de47094ff56ead42845
Merge-request: 5
Reviewed-on: http://codereview.qt.nokia.com/796
Reviewed-by: Qt Sanity Bot <qt_sanity_bot@ovi.com>
Reviewed-by: Sergio Ahumada <sergio.ahumada@nokia.com>
Diffstat (limited to 'src/network/ssl/qsslsocket_openssl.cpp')
-rw-r--r-- | src/network/ssl/qsslsocket_openssl.cpp | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index fb41b7c9e9..1221db98c9 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -1262,10 +1262,17 @@ bool QSslSocketBackendPrivate::startHandshake() // if we're the server, don't check CN if (mode == QSslSocket::SslClientMode) { QString peerName = (verificationPeerName.isEmpty () ? q->peerName() : verificationPeerName); - QString commonName = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName); + QStringList commonNameList = configuration.peerCertificate.subjectInfo(QSslCertificate::CommonName); + bool matched = false; - if (!isMatchingHostname(commonName.toLower(), peerName.toLower())) { - bool matched = false; + foreach (const QString &commonName, commonNameList) { + if (isMatchingHostname(commonName.toLower(), peerName.toLower())) { + matched = true; + break; + } + } + + if (!matched) { foreach (const QString &altName, configuration.peerCertificate .alternateSubjectNames().values(QSsl::DnsEntry)) { if (isMatchingHostname(altName.toLower(), peerName.toLower())) { @@ -1273,15 +1280,15 @@ bool QSslSocketBackendPrivate::startHandshake() break; } } + } - if (!matched) { - // No matches in common names or alternate names. - QSslError error(QSslError::HostNameMismatch, configuration.peerCertificate); - errors << error; - emit q->peerVerifyError(error); - if (q->state() != QAbstractSocket::ConnectedState) - return false; - } + if (!matched) { + // No matches in common names or alternate names. + QSslError error(QSslError::HostNameMismatch, configuration.peerCertificate); + errors << error; + emit q->peerVerifyError(error); + if (q->state() != QAbstractSocket::ConnectedState) + return false; } } } else { |