Improve the testability of QSslOptions.

The handling of QSslOptions is complicated not only by the subject, but
also by the fact that some of the openssl directives are negatives. This
commit tries to separate the inherent complexity from the complexity of
the api by allowing us to test them independently.

Change-Id: Ieb9386c69dd9b0b49dc42e26b2878a301f26ded1
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>

2 files changed, 36 insertions, 29 deletions

diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 70893afcde..d8f291b9c7 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -232,6 +232,40 @@ static int q_X509Callback(int ok, X509_STORE_CTX *ctx)
     return 1;
 }
 
+long QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions)
+{
+    long options;
+    if (protocol == QSsl::TlsV1SslV3 || protocol == QSsl::SecureProtocols)
+        options = SSL_OP_ALL|SSL_OP_NO_SSLv2;
+    else
+        options = SSL_OP_ALL;
+
+    // This option is disabled by default, so we need to be able to clear it
+    if (sslOptions & QSsl::SslOptionDisableEmptyFragments)
+        options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    else
+        options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+    // This option is disabled by default, so we need to be able to clear it
+    if (sslOptions & QSsl::SslOptionDisableLegacyRenegotiation)
+        options &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+    else
+        options |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+#endif
+
+#ifdef SSL_OP_NO_TICKET
+    if (sslOptions & QSsl::SslOptionDisableSessionTickets)
+        options |= SSL_OP_NO_TICKET;
+#endif
+#ifdef SSL_OP_NO_COMPRESSION
+    if (sslOptions & QSsl::SslOptionDisableCompression)
+        options |= SSL_OP_NO_COMPRESSION;
+#endif
+
+    return options;
+}
+
 bool QSslSocketBackendPrivate::initSslContext()
 {
     Q_Q(QSslSocket);
@@ -275,35 +309,7 @@ init_context:
     }
 
     // Enable bug workarounds.
-    long options;
-    if (configuration.protocol == QSsl::TlsV1SslV3 || configuration.protocol == QSsl::SecureProtocols)
-        options = SSL_OP_ALL|SSL_OP_NO_SSLv2;
-    else
-        options = SSL_OP_ALL;
-
-    // This option is disabled by default, so we need to be able to clear it
-    if (configuration.sslOptions & QSsl::SslOptionDisableEmptyFragments)
-        options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
-    else
-        options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
-
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-    // This option is disabled by default, so we need to be able to clear it
-    if (configuration.sslOptions & QSsl::SslOptionDisableLegacyRenegotiation)
-        options &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
-    else
-        options |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
-#endif
-
-#ifdef SSL_OP_NO_TICKET
-    if (configuration.sslOptions & QSsl::SslOptionDisableSessionTickets)
-        options |= SSL_OP_NO_TICKET;
-#endif
-#ifdef SSL_OP_NO_COMPRESSION
-    if (configuration.sslOptions & QSsl::SslOptionDisableCompression)
-        options |= SSL_OP_NO_COMPRESSION;
-#endif
-
+    long options = setupOpenSslOptions(configuration.protocol, configuration.sslOptions);
     q_SSL_CTX_set_options(ctx, options);
 
     // Initialize ciphers
diff --git a/src/network/ssl/qsslsocket_openssl_p.h b/src/network/ssl/qsslsocket_openssl_p.h
index c4b9018db7..ef00b0998d 100644
--- a/src/network/ssl/qsslsocket_openssl_p.h
+++ b/src/network/ssl/qsslsocket_openssl_p.h
@@ -118,6 +118,7 @@ public:
     void disconnected();
     QSslCipher sessionCipher() const;
 
+    Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions);
     static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher);
     static QList<QSslCertificate> STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509);
     static bool isMatchingHostname(const QSslCertificate &cert, const QString &peerName);