diff options
author | Peter Hartmann <phartmann@rim.com> | 2013-01-14 14:43:52 +0100 |
---|---|---|
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-01-23 19:36:07 +0100 |
commit | ce35c0db0d9dd849c736eabaeb57d597186aaa13 (patch) | |
tree | 3089c5bf64dbb89e1be2648138f9db52bafcde70 /src | |
parent | 786a6466e88faf25c55c626a17f5296bce564daa (diff) |
QSslConfiguration: toggle on demand loading of root certs properly
make sure we keep track of when we can load root certs and when we
cannot (we cannot when the developer set the certs explicitly). This is
implemented the same way for QSslSocket already, and needs to be
duplicated because we have 2 methods for setting CA certificates: one in
QSslSocket and one in QSslConfiguration.
In addition, adapt the auto test which checks whether setting a default
QSslConfiguration works: There is no way to set on demand loading
through the API, so it should be enabled by default.
Task-number: QTBUG-29103
Change-Id: I5146128aaa385dfcc0ad1e0ef81a92d9350ec5f2
Reviewed-by: Richard J. Moore <rich@kde.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/network/ssl/qsslconfiguration.cpp | 3 | ||||
-rw-r--r-- | src/network/ssl/qsslconfiguration_p.h | 2 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket.cpp | 15 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_p.h | 2 |
4 files changed, 21 insertions, 1 deletions
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp index 46aa1a1eb5..0ae67b3c1f 100644 --- a/src/network/ssl/qsslconfiguration.cpp +++ b/src/network/ssl/qsslconfiguration.cpp @@ -181,6 +181,7 @@ bool QSslConfiguration::operator==(const QSslConfiguration &other) const d->protocol == other.d->protocol && d->peerVerifyMode == other.d->peerVerifyMode && d->peerVerifyDepth == other.d->peerVerifyDepth && + d->allowRootCertOnDemandLoading == other.d->allowRootCertOnDemandLoading && d->sslOptions == other.d->sslOptions; } @@ -208,6 +209,7 @@ bool QSslConfiguration::isNull() const return (d->protocol == QSsl::SecureProtocols && d->peerVerifyMode == QSslSocket::AutoVerifyPeer && d->peerVerifyDepth == 0 && + d->allowRootCertOnDemandLoading == true && d->caCertificates.count() == 0 && d->ciphers.count() == 0 && d->localCertificate.isNull() && @@ -519,6 +521,7 @@ QList<QSslCertificate> QSslConfiguration::caCertificates() const void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certificates) { d->caCertificates = certificates; + d->allowRootCertOnDemandLoading = false; } /*! diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h index 841641d6aa..3e6e43361d 100644 --- a/src/network/ssl/qsslconfiguration_p.h +++ b/src/network/ssl/qsslconfiguration_p.h @@ -83,6 +83,7 @@ public: : protocol(QSsl::SecureProtocols), peerVerifyMode(QSslSocket::AutoVerifyPeer), peerVerifyDepth(0), + allowRootCertOnDemandLoading(true), sslOptions(QSslConfigurationPrivate::defaultSslOptions) { } @@ -98,6 +99,7 @@ public: QSsl::SslProtocol protocol; QSslSocket::PeerVerifyMode peerVerifyMode; int peerVerifyDepth; + bool allowRootCertOnDemandLoading; QSsl::SslOptions sslOptions; diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 87ea975bec..cfc3c19bba 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -903,7 +903,12 @@ void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration) d->configuration.peerVerifyMode = configuration.peerVerifyMode(); d->configuration.protocol = configuration.protocol(); d->configuration.sslOptions = configuration.d->sslOptions; - d->allowRootCertOnDemandLoading = false; + + // if the CA certificates were set explicitly (either via + // QSslConfiguration::setCaCertificates() or QSslSocket::setCaCertificates(), + // we cannot load the certificates on demand + if (!configuration.d->allowRootCertOnDemandLoading) + d->allowRootCertOnDemandLoading = false; } /*! @@ -2381,6 +2386,14 @@ QByteArray QSslSocketPrivate::peek(qint64 maxSize) /*! \internal */ +bool QSslSocketPrivate::rootCertOnDemandLoadingSupported() +{ + return s_loadRootCertsOnDemand; +} + +/*! + \internal +*/ QList<QByteArray> QSslSocketPrivate::unixRootCertDirectories() { return QList<QByteArray>() << "/etc/ssl/certs/" // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ... diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h index 3dc80ea22a..851dec5840 100644 --- a/src/network/ssl/qsslsocket_p.h +++ b/src/network/ssl/qsslsocket_p.h @@ -182,6 +182,8 @@ public: virtual QSslCipher sessionCipher() const = 0; virtual void continueHandshake() = 0; + Q_AUTOTEST_EXPORT static bool rootCertOnDemandLoadingSupported(); + private: static bool ensureLibraryLoaded(); static void ensureCiphersAndCertsLoaded(); |