authorLars Schmertmann <Lars.Schmertmann@governikus.de>2017-05-23 14:47:14 +0200
committerLars Schmertmann <lars.schmertmann@governikus.de>2018-01-26 11:34:02 +0000
commitf55c73ede28d4455f555a28e401407326ac9b954 (patch)
treec6c0836be78ba465051225cd38e7ec602aeeec8b /tests/auto/network/ssl/qsslsocket
parentdcfb6f9d18beb397517ecc31ad462f1f4ebb8859 (diff)
Introduce QSslConfiguration::backendConfig
With this change it is possible to use all supported configurations in different backends without any new interfaces. Change-Id: Ib233539a970681d30ae3907258730e491f8d3531 Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'tests/auto/network/ssl/qsslsocket')
-rw-r--r--tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp130
1 files changed, 130 insertions, 0 deletions
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index 01a7465564..f77afd2364 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -238,6 +238,8 @@ private slots:
void allowedProtocolNegotiation();
void pskServer();
void forwardReadChannelFinished();
+ void signatureAlgorithm_data();
+ void signatureAlgorithm();
#endif
void setEmptyDefaultConfiguration(); // this test should be last
@@ -3908,6 +3910,134 @@ void tst_QSslSocket::pskServer()
QCOMPARE(disconnectedSpy.count(), 1);
}
+void tst_QSslSocket::signatureAlgorithm_data()
+{
+ if (!QSslSocket::supportsSsl())
+ QSKIP("Signature algorithms cannot be tested without SSL support");
+
+ if (QSslSocket::sslLibraryVersionNumber() < 0x10002000L)
+ QSKIP("Signature algorithms cannot be tested with OpenSSL < 1.0.2");
+
+ QTest::addColumn<QByteArrayList>("serverSigAlgPairs");
+ QTest::addColumn<QSsl::SslProtocol>("serverProtocol");
+ QTest::addColumn<QByteArrayList>("clientSigAlgPairs");
+ QTest::addColumn<QSsl::SslProtocol>("clientProtocol");
+ QTest::addColumn<QAbstractSocket::SocketState>("state");
+
+ const QByteArray dsaSha1("DSA+SHA1");
+ const QByteArray ecdsaSha1("ECDSA+SHA1");
+ const QByteArray ecdsaSha512("ECDSA+SHA512");
+ const QByteArray rsaSha256("RSA+SHA256");
+ const QByteArray rsaSha384("RSA+SHA384");
+ const QByteArray rsaSha512("RSA+SHA512");
+
+ QTest::newRow("match_TlsV1_2")
+ << QByteArrayList({rsaSha256})
+ << QSsl::TlsV1_2
+ << QByteArrayList({rsaSha256})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::ConnectedState;
+ QTest::newRow("no_hashalg_match_TlsV1_2")
+ << QByteArrayList({rsaSha256})
+ << QSsl::TlsV1_2
+ << QByteArrayList({rsaSha512})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::UnconnectedState;
+ QTest::newRow("no_sigalg_match_TlsV1_2")
+ << QByteArrayList({ecdsaSha512})
+ << QSsl::TlsV1_2
+ << QByteArrayList({rsaSha512})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::UnconnectedState;
+ QTest::newRow("no_cipher_match_AnyProtocol")
+ << QByteArrayList({rsaSha512})
+ << QSsl::AnyProtocol
+ << QByteArrayList({ecdsaSha512})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::UnconnectedState;
+ QTest::newRow("match_multiple-choice")
+ << QByteArrayList({dsaSha1, rsaSha256, rsaSha384, rsaSha512})
+ << QSsl::AnyProtocol
+ << QByteArrayList({ecdsaSha1, rsaSha384, rsaSha512, ecdsaSha512})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::ConnectedState;
+ QTest::newRow("match_client_longer")
+ << QByteArrayList({dsaSha1, rsaSha256})
+ << QSsl::AnyProtocol
+ << QByteArrayList({ecdsaSha1, ecdsaSha512, rsaSha256})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::ConnectedState;
+ QTest::newRow("match_server_longer")
+ << QByteArrayList({ecdsaSha1, ecdsaSha512, rsaSha256})
+ << QSsl::AnyProtocol
+ << QByteArrayList({dsaSha1, rsaSha256})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::ConnectedState;
+
+ // signature algorithms do not match, but are ignored because the tls version is not v1.2
+ QTest::newRow("client_ignore_TlsV1_1")
+ << QByteArrayList({rsaSha256})
+ << QSsl::TlsV1_1
+ << QByteArrayList({rsaSha512})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::ConnectedState;
+ QTest::newRow("server_ignore_TlsV1_1")
+ << QByteArrayList({rsaSha256})
+ << QSsl::AnyProtocol
+ << QByteArrayList({rsaSha512})
+ << QSsl::TlsV1_1
+ << QAbstractSocket::ConnectedState;
+ QTest::newRow("client_ignore_TlsV1_0")
+ << QByteArrayList({rsaSha256})
+ << QSsl::TlsV1_0
+ << QByteArrayList({rsaSha512})
+ << QSsl::AnyProtocol
+ << QAbstractSocket::ConnectedState;
+ QTest::newRow("server_ignore_TlsV1_0")
+ << QByteArrayList({rsaSha256})
+ << QSsl::AnyProtocol
+ << QByteArrayList({rsaSha512})
+ << QSsl::TlsV1_0
+ << QAbstractSocket::ConnectedState;
+}
+
+void tst_QSslSocket::signatureAlgorithm()
+{
+ QFETCH_GLOBAL(bool, setProxy);
+ if (setProxy)
+ QSKIP("Test not adapted for use with proxying");
+
+ QFETCH(QByteArrayList, serverSigAlgPairs);
+ QFETCH(QSsl::SslProtocol, serverProtocol);
+ QFETCH(QByteArrayList, clientSigAlgPairs);
+ QFETCH(QSsl::SslProtocol, clientProtocol);
+ QFETCH(QAbstractSocket::SocketState, state);
+
+ SslServer server;
+ server.protocol = serverProtocol;
+ server.config.setCiphers({QSslCipher("ECDHE-RSA-AES256-SHA")});
+ server.config.setBackendConfigOption(QByteArrayLiteral("SignatureAlgorithms"), serverSigAlgPairs.join(':'));
+ QVERIFY(server.listen());
+
+ QSslConfiguration clientConfig = QSslConfiguration::defaultConfiguration();
+ clientConfig.setProtocol(clientProtocol);
+ clientConfig.setBackendConfigOption(QByteArrayLiteral("SignatureAlgorithms"), clientSigAlgPairs.join(':'));
+ QSslSocket client;
+ client.setSslConfiguration(clientConfig);
+ socket = &client;
+
+ QEventLoop loop;
+ QTimer::singleShot(5000, &loop, &QEventLoop::quit);
+ connect(socket, QOverload<QAbstractSocket::SocketError>::of(&QAbstractSocket::error), &loop, &QEventLoop::quit);
+ connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &tst_QSslSocket::ignoreErrorSlot);
+ connect(socket, &QSslSocket::encrypted, &loop, &QEventLoop::quit);
+
+ client.connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort());
+ loop.exec();
+ socket = nullptr;
+ QCOMPARE(client.state(), state);
+}
+
void tst_QSslSocket::forwardReadChannelFinished()
{
if (!QSslSocket::supportsSsl())
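Review bot: The closing `QCOMPARE(client.state(), state);` in signatureAlgorithm() cannot tell a completed TLS handshake from one still pending when the 5000 ms timer quits the loop. A QSslSocket presumably already reports ConnectedState once the TCP connection is up, so every row expecting ConnectedState could pass without any signature-algorithm negotiation having succeeded. Adding `QCOMPARE(client.isEncrypted(), state == QAbstractSocket::ConnectedState);` after the existing compare would pin the handshake outcome itself. For the four `*_ignore_TlsV1_x` rows it would also help to assert `client.sessionProtocol()`, so the test shows the mismatching lists were ignored because the older protocol was actually negotiated. Separately, the row `no_cipher_match_AnyProtocol` varies only the signature algorithms, so a name such as `no_sigalg_match_AnyProtocol` would describe it better.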