diff options
Diffstat (limited to 'src/network/ssl/qsslconfiguration.cpp')
-rw-r--r-- | src/network/ssl/qsslconfiguration.cpp | 102 |
1 files changed, 91 insertions, 11 deletions
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp index a2e694ec92..b6199a2b16 100644 --- a/src/network/ssl/qsslconfiguration.cpp +++ b/src/network/ssl/qsslconfiguration.cpp @@ -54,7 +54,6 @@ const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOp |QSsl::SslOptionDisableSessionPersistence; const char QSslConfiguration::ALPNProtocolHTTP2[] = "h2"; -const char QSslConfiguration::NextProtocolSpdy3_0[] = "spdy/3"; const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1"; /*! @@ -134,12 +133,6 @@ const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1"; */ /*! - \variable QSslConfiguration::NextProtocolSpdy3_0 - \brief The value used for negotiating SPDY 3.0 during the Next - Protocol Negotiation. -*/ - -/*! \variable QSslConfiguration::NextProtocolHttp1_1 \brief The value used for negotiating HTTP 1.1 during the Next Protocol Negotiation. @@ -229,7 +222,9 @@ bool QSslConfiguration::operator==(const QSslConfiguration &other) const d->nextNegotiatedProtocol == other.d->nextNegotiatedProtocol && d->nextProtocolNegotiationStatus == other.d->nextProtocolNegotiationStatus && d->dtlsCookieEnabled == other.d->dtlsCookieEnabled && - d->ocspStaplingEnabled == other.d->ocspStaplingEnabled; + d->ocspStaplingEnabled == other.d->ocspStaplingEnabled && + d->reportFromCallback == other.d->reportFromCallback && + d->missingCertIsFatal == other.d->missingCertIsFatal; } /*! @@ -274,7 +269,9 @@ bool QSslConfiguration::isNull() const d->nextAllowedProtocols.isEmpty() && d->nextNegotiatedProtocol.isNull() && d->nextProtocolNegotiationStatus == QSslConfiguration::NextProtocolNegotiationNone && - d->ocspStaplingEnabled == false); + d->ocspStaplingEnabled == false && + d->reportFromCallback == false && + d->missingCertIsFatal == false); } /*! @@ -1033,7 +1030,7 @@ QByteArray QSslConfiguration::nextNegotiatedProtocol() const Whether or not the negotiation succeeded can be queried through nextProtocolNegotiationStatus(). - \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolSpdy3_0, QSslConfiguration::NextProtocolHttp1_1 + \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), allowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1 */ #if QT_VERSION >= QT_VERSION_CHECK(6,0,0) void QSslConfiguration::setAllowedNextProtocols(const QList<QByteArray> &protocols) @@ -1051,7 +1048,7 @@ void QSslConfiguration::setAllowedNextProtocols(QList<QByteArray> protocols) server through the Next Protocol Negotiation (NPN) or Application-Layer Protocol Negotiation (ALPN) TLS extension, as set by setAllowedNextProtocols(). - \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolSpdy3_0, QSslConfiguration::NextProtocolHttp1_1 + \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolHttp1_1 */ QList<QByteArray> QSslConfiguration::allowedNextProtocols() const { @@ -1197,6 +1194,89 @@ bool QSslConfiguration::ocspStaplingEnabled() const return d->ocspStaplingEnabled; } +/*! + \since 6.0 + + Returns true if a verification callback will emit QSslSocket::handshakeInterruptedOnError() + early, before concluding the handshake. + + \note This function always returns false for all backends but OpenSSL. + + \sa setHandshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake() +*/ +bool QSslConfiguration::handshakeMustInterruptOnError() const +{ + return d->reportFromCallback; +} + +/*! + \since 6.0 + + If \a interrupt is true and the underlying backend supports this option, + errors found during certificate verification are reported immediately + by emitting QSslSocket::handshakeInterruptedOnError(). This allows + to stop the unfinished handshake and send a proper alert message to + a peer. No special action is required from the application in this case. + QSslSocket will close the connection after sending the alert message. + If the application after inspecting the error wants to continue the + handshake, it must call QSslSocket::continueInterruptedHandshake() + from its slot function. The signal-slot connection must be direct. + + \note When interrupting handshake is enabled, errors that would otherwise + be reported by QSslSocket::peerVerifyError() are instead only reported by + QSslSocket::handshakeInterruptedOnError(). + \note Even if the handshake was continued, these errors will be + reported when emitting QSslSocket::sslErrors() signal (and thus must + be ignored in the corresponding function slot). + + \sa handshakeMustInterruptOnError(), QSslSocket::handshakeInterruptedOnError(), QSslSocket::continueInterruptedHandshake() +*/ +void QSslConfiguration::setHandshakeMustInterruptOnError(bool interrupt) +{ +#if QT_CONFIG(openssl) + d->reportFromCallback = interrupt; +#else + qCWarning(lcSsl, "This operation requires OpenSSL as TLS backend"); +#endif +} + +/*! + \since 6.0 + + Returns true if errors with code QSslError::NoPeerCertificate + cannot be ignored. + + \note Always returns false for all TLS backends but OpenSSL. + + \sa QSslSocket::ignoreSslErrors(), setMissingCertificateIsFatal() +*/ +bool QSslConfiguration::missingCertificateIsFatal() const +{ + return d->missingCertIsFatal; +} + +/*! + \since 6.0 + + If \a cannotRecover is true, and verification mode in use is + QSslSocket::VerifyPeer or QSslSocket::AutoVerifyPeer (for a + client-side socket), the missing peer's certificate would be + treated as an unrecoverable error that cannot be ignored. A proper + alert message will be sent to the peer before closing the connection. + + \note Only available if Qt was configured and built with OpenSSL backend. + + \sa QSslSocket::ignoreSslErrors(), QSslSocket::PeerVerifyMode, missingCertificateIsFatal() +*/ +void QSslConfiguration::setMissingCertificateIsFatal(bool cannotRecover) +{ +#if QT_CONFIG(openssl) + d->missingCertIsFatal = cannotRecover; +#else + qCWarning(lcSsl, "Handling a missing certificate as a fatal error requires an OpenSSL backend"); +#endif // openssl +} + /*! \internal */ bool QSslConfigurationPrivate::peerSessionWasShared(const QSslConfiguration &configuration) { |