diff options
Diffstat (limited to 'tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp')
-rw-r--r-- | tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp | 340 |
1 files changed, 196 insertions, 144 deletions
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp index 8af83b3972..b45d6b5d8f 100644 --- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp +++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp @@ -1,6 +1,6 @@ // Copyright (C) 2021 The Qt Company Ltd. // Copyright (C) 2014 Governikus GmbH & Co. KG. -// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0 +// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only #include <QtNetwork/private/qtnetworkglobal_p.h> @@ -19,6 +19,8 @@ #include <QtNetwork/qtcpserver.h> #include <QtNetwork/qsslpresharedkeyauthenticator.h> +#include <QtTest/private/qemulationdetector_p.h> + #include <QTest> #include <QNetworkProxy> #include <QAuthenticator> @@ -41,6 +43,8 @@ #include "private/qsslsocket_p.h" #include "private/qsslconfiguration_p.h" +using namespace std::chrono_literals; + QT_WARNING_PUSH QT_WARNING_DISABLE_DEPRECATED // make these enum values available without causing deprecation warnings: @@ -162,9 +166,7 @@ private slots: void protocol(); void protocolServerSide_data(); void protocolServerSide(); -#if QT_CONFIG(openssl) void serverCipherPreferences(); -#endif void setCaCertificates(); void setLocalCertificate(); void localCertificateChain(); @@ -289,6 +291,7 @@ private: QSslSocket *socket; QList<QSslError> storedExpectedSslErrors; bool isTestingOpenSsl = false; + bool isSecurityLevel0Required = false; bool opensslResolved = false; bool isTestingSecureTransport = false; bool isTestingSchannel = false; @@ -408,6 +411,9 @@ void tst_QSslSocket::initTestCase() flukeCertificateError = QSslError::SelfSignedCertificate; #if QT_CONFIG(openssl) opensslResolved = qt_auto_test_resolve_OpenSSL_symbols(); + // This is where OpenSSL moved several protocols under + // non-default (0) security level (the default is 1). + isSecurityLevel0Required = OPENSSL_VERSION_NUMBER >= 0x30100010; #else opensslResolved = false; // Not 'unused variable' anymore. #endif @@ -806,6 +812,10 @@ void tst_QSslSocket::simpleConnect() if (!QSslSocket::supportsSsl()) return; + // Starting from OpenSSL v 3.1.1 deprecated protocol versions (we want to use when connecting) are not available by default. + if (isSecurityLevel0Required) + QSKIP("Testing with OpenSSL backend, but security level 0 is required for TLS v1.1 or earlier"); + QFETCH_GLOBAL(bool, setProxy); if (setProxy) return; @@ -834,30 +844,30 @@ void tst_QSslSocket::simpleConnect() // Entered connecting state QCOMPARE(socket.state(), QAbstractSocket::ConnectingState); - QCOMPARE(connectedSpy.count(), 0); - QCOMPARE(hostFoundSpy.count(), 1); - QCOMPARE(disconnectedSpy.count(), 0); + QCOMPARE(connectedSpy.size(), 0); + QCOMPARE(hostFoundSpy.size(), 1); + QCOMPARE(disconnectedSpy.size(), 0); enterLoop(10); // Entered connected state QCOMPARE(socket.state(), QAbstractSocket::ConnectedState); QCOMPARE(socket.mode(), QSslSocket::UnencryptedMode); QVERIFY(!socket.isEncrypted()); - QCOMPARE(connectedSpy.count(), 1); - QCOMPARE(hostFoundSpy.count(), 1); - QCOMPARE(disconnectedSpy.count(), 0); + QCOMPARE(connectedSpy.size(), 1); + QCOMPARE(hostFoundSpy.size(), 1); + QCOMPARE(disconnectedSpy.size(), 0); // Enter encrypted mode socket.startClientEncryption(); QCOMPARE(socket.mode(), QSslSocket::SslClientMode); QVERIFY(!socket.isEncrypted()); - QCOMPARE(connectionEncryptedSpy.count(), 0); - QCOMPARE(sslErrorsSpy.count(), 0); + QCOMPARE(connectionEncryptedSpy.size(), 0); + QCOMPARE(sslErrorsSpy.size(), 0); // Starting handshake enterLoop(10); - QCOMPARE(sslErrorsSpy.count(), 1); - QCOMPARE(connectionEncryptedSpy.count(), 0); + QCOMPARE(sslErrorsSpy.size(), 1); + QCOMPARE(connectionEncryptedSpy.size(), 0); QVERIFY(!socket.isEncrypted()); QCOMPARE(socket.state(), QAbstractSocket::UnconnectedState); } @@ -867,6 +877,10 @@ void tst_QSslSocket::simpleConnectWithIgnore() if (!QSslSocket::supportsSsl()) return; + // Starting from OpenSSL v 3.1.1 deprecated protocol versions (we want to use when connecting) are not available by default. + if (isSecurityLevel0Required) + QSKIP("Testing with OpenSSL backend, but security level 0 is required for TLS v1.1 or earlier"); + QFETCH_GLOBAL(bool, setProxy); if (setProxy) return; @@ -895,10 +909,10 @@ void tst_QSslSocket::simpleConnectWithIgnore() enterLoop(10); // Done; encryption should be enabled. - QCOMPARE(sslErrorsSpy.count(), 1); + QCOMPARE(sslErrorsSpy.size(), 1); QVERIFY(socket.isEncrypted()); QCOMPARE(socket.state(), QAbstractSocket::ConnectedState); - QCOMPARE(encryptedSpy.count(), 1); + QCOMPARE(encryptedSpy.size(), 1); // Wait for incoming data if (!socket.canReadLine()) @@ -911,6 +925,10 @@ void tst_QSslSocket::simpleConnectWithIgnore() void tst_QSslSocket::sslErrors_data() { + // Starting from OpenSSL v 3.1.1 deprecated protocol versions (we want to use in 'sslErrors' test) are not available by default. + if (isSecurityLevel0Required) + QSKIP("Testing with OpenSSL backend, but security level 0 is required for TLS v1.1 or earlier"); + QTest::addColumn<QString>("host"); QTest::addColumn<int>("port"); @@ -968,7 +986,7 @@ void tst_QSslSocket::sslErrors() // check the same errors were emitted by sslErrors QVERIFY(!sslErrorsSpy.isEmpty()); SslErrorList emittedErrors; - const auto sslErrorsSpyErrors = qvariant_cast<QList<QSslError> >(qAsConst(sslErrorsSpy).first().first()); + const auto sslErrorsSpyErrors = qvariant_cast<QList<QSslError> >(std::as_const(sslErrorsSpy).first().first()); for (const QSslError &err : sslErrorsSpyErrors) emittedErrors << err.error(); std::sort(emittedErrors.begin(), emittedErrors.end()); @@ -1017,7 +1035,7 @@ void tst_QSslSocket::ciphers() QString ciphersAsString; const auto &supported = sslConfig.supportedCiphers(); for (const auto &cipher : supported) { - if (cipher.isNull() || !cipher.name().length()) + if (cipher.isNull() || !cipher.name().size()) continue; if (ciphers.size() > 0) ciphersAsString += QStringLiteral(":"); @@ -1096,8 +1114,6 @@ void tst_QSslSocket::connectToHostEncrypted() return; QSslSocketPtr socket = newSocket(); - if (isTestingSchannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(Test::TlsV1_1); this->socket = socket.data(); auto config = socket->sslConfiguration(); @@ -1135,8 +1151,6 @@ void tst_QSslSocket::connectToHostEncryptedWithVerificationPeerName() return; QSslSocketPtr socket = newSocket(); - if (isTestingSchannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(Test::TlsV1_1); this->socket = socket.data(); @@ -1235,7 +1249,7 @@ void tst_QSslSocket::peerCertificateChain() QSslSocketPtr socket = newSocket(); this->socket = socket.data(); QList<QSslCertificate> caCertificates = QSslCertificate::fromPath(httpServerCertChainPath()); - QCOMPARE(caCertificates.count(), 1); + QCOMPARE(caCertificates.size(), 1); auto config = socket->sslConfiguration(); config.addCaCertificates(caCertificates); socket->setSslConfiguration(config); @@ -1252,7 +1266,7 @@ void tst_QSslSocket::peerCertificateChain() QSKIP("Skipping flaky test - See QTBUG-29941"); QList<QSslCertificate> certChain = socket->peerCertificateChain(); - QVERIFY(certChain.count() > 0); + QVERIFY(certChain.size() > 0); QCOMPARE(certChain.first(), socket->peerCertificate()); socket->disconnectFromHost(); @@ -1296,6 +1310,7 @@ void tst_QSslSocket::privateKey() #if QT_CONFIG(openssl) void tst_QSslSocket::privateKeyOpaque() { +#ifndef OPENSSL_NO_DEPRECATED_3_0 if (!isTestingOpenSsl) QSKIP("The active TLS backend does not support private opaque keys"); @@ -1329,6 +1344,7 @@ void tst_QSslSocket::privateKeyOpaque() QFETCH_GLOBAL(bool, setProxy); if (setProxy && !socket->waitForEncrypted(10000)) QSKIP("Skipping flaky test - See QTBUG-29941"); +#endif // OPENSSL_NO_DEPRECATED_3_0 } #endif // Feature 'openssl'. @@ -1561,24 +1577,18 @@ void tst_QSslSocket::protocolServerSide_data() QTest::addColumn<QSsl::SslProtocol>("clientProtocol"); QTest::addColumn<bool>("works"); - QTest::newRow("tls1.0-tls1.0") << Test::TlsV1_0 << Test::TlsV1_0 << true; QTest::newRow("any-any") << QSsl::AnyProtocol << QSsl::AnyProtocol << true; QTest::newRow("secure-secure") << QSsl::SecureProtocols << QSsl::SecureProtocols << true; QTest::newRow("tls1.0-secure") << Test::TlsV1_0 << QSsl::SecureProtocols << false; - QTest::newRow("tls1.0-any") << Test::TlsV1_0 << QSsl::AnyProtocol << true; - QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << Test::TlsV1_0 << false; QTest::newRow("secure-any") << QSsl::SecureProtocols << QSsl::AnyProtocol << true; - QTest::newRow("tls1.0orlater-tls1.0") << Test::TlsV1_0OrLater << Test::TlsV1_0 << true; - QTest::newRow("tls1.0orlater-tls1.1") << Test::TlsV1_0OrLater << Test::TlsV1_1 << true; QTest::newRow("tls1.0orlater-tls1.2") << Test::TlsV1_0OrLater << QSsl::TlsV1_2 << true; if (supportsTls13()) QTest::newRow("tls1.0orlater-tls1.3") << Test::TlsV1_0OrLater << QSsl::TlsV1_3 << true; QTest::newRow("tls1.1orlater-tls1.0") << Test::TlsV1_1OrLater << Test::TlsV1_0 << false; - QTest::newRow("tls1.1orlater-tls1.1") << Test::TlsV1_1OrLater << Test::TlsV1_1 << true; QTest::newRow("tls1.1orlater-tls1.2") << Test::TlsV1_1OrLater << QSsl::TlsV1_2 << true; if (supportsTls13()) @@ -1595,7 +1605,6 @@ void tst_QSslSocket::protocolServerSide_data() QTest::newRow("tls1.3orlater-tls1.3") << QSsl::TlsV1_3OrLater << QSsl::TlsV1_3 << true; } - QTest::newRow("any-tls1.0") << QSsl::AnyProtocol << Test::TlsV1_0 << true; QTest::newRow("any-secure") << QSsl::AnyProtocol << QSsl::SecureProtocols << true; } @@ -1652,8 +1661,6 @@ void tst_QSslSocket::protocolServerSide() QCOMPARE(client.isEncrypted(), works); } -#if QT_CONFIG(openssl) - void tst_QSslSocket::serverCipherPreferences() { if (!isTestingOpenSsl) @@ -1663,11 +1670,28 @@ void tst_QSslSocket::serverCipherPreferences() if (setProxy) return; - // First using the default (server preference) + QSslCipher testedCiphers[2]; { + // First using the default (server preference) + const auto supportedCiphers = QSslConfiguration::supportedCiphers(); + int nSet = 0; + for (const auto &cipher : supportedCiphers) { + // Ciphersuites from TLS 1.2 and 1.3 are set separately, + // let's select 1.3 or above explicitly. + if (cipher.protocol() < QSsl::TlsV1_3) + continue; + + testedCiphers[nSet++] = cipher; + if (nSet == 2) + break; + } + + if (nSet != 2) + QSKIP("Failed to find two proper ciphersuites to test, bailing out."); + SslServer server; - server.protocol = Test::TlsV1_0; - server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")}; + server.protocol = QSsl::TlsV1_2OrLater; + server.ciphers = {testedCiphers[0], testedCiphers[1]}; QVERIFY(server.listen()); QEventLoop loop; @@ -1677,8 +1701,8 @@ void tst_QSslSocket::serverCipherPreferences() socket = &client; auto sslConfig = socket->sslConfiguration(); - sslConfig.setProtocol(Test::TlsV1_0OrLater); - sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")}); + sslConfig.setProtocol(QSsl::TlsV1_2OrLater); + sslConfig.setCiphers({testedCiphers[1], testedCiphers[0]}); socket->setSslConfiguration(sslConfig); // upon SSL wrong version error, errorOccurred will be triggered, not sslErrors @@ -1691,17 +1715,19 @@ void tst_QSslSocket::serverCipherPreferences() loop.exec(); QVERIFY(client.isEncrypted()); - QCOMPARE(client.sessionCipher().name(), QString("AES128-SHA")); + QCOMPARE(client.sessionCipher().name(), testedCiphers[0].name()); } { + if (QTestPrivate::isRunningArmOnX86()) + QSKIP("This test is known to crash on QEMU emulation for no good reason."); // Now using the client preferences SslServer server; QSslConfiguration config = QSslConfiguration::defaultConfiguration(); config.setSslOption(QSsl::SslOptionDisableServerCipherPreference, true); server.config = config; - server.protocol = Test::TlsV1_0OrLater; - server.ciphers = {QSslCipher("AES128-SHA"), QSslCipher("AES256-SHA")}; + server.protocol = QSsl::TlsV1_2OrLater; + server.ciphers = {testedCiphers[0], testedCiphers[1]}; QVERIFY(server.listen()); QEventLoop loop; @@ -1711,8 +1737,8 @@ void tst_QSslSocket::serverCipherPreferences() socket = &client; auto sslConfig = socket->sslConfiguration(); - sslConfig.setProtocol(Test::TlsV1_0); - sslConfig.setCiphers({QSslCipher("AES256-SHA"), QSslCipher("AES128-SHA")}); + sslConfig.setProtocol(QSsl::TlsV1_2OrLater); + sslConfig.setCiphers({testedCiphers[1], testedCiphers[0]}); socket->setSslConfiguration(sslConfig); // upon SSL wrong version error, errorOccurred will be triggered, not sslErrors @@ -1725,12 +1751,10 @@ void tst_QSslSocket::serverCipherPreferences() loop.exec(); QVERIFY(client.isEncrypted()); - QCOMPARE(client.sessionCipher().name(), QString("AES256-SHA")); + QCOMPARE(client.sessionCipher().name(), testedCiphers[1].name()); } } -#endif // Feature 'openssl'. - void tst_QSslSocket::setCaCertificates() { @@ -1807,8 +1831,10 @@ void tst_QSslSocket::setLocalCertificateChain() } QCOMPARE(chain.size(), 2); - QCOMPARE(chain[0].serialNumber(), QByteArray("10:a0:ad:77:58:f6:6e:ae:46:93:a3:43:f9:59:8a:9e")); - QCOMPARE(chain[1].serialNumber(), QByteArray("3b:eb:99:c5:ea:d8:0b:5d:0b:97:5d:4f:06:75:4b:e1")); + QCOMPARE(chain[0].serialNumber(), + QByteArray("58:df:33:c1:9b:bc:c5:51:7a:00:86:64:43:94:41:e2:26:ef:3f:89")); + QCOMPARE(chain[1].serialNumber(), + QByteArray("11:72:34:bc:21:e6:ca:04:24:13:f8:35:48:84:a6:e9:de:96:22:15")); } void tst_QSslSocket::tlsConfiguration() @@ -1900,8 +1926,6 @@ void tst_QSslSocket::setSslConfiguration() QSslSocketPtr socket = newSocket(); QFETCH(QSslConfiguration, configuration); socket->setSslConfiguration(configuration); - if (isTestingSchannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(Test::TlsV1_1); this->socket = socket.data(); socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); @@ -1955,6 +1979,10 @@ void tst_QSslSocket::waitForConnectedEncryptedReadyRead() if (!QSslSocket::supportsSsl()) return; + // Starting from OpenSSL v 3.1.1 deprecated protocol versions (we want to use here) are not available by default. + if (isSecurityLevel0Required) + QSKIP("Testing with OpenSSL backend, but security level 0 is required for TLS v1.1 or earlier"); + QSslSocketPtr socket = newSocket(); this->socket = socket.data(); @@ -2629,8 +2657,6 @@ void tst_QSslSocket::verifyMode() return; QSslSocket socket; - if (isTestingSchannel) // old certificate not supported with TLS 1.2 - socket.setProtocol(Test::TlsV1_1); QCOMPARE(socket.peerVerifyMode(), QSslSocket::AutoVerifyPeer); socket.setPeerVerifyMode(QSslSocket::VerifyNone); @@ -2810,10 +2836,10 @@ void tst_QSslSocket::closeWhileEmittingSocketError() // Make sure we have some data buffered so that close will try to flush: clientSocket.write(QByteArray(1000000, Qt::Uninitialized)); - QTestEventLoop::instance().enterLoopMSecs(1000); + QTestEventLoop::instance().enterLoop(1s); QVERIFY(!QTestEventLoop::instance().timeout()); - QCOMPARE(socketErrorSpy.count(), 1); + QCOMPARE(socketErrorSpy.size(), 1); } #endif // Feature 'openssl'. @@ -2910,7 +2936,7 @@ void tst_QSslSocket::ignoreSslErrorsList() bool expectEncryptionSuccess = (expectedSslErrorSignalCount == 0); if (socket.waitForEncrypted(10000) != expectEncryptionSuccess) QSKIP("Skipping flaky test - See QTBUG-29941"); - QCOMPARE(sslErrorsSpy.count(), expectedSslErrorSignalCount); + QCOMPARE(sslErrorsSpy.size(), expectedSslErrorSignalCount); } void tst_QSslSocket::ignoreSslErrorsListWithSlot_data() @@ -2971,8 +2997,6 @@ void tst_QSslSocket::abortOnSslErrors() void tst_QSslSocket::readFromClosedSocket() { QSslSocketPtr socket = newSocket(); - if (isTestingSchannel) // old certificate not supported with TLS 1.2 - socket->setProtocol(Test::TlsV1_1); socket->ignoreSslErrors(); socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); @@ -3070,9 +3094,16 @@ void tst_QSslSocket::blacklistedCertificates() connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop())); enterLoop(1); QList<QSslError> sslErrors = receiver->sslHandshakeErrors(); - QVERIFY(sslErrors.count() > 0); + QVERIFY(sslErrors.size() > 0); // there are more errors (self signed cert and hostname mismatch), but we only care about the blacklist error - QCOMPARE(sslErrors.at(0).error(), QSslError::CertificateBlacklisted); + std::optional<QSslError> blacklistedError; + for (const QSslError &error : sslErrors) { + if (error.error() == QSslError::CertificateBlacklisted) { + blacklistedError = error; + break; + } + } + QVERIFY2(blacklistedError, "CertificateBlacklisted error not found!"); } void tst_QSslSocket::versionAccessors() @@ -3098,6 +3129,10 @@ void tst_QSslSocket::encryptWithoutConnecting() void tst_QSslSocket::resume_data() { + // Starting from OpenSSL v 3.1.1 deprecated protocol versions (we want to use in 'resume' test) are not available by default. + if (isSecurityLevel0Required) + QSKIP("Testing with OpenSSL backend, but security level 0 is required for TLS v1.1 or earlier"); + QTest::addColumn<bool>("ignoreErrorsAfterPause"); QTest::addColumn<QList<QSslError> >("errorsToIgnore"); QTest::addColumn<bool>("expectSuccess"); @@ -3154,9 +3189,9 @@ void tst_QSslSocket::resume() QFETCH_GLOBAL(bool, setProxy); if (setProxy && QTestEventLoop::instance().timeout()) QSKIP("Skipping flaky test - See QTBUG-29941"); - QCOMPARE(sslErrorSpy.count(), 1); - QCOMPARE(errorSpy.count(), 0); - QCOMPARE(encryptedSpy.count(), 0); + QCOMPARE(sslErrorSpy.size(), 1); + QCOMPARE(errorSpy.size(), 0); + QCOMPARE(encryptedSpy.size(), 0); QVERIFY(!socket.isEncrypted()); if (ignoreErrorsAfterPause) { if (errorsToIgnore.empty()) @@ -3168,15 +3203,15 @@ void tst_QSslSocket::resume() QTestEventLoop::instance().enterLoop(10); QVERIFY(!QTestEventLoop::instance().timeout()); // quit by encrypted() or error() signal if (expectSuccess) { - QCOMPARE(encryptedSpy.count(), 1); + QCOMPARE(encryptedSpy.size(), 1); QVERIFY(socket.isEncrypted()); - QCOMPARE(errorSpy.count(), 0); + QCOMPARE(errorSpy.size(), 0); socket.disconnectFromHost(); QVERIFY(socket.waitForDisconnected(10000)); } else { - QCOMPARE(encryptedSpy.count(), 0); + QCOMPARE(encryptedSpy.size(), 0); QVERIFY(!socket.isEncrypted()); - QCOMPARE(errorSpy.count(), 1); + QCOMPARE(errorSpy.size(), 1); QCOMPARE(socket.error(), QAbstractSocket::SslHandshakeFailedError); } } @@ -3363,17 +3398,17 @@ void tst_QSslSocket::qtbug18498_peek2() bigblock.fill('#', QIODEVICE_BUFFERSIZE + 1024); QVERIFY(client->write(QByteArray("head"))); QVERIFY(client->write(bigblock)); - QTRY_COMPARE(server->bytesAvailable(), bigblock.length() + 4); + QTRY_COMPARE(server->bytesAvailable(), bigblock.size() + 4); QCOMPARE(server->read(4), QByteArray("head")); - QCOMPARE(server->peek(bigblock.length()), bigblock); - b.reserve(bigblock.length()); - b.resize(server->peek(b.data(), bigblock.length())); + QCOMPARE(server->peek(bigblock.size()), bigblock); + b.reserve(bigblock.size()); + b.resize(server->peek(b.data(), bigblock.size())); QCOMPARE(b, bigblock); //check oversized peek - QCOMPARE(server->peek(bigblock.length() * 3), bigblock); - b.reserve(bigblock.length() * 3); - b.resize(server->peek(b.data(), bigblock.length() * 3)); + QCOMPARE(server->peek(bigblock.size() * 3), bigblock); + b.reserve(bigblock.size() * 3); + b.resize(server->peek(b.data(), bigblock.size() * 3)); QCOMPARE(b, bigblock); QCOMPARE(server->readAll(), bigblock); @@ -3441,7 +3476,13 @@ void tst_QSslSocket::dhServer() return; SslServer server; - server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")}; + QSslCipher rsaCipher("DHE-RSA-AES256-SHA"); + QSslCipher dssCipher("DHE-DSS-AES256-SHA"); + if (rsaCipher.isNull()) + QSKIP("The current backend doesn't support DHE-RSA-AES256-SHA"); + if (dssCipher.isNull()) + QSKIP("The current backend doesn't support DHE-DSS-AES256-SHA"); + server.ciphers = { rsaCipher, dssCipher }; QVERIFY(server.listen()); QEventLoop loop; @@ -3469,9 +3510,10 @@ void tst_QSslSocket::dhServerCustomParamsNull() if (setProxy) return; + const QSslCipher cipherWithDH("DHE-RSA-AES256-SHA256"); SslServer server; - server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")}; - server.protocol = Test::TlsV1_0; + server.ciphers = {cipherWithDH}; + server.protocol = QSsl::TlsV1_2; QSslConfiguration cfg = server.config; cfg.setDiffieHellmanParameters(QSslDiffieHellmanParameters()); @@ -3484,7 +3526,6 @@ void tst_QSslSocket::dhServerCustomParamsNull() QSslSocket client; QSslConfiguration config = client.sslConfiguration(); - config.setProtocol(Test::TlsV1_0); client.setSslConfiguration(config); socket = &client; connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit())); @@ -3495,20 +3536,25 @@ void tst_QSslSocket::dhServerCustomParamsNull() loop.exec(); - QVERIFY(client.state() != QAbstractSocket::ConnectedState); + QCOMPARE(client.state(), QAbstractSocket::ConnectedState); + QCOMPARE(client.sessionCipher(), cipherWithDH); } void tst_QSslSocket::dhServerCustomParams() { if (!QSslSocket::supportsSsl()) QSKIP("No SSL support"); + if (!QSslSocket::isClassImplemented(QSsl::ImplementedClass::DiffieHellman)) + QSKIP("The current backend doesn't support diffie hellman parameters"); QFETCH_GLOBAL(bool, setProxy); if (setProxy) return; SslServer server; - server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")}; + const QSslCipher cipherWithDH("DHE-RSA-AES256-SHA256"); + server.ciphers = {cipherWithDH}; + server.protocol = QSsl::TlsV1_2; QSslConfiguration cfg = server.config; @@ -3538,7 +3584,8 @@ void tst_QSslSocket::dhServerCustomParams() loop.exec(); - QVERIFY(client.state() == QAbstractSocket::ConnectedState); + QCOMPARE(client.state(), QAbstractSocket::ConnectedState); + QCOMPARE(client.sessionCipher(), cipherWithDH); } #endif // QT_CONFIG(openssl) @@ -3554,7 +3601,10 @@ void tst_QSslSocket::ecdhServer() return; SslServer server; - server.ciphers = {QSslCipher("ECDHE-RSA-AES128-SHA")}; + QSslCipher cipher("ECDHE-RSA-AES128-SHA"); + if (cipher.isNull()) + QSKIP("The current backend doesn't support ECDHE-RSA-AES128-SHA"); + server.ciphers = {cipher}; QVERIFY(server.listen()); QEventLoop loop; @@ -3667,7 +3717,7 @@ void tst_QSslSocket::verifyClientCertificate() } SslServer server; - server.protocol = Test::TlsV1_0; + server.protocol = QSsl::TlsV1_2; server.addCaCertificates = testDataDir + "certs/bogus-ca.crt"; server.ignoreSslErrors = false; server.peerVerifyMode = peerVerifyMode; @@ -3709,7 +3759,7 @@ void tst_QSslSocket::verifyClientCertificate() } else { QCOMPARE(server.socket->peerCertificate(), clientCerts.first()); if (isTestingSchannel) { - if (clientCerts.count() == 1 && server.socket->peerCertificateChain().count() == 2) { + if (clientCerts.size() == 1 && server.socket->peerCertificateChain().size() == 2) { QEXPECT_FAIL("", "Schannel includes the entire chain, not just the leaf and intermediates", Continue); @@ -4069,14 +4119,14 @@ void tst_QSslSocket::simplePskConnect() case PskConnectWrongCredentials: // provide totally wrong credentials - provider.setIdentity(PSK_CLIENT_IDENTITY.left(PSK_CLIENT_IDENTITY.length() - 1)); - provider.setPreSharedKey(PSK_CLIENT_PRESHAREDKEY.left(PSK_CLIENT_PRESHAREDKEY.length() - 1)); + provider.setIdentity(PSK_CLIENT_IDENTITY.left(PSK_CLIENT_IDENTITY.size() - 1)); + provider.setPreSharedKey(PSK_CLIENT_PRESHAREDKEY.left(PSK_CLIENT_PRESHAREDKEY.size() - 1)); connect(&socket, SIGNAL(preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator*)), &provider, SLOT(providePsk(QSslPreSharedKeyAuthenticator*))); break; case PskConnectWrongIdentity: // right PSK, wrong identity - provider.setIdentity(PSK_CLIENT_IDENTITY.left(PSK_CLIENT_IDENTITY.length() - 1)); + provider.setIdentity(PSK_CLIENT_IDENTITY.left(PSK_CLIENT_IDENTITY.size() - 1)); provider.setPreSharedKey(PSK_CLIENT_PRESHAREDKEY); connect(&socket, SIGNAL(preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator*)), &provider, SLOT(providePsk(QSslPreSharedKeyAuthenticator*))); break; @@ -4084,7 +4134,7 @@ void tst_QSslSocket::simplePskConnect() case PskConnectWrongPreSharedKey: // right identity, wrong PSK provider.setIdentity(PSK_CLIENT_IDENTITY); - provider.setPreSharedKey(PSK_CLIENT_PRESHAREDKEY.left(PSK_CLIENT_PRESHAREDKEY.length() - 1)); + provider.setPreSharedKey(PSK_CLIENT_PRESHAREDKEY.left(PSK_CLIENT_PRESHAREDKEY.size() - 1)); connect(&socket, SIGNAL(preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator*)), &provider, SLOT(providePsk(QSslPreSharedKeyAuthenticator*))); break; @@ -4136,32 +4186,32 @@ void tst_QSslSocket::simplePskConnect() // Entered connecting state QCOMPARE(socket.state(), QAbstractSocket::ConnectingState); - QCOMPARE(connectedSpy.count(), 0); - QCOMPARE(hostFoundSpy.count(), 1); - QCOMPARE(disconnectedSpy.count(), 0); + QCOMPARE(connectedSpy.size(), 0); + QCOMPARE(hostFoundSpy.size(), 1); + QCOMPARE(disconnectedSpy.size(), 0); enterLoop(10); // Entered connected state QCOMPARE(socket.state(), QAbstractSocket::ConnectedState); QCOMPARE(socket.mode(), QSslSocket::UnencryptedMode); QVERIFY(!socket.isEncrypted()); - QCOMPARE(connectedSpy.count(), 1); - QCOMPARE(hostFoundSpy.count(), 1); - QCOMPARE(disconnectedSpy.count(), 0); + QCOMPARE(connectedSpy.size(), 1); + QCOMPARE(hostFoundSpy.size(), 1); + QCOMPARE(disconnectedSpy.size(), 0); // Enter encrypted mode socket.startClientEncryption(); QCOMPARE(socket.mode(), QSslSocket::SslClientMode); QVERIFY(!socket.isEncrypted()); - QCOMPARE(connectionEncryptedSpy.count(), 0); - QCOMPARE(sslErrorsSpy.count(), 0); - QCOMPARE(peerVerifyErrorSpy.count(), 0); + QCOMPARE(connectionEncryptedSpy.size(), 0); + QCOMPARE(sslErrorsSpy.size(), 0); + QCOMPARE(peerVerifyErrorSpy.size(), 0); // Start handshake. enterLoop(10); // We must get the PSK signal in all cases - QCOMPARE(pskAuthenticationRequiredSpy.count(), 1); + QCOMPARE(pskAuthenticationRequiredSpy.size(), 1); switch (pskTestType) { case PskConnectDoNotHandlePsk: @@ -4170,40 +4220,40 @@ void tst_QSslSocket::simplePskConnect() case PskConnectWrongIdentity: case PskConnectWrongPreSharedKey: // Handshake failure - QCOMPARE(socketErrorsSpy.count(), 1); + QCOMPARE(socketErrorsSpy.size(), 1); QCOMPARE(qvariant_cast<QAbstractSocket::SocketError>(socketErrorsSpy.at(0).at(0)), QAbstractSocket::SslHandshakeFailedError); - QCOMPARE(sslErrorsSpy.count(), 0); - QCOMPARE(peerVerifyErrorSpy.count(), 0); - QCOMPARE(connectionEncryptedSpy.count(), 0); + QCOMPARE(sslErrorsSpy.size(), 0); + QCOMPARE(peerVerifyErrorSpy.size(), 0); + QCOMPARE(connectionEncryptedSpy.size(), 0); QVERIFY(!socket.isEncrypted()); break; case PskConnectRightCredentialsPeerVerifyFailure: // Peer verification failure - QCOMPARE(socketErrorsSpy.count(), 1); + QCOMPARE(socketErrorsSpy.size(), 1); QCOMPARE(qvariant_cast<QAbstractSocket::SocketError>(socketErrorsSpy.at(0).at(0)), QAbstractSocket::SslHandshakeFailedError); - QCOMPARE(sslErrorsSpy.count(), 1); - QCOMPARE(peerVerifyErrorSpy.count(), 1); - QCOMPARE(connectionEncryptedSpy.count(), 0); + QCOMPARE(sslErrorsSpy.size(), 1); + QCOMPARE(peerVerifyErrorSpy.size(), 1); + QCOMPARE(connectionEncryptedSpy.size(), 0); QVERIFY(!socket.isEncrypted()); break; case PskConnectRightCredentialsVerifyPeer: // Peer verification failure, but ignore it and keep connecting - QCOMPARE(socketErrorsSpy.count(), 0); - QCOMPARE(sslErrorsSpy.count(), 1); - QCOMPARE(peerVerifyErrorSpy.count(), 1); - QCOMPARE(connectionEncryptedSpy.count(), 1); + QCOMPARE(socketErrorsSpy.size(), 0); + QCOMPARE(sslErrorsSpy.size(), 1); + QCOMPARE(peerVerifyErrorSpy.size(), 1); + QCOMPARE(connectionEncryptedSpy.size(), 1); QVERIFY(socket.isEncrypted()); QCOMPARE(socket.state(), QAbstractSocket::ConnectedState); break; case PskConnectRightCredentialsDoNotVerifyPeer: // No peer verification => no failure - QCOMPARE(socketErrorsSpy.count(), 0); - QCOMPARE(sslErrorsSpy.count(), 0); - QCOMPARE(peerVerifyErrorSpy.count(), 0); - QCOMPARE(connectionEncryptedSpy.count(), 1); + QCOMPARE(socketErrorsSpy.size(), 0); + QCOMPARE(sslErrorsSpy.size(), 0); + QCOMPARE(peerVerifyErrorSpy.size(), 0); + QCOMPARE(connectionEncryptedSpy.size(), 1); QVERIFY(socket.isEncrypted()); QCOMPARE(socket.state(), QAbstractSocket::ConnectedState); break; @@ -4244,7 +4294,7 @@ void tst_QSslSocket::simplePskConnect() } QCOMPARE(socket.state(), QAbstractSocket::UnconnectedState); - QCOMPARE(disconnectedSpy.count(), 1); + QCOMPARE(disconnectedSpy.size(), 1); } void tst_QSslSocket::ephemeralServerKey_data() @@ -4277,7 +4327,7 @@ void tst_QSslSocket::ephemeralServerKey() client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort()); spy.wait(); - QCOMPARE(spy.count(), 1); + QCOMPARE(spy.size(), 1); QVERIFY(server.config.ephemeralServerKey().isNull()); QCOMPARE(client->sslConfiguration().ephemeralServerKey().isNull(), emptyKey); } @@ -4340,22 +4390,22 @@ void tst_QSslSocket::pskServer() QCOMPARE(socket.state(), QAbstractSocket::ConnectedState); QCOMPARE(socket.mode(), QSslSocket::UnencryptedMode); QVERIFY(!socket.isEncrypted()); - QCOMPARE(connectedSpy.count(), 1); - QCOMPARE(disconnectedSpy.count(), 0); + QCOMPARE(connectedSpy.size(), 1); + QCOMPARE(disconnectedSpy.size(), 0); // Enter encrypted mode socket.startClientEncryption(); QCOMPARE(socket.mode(), QSslSocket::SslClientMode); QVERIFY(!socket.isEncrypted()); - QCOMPARE(connectionEncryptedSpy.count(), 0); + QCOMPARE(connectionEncryptedSpy.size(), 0); // Start handshake. enterLoop(10); // We must get the PSK signal in all cases - QCOMPARE(pskAuthenticationRequiredSpy.count(), 1); + QCOMPARE(pskAuthenticationRequiredSpy.size(), 1); - QCOMPARE(connectionEncryptedSpy.count(), 1); + QCOMPARE(connectionEncryptedSpy.size(), 1); QVERIFY(socket.isEncrypted()); QCOMPARE(socket.state(), QAbstractSocket::ConnectedState); @@ -4368,7 +4418,7 @@ void tst_QSslSocket::pskServer() enterLoop(10); QCOMPARE(socket.state(), QAbstractSocket::UnconnectedState); - QCOMPARE(disconnectedSpy.count(), 1); + QCOMPARE(disconnectedSpy.size(), 1); } void tst_QSslSocket::signatureAlgorithm_data() @@ -4521,7 +4571,7 @@ void tst_QSslSocket::forwardReadChannelFinished() &QTestEventLoop::instance(), &QTestEventLoop::exitLoop); socket.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); enterLoop(10); - QVERIFY(readChannelFinishedSpy.count()); + QVERIFY(readChannelFinishedSpy.size()); } #endif // QT_CONFIG(openssl) @@ -4543,7 +4593,7 @@ void tst_QSslSocket::unsupportedProtocols() return; QFETCH(const QSsl::SslProtocol, unsupportedProtocol); - const int timeoutMS = 500; + constexpr auto timeout = 500ms; // Test a client socket. { // 0. connectToHostEncrypted: client-side, non-blocking API, error is discovered @@ -4565,7 +4615,7 @@ void tst_QSslSocket::unsupportedProtocols() QCOMPARE(socket.error(), QAbstractSocket::UnknownSocketError); socket.connectToHost(QHostAddress::LocalHost, server.serverPort()); - QVERIFY(socket.waitForConnected(timeoutMS)); + QVERIFY(socket.waitForConnected(int(timeout.count()))); socket.setProtocol(unsupportedProtocol); socket.startClientEncryption(); @@ -4590,7 +4640,7 @@ void tst_QSslSocket::unsupportedProtocols() QTcpSocket client; client.connectToHost(QHostAddress::LocalHost, server.serverPort()); - loop.enterLoopMSecs(timeoutMS); + loop.enterLoop(timeout); QVERIFY(!loop.timeout()); QVERIFY(server.socket); QCOMPARE(server.socket->error(), QAbstractSocket::SslInvalidUserDataError); @@ -4603,13 +4653,15 @@ void tst_QSslSocket::oldErrorsOnSocketReuse() if (setProxy) return; // not relevant SslServer server; - server.protocol = Test::TlsV1_1; + if (!isTestingOpenSsl) + server.protocol = Test::TlsV1_1; server.m_certFile = testDataDir + "certs/fluke.cert"; server.m_keyFile = testDataDir + "certs/fluke.key"; QVERIFY(server.listen(QHostAddress::SpecialAddress::LocalHost)); QSslSocket socket; - socket.setProtocol(Test::TlsV1_1); + if (!isTestingOpenSsl) + socket.setProtocol(Test::TlsV1_1); QList<QSslError> errorList; auto connection = connect(&socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), [&socket, &errorList](const QList<QSslError> &errors) { @@ -4695,7 +4747,7 @@ void tst_QSslSocket::alertMissingCertificate() connect(&clientSocket, &QAbstractSocket::errorOccurred, earlyQuitter); connect(&server, &SslServer::socketError, earlyQuitter); - runner.enterLoopMSecs(1000); + runner.enterLoop(1s); if (clientSocket.isEncrypted()) { // When using TLS 1.3 the client side thinks it is connected very @@ -4703,11 +4755,11 @@ void tst_QSslSocket::alertMissingCertificate() // inevitable disconnect. QCOMPARE(clientSocket.sessionProtocol(), QSsl::TlsV1_3); connect(&clientSocket, &QSslSocket::disconnected, &runner, &QTestEventLoop::exitLoop); - runner.enterLoopMSecs(10000); + runner.enterLoop(10s); } - QVERIFY(serverSpy.count() > 0); - QVERIFY(clientSpy.count() > 0); + QVERIFY(serverSpy.size() > 0); + QVERIFY(clientSpy.size() > 0); QVERIFY(server.socket && !server.socket->isEncrypted()); QVERIFY(!clientSocket.isEncrypted()); } @@ -4758,11 +4810,11 @@ void tst_QSslSocket::alertInvalidCertificate() connect(&clientSocket, &QAbstractSocket::errorOccurred, earlyQuitter); connect(&server, &SslServer::socketError, earlyQuitter); - runner.enterLoopMSecs(1000); + runner.enterLoop(1s); - QVERIFY(serverSpy.count() > 0); - QVERIFY(clientSpy.count() > 0); - QVERIFY(interruptedSpy.count() > 0); + QVERIFY(serverSpy.size() > 0); + QVERIFY(clientSpy.size() > 0); + QVERIFY(interruptedSpy.size() > 0); QVERIFY(server.socket && !server.socket->isEncrypted()); QVERIFY(!clientSocket.isEncrypted()); } @@ -4886,17 +4938,17 @@ void tst_QSslSocket::selfSignedCertificates() connect(&clientSocket, &QAbstractSocket::errorOccurred, earlyQuitter); connect(&server, &SslServer::socketError, earlyQuitter); - runner.enterLoopMSecs(1000); + runner.enterLoop(1s); if (clientKnown) { - QCOMPARE(serverSpy.count(), 0); - QCOMPARE(clientSpy.count(), 0); + QCOMPARE(serverSpy.size(), 0); + QCOMPARE(clientSpy.size(), 0); QVERIFY(server.socket && server.socket->isEncrypted()); QVERIFY(clientSocket.isEncrypted()); } else { - QVERIFY(serverSpy.count() > 0); + QVERIFY(serverSpy.size() > 0); QEXPECT_FAIL("", "Failing to trigger signal, QTBUG-81661", Continue); - QVERIFY(clientSpy.count() > 0); + QVERIFY(clientSpy.size() > 0); QVERIFY(server.socket && !server.socket->isEncrypted()); QVERIFY(!clientSocket.isEncrypted()); } @@ -5024,18 +5076,18 @@ void tst_QSslSocket::pskHandshake() connect(&clientSocket, &QAbstractSocket::errorOccurred, earlyQuitter); connect(&server, &SslServer::socketError, earlyQuitter); - runner.enterLoopMSecs(1000); + runner.enterLoop(1s); if (pskRight) { - QCOMPARE(serverSpy.count(), 0); - QCOMPARE(clientSpy.count(), 0); + QCOMPARE(serverSpy.size(), 0); + QCOMPARE(clientSpy.size(), 0); QVERIFY(server.socket && server.socket->isEncrypted()); QVERIFY(clientSocket.isEncrypted()); } else { - QVERIFY(serverSpy.count() > 0); + QVERIFY(serverSpy.size() > 0); QCOMPARE(serverSpy.first().at(0).toInt(), static_cast<int>(QSsl::AlertLevel::Fatal)); QCOMPARE(serverSpy.first().at(1).toInt(), static_cast<int>(QSsl::AlertType::BadRecordMac)); - QVERIFY(clientSpy.count() > 0); + QVERIFY(clientSpy.size() > 0); QCOMPARE(clientSpy.first().at(0).toInt(), static_cast<int>(QSsl::AlertLevel::Fatal)); QCOMPARE(clientSpy.first().at(1).toInt(), static_cast<int>(QSsl::AlertType::BadRecordMac)); QVERIFY(server.socket && !server.socket->isEncrypted()); |