1 files changed, 275 insertions, 10 deletions
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index 17a3f3a4d0..c1ed865d02 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -219,6 +219,10 @@ private slots:
     void qtbug18498_peek();
     void qtbug18498_peek2();
     void dhServer();
+#ifndef QT_NO_OPENSSL
+    void dhServerCustomParamsNull();
+    void dhServerCustomParams();
+#endif
     void ecdhServer();
     void verifyClientCertificate_data();
     void verifyClientCertificate();
@@ -228,6 +232,8 @@ private slots:
     void simplePskConnect();
     void ephemeralServerKey_data();
     void ephemeralServerKey();
+    void allowedProtocolNegotiation();
+    void pskServer();
 #endif
 
     void setEmptyDefaultConfiguration(); // this test should be last
@@ -2819,10 +2825,8 @@ void tst_QSslSocket::qtbug18498_peek2()
 
 void tst_QSslSocket::dhServer()
 {
-    if (!QSslSocket::supportsSsl()) {
-        qWarning("SSL not supported, skipping test");
-        return;
-    }
+    if (!QSslSocket::supportsSsl())
+        QSKIP("No SSL support");
 
     QFETCH_GLOBAL(bool, setProxy);
     if (setProxy)
@@ -2847,6 +2851,87 @@ void tst_QSslSocket::dhServer()
     QCOMPARE(client->state(), QAbstractSocket::ConnectedState);
 }
 
+#ifndef QT_NO_OPENSSL
+void tst_QSslSocket::dhServerCustomParamsNull()
+{
+    if (!QSslSocket::supportsSsl())
+        QSKIP("No SSL support");
+
+    QFETCH_GLOBAL(bool, setProxy);
+    if (setProxy)
+        return;
+
+    SslServer server;
+    server.ciphers = QLatin1String("DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA");
+
+    QSslConfiguration cfg = server.config;
+    cfg.setDiffieHellmanParameters(QSslDiffieHellmanParameters());
+    server.config = cfg;
+
+    QVERIFY(server.listen());
+
+    QEventLoop loop;
+    QTimer::singleShot(5000, &loop, SLOT(quit()));
+
+    QSslSocketPtr client(new QSslSocket);
+    socket = client.data();
+    connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
+    connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
+    connect(socket, SIGNAL(encrypted()), &loop, SLOT(quit()));
+
+    client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort());
+
+    loop.exec();
+
+    QVERIFY(client->state() != QAbstractSocket::ConnectedState);
+}
+#endif // QT_NO_OPENSSL
+
+#ifndef QT_NO_OPENSSL
+void tst_QSslSocket::dhServerCustomParams()
+{
+    if (!QSslSocket::supportsSsl())
+        QSKIP("No SSL support");
+
+    QFETCH_GLOBAL(bool, setProxy);
+    if (setProxy)
+        return;
+
+    SslServer server;
+    server.ciphers = QLatin1String("DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA");
+
+    QSslConfiguration cfg = server.config;
+
+    // Custom 2048-bit DH parameters generated with 'openssl dhparam -outform DER -out out.der -check -2 2048'
+    QSslDiffieHellmanParameters dh(QByteArray::fromBase64(QByteArrayLiteral(
+        "MIIBCAKCAQEAvVA7b8keTfjFutCtTJmP/pnQfw/prKa+GMed/pBWjrC4N1YwnI8h/A861d9WE/VWY7XMTjvjX3/0"
+        "aaU8wEe0EXNpFdlTH+ZMQctQTSJOyQH0RCTwJfDGPCPT9L+c9GKwEKWORH38Earip986HJc0w3UbnfIwXUdsWHiXi"
+        "Z6r3cpyBmTKlsXTFiDVAOUXSiO8d/zOb6zHZbDfyB/VbtZRmnA7TXVn9oMzC0g9+FXHdrV4K+XfdvNZdCegvoAZiy"
+        "R6ZQgNG9aZ36/AQekhg060hp55f9HDPgXqYeNeXBiferjUtU7S9b3s83XhOJAr01/0Tf5dENwCfg2gK36TM8cC4wI"
+        "BAg==")), QSsl::Der);
+    cfg.setDiffieHellmanParameters(dh);
+
+    server.config = cfg;
+
+    QVERIFY(server.listen());
+
+    QEventLoop loop;
+    QTimer::singleShot(5000, &loop, SLOT(quit()));
+
+    QSslSocketPtr client(new QSslSocket);
+    socket = client.data();
+    connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
+    connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
+    connect(socket, SIGNAL(encrypted()), &loop, SLOT(quit()));
+
+    client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort());
+
+    loop.exec();
+
+    QVERIFY(client->state() == QAbstractSocket::ConnectedState);
+}
+#endif // QT_NO_OPENSSL
+
 void tst_QSslSocket::ecdhServer()
 {
     if (!QSslSocket::supportsSsl()) {
@@ -3037,8 +3122,12 @@ class PskProvider : public QObject
     Q_OBJECT
 
 public:
+    bool m_server;
+    QByteArray m_identity;
+    QByteArray m_psk;
+
     explicit PskProvider(QObject *parent = 0)
-        : QObject(parent)
+        : QObject(parent), m_server(false)
     {
     }
 
@@ -3057,7 +3146,11 @@ public slots:
     {
         QVERIFY(authenticator);
         QCOMPARE(authenticator->identityHint(), PSK_SERVER_IDENTITY_HINT);
-        QVERIFY(authenticator->maximumIdentityLength() > 0);
+        if (m_server)
+            QCOMPARE(authenticator->maximumIdentityLength(), 0);
+        else
+            QVERIFY(authenticator->maximumIdentityLength() > 0);
+
         QVERIFY(authenticator->maximumPreSharedKeyLength() > 0);
 
         if (!m_identity.isEmpty()) {
@@ -3070,12 +3163,61 @@ public slots:
             QCOMPARE(authenticator->preSharedKey(), m_psk);
         }
     }
-
-private:
-    QByteArray m_identity;
-    QByteArray m_psk;
 };
 
+class PskServer : public QTcpServer
+{
+    Q_OBJECT
+public:
+    PskServer()
+        : socket(0),
+          config(QSslConfiguration::defaultConfiguration()),
+          ignoreSslErrors(true),
+          peerVerifyMode(QSslSocket::AutoVerifyPeer),
+          protocol(QSsl::TlsV1_0),
+          m_pskProvider()
+    {
+        m_pskProvider.m_server = true;
+    }
+    QSslSocket *socket;
+    QSslConfiguration config;
+    bool ignoreSslErrors;
+    QSslSocket::PeerVerifyMode peerVerifyMode;
+    QSsl::SslProtocol protocol;
+    QString ciphers;
+    PskProvider m_pskProvider;
+
+protected:
+    void incomingConnection(qintptr socketDescriptor)
+    {
+        socket = new QSslSocket(this);
+        socket->setSslConfiguration(config);
+        socket->setPeerVerifyMode(peerVerifyMode);
+        socket->setProtocol(protocol);
+        if (ignoreSslErrors)
+            connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
+
+        if (!ciphers.isEmpty()) {
+            socket->setCiphers(ciphers);
+        }
+
+        QVERIFY(socket->setSocketDescriptor(socketDescriptor, QAbstractSocket::ConnectedState));
+        QVERIFY(!socket->peerAddress().isNull());
+        QVERIFY(socket->peerPort() != 0);
+        QVERIFY(!socket->localAddress().isNull());
+        QVERIFY(socket->localPort() != 0);
+
+        connect(socket, &QSslSocket::preSharedKeyAuthenticationRequired, &m_pskProvider, &PskProvider::providePsk);
+
+        socket->startServerEncryption();
+    }
+
+protected slots:
+    void ignoreErrorSlot()
+    {
+        socket->ignoreSslErrors();
+    }
+};
 void tst_QSslSocket::simplePskConnect_data()
 {
     QTest::addColumn<PskConnectTestType>("pskTestType");
@@ -3377,6 +3519,129 @@ void tst_QSslSocket::ephemeralServerKey()
     QCOMPARE(client->sslConfiguration().ephemeralServerKey().isNull(), emptyKey);
 }
 
+void tst_QSslSocket::allowedProtocolNegotiation()
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)
+
+    QFETCH_GLOBAL(bool, setProxy);
+    if (setProxy)
+        return;
+
+    const QByteArray expectedNegotiated("cool-protocol");
+    QList<QByteArray> serverProtos;
+    serverProtos << expectedNegotiated << "not-so-cool-protocol";
+    QList<QByteArray> clientProtos;
+    clientProtos << "uber-cool-protocol" << expectedNegotiated << "not-so-cool-protocol";
+
+
+    SslServer server;
+    server.config.setAllowedNextProtocols(serverProtos);
+    QVERIFY(server.listen());
+
+    QSslSocket clientSocket;
+    auto configuration = clientSocket.sslConfiguration();
+    configuration.setAllowedNextProtocols(clientProtos);
+    clientSocket.setSslConfiguration(configuration);
+
+    clientSocket.connectToHostEncrypted("127.0.0.1", server.serverPort());
+    clientSocket.ignoreSslErrors();
+
+    QEventLoop loop;
+    QTimer::singleShot(5000, &loop, SLOT(quit()));
+    connect(&clientSocket, SIGNAL(encrypted()), &loop, SLOT(quit()));
+    loop.exec();
+
+    QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() ==
+            clientSocket.sslConfiguration().nextNegotiatedProtocol());
+    QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() == expectedNegotiated);
+
+#endif // OPENSSL_VERSION_NUMBER
+}
+
+void tst_QSslSocket::pskServer()
+{
+    QFETCH_GLOBAL(bool, setProxy);
+    if (!QSslSocket::supportsSsl() || setProxy)
+        return;
+
+    QSslSocket socket;
+    this->socket = &socket;
+
+    QSignalSpy connectedSpy(&socket, SIGNAL(connected()));
+    QVERIFY(connectedSpy.isValid());
+
+    QSignalSpy disconnectedSpy(&socket, SIGNAL(disconnected()));
+    QVERIFY(disconnectedSpy.isValid());
+
+    QSignalSpy connectionEncryptedSpy(&socket, SIGNAL(encrypted()));
+    QVERIFY(connectionEncryptedSpy.isValid());
+
+    QSignalSpy pskAuthenticationRequiredSpy(&socket, SIGNAL(preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator*)));
+    QVERIFY(pskAuthenticationRequiredSpy.isValid());
+
+    connect(&socket, SIGNAL(connected()), this, SLOT(exitLoop()));
+    connect(&socket, SIGNAL(disconnected()), this, SLOT(exitLoop()));
+    connect(&socket, SIGNAL(modeChanged(QSslSocket::SslMode)), this, SLOT(exitLoop()));
+    connect(&socket, SIGNAL(encrypted()), this, SLOT(exitLoop()));
+    connect(&socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(exitLoop()));
+    connect(&socket, SIGNAL(error(QAbstractSocket::SocketError)), this, SLOT(exitLoop()));
+    connect(&socket, SIGNAL(peerVerifyError(QSslError)), this, SLOT(exitLoop()));
+    connect(&socket, SIGNAL(stateChanged(QAbstractSocket::SocketState)), this, SLOT(exitLoop()));
+
+    // force a PSK cipher w/o auth
+    socket.setCiphers(PSK_CIPHER_WITHOUT_AUTH);
+
+    PskProvider provider;
+    provider.setIdentity(PSK_CLIENT_IDENTITY);
+    provider.setPreSharedKey(PSK_CLIENT_PRESHAREDKEY);
+    connect(&socket, SIGNAL(preSharedKeyAuthenticationRequired(QSslPreSharedKeyAuthenticator*)), &provider, SLOT(providePsk(QSslPreSharedKeyAuthenticator*)));
+    socket.setPeerVerifyMode(QSslSocket::VerifyNone);
+
+    PskServer server;
+    server.m_pskProvider.setIdentity(provider.m_identity);
+    server.m_pskProvider.setPreSharedKey(provider.m_psk);
+    server.config.setPreSharedKeyIdentityHint(PSK_SERVER_IDENTITY_HINT);
+    QVERIFY(server.listen());
+
+    // Start connecting
+    socket.connectToHost(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort());
+    enterLoop(5);
+
+    // Entered connected state
+    QCOMPARE(socket.state(), QAbstractSocket::ConnectedState);
+    QCOMPARE(socket.mode(), QSslSocket::UnencryptedMode);
+    QVERIFY(!socket.isEncrypted());
+    QCOMPARE(connectedSpy.count(), 1);
+    QCOMPARE(disconnectedSpy.count(), 0);
+
+    // Enter encrypted mode
+    socket.startClientEncryption();
+    QCOMPARE(socket.mode(), QSslSocket::SslClientMode);
+    QVERIFY(!socket.isEncrypted());
+    QCOMPARE(connectionEncryptedSpy.count(), 0);
+
+    // Start handshake.
+    enterLoop(10);
+
+    // We must get the PSK signal in all cases
+    QCOMPARE(pskAuthenticationRequiredSpy.count(), 1);
+
+    QCOMPARE(connectionEncryptedSpy.count(), 1);
+    QVERIFY(socket.isEncrypted());
+    QCOMPARE(socket.state(), QAbstractSocket::ConnectedState);
+
+    // check writing
+    socket.write("Hello from Qt TLS/PSK!");
+    QVERIFY(socket.waitForBytesWritten());
+
+    // disconnect
+    socket.disconnectFromHost();
+    enterLoop(10);
+
+    QCOMPARE(socket.state(), QAbstractSocket::UnconnectedState);
+    QCOMPARE(disconnectedSpy.count(), 1);
+}
+
 #endif // QT_NO_OPENSSL
 
 #endif // QT_NO_SSL