diff options
Diffstat (limited to 'tests/auto/network/ssl')
41 files changed, 1861 insertions, 285 deletions
diff --git a/tests/auto/network/ssl/qocsp/certs/alice.crt b/tests/auto/network/ssl/qocsp/certs/alice.crt new file mode 100644 index 0000000000..02df86a517 --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/alice.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGDCCAwCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMCTk8x +DTALBgNVBAgMBE9zbG8xEjAQBgNVBAcMCU9zbG8gQ2l0eTETMBEGA1UECgwKVGhl +IFF0IENBMTENMAsGA1UECwwEUVRDTjERMA8GA1UEAwwIY2ExcXQuaW8xJTAjBgkq +hkiG9w0BCQEWFnRpbXVyLnBvY2hlcHRzb3ZAcXQuaW8wHhcNMTgxMTIyMTEwNjE4 +WhcNMjgxMTE5MTEwNjE4WjCBkjELMAkGA1UEBhMCTk8xDTALBgNVBAgMBE9zbG8x +EjAQBgNVBAcMCU9zbG8gQ2l0eTEdMBsGA1UECgwUVGhlIEZhbW91cyBBbGljZSBM +dGQxDTALBgNVBAsMBEdPQUExEjAQBgNVBAMMCWFsaWNlLm9yZzEeMBwGCSqGSIb3 +DQEJARYPYWxpY2VAYWxpY2Uub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAtuGDR9oIEkK57xlxq/xc3u7B1ni4pdoyhf9r+pkgmu591qp2kl3Xcq3W +Ve5Z553orAUCAExPlKfFV+CYYAedSgsDYlKk8DN+f/n+hkG6Wl2qyFzHgl+mvPwa +eDqdVMIcDHGhSljALi9AqsN4lbrUhSxiyuPhAwl82WB0EIucmBs1NxSSZgFPRBLG +Uzy9WvtQFq1qtn795PVIUsNg68qZQ9BvRduOQAr3bg3anoYqytthWnzLWKri2QR4 +Z4Y0mvcbT/PZwhtcFZzDXG3Hvc7k3AroAbWoSghMEgok9TW9grKYkW2d5cpQTP+l +ptkB6yZ06MY9/uCdYzhm8eu2RgVndwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG +SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E +FgQUQz2PuE4VuqHtZYTvVLr4+0IuHTUwHwYDVR0jBBgwFoAUeBcnAkU7sTqm7i2Q +vTxwgr0nQ0QwDQYJKoZIhvcNAQELBQADggEBABGGmo1vUAXKQm9kowvUtjDpEIIY +TpT+KqiUBOgJg5fGn6a63vBn5GMA6eT948ywi9ZU2M9dIXJCM+bdqjXeOtt4bBPZ +xz6DcBPW9CoTR4CV1muNa95WIXzAHatq3XYG041ddMf41WG7QIdQsojBYEG0IYlv +PQx+B+m2cu7A04aI2tCS8aUh7Xc9wRilJ+h/FlYFFQzgyEKsd7CFgkyxG/sLyFNH +skYYk/DLlmaWa+YScHYB5kAk8StoETeMI2LLs7rgJmchi8eAxjLroYDUhQclUjqz +vlNM+4GvcF5RluyuEXFOZVdmQahkXcyu0Q3yxvsBbnDglmbb2YHPl/blB7w= +-----END CERTIFICATE----- diff --git a/tests/auto/network/ssl/qocsp/certs/alice.key b/tests/auto/network/ssl/qocsp/certs/alice.key new file mode 100644 index 0000000000..6f2666ebde --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/alice.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC24YNH2ggSQrnv +GXGr/Fze7sHWeLil2jKF/2v6mSCa7n3WqnaSXddyrdZV7lnnneisBQIATE+Up8VX +4JhgB51KCwNiUqTwM35/+f6GQbpaXarIXMeCX6a8/Bp4Op1UwhwMcaFKWMAuL0Cq +w3iVutSFLGLK4+EDCXzZYHQQi5yYGzU3FJJmAU9EEsZTPL1a+1AWrWq2fv3k9UhS +w2DryplD0G9F245ACvduDdqehirK22FafMtYquLZBHhnhjSa9xtP89nCG1wVnMNc +bce9zuTcCugBtahKCEwSCiT1Nb2CspiRbZ3lylBM/6Wm2QHrJnToxj3+4J1jOGbx +67ZGBWd3AgMBAAECggEADbzU+sHDF3QRuYdExbGYXFq9DtpUrIi+gNhWCSYVj+3Y +YBa//3CzLXcngZ78++wdvUZHBzS0SatspJRHffc0doprP6iLoUuM9hoWZ4lqcT1W +BeUKS53ZzZp2do+Yn/RQ3RJwFkCidxWvmuRCG6VEL5jM9wa1MWA2E7IuJcwHAFny +WIByosje5Qrd7eXDuVoqr1hjJ2UxIjIJ8Zgg3EE9wVUyJE3PU1HLz2AefonYRwbL +XlzNgnj0c9Ti9ejfyon+jTnpslLKtPal2kxyGoKPAngadAhCzqSaCWggACm7R8Ge +pZ0Y0pV7QReEgjfFd4D3qOqLRQZVJOMDb3vJu2/rsQKBgQDfKjfSpUweBM9li7GS +xXbDpC3Y8zQ2VY+2SvgYoYiYU/Y6YenxhKM1XDbWZxhxS8GVfCUAESFDOTZcMvdi +QEbG1uEmuCn1ksvrC2y54rtd8WDppcS0vJxCrU4nZG0v9IjVKp67B8EpBpAQeNb1 +tR6ByT2fLJu5+WU2S7OxqX7uLwKBgQDRyfKvrCQgdJOQlJlHOv1y1hN8WY51A8P/ +JbDXoun3PCPd+JczvFXCUh3ZLXqUEAX2qDOBD1pBM62EN6/A9ukO4mcMd8uYIet6 +nR4nVqXUjWuzXe6eo913lTDQrIOGWpViTc8fnvFlwBPfwzxbZNx38HZbw0L0nT7d +8TE/JxLROQKBgQC4Kzo4b8vadjPGZLueGbICkQp5IXR0ZrYcRdBrW1vEAn6Q/d84 +PzMFxV1IIXrNfSx8NiC+5mQh+yQ+gJ0iC1OdoxXag1+1V3lMN3h6C4B/bcWB7Rjh +40m9yRJXdgyZ59/Is8ydIzAosE7SGTelPNy5VR+yrfiySPxbC6x3MR8cZwKBgQCq +PVTg1bIjXDZ7NvsDYI1XaP07BXmi30FnhXByLFPsOzNn51jbtNNq8zQhjtRP3ojY +VjolWw4EpykBiCbpUfRiDbtN1NC0TaJHR8S2a4v6ZiCl123R8mu/pKOOUtAQcOWU +dkvD/zkpNqtqA4axK7H06n9Bi7yDwC7J7/Xkp5KPkQKBgFDprXrXg4zvIsxbXYZ3 +2bCaxyhBXNKcGwtWbbLfJcOwHJPns/abGkYIJ0NbMZX1LwTDfQWmC+8YKKvIlbKG +S2uk5H4qzupR4XN6YJ7SCHlGv2z0vxVjV7aWc1TME2iZQoBuO1urxPZwHd/euruo +kluWh1KV5XnWjBSYjZpiXxWl +-----END PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qocsp/certs/ca1.crt b/tests/auto/network/ssl/qocsp/certs/ca1.crt new file mode 100644 index 0000000000..b5ae194fab --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/ca1.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID9DCCAtygAwIBAgIJAMQbE3657KDYMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD +VQQGEwJOTzENMAsGA1UECAwET3NsbzESMBAGA1UEBwwJT3NsbyBDaXR5MRMwEQYD +VQQKDApUaGUgUXQgQ0ExMQ0wCwYDVQQLDARRVENOMREwDwYDVQQDDAhjYTFxdC5p +bzElMCMGCSqGSIb3DQEJARYWdGltdXIucG9jaGVwdHNvdkBxdC5pbzAeFw0xODEx +MjIxMDIxMTNaFw0yODExMTkxMDIxMTNaMIGOMQswCQYDVQQGEwJOTzENMAsGA1UE +CAwET3NsbzESMBAGA1UEBwwJT3NsbyBDaXR5MRMwEQYDVQQKDApUaGUgUXQgQ0Ex +MQ0wCwYDVQQLDARRVENOMREwDwYDVQQDDAhjYTFxdC5pbzElMCMGCSqGSIb3DQEJ +ARYWdGltdXIucG9jaGVwdHNvdkBxdC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAOCs3AV7sDKHJUJcm7a0OqnShIvoB1qv6UcOmlBmUzGl5GzX90Jz +7jYJoOPjxjNyRxMOsOReB1ZcSuIAjkdAEfFMaVe6j7qKTJ5ycTVY/fVoxyxsSNuI +xOJ6RCEjLHcxONEbkN/xI8LMdVko3m4P10r5GxwrgyPvpa87Yq5+XJ1BPWJyKbD7 +Tqpn3dvZUj0/POsMUTT7Q7VXOfDlZj58XWAC6ECTqJauhGFMhiwgqOn2Qo1W0QjV +DkGqRTdgIAM6Rv2cSRxgnflwW5QZ8kWUV81h/yx4cck/D9TcVxjr3Pvy6aJ/U41u +d4XJQgwCj4LJi4msw1S0CvZWmz+2BKxcbRsCAwEAAaNTMFEwHQYDVR0OBBYEFHgX +JwJFO7E6pu4tkL08cIK9J0NEMB8GA1UdIwQYMBaAFHgXJwJFO7E6pu4tkL08cIK9 +J0NEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADp1kqDRcyVG +BdMge+Il10IjbpzzSjAoZiqiw69V99LiHW9ePbxG4AmliE6Za60GE5PCXOLjJh/5 +efgnIbybbyIOIT9iK4TXWLw2XW+rMY51c0RAxp2h/sc+5CZ0F0I811F5VUHXg2qR +U7C2zbzqAimN8TBm6FRe7NFQfqLCrsuFJjSc3obrqKQcpvRwxMk6NpkdoemzqLmY +lrBrTaeVbZ4ix3srVPvXRm9TdiC+JuuFmvulMfe+/wwnhb+dwT3JUC+EIq/Uf5Wb +g8lvB4ntitL8NLQ2hFGqYuoFNIGs6tRN71ohk+/ONqe9wJhcI9QAruPOvsg+8J0H +uGooX7PUNHg= +-----END CERTIFICATE----- diff --git a/tests/auto/network/ssl/qocsp/certs/ca1.key b/tests/auto/network/ssl/qocsp/certs/ca1.key new file mode 100644 index 0000000000..4ee080f706 --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/ca1.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgrNwFe7AyhyVC +XJu2tDqp0oSL6Adar+lHDppQZlMxpeRs1/dCc+42CaDj48YzckcTDrDkXgdWXEri +AI5HQBHxTGlXuo+6ikyecnE1WP31aMcsbEjbiMTiekQhIyx3MTjRG5Df8SPCzHVZ +KN5uD9dK+RscK4Mj76WvO2KuflydQT1icimw+06qZ93b2VI9PzzrDFE0+0O1Vznw +5WY+fF1gAuhAk6iWroRhTIYsIKjp9kKNVtEI1Q5BqkU3YCADOkb9nEkcYJ35cFuU +GfJFlFfNYf8seHHJPw/U3FcY69z78umif1ONbneFyUIMAo+CyYuJrMNUtAr2Vps/ +tgSsXG0bAgMBAAECggEBAL1RCwjXw42gEUZM8KzQS0pD6IpXVrMU3ZWReXhb8Kg6 +KDOK+3+UXlpMXLUKfj1lgvxM+cNEdBxSIoszerARDc1s3KseufOui4dL2ZbhSQVc +Z9BH4lCSe4x3CCeAEvzQjhatirMY51BCpnMdm+fUE07KfwyKobNLQSpZ+Pod4f5i +oQbOiZYfRfU2quaWIsVb/a5IiUD0gG0KS9O5wX6VigVeFRpOPHT4YCQ1qds4HqQq +PKQtkLq0mo6beXCfXWrJ5Nc0QOIFlgSAHkeRR7zLK8MlaerwZ5YdeJIWuPM9l9H+ +34FVkHle1rPN6dJf7EPwWxn1PceFe3QYn1GHoiMmXfkCgYEA/U6iQypbLEKLmLbt +XTvhV1FVDQM42BX+ATNQ8Wro0ybdyzM+d4271uAUGTF1Zvxndv22p+JOmldWveAR +0iVK4mvrs25ACg27Bz3LiUaQB2OyYrj9M7TLgQ47gYEhwgnsSniFyrMcptNyIfW5 +GoB1N00EKiCvHyWo5LK6kRZt5QcCgYEA4xBOC/Otc9lTp24iSVA8Y7XJ+nlypFtc +pehf262jH11wEkWskmc9aP/kpxt9fUrDxf3YIOqITR4mMNn184P1WywHAQF7Adfd +3r5YBMVaanuaMsSuAZOJGyvuk2BE6328IKdE+3emndzXuQdDf0X2TUznwdKe9AzZ +qadCBLfUpk0CgYAgDKbzIJTQkMrg06RMu5rTVXMRZmr2zDGLLVb8dK5oqO4/G4i3 +z7MIiOmCFoPoN99PauKFc1jGpm5PL96RXC6RX14/IZ/wpbQYQnVSNR9cD/0uCIHg +3OsytP5KcHA5ANBoy78B2o+xe+dg7JozBDXQfWodem0t37Hy3bpFSTU2WQKBgETY +qcFn9hydNYcblpvCDz1wXjhq4H7DENlhFseF42LcMuHnbEbLtMwEYrDkXe1CYQ/E +QubgFcnELXI8dB2M0jT9qXX9m+1YJXanIgr4R8zngz6HcfcaY8TwUhsvYlZAvmzs +KrdQdR2CW4pHkIijjuWrPs3+7aEz0D9nblX94yU1AoGATVCfQOwmEMFHg33luMMt +0lTOHsar6g1O5vz0ZPZ1NjJF9Qe3+T7B4n4gq9pLwfi7Ohoa4CDmt0nKmy56dBha +5LM8mzw+PaH9a3pP93caS6k/X68TLOp7fwvnzP6HTjtis2sdYzVma6ghEF0zRdQr +6nWMI6Kx2kFaNdzKSHzxP5A= +-----END PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qocsp/certs/infbob.key b/tests/auto/network/ssl/qocsp/certs/infbob.key new file mode 100644 index 0000000000..7878339151 --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/infbob.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkF2BuPlkQa3Ox +JxnbQ+gy1mAxaGGzfnmGocraxVSKSssX3zSkeIrWB1kW3diOtIZ1jovYftHGsqoB +F5k6fN9dr37mFIZnilF6Bq0seYjNUl6I0d7Cf3NJSf7TG5+P+dAyNLN8aXILctY8 +krlSe4ysb++9xgawt2DYL3I0LBd+W27hd2BlfcmB4g2X3zOasjZM8F5HSBxF5e7f +fVaUmCC8S4jdXUQEbUNFk6HufDwDhP1gMtoGKHusWOdI5O6cQAfUUmRLSfi/jWoe +KLPafbj7KIcA8+YojOvub2guNpO42h9fc83/gCkkBJhwXNdIQjRUnz6Lu05kDTG9 +X28gbX9TAgMBAAECggEBAN9xCxVUXJmaOb6ciFblIi3TFm6wS62zw0chbgB8eQH0 +nRoonYBVWeSrVBnzf7bkoCe/Wb3fFo+o7KOfQ4spUwOK7SxlhPkfZgu9SJ4d/Obu +vw8XUTqF8iEkrM6P6/L2DX9xYzcIcSFIARlbvtJPmBJAocHtoRYyvltpt13mp6kt +/LVYR4qFAWRpPR6rnjlXEjfrE9taHWgIJEjwMj+IcTjnGiS1rX1T/JNhjRxsRJwU +qxqhYmeenNymyUJxS2B806EcG3UAJu63dK61VXN1dtPhS3FqjeR//GRlmy14n7RW +ZQAuT9dPB/WzUZVzEcOgTwe/+XsPTSfz7gpaoffgMJECgYEA/43xZRi48Dfp3tdq +qwwLf6Ya9pB2zb3XE8MUQhxsrygzL5ngZhmr2m0LgGCf5fXa983G6wzA6sOdpvve +jFAlBZYbWaYnvog9QIFcTj0S6PahGTBaR7PSNzK0UzoHYexYVCkyzQl1O2hktazd +Cankh/6IlAFkKbUSDqAwc07jNCkCgYEA5H0tNXpcDN6JTgKNe8YHM0GjZB+qGEoL +7YZbFlANjO9pOPY6JMQ3+DbOoruIH97CIyVYokuH0qRAfjm5LNiVYECFVFZRnGFb +BNPOPAnPJPISDF66zjW0KLMYCykJAHQ4SpHUPcJ6JnfBr76s/xSbNI9qnhpy3QYI +ATkqOrP25xsCgYEAy3pjmJGEv5BloM942VSv2yWRFn2UeuELXWrYuIMVbqndh6tH +50PNeA+XNtK4vktx3Bl2pzTybnrvDkRBwQsXT0lj4Y/Q2X509uWJb6plYiTtxLah +S7I8UUMIHbR4qFmdQvXCw0sikvjeJ2HKZaVml3ntmZs5+5N3GzolGcrYUXECgYEA +pPsBnsCoIJ66s7pCIKIfZtI5QT1f20P0EuDVemn5Ls9bwcaAuzV3WGFymKwiISj+ +MtRviFhTTTROYRYa8Be+3A4ad4gQS4M8bmLlYhKPIJUtlQL9jZHXcR/H9578ofhJ +AQcFIkb/XjFQiC58yX4+hxgbGufsEk2dkAyPwm1ZlQsCgYBTjnraJbYSz1v3MQKx +fHm9eHki/ODR3lWiCYYnnW3AwRa7AXS4ZiSw78wzkUX2XTJbE6JlEUH4M9DMzr4y +QBwKmx+3u+Im4WcZ889jo6XrF0X9mXRmY25+gr2ypTbKZjT8FCYcXIgiOxITLXZh +Bmn7KZcsdaPxSFn05ASEanLNqA== +-----END PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qocsp/certs/infbobchain.crt b/tests/auto/network/ssl/qocsp/certs/infbobchain.crt new file mode 100644 index 0000000000..7ed13c2856 --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/infbobchain.crt @@ -0,0 +1,49 @@ +-----BEGIN CERTIFICATE----- +MIIEHjCCAwagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMCTk8x +DTALBgNVBAgMBE9zbG8xEjAQBgNVBAcMCU9zbG8gQ2l0eTETMBEGA1UECgwKVGhl +IFF0IENBMTENMAsGA1UECwwEUVRDTjERMA8GA1UEAwwIY2ExcXQuaW8xJTAjBgkq +hkiG9w0BCQEWFnRpbXVyLnBvY2hlcHRzb3ZAcXQuaW8wHhcNMTgxMTIyMTAyOTM3 +WhcNMjgxMTE5MTAyOTM3WjCBmDELMAkGA1UEBhMCTk8xDTALBgNVBAgMBE9zbG8x +EjAQBgNVBAcMCU9zbG8gQ2l0eTEkMCIGA1UECgwbVGhlIEluZmFtb3VzIFNuZWFr +eSBCb2IgTHRkMQwwCgYDVQQLDANCREExEzARBgNVBAMMCmluZmJvYi5jb20xHTAb +BgkqhkiG9w0BCQEWDmJvYkBpbmZib2IuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5Bdgbj5ZEGtzsScZ20PoMtZgMWhhs355hqHK2sVUikrLF980 +pHiK1gdZFt3YjrSGdY6L2H7RxrKqAReZOnzfXa9+5hSGZ4pRegatLHmIzVJeiNHe +wn9zSUn+0xufj/nQMjSzfGlyC3LWPJK5UnuMrG/vvcYGsLdg2C9yNCwXfltu4Xdg +ZX3JgeINl98zmrI2TPBeR0gcReXu331WlJggvEuI3V1EBG1DRZOh7nw8A4T9YDLa +Bih7rFjnSOTunEAH1FJkS0n4v41qHiiz2n24+yiHAPPmKIzr7m9oLjaTuNofX3PN +/4ApJASYcFzXSEI0VJ8+i7tOZA0xvV9vIG1/UwIDAQABo3sweTAJBgNVHRMEAjAA +MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd +BgNVHQ4EFgQUloqk6Iihkkcxp85jAzeUPGVmapkwHwYDVR0jBBgwFoAUeBcnAkU7 +sTqm7i2QvTxwgr0nQ0QwDQYJKoZIhvcNAQELBQADggEBAGCdYFNskTzMilRtmw+v +oJQM3mc6LdYYuADCuh8O/GKaqUnE7V2XnMBYWMN93eeN9VXmK2yAZaQU1J6ruP1S +pLMzJ8hbQej+sm+XAHVxAtr34KmEC50gIn1cB/sRKxHMombbNl7EK44puFU7q58P +zBz5lTXXTfA954D/ijEMMSDvIZ25me6vrGPMj1LX/wC6CWadSr9IxAO9HQVQQqwv +AbbqrCvMSMv633/f1EYU8Q6jhUCTlnin4pXtriOnqi+6MZICaYRCUgV224Rs3OUS +jmrbOeoaZUpmOVmuoYXWeexe229G2KGiEIgnSBEk5OLFHCeZ8++WJ5/SLHt8MBLc +O0w= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID9DCCAtygAwIBAgIJAMQbE3657KDYMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD +VQQGEwJOTzENMAsGA1UECAwET3NsbzESMBAGA1UEBwwJT3NsbyBDaXR5MRMwEQYD +VQQKDApUaGUgUXQgQ0ExMQ0wCwYDVQQLDARRVENOMREwDwYDVQQDDAhjYTFxdC5p +bzElMCMGCSqGSIb3DQEJARYWdGltdXIucG9jaGVwdHNvdkBxdC5pbzAeFw0xODEx +MjIxMDIxMTNaFw0yODExMTkxMDIxMTNaMIGOMQswCQYDVQQGEwJOTzENMAsGA1UE +CAwET3NsbzESMBAGA1UEBwwJT3NsbyBDaXR5MRMwEQYDVQQKDApUaGUgUXQgQ0Ex +MQ0wCwYDVQQLDARRVENOMREwDwYDVQQDDAhjYTFxdC5pbzElMCMGCSqGSIb3DQEJ +ARYWdGltdXIucG9jaGVwdHNvdkBxdC5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAOCs3AV7sDKHJUJcm7a0OqnShIvoB1qv6UcOmlBmUzGl5GzX90Jz +7jYJoOPjxjNyRxMOsOReB1ZcSuIAjkdAEfFMaVe6j7qKTJ5ycTVY/fVoxyxsSNuI +xOJ6RCEjLHcxONEbkN/xI8LMdVko3m4P10r5GxwrgyPvpa87Yq5+XJ1BPWJyKbD7 +Tqpn3dvZUj0/POsMUTT7Q7VXOfDlZj58XWAC6ECTqJauhGFMhiwgqOn2Qo1W0QjV +DkGqRTdgIAM6Rv2cSRxgnflwW5QZ8kWUV81h/yx4cck/D9TcVxjr3Pvy6aJ/U41u +d4XJQgwCj4LJi4msw1S0CvZWmz+2BKxcbRsCAwEAAaNTMFEwHQYDVR0OBBYEFHgX +JwJFO7E6pu4tkL08cIK9J0NEMB8GA1UdIwQYMBaAFHgXJwJFO7E6pu4tkL08cIK9 +J0NEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADp1kqDRcyVG +BdMge+Il10IjbpzzSjAoZiqiw69V99LiHW9ePbxG4AmliE6Za60GE5PCXOLjJh/5 +efgnIbybbyIOIT9iK4TXWLw2XW+rMY51c0RAxp2h/sc+5CZ0F0I811F5VUHXg2qR +U7C2zbzqAimN8TBm6FRe7NFQfqLCrsuFJjSc3obrqKQcpvRwxMk6NpkdoemzqLmY +lrBrTaeVbZ4ix3srVPvXRm9TdiC+JuuFmvulMfe+/wwnhb+dwT3JUC+EIq/Uf5Wb +g8lvB4ntitL8NLQ2hFGqYuoFNIGs6tRN71ohk+/ONqe9wJhcI9QAruPOvsg+8J0H +uGooX7PUNHg= +-----END CERTIFICATE----- diff --git a/tests/auto/network/ssl/qocsp/certs/ss1-private.key b/tests/auto/network/ssl/qocsp/certs/ss1-private.key new file mode 100644 index 0000000000..1c42daaf9f --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/ss1-private.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC4bXcfIjweShLx +6jBTKu/i5sXmlwTH9Z4PTzQ1VteKyEIDlnW5ocVWqRgBrvz3NlTFkDKkQXshkXyE +JyVZFbAPCfGsroZVISpFhUmJbPMBNn3SyGEU+sxWIpOZOKmG5tel6B4Bt5TWsRHL +mtU8Pv/APsz+i9JhgE25ksGhx16MqvdRv/xNGleF8qe+hDOeiNF3/lNv2hYb/MvD +1F73FBoDVnqty/VXXOJFb7elLE4ArXsTN/hip42Lbl1guYvnqnTZFhCHwMzRu4qc +3FTlemumfJpacpRnqVw2TURA5SdpTp9NYIxygEGNY201meNEjAEyg8GeFkAgu99R +LPQT+rTNAgMBAAECggEAPQEIfCXo2OQLrDWY0onLW7SWFZYyoKngJJRAYrxdA60G +GQW13zdhfS7ln/jv+B3ioI74EVkPj6T+GQCR3AvOdssFQ+dey93yi5hxIKIHJ4mM +ySI66qOi34MEa5RQjyzgfCJxeoPtGa7sgfqvOgRkuISNbk11w4abLx0aK5c08TY0 +JdeoWWhATaFZXl782Aw2FwGPTwOIf7GB09BJS3qUqlMT9fowLmWO10jOKkNtvcnT +2mAqT5cdZG1ffT5+f0JETPCbBPhhyE7VyYEVQfqTkRnEoz3hcZvjx91jD527+CSL +Qhg7zZu2oakyJQvpHETZ6cgrs7uDEiol7ARANezwyQKBgQDmapxV/qIOd5WFDVXw +lGt+dsELBBdMhvzr4A9eZdIZiXu48rdFG0XoECo5BKpXa1+ISr2od0U0YODrJrws +OHxHhlxGjJFs8kFteUPHyEZv6/rvkbA+xc0Uw04NnDRHBLK8VvX7MBWfvTqLN4bK +sZsMblscRBtEpFpN1fiJgnNASwKBgQDM56lBugtueBV9M4C/JF2is96d14ue3Y4i +SgMnHY18D3ru+KDuxPYoIs5Yos2vDWK2k8754WZ+WNXokjRoYPiFbeBPpI9NudJs +BUJz/sLJHjs3a4HrQs3hCuufczNxq9wQnALQHCMEqeBUTYCu/1+zYgwAu3Z/R8rJ +jKgexl+gRwKBgGrLCNCWpze7VzKGvsk1kSjZE5nueHoAqqMMgzMGUD2DyjMrU6QV +Au6O53Lr5aOE4Y9CzOqS9SFUsYprtpVsTLW94XDVX+W11ntN1At5mKPxJKn6xUwi +022HI9sNBfHQjKLcTz/vxmX2B3dU8gVqEenOEC5mppjG8A/ZV0ssigxHAoGAfGsG +OSSwoElGMxm8yVNZj9vMBufEnZhGH8f1FiE5seTsboKFpbXvCfvoc6WXYv2rvNUP +TmdxBrMGYAu2ytJm1Q4cr/9qDHYSsQiYizpcKCa1KjebUbDktgsde1pGGHWUUHmK +s7cCBGjqEAZnZtslzxRv2Vn639pF5hAEXXtywS0CgYAUIjhp43qgtbQdZMX7xbVR +lT26aq7NguCtt7njpgkhqc0HThb3I8ImrhNSDcS0/T9dPU70vt0ceruyRXmwX5hA +l28i5GzF5ufaRQdcsSR9u+P67nD5sTZBesbejXFySis5EC/97A4XZvkSfY4DQSZ+ +u8JJPZUlb2kGAHRpmxvpDA== +-----END PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qocsp/certs/ss1.crt b/tests/auto/network/ssl/qocsp/certs/ss1.crt new file mode 100644 index 0000000000..43ca8316c2 --- /dev/null +++ b/tests/auto/network/ssl/qocsp/certs/ss1.crt @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKzCCAxOgAwIBAgIJAOO/b5uLSmT8MA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD +VQQGEwJOTzENMAsGA1UECAwET3NsbzENMAsGA1UEBwwET3NsbzESMBAGA1UECgwJ +VGhlIFF0IENBMScwJQYDVQQLDB5SJkQgKGZha2UgY2VydGlmaWNhdGVzIGlzc3Vl +cikxGTAXBgNVBAMMEFRpbXVyIFBvY2hlcHRzb3YxJTAjBgkqhkiG9w0BCQEWFnRp +bXVyLnBvY2hlcHRzb3ZAcXQuaW8wIBcNMTgxMTE3MDUxNDA1WhgPMjExODEwMjQw +NTE0MDVaMIGqMQswCQYDVQQGEwJOTzENMAsGA1UECAwET3NsbzENMAsGA1UEBwwE +T3NsbzESMBAGA1UECgwJVGhlIFF0IENBMScwJQYDVQQLDB5SJkQgKGZha2UgY2Vy +dGlmaWNhdGVzIGlzc3VlcikxGTAXBgNVBAMMEFRpbXVyIFBvY2hlcHRzb3YxJTAj +BgkqhkiG9w0BCQEWFnRpbXVyLnBvY2hlcHRzb3ZAcXQuaW8wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC4bXcfIjweShLx6jBTKu/i5sXmlwTH9Z4PTzQ1 +VteKyEIDlnW5ocVWqRgBrvz3NlTFkDKkQXshkXyEJyVZFbAPCfGsroZVISpFhUmJ +bPMBNn3SyGEU+sxWIpOZOKmG5tel6B4Bt5TWsRHLmtU8Pv/APsz+i9JhgE25ksGh +x16MqvdRv/xNGleF8qe+hDOeiNF3/lNv2hYb/MvD1F73FBoDVnqty/VXXOJFb7el +LE4ArXsTN/hip42Lbl1guYvnqnTZFhCHwMzRu4qc3FTlemumfJpacpRnqVw2TURA +5SdpTp9NYIxygEGNY201meNEjAEyg8GeFkAgu99RLPQT+rTNAgMBAAGjUDBOMB0G +A1UdDgQWBBSyHPlJr6BrpwMY7Sxg2R3CpQR7UzAfBgNVHSMEGDAWgBSyHPlJr6Br +pwMY7Sxg2R3CpQR7UzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBD +o86xp1WwvX6mYzF94ifZlkq1aDN6/njj2B9fvJCtygfqq6b9BrQJ0hNeqRh8OaIh +v2YmjbdUaoYguHmUxL+SeS67Sp8QBoSwdU5x0i8ygrigBrbb3myNqN6hGvpGy9E0 +B8PnVDt9DaOCunaMyGNPMLNPVGYULmberGtxV9wilcH4Q6WZrk9IhuyfqeBZtBYM +IcjV3OKdUv/ggu2IZSN7njKcgr+uyPt0Ymo9GozJSTdnN/E4hsRgzcgzCMf2fxzj +nGcsDRQ4L1R8p1zDlduxmmk42zGCGz3duFX7dijAxJWirS8Zsea4aooLgDQYT/zI +8hKd3KC3knLhPcxFKiUg +-----END CERTIFICATE----- diff --git a/tests/auto/network/ssl/qocsp/qocsp.pro b/tests/auto/network/ssl/qocsp/qocsp.pro new file mode 100644 index 0000000000..f4e846f39b --- /dev/null +++ b/tests/auto/network/ssl/qocsp/qocsp.pro @@ -0,0 +1,15 @@ +CONFIG += testcase + +SOURCES += tst_qocsp.cpp +QT = core network network-private testlib + +TARGET = tst_qocsp + +win32 { + CONFIG(debug, debug|release) { + DESTDIR = debug + } else { + DESTDIR = release + } +} + diff --git a/tests/auto/network/ssl/qocsp/tst_qocsp.cpp b/tests/auto/network/ssl/qocsp/tst_qocsp.cpp new file mode 100644 index 0000000000..9716c04bbb --- /dev/null +++ b/tests/auto/network/ssl/qocsp/tst_qocsp.cpp @@ -0,0 +1,823 @@ +/**************************************************************************** + ** + ** Copyright (C) 2018 The Qt Company Ltd. + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the test suite of the Qt Toolkit. + ** + ** $QT_BEGIN_LICENSE:GPL-EXCEPT$ + ** Commercial License Usage + ** Licensees holding valid commercial Qt licenses may use this file in + ** accordance with the commercial license agreement provided with the + ** Software or, alternatively, in accordance with the terms contained in + ** a written agreement between you and The Qt Company. For licensing terms + ** and conditions see https://www.qt.io/terms-conditions. For further + ** information use the contact form at https://www.qt.io/contact-us. + ** + ** GNU General Public License Usage + ** Alternatively, this file may be used under the terms of the GNU + ** General Public License version 3 as published by the Free Software + ** Foundation with exceptions as appearing in the file LICENSE.GPL3-EXCEPT + ** included in the packaging of this file. Please review the following + ** information to ensure the GNU General Public License requirements will + ** be met: https://www.gnu.org/licenses/gpl-3.0.html. + ** + ** $QT_END_LICENSE$ + ** + ****************************************************************************/ + +#include <QtTest/QtTest> + +#include <QtNetwork/private/qtnetworkglobal_p.h> + +#include <QtNetwork/private/qsslsocket_openssl_symbols_p.h> +#include <QtNetwork/private/qsslsocket_openssl_p.h> + +#include <QtNetwork/qsslcertificate.h> +#include <QtNetwork/qtcpserver.h> +#include <QtNetwork/qsslerror.h> +#include <QtNetwork/qsslkey.h> +#include <QtNetwork/qssl.h> + +#include <QtCore/qsharedpointer.h> +#include <QtCore/qbytearray.h> +#include <QtCore/qfileinfo.h> +#include <QtCore/qstring.h> +#include <QtCore/qfile.h> +#include <QtCore/qlist.h> +#include <QtCore/qdir.h> + +#include <openssl/ocsp.h> + +#include <algorithm> +#include <utility> + +// NOTE: the word 'subject' in the code below means the subject of a status request, +// so in general it's our peer's certificate we are asking about. + +using SslError = QT_PREPEND_NAMESPACE(QSslError); +using VectorOfErrors = QT_PREPEND_NAMESPACE(QVector<SslError>); +using Latin1String = QT_PREPEND_NAMESPACE(QLatin1String); + +Q_DECLARE_METATYPE(SslError) +Q_DECLARE_METATYPE(VectorOfErrors) +Q_DECLARE_METATYPE(Latin1String) + +QT_BEGIN_NAMESPACE + +namespace { + +using OcspResponse = QSharedPointer<OCSP_RESPONSE>; +using BasicResponse = QSharedPointer<OCSP_BASICRESP>; +using SingleResponse = QSharedPointer<OCSP_SINGLERESP>; +using CertId = QSharedPointer<OCSP_CERTID>; +using EvpKey = QSharedPointer<EVP_PKEY>; +using Asn1Time = QSharedPointer<ASN1_TIME>; +using CertificateChain = QList<QSslCertificate>; + +using NativeX509Ptr = X509 *; + +class X509Stack { +public: + explicit X509Stack(const QList<QSslCertificate> &chain); + + ~X509Stack(); + + int size() const; + X509 *operator[](int index) const; + operator STACK_OF(X509) *() const; + +private: + OPENSSL_STACK *stack = nullptr; + + Q_DISABLE_COPY(X509Stack) +}; + +X509Stack::X509Stack(const QList<QSslCertificate> &chain) +{ + if (!chain.size()) + return; + + stack = q_OPENSSL_sk_new_null(); + if (!stack) + return; + + for (const QSslCertificate &cert : chain) { + X509 *nativeCert = NativeX509Ptr(cert.handle()); + if (!nativeCert) + continue; + q_OPENSSL_sk_push(stack, nativeCert); + q_X509_up_ref(nativeCert); + } +} + +X509Stack::~X509Stack() +{ + if (stack) + q_OPENSSL_sk_pop_free(stack, reinterpret_cast<void(*)(void*)>(q_X509_free)); +} + +int X509Stack::size() const +{ + if (stack) + return q_OPENSSL_sk_num(stack); + return 0; +} + +X509 *X509Stack::operator[](int index) const +{ + return NativeX509Ptr(q_OPENSSL_sk_value(stack, index)); +} + +X509Stack::operator STACK_OF(X509) *() const +{ + return reinterpret_cast<STACK_OF(X509)*>(stack); +} + +struct OcspTimeStamp +{ + OcspTimeStamp() = default; + OcspTimeStamp(long secondsBeforeNow, long secondsAfterNow); + + static Asn1Time timeToAsn1Time(long adjustment); + + Asn1Time thisUpdate; + Asn1Time nextUpdate; +}; + +OcspTimeStamp::OcspTimeStamp(long secondsBeforeNow, long secondsAfterNow) +{ + Asn1Time start = timeToAsn1Time(secondsBeforeNow); + Asn1Time end = timeToAsn1Time(secondsAfterNow); + if (start.data() && end.data()) { + thisUpdate.swap(start); + nextUpdate.swap(end); + } +} + +Asn1Time OcspTimeStamp::timeToAsn1Time(long adjustment) +{ + if (ASN1_TIME *adjusted = q_X509_gmtime_adj(nullptr, adjustment)) + return Asn1Time(adjusted, q_ASN1_TIME_free); + return Asn1Time{}; +} + +struct OcspResponder +{ + OcspResponder(const OcspTimeStamp &stamp, const CertificateChain &subjs, + const CertificateChain &respChain, const QSslKey &respPKey); + + QByteArray buildResponse(int responseStatus, int certificateStatus) const; + static EvpKey privateKeyToEVP_PKEY(const QSslKey &privateKey); + static CertId certificateToCertId(X509 *subject, X509 *issuer); + static QByteArray responseToDer(OCSP_RESPONSE *response); + + OcspTimeStamp timeStamp; + // Plural, we can send a 'wrong' BasicResponse containing more than + // 1 SingleResponse. + X509Stack subjects; + X509Stack responderChain; + QSslKey responderKey; +}; + +OcspResponder::OcspResponder(const OcspTimeStamp &stamp, const CertificateChain &subjs, + const CertificateChain &respChain, const QSslKey &respPKey) + : timeStamp(stamp), + subjects(subjs), + responderChain(respChain), + responderKey(respPKey) +{ +} + +QByteArray OcspResponder::buildResponse(int responseStatus, int certificateStatus) const +{ + if (responseStatus != OCSP_RESPONSE_STATUS_SUCCESSFUL) { + OCSP_RESPONSE *response = q_OCSP_response_create(responseStatus, nullptr); + if (!response) + return {}; + const OcspResponse rGuard(response, q_OCSP_RESPONSE_free); + return responseToDer(response); + } + + Q_ASSERT(subjects.size() && responderChain.size() && responderKey.handle()); + + const EvpKey nativeKey = privateKeyToEVP_PKEY(responderKey); + if (!nativeKey.data()) + return {}; + + OCSP_BASICRESP *basicResponse = q_OCSP_BASICRESP_new(); + if (!basicResponse) + return {}; + const BasicResponse brGuard(basicResponse, q_OCSP_BASICRESP_free); + + for (int i = 0, e = subjects.size(); i < e; ++i) { + X509 *subject = subjects[i]; + Q_ASSERT(subject); + CertId certId = certificateToCertId(subject, responderChain[0]); + if (!certId.data()) + return {}; + + // NOTE: we do not own this 'singleResponse': + ASN1_TIME *revisionTime = certificateStatus == V_OCSP_CERTSTATUS_REVOKED ? + timeStamp.thisUpdate.data() : nullptr; + + if (!q_OCSP_basic_add1_status(basicResponse, certId.data(), certificateStatus, 0, revisionTime, + timeStamp.thisUpdate.data(), timeStamp.nextUpdate.data())) { + return {}; + } + } + + if (q_OCSP_basic_sign(basicResponse, responderChain[0], nativeKey.data(), q_EVP_sha1(), + responderChain, 0) != 1) { + return {}; + } + + OCSP_RESPONSE *ocspResponse = q_OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, basicResponse); + if (!ocspResponse) + return {}; + const OcspResponse rGuard(ocspResponse, q_OCSP_RESPONSE_free); + return responseToDer(ocspResponse); +} + +EvpKey OcspResponder::privateKeyToEVP_PKEY(const QSslKey &privateKey) +{ + const EvpKey nullKey; + if (privateKey.isNull() || privateKey.algorithm() != QSsl::Rsa) { + // We use only RSA keys in this auto-test, since we test OCSP only, + // not handshake/TLS in general. + return nullKey; + } + + EVP_PKEY *nativeKey = q_EVP_PKEY_new(); + if (!nativeKey) + return nullKey; + + const EvpKey keyGuard(nativeKey, q_EVP_PKEY_free); + if (!q_EVP_PKEY_set1_RSA(nativeKey, reinterpret_cast<RSA *>(privateKey.handle()))) + return nullKey; + + return keyGuard; +} + +CertId OcspResponder::certificateToCertId(X509 *subject, X509 *issuer) +{ + const CertId nullId; + if (!subject || !issuer) + return nullId; + + const EVP_MD *digest = q_EVP_sha1(); + if (!digest) + return nullId; + + OCSP_CERTID *certId = q_OCSP_cert_to_id(digest, subject, issuer); + if (!certId) + return nullId; + + return CertId(certId, q_OCSP_CERTID_free); +} + +QByteArray OcspResponder::responseToDer(OCSP_RESPONSE *response) +{ + if (!response) + return {}; + + const int derSize = q_i2d_OCSP_RESPONSE(response, nullptr); + if (derSize <= 0) + return {}; + + QByteArray derData(derSize, Qt::Uninitialized); + unsigned char *pData = reinterpret_cast<unsigned char *>(derData.data()); + const int serializedSize = q_i2d_OCSP_RESPONSE(response, &pData); + if (serializedSize != derSize) + return {}; + + return derData; +} + +// The QTcpServer capable of sending OCSP status responses. +class OcspServer : public QTcpServer +{ + Q_OBJECT + +public: + OcspServer(const CertificateChain &serverChain, const QSslKey &privateKey); + + void configureResponse(const QByteArray &responseDer); + QString hostName() const; + QString peerVerifyName() const; + +Q_SIGNALS: + void internalServerError(); + +private: + void incomingConnection(qintptr descriptor) override; + +public: + QSslConfiguration serverConfig; + QSslSocket serverSocket; +}; + +OcspServer::OcspServer(const CertificateChain &serverChain, const QSslKey &privateKey) +{ + Q_ASSERT(serverChain.size()); + Q_ASSERT(!privateKey.isNull()); + + serverConfig = QSslConfiguration::defaultConfiguration(); + serverConfig.setLocalCertificateChain(serverChain); + serverConfig.setPrivateKey(privateKey); +} + +void OcspServer::configureResponse(const QByteArray &responseDer) +{ + serverConfig.setBackendConfigurationOption("Qt-OCSP-response", responseDer); +} + +QString OcspServer::hostName() const +{ + // It's 'name' and not 'address' to be consistent with QSslSocket's naming style, + // where it's connectToHostEncrypted(hostName, ...) + const QHostAddress &addr = serverAddress(); + if (addr == QHostAddress::Any || addr == QHostAddress::AnyIPv4) + return QStringLiteral("127.0.0.1"); + if (addr == QHostAddress::AnyIPv6) + return QStringLiteral("::1"); + return addr.toString(); +} + +QString OcspServer::peerVerifyName() const +{ + const CertificateChain &localChain = serverConfig.localCertificateChain(); + if (localChain.isEmpty()) + return {}; + const auto cert = localChain.first(); + if (cert.isNull()) + return {}; + + const QStringList &names = cert.subjectInfo(QSslCertificate::CommonName); + return names.isEmpty() ? QString{} : names.first(); +} + +void OcspServer::incomingConnection(qintptr socketDescriptor) +{ + close(); + + if (!serverSocket.setSocketDescriptor(socketDescriptor)) { + emit internalServerError(); + return; + } + + serverSocket.setSslConfiguration(serverConfig); + // Since we test a client, not a server, we don't care about any + // possible errors on the server (QAbstractSocket or QSslSocket-related). + // Thus, we don't connect to any error signal. + serverSocket.startServerEncryption(); +} + +} // unnamed namespace + +class tst_QOcsp : public QObject +{ + Q_OBJECT + +public slots: + void initTestCase(); + +private slots: + void connectSelfSigned(); + void badStatus_data(); + void badStatus(); + void multipleSingleResponses(); + void malformedResponse(); + void expiredResponse_data(); + void expiredResponse(); + void noNextUpdate(); + void wrongCertificateInResponse_data(); + void wrongCertificateInResponse(); + void untrustedResponder(); + + // OCSPTODO: more tests in future ... + +private: + void setupOcspClient(QSslSocket &clientSocket, const CertificateChain &trustedCAs, + const QString &peerName); + bool containsOcspErrors(const QList<QSslError> &errorsFound) const; + static bool containsError(const QList<QSslError> &errors, QSslError::SslError code); + static QByteArray goodResponse(const CertificateChain &subject, const CertificateChain &responder, + const QSslKey &privateKey, long beforeNow = -1000, long afterNow = 1000); + static bool loadPrivateKey(const QString &keyName, QSslKey &key); + static CertificateChain issuerToChain(const CertificateChain &chain); + static CertificateChain subjectToChain(const CertificateChain &chain); + + static QString certDirPath; + + void (QSslSocket::*socketErrorSignal)(QAbstractSocket::SocketError) = &QAbstractSocket::error; + void (QSslSocket::*tlsErrorsSignal)(const QList<QSslError> &) = &QSslSocket::sslErrors; + void (QTestEventLoop::*exitLoopSlot)() = &QTestEventLoop::exitLoop; + + const int handshakeTimeoutMS = 500; + QTestEventLoop loop; + + std::vector<QSslError::SslError> ocspErrorCodes = {QSslError::OcspNoResponseFound, + QSslError::OcspMalformedRequest, + QSslError::OcspMalformedResponse, + QSslError::OcspInternalError, + QSslError::OcspTryLater, + QSslError::OcspSigRequred, + QSslError::OcspUnauthorized, + QSslError::OcspResponseCannotBeTrusted, + QSslError::OcspResponseCertIdUnknown, + QSslError::OcspResponseExpired, + QSslError::OcspStatusUnknown}; +}; + +#define QCOMPARE_SINGLE_ERROR(sslSocket, expectedError) \ + const auto &tlsErrors = sslSocket.sslErrors(); \ + QCOMPARE(tlsErrors.size(), 1); \ + QCOMPARE(tlsErrors[0].error(), expectedError) + +#define QVERIFY_HANDSHAKE_WITHOUT_ERRORS(sslSocket) \ + QVERIFY(sslSocket.isEncrypted()); \ + QCOMPARE(sslSocket.state(), QAbstractSocket::ConnectedState); \ + QVERIFY(sslSocket.sslErrors().isEmpty()) + +#define QDECLARE_CHAIN(object, chainFileName) \ + CertificateChain object = QSslCertificate::fromPath(certDirPath + QLatin1String(chainFileName)); \ + QVERIFY(object.size()) + +#define QDECLARE_PRIVATE_KEY(key, keyFileName) \ + QSslKey key; \ + QVERIFY(loadPrivateKey(QLatin1String(keyFileName), key)) + +QString tst_QOcsp::certDirPath; + +void tst_QOcsp::initTestCase() +{ + QVERIFY(QSslSocket::supportsSsl()); + + certDirPath = QFileInfo(QFINDTESTDATA("certs")).absolutePath(); + QVERIFY(certDirPath.size() > 0); + certDirPath += QDir::separator() + QStringLiteral("certs") + QDir::separator(); +} + +void tst_QOcsp::connectSelfSigned() +{ + // This test may look a bit confusing, since we have essentially 1 + // self-signed certificate, which we trust for the purpose of this test, + // but we also request its (the certificate's) status and then we sign + // the status response using the same certificate and the corresponding + // private key. Anyway, we test the very basic things here: we send + // an OCSP status request, we verify the response (if server has sent it), + // and detect errors (if any). + QDECLARE_CHAIN(subjectChain, "ss1.crt"); + QDECLARE_CHAIN(responderChain, "ss1.crt"); + QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key"); + { + // This server ignores our status request: + const QSslError::SslError expectedError = QSslError::OcspNoResponseFound; + + OcspServer server(subjectChain, privateKey); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + QSslConfiguration clientConfig = QSslConfiguration::defaultConfiguration(); + auto roots = clientConfig.caCertificates(); + setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY(!clientSocket.isEncrypted()); + QCOMPARE_SINGLE_ERROR(clientSocket, expectedError); + } + { + // Now the server will send a valid 'status: good' response. + OcspServer server(subjectChain, privateKey); + const QByteArray response(goodResponse(subjectChain, responderChain, privateKey)); + QVERIFY(response.size()); + server.configureResponse(response); + QVERIFY(server.listen()); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY_HANDSHAKE_WITHOUT_ERRORS(clientSocket); + } +} + +void tst_QOcsp::badStatus_data() +{ + QTest::addColumn<int>("responseStatus"); + QTest::addColumn<int>("certificateStatus"); + QTest::addColumn<QSslError>("expectedError"); + + QTest::addRow("malformed-request") << OCSP_RESPONSE_STATUS_MALFORMEDREQUEST << 1 << QSslError(QSslError::OcspMalformedRequest); + QTest::addRow("internal-error") << OCSP_RESPONSE_STATUS_INTERNALERROR << 2 << QSslError(QSslError::OcspInternalError); + QTest::addRow("try-later") << OCSP_RESPONSE_STATUS_TRYLATER << 3 << QSslError(QSslError::OcspTryLater); + QTest::addRow("signed-request-require") << OCSP_RESPONSE_STATUS_SIGREQUIRED << 2 << QSslError(QSslError::OcspSigRequred); + QTest::addRow("unauthorized-request") << OCSP_RESPONSE_STATUS_UNAUTHORIZED << 1 <<QSslError(QSslError::OcspUnauthorized); + + QTest::addRow("certificate-revoked") << OCSP_RESPONSE_STATUS_SUCCESSFUL << V_OCSP_CERTSTATUS_REVOKED + << QSslError(QSslError::CertificateRevoked); + QTest::addRow("status-unknown") << OCSP_RESPONSE_STATUS_SUCCESSFUL << V_OCSP_CERTSTATUS_UNKNOWN + << QSslError(QSslError::OcspStatusUnknown); +} + +void tst_QOcsp::badStatus() +{ + // This test works with two types of 'bad' responses: + // 1. 'Error messages' (the response's status is anything but SUCCESSFUL, + // no information about the certificate itself, no signature); + // 2. 'REVOKED' or 'UNKNOWN' status for a certificate in question. + QFETCH(const int, responseStatus); + QFETCH(const int, certificateStatus); + QFETCH(const QSslError, expectedError); + + QDECLARE_CHAIN(subjectChain, "infbobchain.crt"); + QCOMPARE(subjectChain.size(), 2); + QDECLARE_CHAIN(responderChain, "ca1.crt"); + QDECLARE_PRIVATE_KEY(subjPrivateKey, "infbob.key"); + QDECLARE_PRIVATE_KEY(respPrivateKey, "ca1.key"); + + OcspServer server(subjectChain, subjPrivateKey); + const OcspTimeStamp stamp(-1000, 1000); + OcspResponder builder(stamp, subjectToChain(subjectChain), responderChain, respPrivateKey); + const QByteArray response(builder.buildResponse(responseStatus, certificateStatus)); + QVERIFY(response.size()); + server.configureResponse(response); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY(!clientSocket.isEncrypted()); + QCOMPARE_SINGLE_ERROR(clientSocket, expectedError.error()); +} + +void tst_QOcsp::multipleSingleResponses() +{ + // We handle a response with more than one SingleResponse as malformed: + const QSslError::SslError expectedError = QSslError::OcspMalformedResponse; + + // Here we use subjectChain only to generate a response, the server + // is configured with the responder chain (it's the same cert after all). + QDECLARE_CHAIN(subjectChain, "ss1.crt"); + QDECLARE_CHAIN(responderChain, "ss1.crt"); + QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key"); + + // Let's have more than 1 certificate in a chain: + subjectChain.append(subjectChain[0]); + + OcspServer server(responderChain, privateKey); + // Generate a BasicOCSPResponse containing 2 SingleResponses: + const QByteArray response(goodResponse(subjectChain, responderChain, privateKey)); + QVERIFY(response.size()); + server.configureResponse(response); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, issuerToChain(responderChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY(!clientSocket.isEncrypted()); + QCOMPARE_SINGLE_ERROR(clientSocket, expectedError); +} + +void tst_QOcsp::malformedResponse() +{ + QDECLARE_CHAIN(serverChain, "ss1.crt"); + QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key"); + + OcspServer server(serverChain, privateKey); + // Let's send some arbitrary bytes instead of DER and see what happens next: + server.configureResponse("Sure, you can trust me, this cert was not revoked (I don't say it was issued at all)!"); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, issuerToChain(serverChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY(!clientSocket.isEncrypted()); + QCOMPARE(clientSocket.error(), QAbstractSocket::SslHandshakeFailedError); +} + +void tst_QOcsp::expiredResponse_data() +{ + QTest::addColumn<long>("beforeNow"); + QTest::addColumn<long>("afterNow"); + + QTest::addRow("expired") << -2000L << -1000L; + QTest::addRow("not-valid-yet") << 5000L << 10000L; + QTest::addRow("next-before-this") << -1000L << -2000L; +} + +void tst_QOcsp::expiredResponse() +{ + // We report different kinds of problems with [thisUpdate, nextUpdate] + // as 'expired' (to keep it simple): + const QSslError::SslError expectedError = QSslError::OcspResponseExpired; + + QFETCH(const long, beforeNow); + QFETCH(const long, afterNow); + + QDECLARE_CHAIN(subjectChain, "ss1.crt"); + QDECLARE_CHAIN(responderChain, "ss1.crt"); + QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key"); + + OcspServer server(subjectChain, privateKey); + const QByteArray response(goodResponse(subjectChain, responderChain, privateKey, beforeNow, afterNow)); + QVERIFY(response.size()); + server.configureResponse(response); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY(!clientSocket.isEncrypted()); + QCOMPARE_SINGLE_ERROR(clientSocket, expectedError); +} + +void tst_QOcsp::noNextUpdate() +{ + // RFC2560, 2.4: + // "If nextUpdate is not set, the responder is indicating that newer + // revocation information is available all the time." + // + // This test is just to verify that we correctly handle such responses. + QDECLARE_CHAIN(subjectChain, "ss1.crt"); + QDECLARE_CHAIN(responderChain, "ss1.crt"); + QDECLARE_PRIVATE_KEY(privateKey, "ss1-private.key"); + + OcspServer server(subjectChain, privateKey); + OcspTimeStamp openRange(-1000, 0); + openRange.nextUpdate.clear(); + const OcspResponder responder(openRange, subjectChain, responderChain, privateKey); + const QByteArray response(responder.buildResponse(OCSP_RESPONSE_STATUS_SUCCESSFUL, + V_OCSP_CERTSTATUS_GOOD)); + QVERIFY(response.size()); + server.configureResponse(response); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY_HANDSHAKE_WITHOUT_ERRORS(clientSocket); +} + +void tst_QOcsp::wrongCertificateInResponse_data() +{ + QTest::addColumn<QLatin1String>("respChainName"); + QTest::addColumn<QLatin1String>("respKeyName"); + QTest::addColumn<QLatin1String>("wrongChainName"); + + QTest::addRow("same-CA-wrong-subject") << QLatin1String("ca1.crt") << QLatin1String("ca1.key") + << QLatin1String("alice.crt"); + QTest::addRow("wrong-CA-same-subject") << QLatin1String("ss1.crt") << QLatin1String("ss1-private.key") + << QLatin1String("alice.crt"); + QTest::addRow("wrong-CA-wrong-subject") << QLatin1String("ss1.crt") << QLatin1String("ss1-private.key") + << QLatin1String("ss1.crt"); +} + +void tst_QOcsp::wrongCertificateInResponse() +{ + QFETCH(const QLatin1String, respChainName); + QFETCH(const QLatin1String, respKeyName); + QFETCH(const QLatin1String, wrongChainName); + // In this test, the server will send a valid response (correctly signed + // by a trusted key/cert) but for a wrong certificate (not the one the + // server presented to the client in the server's 'Certificate' message). + const QSslError::SslError expectedError = QSslError::OcspResponseCertIdUnknown; + + QDECLARE_CHAIN(subjectChain, "infbobchain.crt"); + QDECLARE_PRIVATE_KEY(subjectKey, "infbob.key"); + QDECLARE_CHAIN(responderChain, respChainName); + QDECLARE_PRIVATE_KEY(responderKey, respKeyName); + + QDECLARE_CHAIN(wrongChain, wrongChainName); + + OcspServer server(subjectToChain(subjectChain), subjectKey); + const QByteArray wrongResponse(goodResponse(wrongChain, responderChain, responderKey)); + QVERIFY(wrongResponse.size()); + server.configureResponse(wrongResponse); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, issuerToChain(subjectChain), server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY(!clientSocket.isEncrypted()); + QVERIFY(containsError(clientSocket.sslErrors(), expectedError)); +} + +void tst_QOcsp::untrustedResponder() +{ + const QSslError::SslError expectedError = QSslError::OcspResponseCannotBeTrusted; + + QDECLARE_CHAIN(subjectChain, "infbobchain.crt"); + QDECLARE_PRIVATE_KEY(subjectKey, "infbob.key"); + QDECLARE_CHAIN(responderChain, "ca1.crt"); + QDECLARE_PRIVATE_KEY(responderKey, "ca1.key"); + + OcspServer server(subjectChain, subjectKey); + const QByteArray response(goodResponse(subjectToChain(subjectChain), responderChain, responderKey)); + QVERIFY(response.size()); + server.configureResponse(response); + QVERIFY(server.listen()); + connect(&server, &OcspServer::internalServerError, &loop, exitLoopSlot); + + QSslSocket clientSocket; + setupOcspClient(clientSocket, {}, server.peerVerifyName()); + clientSocket.connectToHostEncrypted(server.hostName(), server.serverPort()); + loop.enterLoopMSecs(handshakeTimeoutMS); + + QVERIFY(!clientSocket.isEncrypted()); + QVERIFY(containsError(clientSocket.sslErrors(), expectedError)); +} + +void tst_QOcsp::setupOcspClient(QSslSocket &clientSocket, const CertificateChain &caCerts, const QString &name) +{ + QSslConfiguration clientConfig = QSslConfiguration::defaultConfiguration(); + clientConfig.setOcspStaplingEnabled(true); + + if (caCerts.size()) { + auto roots = clientConfig.caCertificates(); + roots.append(caCerts); + clientConfig.setCaCertificates(roots); + } + + clientSocket.setSslConfiguration(clientConfig); + clientSocket.setPeerVerifyName(name); + + connect(&clientSocket, socketErrorSignal, &loop, exitLoopSlot); + connect(&clientSocket, tlsErrorsSignal, &loop, exitLoopSlot); + connect(&clientSocket, &QSslSocket::encrypted, &loop, exitLoopSlot); +} + +bool tst_QOcsp::containsOcspErrors(const QList<QSslError> &errorsFound) const +{ + for (auto code : ocspErrorCodes) { + if (containsError(errorsFound, code)) + return true; + } + return false; +} + +bool tst_QOcsp::containsError(const QList<QSslError> &errors, QSslError::SslError code) +{ + const auto it = std::find_if(errors.begin(), errors.end(), + [&code](const QSslError &other){return other.error() == code;}); + return it != errors.end(); +} + +QByteArray tst_QOcsp::goodResponse(const CertificateChain &subject, const CertificateChain &responder, + const QSslKey &privateKey, long beforeNow, long afterNow) +{ + const OcspResponder builder(OcspTimeStamp(beforeNow, afterNow), subject, responder, privateKey); + return builder.buildResponse(OCSP_RESPONSE_STATUS_SUCCESSFUL, V_OCSP_CERTSTATUS_GOOD); +} + +bool tst_QOcsp::loadPrivateKey(const QString &keyFileName, QSslKey &key) +{ + QFile keyFile(certDirPath + keyFileName); + if (!keyFile.open(QIODevice::ReadOnly)) + return false; + key = QSslKey(keyFile.readAll(), QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey); + return !key.isNull(); +} + +CertificateChain tst_QOcsp::issuerToChain(const CertificateChain &chain) +{ + // Here we presume that, if the chain isn't a single self-signed certificate, its second + // entry is the issuer. + const int length = chain.size(); + Q_ASSERT(length > 0); + return CertificateChain() << chain[length > 1 ? 1 : 0]; +} + +CertificateChain tst_QOcsp::subjectToChain(const CertificateChain &chain) +{ + Q_ASSERT(chain.size()); + return CertificateChain() << chain[0]; +} + +QT_END_NAMESPACE + +QTEST_MAIN(tst_QOcsp) + +#include "tst_qocsp.moc" diff --git a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp index 7f8580ddd6..0c8535f2de 100644 --- a/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp +++ b/tests/auto/network/ssl/qsslcertificate/tst_qsslcertificate.cpp @@ -814,7 +814,7 @@ void tst_QSslCertificate::task256066toPem() void tst_QSslCertificate::nulInCN() { -#if defined(QT_SECURETRANSPORT) || defined(Q_OS_WINRT) +#if QT_CONFIG(securetransport) || defined(Q_OS_WINRT) || QT_CONFIG(schannel) QSKIP("Generic QSslCertificatePrivate fails this test"); #endif QList<QSslCertificate> certList = @@ -833,7 +833,7 @@ void tst_QSslCertificate::nulInCN() void tst_QSslCertificate::nulInSan() { -#if defined(QT_SECURETRANSPORT) || defined(Q_OS_WINRT) +#if QT_CONFIG(securetransport) || defined(Q_OS_WINRT) || QT_CONFIG(schannel) QSKIP("Generic QSslCertificatePrivate fails this test"); #endif QList<QSslCertificate> certList = @@ -968,7 +968,7 @@ void tst_QSslCertificate::subjectAndIssuerAttributes() void tst_QSslCertificate::verify() { -#ifdef QT_SECURETRANSPORT +#if QT_CONFIG(securetransport) QSKIP("Not implemented in SecureTransport"); #endif QList<QSslError> errors; diff --git a/tests/auto/network/ssl/qsslkey/BLACKLIST b/tests/auto/network/ssl/qsslkey/BLACKLIST index c0dfe5eb86..f9bc0af6de 100644 --- a/tests/auto/network/ssl/qsslkey/BLACKLIST +++ b/tests/auto/network/ssl/qsslkey/BLACKLIST @@ -1,2 +1,2 @@ -redhatenterpriselinuxworkstation-6.6 -rhel-7.4 +redhatenterpriselinuxworkstation +rhel diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pri-1024.der b/tests/auto/network/ssl/qsslkey/keys/dh-pri-1024.der Binary files differnew file mode 100644 index 0000000000..687009e087 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pri-1024.der diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pri-1024.pem b/tests/auto/network/ssl/qsslkey/keys/dh-pri-1024.pem new file mode 100644 index 0000000000..233e0dfb37 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pri-1024.pem @@ -0,0 +1,9 @@ +-----BEGIN PRIVATE KEY----- +MIIBIQIBADCBlQYJKoZIhvcNAQMBMIGHAoGBAIlk2YX0TJzfQ18ZzZroQoE5Nyjt +bWxWRxBriG/c+JWhBwttVDb6lzLN+GVJxXVPfc6JJmDORVRxdxAlMqu++2Vqpsnl +/H8xIXsxjuTcTjq8sXagGRa0LfeggkUD64tEhO4iZ8Q2TIdb3OHkAF0Sn+06b/0e +iIz323Kywq0CsspTAgECBIGDAoGAQCo39UHP4s2ZVH4nOmWgNlb4JsHPX4EzqDBr +ig46hvMLAFrILYnsCbqqD/+GNAUl1PV/nfEQoAk/HvtACqLFLG5/3jK2w6dVHGEo +JnVOGz9vZpWUx+SCslHJRFaeE+6AAbbvrTr0lci29Ta4IesHlamRsj+ZaUrVX6k/ +/9OTGAo= +-----END PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pri-2048.der b/tests/auto/network/ssl/qsslkey/keys/dh-pri-2048.der Binary files differnew file mode 100644 index 0000000000..e193f25f07 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pri-2048.der diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pri-2048.pem b/tests/auto/network/ssl/qsslkey/keys/dh-pri-2048.pem new file mode 100644 index 0000000000..32299b2b6c --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pri-2048.pem @@ -0,0 +1,14 @@ +-----BEGIN PRIVATE KEY----- +MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAJsiReJxBjkC7Hy99AJATusq +YsNQHhjoeTLPeHhsBuLtJK18Krk736V09efX6qeAEmvgMQbvbHqtrOaY3q6dut6C +UTGVW+oVg3d/Y8qakkanvEnIlliaTIyWIz0JMjO2prC6AuU/QEzZcQVUS6bxyn3D +iYFxCE6+7cJJpEH9HVbcrl+J6Ch6ax5rQGUyxpSMkmItLJx92upRxOnaxJMHR+ZF +OSdDPfrkINpEzahnhteLszddyLasnE0or6ZnXYLvKsT1Uu6QwDc4EO1FJHScoeep +zsK/VRcXzMpj/1Rl+F9E/AikCqHRrnvISt25wrK0Mwy854P2T7dJlBNewc6vE6MC +AQIEggEEAoIBAGIctO30MoZ9DiuKbOBpqM9rl2bNH/I46GGcfEiSsO/zOw2V9WFC +MxkjF0I1ilDfPY+Ag3bLB2n89DPcfXliYH9MFolehPTc1fWplhX3+ImdC6y95uXO +FV5xtcEQCbPktnUtkUdcAT5831p9lu1QJo+DzMPrQa7axMLj8heBAi4VqAi+8Q31 +dpGKuhCUlgs+pLENx1o0QY2kui6Z5uR0YhmA547lwBWA4XEv5OV9ExmxytiatvOv +PZKT1ID76LrL9bnnZvOEGczWLQvJ9VaaZSpoP+2QisRANWW4w57d+PIR1WR/FTSH +F6xocElUoTzuiSPzRz60aw/KkisImBBKERQ= +-----END PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pri-512.der b/tests/auto/network/ssl/qsslkey/keys/dh-pri-512.der Binary files differnew file mode 100644 index 0000000000..42ddbaaae2 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pri-512.der diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pri-512.pem b/tests/auto/network/ssl/qsslkey/keys/dh-pri-512.pem new file mode 100644 index 0000000000..d2c3170b16 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pri-512.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIGcAgEAMFMGCSqGSIb3DQEDATBGAkEAvXx0QxJvIGA2ig8Je55R2rmeO4Ta2Esj +ANLuyVIFRbtuLFsdhU+amUc8bs9RUQmkUNzS92jkpAfqtCv+mQ06EwIBAgRCAkBJ +rDM0BTevOPIHpJzMtSQhw3e7Dr38HUfTn8zF3uYi1RCxjkTUukmzRLPTf0aqPgpd +8dSldjG/11aZORl8/mXO +-----END PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pub-1024.der b/tests/auto/network/ssl/qsslkey/keys/dh-pub-1024.der Binary files differnew file mode 100644 index 0000000000..2805a67633 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pub-1024.der diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pub-1024.pem b/tests/auto/network/ssl/qsslkey/keys/dh-pub-1024.pem new file mode 100644 index 0000000000..da4e327ac9 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pub-1024.pem @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBHzCBlQYJKoZIhvcNAQMBMIGHAoGBAIlk2YX0TJzfQ18ZzZroQoE5NyjtbWxW +RxBriG/c+JWhBwttVDb6lzLN+GVJxXVPfc6JJmDORVRxdxAlMqu++2Vqpsnl/H8x +IXsxjuTcTjq8sXagGRa0LfeggkUD64tEhO4iZ8Q2TIdb3OHkAF0Sn+06b/0eiIz3 +23Kywq0CsspTAgECA4GEAAKBgA8pxU1sMDvRWKpvJKNs3jNhZPQWFf4Tszu/cMcb +1qAQ/q0DRb41VvsUoMaCfef/plZleV4MG26owb574AJeC86wX5MbRDTPS4CzAn+I +an92AZl3vlYRQ2sSo3ktkyhw6LV1iewi08Ky7J4rqvG0Oo335QGEZlK1OgwBsyh0 +FKLe +-----END PUBLIC KEY----- diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pub-2048.der b/tests/auto/network/ssl/qsslkey/keys/dh-pub-2048.der Binary files differnew file mode 100644 index 0000000000..9e749d8a41 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pub-2048.der diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pub-2048.pem b/tests/auto/network/ssl/qsslkey/keys/dh-pub-2048.pem new file mode 100644 index 0000000000..f751157c87 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pub-2048.pem @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAJsiReJxBjkC7Hy99AJATusqYsNQ +HhjoeTLPeHhsBuLtJK18Krk736V09efX6qeAEmvgMQbvbHqtrOaY3q6dut6CUTGV +W+oVg3d/Y8qakkanvEnIlliaTIyWIz0JMjO2prC6AuU/QEzZcQVUS6bxyn3DiYFx +CE6+7cJJpEH9HVbcrl+J6Ch6ax5rQGUyxpSMkmItLJx92upRxOnaxJMHR+ZFOSdD +PfrkINpEzahnhteLszddyLasnE0or6ZnXYLvKsT1Uu6QwDc4EO1FJHScoeepzsK/ +VRcXzMpj/1Rl+F9E/AikCqHRrnvISt25wrK0Mwy854P2T7dJlBNewc6vE6MCAQID +ggEFAAKCAQAUeWRuqjl7F84USogxJOM1M4y8yKtBYY2KLs5iIVhzV4UZ+9+cMNZA +otLXJ/e8BH0diR0yk7tjxD6hjjqd+nyafIkJGPElDMnTbRPHg5zZYMmI5L/efdSm +OPbM7QsodrYH5aoF4c7hjMb/cttYVG2Yupsy4tfORuDbwL70upqOo6rkVq55eOGS +6pseEume/SD+7e3xIPJTkrMMzBFHG6H7bVHikT4O7yWV1iVzElj919yi+4Zy6TK8 +0hG6l31D5bsJpOduhHYZtN1yQpw+sGT6Yiepkjgt+1YkGFiiRs5vDl4DHeYHyAhL +oH9uKcm3q4lhaOeT5ml765g87qQD6+vr +-----END PUBLIC KEY----- diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pub-512.der b/tests/auto/network/ssl/qsslkey/keys/dh-pub-512.der Binary files differnew file mode 100644 index 0000000000..8a75babb6d --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pub-512.der diff --git a/tests/auto/network/ssl/qsslkey/keys/dh-pub-512.pem b/tests/auto/network/ssl/qsslkey/keys/dh-pub-512.pem new file mode 100644 index 0000000000..1f4e5c9a47 --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/keys/dh-pub-512.pem @@ -0,0 +1,6 @@ +-----BEGIN PUBLIC KEY----- +MIGaMFMGCSqGSIb3DQEDATBGAkEAvXx0QxJvIGA2ig8Je55R2rmeO4Ta2EsjANLu +yVIFRbtuLFsdhU+amUc8bs9RUQmkUNzS92jkpAfqtCv+mQ06EwIBAgNDAAJARGBh +9FmRRZZAxBtXZmS8wIgDwWvjB63GQ+E1pDLtZPztvPQ2eqUjTgSuGKV5cDankAV1 +Pkj/IA0Xl+SuFhLLew== +-----END PUBLIC KEY----- diff --git a/tests/auto/network/ssl/qsslkey/keys/genkeys.sh b/tests/auto/network/ssl/qsslkey/keys/genkeys.sh index 6210b42ab4..0106953bff 100755 --- a/tests/auto/network/ssl/qsslkey/keys/genkeys.sh +++ b/tests/auto/network/ssl/qsslkey/keys/genkeys.sh @@ -88,6 +88,27 @@ do openssl ec -in ec-pri-$size-$curve.pem -pubout -out ec-pub-$size-$curve.der -outform DER done +#--- DH ---------------------------------------------------------------------------- +for size in 512 1024 2048 +do + echo -e "\ngenerating DH parameters to PEM file ..." + openssl dhparam -out dhpar-$size.pem $size + + echo -e "\ngenerating DH private key to PEM file ..." + openssl genpkey -paramfile dhpar-$size.pem -out dh-pri-$size.pem + + /bin/rm dhpar-$size.pem + + echo -e "\ngenerating DH private key to DER file ..." + openssl pkey -in dh-pri-$size.pem -out dh-pri-$size.der -outform DER + + echo -e "\ngenerating DH public key to PEM file ..." + openssl pkey -in dh-pri-$size.pem -pubout -out dh-pub-$size.pem + + echo -e "\ngenerating DH public key to DER file ..." + openssl pkey -in dh-pri-$size.pem -pubout -out dh-pub-$size.der -outform DER +done + #--- PKCS#8 ------------------------------------------------------------------------ # Note: We'll just grab some of the keys generated earlier and convert those # https://www.openssl.org/docs/manmaster/man1/pkcs8.html#PKCS-5-v1.5-and-PKCS-12-algorithms diff --git a/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes128.pem b/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes128.pem new file mode 100644 index 0000000000..1a8751874e --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes128.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,A2A6F6BA67CFB2A992BA4FD3A0984B59 + +L5G1mwcXwW30lFty1HaEHlswFXAGk9+qf0TdYYNAAvVrsTMgfMq/6xM5XWo3IgbN +gG4K6T57gQkAywn+upqMHobB+7qc3DRzYlrm89gb74gHOe95l/iUJp4ii+ROLcmY +fg/vNmDSB/D0eM91WfwId7ticYD29+BUbbnqSYyY2S7K7DytYLpXqg3u335GYCdT +JwOsgcgbOICytkgK6c9ZDF3IrkzvWospVuiG5IfpLQkUXlJO3YGJ/oGf1BXnRd/b +kTzUiimUVunX62muHaUXKkAmXS8FCdB0puI+52pzLJ5FHdFxCcnwSG09TmoXbwwa +KoNM+IshNHPBGM7QxflVbSDxDaF1FWLwWSb8+Fhb2fTpfEGMxRCQ8HB1ZeMV4E5W +DSiNhih8ziC0k957ZYv8iuLanoM1YYIdToHeBwjyBJA836eIcq/ElY2QtKUq5PRw ++sU1BdG+f9rf4iAPHpgWZAKFmJ42ya71bEEVAmfysAOPuc4hpn3SsDTtihm9RKc9 +l7LWJHaTnTu6yJA+vMJwAmPWg+IdG5vntbb93X4cgl5ZadBySRtv37wWyQPnQcFh +ytX8z2CJNIFJb0ik8bXc39zOxExoTu/o86IuVJ87jFdS1wz3PRek6dJdl15icx76 +yAT0YB2/ZlRcRrO9hSm0D6P+sLOh//dyhhFAlUrDxqrKngI3KF4kgIrSlva3wmx2 +t16SiUKu6FGQZk6/KYOV27Cy+8UJEqlrNJzy+wSFi26d6e6xWTIR2ItzQCxhYDmq +Tpx0Mh0ml2+bgrKRoDAL5z6UNy0Pc6bYQjvMznIeiuGvL8bAKTDUFwbmrZqNScsl +tW7yNZG9iSJnAZGMTxuOhSvJRpQkxIcLICd+lsUxWZ2YvFxtSORuRNSwaC7oxtTD +gIXV08ayoDbDmcguqTXWuCxtguxNANjhsUOetNHL8iP8QFrzAd5Ith9FgASCIBJJ +3X7vL2YGc3E6DlAJE01loqySU/cnu6/zQapLB9BIzdtoLliwdrJ7PS8FSsBDfZ2X +i6/7gb1jxYkJAS1NqrUMJw6BphRAwF8ny+FtPJ23Oaf+1vRIGiHsh8qw6XBfwFw9 +vtsUUL19r+8zMpvIB6gf34TLuM7AW7idu3c/486EWgZBDL3mOTd3fsyADKv/HCk7 +c8M2dsafxI6QkTlWsB8G5vkZ8lCGKHjrmPWjfD7NXi+CvXIrDY+gOeVN3PlQCU/2 +zF2vIxKtR0CXuxLzIjFhIgTYR5G5ZnddMmHeVkZdPRl7szGtrxOA4QGJQ6ZT4W2e +O1whVU2KB0aBYskhClimapM5ypRkcNQ97cUR6/iNgdgSLqxGHCGeMR9bEyLl7/wr +M0XeDjdVfm/Tj548oHgb0SKLsfL6nnKwqB2viKj81moK9A/wO1Ec9RNaw0jtp2j3 +VIUnPj0GqEjnkHc2jWY2yt4SD6e2AZHwLyWi1q3pixZo1CFiEgFXxwNyYwyeJ6jV +CJHPRzoNjZ8dkvgRjsXdnWwN316JBNVcH8k7CCmg/8Gq3yAojXG1z8VJZ06GHckd +meCL1t89OgwIAmIsysKu7+DrKtSlhkQclZmdG6IrQzuPKaHzTPTDgg3ef3jQ4YQO +-----END RSA PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes192.pem b/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes192.pem new file mode 100644 index 0000000000..db74877a5a --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes192.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-192-CBC,B408346ADE790F8CF0C902A4F0712B34 + +SwzPBGxmwW2JddOyug1LrWjlZn8siSp5yezjK1x/z2+J2r/vvH8OjGnA387tFtae +WVTmhT1ixQXMDI1UJuKx0gzrG2449c+BUVe2VXFPLZ2ocSgoXbBpVkfhEqtLAn91 +MSOpQMxvobQKltKhxgXGvuBJwhwfT7yK5HamohFGbxLUh4Dh+NBXwoYH4Qt+kM7C +kV8VIKvkr/QAL/SRxNoY8rVResPgYvUjdtiGSNZ6CZhNRu42Q2FqbH817cE0NDsN +il/xvWu4T/6VY1KpwMad/v6BhO45EeKz7YjbF/3Y5jj2JV9r45uf79lM9htMBw0d +L+Cc3YHeFffgU8NZo0+iUoroXcb7mjWNmgYksbkaZPbLG383YXAXwbkQS7zDMVIx +QhXn9w+78hNmEV/7PQ8mGXHEFwnfSR05phXoj8IyL5v0grRMA2dsjfxCgfQjH+kc +Miwr5pD/Flw175OpPFCb2qladdTKoIWiVShspbteoRC0EuiWHzkl5z6Tneyb/sam +yduLmSYD+RA6OBgUPY95Xm4AowlFFsuV/fxYZ53rFf4cZn9Z6VBVmvIEmapV7CtB +JzyIVclocwM0ag5u/esdEt/jndJq9chZlIsDS30y3gP6Rlqk5mj90DAs98l28FVG +WY9jP0babk8mxjYCcnAy7ikUc0D+vJVO6OTmfO3dkGjLpMBM6OlvfhN/0qeXrMDI +nU2qOshUrVna2kRe6FrcvosFTD8wvQ1/BjmCp1iWWsGdc/q1BqI3pgOlgq3TYfl6 +iUJoji3V2iexH+GPkHsrs+kii1clsO2tgIP7doIooSVkcTsRTHHxKeeHn3qL2028 +pTvieIFD/T4biLZ9Q8sX3XWiHNmXZlCx8lX8MDjTavWES8gY4H5Sr6FjRMy1qpZY +5w1aAyJ9YZ0J/jLPmFxt8mWgqHPiPlrQkryBBE3l1MSQ/hCEwlf9dP8a+ayINfd7 +3yNkHKjZ5fuoA+TZUQb/fyVM5o1zJ8ML01PaXWrMEgr3b36QL+Ivo2Rpnp9FpwuH +E405cwCEy5fNSyhHFqqatCbsPl80nkP8OpW6jdWvNy9u0Ap9PS+MbHGq/pfkaazl +fbKGOckrENzEXi6Uj/yY/0sMtbTJuC70n09X3edHyhl/RJPPUoNnwDM5W1FHfS3r +qqSOl/r3y5pEErRdBpR4wEgB7DCLBALGDPfXNAAga4ez/Z2X9Zj234+4ZbUzWoLN +1ER0QYyxLN7oz1qMA15J7nRyRIhDXNlXjyISOqy26T6/d4X0M+6RhNWfT/MHAjJ8 +6ogoGlQUITV3gPO4R6+FGZMF4R6zZXuKVtOXyzRwWnCLfo4gzBHmq+5mmCjGWRq8 +rSSkc6334bYuZOaEoR5EM5sh6ewkjSDPRrKR7EHO02YbiscyT/99TwT5pdIOPK3u +2T6/40fSmCWQyBLuWxV9CMD+rB/q8Ja5KisEseck7PgI2pMmHfiD5yQXhKR9eDrB +sRqZxjgRYxup+/0CIBshL8s1R88xelhXyIKyqFfVudM09yAZxEJLQhpDZ27g45ea +FMX2Ve+ah2NjYBgzAhwKouWg5RyWb6X99NsrCEU75fn/ek86LGs3FxRgB4Uv7Udv +-----END RSA PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes256.pem b/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes256.pem new file mode 100644 index 0000000000..3d96b3166e --- /dev/null +++ b/tests/auto/network/ssl/qsslkey/rsa-with-passphrase-aes256.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,0F2F4695C8FFA35F4076FA0273A3A4E3 + +GCnMcAhhGuNkJ7SSMBrgNOaDfRtG22J0mdf/0VbrMOJF40P13YBjN3Kd6LpTqBya +TCIaxQqtfjH1ffhJk8qhwG7uJFGgcY9i0dkrEYklgThzTVqHp7FsQ2jjgJs5HKpc +euuVD1bxtuc9qI2hq4miA7Z/uDe3M34n+3xcpqccWS1dLFNFZ+fIDwIazfDCu3ah +fUQHDeWLwOqYiQxhUjjrHpZkI1FE2JYZFaf4zIagIIgzI2O+33fgbrTSoeN5meRs +F7V2fhDpyEoIlchwAmp6HE6ngtKP4Ecju00yn99AO42fn097yEVwvGFClQTaIzur +aPEtuKZ4kdc/lmzL2tqNcZckq28ZxpeMq0Fgdcpeg5sDcut811scOjQLFs551On1 +j3E1WfiLoBLKgd9cgmCrZb8hMO+UjcCaV7Jv3T9vDrbvhWs/YhTTwo8UFVplh7Vx +R1h3cKfzlbtOC5WHXGNK5dBu7SnpEk0+pscY5cxTrzN0odjMbbsjZQmKDZXbmZON +USzG3Qtafm6Nw/jwQeIjeqaxSho6xGdadTteGaURw6iGio3h0c6/dHayCsxye4tk +vODa0ZdJASwVh1605qDk9n/iYUT5B46KJCYwO/iN2kUmOcUcZeBqEfV1GfRmepZJ +bwM4sipzE15hOJ5DKSkHWnSlByRMAdSrMxZWraKUczn5frEBAqEFLlBAvf/FnjWa +yZJitgryCI2Y2bww1DEMnTCX345kUQIFmmjbzTIXnM28gW+fR3Br9dCf2FAsLNKr +tru1cYXocPaCUHEqS+XZqVb6BQVQ11YAAde0+x9RknJgsBc9Y7TLobaDBvrV5/nK +T3vm8el08upum6qPTPh6Z0zBbjx4sp6DYT977N1dYeH4n+0JqcSwIeZg/VAdG0RL +GzgZVADpiRlStmy65W95KExBjbO0tRTVk/nB1U1nfLbsswp9EKxXgwtpE/ECeTOi +hzeJBSsXGZ/ZXu/y+NlIu0B/GasFbfrHKslSSrUPTjGEtaEbLNiOEu2Etu3lRcMZ +oDtMxgNR0TUgCS5nte8lLauYYfB6IuxZXpvJdcI5ushqdOJvvYgJ9Yb2ZPlY8Bt5 +C92Ga69aPcMYk24BPpe15eBbXMsFF8RF+CprVoUPCc+PcuROtxdt+rqoqjQeZPmV +WQqq+pT2bychpwD7U5jxQnu4u2m+zeBXyk80euBbwEld9BCgfk9mFj6CdBJSEiGV +qL0ivxd3mDaIKPGd5tcbrOMK2uD7duZY7FrQpAYgryoQJoUHccL7cr9fDC75akHg +AbrG1+vAYEla/y+SlOg5VTHhiuIl17ZGMViXSqh7iqnnD0dNsZ/HDvk3XouhNxQy +RQmfdqyIqLuAcfWwQxCQ2E/oMUIHjNhyYmfLVLVGsfxuevMa1eJv7rZ5vIkD2Vpe +4VveZkNDSpCCNqnvub8+bMW+UXyzbxEZbK5PLkRp7cvtKdA5CUbTlT4060IV0YZ1 +vfMtzXRw8JDD9c1F1WF14afk+y9kvZN88XOH12bSKj+Re06Xx7OzuYU8fclq/pZB +UZVtRETFnLgb8neMuz3vCoPWK/DSHDZGAAicxq7vTljyoU/QP71Dw7UJIAuYx6Mc +-----END RSA PRIVATE KEY----- diff --git a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp index ddfe52c5e4..f94756ed73 100644 --- a/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp +++ b/tests/auto/network/ssl/qsslkey/tst_qsslkey.cpp @@ -30,6 +30,7 @@ #include <QtTest/QtTest> #include <qsslkey.h> #include <qsslsocket.h> +#include <QScopeGuard> #include <QtNetwork/qhostaddress.h> #include <QtNetwork/qnetworkproxy.h> @@ -63,7 +64,7 @@ class tst_QSslKey : public QObject QList<KeyInfo> keyInfoList; - void createPlainTestRows(bool filter = false, QSsl::EncodingFormat format = QSsl::EncodingFormat::Pem); + void createPlainTestRows(bool pemOnly = false); public slots: void initTestCase(); @@ -111,13 +112,14 @@ void tst_QSslKey::initTestCase() QDir dir(testDataDir + "keys"); const QFileInfoList fileInfoList = dir.entryInfoList(QDir::Files | QDir::Readable); - QRegExp rx(QLatin1String("^(rsa|dsa|ec)-(pub|pri)-(\\d+)-?[\\w-]*\\.(pem|der)$")); + QRegExp rx(QLatin1String("^(rsa|dsa|dh|ec)-(pub|pri)-(\\d+)-?[\\w-]*\\.(pem|der)$")); for (const QFileInfo &fileInfo : fileInfoList) { if (rx.indexIn(fileInfo.fileName()) >= 0) { keyInfoList << KeyInfo( fileInfo, rx.cap(1) == QLatin1String("rsa") ? QSsl::Rsa : - (rx.cap(1) == QLatin1String("dsa") ? QSsl::Dsa : QSsl::Ec), + rx.cap(1) == QLatin1String("dsa") ? QSsl::Dsa : + rx.cap(1) == QLatin1String("dh") ? QSsl::Dh : QSsl::Ec, rx.cap(2) == QLatin1String("pub") ? QSsl::PublicKey : QSsl::PrivateKey, rx.cap(3).toInt(), rx.cap(4) == QLatin1String("pem") ? QSsl::Pem : QSsl::Der); @@ -154,7 +156,7 @@ Q_DECLARE_METATYPE(QSsl::KeyAlgorithm) Q_DECLARE_METATYPE(QSsl::KeyType) Q_DECLARE_METATYPE(QSsl::EncodingFormat) -void tst_QSslKey::createPlainTestRows(bool filter, QSsl::EncodingFormat format) +void tst_QSslKey::createPlainTestRows(bool pemOnly) { QTest::addColumn<QString>("absFilePath"); QTest::addColumn<QSsl::KeyAlgorithm>("algorithm"); @@ -162,11 +164,11 @@ void tst_QSslKey::createPlainTestRows(bool filter, QSsl::EncodingFormat format) QTest::addColumn<int>("length"); QTest::addColumn<QSsl::EncodingFormat>("format"); foreach (KeyInfo keyInfo, keyInfoList) { - if (filter && keyInfo.format != format) + if (pemOnly && keyInfo.format != QSsl::EncodingFormat::Pem) continue; -#ifdef Q_OS_WINRT +#if defined(Q_OS_WINRT) || QT_CONFIG(schannel) if (keyInfo.fileInfo.fileName().contains("RC2-64")) - continue; // WinRT treats RC2 as 128 bit + continue; // WinRT/Schannel treats RC2 as 128 bit #endif #if !defined(QT_NO_SSL) && defined(QT_NO_OPENSSL) // generic backend if (keyInfo.fileInfo.fileName().contains(QRegularExpression("-aes\\d\\d\\d-"))) @@ -232,15 +234,50 @@ void tst_QSslKey::constructorHandle() QByteArray passphrase; if (QByteArray(QTest::currentDataTag()).contains("-pkcs8-")) passphrase = "1234"; + BIO* bio = q_BIO_new(q_BIO_s_mem()); q_BIO_write(bio, pem.constData(), pem.length()); - QSslKey key(func(bio, nullptr, nullptr, static_cast<void *>(passphrase.data())), type); + EVP_PKEY *origin = func(bio, nullptr, nullptr, static_cast<void *>(passphrase.data())); +#if QT_CONFIG(opensslv11) + q_EVP_PKEY_up_ref(origin); +#endif + QSslKey key(origin, type); +#if !QT_CONFIG(opensslv11) + q_BIO_write(bio, pem.constData(), pem.length()); + origin = func(bio, nullptr, nullptr, static_cast<void *>(passphrase.data())); +#endif q_BIO_free(bio); + EVP_PKEY *handle = q_EVP_PKEY_new(); + switch (algorithm) { + case QSsl::Rsa: + q_EVP_PKEY_set1_RSA(handle, static_cast<RSA *>(key.handle())); + break; + case QSsl::Dsa: + q_EVP_PKEY_set1_DSA(handle, static_cast<DSA *>(key.handle())); + break; + case QSsl::Dh: + q_EVP_PKEY_set1_DH(handle, static_cast<DH *>(key.handle())); + break; +#ifndef OPENSSL_NO_EC + case QSsl::Ec: + q_EVP_PKEY_set1_EC_KEY(handle, static_cast<EC_KEY *>(key.handle())); + break; +#endif + default: + break; + } + + auto cleanup = qScopeGuard([origin, handle] { + q_EVP_PKEY_free(origin); + q_EVP_PKEY_free(handle); + }); + QVERIFY(!key.isNull()); QCOMPARE(key.algorithm(), algorithm); QCOMPARE(key.type(), type); QCOMPARE(key.length(), length); + QCOMPARE(q_EVP_PKEY_cmp(origin, handle), 1); #endif } @@ -429,15 +466,25 @@ void tst_QSslKey::toEncryptedPemOrDer() void tst_QSslKey::passphraseChecks_data() { QTest::addColumn<QString>("fileName"); - - QTest::newRow("DES") << (testDataDir + "rsa-with-passphrase-des.pem"); - QTest::newRow("3DES") << (testDataDir + "rsa-with-passphrase-3des.pem"); - QTest::newRow("RC2") << (testDataDir + "rsa-with-passphrase-rc2.pem"); + QTest::addColumn<QByteArray>("passphrase"); + + const QByteArray pass("123"); + const QByteArray aesPass("1234"); + + QTest::newRow("DES") << QString(testDataDir + "rsa-with-passphrase-des.pem") << pass; + QTest::newRow("3DES") << QString(testDataDir + "rsa-with-passphrase-3des.pem") << pass; + QTest::newRow("RC2") << QString(testDataDir + "rsa-with-passphrase-rc2.pem") << pass; +#if (!defined(QT_NO_OPENSSL) && !defined(OPENSSL_NO_AES)) || (defined(QT_NO_OPENSSL) && QT_CONFIG(ssl)) + QTest::newRow("AES128") << QString(testDataDir + "rsa-with-passphrase-aes128.pem") << aesPass; + QTest::newRow("AES192") << QString(testDataDir + "rsa-with-passphrase-aes192.pem") << aesPass; + QTest::newRow("AES256") << QString(testDataDir + "rsa-with-passphrase-aes256.pem") << aesPass; +#endif // (OpenSSL && AES) || generic backend } void tst_QSslKey::passphraseChecks() { QFETCH(QString, fileName); + QFETCH(QByteArray, passphrase); QFile keyFile(fileName); QVERIFY(keyFile.exists()); @@ -470,7 +517,7 @@ void tst_QSslKey::passphraseChecks() keyFile.open(QIODevice::ReadOnly); else keyFile.reset(); - QSslKey key(&keyFile,QSsl::Rsa,QSsl::Pem, QSsl::PrivateKey, "123"); + QSslKey key(&keyFile,QSsl::Rsa,QSsl::Pem, QSsl::PrivateKey, passphrase); QVERIFY(!key.isNull()); // correct passphrase } } @@ -515,79 +562,135 @@ void tst_QSslKey::encrypt_data() QTest::addColumn<QByteArray>("key"); QTest::addColumn<QByteArray>("plainText"); QTest::addColumn<QByteArray>("cipherText"); + QTest::addColumn<QByteArray>("iv"); + QByteArray iv("abcdefgh"); QTest::newRow("DES-CBC, length 0") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray() - << QByteArray::fromHex("956585228BAF9B1F"); + << QByteArray::fromHex("956585228BAF9B1F") + << iv; QTest::newRow("DES-CBC, length 1") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(1, 'a') - << QByteArray::fromHex("E6880AF202BA3C12"); + << QByteArray::fromHex("E6880AF202BA3C12") + << iv; QTest::newRow("DES-CBC, length 2") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(2, 'a') - << QByteArray::fromHex("A82492386EED6026"); + << QByteArray::fromHex("A82492386EED6026") + << iv; QTest::newRow("DES-CBC, length 3") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(3, 'a') - << QByteArray::fromHex("90B76D5B79519CBA"); + << QByteArray::fromHex("90B76D5B79519CBA") + << iv; QTest::newRow("DES-CBC, length 4") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(4, 'a') - << QByteArray::fromHex("63E3DD6FED87052A"); + << QByteArray::fromHex("63E3DD6FED87052A") + << iv; QTest::newRow("DES-CBC, length 5") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(5, 'a') - << QByteArray::fromHex("03ACDB0EACBDFA94"); + << QByteArray::fromHex("03ACDB0EACBDFA94") + << iv; QTest::newRow("DES-CBC, length 6") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(6, 'a') - << QByteArray::fromHex("7D95024E42A3A88A"); + << QByteArray::fromHex("7D95024E42A3A88A") + << iv; QTest::newRow("DES-CBC, length 7") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(7, 'a') - << QByteArray::fromHex("5003436B8A8E42E9"); + << QByteArray::fromHex("5003436B8A8E42E9") + << iv; QTest::newRow("DES-CBC, length 8") << QSslKeyPrivate::DesCbc << QByteArray("01234567") << QByteArray(8, 'a') - << QByteArray::fromHex("E4C1F054BF5521C0A4A0FD4A2BC6C1B1"); + << QByteArray::fromHex("E4C1F054BF5521C0A4A0FD4A2BC6C1B1") + << iv; QTest::newRow("DES-EDE3-CBC, length 0") << QSslKeyPrivate::DesEde3Cbc << QByteArray("0123456789abcdefghijklmn") << QByteArray() - << QByteArray::fromHex("3B2B4CD0B0FD495F"); + << QByteArray::fromHex("3B2B4CD0B0FD495F") + << iv; QTest::newRow("DES-EDE3-CBC, length 8") << QSslKeyPrivate::DesEde3Cbc << QByteArray("0123456789abcdefghijklmn") << QByteArray(8, 'a') - << QByteArray::fromHex("F2A5A87763C54A72A3224103D90CDB03"); + << QByteArray::fromHex("F2A5A87763C54A72A3224103D90CDB03") + << iv; QTest::newRow("RC2-40-CBC, length 0") << QSslKeyPrivate::Rc2Cbc << QByteArray("01234") << QByteArray() - << QByteArray::fromHex("6D05D52392FF6E7A"); + << QByteArray::fromHex("6D05D52392FF6E7A") + << iv; QTest::newRow("RC2-40-CBC, length 8") << QSslKeyPrivate::Rc2Cbc << QByteArray("01234") << QByteArray(8, 'a') - << QByteArray::fromHex("75768E64C5749072A5D168F3AFEB0005"); + << QByteArray::fromHex("75768E64C5749072A5D168F3AFEB0005") + << iv; QTest::newRow("RC2-64-CBC, length 0") << QSslKeyPrivate::Rc2Cbc << QByteArray("01234567") << QByteArray() - << QByteArray::fromHex("ADAE6BF70F420130"); + << QByteArray::fromHex("ADAE6BF70F420130") + << iv; QTest::newRow("RC2-64-CBC, length 8") << QSslKeyPrivate::Rc2Cbc << QByteArray("01234567") << QByteArray(8, 'a') - << QByteArray::fromHex("C7BF5C80AFBE9FBEFBBB9FD935F6D0DF"); + << QByteArray::fromHex("C7BF5C80AFBE9FBEFBBB9FD935F6D0DF") + << iv; QTest::newRow("RC2-128-CBC, length 0") << QSslKeyPrivate::Rc2Cbc << QByteArray("012345679abcdefg") << QByteArray() - << QByteArray::fromHex("1E965D483A13C8FB"); + << QByteArray::fromHex("1E965D483A13C8FB") + << iv; QTest::newRow("RC2-128-CBC, length 8") << QSslKeyPrivate::Rc2Cbc << QByteArray("012345679abcdefg") << QByteArray(8, 'a') - << QByteArray::fromHex("5AEC1A5B295660B02613454232F7DECE"); + << QByteArray::fromHex("5AEC1A5B295660B02613454232F7DECE") + << iv; + +#if (!defined(QT_NO_OPENSSL) && !defined(OPENSSL_NO_AES)) || (defined(QT_NO_OPENSSL) && QT_CONFIG(ssl)) + // AES needs a longer IV + iv = QByteArray("abcdefghijklmnop"); + QTest::newRow("AES-128-CBC, length 0") + << QSslKeyPrivate::Aes128Cbc << QByteArray("012345679abcdefg") + << QByteArray() + << QByteArray::fromHex("28DE1A9AA26601C30DD2527407121D1A") + << iv; + QTest::newRow("AES-128-CBC, length 8") + << QSslKeyPrivate::Aes128Cbc << QByteArray("012345679abcdefg") + << QByteArray(8, 'a') + << QByteArray::fromHex("08E880B1BA916F061C1E801D7F44D0EC") + << iv; + + QTest::newRow("AES-192-CBC, length 0") + << QSslKeyPrivate::Aes192Cbc << QByteArray("0123456789abcdefghijklmn") + << QByteArray() + << QByteArray::fromHex("E169E0E205CDC2BA895B7CF6097673B1") + << iv; + QTest::newRow("AES-192-CBC, length 8") + << QSslKeyPrivate::Aes192Cbc << QByteArray("0123456789abcdefghijklmn") + << QByteArray(8, 'a') + << QByteArray::fromHex("3A227D6A3A13237316D30AA17FF9B0A7") + << iv; + + QTest::newRow("AES-256-CBC, length 0") + << QSslKeyPrivate::Aes256Cbc << QByteArray("0123456789abcdefghijklmnopqrstuv") + << QByteArray() + << QByteArray::fromHex("4BAACAA0D22199C97DE206C465B7B14A") + << iv; + QTest::newRow("AES-256-CBC, length 8") + << QSslKeyPrivate::Aes256Cbc << QByteArray("0123456789abcdefghijklmnopqrstuv") + << QByteArray(8, 'a') + << QByteArray::fromHex("879C8C25EC135CDF0B14490A0A7C2F67") + << iv; +#endif // (OpenSSL && AES) || generic backend } void tst_QSslKey::encrypt() @@ -596,13 +699,13 @@ void tst_QSslKey::encrypt() QFETCH(QByteArray, key); QFETCH(QByteArray, plainText); QFETCH(QByteArray, cipherText); - QByteArray iv("abcdefgh"); + QFETCH(QByteArray, iv); -#ifdef Q_OS_WINRT - QEXPECT_FAIL("RC2-40-CBC, length 0", "WinRT treats RC2 as 128-bit", Abort); - QEXPECT_FAIL("RC2-40-CBC, length 8", "WinRT treats RC2 as 128-bit", Abort); - QEXPECT_FAIL("RC2-64-CBC, length 0", "WinRT treats RC2 as 128-bit", Abort); - QEXPECT_FAIL("RC2-64-CBC, length 8", "WinRT treats RC2 as 128-bit", Abort); +#if defined(Q_OS_WINRT) || QT_CONFIG(schannel) + QEXPECT_FAIL("RC2-40-CBC, length 0", "WinRT/Schannel treats RC2 as 128-bit", Abort); + QEXPECT_FAIL("RC2-40-CBC, length 8", "WinRT/Schannel treats RC2 as 128-bit", Abort); + QEXPECT_FAIL("RC2-64-CBC, length 0", "WinRT/Schannel treats RC2 as 128-bit", Abort); + QEXPECT_FAIL("RC2-64-CBC, length 8", "WinRT/Schannel treats RC2 as 128-bit", Abort); #endif QByteArray encrypted = QSslKeyPrivate::encrypt(cipher, plainText, key, iv); QCOMPARE(encrypted, cipherText); diff --git a/tests/auto/network/ssl/qsslsocket/BLACKLIST b/tests/auto/network/ssl/qsslsocket/BLACKLIST index 8e1a55995e..555822d1e6 100644 --- a/tests/auto/network/ssl/qsslsocket/BLACKLIST +++ b/tests/auto/network/ssl/qsslsocket/BLACKLIST @@ -1 +1,7 @@ windows +[connectToHostEncrypted] +osx-10.13 +[setSslConfiguration] +osx-10.13 +[connectToHostEncryptedWithVerificationPeerName] +osx-10.13 diff --git a/tests/auto/network/ssl/qsslsocket/certs/127-0-0-1-as-CN.crt b/tests/auto/network/ssl/qsslsocket/certs/127-0-0-1-as-CN.crt new file mode 100644 index 0000000000..2253469392 --- /dev/null +++ b/tests/auto/network/ssl/qsslsocket/certs/127-0-0-1-as-CN.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/jCCAeagAwIBAgIJALBykhTMGxyEMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCTEyNy4wLjAuMTAeFw0xOTAxMjUyMjU5NDFaFw0xOTAyMjQyMjU5NDFaMBQx +EjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALMEo10Xd6e5ot4Rg99VejDV/WNdAhY6+2Ilzuc+1XdzDpEQCuqWY2hAGX9m +QXyFSR+UcpJWoUFUtJLsArXgRnxT+seHuemrLZGZOkDStUhKNpxfwOmhIT+sLocw +qXCwNf9oG4//3evGwGqJhLDpGUhTNVCAMaalb1yrcXskYEkWdelzCTMzoirVvbS2 +6PH3kE+WPaBehMFruLtp+v7btnVIA305DwFy4CLq+HHFq59BbxRWxhRSkfXM8w+d +g05P3VNpEb8Apn4rQ+n/xRz7oZs0Aou4GZG5JAgiLOibbVBK+xnD/UW/txeFWfRZ +1dzIi4yAKkdwIhPAg+pP1G6tgZMCAwEAAaNTMFEwHQYDVR0OBBYEFNGZZgb9dbVY +FKkkoQp/oAQ2/B51MB8GA1UdIwQYMBaAFNGZZgb9dbVYFKkkoQp/oAQ2/B51MA8G +A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFvHy0RE96TDw6Q2pfCY +aMz/X8dMAEMz5XqC7ImcztVg6VTRHpiw+QFQGqCLwNNuwkD9/pZ3IgVzSbRQw3oW +HO7wD30NFl17LQMONBdcmR9FO5ruBh8G0Q1tmeKNtuwjzF3LAkj/J3tAn6eVmHi5 +75WEK/vQgy9XElN6EC6TgC/4B5/DPdZuEMdL7AP8ADLq9UVf8JC9c4QjU9G1Ce2R +PzNwkhkLvtLlcxFcXciuc+oGhLENoJ2ZYHctT/ReOuBoRWEwIB1AeCWxitxjBZ6t +lmZ+UewuzJ7y1X5maQZr7w3o8f6DwqwYrmMd45tS6jkHHAJlaCs/yCfVnLBwZ1l4 +NeM= +-----END CERTIFICATE----- diff --git a/tests/auto/network/ssl/qsslsocket/certs/qt-test-server-cert.pem b/tests/auto/network/ssl/qsslsocket/certs/qt-test-server-cert.pem new file mode 100644 index 0000000000..43c8794ce2 --- /dev/null +++ b/tests/auto/network/ssl/qsslsocket/certs/qt-test-server-cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIIClTCCAf4CCQC2xMhNhwvATDANBgkqhkiG9w0BAQQFADCBjjELMAkGA1UEChMC +UXQxGTAXBgNVBAsTEENvcmUgQW5kIE5ldHdvcmsxGzAZBgkqhkiG9w0BCQEWDG5v +Ym9keS5xdC5pbzENMAsGA1UEBxMET3NsbzENMAsGA1UECBMET3NsbzELMAkGA1UE +BhMCTk8xHDAaBgNVBAMUEyoudGVzdC1uZXQucXQubG9jYWwwHhcNMTgwNzAxMTgz +NjI3WhcNNDgwNjIzMTgzNjI3WjCBjjELMAkGA1UEChMCUXQxGTAXBgNVBAsTEENv +cmUgQW5kIE5ldHdvcmsxGzAZBgkqhkiG9w0BCQEWDG5vYm9keS5xdC5pbzENMAsG +A1UEBxMET3NsbzENMAsGA1UECBMET3NsbzELMAkGA1UEBhMCTk8xHDAaBgNVBAMU +EyoudGVzdC1uZXQucXQubG9jYWwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB +AM2q22/WNMmn8cC+5EEYGeICySLmp9W6Ay6eKHr0Xxp3X3epETuPfvAuxp7rOtkS +18EMUegkUj8jw0IMEcbyHKFC/rTCaYOt93CxGBXMIChiMPAsFeYzGa/D6xzAkfcR +aJRQ+Ek3CDLXPnXfo7xpABXezYcPXAJrgsgBfWrwHdxzAgMBAAEwDQYJKoZIhvcN +AQEEBQADgYEAZu/lQPy8PXeyyYGamOVms/FZKJ48BH1y8KC3BeBU5FYnhvgG7pz8 +Wz9JKvt2t/r45wQeAkNL6HnGUBhPJsHMjPHl5KktqN+db3D+FQygBeS2V1+zmC0X +UZNRE4aWiHvt1Lq+pTx89SOMOpfqWfh4qTQKiE5jC2V4DeCNQ3u7uI8= +-----END CERTIFICATE----- diff --git a/tests/auto/network/ssl/qsslsocket/certs/subjectAltNameIP.crt b/tests/auto/network/ssl/qsslsocket/certs/subjectAltNameIP.crt new file mode 100644 index 0000000000..1377fbbabb --- /dev/null +++ b/tests/auto/network/ssl/qsslsocket/certs/subjectAltNameIP.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCAhigAwIBAgIURWaTvdnvU+Y+gPSONs61cMCH8JUwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwHhcNMTkwMTA4MTExMDMxWhcNMTkw +MjA3MTExMDMxWjAWMRQwEgYDVQQDDAtleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALf0qv9vl8RqvDHpEWfjum7DMrY8qrQnD77C/9f/ +Jl0Jo4UZiSBr1OYYVbiWJyodw8LpQQsKE+fQCo2STb5X9BldJpwpQvvVi6ygxdzN +erJnB15G7xhUkGzDI2xhIJw3e6NGqf1PMB4CTNna6eN2cKYAxPfsWo5Pyh1YtU4s +5h+B3+43ol32ccBiRo4YXagbYMELjspEf0AvObvMWSxZQoBHcJ5JGEApxcgvFu8i +FBSALVy1IrYE3gXAv8TB0AK7IpuNIL48v5JXCA6JOGYbXFljj6aLFTzfrV3lzhQ0 +kqBVnQNqVfOUQNUhNT93bnEWVf911j/af5zuFtmr1kbMzucCAwEAAaN2MHQwHQYD +VR0OBBYEFHZOtGQHV3roaj3nlQ1XRU0O+05TMB8GA1UdIwQYMBaAFHZOtGQHV3ro +aj3nlQ1XRU0O+05TMA8GA1UdEwEB/wQFMAMBAf8wIQYDVR0RBBowGIcEwAUIEIcQ +/oAAAAAAAAA8KS+h3UQHZTANBgkqhkiG9w0BAQsFAAOCAQEAcvqvtUSJ2JM3rrWj +XjCOhosKY/cow4oDAVdn8AvI/Z4FJfcQZ1vA+ZM533/TaJStG4ThfjyX9t1Ej08M +UzP4ZUyXJTv8o6C6j5e9ggEwo/cFp1iWP+xr2SXLJ2cabnu8db5FN5J75HjNsuVs +PM95LYY9VlTm9W7JxMwkPEIG+wH5zu6Hj45UAAamwwjOKT1hJYumxdmLAp1oyG1p +u86b8iVUjiHG+K6qr4hAKXhuSXE1s/pYqcn1feyk2SbkKvGFR6ad+gmdT4ZaiNYT +nL8+t2wim/fRkV0CNdWrrJpWtLzjPq1al7g2eIopdLufSlqanouVpnzwuKGN5QC/ +MuDohA== +-----END CERTIFICATE----- diff --git a/tests/auto/network/ssl/qsslsocket/qsslsocket.pro b/tests/auto/network/ssl/qsslsocket/qsslsocket.pro index 1260dc9410..03fbe89002 100644 --- a/tests/auto/network/ssl/qsslsocket/qsslsocket.pro +++ b/tests/auto/network/ssl/qsslsocket/qsslsocket.pro @@ -18,3 +18,10 @@ TESTDATA += certs DEFINES += SRCDIR=\\\"$$PWD/\\\" requires(qtConfig(private_tests)) + +# DOCKERTODO: it's 'linux' because it requires cyrus, which +# is linux-only for now ... +linux { + QT_TEST_SERVER_LIST = squid danted cyrus apache2 echo + include($$dirname(_QMAKE_CONF_)/tests/auto/testserver.pri) +} diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp index 72b5d06dd5..7912063bc8 100644 --- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp +++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp @@ -74,6 +74,16 @@ typedef QSharedPointer<QSslSocket> QSslSocketPtr; #endif #endif // QT_NO_SSL +// Detect ALPN (Application-Layer Protocol Negotiation) support +#undef ALPN_SUPPORTED // Undef the variable first to be safe +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) +#define ALPN_SUPPORTED 1 +#endif + +#if QT_CONFIG(schannel) && !defined(Q_CC_MINGW) +#define ALPN_SUPPORTED 1 +#endif + #if defined Q_OS_HPUX && defined Q_CC_GNU // This error is delivered every time we try to use the fluke CA // certificate. For now we work around this bug. Task 202317. @@ -233,18 +243,22 @@ private slots: void verifyClientCertificate(); void readBufferMaxSize(); + void allowedProtocolNegotiation(); + #ifndef QT_NO_OPENSSL void simplePskConnect_data(); void simplePskConnect(); void ephemeralServerKey_data(); void ephemeralServerKey(); - void allowedProtocolNegotiation(); void pskServer(); void forwardReadChannelFinished(); void signatureAlgorithm_data(); void signatureAlgorithm(); #endif + void disabledProtocols_data(); + void disabledProtocols(); + void setEmptyDefaultConfiguration(); // this test should be last protected slots: @@ -296,6 +310,21 @@ Q_DECLARE_METATYPE(tst_QSslSocket::PskConnectTestType) int tst_QSslSocket::loopLevel = 0; +namespace { + +QString httpServerCertChainPath() +{ + // DOCKERTODO: note how we use CA certificate on the real server. The docker container + // is using a different cert with a "special" CN. Check if it's important! +#ifdef QT_TEST_SERVER + return tst_QSslSocket::testDataDir + QStringLiteral("certs/qt-test-server-cert.pem"); +#else + return tst_QSslSocket::testDataDir + QStringLiteral("certs/qt-test-server-cacert.pem"); +#endif // QT_TEST_SERVER +} + +} // unnamed namespace + tst_QSslSocket::tst_QSslSocket() { #ifndef QT_NO_SSL @@ -349,8 +378,19 @@ void tst_QSslSocket::initTestCase() qDebug("Using SSL library %s (%ld)", qPrintable(QSslSocket::sslLibraryVersionString()), QSslSocket::sslLibraryVersionNumber()); +#ifdef QT_TEST_SERVER + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::socksProxyServerName(), 1080)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::socksProxyServerName(), 1081)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3128)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3129)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3130)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpServerName(), 443)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::imapServerName(), 993)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::echoServerName(), 13)); +#else QVERIFY(QtNetworkSettings::verifyTestNetworkSettings()); -#endif +#endif // QT_TEST_SERVER +#endif // QT_NO_SSL } void tst_QSslSocket::init() @@ -359,28 +399,29 @@ void tst_QSslSocket::init() if (setProxy) { #ifndef QT_NO_NETWORKPROXY QFETCH_GLOBAL(int, proxyType); - QString fluke = QHostInfo::fromName(QtNetworkSettings::serverName()).addresses().first().toString(); + const QString socksProxyAddr = QtNetworkSettings::socksProxyServerIp().toString(); + const QString httpProxyAddr = QtNetworkSettings::httpProxyServerIp().toString(); QNetworkProxy proxy; switch (proxyType) { case Socks5Proxy: - proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, fluke, 1080); + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, socksProxyAddr, 1080); break; case Socks5Proxy | AuthBasic: - proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, fluke, 1081); + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, socksProxyAddr, 1081); break; case HttpProxy | NoAuth: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, fluke, 3128); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, httpProxyAddr, 3128); break; case HttpProxy | AuthBasic: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, fluke, 3129); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, httpProxyAddr, 3129); break; case HttpProxy | AuthNtlm: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, fluke, 3130); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, httpProxyAddr, 3130); break; } QNetworkProxy::setApplicationProxy(proxy); @@ -541,7 +582,7 @@ void tst_QSslSocket::simpleConnect() connect(&socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(exitLoop())); // Start connecting - socket.connectToHost(QtNetworkSettings::serverName(), 993); + socket.connectToHost(QtNetworkSettings::imapServerName(), 993); QCOMPARE(socket.state(), QAbstractSocket::HostLookupState); enterLoop(10); @@ -596,7 +637,7 @@ void tst_QSslSocket::simpleConnectWithIgnore() connect(&socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(exitLoop())); // Start connecting - socket.connectToHost(QtNetworkSettings::serverName(), 993); + socket.connectToHost(QtNetworkSettings::imapServerName(), 993); QVERIFY(socket.state() != QAbstractSocket::UnconnectedState); // something must be in progress enterLoop(10); @@ -628,7 +669,7 @@ void tst_QSslSocket::sslErrors_data() QString name = QtNetworkSettings::serverLocalName(); QTest::newRow(qPrintable(name)) << name << 993; - name = QHostInfo::fromName(QtNetworkSettings::serverName()).addresses().first().toString(); + name = QtNetworkSettings::httpServerIp().toString(); QTest::newRow(qPrintable(name)) << name << 443; } @@ -638,10 +679,27 @@ void tst_QSslSocket::sslErrors() QFETCH(int, port); QSslSocketPtr socket = newSocket(); +#if QT_CONFIG(schannel) + // Needs to be < 1.2 because of the old certificate and <= 1.0 because of the mail server + socket->setProtocol(QSsl::SslProtocol::TlsV1_0); +#endif QSignalSpy sslErrorsSpy(socket.data(), SIGNAL(sslErrors(QList<QSslError>))); QSignalSpy peerVerifyErrorSpy(socket.data(), SIGNAL(peerVerifyError(QSslError))); - socket->connectToHostEncrypted(host, port); +#ifdef QT_TEST_SERVER + // On the old test server we had the same certificate on different services. + // The idea of this test is to fail with 'HostNameMismatch', when we're using + // either serverLocalName() or IP address directly. With Docker we connect + // to IMAP server, and we have to connect using imapServerName() and passing + // 'host' as peerVerificationName to the overload of connectToHostEncrypted(). + if (port == 993) { + socket->connectToHostEncrypted(QtNetworkSettings::imapServerName(), port, host); + } else +#endif // QT_TEST_SERVER + { + socket->connectToHostEncrypted(host, port); + } + if (!socket->waitForConnected()) QSKIP("Skipping flaky test - See QTBUG-29941"); socket->waitForEncrypted(10000); @@ -717,14 +775,17 @@ void tst_QSslSocket::connectToHostEncrypted() return; QSslSocketPtr socket = newSocket(); +#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); +#endif this->socket = socket.data(); - QVERIFY(socket->addCaCertificates(testDataDir + "certs/qt-test-server-cacert.pem")); + QVERIFY(socket->addCaCertificates(httpServerCertChainPath())); #ifdef QSSLSOCKET_CERTUNTRUSTED_WORKAROUND connect(socket.data(), SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(untrustedWorkaroundSlot(QList<QSslError>))); #endif - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); // This should pass unconditionally when using fluke's CA certificate. // or use untrusted certificate workaround @@ -737,7 +798,7 @@ void tst_QSslSocket::connectToHostEncrypted() QCOMPARE(socket->mode(), QSslSocket::SslClientMode); - socket->connectToHost(QtNetworkSettings::serverName(), 13); + socket->connectToHost(QtNetworkSettings::echoServerName(), 13); QCOMPARE(socket->mode(), QSslSocket::UnencryptedMode); @@ -750,16 +811,23 @@ void tst_QSslSocket::connectToHostEncryptedWithVerificationPeerName() return; QSslSocketPtr socket = newSocket(); +#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); +#endif this->socket = socket.data(); - socket->addCaCertificates(testDataDir + "certs/qt-test-server-cacert.pem"); + socket->addCaCertificates(httpServerCertChainPath()); #ifdef QSSLSOCKET_CERTUNTRUSTED_WORKAROUND connect(socket.data(), SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(untrustedWorkaroundSlot(QList<QSslError>))); #endif - // connect to the server with its local name, but use the full name for verification. - socket->connectToHostEncrypted(QtNetworkSettings::serverLocalName(), 443, QtNetworkSettings::serverName()); +#ifdef QT_TEST_SERVER + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443, QtNetworkSettings::httpServerName()); +#else + // Connect to the server with its local name, but use the full name for verification. + socket->connectToHostEncrypted(QtNetworkSettings::serverLocalName(), 443, QtNetworkSettings::httpServerName()); +#endif // This should pass unconditionally when using fluke's CA certificate. QFETCH_GLOBAL(bool, setProxy); @@ -781,7 +849,7 @@ void tst_QSslSocket::sessionCipher() this->socket = socket.data(); connect(socket.data(), SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); QVERIFY(socket->sessionCipher().isNull()); - socket->connectToHost(QtNetworkSettings::serverName(), 443 /* https */); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443 /* https */); QVERIFY2(socket->waitForConnected(10000), qPrintable(socket->errorString())); QVERIFY(socket->sessionCipher().isNull()); socket->startClientEncryption(); @@ -816,12 +884,12 @@ void tst_QSslSocket::localCertificate() // values. This test should just run the codepath inside qsslsocket_openssl.cpp QSslSocketPtr socket = newSocket(); - QList<QSslCertificate> localCert = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + QList<QSslCertificate> localCert = QSslCertificate::fromPath(httpServerCertChainPath()); socket->setCaCertificates(localCert); socket->setLocalCertificate(testDataDir + "certs/fluke.cert"); socket->setPrivateKey(testDataDir + "certs/fluke.key"); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH_GLOBAL(bool, setProxy); if (setProxy && !socket->waitForEncrypted(10000)) QSKIP("Skipping flaky test - See QTBUG-29941"); @@ -844,8 +912,7 @@ void tst_QSslSocket::peerCertificateChain() QSslSocketPtr socket = newSocket(); this->socket = socket.data(); - - QList<QSslCertificate> caCertificates = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + QList<QSslCertificate> caCertificates = QSslCertificate::fromPath(httpServerCertChainPath()); QCOMPARE(caCertificates.count(), 1); socket->addCaCertificates(caCertificates); #ifdef QSSLSOCKET_CERTUNTRUSTED_WORKAROUND @@ -853,7 +920,7 @@ void tst_QSslSocket::peerCertificateChain() this, SLOT(untrustedWorkaroundSlot(QList<QSslError>))); #endif - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QCOMPARE(socket->mode(), QSslSocket::UnencryptedMode); QVERIFY(socket->peerCertificateChain().isEmpty()); QFETCH_GLOBAL(bool, setProxy); @@ -882,7 +949,7 @@ void tst_QSslSocket::peerCertificateChain() QVERIFY(socket->waitForDisconnected()); // now do it again back to the original server - socket->connectToHost(QtNetworkSettings::serverName(), 443); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443); QCOMPARE(socket->mode(), QSslSocket::UnencryptedMode); QVERIFY(socket->peerCertificateChain().isEmpty()); QVERIFY2(socket->waitForConnected(10000), qPrintable(socket->errorString())); @@ -921,13 +988,13 @@ void tst_QSslSocket::privateKeyOpaque() // values. This test should just run the codepath inside qsslsocket_openssl.cpp QSslSocketPtr socket = newSocket(); - QList<QSslCertificate> localCert = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + QList<QSslCertificate> localCert = QSslCertificate::fromPath(httpServerCertChainPath()); socket->setCaCertificates(localCert); socket->setLocalCertificate(testDataDir + "certs/fluke.cert"); socket->setPrivateKey(QSslKey(reinterpret_cast<Qt::HANDLE>(pkey))); socket->setPeerVerifyMode(QSslSocket::QueryPeer); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH_GLOBAL(bool, setProxy); if (setProxy && !socket->waitForEncrypted(10000)) QSKIP("Skipping flaky test - See QTBUG-29941"); @@ -941,7 +1008,7 @@ void tst_QSslSocket::protocol() QSslSocketPtr socket = newSocket(); this->socket = socket.data(); - QList<QSslCertificate> certs = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + QList<QSslCertificate> certs = QSslCertificate::fromPath(httpServerCertChainPath()); socket->setCaCertificates(certs); #ifdef QSSLSOCKET_CERTUNTRUSTED_WORKAROUND @@ -952,34 +1019,16 @@ void tst_QSslSocket::protocol() QCOMPARE(socket->protocol(), QSsl::SecureProtocols); QFETCH_GLOBAL(bool, setProxy); { - // qt-test-server allows SSLv3. - socket->setProtocol(QSsl::SslV3); - QCOMPARE(socket->protocol(), QSsl::SslV3); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); - if (setProxy && !socket->waitForEncrypted()) - QSKIP("Skipping flaky test - See QTBUG-29941"); - QCOMPARE(socket->protocol(), QSsl::SslV3); - socket->abort(); - QCOMPARE(socket->protocol(), QSsl::SslV3); - socket->connectToHost(QtNetworkSettings::serverName(), 443); - QVERIFY2(socket->waitForConnected(), qPrintable(socket->errorString())); - socket->startClientEncryption(); - if (setProxy && !socket->waitForEncrypted()) - QSKIP("Skipping flaky test - See QTBUG-29941"); - QCOMPARE(socket->protocol(), QSsl::SslV3); - socket->abort(); - } - { // qt-test-server allows TLSV1. socket->setProtocol(QSsl::TlsV1_0); QCOMPARE(socket->protocol(), QSsl::TlsV1_0); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); if (setProxy && !socket->waitForEncrypted()) QSKIP("Skipping flaky test - See QTBUG-29941"); QCOMPARE(socket->protocol(), QSsl::TlsV1_0); socket->abort(); QCOMPARE(socket->protocol(), QSsl::TlsV1_0); - socket->connectToHost(QtNetworkSettings::serverName(), 443); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443); QVERIFY2(socket->waitForConnected(), qPrintable(socket->errorString())); socket->startClientEncryption(); if (setProxy && !socket->waitForEncrypted()) @@ -992,13 +1041,13 @@ void tst_QSslSocket::protocol() // qt-test-server probably doesn't allow TLSV1.1 socket->setProtocol(QSsl::TlsV1_1); QCOMPARE(socket->protocol(), QSsl::TlsV1_1); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); if (setProxy && !socket->waitForEncrypted()) QSKIP("Skipping flaky test - See QTBUG-29941"); QCOMPARE(socket->protocol(), QSsl::TlsV1_1); socket->abort(); QCOMPARE(socket->protocol(), QSsl::TlsV1_1); - socket->connectToHost(QtNetworkSettings::serverName(), 443); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443); QVERIFY2(socket->waitForConnected(), qPrintable(socket->errorString())); socket->startClientEncryption(); if (setProxy && !socket->waitForEncrypted()) @@ -1010,13 +1059,13 @@ void tst_QSslSocket::protocol() // qt-test-server probably doesn't allows TLSV1.2 socket->setProtocol(QSsl::TlsV1_2); QCOMPARE(socket->protocol(), QSsl::TlsV1_2); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); if (setProxy && !socket->waitForEncrypted()) QSKIP("Skipping flaky test - See QTBUG-29941"); QCOMPARE(socket->protocol(), QSsl::TlsV1_2); socket->abort(); QCOMPARE(socket->protocol(), QSsl::TlsV1_2); - socket->connectToHost(QtNetworkSettings::serverName(), 443); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443); QVERIFY2(socket->waitForConnected(), qPrintable(socket->errorString())); socket->startClientEncryption(); if (setProxy && !socket->waitForEncrypted()) @@ -1025,37 +1074,37 @@ void tst_QSslSocket::protocol() socket->abort(); } #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) +#ifdef TLS1_3_VERSION { - // qt-test-server allows SSLV2. - socket->setProtocol(QSsl::SslV2); - QCOMPARE(socket->protocol(), QSsl::SslV2); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + // qt-test-server probably doesn't allow TLSV1.3 + socket->setProtocol(QSsl::TlsV1_3); + QCOMPARE(socket->protocol(), QSsl::TlsV1_3); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); if (setProxy && !socket->waitForEncrypted()) - QSKIP("Skipping flaky test - See QTBUG-29941"); - QCOMPARE(socket->protocol(), QSsl::SslV2); + QSKIP("TLS 1.3 is not supported by the test server or the test is flaky - see QTBUG-29941"); + QCOMPARE(socket->protocol(), QSsl::TlsV1_3); socket->abort(); - QCOMPARE(socket->protocol(), QSsl::SslV2); - socket->connectToHost(QtNetworkSettings::serverName(), 443); - if (setProxy && !socket->waitForConnected()) - QSKIP("Skipping flaky test - See QTBUG-29941"); + QCOMPARE(socket->protocol(), QSsl::TlsV1_3); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443); + QVERIFY2(socket->waitForConnected(), qPrintable(socket->errorString())); socket->startClientEncryption(); if (setProxy && !socket->waitForEncrypted()) - QSKIP("Skipping flaky test - See QTBUG-29941"); + QSKIP("TLS 1.3 is not supported by the test server or the test is flaky - see QTBUG-29941"); + QCOMPARE(socket->sessionProtocol(), QSsl::TlsV1_3); socket->abort(); } -#endif +#endif // TLS1_3_VERSION { // qt-test-server allows SSLV3, so it allows AnyProtocol. socket->setProtocol(QSsl::AnyProtocol); QCOMPARE(socket->protocol(), QSsl::AnyProtocol); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); if (setProxy && !socket->waitForEncrypted()) QSKIP("Skipping flaky test - See QTBUG-29941"); QCOMPARE(socket->protocol(), QSsl::AnyProtocol); socket->abort(); QCOMPARE(socket->protocol(), QSsl::AnyProtocol); - socket->connectToHost(QtNetworkSettings::serverName(), 443); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443); QVERIFY2(socket->waitForConnected(), qPrintable(socket->errorString())); socket->startClientEncryption(); if (setProxy && !socket->waitForEncrypted()) @@ -1064,16 +1113,16 @@ void tst_QSslSocket::protocol() socket->abort(); } { - // qt-test-server allows SSLV3, so it allows NoSslV2 + // qt-test-server allows TlsV1, so it allows TlsV1SslV3 socket->setProtocol(QSsl::TlsV1SslV3); QCOMPARE(socket->protocol(), QSsl::TlsV1SslV3); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); if (setProxy && !socket->waitForEncrypted()) QSKIP("Skipping flaky test - See QTBUG-29941"); QCOMPARE(socket->protocol(), QSsl::TlsV1SslV3); socket->abort(); QCOMPARE(socket->protocol(), QSsl::TlsV1SslV3); - socket->connectToHost(QtNetworkSettings::serverName(), 443); + socket->connectToHost(QtNetworkSettings::httpServerName(), 443); if (setProxy && !socket->waitForConnected()) QSKIP("Skipping flaky test - See QTBUG-29941"); socket->startClientEncryption(); @@ -1187,119 +1236,50 @@ void tst_QSslSocket::protocolServerSide_data() QTest::addColumn<QSsl::SslProtocol>("clientProtocol"); QTest::addColumn<bool>("works"); -#if QT_CONFIG(opensslv11) -#if !defined(OPENSSL_NO_SSL2) - // OpenSSL 1.1 has removed SSL2 support. But there is no OPENSSL_NO_SSL2 macro ... -#define OPENSSL_NO_SSL2 -#endif // OPENSSL_NO_SSL2 -#endif // opensslv11 - -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("ssl2-ssl2") << QSsl::SslV2 << QSsl::SslV2 << false; // no idea why it does not work, but we don't care about SSL 2 -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("ssl3-ssl3") << QSsl::SslV3 << QSsl::SslV3 << true; -#endif QTest::newRow("tls1.0-tls1.0") << QSsl::TlsV1_0 << QSsl::TlsV1_0 << true; QTest::newRow("tls1ssl3-tls1ssl3") << QSsl::TlsV1SslV3 << QSsl::TlsV1SslV3 << true; QTest::newRow("any-any") << QSsl::AnyProtocol << QSsl::AnyProtocol << true; QTest::newRow("secure-secure") << QSsl::SecureProtocols << QSsl::SecureProtocols << true; -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("ssl2-ssl3") << QSsl::SslV2 << QSsl::SslV3 << false; - QTest::newRow("ssl2-tls1.0") << QSsl::SslV2 << QSsl::TlsV1_0 << false; - QTest::newRow("ssl2-tls1ssl3") << QSsl::SslV2 << QSsl::TlsV1SslV3 << false; - QTest::newRow("ssl2-secure") << QSsl::SslV2 << QSsl::SecureProtocols << false; - QTest::newRow("ssl2-any") << QSsl::SslV2 << QSsl::AnyProtocol << false; // no idea why it does not work, but we don't care about SSL 2 -#endif - -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) && !defined(OPENSSL_NO_SSL3) - QTest::newRow("ssl3-ssl2") << QSsl::SslV3 << QSsl::SslV2 << false; -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("ssl3-tls1.0") << QSsl::SslV3 << QSsl::TlsV1_0 << false; - QTest::newRow("ssl3-tls1ssl3") << QSsl::SslV3 << QSsl::TlsV1SslV3 << true; - QTest::newRow("ssl3-secure") << QSsl::SslV3 << QSsl::SecureProtocols << false; -#endif -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) && !defined(OPENSSL_NO_SSL3) - QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << false; // we won't set a SNI header here because we connect to a - // numerical IP, so OpenSSL will send a SSL 2 handshake -#elif !defined(OPENSSL_NO_SSL3) - QTest::newRow("ssl3-any") << QSsl::SslV3 << QSsl::AnyProtocol << true; -#endif - -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("tls1.0-ssl2") << QSsl::TlsV1_0 << QSsl::SslV2 << false; -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("tls1.0-ssl3") << QSsl::TlsV1_0 << QSsl::SslV3 << false; -#endif QTest::newRow("tls1-tls1ssl3") << QSsl::TlsV1_0 << QSsl::TlsV1SslV3 << true; QTest::newRow("tls1.0-secure") << QSsl::TlsV1_0 << QSsl::SecureProtocols << true; -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << false; // we won't set a SNI header here because we connect to a - // numerical IP, so OpenSSL will send a SSL 2 handshake -#else QTest::newRow("tls1.0-any") << QSsl::TlsV1_0 << QSsl::AnyProtocol << true; -#endif -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("tls1ssl3-ssl2") << QSsl::TlsV1SslV3 << QSsl::SslV2 << false; -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("tls1ssl3-ssl3") << QSsl::TlsV1SslV3 << QSsl::SslV3 << true; -#endif QTest::newRow("tls1ssl3-tls1.0") << QSsl::TlsV1SslV3 << QSsl::TlsV1_0 << true; QTest::newRow("tls1ssl3-secure") << QSsl::TlsV1SslV3 << QSsl::SecureProtocols << true; QTest::newRow("tls1ssl3-any") << QSsl::TlsV1SslV3 << QSsl::AnyProtocol << true; -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("secure-ssl2") << QSsl::SecureProtocols << QSsl::SslV2 << false; -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("secure-ssl3") << QSsl::SecureProtocols << QSsl::SslV3 << false; -#endif QTest::newRow("secure-tls1.0") << QSsl::SecureProtocols << QSsl::TlsV1_0 << true; QTest::newRow("secure-tls1ssl3") << QSsl::SecureProtocols << QSsl::TlsV1SslV3 << true; QTest::newRow("secure-any") << QSsl::SecureProtocols << QSsl::AnyProtocol << true; -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("any-ssl2") << QSsl::AnyProtocol << QSsl::SslV2 << false; // no idea why it does not work, but we don't care about SSL 2 -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("any-ssl3") << QSsl::AnyProtocol << QSsl::SslV3 << true; -#endif - -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("tls1.0orlater-ssl2") << QSsl::TlsV1_0OrLater << QSsl::SslV2 << false; -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("tls1.0orlater-ssl3") << QSsl::TlsV1_0OrLater << QSsl::SslV3 << false; -#endif QTest::newRow("tls1.0orlater-tls1.0") << QSsl::TlsV1_0OrLater << QSsl::TlsV1_0 << true; QTest::newRow("tls1.0orlater-tls1.1") << QSsl::TlsV1_0OrLater << QSsl::TlsV1_1 << true; QTest::newRow("tls1.0orlater-tls1.2") << QSsl::TlsV1_0OrLater << QSsl::TlsV1_2 << true; - -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("tls1.1orlater-ssl2") << QSsl::TlsV1_1OrLater << QSsl::SslV2 << false; -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("tls1.1orlater-ssl3") << QSsl::TlsV1_1OrLater << QSsl::SslV3 << false; +#ifdef TLS1_3_VERSION + QTest::newRow("tls1.0orlater-tls1.3") << QSsl::TlsV1_0OrLater << QSsl::TlsV1_3 << true; #endif QTest::newRow("tls1.1orlater-tls1.0") << QSsl::TlsV1_1OrLater << QSsl::TlsV1_0 << false; QTest::newRow("tls1.1orlater-tls1.1") << QSsl::TlsV1_1OrLater << QSsl::TlsV1_1 << true; QTest::newRow("tls1.1orlater-tls1.2") << QSsl::TlsV1_1OrLater << QSsl::TlsV1_2 << true; -#if !defined(OPENSSL_NO_SSL2) && !defined(QT_SECURETRANSPORT) - QTest::newRow("tls1.2orlater-ssl2") << QSsl::TlsV1_2OrLater << QSsl::SslV2 << false; -#endif -#if !defined(OPENSSL_NO_SSL3) - QTest::newRow("tls1.2orlater-ssl3") << QSsl::TlsV1_2OrLater << QSsl::SslV3 << false; +#ifdef TLS1_3_VERSION + QTest::newRow("tls1.1orlater-tls1.3") << QSsl::TlsV1_1OrLater << QSsl::TlsV1_3 << true; #endif + QTest::newRow("tls1.2orlater-tls1.0") << QSsl::TlsV1_2OrLater << QSsl::TlsV1_0 << false; QTest::newRow("tls1.2orlater-tls1.1") << QSsl::TlsV1_2OrLater << QSsl::TlsV1_1 << false; QTest::newRow("tls1.2orlater-tls1.2") << QSsl::TlsV1_2OrLater << QSsl::TlsV1_2 << true; +#ifdef TLS1_3_VERSION + QTest::newRow("tls1.2orlater-tls1.3") << QSsl::TlsV1_2OrLater << QSsl::TlsV1_3 << true; +#endif +#ifdef TLS1_3_VERSION + QTest::newRow("tls1.3orlater-tls1.0") << QSsl::TlsV1_3OrLater << QSsl::TlsV1_0 << false; + QTest::newRow("tls1.3orlater-tls1.1") << QSsl::TlsV1_3OrLater << QSsl::TlsV1_1 << false; + QTest::newRow("tls1.3orlater-tls1.2") << QSsl::TlsV1_3OrLater << QSsl::TlsV1_2 << false; + QTest::newRow("tls1.3orlater-tls1.3") << QSsl::TlsV1_3OrLater << QSsl::TlsV1_3 << true; +#endif // TLS1_3_VERSION QTest::newRow("any-tls1.0") << QSsl::AnyProtocol << QSsl::TlsV1_0 << true; QTest::newRow("any-tls1ssl3") << QSsl::AnyProtocol << QSsl::TlsV1SslV3 << true; @@ -1343,13 +1323,19 @@ void tst_QSslSocket::protocolServerSide() QAbstractSocket::SocketState expectedState = (works) ? QAbstractSocket::ConnectedState : QAbstractSocket::UnconnectedState; // Determine whether the client or the server caused the event loop // to quit due to a socket error, and investigate the culprit. - if (server.socket->error() != QAbstractSocket::UnknownSocketError) { + if (client.error() != QAbstractSocket::UnknownSocketError) { + // It can happen that the client, after TCP connection established, before + // incomingConnection() slot fired, hits TLS initialization error and stops + // the loop, so the server socket is not created yet. + if (server.socket) + QVERIFY(server.socket->error() == QAbstractSocket::UnknownSocketError); + + QCOMPARE(client.state(), expectedState); + } else if (server.socket->error() != QAbstractSocket::UnknownSocketError) { QVERIFY(client.error() == QAbstractSocket::UnknownSocketError); QCOMPARE(server.socket->state(), expectedState); - } else if (client.error() != QAbstractSocket::UnknownSocketError) { - QVERIFY(server.socket->error() == QAbstractSocket::UnknownSocketError); - QCOMPARE(client.state(), expectedState); } + QCOMPARE(client.isEncrypted(), works); } @@ -1491,6 +1477,11 @@ void tst_QSslSocket::setLocalCertificateChain() loop.exec(); QList<QSslCertificate> chain = socket->peerCertificateChain(); +#if QT_CONFIG(schannel) + QEXPECT_FAIL("", "Schannel cannot send intermediate certificates not " + "located in a system certificate store", + Abort); +#endif QCOMPARE(chain.size(), 2); QCOMPARE(chain[0].serialNumber(), QByteArray("10:a0:ad:77:58:f6:6e:ae:46:93:a3:43:f9:59:8a:9e")); QCOMPARE(chain[1].serialNumber(), QByteArray("3b:eb:99:c5:ea:d8:0b:5d:0b:97:5d:4f:06:75:4b:e1")); @@ -1543,7 +1534,7 @@ void tst_QSslSocket::setSslConfiguration_data() QTest::newRow("empty") << QSslConfiguration() << false; QSslConfiguration conf = QSslConfiguration::defaultConfiguration(); QTest::newRow("default") << conf << false; // does not contain test server cert - QList<QSslCertificate> testServerCert = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + QList<QSslCertificate> testServerCert = QSslCertificate::fromPath(httpServerCertChainPath()); conf.setCaCertificates(testServerCert); QTest::newRow("set-root-cert") << conf << true; conf.setProtocol(QSsl::SecureProtocols); @@ -1558,8 +1549,11 @@ void tst_QSslSocket::setSslConfiguration() QSslSocketPtr socket = newSocket(); QFETCH(QSslConfiguration, configuration); socket->setSslConfiguration(configuration); +#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); +#endif this->socket = socket.data(); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH(bool, works); QFETCH_GLOBAL(bool, setProxy); if (setProxy && (socket->waitForEncrypted(10000) != works)) @@ -1579,7 +1573,7 @@ void tst_QSslSocket::waitForEncrypted() this->socket = socket.data(); connect(this->socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH_GLOBAL(bool, setProxy); if (setProxy && !socket->waitForEncrypted(10000)) @@ -1598,7 +1592,7 @@ void tst_QSslSocket::waitForEncryptedMinusOne() this->socket = socket.data(); connect(this->socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH_GLOBAL(bool, setProxy); if (setProxy && !socket->waitForEncrypted(-1)) @@ -1614,7 +1608,7 @@ void tst_QSslSocket::waitForConnectedEncryptedReadyRead() this->socket = socket.data(); connect(this->socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 993); + socket->connectToHostEncrypted(QtNetworkSettings::imapServerName(), 993); QVERIFY2(socket->waitForConnected(10000), qPrintable(socket->errorString())); QFETCH_GLOBAL(bool, setProxy); @@ -1646,7 +1640,7 @@ void tst_QSslSocket::addDefaultCaCertificate() // Reset the global CA chain QSslSocket::setDefaultCaCertificates(QSslSocket::systemCaCertificates()); - QList<QSslCertificate> flukeCerts = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + QList<QSslCertificate> flukeCerts = QSslCertificate::fromPath(httpServerCertChainPath()); QCOMPARE(flukeCerts.size(), 1); QList<QSslCertificate> globalCerts = QSslSocket::defaultCaCertificates(); QVERIFY(!globalCerts.contains(flukeCerts.first())); @@ -1770,6 +1764,25 @@ void tst_QSslSocket::isMatchingHostname() QCOMPARE(QSslSocketPrivate::isMatchingHostname(cert, QString::fromUtf8("foo.foo.xn--schufele-2za.de")), false); QCOMPARE(QSslSocketPrivate::isMatchingHostname(cert, QString::fromUtf8("www.schaufele.de")), false); QCOMPARE(QSslSocketPrivate::isMatchingHostname(cert, QString::fromUtf8("www.schufele.de")), false); + + /* Generated with the following command (only valid with openssl >= 1.1.1 due to "-addext"): + openssl req -x509 -nodes -subj "/CN=example.org" \ + -addext "subjectAltName = IP:192.5.8.16, IP:fe80::3c29:2fa1:dd44:765" \ + -newkey rsa:2048 -keyout /dev/null -out subjectAltNameIP.crt + */ + certs = QSslCertificate::fromPath(testDataDir + "certs/subjectAltNameIP.crt"); + QVERIFY(!certs.isEmpty()); + cert = certs.first(); + QCOMPARE(QSslSocketPrivate::isMatchingHostname(cert, QString::fromUtf8("192.5.8.16")), true); + QCOMPARE(QSslSocketPrivate::isMatchingHostname(cert, QString::fromUtf8("fe80::3c29:2fa1:dd44:765")), true); + + /* openssl req -x509 -nodes -new -newkey rsa -keyout /dev/null -out 127-0-0-1-as-CN.crt \ + -subj "/CN=127.0.0.1" + */ + certs = QSslCertificate::fromPath(testDataDir + "certs/127-0-0-1-as-CN.crt"); + QVERIFY(!certs.isEmpty()); + cert = certs.first(); + QCOMPARE(QSslSocketPrivate::isMatchingHostname(cert, QString::fromUtf8("127.0.0.1")), true); } void tst_QSslSocket::wildcard() @@ -1998,7 +2011,7 @@ void tst_QSslSocket::setReadBufferSize_task_250027() QSslSocketPtr socket = newSocket(); socket->setReadBufferSize(1000); // limit to 1 kb/sec socket->ignoreSslErrors(); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); socket->ignoreSslErrors(); QVERIFY2(socket->waitForConnected(10*1000), qPrintable(socket->errorString())); if (setProxy && !socket->waitForEncrypted(10*1000)) @@ -2011,7 +2024,7 @@ void tst_QSslSocket::setReadBufferSize_task_250027() // provoke a response by sending a request socket->write("GET /qtest/fluke.gif HTTP/1.0\n"); // this file is 27 KB socket->write("Host: "); - socket->write(QtNetworkSettings::serverName().toLocal8Bit().constData()); + socket->write(QtNetworkSettings::httpServerName().toLocal8Bit().constData()); socket->write("\n"); socket->write("Connection: close\n"); socket->write("\n"); @@ -2126,7 +2139,7 @@ protected: // delayed reading data QTest::qSleep(100); - if (!socket->waitForReadyRead(2000)) + if (!socket->waitForReadyRead(2000) && socket->bytesAvailable() == 0) return; // error socket->readAll(); dataReadSemaphore.release(); @@ -2197,7 +2210,7 @@ void tst_QSslSocket::waitForMinusOne() socket.write("How are you doing?"); QVERIFY(socket.bytesToWrite() != 0); QVERIFY(socket.waitForBytesWritten(-1)); - QVERIFY(server.dataReadSemaphore.tryAcquire(1, 2000)); + QVERIFY(server.dataReadSemaphore.tryAcquire(1, 2500)); // third verification: it should wait for 100 ms: QVERIFY(socket.waitForReadyRead(-1)); @@ -2252,6 +2265,9 @@ void tst_QSslSocket::verifyMode() return; QSslSocket socket; +#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 + socket.setProtocol(QSsl::SslProtocol::TlsV1_1); +#endif QCOMPARE(socket.peerVerifyMode(), QSslSocket::AutoVerifyPeer); socket.setPeerVerifyMode(QSslSocket::VerifyNone); QCOMPARE(socket.peerVerifyMode(), QSslSocket::VerifyNone); @@ -2259,7 +2275,7 @@ void tst_QSslSocket::verifyMode() socket.setPeerVerifyMode(QSslSocket::VerifyPeer); QCOMPARE(socket.peerVerifyMode(), QSslSocket::VerifyPeer); - socket.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); if (socket.waitForEncrypted()) QSKIP("Skipping flaky test - See QTBUG-29941"); @@ -2298,7 +2314,7 @@ void tst_QSslSocket::verifyDepth() void tst_QSslSocket::disconnectFromHostWhenConnecting() { QSslSocketPtr socket = newSocket(); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 993); + socket->connectToHostEncrypted(QtNetworkSettings::imapServerName(), 993); socket->ignoreSslErrors(); socket->write("XXXX LOGOUT\r\n"); QAbstractSocket::SocketState state = socket->state(); @@ -2327,7 +2343,7 @@ void tst_QSslSocket::disconnectFromHostWhenConnecting() void tst_QSslSocket::disconnectFromHostWhenConnected() { QSslSocketPtr socket = newSocket(); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 993); + socket->connectToHostEncrypted(QtNetworkSettings::imapServerName(), 993); socket->ignoreSslErrors(); if (!socket->waitForEncrypted(5000)) QSKIP("Skipping flaky test - See QTBUG-29941"); @@ -2414,13 +2430,13 @@ void tst_QSslSocket::resetProxy() // make sure the connection works, and then set a nonsense proxy, and then // make sure it does not work anymore QSslSocket socket; - socket.addCaCertificates(testDataDir + "certs/qt-test-server-cacert.pem"); + socket.addCaCertificates(httpServerCertChainPath()); socket.setProxy(goodProxy); - socket.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QVERIFY2(socket.waitForConnected(10000), qPrintable(socket.errorString())); socket.abort(); socket.setProxy(badProxy); - socket.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QVERIFY(! socket.waitForConnected(10000)); // don't forget to login @@ -2433,13 +2449,13 @@ void tst_QSslSocket::resetProxy() // set the nonsense proxy and make sure the connection does not work, // and then set the right proxy and make sure it works QSslSocket socket2; - socket2.addCaCertificates(testDataDir + "certs/qt-test-server-cacert.pem"); + socket2.addCaCertificates(httpServerCertChainPath()); socket2.setProxy(badProxy); - socket2.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket2.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QVERIFY(! socket2.waitForConnected(10000)); socket2.abort(); socket2.setProxy(goodProxy); - socket2.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket2.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QVERIFY2(socket2.waitForConnected(10000), qPrintable(socket.errorString())); #endif // QT_NO_NETWORKPROXY } @@ -2452,7 +2468,7 @@ void tst_QSslSocket::ignoreSslErrorsList_data() // construct the list of errors that we will get with the SSL handshake and that we will ignore QList<QSslError> expectedSslErrors; // fromPath gives us a list of certs, but it actually only contains one - QList<QSslCertificate> certs = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + QList<QSslCertificate> certs = QSslCertificate::fromPath(httpServerCertChainPath()); QSslError rightError(FLUKE_CERTIFICATE_ERROR, certs.at(0)); QSslError wrongError(FLUKE_CERTIFICATE_ERROR); @@ -2483,7 +2499,7 @@ void tst_QSslSocket::ignoreSslErrorsList() QFETCH(int, expectedSslErrorSignalCount); QSignalSpy sslErrorsSpy(&socket, SIGNAL(error(QAbstractSocket::SocketError))); - socket.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); bool expectEncryptionSuccess = (expectedSslErrorSignalCount == 0); if (socket.waitForEncrypted(10000) != expectEncryptionSuccess) @@ -2514,7 +2530,7 @@ void tst_QSslSocket::ignoreSslErrorsListWithSlot() this, SLOT(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*))); connect(&socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorListSlot(QList<QSslError>))); - socket.connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH(int, expectedSslErrorSignalCount); bool expectEncryptionSuccess = (expectedSslErrorSignalCount == 0); @@ -2552,15 +2568,18 @@ void tst_QSslSocket::abortOnSslErrors() void tst_QSslSocket::readFromClosedSocket() { QSslSocketPtr socket = newSocket(); +#if QT_CONFIG(schannel) // old certificate not supported with TLS 1.2 + socket->setProtocol(QSsl::SslProtocol::TlsV1_1); +#endif socket->ignoreSslErrors(); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); socket->ignoreSslErrors(); socket->waitForConnected(); socket->waitForEncrypted(); // provoke a response by sending a request socket->write("GET /qtest/fluke.gif HTTP/1.1\n"); socket->write("Host: "); - socket->write(QtNetworkSettings::serverName().toLocal8Bit().constData()); + socket->write(QtNetworkSettings::httpServerName().toLocal8Bit().constData()); socket->write("\n"); socket->write("\n"); socket->waitForBytesWritten(); @@ -2584,7 +2603,7 @@ void tst_QSslSocket::writeBigChunk() this->socket = socket.data(); connect(this->socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QByteArray data; data.resize(1024*1024*10); // 10 MB @@ -2743,7 +2762,9 @@ void tst_QSslSocket::resume_data() QTest::newRow("DoNotIgnoreErrors") << false << QList<QSslError>() << false; QTest::newRow("ignoreAllErrors") << true << QList<QSslError>() << true; - QList<QSslCertificate> certs = QSslCertificate::fromPath(testDataDir + "certs/qt-test-server-cacert.pem"); + // Note, httpServerCertChainPath() it's ... because we use the same certificate on + // different services. We'll be actually connecting to IMAP server. + QList<QSslCertificate> certs = QSslCertificate::fromPath(httpServerCertChainPath()); QSslError rightError(FLUKE_CERTIFICATE_ERROR, certs.at(0)); QSslError wrongError(FLUKE_CERTIFICATE_ERROR); errorsList.append(wrongError); @@ -2776,7 +2797,7 @@ void tst_QSslSocket::resume() this, SLOT(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*))); connect(&socket, SIGNAL(error(QAbstractSocket::SocketError)), &QTestEventLoop::instance(), SLOT(exitLoop())); - socket.connectToHostEncrypted(QtNetworkSettings::serverName(), 993); + socket.connectToHostEncrypted(QtNetworkSettings::imapServerName(), 993); QTestEventLoop::instance().enterLoop(10); QFETCH_GLOBAL(bool, setProxy); if (setProxy && QTestEventLoop::instance().timeout()) @@ -3279,14 +3300,14 @@ void tst_QSslSocket::verifyClientCertificate_data() void tst_QSslSocket::verifyClientCertificate() { -#ifdef QT_SECURETRANSPORT +#if QT_CONFIG(securetransport) // We run both client and server on the same machine, // this means, client can update keychain with client's certificates, // and server later will use the same certificates from the same // keychain thus making tests fail (wrong number of certificates, // success instead of failure etc.). QSKIP("This test can not work with Secure Transport"); -#endif +#endif // QT_CONFIG(securetransport) #ifdef Q_OS_WINRT QSKIP("Server-side encryption is not implemented on WinRT."); #endif @@ -3300,6 +3321,11 @@ void tst_QSslSocket::verifyClientCertificate() return; QFETCH(QSslSocket::PeerVerifyMode, peerVerifyMode); +#if QT_CONFIG(schannel) + if (peerVerifyMode == QSslSocket::QueryPeer || peerVerifyMode == QSslSocket::AutoVerifyPeer) + QSKIP("Schannel doesn't tackle requesting a certificate and not receiving one."); +#endif + SslServer server; server.addCaCertificates = testDataDir + "certs/bogus-ca.crt"; server.ignoreSslErrors = false; @@ -3330,6 +3356,14 @@ void tst_QSslSocket::verifyClientCertificate() // check server socket QVERIFY(server.socket); +#if QT_CONFIG(schannel) + // As additional info to the QEXPECT_FAIL below: + // This is because schannel treats it as an error (client side) if you don't have a certificate + // when asked for one. + QEXPECT_FAIL("NoCert:VerifyPeer", + "The client disconnects first, which causes the event " + "loop to quit before the server disconnects.", Continue); +#endif QCOMPARE(server.socket->state(), expectedState); QCOMPARE(server.socket->isEncrypted(), works); @@ -3338,6 +3372,13 @@ void tst_QSslSocket::verifyClientCertificate() QVERIFY(server.socket->peerCertificateChain().isEmpty()); } else { QCOMPARE(server.socket->peerCertificate(), clientCerts.first()); +#if QT_CONFIG(schannel) + if (clientCerts.count() == 1 && server.socket->peerCertificateChain().count() == 2) { + QEXPECT_FAIL("", + "Schannel includes the entire chain, not just the leaf and intermediates", + Continue); + } +#endif QCOMPARE(server.socket->peerCertificateChain(), clientCerts); } @@ -3348,7 +3389,7 @@ void tst_QSslSocket::verifyClientCertificate() void tst_QSslSocket::readBufferMaxSize() { -#ifdef QT_SECURETRANSPORT +#if QT_CONFIG(securetransport) || QT_CONFIG(schannel) // QTBUG-55170: // SecureTransport back-end was ignoring read-buffer // size limit, resulting (potentially) in a constantly @@ -3405,7 +3446,7 @@ void tst_QSslSocket::readBufferMaxSize() QCOMPARE(client->bytesAvailable() + readSoFar, message.size()); #else // Not needed, QSslSocket works correctly with other back-ends. -#endif +#endif // QT_CONFIG(securetransport) || QT_CONFIG(schannel) } void tst_QSslSocket::setEmptyDefaultConfiguration() // this test should be last, as it has some side effects @@ -3422,12 +3463,57 @@ void tst_QSslSocket::setEmptyDefaultConfiguration() // this test should be last, socket = client.data(); connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); - socket->connectToHostEncrypted(QtNetworkSettings::serverName(), 443); + socket->connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); QFETCH_GLOBAL(bool, setProxy); if (setProxy && socket->waitForEncrypted(4000)) QSKIP("Skipping flaky test - See QTBUG-29941"); } +void tst_QSslSocket::allowedProtocolNegotiation() +{ +#ifndef ALPN_SUPPORTED + QSKIP("ALPN is unsupported, skipping test"); +#endif + +#if QT_CONFIG(schannel) + if (QOperatingSystemVersion::current() < QOperatingSystemVersion::Windows8_1) + QSKIP("ALPN is not supported on this version of Windows using Schannel."); +#endif + + QFETCH_GLOBAL(bool, setProxy); + if (setProxy) + return; + + + const QByteArray expectedNegotiated("cool-protocol"); + QList<QByteArray> serverProtos; + serverProtos << expectedNegotiated << "not-so-cool-protocol"; + QList<QByteArray> clientProtos; + clientProtos << "uber-cool-protocol" << expectedNegotiated << "not-so-cool-protocol"; + + + SslServer server; + server.config.setAllowedNextProtocols(serverProtos); + QVERIFY(server.listen()); + + QSslSocket clientSocket; + auto configuration = clientSocket.sslConfiguration(); + configuration.setAllowedNextProtocols(clientProtos); + clientSocket.setSslConfiguration(configuration); + + clientSocket.connectToHostEncrypted("127.0.0.1", server.serverPort()); + clientSocket.ignoreSslErrors(); + + QEventLoop loop; + QTimer::singleShot(5000, &loop, SLOT(quit())); + connect(&clientSocket, SIGNAL(encrypted()), &loop, SLOT(quit())); + loop.exec(); + + QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() == + clientSocket.sslConfiguration().nextNegotiatedProtocol()); + QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() == expectedNegotiated); +} + #ifndef QT_NO_OPENSSL class PskProvider : public QObject { @@ -3505,7 +3591,12 @@ protected: socket = new QSslSocket(this); socket->setSslConfiguration(config); socket->setPeerVerifyMode(peerVerifyMode); - socket->setProtocol(protocol); + if (QSslSocket::sslLibraryVersionNumber() > 0x10101000L) { + // FIXME. With OpenSSL 1.1.1 and TLS 1.3 PSK auto-test is broken. + socket->setProtocol(QSsl::TlsV1_2); + } else { + socket->setProtocol(protocol); + } if (ignoreSslErrors) connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot())); @@ -3836,55 +3927,24 @@ void tst_QSslSocket::ephemeralServerKey() QCOMPARE(client->sslConfiguration().ephemeralServerKey().isNull(), emptyKey); } -void tst_QSslSocket::allowedProtocolNegotiation() -{ -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT) - - QFETCH_GLOBAL(bool, setProxy); - if (setProxy) - return; - - const QByteArray expectedNegotiated("cool-protocol"); - QList<QByteArray> serverProtos; - serverProtos << expectedNegotiated << "not-so-cool-protocol"; - QList<QByteArray> clientProtos; - clientProtos << "uber-cool-protocol" << expectedNegotiated << "not-so-cool-protocol"; - - - SslServer server; - server.config.setAllowedNextProtocols(serverProtos); - QVERIFY(server.listen()); - - QSslSocket clientSocket; - auto configuration = clientSocket.sslConfiguration(); - configuration.setAllowedNextProtocols(clientProtos); - clientSocket.setSslConfiguration(configuration); - - clientSocket.connectToHostEncrypted("127.0.0.1", server.serverPort()); - clientSocket.ignoreSslErrors(); - - QEventLoop loop; - QTimer::singleShot(5000, &loop, SLOT(quit())); - connect(&clientSocket, SIGNAL(encrypted()), &loop, SLOT(quit())); - loop.exec(); - - QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() == - clientSocket.sslConfiguration().nextNegotiatedProtocol()); - QVERIFY(server.socket->sslConfiguration().nextNegotiatedProtocol() == expectedNegotiated); - -#endif // OPENSSL_VERSION_NUMBER -} - void tst_QSslSocket::pskServer() { #ifdef Q_OS_WINRT QSKIP("Server-side encryption is not implemented on WinRT."); #endif +#if QT_CONFIG(schannel) + QSKIP("Schannel does not have PSK support implemented."); +#endif QFETCH_GLOBAL(bool, setProxy); if (!QSslSocket::supportsSsl() || setProxy) return; QSslSocket socket; +#ifdef TLS1_3_VERSION + // FIXME: with OpenSSL 1.1.1 (thus TLS 1.3) test is known to fail + // due to the different PSK mechanism (?) - to be investigated ASAP. + socket.setProtocol(QSsl::TlsV1_2); +#endif this->socket = &socket; QSignalSpy connectedSpy(&socket, SIGNAL(connected())); @@ -3970,6 +4030,11 @@ void tst_QSslSocket::signatureAlgorithm_data() if (QSslSocket::sslLibraryVersionNumber() < 0x10002000L) QSKIP("Signature algorithms cannot be tested with OpenSSL < 1.0.2"); + if (QSslSocket::sslLibraryVersionNumber() >= 0x10101000L) { + // FIXME: investigate if this test makes any sense with TLS 1.3. + QSKIP("Test is not valid for TLS 1.3/OpenSSL 1.1.1"); + } + QTest::addColumn<QByteArrayList>("serverSigAlgPairs"); QTest::addColumn<QSsl::SslProtocol>("serverProtocol"); QTest::addColumn<QByteArrayList>("clientSigAlgPairs"); @@ -4107,13 +4172,81 @@ void tst_QSslSocket::forwardReadChannelFinished() }); connect(&socket, &QSslSocket::readChannelFinished, &QTestEventLoop::instance(), &QTestEventLoop::exitLoop); - socket.connectToHostEncrypted(QtNetworkSettings::serverLocalName(), 443); + socket.connectToHostEncrypted(QtNetworkSettings::httpServerName(), 443); enterLoop(10); QVERIFY(readChannelFinishedSpy.count()); } #endif // QT_NO_OPENSSL +void tst_QSslSocket::disabledProtocols_data() +{ + QTest::addColumn<QSsl::SslProtocol>("disabledProtocol"); + QTest::newRow("SslV2") << QSsl::SslV2; + QTest::newRow("SslV3") << QSsl::SslV3; +} + +void tst_QSslSocket::disabledProtocols() +{ + QFETCH_GLOBAL(const bool, setProxy); + if (setProxy) + return; + + QFETCH(const QSsl::SslProtocol, disabledProtocol); + const int timeoutMS = 500; + // Test a client socket. + { + // 0. connectToHostEncrypted: client-side, non-blocking API, error is discovered + // early, preventing any real connection from ever starting. + QSslSocket socket; + socket.setProtocol(disabledProtocol); + QCOMPARE(socket.error(), QAbstractSocket::UnknownSocketError); + socket.connectToHostEncrypted(QStringLiteral("doesnotmatter.org"), 1010); + QCOMPARE(socket.error(), QAbstractSocket::SslInvalidUserDataError); + QCOMPARE(socket.state(), QAbstractSocket::UnconnectedState); + } + { + // 1. startClientEncryption: client-side, non blocking API, but wants a socket in + // the 'connected' state (otherwise just returns false not setting any error code). + SslServer server; + QVERIFY(server.listen()); + + QSslSocket socket; + QCOMPARE(socket.error(), QAbstractSocket::UnknownSocketError); + + socket.connectToHost(QHostAddress::LocalHost, server.serverPort()); + QVERIFY(socket.waitForConnected(timeoutMS)); + + socket.setProtocol(disabledProtocol); + socket.startClientEncryption(); + QCOMPARE(socket.error(), QAbstractSocket::SslInvalidUserDataError); + } + { + // 2. waitForEncrypted: client-side, blocking API plus requires from us + // to call ... connectToHostEncrypted(), which will notice an error and + // will prevent any connect at all. Nothing to test. + } + + // Test a server side, relatively simple: server does not connect, it listens/accepts + // and then calls startServerEncryption() (which must fall). + { + SslServer server; + server.protocol = disabledProtocol; + QVERIFY(server.listen()); + + QTestEventLoop loop; + connect(&server, &SslServer::socketError, [&loop](QAbstractSocket::SocketError) + {loop.exitLoop();}); + + QTcpSocket client; + client.connectToHost(QHostAddress::LocalHost, server.serverPort()); + loop.enterLoopMSecs(timeoutMS); + QVERIFY(!loop.timeout()); + QVERIFY(server.socket); + QCOMPARE(server.socket->error(), QAbstractSocket::SslInvalidUserDataError); + } +} + #endif // QT_NO_SSL QTEST_MAIN(tst_QSslSocket) diff --git a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/BLACKLIST b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/BLACKLIST deleted file mode 100644 index c9b628d79b..0000000000 --- a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/BLACKLIST +++ /dev/null @@ -1,2 +0,0 @@ -[onDemandRootCertLoadingMemberMethods] -linux diff --git a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/qsslsocket_onDemandCertificates_member.pro b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/qsslsocket_onDemandCertificates_member.pro index 05755ff606..3e3ebeb358 100644 --- a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/qsslsocket_onDemandCertificates_member.pro +++ b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/qsslsocket_onDemandCertificates_member.pro @@ -17,3 +17,9 @@ win32 { DEFINES += SRCDIR=\\\"$$PWD/\\\" requires(qtConfig(private_tests)) + +# DOCKERTODO: linux, docker is disabled on macOS/Windows. +linux { + QT_TEST_SERVER_LIST = squid danted + include($$dirname(_QMAKE_CONF_)/tests/auto/testserver.pri) +} diff --git a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp index 25c2701f69..4199c0f465 100644 --- a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp +++ b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp @@ -102,7 +102,15 @@ void tst_QSslSocket_onDemandCertificates_member::initTestCase_data() void tst_QSslSocket_onDemandCertificates_member::initTestCase() { +#ifdef QT_TEST_SERVER + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::socksProxyServerName(), 1080)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::socksProxyServerName(), 1081)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3128)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3129)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3130)); +#else QVERIFY(QtNetworkSettings::verifyTestNetworkSettings()); +#endif // QT_TEST_SERVER } void tst_QSslSocket_onDemandCertificates_member::init() @@ -110,28 +118,29 @@ void tst_QSslSocket_onDemandCertificates_member::init() QFETCH_GLOBAL(bool, setProxy); if (setProxy) { QFETCH_GLOBAL(int, proxyType); - QString testServer = QHostInfo::fromName(QtNetworkSettings::serverName()).addresses().first().toString(); + const auto socksAddr = QtNetworkSettings::socksProxyServerIp().toString(); + const auto squidAddr = QtNetworkSettings::httpProxyServerIp().toString(); QNetworkProxy proxy; switch (proxyType) { case Socks5Proxy: - proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1080); + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, socksAddr, 1080); break; case Socks5Proxy | AuthBasic: - proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1081); + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, socksAddr, 1081); break; case HttpProxy | NoAuth: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3128); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, squidAddr, 3128); break; case HttpProxy | AuthBasic: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3129); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, squidAddr, 3129); break; case HttpProxy | AuthNtlm: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3130); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, squidAddr, 3130); break; } QNetworkProxy::setApplicationProxy(proxy); diff --git a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro index c345d7379f..1ad42b309e 100644 --- a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro +++ b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro @@ -16,3 +16,9 @@ win32 { DEFINES += SRCDIR=\\\"$$PWD/\\\" requires(qtConfig(private_tests)) + +#DOCKERTODO Linux, docker is disabled on macOS and Windows. +linux { + QT_TEST_SERVER_LIST = squid danted + include($$dirname(_QMAKE_CONF_)/tests/auto/testserver.pri) +} diff --git a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp index 503edc0bff..671a21b1c2 100644 --- a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp +++ b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp @@ -98,7 +98,15 @@ void tst_QSslSocket_onDemandCertificates_static::initTestCase_data() void tst_QSslSocket_onDemandCertificates_static::initTestCase() { +#ifdef QT_TEST_SERVER + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::socksProxyServerName(), 1080)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::socksProxyServerName(), 1081)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3128)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3129)); + QVERIFY(QtNetworkSettings::verifyConnection(QtNetworkSettings::httpProxyServerName(), 3130)); +#else QVERIFY(QtNetworkSettings::verifyTestNetworkSettings()); +#endif // QT_TEST_SERVER } void tst_QSslSocket_onDemandCertificates_static::init() @@ -106,28 +114,30 @@ void tst_QSslSocket_onDemandCertificates_static::init() QFETCH_GLOBAL(bool, setProxy); if (setProxy) { QFETCH_GLOBAL(int, proxyType); - QString testServer = QHostInfo::fromName(QtNetworkSettings::serverName()).addresses().first().toString(); + const auto socksAddr = QtNetworkSettings::socksProxyServerIp().toString(); + const auto squidAddr = QtNetworkSettings::httpProxyServerIp().toString(); + QNetworkProxy proxy; switch (proxyType) { case Socks5Proxy: - proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1080); + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, socksAddr, 1080); break; case Socks5Proxy | AuthBasic: - proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1081); + proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, socksAddr, 1081); break; case HttpProxy | NoAuth: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3128); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, squidAddr, 3128); break; case HttpProxy | AuthBasic: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3129); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, squidAddr, 3129); break; case HttpProxy | AuthNtlm: - proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3130); + proxy = QNetworkProxy(QNetworkProxy::HttpProxy, squidAddr, 3130); break; } QNetworkProxy::setApplicationProxy(proxy); diff --git a/tests/auto/network/ssl/ssl.pro b/tests/auto/network/ssl/ssl.pro index e89443ef4e..169e9bce83 100644 --- a/tests/auto/network/ssl/ssl.pro +++ b/tests/auto/network/ssl/ssl.pro @@ -21,6 +21,8 @@ qtConfig(ssl) { qdtlscookie \ qdtls } + + qtConfig(ocsp): SUBDIRS += qocsp } } |