From a8412dc020e82b45b54b0b6637b8b88b255c413a Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov
Date: Thu, 25 Oct 2018 10:44:16 +0200
Subject: Enable OCSP stapling in QSslSocket
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch enables OCSP stapling in QSslSocket::SslClientMode (OpenSSL back-end only). OCSP stapling is described by RFC6066 and based on the original OCSP as defined by RFC2560. At the moment multiple certificate status protocol is not supported (not implemented in OpenSSL). SecureTransport does not support OCSP stapling at the moment.
[ChangeLog][QtNetwork][TLS] Added OCSP-stapling support for OpenSSL backend
Task-number: QTBUG-12812
Task-number: QTBUG-17158
Change-Id: Id2e0f4cc861311d1ece462864e5e30c76184af8c
Reviewed-by: Edward Welbourne
Reviewed-by: MÃ¥rten Nordheim
---
 src/network/configure.json | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
(limited to 'src/network/configure.json')
diff --git a/src/network/configure.json b/src/network/configure.json
index 327131ba11..368209cd3f 100644
--- a/src/network/configure.json
+++ b/src/network/configure.json
@@ -15,6 +15,7 @@
 "openssl-linked": { "type": "void", "name": "openssl", "value": "linked" },
 "openssl-runtime": { "type": "void", "name": "openssl", "value": "runtime" },
 "dtls": "boolean",
+ "ocsp": "boolean",
 "sctp": "boolean",
 "securetransport": "boolean",
 "ssl": "boolean",
@@ -163,6 +164,23 @@
 ]
 },
 "use": "openssl"
+ },
+ "ocsp": {
+ "label": "OCSP stapling support in OpenSSL",
+ "type": "compile",
+ "test": {
+ "include": ["openssl/ssl.h", "openssl/ocsp.h"],
+ "tail": [
+ "#if defined(OPENSSL_NO_OCSP) || defined(OPENSSL_NO_TLSEXT)",
+ "# error OpenSSL without OCSP stapling",
+ "#endif"
+ ],
+ "main": [
+ "(void)SSL_get_tlsext_status_ocsp_resp(nullptr, nullptr);",
+ "(void)d2i_OCSP_RESPONSE(nullptr, nullptr, 0);"
+ ]
+ },
+ "use": "openssl"
 }
 },
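Review bot: The `ocsp` test added in the `@@ -163,6 +164,23 @@` hunk is a build-time check, so it only establishes that the OpenSSL headers found by configure were generated without `OPENSSL_NO_OCSP` or `OPENSSL_NO_TLSEXT`. The same file offers `openssl-runtime`, and in that mode the library loaded on the target can presumably differ from those headers, which this test cannot detect. A client that is configured as stapling-capable but cannot actually process a stapled response is a security-relevant mismatch, so I would make the scope visible in the configure summary, e.g. `"label": "OCSP stapling support in OpenSSL headers",`. It would also be worth confirming, outside this file, that the runtime symbol resolution reports stapling as unavailable instead of silently skipping the status check.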
@@ -237,6 +255,13 @@
 "condition": "features.openssl && tests.dtls",
 "output": [ "publicFeature" ]
 },
+ "ocsp": {
+ "label": "OCSP-stapling",
+ "purpose": "Provides OCSP stapling support",
+ "section": "Networking",
+ "condition": "features.opensslv11 && tests.ocsp",
+ "output": [ "publicFeature" ]
+ },
 "opensslv11": {
 "label": "OpenSSL 1.1",
 "condition": "features.openssl && tests.openssl11",
@@ -370,6 +395,7 @@ For example:
 "openssl-linked",
 "opensslv11",
 "dtls",
+ "ocsp",
 "sctp",
 "system-proxies"
 ]
--
cgit v1.2.3
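Review bot: The `purpose` string of the new `ocsp` feature in the `@@ -237,6 +255,13 @@` hunk is broader than what the commit message says is implemented, which is stapling for `QSslSocket::SslClientMode` with the OpenSSL back-end only. Because the feature is exported as a `publicFeature` that downstream code can test for, I would state that scope, e.g. `"purpose": "Provides OCSP stapling support for TLS clients (OpenSSL 1.1 back-end only).",`. The OpenSSL 1.1 requirement is taken from the `condition` line in the same hunk. This is a documentation change only; the condition itself looks consistent with the new `tests.ocsp` entry.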