authorPeter Hartmann <peter.hartmann@nokia.com>2011-03-28 13:06:25 (GMT)
committerPeter Hartmann <peter.hartmann@nokia.com>2011-04-07 13:19:00 (GMT)
commit4d67ecf8a40ad0669c269091a6e15b157b4090a6 (patch)
tree61a1f0a9e0d186ee169c27adc82c3e0bc8a14351
parent2310cbe07b8f7de64d47fe825e0f5a49359923d8 (diff)
SSL code: introduce new error value for blacklisted certificates
Improve error reporting by introducing a new enum value for the case where the peer certificate is blacklisted. Reviewed-by: Markus Goetz Task-number: QTBUG-18338
-rw-r--r--src/network/ssl/qsslerror.cpp4
-rw-r--r--src/network/ssl/qsslerror.h1
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp16
-rw-r--r--tests/auto/qsslsocket/tst_qsslsocket.cpp13
4 files changed, 21 insertions, 13 deletions
diff --git a/src/network/ssl/qsslerror.cpp b/src/network/ssl/qsslerror.cpp
index 198b1f5..ae18b47 100644
--- a/src/network/ssl/qsslerror.cpp
+++ b/src/network/ssl/qsslerror.cpp
@@ -86,6 +86,7 @@
\value HostNameMismatch
\value UnspecifiedError
\value NoSslSupport
+ \value CertificateBlacklisted
\sa QSslError::errorString()
*/
@@ -281,6 +282,9 @@ QString QSslError::errorString() const
break;
case NoSslSupport:
break;
+ case CertificateBlacklisted:
+ errStr = QSslSocket::tr("The peer certificate is blacklisted");
+ break;
default:
errStr = QSslSocket::tr("Unknown error");
break;
diff --git a/src/network/ssl/qsslerror.h b/src/network/ssl/qsslerror.h
index ce4c749..c30c02a 100644
--- a/src/network/ssl/qsslerror.h
+++ b/src/network/ssl/qsslerror.h
@@ -83,6 +83,7 @@ public:
NoPeerCertificate,
HostNameMismatch,
NoSslSupport,
+ CertificateBlacklisted,
UnspecifiedError = -1
};
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 1abb295..78a78a2 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1238,16 +1238,18 @@ bool QSslSocketBackendPrivate::startHandshake()
X509 *x509 = q_SSL_get_peer_certificate(ssl);
configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
q_X509_free(x509);
- if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
- q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
- q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
- emit q->error(QAbstractSocket::SslHandshakeFailedError);
- plainSocket->disconnectFromHost();
- return false;
- }
// Start translating errors.
QList<QSslError> errors;
+
+ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
+ QSslError error(QSslError::CertificateBlacklisted, configuration.peerCertificate);
+ errors << error;
+ emit q->peerVerifyError(error);
+ if (q->state() != QAbstractSocket::ConnectedState)
+ return false;
+ }
+
bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer
|| (configuration.peerVerifyMode == QSslSocket::AutoVerifyPeer
&& mode == QSslSocket::SslClientMode);
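Review bot: The blacklist check at the added `if (QSslCertificatePrivate::isBlacklisted(...))` block now reports a QSslError, and the `return false` after `emit q->peerVerifyError(error)` fires only if a slot aborted the connection, so a blacklisted peer certificate no longer unconditionally disconnects as the removed lines did; nothing in the hunk records that this is intentional. I would add a comment above the new `if`: `// A blacklisted peer certificate is reported as a QSslError (and via peerVerifyError()) rather than aborting the handshake outright; it is handled together with the other verification errors collected below.` The error is also queued before doVerifyPeer is computed, i.e. independent of peerVerifyMode, so whether an application that never looks at sslErrors() still gets a failed handshake for a blacklisted certificate is decided by the error handling further down in startHandshake(), which continues outside this hunk and is worth checking.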
diff --git a/tests/auto/qsslsocket/tst_qsslsocket.cpp b/tests/auto/qsslsocket/tst_qsslsocket.cpp
index 9c32c2b..5b30a39 100644
--- a/tests/auto/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/qsslsocket/tst_qsslsocket.cpp
@@ -188,7 +188,7 @@ private slots:
void ignoreSslErrorsListWithSlot();
void readFromClosedSocket();
void writeBigChunk();
- void blacklist();
+ void blacklistedCertificates();
void setEmptyDefaultConfiguration();
static void exitLoop()
@@ -1983,7 +1983,7 @@ void tst_QSslSocket::writeBigChunk()
socket->close();
}
-void tst_QSslSocket::blacklist()
+void tst_QSslSocket::blacklistedCertificates()
{
QFETCH_GLOBAL(bool, setProxy);
if (setProxy)
@@ -2004,14 +2004,15 @@ void tst_QSslSocket::blacklist()
QVERIFY(sender->state() == QAbstractSocket::ConnectedState);
receiver->setObjectName("receiver");
sender->setObjectName("sender");
- receiver->ignoreSslErrors();
receiver->startClientEncryption();
- connect(receiver, SIGNAL(error(QAbstractSocket::SocketError)), SLOT(exitLoop()));
+ connect(receiver, SIGNAL(sslErrors(QList<QSslError>)), SLOT(exitLoop()));
connect(receiver, SIGNAL(encrypted()), SLOT(exitLoop()));
enterLoop(1);
- QCOMPARE(receiver->error(), QAbstractSocket::SslHandshakeFailedError);
- QCOMPARE(receiver->errorString(), QString("The peer certificate is blacklisted"));
+ QList<QSslError> sslErrors = receiver->sslErrors();
+ QVERIFY(sslErrors.count() > 0);
+ // there are more errors (self signed cert and hostname mismatch), but we only care about the blacklist error
+ QCOMPARE(sslErrors.at(0).error(), QSslError::CertificateBlacklisted);
}
void tst_QSslSocket::setEmptyDefaultConfiguration()
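Review bot: The rewritten test exits the event loop on either sslErrors() or encrypted() but only inspects the error list, so a regression in which the handshake completes despite the blacklisted certificate would still pass as long as the error was reported; add `QVERIFY(!receiver->isEncrypted());` after the `enterLoop(1);` line. `sslErrors.at(0)` also depends on the blacklist error being the first one queued in startHandshake(); the comment on the line above hints at this, but saying so explicitly, e.g. `// the blacklist error is queued first in startHandshake()`, would make the ordering assumption visible.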