authorPeter Hartmann <phartmann@rim.com>2013-01-14 13:43:52 (GMT)
committerThe Qt Project <gerrit-noreply@qt-project.org>2013-03-04 08:54:44 (GMT)
commit7d3bae1292ee3adfc4bcba4827d2a456c703627e (patch)
tree7d06479b936b1aba209c5f8623f5eff07657762a /src/network
parente80d7bb8bb7fcecab8f98a614e34d4e3929d5ec4 (diff)
QSslConfiguration: toggle on demand loading of root certs properly
Make sure we keep track of when we can load root certs and when we cannot (we cannot when the developer set the certs explicitly). This is implemented the same way for QSslSocket already, and needs to be duplicated because we have 2 methods for setting CA certificates: one in QSslSocket and one in QSslConfiguration.

In addition, adapt the auto test which checks whether setting a default QSslConfiguration works: There is no way to set on demand loading through the API, so it should be enabled by default.

Task-number: QTBUG-29103
(backport of commit ce35c0db0d9dd849c736eabaeb57d597186aaa13)
Change-Id: Idf15c21092c7727e1080b1c261ce055f30dbcf63
Reviewed-by: Richard J. Moore <rich@kde.org>
Diffstat (limited to 'src/network')
-rw-r--r--src/network/ssl/qsslconfiguration.cpp3
-rw-r--r--src/network/ssl/qsslconfiguration_p.h2
-rw-r--r--src/network/ssl/qsslsocket.cpp15
-rw-r--r--src/network/ssl/qsslsocket_p.h2
4 files changed, 21 insertions, 1 deletions
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 9eb09d7..4e7bc4d 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -168,6 +168,7 @@ bool QSslConfiguration::operator==(const QSslConfiguration &other) const
d->protocol == other.d->protocol &&
d->peerVerifyMode == other.d->peerVerifyMode &&
d->peerVerifyDepth == other.d->peerVerifyDepth &&
+ d->allowRootCertOnDemandLoading == other.d->allowRootCertOnDemandLoading &&
d->sslOptions == other.d->sslOptions;
}
@@ -195,6 +196,7 @@ bool QSslConfiguration::isNull() const
return (d->protocol == QSsl::SecureProtocols &&
d->peerVerifyMode == QSslSocket::AutoVerifyPeer &&
d->peerVerifyDepth == 0 &&
+ d->allowRootCertOnDemandLoading == true &&
d->caCertificates.count() == 0 &&
d->ciphers.count() == 0 &&
d->localCertificate.isNull() &&
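Review bot: The added term `d->allowRootCertOnDemandLoading == true &&` makes isNull() return false as soon as setCaCertificates() has been called, even with an empty list, because that setter clears the flag in this same commit. That looks intended but is easy to miss; a comment such as `// false once the CA list was set explicitly, even to an empty list` would record it, and the `== true` is redundant for a bool. The operator== hunk above adds the same flag, so two configurations with identical CA lists can now compare unequal. The isNull() expression continues past the end of this hunk.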
@@ -508,6 +510,7 @@ QList<QSslCertificate> QSslConfiguration::caCertificates() const
void QSslConfiguration::setCaCertificates(const QList<QSslCertificate> &certificates)
{
d->caCertificates = certificates;
+ d->allowRootCertOnDemandLoading = false;
}
/*!
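Review bot: The assignment `d->allowRootCertOnDemandLoading = false;` in setCaCertificates() is one-way, since nothing visible in this diff ever sets the flag back to true on an existing configuration. That is the conservative direction for trust, because the explicit list stays the only set of anchors, but callers need to be told. The function's documentation block sits above the hunk and is not shown; it should state that calling this disables on-demand loading of system root certificates for sockets that take this configuration. In the body, a comment like `// explicit CA list: system roots must not be loaded on demand` would explain the line.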
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 3449ceb..dff6ba0 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -83,6 +83,7 @@ public:
: protocol(QSsl::SecureProtocols),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
peerVerifyDepth(0),
+ allowRootCertOnDemandLoading(true),
sslOptions(QSsl::SslOptionDisableEmptyFragments
|QSsl::SslOptionDisableLegacyRenegotiation
|QSsl::SslOptionDisableCompression)
@@ -100,6 +101,7 @@ public:
QSsl::SslProtocol protocol;
QSslSocket::PeerVerifyMode peerVerifyMode;
int peerVerifyDepth;
+ bool allowRootCertOnDemandLoading;
QSsl::SslOptions sslOptions;
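Review bot: The new member `bool allowRootCertOnDemandLoading;` is declared without a comment, although it encodes a trust decision rather than a plain option. I would add `// false once caCertificates was set explicitly; system roots are then not loaded on demand` next to it. QSslSocketPrivate appears to hold a flag of the same name (it is assigned in the qsslsocket.cpp hunk of this commit), so the comment should also say how the two relate.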
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 230e50f..6ec8f6e 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -897,7 +897,12 @@ void QSslSocket::setSslConfiguration(const QSslConfiguration &configuration)
d->configuration.peerVerifyMode = configuration.peerVerifyMode();
d->configuration.protocol = configuration.protocol();
d->configuration.sslOptions = configuration.d->sslOptions;
- d->allowRootCertOnDemandLoading = false;
+
+ // if the CA certificates were set explicitly (either via
+ // QSslConfiguration::setCaCertificates() or QSslSocket::setCaCertificates(),
+ // we cannot load the certificates on demand
+ if (!configuration.d->allowRootCertOnDemandLoading)
+ d->allowRootCertOnDemandLoading = false;
}
/*!
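Review bot: The new `if` reads only `configuration.d->allowRootCertOnDemandLoading`, which in this diff is cleared solely by QSslConfiguration::setCaCertificates(); the comment also names QSslSocket::setCaCertificates(), yet that function and QSslSocket::sslConfiguration() are not touched by the commit. If sslConfiguration() hands out a copy whose flag is still true after the socket's CA list was set explicitly (not visible here, to be confirmed), applying that copy to another socket would carry over the explicit CA list while leaving on-demand loading of system roots enabled, which widens the trust anchors the caller meant to restrict. I would keep the stored copy in step with the socket, for example `d->configuration.allowRootCertOnDemandLoading = d->allowRootCertOnDemandLoading;` after the `if`, assuming `d->configuration` is the private configuration type extended in this commit. The comment's opening parenthesis is never closed. setSslConfiguration() begins above the hunk.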
@@ -2301,6 +2306,14 @@ QByteArray QSslSocketPrivate::peek(qint64 maxSize)
/*!
\internal
*/
+bool QSslSocketPrivate::rootCertOnDemandLoadingSupported()
+{
+ return s_loadRootCertsOnDemand;
+}
+
+/*!
+ \internal
+*/
QList<QByteArray> QSslSocketPrivate::unixRootCertDirectories()
{
return QList<QByteArray>() << "/etc/ssl/certs/" // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ...
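Review bot: rootCertOnDemandLoadingSupported() returns `s_loadRootCertsOnDemand` without first making sure the SSL backend has been initialised, so a caller that runs before any socket exists may read the static's initial value rather than the platform's real answer; where the static is assigned is not visible in this diff. Either run the initialisation first (the header hunk shows a private static `ensureCiphersAndCertsLoaded()`) or state the precondition in the doc block, which currently holds only `\internal`. A line such as `Returns true if root certificates can be loaded on demand on this platform; only meaningful after the SSL library has been initialised.` would do.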
diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h
index f19409b..5044c72 100644
--- a/src/network/ssl/qsslsocket_p.h
+++ b/src/network/ssl/qsslsocket_p.h
@@ -174,6 +174,8 @@ public:
virtual void disconnected() = 0;
virtual QSslCipher sessionCipher() const = 0;
+ Q_AUTOTEST_EXPORT static bool rootCertOnDemandLoadingSupported();
+
private:
static bool ensureLibraryLoaded();
static void ensureCiphersAndCertsLoaded();