SSL backend: loat root certificates on demand on Unix (excluding Mac)

Previously, on initializing the first QSslSocket, we read all root
certificates into memory (~ 150 files).
Now, we tell OpenSSL where to find the root certificates, so that they
can be loaded on demand (if supported, see 'man c_rehash' for details).

Reviewed-by: Markus Goetz
Task-number: QTBUG-14016

2 files changed, 262 insertions, 0 deletions

diff --git a/tests/auto/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro b/tests/auto/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro
new file mode 100644
index 0000000..13990cb
--- /dev/null
+++ b/tests/auto/qsslsocket_onDemandCertificates_static/qsslsocket_onDemandCertificates_static.pro
@@ -0,0 +1,36 @@
+load(qttest_p4)
+
+SOURCES += tst_qsslsocket_onDemandCertificates_static.cpp
+!wince*:win32:LIBS += -lws2_32
+QT += network
+QT -= gui
+
+TARGET = tst_qsslsocket_onDemandCertificates_static
+
+win32 {
+  CONFIG(debug, debug|release) {
+    DESTDIR = debug
+} else {
+    DESTDIR = release
+  }
+}
+
+wince* {
+    DEFINES += SRCDIR=\\\"./\\\"
+
+    certFiles.files = certs ssl.tar.gz
+    certFiles.path    = .
+    DEPLOYMENT += certFiles
+} else:symbian {
+    TARGET.EPOCHEAPSIZE="0x100 0x1000000"
+    TARGET.CAPABILITY=NetworkServices
+
+    certFiles.files = certs ssl.tar.gz
+    certFiles.path    = .
+    DEPLOYMENT += certFiles
+    INCLUDEPATH *= $$MW_LAYER_SYSTEMINCLUDE  # Needed for e32svr.h in S^3 envs
+} else {
+    DEFINES += SRCDIR=\\\"$$PWD/\\\"
+}
+
+requires(contains(QT_CONFIG,private_tests))
diff --git a/tests/auto/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp b/tests/auto/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp
new file mode 100644
index 0000000..8259977
--- /dev/null
+++ b/tests/auto/qsslsocket_onDemandCertificates_static/tst_qsslsocket_onDemandCertificates_static.cpp
@@ -0,0 +1,226 @@
+/****************************************************************************
+**
+** Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
+** All rights reserved.
+** Contact: Nokia Corporation (qt-info@nokia.com)
+**
+** This file is part of the test suite of the Qt Toolkit.
+**
+** $QT_BEGIN_LICENSE:LGPL$
+** No Commercial Usage
+** This file contains pre-release code and may not be distributed.
+** You may use this file in accordance with the terms and conditions
+** contained in the Technology Preview License Agreement accompanying
+** this package.
+**
+** GNU Lesser General Public License Usage
+** Alternatively, this file may be used under the terms of the GNU Lesser
+** General Public License version 2.1 as published by the Free Software
+** Foundation and appearing in the file LICENSE.LGPL included in the
+** packaging of this file.  Please review the following information to
+** ensure the GNU Lesser General Public License version 2.1 requirements
+** will be met: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html.
+**
+** In addition, as a special exception, Nokia gives you certain additional
+** rights.  These rights are described in the Nokia Qt LGPL Exception
+** version 1.1, included in the file LGPL_EXCEPTION.txt in this package.
+**
+** If you have questions regarding the use of this file, please contact
+** Nokia at qt-info@nokia.com.
+**
+**
+**
+**
+**
+**
+**
+**
+** $QT_END_LICENSE$
+**
+****************************************************************************/
+
+
+#include <QtNetwork>
+#include <QtTest/QtTest>
+
+#include <QNetworkProxy>
+#include <QAuthenticator>
+
+#include "private/qhostinfo_p.h"
+
+#include "../network-settings.h"
+
+#ifdef Q_OS_SYMBIAN
+#define SRCDIR ""
+#endif
+
+#ifndef QT_NO_OPENSSL
+class QSslSocketPtr: public QSharedPointer<QSslSocket>
+{
+public:
+    inline QSslSocketPtr(QSslSocket *ptr = 0)
+        : QSharedPointer<QSslSocket>(ptr)
+    { }
+
+    inline operator QSslSocket *() const { return data(); }
+};
+#endif
+
+class tst_QSslSocket_onDemandCertificates_static : public QObject
+{
+    Q_OBJECT
+
+    int proxyAuthCalled;
+
+public:
+    tst_QSslSocket_onDemandCertificates_static();
+    virtual ~tst_QSslSocket_onDemandCertificates_static();
+
+#ifndef QT_NO_OPENSSL
+    QSslSocketPtr newSocket();
+#endif
+
+public slots:
+    void initTestCase_data();
+    void init();
+    void cleanup();
+    void proxyAuthenticationRequired(const QNetworkProxy &, QAuthenticator *auth);
+
+#ifndef QT_NO_OPENSSL
+private slots:
+    void onDemandRootCertLoadingStaticMethods();
+
+private:
+    QSslSocket *socket;
+#endif // QT_NO_OPENSSL
+};
+
+tst_QSslSocket_onDemandCertificates_static::tst_QSslSocket_onDemandCertificates_static()
+{
+    Q_SET_DEFAULT_IAP
+}
+
+tst_QSslSocket_onDemandCertificates_static::~tst_QSslSocket_onDemandCertificates_static()
+{
+}
+
+enum ProxyTests {
+    NoProxy = 0x00,
+    Socks5Proxy = 0x01,
+    HttpProxy = 0x02,
+    TypeMask = 0x0f,
+
+    NoAuth = 0x00,
+    AuthBasic = 0x10,
+    AuthNtlm = 0x20,
+    AuthMask = 0xf0
+};
+
+void tst_QSslSocket_onDemandCertificates_static::initTestCase_data()
+{
+    QTest::addColumn<bool>("setProxy");
+    QTest::addColumn<int>("proxyType");
+
+    QTest::newRow("WithoutProxy") << false << 0;
+    QTest::newRow("WithSocks5Proxy") << true << int(Socks5Proxy);
+    QTest::newRow("WithSocks5ProxyAuth") << true << int(Socks5Proxy | AuthBasic);
+
+    QTest::newRow("WithHttpProxy") << true << int(HttpProxy);
+    QTest::newRow("WithHttpProxyBasicAuth") << true << int(HttpProxy | AuthBasic);
+    // uncomment the line below when NTLM works
+//    QTest::newRow("WithHttpProxyNtlmAuth") << true << int(HttpProxy | AuthNtlm);
+}
+
+void tst_QSslSocket_onDemandCertificates_static::init()
+{
+    QFETCH_GLOBAL(bool, setProxy);
+    if (setProxy) {
+        QFETCH_GLOBAL(int, proxyType);
+        QString testServer = QHostInfo::fromName(QtNetworkSettings::serverName()).addresses().first().toString();
+        QNetworkProxy proxy;
+
+        switch (proxyType) {
+        case Socks5Proxy:
+            proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1080);
+            break;
+
+        case Socks5Proxy | AuthBasic:
+            proxy = QNetworkProxy(QNetworkProxy::Socks5Proxy, testServer, 1081);
+            break;
+
+        case HttpProxy | NoAuth:
+            proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3128);
+            break;
+
+        case HttpProxy | AuthBasic:
+            proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3129);
+            break;
+
+        case HttpProxy | AuthNtlm:
+            proxy = QNetworkProxy(QNetworkProxy::HttpProxy, testServer, 3130);
+            break;
+        }
+        QNetworkProxy::setApplicationProxy(proxy);
+    }
+
+    qt_qhostinfo_clear_cache();
+}
+
+void tst_QSslSocket_onDemandCertificates_static::cleanup()
+{
+    QNetworkProxy::setApplicationProxy(QNetworkProxy::DefaultProxy);
+}
+
+#ifndef QT_NO_OPENSSL
+QSslSocketPtr tst_QSslSocket_onDemandCertificates_static::newSocket()
+{
+    QSslSocket *socket = new QSslSocket;
+
+    proxyAuthCalled = 0;
+    connect(socket, SIGNAL(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*)),
+            SLOT(proxyAuthenticationRequired(QNetworkProxy,QAuthenticator*)),
+            Qt::DirectConnection);
+
+    return QSslSocketPtr(socket);
+}
+#endif
+
+void tst_QSslSocket_onDemandCertificates_static::proxyAuthenticationRequired(const QNetworkProxy &, QAuthenticator *auth)
+{
+    ++proxyAuthCalled;
+    auth->setUser("qsockstest");
+    auth->setPassword("password");
+}
+
+#ifndef QT_NO_OPENSSL
+
+void tst_QSslSocket_onDemandCertificates_static::onDemandRootCertLoadingStaticMethods()
+{
+    QString host("qt.nokia.com");
+
+    // not using any root certs -> should not work
+    QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>());
+    QSslSocketPtr socket = newSocket();
+    this->socket = socket;
+    socket->connectToHostEncrypted(host, 443);
+    QVERIFY(!socket->waitForEncrypted());
+
+    // using system root certs -> should work
+    QSslSocket::setDefaultCaCertificates(QSslSocket::systemCaCertificates());
+    QSslSocketPtr socket2 = newSocket();
+    this->socket = socket2;
+    socket2->connectToHostEncrypted(host, 443);
+    QVERIFY(socket2->waitForEncrypted());
+
+    // not using any root certs again -> should not work
+    QSslSocket::setDefaultCaCertificates(QList<QSslCertificate>());
+    QSslSocketPtr socket3 = newSocket();
+    this->socket = socket3;
+    socket3->connectToHostEncrypted(host, 443);
+    QVERIFY(!socket3->waitForEncrypted());
+}
+
+#endif // QT_NO_OPENSSL
+
+QTEST_MAIN(tst_QSslSocket_onDemandCertificates_static)
+#include "tst_qsslsocket_onDemandCertificates_static.moc"