QSslSocket (OpenSSL, Windows) - make sure we ignore stale fetch results

The CA fetcher on Windows works on a separate thread, it can take
quite some time to finish its job and if a connection was meanwhile
closed (via 'abort', 'close' or 'disconnectFromHost') but the socket
is still alive/re-used - we don't want to be fooled by the previous
fetch 'finished' signal, only if it's fetching for the same certificate.

Change-Id: Ibd0a70000ad10cff10207d37d7b47c38e615d0f1
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>

1 files changed, 13 insertions, 0 deletions

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index e294a45157..66bcb79c4c 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -898,6 +898,10 @@ void QSslSocket::close()
     qCDebug(lcSsl) << "QSslSocket::close()";
 #endif
     Q_D(QSslSocket);
+
+    // We don't want any CA roots fetched anymore.
+    d->caToFetch = QSslCertificate{};
+
     if (encryptedBytesToWrite() || !d->writeBuffer.isEmpty())
         flush();
     if (d->plainSocket)
@@ -947,6 +951,11 @@ void QSslSocket::abort()
 #ifdef QSSLSOCKET_DEBUG
     qCDebug(lcSsl) << "QSslSocket::abort()";
 #endif
+    // On Windows, CertGetCertificateChain is probably still doing its
+    // job, if the socket is re-used, we want to ignore its reported
+    // root CA.
+    d->caToFetch = QSslCertificate{};
+
     if (d->plainSocket)
         d->plainSocket->abort();
     close();
@@ -1768,6 +1777,9 @@ void QSslSocket::disconnectFromHost()
         d->pendingClose = true;
         return;
     }
+    // Make sure we don't process any signal from the CA fetcher
+    // (Windows):
+    d->caToFetch = QSslCertificate{};
 
     // Perhaps emit closing()
     if (d->state != ClosingState) {
@@ -1884,6 +1896,7 @@ void QSslSocketPrivate::init()
     configuration.peerCertificate.clear();
     configuration.peerCertificateChain.clear();
     fetchAuthorityInformation = false;
+    caToFetch = QSslCertificate{};
 }
 
 /*!