diff options
author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2018-12-03 15:40:53 +0100 |
---|---|---|
committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2018-12-21 03:28:47 +0000 |
commit | 3e1758e35d14e6ee16e30ae2f6f6bd92d29d57f0 (patch) | |
tree | 8bd5e17931e4088bbd7eaecb2a6785fbb98d4190 /src/network/ssl | |
parent | 50d53533e5ab1923865a9f80cb8b093ab477ae81 (diff) |
QSsl: do not wait for 'connected'/'encrypted' if a protocol is disabled
since we'll refuse to continue with a handshake, failing in initSslContext()
on a disabled protocol versions. Then, functions like waitForEncrypted,
connectToHostEncrypted, startServerEncryption and startClientEncryption
should either bail out early (who needs a TCP connection which we'll
abort anyway?) or bail out whenever we can, as soon as a disabled protocol
was found in a configuration. This change also makes the behavior
of different back-ends consistent, since it's a general code-path
that reports the same SslInvalidUserData error. Update auto-test to
... actually test what it claims it tests.
Task-number: QTBUG-72196
Task-number: QTBUG-72179
Change-Id: I548468993410f10c07ce5773b78f38132be8e3e0
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/network/ssl')
-rw-r--r-- | src/network/ssl/qsslsocket.cpp | 26 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_p.h | 1 |
2 files changed, 27 insertions, 0 deletions
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp index 068dfb9f2d..a6c86837ea 100644 --- a/src/network/ssl/qsslsocket.cpp +++ b/src/network/ssl/qsslsocket.cpp @@ -460,6 +460,9 @@ void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, O return; } + if (!d->verifyProtocolSupported("QSslSocket::connectToHostEncrypted:")) + return; + d->init(); d->autoStartHandshake = true; d->initialized = true; @@ -1607,6 +1610,8 @@ bool QSslSocket::waitForEncrypted(int msecs) return false; if (d->mode == UnencryptedMode && !d->autoStartHandshake) return false; + if (!d->verifyProtocolSupported("QSslSocket::waitForEncrypted:")) + return false; QElapsedTimer stopWatch; stopWatch.start(); @@ -1856,6 +1861,10 @@ void QSslSocket::startClientEncryption() d->setErrorAndEmit(QAbstractSocket::SslInternalError, tr("TLS initialization failed")); return; } + + if (!d->verifyProtocolSupported("QSslSocket::startClientEncryption:")) + return; + #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "QSslSocket::startClientEncryption()"; #endif @@ -1899,6 +1908,9 @@ void QSslSocket::startServerEncryption() d->setErrorAndEmit(QAbstractSocket::SslInternalError, tr("TLS initialization failed")); return; } + if (!d->verifyProtocolSupported("QSslSocket::startServerEncryption")) + return; + d->mode = SslServerMode; emit modeChanged(d->mode); d->startServerEncryption(); @@ -2133,6 +2145,20 @@ void QSslSocketPrivate::init() /*! \internal */ +bool QSslSocketPrivate::verifyProtocolSupported(const char *where) +{ + if (configuration.protocol == QSsl::SslV2 || configuration.protocol == QSsl::SslV3) { + qCWarning(lcSsl) << where << "Attempted to use an unsupported protocol."; + setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError, + QSslSocket::tr("Attempted to use an unsupported protocol.")); + return false; + } + return true; +} + +/*! + \internal +*/ QList<QSslCipher> QSslSocketPrivate::defaultCiphers() { QSslSocketPrivate::ensureInitialized(); diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h index 2f394f013b..5115613695 100644 --- a/src/network/ssl/qsslsocket_p.h +++ b/src/network/ssl/qsslsocket_p.h @@ -97,6 +97,7 @@ public: virtual ~QSslSocketPrivate(); void init(); + bool verifyProtocolSupported(const char *where); bool initialized; QSslSocket::SslMode mode; |