QSsl: do not wait for 'connected'/'encrypted' if a protocol is disabled

since we'll refuse to continue with a handshake, failing in initSslContext()
on a disabled protocol versions. Then, functions like waitForEncrypted,
connectToHostEncrypted, startServerEncryption and startClientEncryption
should either bail out early (who needs a TCP connection which we'll
abort anyway?) or bail out whenever we can, as soon as a disabled protocol
was found in a configuration. This change also makes the behavior
of different back-ends consistent, since it's a general code-path
that reports the same SslInvalidUserData error. Update auto-test to
... actually test what it claims it tests.

Task-number: QTBUG-72196
Task-number: QTBUG-72179
Change-Id: I548468993410f10c07ce5773b78f38132be8e3e0
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>

2 files changed, 27 insertions, 0 deletions

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 068dfb9f2d..a6c86837ea 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -460,6 +460,9 @@ void QSslSocket::connectToHostEncrypted(const QString &hostName, quint16 port, O
         return;
     }
 
+    if (!d->verifyProtocolSupported("QSslSocket::connectToHostEncrypted:"))
+        return;
+
     d->init();
     d->autoStartHandshake = true;
     d->initialized = true;
@@ -1607,6 +1610,8 @@ bool QSslSocket::waitForEncrypted(int msecs)
         return false;
     if (d->mode == UnencryptedMode && !d->autoStartHandshake)
         return false;
+    if (!d->verifyProtocolSupported("QSslSocket::waitForEncrypted:"))
+        return false;
 
     QElapsedTimer stopWatch;
     stopWatch.start();
@@ -1856,6 +1861,10 @@ void QSslSocket::startClientEncryption()
         d->setErrorAndEmit(QAbstractSocket::SslInternalError, tr("TLS initialization failed"));
         return;
     }
+
+    if (!d->verifyProtocolSupported("QSslSocket::startClientEncryption:"))
+        return;
+
 #ifdef QSSLSOCKET_DEBUG
     qCDebug(lcSsl) << "QSslSocket::startClientEncryption()";
 #endif
@@ -1899,6 +1908,9 @@ void QSslSocket::startServerEncryption()
         d->setErrorAndEmit(QAbstractSocket::SslInternalError, tr("TLS initialization failed"));
         return;
     }
+    if (!d->verifyProtocolSupported("QSslSocket::startServerEncryption"))
+        return;
+
     d->mode = SslServerMode;
     emit modeChanged(d->mode);
     d->startServerEncryption();
@@ -2133,6 +2145,20 @@ void QSslSocketPrivate::init()
 /*!
     \internal
 */
+bool QSslSocketPrivate::verifyProtocolSupported(const char *where)
+{
+    if (configuration.protocol == QSsl::SslV2 || configuration.protocol == QSsl::SslV3) {
+        qCWarning(lcSsl) << where << "Attempted to use an unsupported protocol.";
+        setErrorAndEmit(QAbstractSocket::SslInvalidUserDataError,
+                        QSslSocket::tr("Attempted to use an unsupported protocol."));
+        return false;
+    }
+    return true;
+}
+
+/*!
+    \internal
+*/
 QList<QSslCipher> QSslSocketPrivate::defaultCiphers()
 {
     QSslSocketPrivate::ensureInitialized();
diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h
index 2f394f013b..5115613695 100644
--- a/src/network/ssl/qsslsocket_p.h
+++ b/src/network/ssl/qsslsocket_p.h
@@ -97,6 +97,7 @@ public:
     virtual ~QSslSocketPrivate();
 
     void init();
+    bool verifyProtocolSupported(const char *where);
     bool initialized;
 
     QSslSocket::SslMode mode;