Add input check for QSslSocket::setPrivateKey

[ChangeLog][QtNetwork][QSslSocket] Added runtime validation of the SSL
private key when it is loaded through a file path.

Task-number: QTBUG-72016
Change-Id: Ie92c3a2fbf3ba896c4c838e03d677426be56a5db
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Samuel Gaist <samuel.gaist@idiap.ch>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>

1 files changed, 13 insertions, 4 deletions

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index cf8a472606..fa012866e6 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1209,12 +1209,21 @@ void QSslSocket::setPrivateKey(const QSslKey &key)
 void QSslSocket::setPrivateKey(const QString &fileName, QSsl::KeyAlgorithm algorithm,
                                QSsl::EncodingFormat format, const QByteArray &passPhrase)
 {
-    Q_D(QSslSocket);
     QFile file(fileName);
-    if (file.open(QIODevice::ReadOnly)) {
-        d->configuration.privateKey = QSslKey(file.readAll(), algorithm,
-                                              format, QSsl::PrivateKey, passPhrase);
+    if (!file.open(QIODevice::ReadOnly)) {
+        qCWarning(lcSsl, "QSslSocket::setPrivateKey: Couldn't open file for reading");
+        return;
+    }
+
+    QSslKey key(file.readAll(), algorithm, format, QSsl::PrivateKey, passPhrase);
+    if (key.isNull()) {
+        qCWarning(lcSsl, "QSslSocket::setPrivateKey: "
+                         "The specified file does not contain a valid key");
+        return;
     }
+
+    Q_D(QSslSocket);
+    d->configuration.privateKey = key;
 }
 
 /*!