From c212128a676aa906fdef79c3e5ccecf0d942e68c Mon Sep 17 00:00:00 2001
From: Konstantin Shegunov <kshegunov@gmail.com>
Date: Tue, 19 Feb 2019 23:53:58 +0200
Subject: Add input check for QSslSocket::setPrivateKey
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[ChangeLog][QtNetwork][QSslSocket] Added runtime validation of the SSL
private key when it is loaded through a file path.

Task-number: QTBUG-72016
Change-Id: Ie92c3a2fbf3ba896c4c838e03d677426be56a5db
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Samuel Gaist <samuel.gaist@idiap.ch>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
---
 src/network/ssl/qsslsocket.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

(limited to 'src/network/ssl')

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index cf8a472606..fa012866e6 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1209,12 +1209,21 @@ void QSslSocket::setPrivateKey(const QSslKey &key)
 void QSslSocket::setPrivateKey(const QString &fileName, QSsl::KeyAlgorithm algorithm,
                                QSsl::EncodingFormat format, const QByteArray &passPhrase)
 {
-    Q_D(QSslSocket);
     QFile file(fileName);
-    if (file.open(QIODevice::ReadOnly)) {
-        d->configuration.privateKey = QSslKey(file.readAll(), algorithm,
-                                              format, QSsl::PrivateKey, passPhrase);
+    if (!file.open(QIODevice::ReadOnly)) {
+        qCWarning(lcSsl, "QSslSocket::setPrivateKey: Couldn't open file for reading");
+        return;
+    }
+
+    QSslKey key(file.readAll(), algorithm, format, QSsl::PrivateKey, passPhrase);
+    if (key.isNull()) {
+        qCWarning(lcSsl, "QSslSocket::setPrivateKey: "
+                         "The specified file does not contain a valid key");
+        return;
     }
+
+    Q_D(QSslSocket);
+    d->configuration.privateKey = key;
 }
 
 /*!
-- 
cgit v1.2.3