117 lines
5.5 KiB
Diff
117 lines
5.5 KiB
Diff
From 99a9f2eccb5de9843dc956dd380dcf7515cbce27 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
|
|
Date: Thu, 25 May 2023 14:40:29 +0200
|
|
Subject: [PATCH] Ssl: Copy the on-demand cert loading bool from default config
|
|
|
|
Otherwise individual sockets will still load system certificates when
|
|
a chain doesn't match against the configured CA certificates.
|
|
That's not intended behavior, since specifically setting the CA
|
|
certificates means you don't want the system certificates to be used.
|
|
|
|
Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a
|
|
|
|
This is potentially a breaking change because now, if you ever add a
|
|
CA to the default config, it will disable loading system certificates
|
|
on demand for all sockets. And the only way to re-enable it is to
|
|
create a null-QSslConfiguration and set it as the new default.
|
|
|
|
Pick-to: 6.5 6.2 5.15
|
|
Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
|
|
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
|
|
|
Fixes: https://security-tracker.debian.org/tracker/CVE-2023-34410
|
|
Upstream: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=57ba6260c0801055b7188fdaa1818b940590f5f1
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
|
---
|
|
src/network/ssl/qsslsocket.cpp | 5 ++++
|
|
.../tst_manual_ssl_client_auth.cpp | 24 ++++++++++++++++---
|
|
2 files changed, 26 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
|
|
index 4eefe439293..0563fd06634 100644
|
|
--- a/src/network/ssl/qsslsocket.cpp
|
|
+++ b/src/network/ssl/qsslsocket.cpp
|
|
@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
|
|
, flushTriggered(false)
|
|
{
|
|
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
|
|
+ // If the global configuration doesn't allow root certificates to be loaded
|
|
+ // on demand then we have to disable it for this socket as well.
|
|
+ if (!configuration.allowRootCertOnDemandLoading)
|
|
+ allowRootCertOnDemandLoading = false;
|
|
|
|
const auto *tlsBackend = tlsBackendInUse();
|
|
if (!tlsBackend) {
|
|
@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
|
|
ptr->sessionProtocol = global->sessionProtocol;
|
|
ptr->ciphers = global->ciphers;
|
|
ptr->caCertificates = global->caCertificates;
|
|
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
|
|
ptr->protocol = global->protocol;
|
|
ptr->peerVerifyMode = global->peerVerifyMode;
|
|
ptr->peerVerifyDepth = global->peerVerifyDepth;
|
|
diff --git a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
|
|
index 2307cbb1911..4d4aaca7e34 100644
|
|
--- a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
|
|
+++ b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
|
|
@@ -16,6 +16,9 @@
|
|
// but the other side presents a certificate signed by a different CA.
|
|
constexpr bool TestServerPresentsIncorrectCa = false;
|
|
constexpr bool TestClientPresentsIncorrectCa = true;
|
|
+// Decides whether or not to put the root CA into the global ssl configuration
|
|
+// or into the socket's specific ssl configuration.
|
|
+constexpr bool UseGlobalConfiguration = true;
|
|
|
|
class ServerThread : public QThread
|
|
{
|
|
@@ -26,8 +29,10 @@ public:
|
|
QSslServer server;
|
|
|
|
QSslConfiguration config = server.sslConfiguration();
|
|
- QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem"));
|
|
- config.setCaCertificates(certs);
|
|
+ if (!UseGlobalConfiguration) {
|
|
+ QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem"));
|
|
+ config.setCaCertificates(certs);
|
|
+ }
|
|
config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem"))
|
|
.first());
|
|
QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem"));
|
|
@@ -73,6 +78,12 @@ int main(int argc, char **argv)
|
|
if (!QFileInfo(u":/rootCA.pem"_s).exists())
|
|
qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?");
|
|
|
|
+ if (UseGlobalConfiguration) {
|
|
+ QSslConfiguration config = QSslConfiguration::defaultConfiguration();
|
|
+ config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
|
|
+ QSslConfiguration::setDefaultConfiguration(config);
|
|
+ }
|
|
+
|
|
ServerThread serverThread;
|
|
serverThread.start();
|
|
|
|
@@ -88,12 +99,19 @@ int main(int argc, char **argv)
|
|
keyFileName = u":/accepted-client-key.pem"_s;
|
|
}
|
|
config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first());
|
|
- if (TestServerPresentsIncorrectCa) // true: Verify server using incorrect CA: should fail
|
|
+ if (!UseGlobalConfiguration && TestServerPresentsIncorrectCa) {
|
|
+ // Verify server using incorrect CA: should fail
|
|
config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
|
|
+ } else if (UseGlobalConfiguration && !TestServerPresentsIncorrectCa) {
|
|
+ // Verify server using correct CA, we need to explicitly set the
|
|
+ // system CAs when the global config is overridden.
|
|
+ config.setCaCertificates(QSslConfiguration::systemCaCertificates());
|
|
+ }
|
|
QFile keyFile(keyFileName);
|
|
if (!keyFile.open(QIODevice::ReadOnly))
|
|
qFatal("Failed to open key file");
|
|
config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa));
|
|
+
|
|
socket.setSslConfiguration(config);
|
|
|
|
QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; });
|
|
--
|
|
2.46.0
|
|
|