summaryrefslogtreecommitdiff
path: root/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch
diff options
context:
space:
mode:
Diffstat (limited to 'dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch')
-rw-r--r--dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch113
1 files changed, 113 insertions, 0 deletions
diff --git a/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch
new file mode 100644
index 000000000000..3c9145256328
--- /dev/null
+++ b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch
@@ -0,0 +1,113 @@
+From 51a3c8d7b8140f0bf6912d14a58bcd0092b868a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Wed, 10 May 2023 16:43:41 +0200
+Subject: [PATCH 1/2] Schannel: Reject certificate not signed by a configured
+ CA certificate
+
+Not entirely clear why, but when building the certificate chain for a
+peer the system certificate store is searched for root certificates.
+General expectation is that after calling
+`sslConfiguration.setCaCertificates()` the system certificates will
+not be taken into consideration.
+
+To work around this behavior, we do a manual check that the root of the
+chain is part of the configured CA certificates.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
+Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit ada2c573c1a25f8d96577734968fe317ddfa292a)
+---
+ src/network/ssl/qsslsocket_schannel.cpp | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
+index c956ce3c2b..d1b23af29b 100644
+--- a/src/network/ssl/qsslsocket_schannel.cpp
++++ b/src/network/ssl/qsslsocket_schannel.cpp
+@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+ if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
+ verifyDepth = DWORD(configuration.peerVerifyDepth);
+
++ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++ if (!rootCertOnDemandLoadingAllowed()
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++ // When verifying a peer Windows "helpfully" builds a chain that
++ // may include roots from the system store. But we don't want that if
++ // the user has set their own CA certificates.
++ // Since Windows claims this is not a partial chain the root is included
++ // and we have to check that it is one of our configured CAs.
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++ QSslCertificate certificate = getCertificateFromChainElement(element);
++ if (!caCertificates.contains(certificate)) {
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++ sslErrors += error;
++ emit q->peerVerifyError(error);
++ if (q->state() != QAbstractSocket::ConnectedState)
++ return false;
++ }
++ }
++
+ for (DWORD i = 0; i < verifyDepth; i++) {
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+ QSslCertificate certificate = getCertificateFromChainElement(element);
+--
+2.41.0
+
+
+From a933f89e1f69b97ccb9d1e5f82d9a619c02afcd2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Thu, 25 May 2023 14:40:29 +0200
+Subject: [PATCH 2/2] Ssl: Copy the on-demand cert loading bool from default
+ config
+
+Otherwise individual sockets will still load system certificates when
+a chain doesn't match against the configured CA certificates.
+That's not intended behavior, since specifically setting the CA
+certificates means you don't want the system certificates to be used.
+
+Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a
+
+This is potentially a breaking change because now, if you ever add a
+CA to the default config, it will disable loading system certificates
+on demand for all sockets. And the only way to re-enable it is to
+create a null-QSslConfiguration and set it as the new default.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
+Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
+(cherry picked from commit 57ba6260c0801055b7188fdaa1818b940590f5f1)
+---
+ src/network/ssl/qsslsocket.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
+index 5bb6e7ee4a..2a0b3a4f1d 100644
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+ }
+
+ /*!
+@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
+--
+2.41.0
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 23:32:23 +0000