mirror of
https://github.com/feather-wallet/feather.git
synced 2025-01-10 04:44:52 +00:00
53 lines
2.6 KiB
Diff
53 lines
2.6 KiB
Diff
|
--- a/src/plugins/tls/schannel/qtls_schannel.cpp
|
||
|
+++ b/src/plugins/tls/schannel/qtls_schannel.cpp
|
||
|
@@ -2106,6 +2106,27 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext)
|
||
|
verifyDepth = DWORD(q->peerVerifyDepth());
|
||
|
|
||
|
const auto &caCertificates = q->sslConfiguration().caCertificates();
|
||
|
+
|
||
|
+ if (!rootCertOnDemandLoadingAllowed()
|
||
|
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
|
||
|
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
|
||
|
+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
|
||
|
+ // When verifying a peer Windows "helpfully" builds a chain that
|
||
|
+ // may include roots from the system store. But we don't want that if
|
||
|
+ // the user has set their own CA certificates.
|
||
|
+ // Since Windows claims this is not a partial chain the root is included
|
||
|
+ // and we have to check that it is one of our configured CAs.
|
||
|
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
|
||
|
+ QSslCertificate certificate = getCertificateFromChainElement(element);
|
||
|
+ if (!caCertificates.contains(certificate)) {
|
||
|
+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
|
||
|
+ sslErrors += error;
|
||
|
+ emit q->peerVerifyError(error);
|
||
|
+ if (q->state() != QAbstractSocket::ConnectedState)
|
||
|
+ return false;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
QList<QSslCertificate> peerCertificateChain;
|
||
|
for (DWORD i = 0; i < verifyDepth; i++) {
|
||
|
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
|
||
|
|
||
|
--- a/src/network/ssl/qsslsocket.cpp
|
||
|
+++ b/src/network/ssl/qsslsocket.cpp
|
||
|
@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
|
||
|
, flushTriggered(false)
|
||
|
{
|
||
|
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
|
||
|
+ // If the global configuration doesn't allow root certificates to be loaded
|
||
|
+ // on demand then we have to disable it for this socket as well.
|
||
|
+ if (!configuration.allowRootCertOnDemandLoading)
|
||
|
+ allowRootCertOnDemandLoading = false;
|
||
|
|
||
|
const auto *tlsBackend = tlsBackendInUse();
|
||
|
if (!tlsBackend) {
|
||
|
@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
|
||
|
ptr->sessionProtocol = global->sessionProtocol;
|
||
|
ptr->ciphers = global->ciphers;
|
||
|
ptr->caCertificates = global->caCertificates;
|
||
|
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
|
||
|
ptr->protocol = global->protocol;
|
||
|
ptr->peerVerifyMode = global->peerVerifyMode;
|
||
|
ptr->peerVerifyDepth = global->peerVerifyDepth;
|