From f183b5447bad47655c21af87214579f03bf3a163 Mon Sep 17 00:00:00 2001 From: Albert Vaca Cintora Date: Thu, 24 Sep 2020 16:59:22 +0200 Subject: [PATCH] Do not ignore SSL errors, except for self-signed cert errors. Thanks Matthias Gerstner for reporting this. --- core/backends/lan/lanlinkprovider.cpp | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/core/backends/lan/lanlinkprovider.cpp b/core/backends/lan/lanlinkprovider.cpp index d9a7d8fa3..fc005cee7 100644 --- a/core/backends/lan/lanlinkprovider.cpp +++ b/core/backends/lan/lanlinkprovider.cpp @@ -297,9 +297,7 @@ void LanLinkProvider::tcpSocketConnected() connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted); - if (isDeviceTrusted) { - connect(socket, QOverload &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors); - } + connect(socket, QOverload &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors); socket->startServerEncryption(); @@ -326,8 +324,6 @@ void LanLinkProvider::encrypted() QSslSocket* socket = qobject_cast(sender()); if (!socket) return; - // TODO delete me? - disconnect(socket, QOverload &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors); Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode); LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely; @@ -346,14 +342,20 @@ void LanLinkProvider::sslErrors(const QList& errors) QSslSocket* socket = qobject_cast(sender()); if (!socket) return; - qCDebug(KDECONNECT_CORE) << "Failing due to " << errors; - Device* device = Daemon::instance()->getDevice(socket->peerVerifyName()); - if (device) { - device->unpair(); + bool fatal = false; + for (const QSslError& error : errors) { + if (error.error() != QSslError::SelfSignedCertificate) { + qCCritical(KDECONNECT_CORE) << "Disconnecting due to fatal SSL Error: " << error; + fatal = true; + } else { + qCDebug(KDECONNECT_CORE) << "Ignoring self-signed cert error"; + } } - delete m_receivedIdentityPackets.take(socket).np; - // Socket disconnects itself on ssl error and will be deleted by deleteLater slot, no need to delete manually + if (fatal) { + socket->disconnectFromHost(); + delete m_receivedIdentityPackets.take(socket).np; + } } //I'm the new device and this is the answer to my UDP identity packet (no data received yet). They are connecting to us through TCP, and they should send an identity.