Control: tags -1 patch Hi,
attached is the patch that I have come up with. I think that most of the changes are quite straightforward, but I'm not quite sure whether "DSA_security_bits" is really a proper replacement for "BN_num_bits(d->dsa->p)", likewise RSA_bits versus BN_num_bits(d->rsa->n). The package builds against openssl-1.1.0 (I haven't tested the old version yet). I don't know whether the test suite actually covers this or whether it is even run (there is a ".PHONY: override_dh_auto_test" in the d/rules file but no override_dh_auto_test target defined). Obviously the patch will need some review by people who are more knowledgeable than me with respect to Qt and openssl. Best, Gert PS: Applying this patch to qt5 mostly fails.
Description: Compile with openssl-1.1.0 * Most changes are related to openssl structures are now opaque. * The network/ssl threading setup ishas been disabled because the old openssl threading model has been removed and is apparently no longer needed. * A number of new functions had to be imported (see changes to src/network/ssl/qsslsocket_openssl_symbols.cpp) Author: Gert Wollny <gw.foss...@gmail.com> Last-Update: 2016-06-28 Bug-Debian: http://bugs.debian.org/828522 --- a/src/network/ssl/qsslcertificate.cpp +++ b/src/network/ssl/qsslcertificate.cpp @@ -259,10 +259,15 @@ QByteArray QSslCertificate::version() const { QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); - if (d->versionString.isEmpty() && d->x509) + if (d->versionString.isEmpty() && d->x509) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L d->versionString = - QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); - + QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); +#else + d->versionString = + QByteArray::number(qlonglong(q_X509_get_version(d->x509)) + 1); +#endif + } return d->versionString; } @@ -276,7 +281,11 @@ { QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); if (d->serialNumberString.isEmpty() && d->x509) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber; +#else + ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509); +#endif // if we cannot convert to a long, just output the hexadecimal number if (serialNumber->length > 4) { QByteArray hexString; 
@@ -489,24 +498,33 @@ QSslKey key; key.d->type = QSsl::PublicKey; +#if OPENSSL_VERSION_NUMBER < 0x10100000L X509_PUBKEY *xkey = d->x509->cert_info->key; +#else + X509_PUBKEY *xkey = q_X509_get_X509_PUBKEY(d->x509); +#endif EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey); Q_ASSERT(pkey); - if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) { + int key_id; +#if OPENSSL_VERSION_NUMBER < 0x10100000L + key_id = q_EVP_PKEY_type(pkey->type); +#else + key_id = q_EVP_PKEY_id(pkey); +#endif + if (key_id == EVP_PKEY_RSA) { key.d->rsa = q_EVP_PKEY_get1_RSA(pkey); key.d->algorithm = QSsl::Rsa; key.d->isNull = false; - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { + } else if (key_id == EVP_PKEY_DSA) { key.d->dsa = q_EVP_PKEY_get1_DSA(pkey); key.d->algorithm = QSsl::Dsa; key.d->isNull = false; - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) { + } else if (key_id == EVP_PKEY_DH) { // DH unsupported } else { // error? } - q_EVP_PKEY_free(pkey); return key; } --- a/src/network/ssl/qsslkey.cpp +++ b/src/network/ssl/qsslkey.cpp @@ -321,8 +321,15 @@ { if (d->isNull) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L return (d->algorithm == QSsl::Rsa) ? q_BN_num_bits(d->rsa->n) : q_BN_num_bits(d->dsa->p); +#else + // not sure whether DSA_securirty_bits is correct + return (d->algorithm == QSsl::Rsa) + ? q_RSA_bits(d->rsa) : q_DSA_security_bits(d->dsa); +#endif + } /*! --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp @@ -93,6 +93,7 @@ bool QSslSocketPrivate::s_loadedCiphersAndCerts = false; bool QSslSocketPrivate::s_loadRootCertsOnDemand = false; +#if OPENSSL_VERSION_NUMBER < 0x10100000L /* \internal From OpenSSL's thread(3) manual page: @@ -174,6 +175,8 @@ } } // extern "C" +#endif //OPENSSL_VERSION_NUMBER >= 0x10100000L + QSslSocketBackendPrivate::QSslSocketBackendPrivate() : ssl(0), ctx(0), 
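Review bot: The `-` immediately before `q_EVP_PKEY_free(pkey);` at the end of the publicKey() hunk reads as this patch dropping the free, although with the collapsed layout it could also be only the blank line above it that goes; if the free is removed, every publicKey() call leaks the EVP_PKEY that q_X509_PUBKEY_get() hands back with its own reference (key.d->rsa/dsa hold separate get1 references), on both OpenSSL branches. Please keep `q_EVP_PKEY_free(pkey);` before `return key;`. Separately, `q_EVP_PKEY_id(pkey)` is not quite the old `q_EVP_PKEY_type(pkey->type)`: EVP_PKEY_id() returns the raw NID while EVP_PKEY_type() normalises aliases such as EVP_PKEY_RSA2 to EVP_PKEY_RSA, so the closer replacement, available since 1.0.0 and therefore needing no `#if`, is `key_id = q_EVP_PKEY_base_id(pkey);` (with a matching DEFINEFUNC/RESOLVEFUNC). publicKey() begins before the hunk; only its tail is visible here.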
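Review bot: `q_DSA_security_bits(d->dsa)` is not a replacement for `q_BN_num_bits(d->dsa->p)`: DSA_security_bits() returns the estimated security strength (roughly 112 for a 2048-bit p), not the size of p, so QSslKey::length() would report a different quantity for DSA keys on OpenSSL 1.1 than on 1.0 and a different quantity than RSA_bits() reports for RSA keys, and any policy check a caller builds on length() gets the wrong number. Use `q_DSA_bits(d->dsa)`, which 1.1.0 added alongside RSA_bits() and which returns BN_num_bits(p), and rename the DSA_security_bits declaration, DEFINEFUNC and RESOLVEFUNC in the symbols files to DSA_bits. The `// not sure whether DSA_securirty_bits is correct` comment can then be dropped. length() begins before the hunk.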
@@ -222,9 +225,12 @@ ciph.d->encryptionMethod = descriptionList.at(4).mid(4); ciph.d->exportable = (descriptionList.size() > 6 && descriptionList.at(6) == QLatin1String("export")); +#if OPENSSL_VERSION_NUMBER < 0x10100000L ciph.d->bits = cipher->strength_bits; ciph.d->supportedBits = cipher->alg_bits; - +#else + ciph.d->bits = q_SSL_CIPHER_get_bits(cipher, &ciph.d->supportedBits); +#endif } return ciph; } @@ -367,7 +373,11 @@ // // See also: QSslContext::fromConfiguration() if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) { - q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle()); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle()); +#else + q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(ctx), (X509 *)caCertificate.handle()); +#endif } } @@ -504,8 +514,10 @@ */ void QSslSocketPrivate::deinitialize() { +#if OPENSSL_VERSION_NUMBER < 0x10100000L q_CRYPTO_set_id_callback(0); q_CRYPTO_set_locking_callback(0); +#endif } /*! @@ -526,13 +538,17 @@ return false; // Check if the library itself needs to be initialized. +#if OPENSSL_VERSION_NUMBER < 0x10100000L QMutexLocker locker(openssl_locks()->initLock()); +#endif if (!s_libraryLoaded) { s_libraryLoaded = true; // Initialize OpenSSL. +#if OPENSSL_VERSION_NUMBER < 0x10100000L q_CRYPTO_set_id_callback(id_function); q_CRYPTO_set_locking_callback(locking_function); +#endif if (q_SSL_library_init() != 1) return false; q_SSL_load_error_strings(); @@ -571,7 +587,9 @@ void QSslSocketPrivate::ensureCiphersAndCertsLoaded() { - QMutexLocker locker(openssl_locks()->initLock()); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + QMutexLocker locker(openssl_locks()->initLock()); +#endif if (s_loadedCiphersAndCerts) return; s_loadedCiphersAndCerts = true; 
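Review bot: Removing `QMutexLocker locker(openssl_locks()->initLock());` from initialize() and ensureCiphersAndCertsLoaded() under 1.1.0 takes away the only lock around Qt's own check-then-set of `s_libraryLoaded` and `s_loadedCiphersAndCerts`; OpenSSL 1.1.0 made its own initialization thread-safe, but that does nothing for these Qt statics, so two threads creating their first QSslSocket concurrently can both run the init path, or one can proceed before the other has finished loading the ciphers and CA certificates. Keep a mutex for both builds, for example a file-scope `Q_GLOBAL_STATIC(QMutex, qt_openssl_init_mutex)` locked at the top of both functions, or keep the initLock member defined outside the version `#if` (openssl_locks() presumably lives in the block the earlier hunk wraps in `#if`, which is not visible here). Only the CRYPTO_set_id_callback/CRYPTO_set_locking_callback registrations need to be ifdef'd out, since 1.1.0 ignores them. Both functions continue outside the hunk.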
@@ -663,13 +681,18 @@ STACK_OF(SSL_CIPHER) *supportedCiphers = q_SSL_get_ciphers(mySsl); for (int i = 0; i < q_sk_SSL_CIPHER_num(supportedCiphers); ++i) { if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) { - if (cipher->valid) { + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + if (cipher->valid) { +#endif QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher); if (!ciph.isNull()) { if (!ciph.name().toLower().startsWith(QLatin1String("adh"))) ciphers << ciph; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L } +#endif } } --- a/src/network/ssl/qsslsocket_openssl_symbols_p.h +++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h @@ -399,7 +399,21 @@ PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_DSAPrivateKey,PEM_STRING_DSA,\ bp,(char *)x,enc,kstr,klen,cb,u) #endif + +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define q_SSL_CTX_set_options(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) +#else +X509_STORE * q_SSL_CTX_get_cert_store(const SSL_CTX *ctx); +int q_EVP_PKEY_id(const EVP_PKEY *pkey); +int q_SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits); +long q_SSL_CTX_set_options(SSL_CTX *ctx, long options); +long q_X509_get_version(X509 *x); +ASN1_INTEGER * q_X509_get_serialNumber(X509 *x); +X509_PUBKEY * q_X509_get_X509_PUBKEY(X509 *x); +int q_RSA_bits(const RSA *rsa); +int q_DSA_security_bits(const DSA *dsa); +#endif + #define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st) #define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i) #define q_sk_GENERAL_NAME_num(st) q_SKM_sk_num(GENERAL_NAME, (st)) 
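Review bot: Splitting `if (cipher->valid) {` and its closing `}` into two separate `#if OPENSSL_VERSION_NUMBER < 0x10100000L` blocks leaves a brace pair whose halves are fifteen lines apart in different preprocessor regions, which is easy to break on the next edit. A guard clause keeps both the condition and its scope in one place: `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `if (!cipher->valid) continue;` / `#endif` immediately before the `QSslCipher_from_SSL_CIPHER(cipher)` call, with the rest of the loop body left unconditional. The enclosing function begins before the hunk.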
@@ -410,8 +424,15 @@
#define q_sk_SSL_CIPHER_value(st, i) q_SKM_sk_value(SSL_CIPHER, (st), (i))
#define q_SSL_CTX_add_extra_chain_cert(ctx,x509) \
q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define q_X509_get_notAfter(x) X509_get_notAfter(x)
#define q_X509_get_notBefore(x) X509_get_notBefore(x)
+#else
+ASN1_TIME *q_X509_get_notAfter(X509 *x);
+ASN1_TIME *q_X509_get_notBefore(X509 *x);
+#endif
+
#define q_EVP_PKEY_assign_RSA(pkey,rsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
(char *)(rsa))
#define q_EVP_PKEY_assign_DSA(pkey,dsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -291,6 +291,20 @@
DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return)
DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *ctx, ctx, return 0, return)
+DEFINEFUNC(int, EVP_PKEY_id, const EVP_PKEY *pkey, pkey, return 0, return)
+DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *cipher, cipher, int *alg_bits, alg_bits, return 0, return)
+DEFINEFUNC2(long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, long options, options, return 0, return)
+DEFINEFUNC(long, X509_get_version, X509 *x, x, return 0, return)
+DEFINEFUNC(ASN1_INTEGER *, X509_get_serialNumber, X509 *x, x, return 0, return)
+DEFINEFUNC(X509_PUBKEY *, X509_get_X509_PUBKEY, X509 *x, x, return 0, return)
+DEFINEFUNC(int, RSA_bits, const RSA *rsa, rsa, return 0, return)
+DEFINEFUNC(int, DSA_security_bits, const DSA *dsa, dsa, return 0, return)
+DEFINEFUNC(ASN1_TIME *, X509_get_notAfter, X509 *x, x, return 0, return)
+DEFINEFUNC(ASN1_TIME *, X509_get_notBefore, X509 *x, x, return 0, return)
+#endif
+
#ifdef Q_OS_SYMBIAN
#define RESOLVEFUNC(func, ordinal, lib) \
if (!(_q_##func = _q_PTR_##func(lib->resolve(#ordinal)))) \
@@ -823,6 +837,21 @@
RESOLVEFUNC(SSL_set_connect_state)
RESOLVEFUNC(SSL_shutdown)
RESOLVEFUNC(SSL_write)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ RESOLVEFUNC(SSL_CTX_ctrl)
+ RESOLVEFUNC(SSL_CTX_get_cert_store)
+ RESOLVEFUNC(EVP_PKEY_id)
+ RESOLVEFUNC(SSL_CIPHER_get_bits)
+ RESOLVEFUNC(SSL_CTX_set_options)
+ RESOLVEFUNC(X509_get_version)
+ RESOLVEFUNC(X509_get_serialNumber)
+ RESOLVEFUNC(X509_get_X509_PUBKEY)
+ RESOLVEFUNC(RSA_bits)
+ RESOLVEFUNC(DSA_security_bits)
+ RESOLVEFUNC(X509_get_notAfter)
+ RESOLVEFUNC(X509_get_notBefore)
+#endif
+
#ifndef OPENSSL_NO_SSL2
RESOLVEFUNC(SSLv2_client_method)
#endif
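Review bot: `RESOLVEFUNC(X509_get_notAfter)` and `RESOLVEFUNC(X509_get_notBefore)` look up those literal names in libcrypto (the `#func`/`##func` uses in DEFINEFUNC/RESOLVEFUNC stop macro expansion), but in the 1.1.0 headers as I recall them X509_get_notAfter/X509_get_notBefore are only compatibility macros for X509_getm_notAfter/X509_getm_notBefore and libcrypto.so.1.1 does not export the old names; if that holds, the resolve fails at load time, q_X509_get_notAfter() warns and returns 0, and expiryDate()/effectiveDate() (and the CA-expiry check in the qsslsocket_openssl hunk) work on a null ASN1_TIME. Please verify against the 1.1.0 libcrypto.num and, if confirmed, declare, define and resolve `X509_getm_notAfter`/`X509_getm_notBefore` (or the `X509_get0_` const variants) while keeping q_X509_get_notAfter as the wrapper name. The same check is worth running for every name added in this hunk as a DEFINEFUNC, since any of them that the 1.1.0 headers define as a macro will fail the same way. The added `RESOLVEFUNC(SSL_CTX_ctrl)` is presumably redundant, as q_SSL_CTX_add_extra_chain_cert still expands to q_SSL_CTX_ctrl unconditionally and so it must already be resolved outside the `#if`.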