Re: Bug#828522: QT4 and OpenSSL 1.1.0: [was Re: OpenSSL 1.1.0]

Tue, 28 Jun 2016 11:45:46 -0700 

On Tue, Jun 28, 2016 at 07:36:27PM +0200, Gert Wollny wrote:
> Okay, the attached patch corrects this. 

I had a quick look at the patch and have some comments.

> --- a/src/network/ssl/qsslcertificate.cpp
> +++ b/src/network/ssl/qsslcertificate.cpp
> @@ -259,10 +259,15 @@
>  QByteArray QSslCertificate::version() const
>  {
>      QMutexLocker lock(QMutexPool::globalInstanceGet(d.data()));
> -    if (d->versionString.isEmpty() && d->x509)
> +    if (d->versionString.isEmpty() && d->x509) {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>          d->versionString =
> -            
> QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) 
> + 1);
> -
> +         
> QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) 
> + 1);
> +#else
> +        d->versionString =
> +         QByteArray::number(qlonglong(q_X509_get_version(d->x509)) + 1);
> +#endif

X509_get_version() exist in old versions (as macro), there is no
reason to have the version check, just always use it.

> @@ -276,7 +281,11 @@
>  {
>      QMutexLocker lock(QMutexPool::globalInstanceGet(d.data()));
>      if (d->serialNumberString.isEmpty() && d->x509) {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>          ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber;
> +#else
> +        ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509);
> +#endif

Same as above.


> @@ -489,24 +498,33 @@
>      QSslKey key;
>  
>      key.d->type = QSsl::PublicKey;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>      X509_PUBKEY *xkey = d->x509->cert_info->key;
> +#else
> +    X509_PUBKEY *xkey = q_X509_get_X509_PUBKEY(d->x509);
> +#endif
>      EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey);
>      Q_ASSERT(pkey);
>  
> -    if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) {
> +    int key_id;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +    key_id = q_EVP_PKEY_type(pkey->type);
> +#else
> +    key_id = q_EVP_PKEY_id(pkey);
> +#endif

You probably want EVP_PKEY_base_id here, look at the manpage.

> +    if (key_id == EVP_PKEY_RSA) {
>          key.d->rsa = q_EVP_PKEY_get1_RSA(pkey);
>          key.d->algorithm = QSsl::Rsa;
>          key.d->isNull = false;
> -    } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) {
> +    } else if (key_id == EVP_PKEY_DSA) {
>          key.d->dsa = q_EVP_PKEY_get1_DSA(pkey);
>          key.d->algorithm = QSsl::Dsa;
>          key.d->isNull = false;
> -    } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) {
> +    } else if (key_id == EVP_PKEY_DH) {
>          // DH unsupported
>      } else {
>          // error?
>      }

As already explain, you want to have EC support.

>  
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +       q_X509_STORE_add_cert(ctx->cert_store, (X509 
> *)caCertificate.handle());
> +#else
> +       q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(ctx), (X509 
> *)caCertificate.handle());
> +#endif

SSL_CTX_get_cert_store should exist in old version.


Kurt

Reply via email to