diff options
author | Marianne Yrjänä <marianne.yrjana@qt.io> | 2023-11-30 10:24:41 +0000 |
---|---|---|
committer | Marianne Yrjänä <marianne.yrjana@qt.io> | 2023-12-08 06:10:51 +0000 |
commit | 65081c67f3d65b1c6e7e051a1b9d008eca3381e5 (patch) | |
tree | 1e7794400b87e55943f29092eaf5559e57179927 /src/plugins/tls | |
parent | e240f559e4a3b1a122c3bd0c4dc743487189ccfd (diff) |
Revert "OpenSSL: remove support for 1.1"
This reverts commit d201c0a2184881a226bce76528047707e9062856.
Reason for revert: QNX have support only for OpenSSL1.1.
QNX will start supporting OpenSSL3 with upcoming QNX8.0 but as long as we want to support QNX7.1 (and even QNX7.0) removing OpenSSL1.1 support from Qt is not an option.
Change-Id: Ia2083eda318779968eb6ee84fff2f56ebe3dadf7
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'src/plugins/tls')
-rw-r--r-- | src/plugins/tls/openssl/qsslcontext_openssl.cpp | 7 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp | 29 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h | 14 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtls_openssl.cpp | 3 |
4 files changed, 52 insertions, 1 deletions
diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp index a06d2ff65b..75c192bd01 100644 --- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp +++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp @@ -555,10 +555,17 @@ QT_WARNING_POP // tell OpenSSL the directories where to look up the root certs on demand const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); int success = 1; +#if OPENSSL_VERSION_MAJOR < 3 + for (const QByteArray &unixDir : unixDirs) { + if ((success = q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData())) != 1) + break; + } +#else for (const QByteArray &unixDir : unixDirs) { if ((success = q_SSL_CTX_load_verify_dir(sslContext->ctx, unixDir.constData())) != 1) break; } +#endif // OPENSSL_VERSION_MAJOR if (success != 1) { const auto qtErrors = QTlsBackendOpenSSL::getErrorsFromOpenSsl(); qCWarning(lcTlsBackend) << "An error encountered while to set root certificates location:" diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp index 13d3b0cee9..4aa9ca6fb1 100644 --- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp @@ -302,9 +302,14 @@ DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return) DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return) DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return) +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return) DEFINEFUNC(int, EVP_PKEY_get_bits, const EVP_PKEY *pkey, pkey, return -1, return) DEFINEFUNC(int, EVP_PKEY_get_base_id, const EVP_PKEY *pkey, pkey, return -1, return) +#else +DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return) +DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) +#endif // OPENSSL_VERSION_MAJOR >= 3 DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return) DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return) @@ -375,7 +380,11 @@ DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return null DEFINEFUNC2(void *, X509_STORE_CTX_get_ex_data, X509_STORE_CTX *ctx, ctx, int idx, idx, return nullptr, return) DEFINEFUNC(int, SSL_get_ex_data_X509_STORE_CTX_idx, DUMMYARG, DUMMYARG, return -1, return) +#if OPENSSL_VERSION_MAJOR < 3 +DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) +#else DEFINEFUNC2(int, SSL_CTX_load_verify_dir, SSL_CTX *ctx, ctx, const char *CApath, CApath, return 0, return) +#endif // OPENSSL_VERSION_MAJOR DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return) DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return nullptr, return) @@ -637,7 +646,9 @@ static QStringList findAllLibCrypto() } # endif -#if OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available +#if (OPENSSL_VERSION_NUMBER >> 28) < 3 +#define QT_OPENSSL_VERSION "1_1" +#elif OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available #define QT_OPENSSL_VERSION "3" #endif // > 3 intentionally left undefined @@ -908,10 +919,17 @@ bool q_resolveOpenSslSymbols() return false; } +#if OPENSSL_VERSION_NUMBER >= 0x30000000 if (q_OpenSSL_version_num() < 0x30000000) { qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL >= 3.x, runtime version is < 3.x)"); return false; } +#else + if (q_OpenSSL_version_num() >= 0x30000000) { + qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL 1.x, runtime version is >= 3.x)"); + return false; + } +#endif // OPENSSL_VERSION_NUMBER RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint) @@ -1054,9 +1072,14 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(SSL_get_error) RESOLVEFUNC(SSL_get_peer_cert_chain) +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 RESOLVEFUNC(SSL_get1_peer_certificate) RESOLVEFUNC(EVP_PKEY_get_bits) RESOLVEFUNC(EVP_PKEY_get_base_id) +#else + RESOLVEFUNC(SSL_get_peer_certificate) + RESOLVEFUNC(EVP_PKEY_base_id) +#endif // OPENSSL_VERSION_MAJOR >= 3 #ifndef OPENSSL_NO_DEPRECATED_3_0 RESOLVEFUNC(DH_new) @@ -1188,7 +1211,11 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(X509_verify_cert) RESOLVEFUNC(d2i_X509) RESOLVEFUNC(i2d_X509) +#if OPENSSL_VERSION_MAJOR < 3 + RESOLVEFUNC(SSL_CTX_load_verify_locations) +#else RESOLVEFUNC(SSL_CTX_load_verify_dir) +#endif // OPENSSL_VERSION_MAJOR RESOLVEFUNC(i2d_SSL_SESSION) RESOLVEFUNC(d2i_SSL_SESSION) diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h index 7d7ce57371..a93c110b3f 100644 --- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h @@ -185,7 +185,11 @@ QT_BEGIN_NAMESPACE // **************** Static declarations ****************** #endif // !defined QT_LINKED_OPENSSL +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 typedef uint64_t qssloptions; +#else +typedef unsigned long qssloptions; +#endif // TODO: the following lines previously were a part of 1.1 - specific header. // To reduce the amount of the change, I'm directly copying and pasting the // content of the header here. Later, can be better sorted/split into groups, @@ -546,7 +550,11 @@ void q_GENERAL_NAME_free(GENERAL_NAME *a); q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf() +#if OPENSSL_VERSION_MAJOR < 3 +int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); +#else int q_SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath); +#endif // OPENSSL_VERSION_MAJOR int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); @@ -668,11 +676,17 @@ const char *q_SSL_alert_desc_string_long(int value); int q_SSL_CTX_get_security_level(const SSL_CTX *ctx); void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level); +// Here we have the ones that make difference between OpenSSL pre/post v3: +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 X509 *q_SSL_get1_peer_certificate(SSL *a); #define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate int q_EVP_PKEY_get_bits(const EVP_PKEY *pkey); int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey); #define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id +#else +X509 *q_SSL_get_peer_certificate(SSL *a); +int q_EVP_PKEY_base_id(EVP_PKEY *a); +#endif // OPENSSL_VERSION_MAJOR >= 3 #ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/src/plugins/tls/openssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp index ed5211150d..57d09a649b 100644 --- a/src/plugins/tls/openssl/qtls_openssl.cpp +++ b/src/plugins/tls/openssl/qtls_openssl.cpp @@ -1438,11 +1438,14 @@ bool TlsCryptographOpenSSL::initSslContext() else if (mode == QSslSocket::SslServerMode) q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback); +#if OPENSSL_VERSION_NUMBER >= 0x10101006L // Set the client callback for TLSv1.3 PSK if (mode == QSslSocket::SslClientMode && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) { q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback); } +#endif // openssl version >= 0x10101006L + #endif // OPENSSL_NO_PSK #if QT_CONFIG(ocsp) |