Revert "OpenSSL: remove support for 1.1"

This reverts commit d201c0a2184881a226bce76528047707e9062856. Reason for revert: QNX have support only for OpenSSL1.1. QNX will start supporting OpenSSL3 with upcoming QNX8.0 but as long as we want to support QNX7.1 (and even QNX7.0) removing OpenSSL1.1 support from Qt is not an option. Change-Id: Ia2083eda318779968eb6ee84fff2f56ebe3dadf7 Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
author: Marianne Yrjänä <marianne.yrjana@qt.io> 2023-11-30 10:24:41 +0000
committer: Marianne Yrjänä <marianne.yrjana@qt.io> 2023-12-08 06:10:51 +0000
commit: 65081c67f3d65b1c6e7e051a1b9d008eca3381e5 (patch)
tree: 1e7794400b87e55943f29092eaf5559e57179927 /src/plugins/tls
parent: e240f559e4a3b1a122c3bd0c4dc743487189ccfd (diff)
4 files changed, 52 insertions, 1 deletions
diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp
index a06d2ff65b..75c192bd01 100644
--- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp
+++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp
@@ -555,10 +555,17 @@ QT_WARNING_POP
         // tell OpenSSL the directories where to look up the root certs on demand
         const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories();
         int success = 1;
+#if OPENSSL_VERSION_MAJOR < 3
+        for (const QByteArray &unixDir : unixDirs) {
+            if ((success = q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData())) != 1)
+                break;
+        }
+#else
         for (const QByteArray &unixDir : unixDirs) {
             if ((success = q_SSL_CTX_load_verify_dir(sslContext->ctx, unixDir.constData())) != 1)
                 break;
         }
+#endif // OPENSSL_VERSION_MAJOR
         if (success != 1) {
             const auto qtErrors = QTlsBackendOpenSSL::getErrorsFromOpenSsl();
             qCWarning(lcTlsBackend) << "An error encountered while to set root certificates location:"
diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp
index 13d3b0cee9..4aa9ca6fb1 100644
--- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp
+++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp
@@ -302,9 +302,14 @@ DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return)
 DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return)
 DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return)
 
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return)
 DEFINEFUNC(int, EVP_PKEY_get_bits, const EVP_PKEY *pkey, pkey, return -1, return)
 DEFINEFUNC(int, EVP_PKEY_get_base_id, const EVP_PKEY *pkey, pkey, return -1, return)
+#else
+DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return)
+DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return)
+#endif // OPENSSL_VERSION_MAJOR >= 3
 
 DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return)
 DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return)
@@ -375,7 +380,11 @@ DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return null
 DEFINEFUNC2(void *, X509_STORE_CTX_get_ex_data, X509_STORE_CTX *ctx, ctx, int idx, idx, return nullptr, return)
 DEFINEFUNC(int, SSL_get_ex_data_X509_STORE_CTX_idx, DUMMYARG, DUMMYARG, return -1, return)
 
+#if OPENSSL_VERSION_MAJOR < 3
+DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return)
+#else
 DEFINEFUNC2(int, SSL_CTX_load_verify_dir, SSL_CTX *ctx, ctx, const char *CApath, CApath, return 0, return)
+#endif // OPENSSL_VERSION_MAJOR
 
 DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return)
 DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return nullptr, return)
@@ -637,7 +646,9 @@ static QStringList findAllLibCrypto()
 }
 # endif
 
-#if OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available
+#if (OPENSSL_VERSION_NUMBER >> 28) < 3
+#define QT_OPENSSL_VERSION "1_1"
+#elif OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available
 #define QT_OPENSSL_VERSION "3"
 #endif // > 3 intentionally left undefined
 
@@ -908,10 +919,17 @@ bool q_resolveOpenSslSymbols()
             return false;
         }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
         if (q_OpenSSL_version_num() < 0x30000000) {
             qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL >= 3.x, runtime version is < 3.x)");
             return false;
         }
+#else
+        if (q_OpenSSL_version_num() >= 0x30000000) {
+            qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL 1.x, runtime version is >= 3.x)");
+            return false;
+        }
+#endif // OPENSSL_VERSION_NUMBER
 
         RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint)
 
@@ -1054,9 +1072,14 @@ bool q_resolveOpenSslSymbols()
         RESOLVEFUNC(SSL_get_error)
         RESOLVEFUNC(SSL_get_peer_cert_chain)
 
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
         RESOLVEFUNC(SSL_get1_peer_certificate)
         RESOLVEFUNC(EVP_PKEY_get_bits)
         RESOLVEFUNC(EVP_PKEY_get_base_id)
+#else
+        RESOLVEFUNC(SSL_get_peer_certificate)
+        RESOLVEFUNC(EVP_PKEY_base_id)
+#endif // OPENSSL_VERSION_MAJOR >= 3
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
         RESOLVEFUNC(DH_new)
@@ -1188,7 +1211,11 @@ bool q_resolveOpenSslSymbols()
         RESOLVEFUNC(X509_verify_cert)
         RESOLVEFUNC(d2i_X509)
         RESOLVEFUNC(i2d_X509)
+#if OPENSSL_VERSION_MAJOR < 3
+        RESOLVEFUNC(SSL_CTX_load_verify_locations)
+#else
         RESOLVEFUNC(SSL_CTX_load_verify_dir)
+#endif // OPENSSL_VERSION_MAJOR
         RESOLVEFUNC(i2d_SSL_SESSION)
         RESOLVEFUNC(d2i_SSL_SESSION)
 
diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h
index 7d7ce57371..a93c110b3f 100644
--- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h
+++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h
@@ -185,7 +185,11 @@ QT_BEGIN_NAMESPACE
 // **************** Static declarations ******************
 
 #endif // !defined QT_LINKED_OPENSSL
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 typedef uint64_t qssloptions;
+#else
+typedef unsigned long qssloptions;
+#endif
 // TODO: the following lines previously were a part of 1.1 - specific header.
 // To reduce the amount of the change, I'm directly copying and pasting the
 // content of the header here. Later, can be better sorted/split into groups,
@@ -546,7 +550,11 @@ void q_GENERAL_NAME_free(GENERAL_NAME *a);
         q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
 #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf()
 
+#if OPENSSL_VERSION_MAJOR < 3
+int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
+#else
 int q_SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
+#endif // OPENSSL_VERSION_MAJOR
 
 int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
@@ -668,11 +676,17 @@ const char *q_SSL_alert_desc_string_long(int value);
 int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
 void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
 
+// Here we have the ones that make difference between OpenSSL pre/post v3:
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 X509 *q_SSL_get1_peer_certificate(SSL *a);
 #define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate
 int q_EVP_PKEY_get_bits(const EVP_PKEY *pkey);
 int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
 #define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id
+#else
+X509 *q_SSL_get_peer_certificate(SSL *a);
+int q_EVP_PKEY_base_id(EVP_PKEY *a);
+#endif // OPENSSL_VERSION_MAJOR >= 3
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
 
diff --git a/src/plugins/tls/openssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp
index ed5211150d..57d09a649b 100644
--- a/src/plugins/tls/openssl/qtls_openssl.cpp
+++ b/src/plugins/tls/openssl/qtls_openssl.cpp
@@ -1438,11 +1438,14 @@ bool TlsCryptographOpenSSL::initSslContext()
     else if (mode == QSslSocket::SslServerMode)
         q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101006L
     // Set the client callback for TLSv1.3 PSK
     if (mode == QSslSocket::SslClientMode
         && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
         q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback);
     }
+#endif // openssl version >= 0x10101006L
+
 #endif // OPENSSL_NO_PSK
 
 #if QT_CONFIG(ocsp)
author	Marianne Yrjänä <marianne.yrjana@qt.io>	2023-11-30 10:24:41 +0000
committer	Marianne Yrjänä <marianne.yrjana@qt.io>	2023-12-08 06:10:51 +0000
commit	65081c67f3d65b1c6e7e051a1b9d008eca3381e5 (patch)
tree	1e7794400b87e55943f29092eaf5559e57179927 /src/plugins/tls
parent	e240f559e4a3b1a122c3bd0c4dc743487189ccfd (diff)