-rw-r--r-- | configure.cmake | 58 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslcontext_openssl.cpp | 7 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp | 29 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h | 14 | ||||
-rw-r--r-- | src/plugins/tls/openssl/qtls_openssl.cpp | 3 |
5 files changed, 108 insertions, 3 deletions
diff --git a/configure.cmake b/configure.cmake index 2213ce233c..72e331c01b 100644 --- a/configure.cmake +++ b/configure.cmake @@ -19,7 +19,55 @@ if(TARGET ZLIB::ZLIB) endif() qt_find_package(WrapOpenSSLHeaders PROVIDED_TARGETS WrapOpenSSLHeaders::WrapOpenSSLHeaders MODULE_NAME core) +# openssl_headers +# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1 +qt_config_compile_test(opensslv11_headers + LABEL "opensslv11_headers" + LIBRARIES + WrapOpenSSLHeaders::WrapOpenSSLHeaders + CODE +"#include <openssl/ssl.h> +#include <openssl/opensslv.h> +#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L +# error OpenSSL >= 1.1.1 is required +#endif +#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES) +# error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported +#endif + +int main(void) +{ + /* BEGIN TEST: */ + /* END TEST: */ + return 0; +} +") + qt_find_package(WrapOpenSSL PROVIDED_TARGETS WrapOpenSSL::WrapOpenSSL MODULE_NAME core QMAKE_LIB openssl) +# openssl +# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1 +qt_config_compile_test(opensslv11 + LABEL "opensslv11" + LIBRARIES + WrapOpenSSL::WrapOpenSSL + CODE +"#include <openssl/ssl.h> +#include <openssl/opensslv.h> +#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L +# error OpenSSL >= 1.1.1 is required +#endif +#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES) +# error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported +#endif + +int main(void) +{ + /* BEGIN TEST: */ +SSL_free(SSL_new(0)); + /* END TEST: */ + return 0; +} +") # opensslv30 # openssl_headers 
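Review bot: The probe source is pasted twice, once for `opensslv11_headers` and once for `opensslv11`, differing only in the `SSL_free(SSL_new(0));` line, so a later change to the version floor or the LibreSSL check has to be made in two places. Putting the shared part in one variable (say `set(_qt_opensslv11_probe "#include <openssl/ssl.h> ...")` and passing `"${_qt_opensslv11_probe}"` to both CODE arguments, the second one with the SSL_free line appended) keeps the two tests from drifting. The comment `# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1` would also be a good place to say that the 1.1.1 branch is, as far as I know, past its upstream end-of-life, so a build that takes this path links or loads a library that no longer receives fixes; the configure summary is the only place a packager sees which path was taken.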
@@ -952,17 +1000,22 @@ qt_feature_definition("openssl" "QT_NO_OPENSSL" NEGATE) qt_feature_config("openssl" QMAKE_PUBLIC_QT_CONFIG) qt_feature("openssl-runtime" AUTODETECT NOT WASM - CONDITION TEST_opensslv30_headers + CONDITION TEST_opensslv11_headers OR TEST_opensslv30_headers ENABLE INPUT_openssl STREQUAL 'yes' OR INPUT_openssl STREQUAL 'runtime' DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_openssl STREQUAL 'linked' OR INPUT_ssl STREQUAL 'no' ) qt_feature("openssl-linked" PUBLIC LABEL " Qt directly linked to OpenSSL" AUTODETECT OFF - CONDITION TEST_opensslv30 + CONDITION TEST_opensslv11 OR TEST_opensslv30 ENABLE INPUT_openssl STREQUAL 'linked' ) qt_feature_definition("openssl-linked" "QT_LINKED_OPENSSL") +qt_feature("opensslv11" PUBLIC + LABEL "OpenSSL 1.1" + CONDITION TEST_opensslv11 OR TEST_opensslv11_headers + DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_ssl STREQUAL 'no' +) qt_feature("opensslv30" PUBLIC LABEL "OpenSSL 3.0" CONDITION TEST_opensslv30 OR TEST_opensslv30_headers @@ -1148,6 +1201,7 @@ qt_configure_add_summary_entry(ARGS "Using vcpkg" TYPE "message" MESSAGE "${_vcp qt_configure_add_summary_entry(ARGS "libudev") qt_configure_add_summary_entry(ARGS "openssl") qt_configure_add_summary_entry(ARGS "openssl-linked") +qt_configure_add_summary_entry(ARGS "opensslv11") qt_configure_add_summary_entry(ARGS "opensslv30") qt_configure_add_summary_entry(ARGS "system-zlib") qt_configure_add_summary_entry(ARGS "zstd") diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp index a06d2ff65b..75c192bd01 100644 --- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp +++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp 
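Review bot: The new feature is labelled `LABEL "OpenSSL 1.1"`, but the probe it depends on rejects anything below 0x10101000L (a 1.1.0 install fails with `OpenSSL >= 1.1.1 is required`), so the summary line added in the -1148 hunk will report "OpenSSL 1.1" for a floor that is really 1.1.1; `LABEL "OpenSSL 1.1.1"` would match the test. A short comment above `qt_feature("opensslv11" PUBLIC` noting that opensslv11 and opensslv30 appear to be mutually exclusive by construction (the 1.1 probe errors as soon as OPENSSL_VERSION_MAJOR is defined) would also help, since nothing in the feature definitions otherwise makes that visible.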
@@ -555,10 +555,17 @@ QT_WARNING_POP // tell OpenSSL the directories where to look up the root certs on demand const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); int success = 1; +#if OPENSSL_VERSION_MAJOR < 3 + for (const QByteArray &unixDir : unixDirs) { + if ((success = q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData())) != 1) + break; + } +#else for (const QByteArray &unixDir : unixDirs) { if ((success = q_SSL_CTX_load_verify_dir(sslContext->ctx, unixDir.constData())) != 1) break; } +#endif // OPENSSL_VERSION_MAJOR if (success != 1) { const auto qtErrors = QTlsBackendOpenSSL::getErrorsFromOpenSsl(); qCWarning(lcTlsBackend) << "An error encountered while to set root certificates location:" diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp index 13d3b0cee9..4aa9ca6fb1 100644 --- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp @@ -302,9 +302,14 @@ DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return) DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return) DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return) +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return) DEFINEFUNC(int, EVP_PKEY_get_bits, const EVP_PKEY *pkey, pkey, return -1, return) DEFINEFUNC(int, EVP_PKEY_get_base_id, const EVP_PKEY *pkey, pkey, return -1, return) +#else +DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return) +DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) +#endif // OPENSSL_VERSION_MAJOR >= 3 DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return) DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return) 
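Review bot: `#if OPENSSL_VERSION_MAJOR < 3` only selects the 1.1.1 path because an undefined macro evaluates to 0 in `#if` (the commit's own configure comment says OPENSSL_VERSION_MAJOR is not defined there), while the guards in the -302 hunk spell it out as `#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3`; the implicit form warns under -Wundef and reads as if the macro were always present. `#if !defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_MAJOR < 3` makes the same choice explicit here and in the other three places that use the short form (qsslsocket_openssl_symbols.cpp -375 and -1188, qsslsocket_openssl_symbols_p.h -546). The enclosing function starts and ends outside the hunk.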
@@ -375,7 +380,11 @@ DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return null DEFINEFUNC2(void *, X509_STORE_CTX_get_ex_data, X509_STORE_CTX *ctx, ctx, int idx, idx, return nullptr, return) DEFINEFUNC(int, SSL_get_ex_data_X509_STORE_CTX_idx, DUMMYARG, DUMMYARG, return -1, return) +#if OPENSSL_VERSION_MAJOR < 3 +DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) +#else DEFINEFUNC2(int, SSL_CTX_load_verify_dir, SSL_CTX *ctx, ctx, const char *CApath, CApath, return 0, return) +#endif // OPENSSL_VERSION_MAJOR DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return) DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return nullptr, return) @@ -637,7 +646,9 @@ static QStringList findAllLibCrypto() } # endif -#if OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available +#if (OPENSSL_VERSION_NUMBER >> 28) < 3 +#define QT_OPENSSL_VERSION "1_1" +#elif OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available #define QT_OPENSSL_VERSION "3" #endif // > 3 intentionally left undefined @@ -908,10 +919,17 @@ bool q_resolveOpenSslSymbols() return false; } +#if OPENSSL_VERSION_NUMBER >= 0x30000000 if (q_OpenSSL_version_num() < 0x30000000) { qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL >= 3.x, runtime version is < 3.x)"); return false; } +#else + if (q_OpenSSL_version_num() >= 0x30000000) { + qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL 1.x, runtime version is >= 3.x)"); + return false; + } +#endif // OPENSSL_VERSION_NUMBER RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint) 
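Review bot: The new `#else` branch in the -908 hunk only rejects a runtime library that is too new; built against 1.1.1 headers, an older 1.1.x libssl picked up at runtime (the `QT_OPENSSL_VERSION "1_1"` suffix from the -637 hunk presumably does not distinguish 1.1.0 from 1.1.1) passes this check and then lacks the 1.1.1-only symbols, which the DEFINEFUNC fallback returns appear to turn into silent no-ops. Mirroring the configure probe's floor here, `if (q_OpenSSL_version_num() >= 0x30000000 || q_OpenSSL_version_num() < 0x10101000L) {` with a message naming both bounds, surfaces the mismatch at resolve time instead of at handshake time. q_resolveOpenSslSymbols starts and ends outside the hunk.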
@@ -1054,9 +1072,14 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(SSL_get_error) RESOLVEFUNC(SSL_get_peer_cert_chain) +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 RESOLVEFUNC(SSL_get1_peer_certificate) RESOLVEFUNC(EVP_PKEY_get_bits) RESOLVEFUNC(EVP_PKEY_get_base_id) +#else + RESOLVEFUNC(SSL_get_peer_certificate) + RESOLVEFUNC(EVP_PKEY_base_id) +#endif // OPENSSL_VERSION_MAJOR >= 3 #ifndef OPENSSL_NO_DEPRECATED_3_0 RESOLVEFUNC(DH_new) @@ -1188,7 +1211,11 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(X509_verify_cert) RESOLVEFUNC(d2i_X509) RESOLVEFUNC(i2d_X509) +#if OPENSSL_VERSION_MAJOR < 3 + RESOLVEFUNC(SSL_CTX_load_verify_locations) +#else RESOLVEFUNC(SSL_CTX_load_verify_dir) +#endif // OPENSSL_VERSION_MAJOR RESOLVEFUNC(i2d_SSL_SESSION) RESOLVEFUNC(d2i_SSL_SESSION) diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h index 7d7ce57371..a93c110b3f 100644 --- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h @@ -185,7 +185,11 @@ QT_BEGIN_NAMESPACE // **************** Static declarations ****************** #endif // !defined QT_LINKED_OPENSSL +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 typedef uint64_t qssloptions; +#else +typedef unsigned long qssloptions; +#endif // TODO: the following lines previously were a part of 1.1 - specific header. // To reduce the amount of the change, I'm directly copying and pasting the // content of the header here. Later, can be better sorted/split into groups, 
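Review bot: In the -185 hunk of qsslsocket_openssl_symbols_p.h the `#else` typedef `unsigned long qssloptions` carries no explanation, and a narrower type next to the `uint64_t` one is exactly what a later reader will "fix" back. A one-line comment such as `// SSL_CTX_set_options()/SSL_set_options() take unsigned long before OpenSSL 3.0 and uint64_t from 3.0 on` pins the reason; the header section it sits in continues outside the hunk.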
@@ -546,7 +550,11 @@ void q_GENERAL_NAME_free(GENERAL_NAME *a); q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf() +#if OPENSSL_VERSION_MAJOR < 3 +int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); +#else int q_SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath); +#endif // OPENSSL_VERSION_MAJOR int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); @@ -668,11 +676,17 @@ const char *q_SSL_alert_desc_string_long(int value); int q_SSL_CTX_get_security_level(const SSL_CTX *ctx); void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level); +// Here we have the ones that make difference between OpenSSL pre/post v3: +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 X509 *q_SSL_get1_peer_certificate(SSL *a); #define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate int q_EVP_PKEY_get_bits(const EVP_PKEY *pkey); int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey); #define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id +#else +X509 *q_SSL_get_peer_certificate(SSL *a); +int q_EVP_PKEY_base_id(EVP_PKEY *a); +#endif // OPENSSL_VERSION_MAJOR >= 3 #ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/src/plugins/tls/openssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp index ed5211150d..57d09a649b 100644 --- a/src/plugins/tls/openssl/qtls_openssl.cpp +++ b/src/plugins/tls/openssl/qtls_openssl.cpp 
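Review bot: In the -668 hunk the pre-3 branch declares replacements for SSL_get1_peer_certificate and EVP_PKEY_get_base_id but nothing for EVP_PKEY_get_bits, and the matching -302/-1054 hunks in qsslsocket_openssl_symbols.cpp define and resolve no EVP_PKEY_bits either; unless a q_EVP_PKEY_bits declaration survives elsewhere in this header, a caller of q_EVP_PKEY_get_bits cannot compile on the 1.1.1 path, and if there is no such caller the asymmetry deserves a comment. If it is needed, `int q_EVP_PKEY_bits(const EVP_PKEY *pkey);` plus `#define q_EVP_PKEY_get_bits q_EVP_PKEY_bits` would mirror the `q_EVP_PKEY_base_id` alias used on the 3.x side. The added comment `// Here we have the ones that make difference between OpenSSL pre/post v3:` reads more cleanly as `// Symbols whose names differ between OpenSSL 1.1 and 3.x:`.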
@@ -1438,11 +1438,14 @@ bool TlsCryptographOpenSSL::initSslContext() else if (mode == QSslSocket::SslServerMode) q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback); +#if OPENSSL_VERSION_NUMBER >= 0x10101006L // Set the client callback for TLSv1.3 PSK if (mode == QSslSocket::SslClientMode && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) { q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback); } +#endif // openssl version >= 0x10101006L + #endif // OPENSSL_NO_PSK #if QT_CONFIG(ocsp) |
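Review bot: Inside the new `#if OPENSSL_VERSION_NUMBER >= 0x10101006L` guard the existing `QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L` test is, as far as I can tell, always true (it reports the build-time version the guard has already checked), so it is now dead; if the intent was to protect against an older library loaded at runtime, it should compare the runtime version, `QSslSocket::sslLibraryVersionNumber() >= 0x10101006L`, otherwise it can go. The closing comment could say what is guarded rather than repeat the number: `#endif // TLSv1.3 PSK session callback (OpenSSL >= 1.1.1f)`. initSslContext starts and ends outside the hunk.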