diff options
Diffstat (limited to 'src/network/ssl/qssldiffiehellmanparameters_openssl.cpp')
-rw-r--r-- | src/network/ssl/qssldiffiehellmanparameters_openssl.cpp | 224 |
1 files changed, 0 insertions, 224 deletions
diff --git a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp deleted file mode 100644 index aaf8741130..0000000000 --- a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp +++ /dev/null @@ -1,224 +0,0 @@ -/**************************************************************************** -** -** Copyright (C) 2015 Mikkel Krautz <mikkel@krautz.dk> -** Copyright (C) 2016 Richard J. Moore <rich@kde.org> -** Contact: https://www.qt.io/licensing/ -** -** This file is part of the QtNetwork module of the Qt Toolkit. -** -** $QT_BEGIN_LICENSE:LGPL$ -** Commercial License Usage -** Licensees holding valid commercial Qt licenses may use this file in -** accordance with the commercial license agreement provided with the -** Software or, alternatively, in accordance with the terms contained in -** a written agreement between you and The Qt Company. For licensing terms -** and conditions see https://www.qt.io/terms-conditions. For further -** information use the contact form at https://www.qt.io/contact-us. -** -** GNU Lesser General Public License Usage -** Alternatively, this file may be used under the terms of the GNU Lesser -** General Public License version 3 as published by the Free Software -** Foundation and appearing in the file LICENSE.LGPL3 included in the -** packaging of this file. Please review the following information to -** ensure the GNU Lesser General Public License version 3 requirements -** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. -** -** GNU General Public License Usage -** Alternatively, this file may be used under the terms of the GNU -** General Public License version 2.0 or (at your option) the GNU General -** Public license version 3 or any later version approved by the KDE Free -** Qt Foundation. The licenses are as published by the Free Software -** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 -** included in the packaging of this file. Please review the following -** information to ensure the GNU General Public License requirements will -** be met: https://www.gnu.org/licenses/gpl-2.0.html and -** https://www.gnu.org/licenses/gpl-3.0.html. -** -** $QT_END_LICENSE$ -** -****************************************************************************/ - -#include "qssldiffiehellmanparameters.h" -#include "qssldiffiehellmanparameters_p.h" -#include "qsslsocket_openssl_symbols_p.h" -#include "qsslsocket.h" -#include "qsslsocket_p.h" - -#include "private/qssl_p.h" - -#include <QtCore/qatomic.h> -#include <QtCore/qbytearray.h> -#include <QtCore/qiodevice.h> -#include <QtCore/qscopeguard.h> -#ifndef QT_NO_DEBUG_STREAM -#include <QtCore/qdebug.h> -#endif - -#include <openssl/bn.h> -#include <openssl/dh.h> - -QT_BEGIN_NAMESPACE - -#ifdef OPENSSL_NO_DEPRECATED_3_0 - -static int q_DH_check(DH *dh, int *status) -{ - // DH_check was first deprecated in OpenSSL 3.0.0, as low-level - // API; the EVP_PKEY family of functions was advised as an alternative. - // As of now EVP_PKEY_params_check ends up calling ... DH_check, - // which is good enough. - - Q_ASSERT(dh); - Q_ASSERT(status); - - EVP_PKEY *key = q_EVP_PKEY_new(); - if (!key) { - qCWarning(lcSsl, "EVP_PKEY_new failed"); - QSslSocketBackendPrivate::logAndClearErrorQueue(); - return 0; - } - const auto keyDeleter = qScopeGuard([key](){ - q_EVP_PKEY_free(key); - }); - if (!q_EVP_PKEY_set1_DH(key, dh)) { - qCWarning(lcSsl, "EVP_PKEY_set1_DH failed"); - QSslSocketBackendPrivate::logAndClearErrorQueue(); - return 0; - } - - EVP_PKEY_CTX *keyCtx = q_EVP_PKEY_CTX_new(key, nullptr); - if (!keyCtx) { - qCWarning(lcSsl, "EVP_PKEY_CTX_new failed"); - QSslSocketBackendPrivate::logAndClearErrorQueue(); - return 0; - } - const auto ctxDeleter = qScopeGuard([keyCtx]{ - q_EVP_PKEY_CTX_free(keyCtx); - }); - - const int result = q_EVP_PKEY_param_check(keyCtx); - QSslSocketBackendPrivate::logAndClearErrorQueue(); - // Note: unlike DH_check, we cannot obtain the 'status', - // if the 'result' is 0 (actually the result is 1 only - // if this 'status' was 0). We could probably check the - // errors from the error queue, but it's not needed anyway - // - see the 'isSafeDH' below, how it returns immediately - // on 0. - Q_UNUSED(status) - - return result; -} -#endif // OPENSSL_NO_DEPRECATED_3_0 - -static bool isSafeDH(DH *dh) -{ - int status = 0; - int bad = 0; - - QSslSocketPrivate::ensureInitialized(); - - - // From https://wiki.openssl.org/index.php/Diffie-Hellman_parameters: - // - // The additional call to BN_mod_word(dh->p, 24) - // (and unmasking of DH_NOT_SUITABLE_GENERATOR) - // is performed to ensure your program accepts - // IETF group parameters. OpenSSL checks the prime - // is congruent to 11 when g = 2; while the IETF's - // primes are congruent to 23 when g = 2. - // Without the test, the IETF parameters would - // fail validation. For details, see Diffie-Hellman - // Parameter Check (when g = 2, must p mod 24 == 11?). - // Mark p < 1024 bits as unsafe. - if (q_DH_bits(dh) < 1024) - return false; - - if (q_DH_check(dh, &status) != 1) - return false; - - const BIGNUM *p = nullptr; - const BIGNUM *q = nullptr; - const BIGNUM *g = nullptr; - q_DH_get0_pqg(dh, &p, &q, &g); - - if (q_BN_is_word(const_cast<BIGNUM *>(g), DH_GENERATOR_2)) { - const unsigned long residue = q_BN_mod_word(p, 24); - if (residue == 11 || residue == 23) - status &= ~DH_NOT_SUITABLE_GENERATOR; - } - - bad |= DH_CHECK_P_NOT_PRIME; - bad |= DH_CHECK_P_NOT_SAFE_PRIME; - bad |= DH_NOT_SUITABLE_GENERATOR; - - return !(status & bad); -} - -void QSslDiffieHellmanParametersPrivate::decodeDer(const QByteArray &der) -{ - if (der.isEmpty()) { - error = QSslDiffieHellmanParameters::InvalidInputDataError; - return; - } - - const unsigned char *data = reinterpret_cast<const unsigned char *>(der.data()); - int len = der.size(); - - QSslSocketPrivate::ensureInitialized(); - - DH *dh = q_d2i_DHparams(nullptr, &data, len); - if (dh) { - if (isSafeDH(dh)) - derData = der; - else - error = QSslDiffieHellmanParameters::UnsafeParametersError; - } else { - error = QSslDiffieHellmanParameters::InvalidInputDataError; - } - - q_DH_free(dh); -} - -void QSslDiffieHellmanParametersPrivate::decodePem(const QByteArray &pem) -{ - if (pem.isEmpty()) { - error = QSslDiffieHellmanParameters::InvalidInputDataError; - return; - } - - if (!QSslSocket::supportsSsl()) { - error = QSslDiffieHellmanParameters::InvalidInputDataError; - return; - } - - QSslSocketPrivate::ensureInitialized(); - - BIO *bio = q_BIO_new_mem_buf(const_cast<char *>(pem.data()), pem.size()); - if (!bio) { - error = QSslDiffieHellmanParameters::InvalidInputDataError; - return; - } - - DH *dh = nullptr; - q_PEM_read_bio_DHparams(bio, &dh, nullptr, nullptr); - - if (dh) { - if (isSafeDH(dh)) { - char *buf = nullptr; - int len = q_i2d_DHparams(dh, reinterpret_cast<unsigned char **>(&buf)); - if (len > 0) - derData = QByteArray(buf, len); - else - error = QSslDiffieHellmanParameters::InvalidInputDataError; - } else { - error = QSslDiffieHellmanParameters::UnsafeParametersError; - } - } else { - error = QSslDiffieHellmanParameters::InvalidInputDataError; - } - - q_DH_free(dh); - q_BIO_free(bio); -} - -QT_END_NAMESPACE |