From 860f95946bc6965317ad226ff83ee00ef13b7812 Mon Sep 17 00:00:00 2001 From: Brendan Long Date: Thu, 16 Aug 2012 17:14:04 -0600 Subject: Add support for explicit TLS 1.1 and 1.2 Add SslProtocol enums TlsV1_1 and TlsV1_2 and use the appropriate OpenSSL methods when they're selected (TLSv1_1_client_method, TLSv1_2_client_method, TLSv1_1_server_method and TLSv1_2_server_method). This allows us to explicitly use TLS 1.1 or 1.2. Task-number: QTBUG-26866 Change-Id: I159da548546fa746c20e9e96bc0e5b785e4e761b Reviewed-by: Richard J. Moore Reviewed-by: Shane Kearns --- src/network/ssl/qssl.cpp | 2 ++ src/network/ssl/qssl.h | 2 ++ src/network/ssl/qsslsocket_openssl.cpp | 20 ++++++++++++++++++++ src/network/ssl/qsslsocket_openssl_symbols.cpp | 16 ++++++++++++++++ src/network/ssl/qsslsocket_openssl_symbols_p.h | 8 ++++++++ 5 files changed, 48 insertions(+) (limited to 'src/network/ssl') diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp index 932b7c9f99..c6f708b8f4 100644 --- a/src/network/ssl/qssl.cpp +++ b/src/network/ssl/qssl.cpp @@ -118,6 +118,8 @@ QT_BEGIN_NAMESPACE \value SslV2 SSLv2 \value TlsV1_0 TLSv1.0 \value TlsV1 Obsolete, means the same as TlsV1_0 + \value TlsV1_1 TLSv1.1 + \value TlsV1_2 TLSv1.2 \value UnknownProtocol The cipher's protocol cannot be determined. \value AnyProtocol The socket understands SSLv2, SSLv3, and TLSv1.0. This value is used by QSslSocket only. diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h index 7387b0214c..ab43fe0a36 100644 --- a/src/network/ssl/qssl.h +++ b/src/network/ssl/qssl.h @@ -84,6 +84,8 @@ namespace QSsl { #if QT_DEPRECATED_SINCE(5,0) TlsV1 = TlsV1_0, #endif + TlsV1_1, + TlsV1_2, AnyProtocol, TlsV1SslV3, SecureProtocols, diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp index a23e3fa377..250ff0fe38 100644 --- a/src/network/ssl/qsslsocket_openssl.cpp +++ b/src/network/ssl/qsslsocket_openssl.cpp 
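Review bot: Inserting `TlsV1_1,` and `TlsV1_2,` ahead of `AnyProtocol` in the qssl.h hunk renumbers AnyProtocol, TlsV1SslV3 and SecureProtocols; if SslProtocol values are already part of a released ABI or get serialised anywhere, the new enumerators should be appended after the existing ones instead, otherwise a one-line comment on the enum saying that values are not yet frozen would settle the question for the next reader. The qssl.cpp hunk also leaves the `\value AnyProtocol` text at "SSLv2, SSLv3, and TLSv1.0"; if AnyProtocol still maps to the SSLv23 methods it will negotiate TLS 1.1/1.2 on OpenSSL 1.0.1 as well, so that line (and the SecureProtocols description, if it lists versions) should be revised to match — confirm against the protocol dispatch in qsslsocket_openssl.cpp, which is outside these hunks.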
@@ -197,6 +197,10 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *ciph
             ciph.d->protocol = QSsl::SslV2;
         else if (protoString == QLatin1String("TLSv1"))
             ciph.d->protocol = QSsl::TlsV1_0;
+        else if (protoString == QLatin1String("TLSv1.1"))
+            ciph.d->protocol = QSsl::TlsV1_1;
+        else if (protoString == QLatin1String("TLSv1.2"))
+            ciph.d->protocol = QSsl::TlsV1_2;
 
         if (descriptionList.at(2).startsWith(QLatin1String("Kx=")))
             ciph.d->keyExchangeMethod = descriptionList.at(2).mid(3);
@@ -318,6 +322,20 @@ init_context:
     case QSsl::TlsV1_0:
         ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method());
         break;
+    case QSsl::TlsV1_1:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+        ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method());
+#else
+        ctx = 0; // TLS 1.1 not supported by the system, but chosen deliberately -> error
+#endif
+        break;
+    case QSsl::TlsV1_2:
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+        ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method());
+#else
+        ctx = 0; // TLS 1.2 not supported by the system, but chosen deliberately -> error
+#endif
+        break;
     }
     if (!ctx) {
         // After stopping Flash 10 the SSL library looses its ciphers. Try re-adding them
@@ -473,6 +491,8 @@ init_context:
 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
     if ((configuration.protocol == QSsl::TlsV1SslV3 ||
         configuration.protocol == QSsl::TlsV1_0 ||
+        configuration.protocol == QSsl::TlsV1_1 ||
+        configuration.protocol == QSsl::TlsV1_2 ||
         configuration.protocol == QSsl::SecureProtocols ||
         configuration.protocol == QSsl::AnyProtocol) &&
         client && q_SSLeay() >= 0x00090806fL) {
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index 152cac513c..2fe71002f6 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
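Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x10001000L` guard around the new TlsV1_1/TlsV1_2 cases in the init_context hunk is a build-time check, but the q_TLSv1_1_*/q_TLSv1_2_* wrappers are resolved at run time (RESOLVEFUNC hunk in qsslsocket_openssl_symbols.cpp), so a binary built against 1.0.1 headers but run against an older libssl gets the DEFINEFUNC stub's `return 0` and hands a null method to q_SSL_CTX_new(). That presumably lands in the same `if (!ctx)` path as the `ctx = 0` arms of the `#else` branches, which — judging by the visible "Try re-adding them" comment — first retries library initialisation and then reports a generic context-creation failure; a protocol the user chose deliberately but the installed library cannot provide deserves a distinct error, for example a check on the wrapper's return value before calling q_SSL_CTX_new() and `q->setErrorString(QSslSocket::tr("The requested TLS protocol version is not supported by the installed OpenSSL library"));` in place of the retry. At minimum the two `ctx = 0` comments should say that the resulting error message is the generic one, so the next maintainer does not expect a protocol-specific report. The enclosing function starts and ends outside the hunk.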
@@ -236,12 +236,20 @@ DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0
 DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return)
 DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return)
 DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return)
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return)
+DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return)
+#endif
 #ifndef OPENSSL_NO_SSL2
 DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return)
 #endif
 DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return)
 DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return)
 DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return)
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return)
+DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return)
+#endif
 #else
 DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return)
 DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return)
@@ -678,12 +686,20 @@ bool q_resolveOpenSslSymbols()
     RESOLVEFUNC(SSLv3_client_method)
     RESOLVEFUNC(SSLv23_client_method)
     RESOLVEFUNC(TLSv1_client_method)
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+    RESOLVEFUNC(TLSv1_1_client_method)
+    RESOLVEFUNC(TLSv1_2_client_method)
+#endif
 #ifndef OPENSSL_NO_SSL2
     RESOLVEFUNC(SSLv2_server_method)
 #endif
     RESOLVEFUNC(SSLv3_server_method)
     RESOLVEFUNC(SSLv23_server_method)
     RESOLVEFUNC(TLSv1_server_method)
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+    RESOLVEFUNC(TLSv1_1_server_method)
+    RESOLVEFUNC(TLSv1_2_server_method)
+#endif
     RESOLVEFUNC(X509_NAME_entry_count)
     RESOLVEFUNC(X509_NAME_get_entry)
     RESOLVEFUNC(X509_NAME_ENTRY_get_data)
diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h
index 447afe07a2..6e2ec423d3 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
@@ -338,19 +338,27 @@ const SSL_METHOD *q_SSLv2_client_method();
 const SSL_METHOD *q_SSLv3_client_method();
 const SSL_METHOD *q_SSLv23_client_method();
 const SSL_METHOD *q_TLSv1_client_method();
+const SSL_METHOD *q_TLSv1_1_client_method();
+const SSL_METHOD *q_TLSv1_2_client_method();
 const SSL_METHOD *q_SSLv2_server_method();
 const SSL_METHOD *q_SSLv3_server_method();
 const SSL_METHOD *q_SSLv23_server_method();
 const SSL_METHOD *q_TLSv1_server_method();
+const SSL_METHOD *q_TLSv1_1_server_method();
+const SSL_METHOD *q_TLSv1_2_server_method();
 #else
 SSL_METHOD *q_SSLv2_client_method();
 SSL_METHOD *q_SSLv3_client_method();
 SSL_METHOD *q_SSLv23_client_method();
 SSL_METHOD *q_TLSv1_client_method();
+SSL_METHOD *q_TLSv1_1_client_method();
+SSL_METHOD *q_TLSv1_2_client_method();
 SSL_METHOD *q_SSLv2_server_method();
 SSL_METHOD *q_SSLv3_server_method();
 SSL_METHOD *q_SSLv23_server_method();
 SSL_METHOD *q_TLSv1_server_method();
+SSL_METHOD *q_TLSv1_1_server_method();
+SSL_METHOD *q_TLSv1_2_server_method();
 #endif
 int q_SSL_write(SSL *a, const void *b, int c);
 int q_X509_cmp(X509 *a, X509 *b);
-- 
cgit v1.2.3
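Review bot: The new `q_TLSv1_1_*`/`q_TLSv1_2_*` declarations in the qsslsocket_openssl_symbols_p.h hunk are unconditional in both the const and the non-const `SSL_METHOD` branches, whereas their definitions in the qsslsocket_openssl_symbols.cpp hunk exist only under `#if OPENSSL_VERSION_NUMBER >= 0x10001000L` and not at all in that file's `#else` (non-const) branch. Builds against older headers therefore see declared-but-undefined functions; today that is harmless because every visible caller carries the same version guard, but any future unguarded use fails at link time instead of compile time. Wrapping the two pairs of const declarations in the same `#if OPENSSL_VERSION_NUMBER >= 0x10001000L` / `#endif` keeps header and definitions in step, and the four declarations added to the non-const branch can be dropped, since nothing defines them.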