Ticket #58218: patch-openssl11-support-qt597.3.diff
File patch-openssl11-support-qt597.3.diff, 189.2 KB (added by RJVB (René Bertin), 5 years ago) |
---|
-
qtbase/config.tests/openssl/openssl.cpp
From cfbe03a6e035ab3cce5f04962cddd06bd414dcea Mon Sep 17 00:00:00 2001 From: "Richard J. Moore" <rich@kde.org> Date: Thu, 23 Mar 2017 12:43:22 +0100 Subject: [PATCH] QSslSocket: OpenSSL 1.1 backend MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This patch-set implements a new QSslSocket backend based on OpenSSL 1.1. General. The code in this patch was organized to achieve these (somewhat contradicting) objectives: - keep the new code free of #if-ery, as far as possible; - make it easy to clean away dead code when we're eventually able to retire out-dated OpenSSL versions; - reduce the amount of code duplication. If changes in some file/component were insignificant (~5 one-liners per file), we still use pp-checks like: #if QT_CONFIG(opensslv11) ... #else ... #endif - the logic is simple and it's still easy to clean the code if we remove the legacy back-end. Where it saved #if-ery, we also introduced 'forward-compatible' macros implementing equivalents of 1.1 functions using older OpenSSL. In case some class contains a lot of version-specific ifdefs (particularly where nested #if-ery was complex) we choose to split code into: "pre11" h/cpp files, "shared" h/cpp files (they preserve their original names, e.g qsslsocket_openssl.cpp) and "11" h/cpp files. If in future we remove the legacy back-end, "pre11" should be removed; "shared" and "11" parts - merged. Configuration. We introduced a new feature 'opensslv11' which complements the pre-existing 'openssl' and 'openssl-linked' features. The 'opensslv11' feature is enabled by a simple test which either compiles successfully or ends in a compilation error, depending on a value of the OPENSSL_VERSION_NUMBER constant. If the feature was enabled, we also append an additional compilation flag -DOPENSSL_API_COMPAT=0x10100000L to make sure our new code does not contain deprecated structures, function calls, macro-invocations from OpenSSL < 1.1. Change-Id: I2064efbe9685def5d2bb2233a66f7581954fb74a Reviewed-by: André Klitzing <aklitzing@gmail.com> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Backported to Qt 5.9.7 by R.J.V. Bertin Also includes subsequent fixes from the Qt 5.10 branch: # 8a8788f4df5811346f36613f0c12bfdc6f343e14-QSslCertificatePrivate-make-use-of-QByteArray-toHex-.patch # 8566487286439e65f217c0e80733d40ea9b19ac8-QSslSocketBackendPrivate-transmit-improve-reading-fr.patch # 8853f2bad4c81bf7bc135da93da7a48d6936365d-QSslSocket-stabilize-triggering-for-write.patch # 6aa001570da383b60eb72344bf5edbb28725932f-Fix-OpenSSL-1.1-build.patch # be0a9a76885bee3eaee58734f8964e455c03be5d-Fix-loadOpenSslWin32.patch diff --git a/qtbase/config.tests/openssl/openssl.cpp b/qtbase/config.tests/openssl/openssl.cpp index bb4010437a9eb0c77edd65f836cb1f8847016681..fe168b05b5b802d49a78b7d0a3d1d640cbb19f56 100644
a b 39 39 40 40 #include <openssl/opensslv.h> 41 41 42 #if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10000000L || OPENSSL_VERSION_NUMBER-0 >= 0x10100000L43 # error "OpenSSL >= 1.0.0 , and < 1.1.0 is required"42 #if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10000000L 43 # error "OpenSSL >= 1.0.0" 44 44 #endif 45 45 46 46 #include <openssl/ssl.h> -
new file qtbase/config.tests/unix/openssl11/openssl.cpp
diff --git a/qtbase/config.tests/unix/openssl11/openssl.cpp b/qtbase/config.tests/unix/openssl11/openssl.cpp new file mode 100644 index 0000000000000000000000000000000000000000..c20cc59debf52697e39927bac6ab56fd5ecddd12
- + 1 /**************************************************************************** 2 ** 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Contact: https://www.qt.io/licensing/ 5 ** 6 ** This file is part of the config.tests of the Qt Toolkit. 7 ** 8 ** $QT_BEGIN_LICENSE:LGPL$ 9 ** Commercial License Usage 10 ** Licensees holding valid commercial Qt licenses may use this file in 11 ** accordance with the commercial license agreement provided with the 12 ** Software or, alternatively, in accordance with the terms contained in 13 ** a written agreement between you and The Qt Company. For licensing terms 14 ** and conditions see https://www.qt.io/terms-conditions. For further 15 ** information use the contact form at https://www.qt.io/contact-us. 16 ** 17 ** GNU Lesser General Public License Usage 18 ** Alternatively, this file may be used under the terms of the GNU Lesser 19 ** General Public License version 3 as published by the Free Software 20 ** Foundation and appearing in the file LICENSE.LGPL3 included in the 21 ** packaging of this file. Please review the following information to 22 ** ensure the GNU Lesser General Public License version 3 requirements 23 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. 24 ** 25 ** GNU General Public License Usage 26 ** Alternatively, this file may be used under the terms of the GNU 27 ** General Public License version 2.0 or (at your option) the GNU General 28 ** Public license version 3 or any later version approved by the KDE Free 29 ** Qt Foundation. The licenses are as published by the Free Software 30 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 31 ** included in the packaging of this file. Please review the following 32 ** information to ensure the GNU General Public License requirements will 33 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and 34 ** https://www.gnu.org/licenses/gpl-3.0.html. 35 ** 36 ** $QT_END_LICENSE$ 37 ** 38 ****************************************************************************/ 39 40 #include <openssl/opensslv.h> 41 42 #if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10100000L 43 # error "OpenSSL >= 1.1 is required" 44 #endif 45 46 int main() 47 { 48 } -
new file qtbase/config.tests/unix/openssl11/openssl.pro
diff --git a/qtbase/config.tests/unix/openssl11/openssl.pro b/qtbase/config.tests/unix/openssl11/openssl.pro new file mode 100644 index 0000000000000000000000000000000000000000..a023aee4aa98b5ab0ebb31082ce2893e63900327
- + 1 SOURCES = openssl.cpp 2 CONFIG -= x11 qt -
qtbase/src/network/configure.json
diff --git a/qtbase/src/network/configure.json b/qtbase/src/network/configure.json index 2cf90ed94b7234f00ae5275c15648698226b706f..43debe0895257bb85171f0642021ef4bc7b910cc 100644
a b 146 146 ] 147 147 }, 148 148 "use": "network" 149 }, 150 "openssl11": { 151 "label": "OpenSSL v. 1.1 support", 152 "type": "compile", 153 "test": "unix/openssl11", 154 "use": "network" 149 155 } 150 156 }, 151 157 … … 213 219 "condition": "config.winrt || features.securetransport || features.openssl", 214 220 "output": [ "publicFeature", "feature" ] 215 221 }, 222 "opensslv11": { 223 "label": "OpenSSL v. 1.1", 224 "condition": "tests.openssl11", 225 "output": ["publicFeature", "feature"] 226 }, 216 227 "sctp": { 217 228 "label": "SCTP", 218 229 "autoDetect": false, -
qtbase/src/network/ssl/qsslcertificate_openssl.cpp
diff --git a/qtbase/src/network/ssl/qsslcertificate_openssl.cpp b/qtbase/src/network/ssl/qsslcertificate_openssl.cpp index 28b7eda54ae3d7cd4bd6ee7dd0d2b3d8b106065b..71e514a0253060cad443233e293d0bfb400472b3 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 ** Copyright (C) 2016 The Qt Company Ltd. 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 4 5 ** Contact: https://www.qt.io/licensing/ 5 6 ** 6 7 ** This file is part of the QtNetwork module of the Qt Toolkit. … … bool QSslCertificate::operator==(const QSslCertificate &other) const 64 65 uint qHash(const QSslCertificate &key, uint seed) Q_DECL_NOTHROW 65 66 { 66 67 if (X509 * const x509 = key.d->x509) { 67 (void)q_X509_cmp(x509, x509); // populate x509->sha1_hash68 // (if someone knows a better way...)69 return qHashBits(x509->sha1_hash, SHA_DIGEST_LENGTH, seed);70 } else {71 return seed;68 const EVP_MD *sha1 = q_EVP_sha1(); 69 unsigned int len = 0; 70 unsigned char md[EVP_MAX_MD_SIZE]; 71 q_X509_digest(x509, sha1, md, &len); 72 return qHashBits(md, len, seed); 72 73 } 74 75 return seed; 73 76 } 74 77 75 78 bool QSslCertificate::isNull() const … … QByteArray QSslCertificate::version() const 89 92 { 90 93 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); 91 94 if (d->versionString.isEmpty() && d->x509) 92 d->versionString = 93 QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); 95 d->versionString = QByteArray::number(qlonglong(q_X509_get_version(d->x509)) + 1); 94 96 95 97 return d->versionString; 96 98 } … … QByteArray QSslCertificate::serialNumber() const 99 101 { 100 102 QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); 101 103 if (d->serialNumberString.isEmpty() && d->x509) { 102 ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber;104 ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509); 103 105 QByteArray hexString; 104 106 hexString.reserve(serialNumber->length * 3); 105 107 for (int a = 0; a < serialNumber->length; ++a) { … … QMultiMap<QSsl::AlternativeNameEntryType, QString> QSslCertificate::subjectAlter 199 201 continue; 200 202 } 201 203 202 const char *altNameStr = reinterpret_cast<const char *>(q_ASN1_STRING_ data(genName->d.ia5));204 const char *altNameStr = reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(genName->d.ia5)); 203 205 const QString altName = QString::fromLatin1(altNameStr, len); 204 206 if (genName->type == GEN_DNS) 205 207 result.insert(QSsl::DnsEntry, altName); 206 208 else if (genName->type == GEN_EMAIL) 207 209 result.insert(QSsl::EmailEntry, altName); 208 210 } 209 q_sk_pop_free((STACK*)altNames, reinterpret_cast<void(*)(void*)>(q_sk_free)); 211 212 q_OPENSSL_sk_pop_free((OPENSSL_STACK*)altNames, reinterpret_cast<void(*)(void*)>(q_OPENSSL_sk_free)); 210 213 } 211 214 212 215 return result; … … QSslKey QSslCertificate::publicKey() const 235 238 QSslKey key; 236 239 237 240 key.d->type = QSsl::PublicKey; 238 X509_PUBKEY *xkey = d->x509->cert_info->key; 239 EVP_PKEY *pkey = q_X509_ PUBKEY_get(xkey);241 242 EVP_PKEY *pkey = q_X509_get_pubkey(d->x509); 240 243 Q_ASSERT(pkey); 244 const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); 241 245 242 if ( q_EVP_PKEY_type(pkey->type)== EVP_PKEY_RSA) {246 if (keyType == EVP_PKEY_RSA) { 243 247 key.d->rsa = q_EVP_PKEY_get1_RSA(pkey); 244 248 key.d->algorithm = QSsl::Rsa; 245 249 key.d->isNull = false; 246 } else if ( q_EVP_PKEY_type(pkey->type)== EVP_PKEY_DSA) {250 } else if (keyType == EVP_PKEY_DSA) { 247 251 key.d->dsa = q_EVP_PKEY_get1_DSA(pkey); 248 252 key.d->algorithm = QSsl::Dsa; 249 253 key.d->isNull = false; 250 254 #ifndef OPENSSL_NO_EC 251 } else if ( q_EVP_PKEY_type(pkey->type)== EVP_PKEY_EC) {255 } else if (keyType == EVP_PKEY_EC) { 252 256 key.d->ec = q_EVP_PKEY_get1_EC_KEY(pkey); 253 257 key.d->algorithm = QSsl::Ec; 254 258 key.d->isNull = false; 255 259 #endif 256 } else if ( q_EVP_PKEY_type(pkey->type)== EVP_PKEY_DH) {260 } else if (keyType == EVP_PKEY_DH) { 257 261 // DH unsupported 258 262 } else { 259 263 // error? … … static QVariant x509UnknownExtensionToValue(X509_EXTENSION *ext) 275 279 X509V3_EXT_METHOD *meth = const_cast<X509V3_EXT_METHOD *>(q_X509V3_EXT_get(ext)); 276 280 if (!meth) { 277 281 ASN1_OCTET_STRING *value = q_X509_EXTENSION_get_data(ext); 278 QByteArray result( reinterpret_cast<const char *>(q_ASN1_STRING_ data(value)),282 QByteArray result( reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(value)), 279 283 q_ASN1_STRING_length(value)); 280 284 return result; 281 285 } … … static QVariant x509ExtensionToValue(X509_EXTENSION *ext) 371 375 continue; 372 376 } 373 377 374 const char *uriStr = reinterpret_cast<const char *>(q_ASN1_STRING_ data(name->d.uniformResourceIdentifier));378 const char *uriStr = reinterpret_cast<const char *>(q_ASN1_STRING_get0_data(name->d.uniformResourceIdentifier)); 375 379 const QString uri = QString::fromUtf8(uriStr, len); 376 380 377 381 result[QString::fromUtf8(QSslCertificatePrivate::asn1ObjectName(ad->method))] = uri; … … static QVariant x509ExtensionToValue(X509_EXTENSION *ext) 380 384 } 381 385 } 382 386 383 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 384 q_sk_pop_free((_STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); 385 #else 386 q_sk_pop_free((STACK*)info, reinterpret_cast<void(*)(void*)>(q_sk_free)); 387 #endif 387 q_OPENSSL_sk_pop_free((OPENSSL_STACK*)info, reinterpret_cast<void(*)(void *)>(q_OPENSSL_sk_free)); 388 388 return result; 389 389 } 390 390 break; … … static QMap<QByteArray, QString> _q_mapFromX509Name(X509_NAME *name) 607 607 unsigned char *data = 0; 608 608 int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e)); 609 609 info.insertMulti(name, QString::fromUtf8((char*)data, size)); 610 #if QT_CONFIG(opensslv11) 611 q_CRYPTO_free(data, 0, 0); 612 #else 610 613 q_CRYPTO_free(data); 614 #endif 611 615 } 612 616 613 617 return info; … … QSslCertificate QSslCertificatePrivate::QSslCertificate_from_X509(X509 *x509) 619 623 if (!x509 || !QSslSocket::supportsSsl()) 620 624 return certificate; 621 625 622 ASN1_TIME *nbef = q_X509_get_notBefore(x509); 623 ASN1_TIME *naft = q_X509_get_notAfter(x509); 626 ASN1_TIME *nbef = q_X509_getm_notBefore(x509); 627 ASN1_TIME *naft = q_X509_getm_notAfter(x509); 628 624 629 certificate.d->notValidBefore = q_getTimeFromASN1(nbef); 625 630 certificate.d->notValidAfter = q_getTimeFromASN1(naft); 626 631 certificate.d->null = false; -
qtbase/src/network/ssl/qsslcertificate_qt.cpp
diff --git a/qtbase/src/network/ssl/qsslcertificate_qt.cpp b/qtbase/src/network/ssl/qsslcertificate_qt.cpp index 5e8f4cfac7efbbeba6698041b36bc8f083a484c4..1cc2b1f964dc123434699d0c1080ae035317d595 100644
a b QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr 272 272 273 273 static QByteArray colonSeparatedHex(const QByteArray &value) 274 274 { 275 QByteArray hexString; 276 hexString.reserve(value.size() * 3); 277 for (int a = 0; a < value.size(); ++a) { 278 const quint8 b = value.at(a); 279 if (b || !hexString.isEmpty()) { // skip leading zeros 280 hexString += QByteArray::number(b, 16).rightJustified(2, '0'); 281 hexString += ':'; 282 } 283 } 284 hexString.chop(1); 285 return hexString; 275 const int size = value.size(); 276 int i = 0; 277 while (i < size && !value.at(i)) // skip leading zeros 278 ++i; 279 280 return value.mid(i).toHex(':'); 286 281 } 287 282 288 283 bool QSslCertificatePrivate::parse(const QByteArray &data) -
qtbase/src/network/ssl/qsslcontext_openssl.cpp
diff --git a/qtbase/src/network/ssl/qsslcontext_openssl.cpp b/qtbase/src/network/ssl/qsslcontext_openssl.cpp index c92d8fc3f853a84c220f35af3bcc9814c6cb474d..cef503710c8c7860184a82e50c29f9c656cd2291 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 ** Copyright (C) 201 6The Qt Company Ltd.3 ** Copyright (C) 2017 The Qt Company Ltd. 4 4 ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. 5 5 ** Copyright (C) 2014 Governikus GmbH & Co. KG. 6 6 ** Contact: https://www.qt.io/licensing/ … … 41 41 42 42 43 43 #include <QtNetwork/qsslsocket.h> 44 #include <QtNetwork/qssldiffiehellmanparameters.h>45 #include <QtCore/qmutex.h>46 44 47 45 #include "private/qssl_p.h" 48 46 #include "private/qsslcontext_openssl_p.h" 49 #include "private/qsslsocket_p.h"50 47 #include "private/qsslsocket_openssl_p.h" 51 48 #include "private/qsslsocket_openssl_symbols_p.h" 52 #include "private/qssldiffiehellmanparameters_p.h"53 49 54 50 QT_BEGIN_NAMESPACE 55 51 56 // defined in qsslsocket_openssl.cpp:57 extern int q_X509Callback(int ok, X509_STORE_CTX *ctx);58 extern QString getErrorsFromOpenSsl();59 60 52 QSslContext::QSslContext() 61 53 : ctx(0), 62 54 pkey(0), … … QSslContext::~QSslContext() 78 70 q_SSL_SESSION_free(session); 79 71 } 80 72 81 static inline QString msgErrorSettingEllipticCurves(const QString &why)82 {83 return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why);84 }85 86 // static87 void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading)88 {89 sslContext->sslConfiguration = configuration;90 sslContext->errorCode = QSslError::NoError;91 92 bool client = (mode == QSslSocket::SslClientMode);93 94 bool reinitialized = false;95 bool unsupportedProtocol = false;96 init_context:97 switch (sslContext->sslConfiguration.protocol()) {98 case QSsl::SslV2:99 #ifndef OPENSSL_NO_SSL2100 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method());101 #else102 // SSL 2 not supported by the system, but chosen deliberately -> error103 sslContext->ctx = 0;104 unsupportedProtocol = true;105 #endif106 break;107 case QSsl::SslV3:108 #ifndef OPENSSL_NO_SSL3_METHOD109 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method());110 #else111 // SSL 3 not supported by the system, but chosen deliberately -> error112 sslContext->ctx = 0;113 unsupportedProtocol = true;114 #endif115 break;116 case QSsl::SecureProtocols:117 // SSLv2 and SSLv3 will be disabled by SSL options118 // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32.119 case QSsl::TlsV1SslV3:120 // SSLv2 will will be disabled by SSL options121 case QSsl::AnyProtocol:122 default:123 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());124 break;125 case QSsl::TlsV1_0:126 sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method());127 break;128 case QSsl::TlsV1_1:129 #if OPENSSL_VERSION_NUMBER >= 0x10001000L130 sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method());131 #else132 // TLS 1.1 not supported by the system, but chosen deliberately -> error133 sslContext->ctx = 0;134 unsupportedProtocol = true;135 #endif136 break;137 case QSsl::TlsV1_2:138 #if OPENSSL_VERSION_NUMBER >= 0x10001000L139 sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method());140 #else141 // TLS 1.2 not supported by the system, but chosen deliberately -> error142 sslContext->ctx = 0;143 unsupportedProtocol = true;144 #endif145 break;146 case QSsl::TlsV1_0OrLater:147 // Specific protocols will be specified via SSL options.148 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());149 break;150 case QSsl::TlsV1_1OrLater:151 case QSsl::TlsV1_2OrLater:152 #if OPENSSL_VERSION_NUMBER >= 0x10001000L153 // Specific protocols will be specified via SSL options.154 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());155 #else156 // TLS 1.1/1.2 not supported by the system, but chosen deliberately -> error157 sslContext->ctx = 0;158 unsupportedProtocol = true;159 #endif160 break;161 }162 163 if (!sslContext->ctx) {164 // After stopping Flash 10 the SSL library looses its ciphers. Try re-adding them165 // by re-initializing the library.166 if (!reinitialized) {167 reinitialized = true;168 if (q_SSL_library_init() == 1)169 goto init_context;170 }171 172 sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg(173 unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl()174 );175 sslContext->errorCode = QSslError::UnspecifiedError;176 return;177 }178 179 // Enable bug workarounds.180 long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions);181 q_SSL_CTX_set_options(sslContext->ctx, options);182 183 #if OPENSSL_VERSION_NUMBER >= 0x10000000L184 // Tell OpenSSL to release memory early185 // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html186 if (q_SSLeay() >= 0x10000000L)187 q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS);188 #endif189 190 // Initialize ciphers191 QByteArray cipherString;192 bool first = true;193 QList<QSslCipher> ciphers = sslContext->sslConfiguration.ciphers();194 if (ciphers.isEmpty())195 ciphers = QSslSocketPrivate::defaultCiphers();196 for (const QSslCipher &cipher : qAsConst(ciphers)) {197 if (first)198 first = false;199 else200 cipherString.append(':');201 cipherString.append(cipher.name().toLatin1());202 }203 204 if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) {205 sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());206 sslContext->errorCode = QSslError::UnspecifiedError;207 return;208 }209 210 const QDateTime now = QDateTime::currentDateTimeUtc();211 212 // Add all our CAs to this store.213 const auto caCertificates = sslContext->sslConfiguration.caCertificates();214 for (const QSslCertificate &caCertificate : caCertificates) {215 // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html:216 //217 // If several CA certificates matching the name, key identifier, and218 // serial number condition are available, only the first one will be219 // examined. This may lead to unexpected results if the same CA220 // certificate is available with different expiration dates. If a221 // ``certificate expired'' verification error occurs, no other222 // certificate will be searched. Make sure to not have expired223 // certificates mixed with valid ones.224 //225 // See also: QSslSocketBackendPrivate::verify()226 if (caCertificate.expiryDate() >= now) {227 q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle());228 }229 }230 231 if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) {232 // tell OpenSSL the directories where to look up the root certs on demand233 const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories();234 for (const QByteArray &unixDir : unixDirs)235 q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDir.constData());236 }237 238 if (!sslContext->sslConfiguration.localCertificate().isNull()) {239 // Require a private key as well.240 if (sslContext->sslConfiguration.privateKey().isNull()) {241 sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());242 sslContext->errorCode = QSslError::UnspecifiedError;243 return;244 }245 246 // Load certificate247 if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) {248 sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());249 sslContext->errorCode = QSslError::UnspecifiedError;250 return;251 }252 253 if (configuration.d->privateKey.algorithm() == QSsl::Opaque) {254 sslContext->pkey = reinterpret_cast<EVP_PKEY *>(configuration.d->privateKey.handle());255 } else {256 // Load private key257 sslContext->pkey = q_EVP_PKEY_new();258 // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free.259 // this lead to a memory leak. Now we use the *_set1_* functions which do not260 // take ownership of the RSA/DSA key instance because the QSslKey already has ownership.261 if (configuration.d->privateKey.algorithm() == QSsl::Rsa)262 q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast<RSA *>(configuration.d->privateKey.handle()));263 else if (configuration.d->privateKey.algorithm() == QSsl::Dsa)264 q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast<DSA *>(configuration.d->privateKey.handle()));265 #ifndef OPENSSL_NO_EC266 else if (configuration.d->privateKey.algorithm() == QSsl::Ec)267 q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast<EC_KEY *>(configuration.d->privateKey.handle()));268 #endif269 }270 271 if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) {272 sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());273 sslContext->errorCode = QSslError::UnspecifiedError;274 return;275 }276 if (configuration.d->privateKey.algorithm() == QSsl::Opaque)277 sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey278 279 // Check if the certificate matches the private key.280 if (!q_SSL_CTX_check_private_key(sslContext->ctx)) {281 sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl());282 sslContext->errorCode = QSslError::UnspecifiedError;283 return;284 }285 286 // If we have any intermediate certificates then we need to add them to our chain287 bool first = true;288 for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) {289 if (first) {290 first = false;291 continue;292 }293 q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0,294 q_X509_dup(reinterpret_cast<X509 *>(cert.handle())));295 }296 }297 298 // Initialize peer verification.299 if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) {300 q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0);301 } else {302 q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback);303 }304 305 // Set verification depth.306 if (sslContext->sslConfiguration.peerVerifyDepth() != 0)307 q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth());308 309 // set persisted session if the user set it310 if (!configuration.sessionTicket().isEmpty())311 sslContext->setSessionASN1(configuration.sessionTicket());312 313 // Set temp DH params314 QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters();315 316 if (!dhparams.isValid()) {317 sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid");318 sslContext->errorCode = QSslError::UnspecifiedError;319 return;320 }321 322 if (!dhparams.isEmpty()) {323 const QByteArray ¶ms = dhparams.d->derData;324 const char *ptr = params.constData();325 DH *dh = q_d2i_DHparams(NULL, reinterpret_cast<const unsigned char **>(&ptr), params.length());326 if (dh == NULL)327 qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form");328 q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh);329 q_DH_free(dh);330 }331 332 #ifndef OPENSSL_NO_EC333 #if OPENSSL_VERSION_NUMBER >= 0x10002000L334 if (q_SSLeay() >= 0x10002000L) {335 q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL);336 } else337 #endif338 {339 // Set temp ECDH params340 EC_KEY *ecdh = 0;341 ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);342 q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh);343 q_EC_KEY_free(ecdh);344 }345 #endif // OPENSSL_NO_EC346 347 #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK)348 if (!client)349 q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData());350 #endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK)351 352 const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves();353 if (!qcurves.isEmpty()) {354 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC)355 // Set the curves to be used356 if (q_SSLeay() >= 0x10002000L) {357 // SSL_CTX_ctrl wants a non-const pointer as last argument,358 // but let's avoid a copy into a temporary array359 if (!q_SSL_CTX_ctrl(sslContext->ctx,360 SSL_CTRL_SET_CURVES,361 qcurves.size(),362 const_cast<int *>(reinterpret_cast<const int *>(qcurves.data())))) {363 sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl());364 sslContext->errorCode = QSslError::UnspecifiedError;365 }366 } else367 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC)368 {369 // specific curves requested, but not possible to set -> error370 sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2"));371 sslContext->errorCode = QSslError::UnspecifiedError;372 }373 }374 }375 376 73 QSslContext* QSslContext::fromConfiguration(QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) 377 74 { 378 75 QSslContext *sslContext = new QSslContext(); … … SSL* QSslContext::createSsl() 463 160 m_npnContext.len = m_supportedNPNVersions.count(); 464 161 m_npnContext.status = QSslConfiguration::NextProtocolNegotiationNone; 465 162 #if OPENSSL_VERSION_NUMBER >= 0x10002000L 466 if ( q_SSLeay() >= 0x10002000L) {163 if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) { 467 164 // Callback's type has a parameter 'const unsigned char ** out' 468 165 // since it was introduced in 1.0.2. Internally, OpenSSL's own code 469 166 // (tests/examples) cast it to unsigned char * (since it's 'out'). … … bool QSslContext::cacheSession(SSL* ssl) 508 205 unsigned char *data = reinterpret_cast<unsigned char *>(m_sessionASN1.data()); 509 206 if (!q_i2d_SSL_SESSION(session, &data)) 510 207 qCWarning(lcSsl, "could not store persistent version of SSL session"); 511 m_sessionTicketLifeTimeHint = session->tlsext_tick_lifetime_hint;208 m_sessionTicketLifeTimeHint = q_SSL_SESSION_get_ticket_lifetime_hint(session); 512 209 } 513 210 } 514 211 -
new file qtbase/src/network/ssl/qsslcontext_openssl11.cpp
diff --git a/qtbase/src/network/ssl/qsslcontext_openssl11.cpp b/qtbase/src/network/ssl/qsslcontext_openssl11.cpp new file mode 100644 index 0000000000000000000000000000000000000000..787b6ae3f512ca905c5dd8edcb86a04e322b9e76
- + 1 /**************************************************************************** 2 ** 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. 5 ** Copyright (C) 2014 Governikus GmbH & Co. KG. 6 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 7 ** Contact: https://www.qt.io/licensing/ 8 ** 9 ** This file is part of the QtNetwork module of the Qt Toolkit. 10 ** 11 ** $QT_BEGIN_LICENSE:LGPL$ 12 ** Commercial License Usage 13 ** Licensees holding valid commercial Qt licenses may use this file in 14 ** accordance with the commercial license agreement provided with the 15 ** Software or, alternatively, in accordance with the terms contained in 16 ** a written agreement between you and The Qt Company. For licensing terms 17 ** and conditions see https://www.qt.io/terms-conditions. For further 18 ** information use the contact form at https://www.qt.io/contact-us. 19 ** 20 ** GNU Lesser General Public License Usage 21 ** Alternatively, this file may be used under the terms of the GNU Lesser 22 ** General Public License version 3 as published by the Free Software 23 ** Foundation and appearing in the file LICENSE.LGPL3 included in the 24 ** packaging of this file. Please review the following information to 25 ** ensure the GNU Lesser General Public License version 3 requirements 26 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. 27 ** 28 ** GNU General Public License Usage 29 ** Alternatively, this file may be used under the terms of the GNU 30 ** General Public License version 2.0 or (at your option) the GNU General 31 ** Public license version 3 or any later version approved by the KDE Free 32 ** Qt Foundation. The licenses are as published by the Free Software 33 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 34 ** included in the packaging of this file. Please review the following 35 ** information to ensure the GNU General Public License requirements will 36 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and 37 ** https://www.gnu.org/licenses/gpl-3.0.html. 38 ** 39 ** $QT_END_LICENSE$ 40 ** 41 ****************************************************************************/ 42 43 44 #include <QtNetwork/qsslsocket.h> 45 #include <QtNetwork/qssldiffiehellmanparameters.h> 46 47 #include "private/qssl_p.h" 48 #include "private/qsslcontext_openssl_p.h" 49 #include "private/qsslsocket_p.h" 50 #include "private/qsslsocket_openssl_p.h" 51 #include "private/qsslsocket_openssl_symbols_p.h" 52 #include "private/qssldiffiehellmanparameters_p.h" 53 54 #include <vector> 55 56 QT_BEGIN_NAMESPACE 57 58 // defined in qsslsocket_openssl.cpp: 59 extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); 60 extern QString getErrorsFromOpenSsl(); 61 62 static inline QString msgErrorSettingEllipticCurves(const QString &why) 63 { 64 return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); 65 } 66 67 // static 68 void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) 69 { 70 sslContext->sslConfiguration = configuration; 71 sslContext->errorCode = QSslError::NoError; 72 73 bool client = (mode == QSslSocket::SslClientMode); 74 75 bool reinitialized = false; 76 bool unsupportedProtocol = false; 77 init_context: 78 if (sslContext->sslConfiguration.protocol() == QSsl::SslV2) { 79 // SSL 2 is no longer supported, but chosen deliberately -> error 80 sslContext->ctx = nullptr; 81 unsupportedProtocol = true; 82 } else { 83 // The ssl options will actually control the supported methods 84 sslContext->ctx = q_SSL_CTX_new(client ? q_TLS_client_method() : q_TLS_server_method()); 85 } 86 87 if (!sslContext->ctx) { 88 // After stopping Flash 10 the SSL library loses its ciphers. Try re-adding them 89 // by re-initializing the library. 90 if (!reinitialized) { 91 reinitialized = true; 92 if (q_OPENSSL_init_ssl(0, nullptr) == 1) 93 goto init_context; 94 } 95 96 sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( 97 unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() 98 ); 99 sslContext->errorCode = QSslError::UnspecifiedError; 100 return; 101 } 102 103 // Enable bug workarounds. 104 long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); 105 q_SSL_CTX_set_options(sslContext->ctx, options); 106 107 // Tell OpenSSL to release memory early 108 // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html 109 q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); 110 111 // Initialize ciphers 112 QByteArray cipherString; 113 bool first = true; 114 QList<QSslCipher> ciphers = sslContext->sslConfiguration.ciphers(); 115 if (ciphers.isEmpty()) 116 ciphers = QSslSocketPrivate::defaultCiphers(); 117 for (const QSslCipher &cipher : qAsConst(ciphers)) { 118 if (first) 119 first = false; 120 else 121 cipherString.append(':'); 122 cipherString.append(cipher.name().toLatin1()); 123 } 124 125 if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { 126 sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 127 sslContext->errorCode = QSslError::UnspecifiedError; 128 return; 129 } 130 131 const QDateTime now = QDateTime::currentDateTimeUtc(); 132 133 // Add all our CAs to this store. 134 const auto caCertificates = sslContext->sslConfiguration.caCertificates(); 135 for (const QSslCertificate &caCertificate : caCertificates) { 136 // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: 137 // 138 // If several CA certificates matching the name, key identifier, and 139 // serial number condition are available, only the first one will be 140 // examined. This may lead to unexpected results if the same CA 141 // certificate is available with different expiration dates. If a 142 // ``certificate expired'' verification error occurs, no other 143 // certificate will be searched. Make sure to not have expired 144 // certificates mixed with valid ones. 145 // 146 // See also: QSslSocketBackendPrivate::verify() 147 if (caCertificate.expiryDate() >= now) { 148 q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); 149 } 150 } 151 152 if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { 153 // tell OpenSSL the directories where to look up the root certs on demand 154 const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); 155 for (const QByteArray &unixDir : unixDirs) 156 q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData()); 157 } 158 159 if (!sslContext->sslConfiguration.localCertificate().isNull()) { 160 // Require a private key as well. 161 if (sslContext->sslConfiguration.privateKey().isNull()) { 162 sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 163 sslContext->errorCode = QSslError::UnspecifiedError; 164 return; 165 } 166 167 // Load certificate 168 if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { 169 sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 170 sslContext->errorCode = QSslError::UnspecifiedError; 171 return; 172 } 173 174 if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { 175 sslContext->pkey = reinterpret_cast<EVP_PKEY *>(configuration.d->privateKey.handle()); 176 } else { 177 // Load private key 178 sslContext->pkey = q_EVP_PKEY_new(); 179 // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. 180 // this lead to a memory leak. Now we use the *_set1_* functions which do not 181 // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. 182 if (configuration.d->privateKey.algorithm() == QSsl::Rsa) 183 q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast<RSA *>(configuration.d->privateKey.handle())); 184 else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) 185 q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast<DSA *>(configuration.d->privateKey.handle())); 186 #ifndef OPENSSL_NO_EC 187 else if (configuration.d->privateKey.algorithm() == QSsl::Ec) 188 q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast<EC_KEY *>(configuration.d->privateKey.handle())); 189 #endif 190 } 191 192 if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { 193 sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 194 sslContext->errorCode = QSslError::UnspecifiedError; 195 return; 196 } 197 if (configuration.d->privateKey.algorithm() == QSsl::Opaque) 198 sslContext->pkey = nullptr; // Don't free the private key, it belongs to QSslKey 199 200 // Check if the certificate matches the private key. 201 if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { 202 sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 203 sslContext->errorCode = QSslError::UnspecifiedError; 204 return; 205 } 206 207 // If we have any intermediate certificates then we need to add them to our chain 208 bool first = true; 209 for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { 210 if (first) { 211 first = false; 212 continue; 213 } 214 q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, 215 q_X509_dup(reinterpret_cast<X509 *>(cert.handle()))); 216 } 217 } 218 219 // Initialize peer verification. 220 if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { 221 q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, nullptr); 222 } else { 223 q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); 224 } 225 226 // Set verification depth. 227 if (sslContext->sslConfiguration.peerVerifyDepth() != 0) 228 q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); 229 230 // set persisted session if the user set it 231 if (!configuration.sessionTicket().isEmpty()) 232 sslContext->setSessionASN1(configuration.sessionTicket()); 233 234 // Set temp DH params 235 QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); 236 237 if (!dhparams.isValid()) { 238 sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); 239 sslContext->errorCode = QSslError::UnspecifiedError; 240 return; 241 } 242 243 if (!dhparams.isEmpty()) { 244 const QByteArray ¶ms = dhparams.d->derData; 245 const char *ptr = params.constData(); 246 DH *dh = q_d2i_DHparams(NULL, reinterpret_cast<const unsigned char **>(&ptr), params.length()); 247 if (dh == NULL) 248 qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); 249 q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); 250 q_DH_free(dh); 251 } 252 253 #ifndef OPENSSL_NO_PSK 254 if (!client) 255 q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); 256 #endif // !OPENSSL_NO_PSK 257 258 const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves(); 259 if (!qcurves.isEmpty()) { 260 #ifdef OPENSSL_NO_EC 261 sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version with disabled elliptic curves")); 262 sslContext->errorCode = QSslError::UnspecifiedError; 263 #else 264 // Set the curves to be used. 265 std::vector<int> curves; 266 curves.reserve(qcurves.size()); 267 for (const auto &sslCurve : qcurves) 268 curves.push_back(sslCurve.id); 269 if (!q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_CURVES, long(curves.size()), &curves[0])) { 270 sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 271 sslContext->errorCode = QSslError::UnspecifiedError; 272 } 273 #endif 274 } 275 } 276 277 QT_END_NAMESPACE -
new file qtbase/src/network/ssl/qsslcontext_opensslpre11.cpp
diff --git a/qtbase/src/network/ssl/qsslcontext_opensslpre11.cpp b/qtbase/src/network/ssl/qsslcontext_opensslpre11.cpp new file mode 100644 index 0000000000000000000000000000000000000000..9c01c2f2dccf9aa23258009eeee5072657aa9b3e
- + 1 /**************************************************************************** 2 ** 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. 5 ** Copyright (C) 2014 Governikus GmbH & Co. KG. 6 ** Contact: https://www.qt.io/licensing/ 7 ** 8 ** This file is part of the QtNetwork module of the Qt Toolkit. 9 ** 10 ** $QT_BEGIN_LICENSE:LGPL$ 11 ** Commercial License Usage 12 ** Licensees holding valid commercial Qt licenses may use this file in 13 ** accordance with the commercial license agreement provided with the 14 ** Software or, alternatively, in accordance with the terms contained in 15 ** a written agreement between you and The Qt Company. For licensing terms 16 ** and conditions see https://www.qt.io/terms-conditions. For further 17 ** information use the contact form at https://www.qt.io/contact-us. 18 ** 19 ** GNU Lesser General Public License Usage 20 ** Alternatively, this file may be used under the terms of the GNU Lesser 21 ** General Public License version 3 as published by the Free Software 22 ** Foundation and appearing in the file LICENSE.LGPL3 included in the 23 ** packaging of this file. Please review the following information to 24 ** ensure the GNU Lesser General Public License version 3 requirements 25 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. 26 ** 27 ** GNU General Public License Usage 28 ** Alternatively, this file may be used under the terms of the GNU 29 ** General Public License version 2.0 or (at your option) the GNU General 30 ** Public license version 3 or any later version approved by the KDE Free 31 ** Qt Foundation. The licenses are as published by the Free Software 32 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 33 ** included in the packaging of this file. Please review the following 34 ** information to ensure the GNU General Public License requirements will 35 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and 36 ** https://www.gnu.org/licenses/gpl-3.0.html. 37 ** 38 ** $QT_END_LICENSE$ 39 ** 40 ****************************************************************************/ 41 42 43 #include <QtNetwork/qsslsocket.h> 44 #include <QtNetwork/qssldiffiehellmanparameters.h> 45 46 #include "private/qssl_p.h" 47 #include "private/qsslcontext_openssl_p.h" 48 #include "private/qsslsocket_p.h" 49 #include "private/qsslsocket_openssl_p.h" 50 #include "private/qsslsocket_openssl_symbols_p.h" 51 #include "private/qssldiffiehellmanparameters_p.h" 52 53 QT_BEGIN_NAMESPACE 54 55 // defined in qsslsocket_openssl.cpp: 56 extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); 57 extern QString getErrorsFromOpenSsl(); 58 59 static inline QString msgErrorSettingEllipticCurves(const QString &why) 60 { 61 return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); 62 } 63 64 // static 65 void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) 66 { 67 sslContext->sslConfiguration = configuration; 68 sslContext->errorCode = QSslError::NoError; 69 70 bool client = (mode == QSslSocket::SslClientMode); 71 72 bool reinitialized = false; 73 bool unsupportedProtocol = false; 74 init_context: 75 switch (sslContext->sslConfiguration.protocol()) { 76 case QSsl::SslV2: 77 #ifndef OPENSSL_NO_SSL2 78 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method()); 79 #else 80 // SSL 2 not supported by the system, but chosen deliberately -> error 81 sslContext->ctx = 0; 82 unsupportedProtocol = true; 83 #endif 84 break; 85 case QSsl::SslV3: 86 #ifndef OPENSSL_NO_SSL3_METHOD 87 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method()); 88 #else 89 // SSL 3 not supported by the system, but chosen deliberately -> error 90 sslContext->ctx = 0; 91 unsupportedProtocol = true; 92 #endif 93 break; 94 case QSsl::SecureProtocols: 95 // SSLv2 and SSLv3 will be disabled by SSL options 96 // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32. 97 case QSsl::TlsV1SslV3: 98 // SSLv2 will will be disabled by SSL options 99 case QSsl::AnyProtocol: 100 default: 101 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); 102 break; 103 case QSsl::TlsV1_0: 104 sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method()); 105 break; 106 case QSsl::TlsV1_1: 107 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 108 sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method()); 109 #else 110 // TLS 1.1 not supported by the system, but chosen deliberately -> error 111 sslContext->ctx = 0; 112 unsupportedProtocol = true; 113 #endif 114 break; 115 case QSsl::TlsV1_2: 116 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 117 sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method()); 118 #else 119 // TLS 1.2 not supported by the system, but chosen deliberately -> error 120 sslContext->ctx = 0; 121 unsupportedProtocol = true; 122 #endif 123 break; 124 case QSsl::TlsV1_0OrLater: 125 // Specific protocols will be specified via SSL options. 126 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); 127 break; 128 case QSsl::TlsV1_1OrLater: 129 case QSsl::TlsV1_2OrLater: 130 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 131 // Specific protocols will be specified via SSL options. 132 sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); 133 #else 134 // TLS 1.1/1.2 not supported by the system, but chosen deliberately -> error 135 sslContext->ctx = 0; 136 unsupportedProtocol = true; 137 #endif 138 break; 139 } 140 141 if (!sslContext->ctx) { 142 // After stopping Flash 10 the SSL library loses its ciphers. Try re-adding them 143 // by re-initializing the library. 144 if (!reinitialized) { 145 reinitialized = true; 146 if (q_SSL_library_init() == 1) 147 goto init_context; 148 } 149 150 sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( 151 unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() 152 ); 153 sslContext->errorCode = QSslError::UnspecifiedError; 154 return; 155 } 156 157 // Enable bug workarounds. 158 long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); 159 q_SSL_CTX_set_options(sslContext->ctx, options); 160 161 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 162 // Tell OpenSSL to release memory early 163 // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html 164 if (q_SSLeay() >= 0x10000000L) 165 q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); 166 #endif 167 168 // Initialize ciphers 169 QByteArray cipherString; 170 bool first = true; 171 QList<QSslCipher> ciphers = sslContext->sslConfiguration.ciphers(); 172 if (ciphers.isEmpty()) 173 ciphers = QSslSocketPrivate::defaultCiphers(); 174 for (const QSslCipher &cipher : qAsConst(ciphers)) { 175 if (first) 176 first = false; 177 else 178 cipherString.append(':'); 179 cipherString.append(cipher.name().toLatin1()); 180 } 181 182 if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { 183 sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 184 sslContext->errorCode = QSslError::UnspecifiedError; 185 return; 186 } 187 188 const QDateTime now = QDateTime::currentDateTimeUtc(); 189 190 // Add all our CAs to this store. 191 const auto caCertificates = sslContext->sslConfiguration.caCertificates(); 192 for (const QSslCertificate &caCertificate : caCertificates) { 193 // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: 194 // 195 // If several CA certificates matching the name, key identifier, and 196 // serial number condition are available, only the first one will be 197 // examined. This may lead to unexpected results if the same CA 198 // certificate is available with different expiration dates. If a 199 // ``certificate expired'' verification error occurs, no other 200 // certificate will be searched. Make sure to not have expired 201 // certificates mixed with valid ones. 202 // 203 // See also: QSslSocketBackendPrivate::verify() 204 if (caCertificate.expiryDate() >= now) { 205 q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); 206 } 207 } 208 209 if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { 210 // tell OpenSSL the directories where to look up the root certs on demand 211 const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories(); 212 for (const QByteArray &unixDir : unixDirs) 213 q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDir.constData()); 214 } 215 216 if (!sslContext->sslConfiguration.localCertificate().isNull()) { 217 // Require a private key as well. 218 if (sslContext->sslConfiguration.privateKey().isNull()) { 219 sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 220 sslContext->errorCode = QSslError::UnspecifiedError; 221 return; 222 } 223 224 // Load certificate 225 if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { 226 sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 227 sslContext->errorCode = QSslError::UnspecifiedError; 228 return; 229 } 230 231 if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { 232 sslContext->pkey = reinterpret_cast<EVP_PKEY *>(configuration.d->privateKey.handle()); 233 } else { 234 // Load private key 235 sslContext->pkey = q_EVP_PKEY_new(); 236 // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. 237 // this lead to a memory leak. Now we use the *_set1_* functions which do not 238 // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. 239 if (configuration.d->privateKey.algorithm() == QSsl::Rsa) 240 q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast<RSA *>(configuration.d->privateKey.handle())); 241 else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) 242 q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast<DSA *>(configuration.d->privateKey.handle())); 243 #ifndef OPENSSL_NO_EC 244 else if (configuration.d->privateKey.algorithm() == QSsl::Ec) 245 q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast<EC_KEY *>(configuration.d->privateKey.handle())); 246 #endif 247 } 248 249 if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { 250 sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 251 sslContext->errorCode = QSslError::UnspecifiedError; 252 return; 253 } 254 if (configuration.d->privateKey.algorithm() == QSsl::Opaque) 255 sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey 256 257 // Check if the certificate matches the private key. 258 if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { 259 sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 260 sslContext->errorCode = QSslError::UnspecifiedError; 261 return; 262 } 263 264 // If we have any intermediate certificates then we need to add them to our chain 265 bool first = true; 266 for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { 267 if (first) { 268 first = false; 269 continue; 270 } 271 q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, 272 q_X509_dup(reinterpret_cast<X509 *>(cert.handle()))); 273 } 274 } 275 276 // Initialize peer verification. 277 if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { 278 q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0); 279 } else { 280 q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); 281 } 282 283 // Set verification depth. 284 if (sslContext->sslConfiguration.peerVerifyDepth() != 0) 285 q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); 286 287 // set persisted session if the user set it 288 if (!configuration.sessionTicket().isEmpty()) 289 sslContext->setSessionASN1(configuration.sessionTicket()); 290 291 // Set temp DH params 292 QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); 293 294 if (!dhparams.isValid()) { 295 sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); 296 sslContext->errorCode = QSslError::UnspecifiedError; 297 return; 298 } 299 300 if (!dhparams.isEmpty()) { 301 const QByteArray ¶ms = dhparams.d->derData; 302 const char *ptr = params.constData(); 303 DH *dh = q_d2i_DHparams(NULL, reinterpret_cast<const unsigned char **>(&ptr), params.length()); 304 if (dh == NULL) 305 qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); 306 q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); 307 q_DH_free(dh); 308 } 309 310 #ifndef OPENSSL_NO_EC 311 #if OPENSSL_VERSION_NUMBER >= 0x10002000L 312 if (q_SSLeay() >= 0x10002000L) { 313 q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); 314 } else 315 #endif 316 { 317 // Set temp ECDH params 318 EC_KEY *ecdh = 0; 319 ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 320 q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); 321 q_EC_KEY_free(ecdh); 322 } 323 #endif // OPENSSL_NO_EC 324 325 #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) 326 if (!client) 327 q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); 328 #endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) 329 330 const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves(); 331 if (!qcurves.isEmpty()) { 332 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) 333 // Set the curves to be used 334 if (q_SSLeay() >= 0x10002000L) { 335 // SSL_CTX_ctrl wants a non-const pointer as last argument, 336 // but let's avoid a copy into a temporary array 337 if (!q_SSL_CTX_ctrl(sslContext->ctx, 338 SSL_CTRL_SET_CURVES, 339 qcurves.size(), 340 const_cast<int *>(reinterpret_cast<const int *>(qcurves.data())))) { 341 sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); 342 sslContext->errorCode = QSslError::UnspecifiedError; 343 } 344 } else 345 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) 346 { 347 // specific curves requested, but not possible to set -> error 348 sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2")); 349 sslContext->errorCode = QSslError::UnspecifiedError; 350 } 351 } 352 } 353 354 QT_END_NAMESPACE -
qtbase/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
diff --git a/qtbase/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp b/qtbase/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp index 90687b05c53ede8b4d8f72fc8fb5af6cf45642f7..5ebad822f1a4ecf5fe2b12b324066293840db8f7 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 3 ** Copyright (C) 2015 Mikkel Krautz <mikkel@krautz.dk> 4 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 4 5 ** Contact: https://www.qt.io/licensing/ 5 6 ** 6 7 ** This file is part of the QtNetwork module of the Qt Toolkit. … … 50 51 #include <QtCore/qdebug.h> 51 52 #endif 52 53 53 // For q_BN_is_word.54 54 #include <openssl/bn.h> 55 #include <openssl/dh.h> 55 56 56 57 QT_BEGIN_NAMESPACE 57 58 … … static bool isSafeDH(DH *dh) 62 63 63 64 QSslSocketPrivate::ensureInitialized(); 64 65 65 // Mark p < 1024 bits as unsafe.66 if (q_BN_num_bits(dh->p) < 1024) {67 return false;68 }69 70 if (q_DH_check(dh, &status) != 1)71 return false;72 66 73 67 // From https://wiki.openssl.org/index.php/Diffie-Hellman_parameters: 74 68 // … … static bool isSafeDH(DH *dh) 81 75 // Without the test, the IETF parameters would 82 76 // fail validation. For details, see Diffie-Hellman 83 77 // Parameter Check (when g = 2, must p mod 24 == 11?). 78 #if QT_CONFIG(opensslv11) 79 // Mark p < 1024 bits as unsafe. 80 if (q_DH_bits(dh) < 1024) 81 return false; 82 83 if (q_DH_check(dh, &status) != 1) 84 return false; 85 86 const BIGNUM *p = nullptr; 87 const BIGNUM *q = nullptr; 88 const BIGNUM *g = nullptr; 89 q_DH_get0_pqg(dh, &p, &q, &g); 90 91 if (q_BN_is_word(const_cast<BIGNUM *>(g), DH_GENERATOR_2)) { 92 long residue = q_BN_mod_word(p, 24); 93 if (residue == 11 || residue == 23) 94 status &= ~DH_NOT_SUITABLE_GENERATOR; 95 } 96 97 #else 98 // Mark p < 1024 bits as unsafe. 99 if (q_BN_num_bits(dh->p) < 1024) 100 return false; 101 102 if (q_DH_check(dh, &status) != 1) 103 return false; 104 84 105 if (q_BN_is_word(dh->g, DH_GENERATOR_2)) { 85 106 long residue = q_BN_mod_word(dh->p, 24); 86 107 if (residue == 11 || residue == 23) 87 108 status &= ~DH_NOT_SUITABLE_GENERATOR; 88 109 } 110 #endif 89 111 90 112 bad |= DH_CHECK_P_NOT_PRIME; 91 113 bad |= DH_CHECK_P_NOT_SAFE_PRIME; -
qtbase/src/network/ssl/qsslellipticcurve.h
diff --git a/qtbase/src/network/ssl/qsslellipticcurve.h b/qtbase/src/network/ssl/qsslellipticcurve.h index 231566063ebbfcaabd3873fa8913214cdac4b934..57dda19badd795f0833acbb19cc3727ba2d57615 100644
a b private: 80 80 friend Q_DECL_CONSTEXPR bool operator==(QSslEllipticCurve lhs, QSslEllipticCurve rhs) Q_DECL_NOTHROW; 81 81 friend Q_DECL_CONSTEXPR uint qHash(QSslEllipticCurve curve, uint seed) Q_DECL_NOTHROW; 82 82 83 friend class QSslContext; 83 84 friend class QSslSocketPrivate; 84 85 friend class QSslSocketBackendPrivate; 85 86 }; -
qtbase/src/network/ssl/qsslellipticcurve_openssl.cpp
diff --git a/qtbase/src/network/ssl/qsslellipticcurve_openssl.cpp b/qtbase/src/network/ssl/qsslellipticcurve_openssl.cpp index e18197b703ed8bfc45947f5675a69078433bedee..8cd14837f0fe9efacf9a2d75b89f881eebf5dfd6 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 3 ** Copyright (C) 2014 Governikus GmbH & Co. KG. 4 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 4 5 ** Contact: https://www.qt.io/licensing/ 5 6 ** 6 7 ** This file is part of the QtNetwork module of the Qt Toolkit. … … QSslEllipticCurve QSslEllipticCurve::fromShortName(const QString &name) 78 79 QSslEllipticCurve result; 79 80 80 81 #ifndef OPENSSL_NO_EC 81 const QByteArray curveNameLatin1 = name.toLatin1();82 82 83 const QByteArray curveNameLatin1 = name.toLatin1(); 83 84 int nid = q_OBJ_sn2nid(curveNameLatin1.data()); 84 85 85 86 #if OPENSSL_VERSION_NUMBER >= 0x10002000L 86 if (nid == 0 && q_SSLeay() >= 0x10002000L)87 if (nid == 0 && QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) 87 88 nid = q_EC_curve_nist2nid(curveNameLatin1.data()); 88 89 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L 89 90 90 91 result.id = nid; 91 #endif 92 93 #endif // !OPENSSL_NO_EC 92 94 93 95 return result; 94 96 } -
qtbase/src/network/ssl/qsslkey_openssl.cpp
diff --git a/qtbase/src/network/ssl/qsslkey_openssl.cpp b/qtbase/src/network/ssl/qsslkey_openssl.cpp index 26119023d14dd55393770352d30d7f2c0ba1838b..aa81b735b98234bf88ca3db0841914281c8570d8 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 ** Copyright (C) 2016 The Qt Company Ltd. 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 4 5 ** Contact: https://www.qt.io/licensing/ 5 6 ** 6 7 ** This file is part of the QtNetwork module of the Qt Toolkit. … … bool QSslKeyPrivate::fromEVP_PKEY(EVP_PKEY *pkey) 87 88 if (pkey == nullptr) 88 89 return false; 89 90 90 if (pkey->type == EVP_PKEY_RSA) { 91 #if QT_CONFIG(opensslv11) 92 const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); 93 #else 94 const int keyType = pkey->type; 95 #endif 96 if (keyType == EVP_PKEY_RSA) { 91 97 isNull = false; 92 98 algorithm = QSsl::Rsa; 93 99 type = QSsl::PrivateKey; 94 95 rsa = q_RSA_new(); 96 memcpy(rsa, q_EVP_PKEY_get1_RSA(pkey), sizeof(RSA)); 97 100 rsa = q_EVP_PKEY_get1_RSA(pkey); 98 101 return true; 99 } 100 else if (pkey->type == EVP_PKEY_DSA) { 102 } else if (keyType == EVP_PKEY_DSA) { 101 103 isNull = false; 102 104 algorithm = QSsl::Dsa; 103 105 type = QSsl::PrivateKey; 104 105 dsa = q_DSA_new(); 106 memcpy(dsa, q_EVP_PKEY_get1_DSA(pkey), sizeof(DSA)); 107 106 dsa = q_EVP_PKEY_get1_DSA(pkey); 108 107 return true; 109 108 } 110 109 #ifndef OPENSSL_NO_EC 111 else if ( pkey->type == EVP_PKEY_EC) {110 else if (keyType == EVP_PKEY_EC) { 112 111 isNull = false; 113 112 algorithm = QSsl::Ec; 114 113 type = QSsl::PrivateKey; 115 ec = q_EC_KEY_dup(q_EVP_PKEY_get1_EC_KEY(pkey)); 116 114 ec = q_EVP_PKEY_get1_EC_KEY(pkey); 117 115 return true; 118 116 } 119 117 #endif … … int QSslKeyPrivate::length() const 181 179 return -1; 182 180 183 181 switch (algorithm) { 184 case QSsl::Rsa: return q_ BN_num_bits(rsa->n);185 case QSsl::Dsa: return q_ BN_num_bits(dsa->p);182 case QSsl::Rsa: return q_RSA_bits(rsa); 183 case QSsl::Dsa: return q_DSA_bits(dsa); 186 184 #ifndef OPENSSL_NO_EC 187 185 case QSsl::Ec: return q_EC_GROUP_get_degree(q_EC_KEY_get0_group(ec)); 188 186 #endif … … Qt::HANDLE QSslKeyPrivate::handle() const 276 274 277 275 static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv, int enc) 278 276 { 279 EVP_CIPHER_CTX ctx; 277 #if QT_CONFIG(opensslv11) 278 EVP_CIPHER_CTX *ctx = q_EVP_CIPHER_CTX_new(); 279 #else 280 EVP_CIPHER_CTX evpCipherContext; 281 EVP_CIPHER_CTX *ctx = &evpCipherContext; 282 #endif 283 280 284 const EVP_CIPHER* type = 0; 281 285 int i = 0, len = 0; 282 286 … … static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data, 294 298 295 299 QByteArray output; 296 300 output.resize(data.size() + EVP_MAX_BLOCK_LENGTH); 297 q_EVP_CIPHER_CTX_init(&ctx); 298 q_EVP_CipherInit(&ctx, type, NULL, NULL, enc); 299 q_EVP_CIPHER_CTX_set_key_length(&ctx, key.size()); 301 302 #if QT_CONFIG(opensslv11) 303 q_EVP_CIPHER_CTX_reset(ctx); 304 #else 305 q_EVP_CIPHER_CTX_init(ctx); 306 #endif 307 308 q_EVP_CipherInit(ctx, type, NULL, NULL, enc); 309 q_EVP_CIPHER_CTX_set_key_length(ctx, key.size()); 300 310 if (cipher == QSslKeyPrivate::Rc2Cbc) 301 q_EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); 302 q_EVP_CipherInit(&ctx, NULL, 311 q_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); 312 313 #if QT_CONFIG(opensslv11) 314 // EVP_CipherInit in 1.1 resets the context thus making the calls above useless. 315 // We call EVP_CipherInit_ex instead. 316 q_EVP_CipherInit_ex(ctx, nullptr, nullptr, 317 reinterpret_cast<const unsigned char *>(key.constData()), 318 reinterpret_cast<const unsigned char *>(iv.constData()), 319 enc); 320 #else 321 q_EVP_CipherInit(ctx, NULL, 303 322 reinterpret_cast<const unsigned char *>(key.constData()), 304 323 reinterpret_cast<const unsigned char *>(iv.constData()), enc); 305 q_EVP_CipherUpdate(&ctx, 324 #endif // opensslv11 325 326 q_EVP_CipherUpdate(ctx, 306 327 reinterpret_cast<unsigned char *>(output.data()), &len, 307 328 reinterpret_cast<const unsigned char *>(data.constData()), data.size()); 308 q_EVP_CipherFinal( &ctx,329 q_EVP_CipherFinal(ctx, 309 330 reinterpret_cast<unsigned char *>(output.data()) + len, &i); 310 331 len += i; 311 q_EVP_CIPHER_CTX_cleanup(&ctx); 332 333 #if QT_CONFIG(opensslv11) 334 q_EVP_CIPHER_CTX_reset(ctx); 335 q_EVP_CIPHER_CTX_free(ctx); 336 #else 337 q_EVP_CIPHER_CTX_cleanup(ctx); 338 #endif 312 339 313 340 return output.left(len); 314 341 } -
qtbase/src/network/ssl/qsslsocket.cpp
diff --git a/qtbase/src/network/ssl/qsslsocket.cpp b/qtbase/src/network/ssl/qsslsocket.cpp index 8eba5db9fe92ea345ac143c25ce7ab74c4f27890..d06e0b0761a5a7a9b871b9e514fc871f01162df4 100644
a b qint64 QSslSocket::writeData(const char *data, qint64 len) 2025 2025 d->writeBuffer.append(data, len); 2026 2026 2027 2027 // make sure we flush to the plain socket's buffer 2028 QMetaObject::invokeMethod(this, "_q_flushWriteBuffer", Qt::QueuedConnection); 2028 if (!d->flushTriggered) { 2029 d->flushTriggered = true; 2030 QMetaObject::invokeMethod(this, "_q_flushWriteBuffer", Qt::QueuedConnection); 2031 } 2029 2032 2030 2033 return len; 2031 2034 } … … QSslSocketPrivate::QSslSocketPrivate() 2044 2047 , allowRootCertOnDemandLoading(true) 2045 2048 , plainSocket(0) 2046 2049 , paused(false) 2050 , flushTriggered(false) 2047 2051 { 2048 2052 QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); 2049 2053 } … … void QSslSocketPrivate::init() 2066 2070 ignoreAllSslErrors = false; 2067 2071 shutdown = false; 2068 2072 pendingClose = false; 2073 flushTriggered = false; 2069 2074 2070 2075 // we don't want to clear the ignoreErrorsList, so 2071 2076 // that it is possible setting it before connecting … … void QSslSocketPrivate::_q_readChannelFinishedSlot() 2534 2539 void QSslSocketPrivate::_q_flushWriteBuffer() 2535 2540 { 2536 2541 Q_Q(QSslSocket); 2542 2543 // need to notice if knock-on effects of this flush (e.g. a readReady() via transmit()) 2544 // make another necessary, so clear flag before calling: 2545 flushTriggered = false; 2537 2546 if (!writeBuffer.isEmpty()) 2538 2547 q->flush(); 2539 2548 } -
qtbase/src/network/ssl/qsslsocket_openssl.cpp
diff --git a/qtbase/src/network/ssl/qsslsocket_openssl.cpp b/qtbase/src/network/ssl/qsslsocket_openssl.cpp index f5b493897ea0509483341c92c594626aa8ed4ca4..6e2c3714abd98cd01c783e06fb061dbbb465fda3 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 ** Copyright (C) 201 6The Qt Company Ltd.3 ** Copyright (C) 2017 The Qt Company Ltd. 4 4 ** Copyright (C) 2014 Governikus GmbH & Co. KG 5 5 ** Contact: https://www.qt.io/licensing/ 6 6 ** … … 54 54 ****************************************************************************/ 55 55 56 56 //#define QSSLSOCKET_DEBUG 57 //#define QT_DECRYPT_SSL_TRAFFIC58 57 59 58 #include "qssl_p.h" 60 59 #include "qsslsocket_openssl_p.h" … … bool QSslSocketPrivate::s_loadRootCertsOnDemand = false; 97 96 int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1; 98 97 #endif 99 98 100 /* \internal101 102 From OpenSSL's thread(3) manual page:103 104 OpenSSL can safely be used in multi-threaded applications provided that at105 least two callback functions are set.106 107 locking_function(int mode, int n, const char *file, int line) is needed to108 perform locking on shared data structures. (Note that OpenSSL uses a109 number of global data structures that will be implicitly shared110 whenever multiple threads use OpenSSL.) Multi-threaded111 applications will crash at random if it is not set. ...112 ...113 id_function(void) is a function that returns a thread ID. It is not114 needed on Windows nor on platforms where getpid() returns a different115 ID for each thread (most notably Linux)116 */117 class QOpenSslLocks118 {119 public:120 inline QOpenSslLocks()121 : initLocker(QMutex::Recursive),122 locksLocker(QMutex::Recursive)123 {124 QMutexLocker locker(&locksLocker);125 int numLocks = q_CRYPTO_num_locks();126 locks = new QMutex *[numLocks];127 memset(locks, 0, numLocks * sizeof(QMutex *));128 }129 inline ~QOpenSslLocks()130 {131 QMutexLocker locker(&locksLocker);132 for (int i = 0; i < q_CRYPTO_num_locks(); ++i)133 delete locks[i];134 delete [] locks;135 136 QSslSocketPrivate::deinitialize();137 }138 inline QMutex *lock(int num)139 {140 QMutexLocker locker(&locksLocker);141 QMutex *tmp = locks[num];142 if (!tmp)143 tmp = locks[num] = new QMutex(QMutex::Recursive);144 return tmp;145 }146 147 QMutex *globalLock()148 {149 return &locksLocker;150 }151 152 QMutex *initLock()153 {154 return &initLocker;155 }156 157 private:158 QMutex initLocker;159 QMutex locksLocker;160 QMutex **locks;161 };162 Q_GLOBAL_STATIC(QOpenSslLocks, openssl_locks)163 164 99 QString QSslSocketBackendPrivate::getErrorsFromOpenSsl() 165 100 { 166 101 QString errorString; … … QString QSslSocketBackendPrivate::getErrorsFromOpenSsl() 175 110 } 176 111 177 112 extern "C" { 178 static void locking_function(int mode, int lockNumber, const char *, int)179 {180 QMutex *mutex = openssl_locks()->lock(lockNumber);181 182 // Lock or unlock it183 if (mode & CRYPTO_LOCK)184 mutex->lock();185 else186 mutex->unlock();187 }188 static unsigned long id_function()189 {190 return (quintptr)QThread::currentThreadId();191 }192 113 193 114 #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) 194 115 static unsigned int q_ssl_psk_client_callback(SSL *ssl, … … QSslSocketBackendPrivate::~QSslSocketBackendPrivate() 227 148 destroySslContext(); 228 149 } 229 150 230 QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER( SSL_CIPHER *cipher)151 QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher) 231 152 { 232 153 QSslCipher ciph; 233 154 … … QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *ciph 268 189 } 269 190 270 191 // static 271 inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) { 192 inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) 193 { 272 194 QSslErrorEntry result = { 273 195 q_X509_STORE_CTX_get_error(ctx), 274 196 q_X509_STORE_CTX_get_error_depth(ctx) … … struct QSslErrorList 283 205 QMutex mutex; 284 206 QVector<QSslErrorEntry> errors; 285 207 }; 208 286 209 Q_GLOBAL_STATIC(QSslErrorList, _q_sslErrorList) 287 210 288 211 int q_X509Callback(int ok, X509_STORE_CTX *ctx) … … int q_X509Callback(int ok, X509_STORE_CTX *ctx) 290 213 if (!ok) { 291 214 // Store the error and at which depth the error was detected. 292 215 _q_sslErrorList()->errors << QSslErrorEntry::fromStoreContext(ctx); 216 #if !QT_CONFIG(opensslv11) 293 217 #ifdef QSSLSOCKET_DEBUG 294 218 qCDebug(lcSsl) << "verification error: dumping bad certificate"; 295 219 qCDebug(lcSsl) << QSslCertificatePrivate::QSslCertificate_from_X509(q_X509_STORE_CTX_get_current_cert(ctx)).toPem(); … … int q_X509Callback(int ok, X509_STORE_CTX *ctx) 310 234 << "ST=" << cert.subjectInfo(QSslCertificate::StateOrProvinceName); 311 235 qCDebug(lcSsl) << "Valid:" << cert.effectiveDate() << '-' << cert.expiryDate(); 312 236 } 313 #endif 237 #endif // QSSLSOCKET_DEBUG 238 #endif // !QT_CONFIG(opensslv11) 314 239 } 315 // Always return OK to allow verification to continue. We 'rehandle the240 // Always return OK to allow verification to continue. We handle the 316 241 // errors gracefully after collecting all errors, after verification has 317 242 // completed. 318 243 return 1; … … bool QSslSocketBackendPrivate::initSslContext() 397 322 if (configuration.protocol != QSsl::SslV2 && 398 323 configuration.protocol != QSsl::SslV3 && 399 324 configuration.protocol != QSsl::UnknownProtocol && 400 mode == QSslSocket::SslClientMode && q_SSLeay() >= 0x00090806fL) {325 mode == QSslSocket::SslClientMode && QSslSocket::sslLibraryVersionNumber() >= 0x00090806fL) { 401 326 // Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format. 402 327 QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName; 403 328 if (tlsHostName.isEmpty()) … … bool QSslSocketBackendPrivate::initSslContext() 438 363 439 364 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 440 365 // Save a pointer to this object into the SSL structure. 441 if ( q_SSLeay() >= 0x10001000L)366 if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) 442 367 q_SSL_set_ex_data(ssl, s_indexForSSLExtraData, this); 443 368 #endif 444 369 445 370 #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) 446 371 // Set the client callback for PSK 447 if ( q_SSLeay() >= 0x10001000L) {372 if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) { 448 373 if (mode == QSslSocket::SslClientMode) 449 374 q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback); 450 375 else if (mode == QSslSocket::SslServerMode) … … void QSslSocketBackendPrivate::destroySslContext() 464 389 sslContextPointer.clear(); 465 390 } 466 391 467 /*!468 \internal469 */470 void QSslSocketPrivate::deinitialize()471 {472 q_CRYPTO_set_id_callback(0);473 q_CRYPTO_set_locking_callback(0);474 q_ERR_free_strings();475 }476 477 392 /*! 478 393 \internal 479 394 … … bool QSslSocketPrivate::supportsSsl() 486 401 return ensureLibraryLoaded(); 487 402 } 488 403 489 bool QSslSocketPrivate::ensureLibraryLoaded()490 {491 if (!q_resolveOpenSslSymbols())492 return false;493 494 // Check if the library itself needs to be initialized.495 QMutexLocker locker(openssl_locks()->initLock());496 497 if (!s_libraryLoaded) {498 s_libraryLoaded = true;499 500 // Initialize OpenSSL.501 q_CRYPTO_set_id_callback(id_function);502 q_CRYPTO_set_locking_callback(locking_function);503 if (q_SSL_library_init() != 1)504 return false;505 q_SSL_load_error_strings();506 q_OpenSSL_add_all_algorithms();507 508 #if OPENSSL_VERSION_NUMBER >= 0x10001000L509 if (q_SSLeay() >= 0x10001000L)510 QSslSocketBackendPrivate::s_indexForSSLExtraData = q_SSL_get_ex_new_index(0L, NULL, NULL, NULL, NULL);511 #endif512 513 // Initialize OpenSSL's random seed.514 if (!q_RAND_status()) {515 qWarning("Random number generator not seeded, disabling SSL support");516 return false;517 }518 }519 return true;520 }521 522 void QSslSocketPrivate::ensureCiphersAndCertsLoaded()523 {524 QMutexLocker locker(openssl_locks()->initLock());525 if (s_loadedCiphersAndCerts)526 return;527 s_loadedCiphersAndCerts = true;528 529 resetDefaultCiphers();530 resetDefaultEllipticCurves();531 532 #if QT_CONFIG(library)533 //load symbols needed to receive certificates from system store534 #if defined(Q_OS_WIN)535 HINSTANCE hLib = LoadLibraryW(L"Crypt32");536 if (hLib) {537 ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW");538 ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore");539 ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore");540 if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore)541 qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen542 } else {543 qCWarning(lcSsl, "could not load crypt32 library"); // should never happen544 }545 #elif defined(Q_OS_QNX)546 s_loadRootCertsOnDemand = true;547 #elif defined(Q_OS_UNIX) && !defined(Q_OS_MAC)548 // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there)549 QList<QByteArray> dirs = unixRootCertDirectories();550 QStringList symLinkFilter;551 symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]");552 for (int a = 0; a < dirs.count(); ++a) {553 QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files);554 if (iterator.hasNext()) {555 s_loadRootCertsOnDemand = true;556 break;557 }558 }559 #endif560 #endif // QT_CONFIG(library)561 // if on-demand loading was not enabled, load the certs now562 if (!s_loadRootCertsOnDemand)563 setDefaultCaCertificates(systemCaCertificates());564 #ifdef Q_OS_WIN565 //Enabled for fetching additional root certs from windows update on windows 6+566 //This flag is set false by setDefaultCaCertificates() indicating the app uses567 //its own cert bundle rather than the system one.568 //Same logic that disables the unix on demand cert loading.569 //Unlike unix, we do preload the certificates from the cert store.570 if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0)571 s_loadRootCertsOnDemand = true;572 #endif573 }574 575 404 /*! 576 405 \internal 577 406 … … void QSslSocketPrivate::ensureInitialized() 587 416 ensureCiphersAndCertsLoaded(); 588 417 } 589 418 590 long QSslSocketPrivate::sslLibraryVersionNumber()591 {592 if (!supportsSsl())593 return 0;594 595 return q_SSLeay();596 }597 598 QString QSslSocketPrivate::sslLibraryVersionString()599 {600 if (!supportsSsl())601 return QString();602 603 const char *versionString = q_SSLeay_version(SSLEAY_VERSION);604 if (!versionString)605 return QString();606 607 return QString::fromLatin1(versionString);608 }609 610 419 long QSslSocketPrivate::sslLibraryBuildVersionNumber() 611 420 { 612 421 return OPENSSL_VERSION_NUMBER; … … QString QSslSocketPrivate::sslLibraryBuildVersionString() 628 437 */ 629 438 void QSslSocketPrivate::resetDefaultCiphers() 630 439 { 440 #if QT_CONFIG(opensslv11) 441 SSL_CTX *myCtx = q_SSL_CTX_new(q_TLS_client_method()); 442 #else 631 443 SSL_CTX *myCtx = q_SSL_CTX_new(q_SSLv23_client_method()); 444 #endif 632 445 SSL *mySsl = q_SSL_new(myCtx); 633 446 634 447 QList<QSslCipher> ciphers; … … void QSslSocketPrivate::resetDefaultEllipticCurves() 664 477 QVector<QSslEllipticCurve> curves; 665 478 666 479 #ifndef OPENSSL_NO_EC 667 const size_t curveCount = q_EC_get_builtin_curves( NULL, 0);480 const size_t curveCount = q_EC_get_builtin_curves(nullptr, 0); 668 481 669 482 QVarLengthArray<EC_builtin_curve> builtinCurves(static_cast<int>(curveCount)); 670 483 … … QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() 698 511 if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) { 699 512 HCERTSTORE hSystemStore; 700 513 hSystemStore = ptrCertOpenSystemStoreW(0, L"ROOT"); 701 if (hSystemStore) {702 PCCERT_CONTEXT pc = NULL;703 while (1) {704 pc = ptrCertFindCertificateInStore( hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pc);705 if (!pc)514 if (hSystemStore) { 515 PCCERT_CONTEXT pc = nullptr; 516 while (1) { 517 pc = ptrCertFindCertificateInStore(hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, pc); 518 if (!pc) 706 519 break; 707 QByteArray der((const char *)(pc->pbCertEncoded), static_cast<int>(pc->cbCertEncoded)); 520 QByteArray der(reinterpret_cast<const char *>(pc->pbCertEncoded), 521 static_cast<int>(pc->cbCertEncoded)); 708 522 QSslCertificate cert(der, QSsl::Der); 709 523 systemCerts.append(cert); 710 524 } … … void QSslSocketBackendPrivate::transmit() 945 759 // we have a readBufferMaxSize. There's no point in leaving data there 946 760 // just so that readBuffer.size() == readBufferMaxSize. 947 761 int readBytes = 0; 948 data.resize(4096); 949 ::memset(data.data(), 0, data.size()); 762 const int bytesToRead = 4096; 950 763 do { 951 764 // Don't use SSL_pending(). It's very unreliable. 952 if ((readBytes = q_SSL_read(ssl, data.data(), data.size())) > 0) { 765 readBytes = q_SSL_read(ssl, buffer.reserve(bytesToRead), bytesToRead); 766 if (readBytes > 0) { 953 767 #ifdef QSSLSOCKET_DEBUG 954 768 qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes"; 955 769 #endif 956 buffer. append(data.constData(),readBytes);770 buffer.chop(bytesToRead - readBytes); 957 771 958 772 if (readyReadEmittedPointer) 959 773 *readyReadEmittedPointer = true; … … void QSslSocketBackendPrivate::transmit() 962 776 transmitting = true; 963 777 continue; 964 778 } 779 buffer.chop(bytesToRead); 965 780 966 781 // Error. 967 782 switch (q_SSL_get_error(ssl, readBytes)) { … … QSslCipher QSslSocketBackendPrivate::sessionCipher() const 1504 1319 { 1505 1320 if (!ssl) 1506 1321 return QSslCipher(); 1507 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 1508 // FIXME This is fairly evil, but needed to keep source level compatibility 1509 // with the OpenSSL 0.9.x implementation at maximum -- some other functions 1510 // don't take a const SSL_CIPHER* when they should 1511 SSL_CIPHER *sessionCipher = const_cast<SSL_CIPHER *>(q_SSL_get_current_cipher(ssl)); 1512 #else 1513 SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); 1514 #endif 1322 1323 const SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); 1515 1324 return sessionCipher ? QSslCipher_from_SSL_CIPHER(sessionCipher) : QSslCipher(); 1516 1325 } 1517 1326 … … QSsl::SslProtocol QSslSocketBackendPrivate::sessionProtocol() const 1537 1346 return QSsl::UnknownProtocol; 1538 1347 } 1539 1348 1540 void QSslSocketBackendPrivate::continueHandshake()1541 {1542 Q_Q(QSslSocket);1543 // if we have a max read buffer size, reset the plain socket's to match1544 if (readBufferMaxSize)1545 plainSocket->setReadBufferSize(readBufferMaxSize);1546 1547 if (q_SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL))1548 configuration.peerSessionShared = true;1549 1550 #ifdef QT_DECRYPT_SSL_TRAFFIC1551 if (ssl->session && ssl->s3) {1552 const char *mk = reinterpret_cast<const char *>(ssl->session->master_key);1553 QByteArray masterKey(mk, ssl->session->master_key_length);1554 const char *random = reinterpret_cast<const char *>(ssl->s3->client_random);1555 QByteArray clientRandom(random, SSL3_RANDOM_SIZE);1556 1557 // different format, needed for e.g. older Wireshark versions:1558 // const char *sid = reinterpret_cast<const char *>(ssl->session->session_id);1559 // QByteArray sessionID(sid, ssl->session->session_id_length);1560 // QByteArray debugLineRSA("RSA Session-ID:");1561 // debugLineRSA.append(sessionID.toHex().toUpper());1562 // debugLineRSA.append(" Master-Key:");1563 // debugLineRSA.append(masterKey.toHex().toUpper());1564 // debugLineRSA.append("\n");1565 1566 QByteArray debugLineClientRandom("CLIENT_RANDOM ");1567 debugLineClientRandom.append(clientRandom.toHex().toUpper());1568 debugLineClientRandom.append(" ");1569 debugLineClientRandom.append(masterKey.toHex().toUpper());1570 debugLineClientRandom.append("\n");1571 1572 QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys");1573 QFile file(sslKeyFile);1574 if (!file.open(QIODevice::Append))1575 qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending";1576 if (!file.write(debugLineClientRandom))1577 qCWarning(lcSsl) << "could not write to file" << sslKeyFile;1578 file.close();1579 } else {1580 qCWarning(lcSsl, "could not decrypt SSL traffic");1581 }1582 #endif1583 1584 // Cache this SSL session inside the QSslContext1585 if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) {1586 if (!sslContextPointer->cacheSession(ssl)) {1587 sslContextPointer.clear(); // we could not cache the session1588 } else {1589 // Cache the session for permanent usage as well1590 if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) {1591 if (!sslContextPointer->sessionASN1().isEmpty())1592 configuration.sslSession = sslContextPointer->sessionASN1();1593 configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint();1594 }1595 }1596 }1597 1598 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG)1599 1600 configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status;1601 if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) {1602 // we could not agree -> be conservative and use HTTP/1.11603 configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1");1604 } else {1605 const unsigned char *proto = 0;1606 unsigned int proto_len = 0;1607 #if OPENSSL_VERSION_NUMBER >= 0x10002000L1608 if (q_SSLeay() >= 0x10002000L) {1609 q_SSL_get0_alpn_selected(ssl, &proto, &proto_len);1610 if (proto_len && mode == QSslSocket::SslClientMode) {1611 // Client does not have a callback that sets it ...1612 configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated;1613 }1614 }1615 1616 if (!proto_len) { // Test if NPN was more lucky ...1617 #else1618 {1619 #endif1620 q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len);1621 }1622 1623 if (proto_len)1624 configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast<const char *>(proto), proto_len);1625 else1626 configuration.nextNegotiatedProtocol.clear();1627 }1628 #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ...1629 1630 #if OPENSSL_VERSION_NUMBER >= 0x10002000L1631 if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) {1632 EVP_PKEY *key;1633 if (q_SSL_get_server_tmp_key(ssl, &key))1634 configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey);1635 }1636 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ...1637 1638 connectionEncrypted = true;1639 emit q->encrypted();1640 if (autoStartHandshake && pendingClose) {1641 pendingClose = false;1642 q->disconnectFromHost();1643 }1644 }1645 1646 1349 QList<QSslCertificate> QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509) 1647 1350 { 1648 1351 ensureInitialized(); … … QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & 1696 1399 QMutexLocker sslErrorListMutexLocker(&_q_sslErrorList()->mutex); 1697 1400 1698 1401 // Register a custom callback to get all verification errors. 1699 X509_STORE_set_verify_cb_func(certStore, q_X509Callback);1402 q_X509_STORE_set_verify_cb(certStore, q_X509Callback); 1700 1403 1701 1404 // Build the chain of intermediate certificates 1702 1405 STACK_OF(X509) *intermediates = 0; 1703 1406 if (certificateChain.length() > 1) { 1704 intermediates = (STACK_OF(X509) *) q_ sk_new_null();1407 intermediates = (STACK_OF(X509) *) q_OPENSSL_sk_new_null(); 1705 1408 1706 1409 if (!intermediates) { 1707 1410 q_X509_STORE_free(certStore); … … QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & 1715 1418 first = false; 1716 1419 continue; 1717 1420 } 1718 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 1719 q_sk_push( (_STACK *)intermediates, reinterpret_cast<X509 *>(cert.handle())); 1720 #else 1721 q_sk_push( (STACK *)intermediates, reinterpret_cast<char *>(cert.handle())); 1722 #endif 1421 1422 q_OPENSSL_sk_push((OPENSSL_STACK *)intermediates, reinterpret_cast<X509 *>(cert.handle())); 1723 1423 } 1724 1424 } 1725 1425 … … QList<QSslError> QSslSocketBackendPrivate::verify(const QList<QSslCertificate> & 1743 1443 (void) q_X509_verify_cert(storeContext); 1744 1444 1745 1445 q_X509_STORE_CTX_free(storeContext); 1746 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 1747 q_sk_free( (_STACK *) intermediates); 1748 #else 1749 q_sk_free( (STACK *) intermediates); 1750 #endif 1446 q_OPENSSL_sk_free((OPENSSL_STACK *)intermediates); 1751 1447 1752 1448 // Now process the errors 1753 1449 const auto errorList = std::move(_q_sslErrorList()->errors); … … bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, 1821 1517 // Convert to Qt types 1822 1518 if (!key->d->fromEVP_PKEY(pkey)) { 1823 1519 qCWarning(lcSsl, "Unable to convert private key"); 1824 q_sk_pop_free(reinterpret_cast<STACK *>(ca), reinterpret_cast<void(*)(void*)>(q_sk_free)); 1520 q_OPENSSL_sk_pop_free(reinterpret_cast<OPENSSL_STACK *>(ca), 1521 reinterpret_cast<void (*)(void *)>(q_OPENSSL_sk_free)); 1825 1522 q_X509_free(x509); 1826 1523 q_EVP_PKEY_free(pkey); 1827 1524 q_PKCS12_free(p12); … … bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, 1836 1533 *caCertificates = QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(ca); 1837 1534 1838 1535 // Clean up 1839 q_sk_pop_free(reinterpret_cast<STACK *>(ca), reinterpret_cast<void(*)(void*)>(q_sk_free)); 1536 // TODO: verify ASAP, in the past we had sk_pop_free with q_OPENSSL_sk_free 1537 // which seems to be blatantly wrong and even crashes with 1.1. 1538 q_OPENSSL_sk_pop_free(reinterpret_cast<OPENSSL_STACK *>(ca), 1539 reinterpret_cast<void (*)(void *)>(q_X509_free)); 1540 1840 1541 q_X509_free(x509); 1841 1542 q_EVP_PKEY_free(pkey); 1842 1543 q_PKCS12_free(p12); -
new file qtbase/src/network/ssl/qsslsocket_openssl11.cpp
diff --git a/qtbase/src/network/ssl/qsslsocket_openssl11.cpp b/qtbase/src/network/ssl/qsslsocket_openssl11.cpp new file mode 100644 index 0000000000000000000000000000000000000000..b6d18943a5ab6e2d3af68dd767a9c58a7edc6c8e
- + 1 /**************************************************************************** 2 ** 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2014 Governikus GmbH & Co. KG 5 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 6 ** Contact: https://www.qt.io/licensing/ 7 ** 8 ** This file is part of the QtNetwork module of the Qt Toolkit. 9 ** 10 ** $QT_BEGIN_LICENSE:LGPL$ 11 ** Commercial License Usage 12 ** Licensees holding valid commercial Qt licenses may use this file in 13 ** accordance with the commercial license agreement provided with the 14 ** Software or, alternatively, in accordance with the terms contained in 15 ** a written agreement between you and The Qt Company. For licensing terms 16 ** and conditions see https://www.qt.io/terms-conditions. For further 17 ** information use the contact form at https://www.qt.io/contact-us. 18 ** 19 ** GNU Lesser General Public License Usage 20 ** Alternatively, this file may be used under the terms of the GNU Lesser 21 ** General Public License version 3 as published by the Free Software 22 ** Foundation and appearing in the file LICENSE.LGPL3 included in the 23 ** packaging of this file. Please review the following information to 24 ** ensure the GNU Lesser General Public License version 3 requirements 25 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. 26 ** 27 ** GNU General Public License Usage 28 ** Alternatively, this file may be used under the terms of the GNU 29 ** General Public License version 2.0 or (at your option) the GNU General 30 ** Public license version 3 or any later version approved by the KDE Free 31 ** Qt Foundation. The licenses are as published by the Free Software 32 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 33 ** included in the packaging of this file. Please review the following 34 ** information to ensure the GNU General Public License requirements will 35 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and 36 ** https://www.gnu.org/licenses/gpl-3.0.html. 37 ** 38 ** $QT_END_LICENSE$ 39 ** 40 ****************************************************************************/ 41 42 /**************************************************************************** 43 ** 44 ** In addition, as a special exception, the copyright holders listed above give 45 ** permission to link the code of its release of Qt with the OpenSSL project's 46 ** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the 47 ** same license as the original version), and distribute the linked executables. 48 ** 49 ** You must comply with the GNU General Public License version 2 in all 50 ** respects for all of the code used other than the "OpenSSL" code. If you 51 ** modify this file, you may extend this exception to your version of the file, 52 ** but you are not obligated to do so. If you do not wish to do so, delete 53 ** this exception statement from your version of this file. 54 ** 55 ****************************************************************************/ 56 57 //#define QT_DECRYPT_SSL_TRAFFIC 58 59 #include "qssl_p.h" 60 #include "qsslsocket_openssl_p.h" 61 #include "qsslsocket_openssl_symbols_p.h" 62 #include "qsslsocket.h" 63 #include "qsslkey.h" 64 65 #include <QtCore/qdebug.h> 66 #include <QtCore/qdir.h> 67 #include <QtCore/qdiriterator.h> 68 #include <QtCore/qfile.h> 69 #include <QtCore/qmutex.h> 70 #include <QtCore/qlibrary.h> 71 72 QT_BEGIN_NAMESPACE 73 74 Q_GLOBAL_STATIC_WITH_ARGS(QMutex, qt_opensslInitMutex, (QMutex::Recursive)) 75 76 /*! 77 \internal 78 */ 79 void QSslSocketPrivate::deinitialize() 80 { 81 // This function exists only for compatibility with the pre-11 code, 82 // where deinitialize() actually does some cleanup. To be discarded 83 // once we retire < 1.1. 84 } 85 86 bool QSslSocketPrivate::ensureLibraryLoaded() 87 { 88 if (!q_resolveOpenSslSymbols()) 89 return false; 90 91 const QMutexLocker locker(qt_opensslInitMutex); 92 93 if (!s_libraryLoaded) { 94 s_libraryLoaded = true; 95 96 // Initialize OpenSSL. 97 if (q_OPENSSL_init_ssl(0, nullptr) != 1) 98 return false; 99 q_SSL_load_error_strings(); 100 q_OpenSSL_add_all_algorithms(); 101 102 QSslSocketBackendPrivate::s_indexForSSLExtraData 103 = q_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, 0L, nullptr, nullptr, 104 nullptr, nullptr); 105 106 // Initialize OpenSSL's random seed. 107 if (!q_RAND_status()) { 108 qWarning("Random number generator not seeded, disabling SSL support"); 109 return false; 110 } 111 } 112 return true; 113 } 114 115 void QSslSocketPrivate::ensureCiphersAndCertsLoaded() 116 { 117 const QMutexLocker locker(qt_opensslInitMutex); 118 119 if (s_loadedCiphersAndCerts) 120 return; 121 s_loadedCiphersAndCerts = true; 122 123 resetDefaultCiphers(); 124 resetDefaultEllipticCurves(); 125 126 #if QT_CONFIG(library) 127 //load symbols needed to receive certificates from system store 128 #if defined(Q_OS_WIN) 129 HINSTANCE hLib = LoadLibraryW(L"Crypt32"); 130 if (hLib) { 131 ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); 132 ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); 133 ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); 134 if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) 135 qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen 136 } else { 137 qCWarning(lcSsl, "could not load crypt32 library"); // should never happen 138 } 139 #elif defined(Q_OS_QNX) 140 s_loadRootCertsOnDemand = true; 141 #elif defined(Q_OS_UNIX) && !defined(Q_OS_DARWIN) 142 // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) 143 QList<QByteArray> dirs = unixRootCertDirectories(); 144 QStringList symLinkFilter; 145 symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); 146 for (int a = 0; a < dirs.count(); ++a) { 147 QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); 148 if (iterator.hasNext()) { 149 s_loadRootCertsOnDemand = true; 150 break; 151 } 152 } 153 #endif 154 #endif // QT_CONFIG(library) 155 // if on-demand loading was not enabled, load the certs now 156 if (!s_loadRootCertsOnDemand) 157 setDefaultCaCertificates(systemCaCertificates()); 158 #ifdef Q_OS_WIN 159 //Enabled for fetching additional root certs from windows update on windows 6+ 160 //This flag is set false by setDefaultCaCertificates() indicating the app uses 161 //its own cert bundle rather than the system one. 162 //Same logic that disables the unix on demand cert loading. 163 //Unlike unix, we do preload the certificates from the cert store. 164 if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) 165 s_loadRootCertsOnDemand = true; 166 #endif 167 } 168 169 long QSslSocketPrivate::sslLibraryVersionNumber() 170 { 171 if (!supportsSsl()) 172 return 0; 173 174 return q_OpenSSL_version_num(); 175 } 176 177 QString QSslSocketPrivate::sslLibraryVersionString() 178 { 179 if (!supportsSsl()) 180 return QString(); 181 182 const char *versionString = q_OpenSSL_version(OPENSSL_VERSION); 183 if (!versionString) 184 return QString(); 185 186 return QString::fromLatin1(versionString); 187 } 188 189 void QSslSocketBackendPrivate::continueHandshake() 190 { 191 Q_Q(QSslSocket); 192 // if we have a max read buffer size, reset the plain socket's to match 193 if (readBufferMaxSize) 194 plainSocket->setReadBufferSize(readBufferMaxSize); 195 196 if (q_SSL_session_reused(ssl)) 197 configuration.peerSessionShared = true; 198 199 #ifdef QT_DECRYPT_SSL_TRAFFIC 200 if (q_SSL_get_session(ssl)) { 201 size_t master_key_len = q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), 0, 0); 202 size_t client_random_len = q_SSL_get_client_random(ssl, 0, 0); 203 QByteArray masterKey(int(master_key_len), 0); // Will not overflow 204 QByteArray clientRandom(int(client_random_len), 0); // Will not overflow 205 206 q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), 207 reinterpret_cast<unsigned char*>(masterKey.data()), 208 masterKey.size()); 209 q_SSL_get_client_random(ssl, reinterpret_cast<unsigned char *>(clientRandom.data()), 210 clientRandom.size()); 211 212 QByteArray debugLineClientRandom("CLIENT_RANDOM "); 213 debugLineClientRandom.append(clientRandom.toHex().toUpper()); 214 debugLineClientRandom.append(" "); 215 debugLineClientRandom.append(masterKey.toHex().toUpper()); 216 debugLineClientRandom.append("\n"); 217 218 QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); 219 QFile file(sslKeyFile); 220 if (!file.open(QIODevice::Append)) 221 qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; 222 if (!file.write(debugLineClientRandom)) 223 qCWarning(lcSsl) << "could not write to file" << sslKeyFile; 224 file.close(); 225 } else { 226 qCWarning(lcSsl, "could not decrypt SSL traffic"); 227 } 228 #endif 229 230 // Cache this SSL session inside the QSslContext 231 if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { 232 if (!sslContextPointer->cacheSession(ssl)) { 233 sslContextPointer.clear(); // we could not cache the session 234 } else { 235 // Cache the session for permanent usage as well 236 if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { 237 if (!sslContextPointer->sessionASN1().isEmpty()) 238 configuration.sslSession = sslContextPointer->sessionASN1(); 239 configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); 240 } 241 } 242 } 243 244 #if !defined(OPENSSL_NO_NEXTPROTONEG) 245 246 configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; 247 if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { 248 // we could not agree -> be conservative and use HTTP/1.1 249 configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); 250 } else { 251 const unsigned char *proto = 0; 252 unsigned int proto_len = 0; 253 254 q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); 255 if (proto_len && mode == QSslSocket::SslClientMode) { 256 // Client does not have a callback that sets it ... 257 configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; 258 } 259 260 if (!proto_len) { // Test if NPN was more lucky ... 261 q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); 262 } 263 264 if (proto_len) 265 configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast<const char *>(proto), proto_len); 266 else 267 configuration.nextNegotiatedProtocol.clear(); 268 } 269 #endif // !defined(OPENSSL_NO_NEXTPROTONEG) 270 271 if (mode == QSslSocket::SslClientMode) { 272 EVP_PKEY *key; 273 if (q_SSL_get_server_tmp_key(ssl, &key)) 274 configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); 275 } 276 277 connectionEncrypted = true; 278 emit q->encrypted(); 279 if (autoStartHandshake && pendingClose) { 280 pendingClose = false; 281 q->disconnectFromHost(); 282 } 283 } 284 285 QT_END_NAMESPACE -
new file qtbase/src/network/ssl/qsslsocket_openssl11_symbols_p.h
diff --git a/qtbase/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/qtbase/src/network/ssl/qsslsocket_openssl11_symbols_p.h new file mode 100644 index 0000000000000000000000000000000000000000..2980b3d23ed3022c1b7f34eb0ad0a009d6084b31
- + 1 /**************************************************************************** 2 ** 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. 5 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 6 ** Contact: https://www.qt.io/licensing/ 7 ** 8 ** This file is part of the QtNetwork module of the Qt Toolkit. 9 ** 10 ** $QT_BEGIN_LICENSE:LGPL$ 11 ** Commercial License Usage 12 ** Licensees holding valid commercial Qt licenses may use this file in 13 ** accordance with the commercial license agreement provided with the 14 ** Software or, alternatively, in accordance with the terms contained in 15 ** a written agreement between you and The Qt Company. For licensing terms 16 ** and conditions see https://www.qt.io/terms-conditions. For further 17 ** information use the contact form at https://www.qt.io/contact-us. 18 ** 19 ** GNU Lesser General Public License Usage 20 ** Alternatively, this file may be used under the terms of the GNU Lesser 21 ** General Public License version 3 as published by the Free Software 22 ** Foundation and appearing in the file LICENSE.LGPL3 included in the 23 ** packaging of this file. Please review the following information to 24 ** ensure the GNU Lesser General Public License version 3 requirements 25 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. 26 ** 27 ** GNU General Public License Usage 28 ** Alternatively, this file may be used under the terms of the GNU 29 ** General Public License version 2.0 or (at your option) the GNU General 30 ** Public license version 3 or any later version approved by the KDE Free 31 ** Qt Foundation. The licenses are as published by the Free Software 32 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 33 ** included in the packaging of this file. Please review the following 34 ** information to ensure the GNU General Public License requirements will 35 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and 36 ** https://www.gnu.org/licenses/gpl-3.0.html. 37 ** 38 ** $QT_END_LICENSE$ 39 ** 40 ****************************************************************************/ 41 42 /**************************************************************************** 43 ** 44 ** In addition, as a special exception, the copyright holders listed above give 45 ** permission to link the code of its release of Qt with the OpenSSL project's 46 ** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the 47 ** same license as the original version), and distribute the linked executables. 48 ** 49 ** You must comply with the GNU General Public License version 2 in all 50 ** respects for all of the code used other than the "OpenSSL" code. If you 51 ** modify this file, you may extend this exception to your version of the file, 52 ** but you are not obligated to do so. If you do not wish to do so, delete 53 ** this exception statement from your version of this file. 54 ** 55 ****************************************************************************/ 56 57 #ifndef QSSLSOCKET_OPENSSL11_SYMBOLS_P_H 58 #define QSSLSOCKET_OPENSSL11_SYMBOLS_P_H 59 60 // 61 // W A R N I N G 62 // ------------- 63 // 64 // This file is not part of the Qt API. It exists purely as an 65 // implementation detail. This header file may change from version to 66 // version without notice, or even be removed. 67 // 68 // We mean it. 69 // 70 71 // Note: this file does not have QT_BEGIN_NAMESPACE/QT_END_NAMESPACE, it's done 72 // in qsslsocket_openssl_symbols_p.h. 73 74 #ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H 75 #error "You are not supposed to use this header file, include qsslsocket_openssl_symbols_p.h instead" 76 #endif 77 78 const unsigned char * q_ASN1_STRING_get0_data(const ASN1_STRING *x); 79 80 Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a); 81 Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem(); 82 83 int q_DSA_bits(DSA *a); 84 int q_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c); 85 int q_EVP_PKEY_base_id(EVP_PKEY *a); 86 int q_RSA_bits(RSA *a); 87 int q_OPENSSL_sk_num(OPENSSL_STACK *a); 88 void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *)); 89 OPENSSL_STACK *q_OPENSSL_sk_new_null(); 90 void q_OPENSSL_sk_push(OPENSSL_STACK *st, void *data); 91 void q_OPENSSL_sk_free(OPENSSL_STACK *a); 92 void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b); 93 int q_SSL_session_reused(SSL *a); 94 unsigned long q_SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op); 95 int q_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); 96 size_t q_SSL_get_client_random(SSL *a, unsigned char *out, size_t outlen); 97 size_t q_SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned char *out, size_t outlen); 98 int q_CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 99 const SSL_METHOD *q_TLS_method(); 100 const SSL_METHOD *q_TLS_client_method(); 101 const SSL_METHOD *q_TLS_server_method(); 102 ASN1_TIME *q_X509_getm_notBefore(X509 *a); 103 ASN1_TIME *q_X509_getm_notAfter(X509 *a); 104 105 long q_X509_get_version(X509 *a); 106 EVP_PKEY *q_X509_get_pubkey(X509 *a); 107 void q_X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); 108 STACK_OF(X509) *q_X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); 109 void q_DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); 110 int q_DH_bits(DH *dh); 111 112 # define q_SSL_load_error_strings() q_OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \ 113 | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) 114 115 #define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_OPENSSL_sk_num)(st) 116 #define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_OPENSSL_sk_value)(st, i) 117 118 #define q_OPENSSL_add_all_algorithms_conf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ 119 | OPENSSL_INIT_ADD_ALL_DIGESTS \ 120 | OPENSSL_INIT_LOAD_CONFIG, NULL) 121 #define q_OPENSSL_add_all_algorithms_noconf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ 122 | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) 123 124 int q_OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); 125 void q_CRYPTO_free(void *str, const char *file, int line); 126 127 long q_OpenSSL_version_num(); 128 const char *q_OpenSSL_version(int type); 129 130 unsigned long q_SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session); 131 132 #endif -
qtbase/src/network/ssl/qsslsocket_openssl_p.h
diff --git a/qtbase/src/network/ssl/qsslsocket_openssl_p.h b/qtbase/src/network/ssl/qsslsocket_openssl_p.h index b2adb3e5473f2c4ddc6967f960a52547d20f762b..7f9e884045866f1bc0887053b5124d26144b5c31 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 ** Copyright (C) 201 6The Qt Company Ltd.3 ** Copyright (C) 2017 The Qt Company Ltd. 4 4 ** Contact: https://www.qt.io/licensing/ 5 5 ** 6 6 ** This file is part of the QtNetwork module of the Qt Toolkit. … … 98 98 #include <openssl/crypto.h> 99 99 #include <openssl/tls1.h> 100 100 101 #if OPENSSL_VERSION_NUMBER >= 0x10000000L102 typedef _STACK STACK; 101 #if QT_CONFIG(opensslv11) 102 #include <openssl/dh.h> 103 103 #endif 104 104 105 105 QT_BEGIN_NAMESPACE … … public: 151 151 #endif 152 152 153 153 Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions); 154 static QSslCipher QSslCipher_from_SSL_CIPHER( SSL_CIPHER *cipher);154 static QSslCipher QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher); 155 155 static QList<QSslCertificate> STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509); 156 156 static QList<QSslError> verify(const QList<QSslCertificate> &certificateChain, const QString &hostName); 157 157 static QString getErrorsFromOpenSsl(); -
qtbase/src/network/ssl/qsslsocket_openssl_symbols.cpp
diff --git a/qtbase/src/network/ssl/qsslsocket_openssl_symbols.cpp b/qtbase/src/network/ssl/qsslsocket_openssl_symbols.cpp index ce02e0bc017dc1137e3493b0ca5715d31a600006..26d135769ab0e3defab15bc8f5df80022e1c2c8f 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 ** Copyright (C) 201 6The Qt Company Ltd.3 ** Copyright (C) 2017 The Qt Company Ltd. 4 4 ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. 5 ** Copyright (C) 2016 Richard J. Moore <rich@kde.org> 5 6 ** Contact: https://www.qt.io/licensing/ 6 7 ** 7 8 ** This file is part of the QtNetwork module of the Qt Toolkit. … … void qsslSocketCannotResolveSymbolWarning(const char *functionName) 136 137 137 138 #endif // QT_LINKED_OPENSSL 138 139 140 #if QT_CONFIG(opensslv11) 141 142 // Below are the functions first introduced in version 1.1: 143 144 DEFINEFUNC(const unsigned char *, ASN1_STRING_get0_data, const ASN1_STRING *a, a, return 0, return) 145 DEFINEFUNC2(int, OPENSSL_init_ssl, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) 146 DEFINEFUNC2(int, OPENSSL_init_crypto, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) 147 DEFINEFUNC(BIO *, BIO_new, const BIO_METHOD *a, a, return 0, return) 148 DEFINEFUNC(const BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) 149 DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return) 150 DEFINEFUNC(int, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX *c, c, return 0, return) 151 DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) 152 DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return) 153 DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return) 154 DEFINEFUNC(int, OPENSSL_sk_num, OPENSSL_STACK *a, a, return -1, return) 155 DEFINEFUNC2(void, OPENSSL_sk_pop_free, OPENSSL_STACK *a, a, void (*b)(void*), b, return, DUMMYARG) 156 DEFINEFUNC(OPENSSL_STACK *, OPENSSL_sk_new_null, DUMMYARG, DUMMYARG, return 0, return) 157 DEFINEFUNC2(void, OPENSSL_sk_push, OPENSSL_STACK *a, a, void *b, b, return, DUMMYARG) 158 DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG) 159 DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return 0, return) 160 DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return) 161 DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) 162 DEFINEFUNC3(size_t, SSL_get_client_random, SSL *a, a, unsigned char *out, out, size_t outlen, outlen, return 0, return) 163 DEFINEFUNC3(size_t, SSL_SESSION_get_master_key, const SSL_SESSION *ses, ses, unsigned char *out, out, size_t outlen, outlen, return 0, return) 164 DEFINEFUNC6(int, CRYPTO_get_ex_new_index, int class_index, class_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) 165 166 DEFINEFUNC(const SSL_METHOD *, TLS_method, DUMMYARG, DUMMYARG, return 0, return) 167 DEFINEFUNC(const SSL_METHOD *, TLS_client_method, DUMMYARG, DUMMYARG, return 0, return) 168 DEFINEFUNC(const SSL_METHOD *, TLS_server_method, DUMMYARG, DUMMYARG, return 0, return) 169 DEFINEFUNC(ASN1_TIME *, X509_getm_notBefore, X509 *a, a, return 0, return) 170 DEFINEFUNC(ASN1_TIME *, X509_getm_notAfter, X509 *a, a, return 0, return) 171 DEFINEFUNC(long, X509_get_version, X509 *a, a, return -1, return) 172 DEFINEFUNC(EVP_PKEY *, X509_get_pubkey, X509 *a, a, return 0, return) 173 DEFINEFUNC2(void, X509_STORE_set_verify_cb, X509_STORE *a, a, X509_STORE_CTX_verify_cb verify_cb, verify_cb, return, DUMMYARG) 174 DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get0_chain, X509_STORE_CTX *a, a, return 0, return) 175 DEFINEFUNC3(void, CRYPTO_free, void *str, str, const char *file, file, int line, line, return, DUMMYARG) 176 DEFINEFUNC(long, OpenSSL_version_num, void, DUMMYARG, return 0, return) 177 DEFINEFUNC(const char *, OpenSSL_version, int a, a, return 0, return) 178 DEFINEFUNC(unsigned long, SSL_SESSION_get_ticket_lifetime_hint, const SSL_SESSION *session, session, return 0, return) 179 DEFINEFUNC4(void, DH_get0_pqg, const DH *dh, dh, const BIGNUM **p, p, const BIGNUM **q, q, const BIGNUM **g, g, return, DUMMYARG) 180 DEFINEFUNC(int, DH_bits, DH *dh, dh, return 0, return) 181 182 #else // QT_CONFIG(opensslv11) 183 184 // Functions below are either deprecated or removed in OpenSSL >= 1.1: 185 186 DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) 187 139 188 #ifdef SSLEAY_MACROS 140 189 DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return 0, return) 141 190 #endif 191 DEFINEFUNC2(BIO *, BIO_new_file, const char *filename, filename, const char *mode, mode, return 0, return) 192 DEFINEFUNC(void, ERR_clear_error, DUMMYARG, DUMMYARG, return, DUMMYARG) 193 DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) 194 DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) 195 DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return) 196 DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG) 197 DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG) 198 DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG) 199 DEFINEFUNC(unsigned long, ERR_peek_last_error, DUMMYARG, DUMMYARG, return 0, return) 200 DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) 201 DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) 202 DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) 203 204 #ifdef SSLEAY_MACROS 205 DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) 206 DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) 207 #endif // SSLEAY_MACROS 208 209 DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return) 210 DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG) 211 212 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 213 DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) 214 DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG) 215 DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG) 216 DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return) 217 #else 218 DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) 219 DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG) 220 DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG) 221 DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return) 222 #endif // OPENSSL_VERSION_NUMBER >= 0x10000000L 223 224 DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return) 225 DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG) 226 227 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 228 DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) 229 #endif // OPENSSL_VERSION_NUMBER >= 0x10001000L 230 231 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 232 #ifndef OPENSSL_NO_SSL2 233 DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) 234 #endif 235 #ifndef OPENSSL_NO_SSL3_METHOD 236 DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) 237 #endif 238 DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) 239 DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) 240 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 241 DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return) 242 DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return) 243 #endif 244 #ifndef OPENSSL_NO_SSL2 245 DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) 246 #endif 247 #ifndef OPENSSL_NO_SSL3_METHOD 248 DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) 249 #endif 250 DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) 251 DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) 252 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 253 DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return) 254 DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) 255 #endif 256 #else 257 #ifndef OPENSSL_NO_SSL2 258 DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) 259 #endif 260 #ifndef OPENSSL_NO_SSL3_METHOD 261 DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) 262 #endif 263 DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) 264 DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) 265 #ifndef OPENSSL_NO_SSL2 266 DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) 267 #endif 268 #ifndef OPENSSL_NO_SSL3_METHOD 269 DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) 270 #endif 271 DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) 272 DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) 273 #endif 274 275 DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) 276 277 #ifdef SSLEAY_MACROS 278 DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) 279 DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return) 280 #ifndef OPENSSL_NO_EC 281 DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return) 282 #endif 283 DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return) 284 DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return) 285 #ifndef OPENSSL_NO_EC 286 DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return) 287 #endif 288 #endif 289 DEFINEFUNC(char *, CONF_get1_default_config_file, DUMMYARG, DUMMYARG, return 0, return) 290 DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) 291 DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) 292 DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return) 293 DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return) 294 295 #endif // QT_CONFIG(opensslv11) 296 142 297 DEFINEFUNC(long, ASN1_INTEGER_get, ASN1_INTEGER *a, a, return 0, return) 143 DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return)144 298 DEFINEFUNC(int, ASN1_STRING_length, ASN1_STRING *a, a, return 0, return) 145 DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return) ;299 DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return) 146 300 DEFINEFUNC4(long, BIO_ctrl, BIO *a, a, int b, b, long c, c, void *d, d, return -1, return) 147 301 DEFINEFUNC(int, BIO_free, BIO *a, a, return 0, return) 148 DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return)149 302 DEFINEFUNC2(BIO *, BIO_new_mem_buf, void *a, a, int b, b, return 0, return) 150 303 DEFINEFUNC3(int, BIO_read, BIO *a, a, void *b, b, int c, c, return -1, return) 151 DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) 304 152 305 DEFINEFUNC3(int, BIO_write, BIO *a, a, const void *b, b, int c, c, return -1, return) 153 306 DEFINEFUNC(int, BN_num_bits, const BIGNUM *a, a, return 0, return) 154 #if OPENSSL_VERSION_NUMBER >= 0x10100000L155 DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return)156 #endif157 307 DEFINEFUNC2(BN_ULONG, BN_mod_word, const BIGNUM *a, a, BN_ULONG w, w, return static_cast<BN_ULONG>(-1), return) 158 308 #ifndef OPENSSL_NO_EC 159 309 DEFINEFUNC(const EC_GROUP*, EC_KEY_get0_group, const EC_KEY* k, k, return 0, return) 160 310 DEFINEFUNC(int, EC_GROUP_get_degree, const EC_GROUP* g, g, return 0, return) 161 311 #endif 162 DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return)163 DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG)164 DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG)165 DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG)166 312 DEFINEFUNC(DSA *, DSA_new, DUMMYARG, DUMMYARG, return 0, return) 167 313 DEFINEFUNC(void, DSA_free, DSA *a, a, return, DUMMYARG) 168 314 DEFINEFUNC3(X509 *, d2i_X509, X509 **a, a, const unsigned char **b, b, long c, c, return 0, return) 169 315 DEFINEFUNC2(char *, ERR_error_string, unsigned long a, a, char *b, b, return 0, return) 170 316 DEFINEFUNC(unsigned long, ERR_get_error, DUMMYARG, DUMMYARG, return 0, return) 171 DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) 172 DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) 173 DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) 174 DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return); 317 DEFINEFUNC(EVP_CIPHER_CTX *, EVP_CIPHER_CTX_new, void, DUMMYARG, return 0, return) 318 DEFINEFUNC(void, EVP_CIPHER_CTX_free, EVP_CIPHER_CTX *a, a, return, DUMMYARG) 319 DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return) 175 320 DEFINEFUNC2(int, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX *ctx, ctx, int keylen, keylen, return 0, return) 176 DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return); 177 DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return); 178 DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return); 321 DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) 322 DEFINEFUNC6(int, EVP_CipherInit_ex, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *cipher, cipher, ENGINE *impl, impl, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) 323 DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return) 324 DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return) 179 325 DEFINEFUNC(const EVP_CIPHER *, EVP_des_cbc, DUMMYARG, DUMMYARG, return 0, return) 180 326 DEFINEFUNC(const EVP_CIPHER *, EVP_des_ede3_cbc, DUMMYARG, DUMMYARG, return 0, return) 181 327 DEFINEFUNC(const EVP_CIPHER *, EVP_rc2_cbc, DUMMYARG, DUMMYARG, return 0, return) 328 DEFINEFUNC(const EVP_MD *, EVP_sha1, DUMMYARG, DUMMYARG, return 0, return) 182 329 DEFINEFUNC3(int, EVP_PKEY_assign, EVP_PKEY *a, a, int b, b, char *c, c, return -1, return) 183 330 DEFINEFUNC2(int, EVP_PKEY_set1_RSA, EVP_PKEY *a, a, RSA *b, b, return -1, return) 184 331 DEFINEFUNC2(int, EVP_PKEY_set1_DSA, EVP_PKEY *a, a, DSA *b, b, return -1, return) … … DEFINEFUNC3(int, i2t_ASN1_OBJECT, char *a, a, int b, b, ASN1_OBJECT *c, c, retur 202 349 DEFINEFUNC4(int, OBJ_obj2txt, char *a, a, int b, b, ASN1_OBJECT *c, c, int d, d, return -1, return) 203 350 204 351 DEFINEFUNC(int, OBJ_obj2nid, const ASN1_OBJECT *a, a, return NID_undef, return) 205 #ifdef SSLEAY_MACROS 206 DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) 207 DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) 208 #else 352 353 #ifndef SSLEAY_MACROS 209 354 DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PrivateKey, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) 210 355 DEFINEFUNC4(DSA *, PEM_read_bio_DSAPrivateKey, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) 211 356 DEFINEFUNC4(RSA *, PEM_read_bio_RSAPrivateKey, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) … … DEFINEFUNC7(int, PEM_write_bio_RSAPrivateKey, BIO *a, a, RSA *b, b, const EVP_CI 218 363 #ifndef OPENSSL_NO_EC 219 364 DEFINEFUNC7(int, PEM_write_bio_ECPrivateKey, BIO *a, a, EC_KEY *b, b, const EVP_CIPHER *c, c, unsigned char *d, d, int e, e, pem_password_cb *f, f, void *g, g, return 0, return) 220 365 #endif 221 #endif 366 #endif // !SSLEAY_MACROS 222 367 DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PUBKEY, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) 223 368 DEFINEFUNC4(DSA *, PEM_read_bio_DSA_PUBKEY, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) 224 369 DEFINEFUNC4(RSA *, PEM_read_bio_RSA_PUBKEY, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) … … DEFINEFUNC2(void, RAND_seed, const void *a, a, int b, b, return, DUMMYARG) 234 379 DEFINEFUNC(int, RAND_status, void, DUMMYARG, return -1, return) 235 380 DEFINEFUNC(RSA *, RSA_new, DUMMYARG, DUMMYARG, return 0, return) 236 381 DEFINEFUNC(void, RSA_free, RSA *a, a, return, DUMMYARG) 237 DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return)238 DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG)239 #if OPENSSL_VERSION_NUMBER >= 0x10000000L240 DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return)241 DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG)242 DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG)243 DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return)244 #else245 DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return)246 DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG)247 DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG)248 DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return)249 #endif250 382 DEFINEFUNC(int, SSL_accept, SSL *a, a, return -1, return) 251 383 DEFINEFUNC(int, SSL_clear, SSL *a, a, return -1, return) 252 DEFINEFUNC3(char *, SSL_CIPHER_description, SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return)253 DEFINEFUNC2(int, SSL_CIPHER_get_bits, SSL_CIPHER *a, a, int *b, b, return 0, return)384 DEFINEFUNC3(char *, SSL_CIPHER_description, const SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return) 385 DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return) 254 386 DEFINEFUNC(int, SSL_connect, SSL *a, a, return -1, return) 255 387 DEFINEFUNC(int, SSL_CTX_check_private_key, const SSL_CTX *a, a, return -1, return) 256 388 DEFINEFUNC4(long, SSL_CTX_ctrl, SSL_CTX *a, a, int b, b, long c, c, void *d, d, return -1, return) … … DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return) 287 419 #else 288 420 DEFINEFUNC(long, SSL_get_verify_result, SSL *a, a, return -1, return) 289 421 #endif 290 DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return)291 DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG)292 422 DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return 0, return) 293 423 DEFINEFUNC4(long, SSL_ctrl, SSL *a, a, int cmd, cmd, long larg, larg, void *parg, parg, return -1, return) 294 424 DEFINEFUNC3(int, SSL_read, SSL *a, a, void *b, b, int c, c, return -1, return) … … DEFINEFUNC(void, SSL_SESSION_free, SSL_SESSION *ses, ses, return, DUMMYARG) 301 431 DEFINEFUNC(SSL_SESSION*, SSL_get1_session, SSL *ssl, ssl, return 0, return) 302 432 DEFINEFUNC(SSL_SESSION*, SSL_get_session, const SSL *ssl, ssl, return 0, return) 303 433 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 304 DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return)305 434 DEFINEFUNC3(int, SSL_set_ex_data, SSL *ssl, ssl, int idx, idx, void *arg, arg, return 0, return) 306 435 DEFINEFUNC2(void *, SSL_get_ex_data, const SSL *ssl, ssl, int idx, idx, return NULL, return) 307 436 #endif … … DEFINEFUNC2(void, SSL_set_psk_client_callback, SSL* ssl, ssl, q_psk_client_callb 310 439 DEFINEFUNC2(void, SSL_set_psk_server_callback, SSL* ssl, ssl, q_psk_server_callback_t callback, callback, return, DUMMYARG) 311 440 DEFINEFUNC2(int, SSL_CTX_use_psk_identity_hint, SSL_CTX* ctx, ctx, const char *hint, hint, return 0, return) 312 441 #endif 313 #if OPENSSL_VERSION_NUMBER >= 0x10000000L314 #ifndef OPENSSL_NO_SSL2315 DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return)316 #endif317 #ifndef OPENSSL_NO_SSL3_METHOD318 DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return)319 #endif320 DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return)321 DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return)322 #if OPENSSL_VERSION_NUMBER >= 0x10001000L323 DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return)324 DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return)325 #endif326 #ifndef OPENSSL_NO_SSL2327 DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return)328 #endif329 #ifndef OPENSSL_NO_SSL3_METHOD330 DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return)331 #endif332 DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return)333 DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return)334 #if OPENSSL_VERSION_NUMBER >= 0x10001000L335 DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return)336 DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return)337 #endif338 #else339 #ifndef OPENSSL_NO_SSL2340 DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return)341 #endif342 #ifndef OPENSSL_NO_SSL3_METHOD343 DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return)344 #endif345 DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return)346 DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return)347 #ifndef OPENSSL_NO_SSL2348 DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return)349 #endif350 #ifndef OPENSSL_NO_SSL3_METHOD351 DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return)352 #endif353 DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return)354 DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return)355 #endif356 442 DEFINEFUNC3(int, SSL_write, SSL *a, a, const void *b, b, int c, c, return -1, return) 357 443 DEFINEFUNC2(int, X509_cmp, X509 *a, a, X509 *b, b, return -1, return) 444 DEFINEFUNC4(int, X509_digest, const X509 *x509, x509, const EVP_MD *type, type, unsigned char *md, md, unsigned int *len, len, return -1, return) 358 445 #ifndef SSLEAY_MACROS 359 446 DEFINEFUNC(X509 *, X509_dup, X509 *a, a, return 0, return) 360 447 #endif … … DEFINEFUNC2(int, ASN1_STRING_print, BIO *a, a, ASN1_STRING *b, b, return 0, retu 378 465 DEFINEFUNC2(int, X509_check_issued, X509 *a, a, X509 *b, b, return -1, return) 379 466 DEFINEFUNC(X509_NAME *, X509_get_issuer_name, X509 *a, a, return 0, return) 380 467 DEFINEFUNC(X509_NAME *, X509_get_subject_name, X509 *a, a, return 0, return) 468 DEFINEFUNC(ASN1_INTEGER *, X509_get_serialNumber, X509 *a, a, return 0, return) 381 469 DEFINEFUNC(int, X509_verify_cert, X509_STORE_CTX *a, a, return -1, return) 382 470 DEFINEFUNC(int, X509_NAME_entry_count, X509_NAME *a, a, return 0, return) 383 471 DEFINEFUNC2(X509_NAME_ENTRY *, X509_NAME_get_entry, X509_NAME *a, a, int b, b, return 0, return) … … DEFINEFUNC2(int, X509_STORE_CTX_set_purpose, X509_STORE_CTX *a, a, int b, b, ret 393 481 DEFINEFUNC(int, X509_STORE_CTX_get_error, X509_STORE_CTX *a, a, return -1, return) 394 482 DEFINEFUNC(int, X509_STORE_CTX_get_error_depth, X509_STORE_CTX *a, a, return -1, return) 395 483 DEFINEFUNC(X509 *, X509_STORE_CTX_get_current_cert, X509_STORE_CTX *a, a, return 0, return) 396 DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return)397 484 DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return 0, return) 398 #ifdef SSLEAY_MACROS399 DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return)400 DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return)401 #ifndef OPENSSL_NO_EC402 DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return)403 #endif404 DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return)405 DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return)406 #ifndef OPENSSL_NO_EC407 DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return)408 #endif409 #endif410 DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG)411 DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG)412 485 DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) 413 DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return)414 DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return)415 486 DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return) 416 487 DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return 0, return) 417 488 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) … … static QPair<QSystemLibrary*, QSystemLibrary*> loadOpenSslWin32() 629 700 pair.first = 0; 630 701 pair.second = 0; 631 702 703 #if QT_CONFIG(opensslv11) 704 // With OpenSSL 1.1 the names have changed to libssl-1_1(-x64) and libcrypto-1_1(-x64), for builds using 705 // MSVC and GCC, (-x64 suffix for 64-bit builds). 706 707 #ifdef Q_PROCESSOR_X86_64 708 #define QT_SSL_SUFFIX "-x64" 709 #else // !Q_PROCESSOFR_X86_64 710 #define QT_SSL_SUFFIX 711 #endif // !Q_PROCESSOR_x86_64 712 713 tryToLoadOpenSslWin32Library(QLatin1String("libssl-1_1" QT_SSL_SUFFIX), 714 QLatin1String("libcrypto-1_1" QT_SSL_SUFFIX), pair); 715 716 #undef QT_SSL_SUFFIX 717 718 #else // QT_CONFIG(opensslv11) 719 632 720 // When OpenSSL is built using MSVC then the libraries are named 'ssleay32.dll' and 'libeay32'dll'. 633 721 // When OpenSSL is built using GCC then different library names are used (depending on the OpenSSL version) 634 722 // The oldest version of a GCC-based OpenSSL which can be detected by the code below is 0.9.8g (released in 2007) … … static QPair<QSystemLibrary*, QSystemLibrary*> loadOpenSslWin32() 639 727 } 640 728 } 641 729 } 730 #endif // !QT_CONFIG(opensslv11) 642 731 643 732 return pair; 644 733 } … … static QPair<QLibrary*, QLibrary*> loadOpenSsl() 695 784 #ifndef Q_OS_DARWIN 696 785 // second attempt: find the development files libssl.so and libcrypto.so 697 786 // 698 // disabled on OS X/iOS:699 // OS X's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third787 // disabled on macOS/iOS: 788 // macOS's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third 700 789 // attempt, _after_ <bundle>/Contents/Frameworks has been searched. 701 790 // iOS does not ship a system libssl.dylib, libcrypto.dylib in the first place. 702 791 libssl->setFileNameAndVersion(QLatin1String("ssl"), -1); … … bool q_resolveOpenSslSymbols() 755 844 static bool symbolsResolved = false; 756 845 static bool triedToResolveSymbols = false; 757 846 #ifndef QT_NO_THREAD 847 #if QT_CONFIG(opensslv11) 848 QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_OPENSSL_init_ssl)); 849 #else 758 850 QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_SSL_library_init)); 851 #endif 759 852 #endif 760 853 if (symbolsResolved) 761 854 return true; … … bool q_resolveOpenSslSymbols() 772 865 // failed to load them 773 866 return false; 774 867 868 #if QT_CONFIG(opensslv11) 869 870 RESOLVEFUNC(OPENSSL_init_ssl) 871 RESOLVEFUNC(OPENSSL_init_crypto) 872 RESOLVEFUNC(ASN1_STRING_get0_data) 873 RESOLVEFUNC(EVP_CIPHER_CTX_reset) 874 RESOLVEFUNC(EVP_PKEY_base_id) 875 RESOLVEFUNC(RSA_bits) 876 RESOLVEFUNC(OPENSSL_sk_new_null) 877 RESOLVEFUNC(OPENSSL_sk_push) 878 RESOLVEFUNC(OPENSSL_sk_free) 879 RESOLVEFUNC(OPENSSL_sk_num) 880 RESOLVEFUNC(OPENSSL_sk_pop_free) 881 RESOLVEFUNC(OPENSSL_sk_value) 882 RESOLVEFUNC(DH_get0_pqg) 883 RESOLVEFUNC(SSL_CTX_set_options) 884 RESOLVEFUNC(SSL_get_client_random) 885 RESOLVEFUNC(SSL_SESSION_get_master_key) 886 RESOLVEFUNC(SSL_session_reused) 887 RESOLVEFUNC(SSL_get_session) 888 RESOLVEFUNC(CRYPTO_get_ex_new_index) 889 RESOLVEFUNC(TLS_method) 890 RESOLVEFUNC(TLS_client_method) 891 RESOLVEFUNC(TLS_server_method) 892 RESOLVEFUNC(X509_STORE_CTX_get0_chain) 893 RESOLVEFUNC(X509_getm_notBefore) 894 RESOLVEFUNC(X509_getm_notAfter) 895 RESOLVEFUNC(X509_get_version) 896 RESOLVEFUNC(X509_get_pubkey) 897 RESOLVEFUNC(X509_STORE_set_verify_cb) 898 RESOLVEFUNC(CRYPTO_free) 899 RESOLVEFUNC(OpenSSL_version_num) 900 RESOLVEFUNC(OpenSSL_version) 901 if (!_q_OpenSSL_version) { 902 // Apparently, we were built with OpenSSL 1.1 enabled but are now using 903 // a wrong library. 904 delete libs.first; 905 delete libs.second; 906 qCWarning(lcSsl, "Incompatible version of OpenSSL"); 907 return false; 908 } 909 910 RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint) 911 RESOLVEFUNC(DH_bits) 912 RESOLVEFUNC(DSA_bits) 913 914 #else // !opensslv11 915 916 RESOLVEFUNC(ASN1_STRING_data) 917 775 918 #ifdef SSLEAY_MACROS 776 919 RESOLVEFUNC(ASN1_dup) 920 #endif // SSLEAY_MACROS 921 RESOLVEFUNC(BIO_new_file) 922 RESOLVEFUNC(ERR_clear_error) 923 RESOLVEFUNC(CRYPTO_free) 924 RESOLVEFUNC(CRYPTO_num_locks) 925 RESOLVEFUNC(CRYPTO_set_id_callback) 926 RESOLVEFUNC(CRYPTO_set_locking_callback) 927 RESOLVEFUNC(ERR_peek_last_error) 928 RESOLVEFUNC(ERR_free_strings) 929 RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) 930 RESOLVEFUNC(EVP_CIPHER_CTX_init) 931 932 #ifdef SSLEAY_MACROS // ### verify 933 RESOLVEFUNC(PEM_ASN1_read_bio) 934 #endif // SSLEAY_MACROS 935 936 RESOLVEFUNC(sk_new_null) 937 RESOLVEFUNC(sk_push) 938 RESOLVEFUNC(sk_free) 939 RESOLVEFUNC(sk_num) 940 RESOLVEFUNC(sk_pop_free) 941 RESOLVEFUNC(sk_value) 942 RESOLVEFUNC(SSL_library_init) 943 RESOLVEFUNC(SSL_load_error_strings) 944 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 945 RESOLVEFUNC(SSL_get_ex_new_index) 946 #endif 947 #ifndef OPENSSL_NO_SSL2 948 RESOLVEFUNC(SSLv2_client_method) 949 #endif 950 #ifndef OPENSSL_NO_SSL3_METHOD 951 RESOLVEFUNC(SSLv3_client_method) 952 #endif 953 RESOLVEFUNC(SSLv23_client_method) 954 RESOLVEFUNC(TLSv1_client_method) 955 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 956 RESOLVEFUNC(TLSv1_1_client_method) 957 RESOLVEFUNC(TLSv1_2_client_method) 777 958 #endif 959 #ifndef OPENSSL_NO_SSL2 960 RESOLVEFUNC(SSLv2_server_method) 961 #endif 962 #ifndef OPENSSL_NO_SSL3_METHOD 963 RESOLVEFUNC(SSLv3_server_method) 964 #endif 965 RESOLVEFUNC(SSLv23_server_method) 966 RESOLVEFUNC(TLSv1_server_method) 967 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 968 RESOLVEFUNC(TLSv1_1_server_method) 969 RESOLVEFUNC(TLSv1_2_server_method) 970 #endif 971 RESOLVEFUNC(X509_STORE_CTX_get_chain) 972 #ifdef SSLEAY_MACROS 973 RESOLVEFUNC(i2d_DSAPrivateKey) 974 RESOLVEFUNC(i2d_RSAPrivateKey) 975 RESOLVEFUNC(d2i_DSAPrivateKey) 976 RESOLVEFUNC(d2i_RSAPrivateKey) 977 #endif 978 RESOLVEFUNC(CONF_get1_default_config_file) 979 RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) 980 RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) 981 RESOLVEFUNC(SSLeay) 982 983 if (!_q_SSLeay || q_SSLeay() >= 0x10100000L) { 984 // OpenSSL 1.1 has deprecated and removed SSLeay. We consider a failure to 985 // resolve this symbol as a failure to resolve symbols. 986 // The right operand of '||' above is ... a bit of paranoia. 987 delete libs.first; 988 delete libs.second; 989 qCWarning(lcSsl, "Incompatible version of OpenSSL"); 990 return false; 991 } 992 993 994 RESOLVEFUNC(SSLeay_version) 995 996 #ifndef OPENSSL_NO_EC 997 #if OPENSSL_VERSION_NUMBER >= 0x10002000L 998 if (q_SSLeay() >= 0x10002000L) 999 RESOLVEFUNC(EC_curve_nist2nid) 1000 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L 1001 #endif // OPENSSL_NO_EC 1002 1003 1004 #endif // !opensslv11 1005 778 1006 RESOLVEFUNC(ASN1_INTEGER_get) 779 RESOLVEFUNC(ASN1_STRING_data)780 1007 RESOLVEFUNC(ASN1_STRING_length) 781 1008 RESOLVEFUNC(ASN1_STRING_to_UTF8) 782 1009 RESOLVEFUNC(BIO_ctrl) … … bool q_resolveOpenSslSymbols() 795 1022 RESOLVEFUNC(BN_is_word) 796 1023 #endif 797 1024 RESOLVEFUNC(BN_mod_word) 798 RESOLVEFUNC(CRYPTO_free)799 RESOLVEFUNC(CRYPTO_num_locks)800 RESOLVEFUNC(CRYPTO_set_id_callback)801 RESOLVEFUNC(CRYPTO_set_locking_callback)802 1025 RESOLVEFUNC(DSA_new) 803 1026 RESOLVEFUNC(DSA_free) 804 1027 RESOLVEFUNC(ERR_error_string) 805 1028 RESOLVEFUNC(ERR_get_error) 806 RESOLVEFUNC(ERR_free_strings) 807 RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) 808 RESOLVEFUNC(EVP_CIPHER_CTX_init) 1029 RESOLVEFUNC(EVP_CIPHER_CTX_new) 1030 RESOLVEFUNC(EVP_CIPHER_CTX_free) 809 1031 RESOLVEFUNC(EVP_CIPHER_CTX_ctrl) 810 1032 RESOLVEFUNC(EVP_CIPHER_CTX_set_key_length) 811 1033 RESOLVEFUNC(EVP_CipherInit) 1034 RESOLVEFUNC(EVP_CipherInit_ex) 812 1035 RESOLVEFUNC(EVP_CipherUpdate) 813 1036 RESOLVEFUNC(EVP_CipherFinal) 814 1037 RESOLVEFUNC(EVP_des_cbc) 815 1038 RESOLVEFUNC(EVP_des_ede3_cbc) 816 1039 RESOLVEFUNC(EVP_rc2_cbc) 1040 RESOLVEFUNC(EVP_sha1) 817 1041 RESOLVEFUNC(EVP_PKEY_assign) 818 1042 RESOLVEFUNC(EVP_PKEY_set1_RSA) 819 1043 RESOLVEFUNC(EVP_PKEY_set1_DSA) … … bool q_resolveOpenSslSymbols() 835 1059 RESOLVEFUNC(i2t_ASN1_OBJECT) 836 1060 RESOLVEFUNC(OBJ_obj2txt) 837 1061 RESOLVEFUNC(OBJ_obj2nid) 838 #ifdef SSLEAY_MACROS // ### verify 839 RESOLVEFUNC(PEM_ASN1_read_bio) 840 #else 1062 1063 #ifndef SSLEAY_MACROS 841 1064 RESOLVEFUNC(PEM_read_bio_PrivateKey) 842 1065 RESOLVEFUNC(PEM_read_bio_DSAPrivateKey) 843 1066 RESOLVEFUNC(PEM_read_bio_RSAPrivateKey) … … bool q_resolveOpenSslSymbols() 850 1073 #ifndef OPENSSL_NO_EC 851 1074 RESOLVEFUNC(PEM_write_bio_ECPrivateKey) 852 1075 #endif 853 #endif 1076 #endif // !SSLEAY_MACROS 1077 854 1078 RESOLVEFUNC(PEM_read_bio_PUBKEY) 855 1079 RESOLVEFUNC(PEM_read_bio_DSA_PUBKEY) 856 1080 RESOLVEFUNC(PEM_read_bio_RSA_PUBKEY) … … bool q_resolveOpenSslSymbols() 866 1090 RESOLVEFUNC(RAND_status) 867 1091 RESOLVEFUNC(RSA_new) 868 1092 RESOLVEFUNC(RSA_free) 869 RESOLVEFUNC(sk_new_null)870 RESOLVEFUNC(sk_push)871 RESOLVEFUNC(sk_free)872 RESOLVEFUNC(sk_num)873 RESOLVEFUNC(sk_pop_free)874 RESOLVEFUNC(sk_value)875 1093 RESOLVEFUNC(SSL_CIPHER_description) 876 1094 RESOLVEFUNC(SSL_CIPHER_get_bits) 877 1095 RESOLVEFUNC(SSL_CTX_check_private_key) … … bool q_resolveOpenSslSymbols() 899 1117 RESOLVEFUNC(SSL_get_peer_cert_chain) 900 1118 RESOLVEFUNC(SSL_get_peer_certificate) 901 1119 RESOLVEFUNC(SSL_get_verify_result) 902 RESOLVEFUNC(SSL_library_init)903 RESOLVEFUNC(SSL_load_error_strings)904 1120 RESOLVEFUNC(SSL_new) 905 1121 RESOLVEFUNC(SSL_ctrl) 906 1122 RESOLVEFUNC(SSL_read) … … bool q_resolveOpenSslSymbols() 913 1129 RESOLVEFUNC(SSL_get1_session) 914 1130 RESOLVEFUNC(SSL_get_session) 915 1131 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 916 RESOLVEFUNC(SSL_get_ex_new_index)917 1132 RESOLVEFUNC(SSL_set_ex_data) 918 1133 RESOLVEFUNC(SSL_get_ex_data) 919 1134 #endif … … bool q_resolveOpenSslSymbols() 923 1138 RESOLVEFUNC(SSL_CTX_use_psk_identity_hint) 924 1139 #endif 925 1140 RESOLVEFUNC(SSL_write) 926 #ifndef OPENSSL_NO_SSL2927 RESOLVEFUNC(SSLv2_client_method)928 #endif929 #ifndef OPENSSL_NO_SSL3_METHOD930 RESOLVEFUNC(SSLv3_client_method)931 #endif932 RESOLVEFUNC(SSLv23_client_method)933 RESOLVEFUNC(TLSv1_client_method)934 #if OPENSSL_VERSION_NUMBER >= 0x10001000L935 RESOLVEFUNC(TLSv1_1_client_method)936 RESOLVEFUNC(TLSv1_2_client_method)937 #endif938 #ifndef OPENSSL_NO_SSL2939 RESOLVEFUNC(SSLv2_server_method)940 #endif941 #ifndef OPENSSL_NO_SSL3_METHOD942 RESOLVEFUNC(SSLv3_server_method)943 #endif944 RESOLVEFUNC(SSLv23_server_method)945 RESOLVEFUNC(TLSv1_server_method)946 #if OPENSSL_VERSION_NUMBER >= 0x10001000L947 RESOLVEFUNC(TLSv1_1_server_method)948 RESOLVEFUNC(TLSv1_2_server_method)949 #endif950 1141 RESOLVEFUNC(X509_NAME_entry_count) 951 1142 RESOLVEFUNC(X509_NAME_get_entry) 952 1143 RESOLVEFUNC(X509_NAME_ENTRY_get_data) … … bool q_resolveOpenSslSymbols() 962 1153 RESOLVEFUNC(X509_STORE_CTX_get_error) 963 1154 RESOLVEFUNC(X509_STORE_CTX_get_error_depth) 964 1155 RESOLVEFUNC(X509_STORE_CTX_get_current_cert) 965 RESOLVEFUNC(X509_STORE_CTX_get_chain)966 1156 RESOLVEFUNC(X509_cmp) 967 1157 #ifndef SSLEAY_MACROS 968 1158 RESOLVEFUNC(X509_dup) 969 1159 #endif 970 1160 RESOLVEFUNC(X509_print) 1161 RESOLVEFUNC(X509_digest) 971 1162 RESOLVEFUNC(X509_EXTENSION_get_object) 972 1163 RESOLVEFUNC(X509_free) 973 1164 RESOLVEFUNC(X509_get_ext) … … bool q_resolveOpenSslSymbols() 983 1174 RESOLVEFUNC(X509_check_issued) 984 1175 RESOLVEFUNC(X509_get_issuer_name) 985 1176 RESOLVEFUNC(X509_get_subject_name) 1177 RESOLVEFUNC(X509_get_serialNumber) 986 1178 RESOLVEFUNC(X509_verify_cert) 987 1179 RESOLVEFUNC(d2i_X509) 988 1180 RESOLVEFUNC(i2d_X509) 989 #ifdef SSLEAY_MACROS990 RESOLVEFUNC(i2d_DSAPrivateKey)991 RESOLVEFUNC(i2d_RSAPrivateKey)992 RESOLVEFUNC(d2i_DSAPrivateKey)993 RESOLVEFUNC(d2i_RSAPrivateKey)994 #endif995 RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf)996 RESOLVEFUNC(OPENSSL_add_all_algorithms_conf)997 1181 RESOLVEFUNC(SSL_CTX_load_verify_locations) 998 RESOLVEFUNC(SSLeay)999 RESOLVEFUNC(SSLeay_version)1000 1182 RESOLVEFUNC(i2d_SSL_SESSION) 1001 1183 RESOLVEFUNC(d2i_SSL_SESSION) 1002 1184 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) … … bool q_resolveOpenSslSymbols() 1020 1202 RESOLVEFUNC(EC_KEY_new_by_curve_name) 1021 1203 RESOLVEFUNC(EC_KEY_free) 1022 1204 RESOLVEFUNC(EC_get_builtin_curves) 1023 #if OPENSSL_VERSION_NUMBER >= 0x10002000L1024 if (q_SSLeay() >= 0x10002000L)1025 RESOLVEFUNC(EC_curve_nist2nid)1026 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L1027 1205 #endif // OPENSSL_NO_EC 1028 1206 RESOLVEFUNC(PKCS12_parse) 1029 1207 RESOLVEFUNC(d2i_PKCS12_bio) 1030 1208 RESOLVEFUNC(PKCS12_free) 1031 1209 1210 symbolsResolved = true; 1032 1211 delete libs.first; 1033 1212 delete libs.second; 1034 if (!_q_SSLeay || q_SSLeay() >= 0x10100000L) {1035 // OpenSSL 1.1 deprecated and removed SSLeay. We consider a failure to1036 // resolve this symbol as a failure to resolve symbols.1037 // The right operand of '||' above ... a bit of paranoia.1038 qCWarning(lcSsl, "Incompatible version of OpenSSL");1039 return false;1040 }1041 1042 symbolsResolved = true;1043 1044 1213 return true; 1045 1214 } 1046 1215 #endif // QT_CONFIG(library) -
qtbase/src/network/ssl/qsslsocket_openssl_symbols_p.h
diff --git a/qtbase/src/network/ssl/qsslsocket_openssl_symbols_p.h b/qtbase/src/network/ssl/qsslsocket_openssl_symbols_p.h index b35a895d38112aac796f7b48f2bcabd88a7bf04b..796bf2d4f5982c92bccde5eaca51f041e4420eb6 100644
a b 1 1 /**************************************************************************** 2 2 ** 3 ** Copyright (C) 201 6The Qt Company Ltd.3 ** Copyright (C) 2017 The Qt Company Ltd. 4 4 ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. 5 5 ** Contact: https://www.qt.io/licensing/ 6 6 ** … … 56 56 #ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H 57 57 #define QSSLSOCKET_OPENSSL_SYMBOLS_P_H 58 58 59 59 60 // 60 61 // W A R N I N G 61 62 // ------------- … … QT_BEGIN_NAMESPACE 215 216 216 217 #endif // !defined QT_LINKED_OPENSSL 217 218 219 #if QT_CONFIG(opensslv11) 220 #include "qsslsocket_openssl11_symbols_p.h" 221 #else 222 #include "qsslsocket_opensslpre11_symbols_p.h" 223 #endif // QT_CONFIG 224 218 225 bool q_resolveOpenSslSymbols(); 219 226 long q_ASN1_INTEGER_get(ASN1_INTEGER *a); 220 unsigned char * q_ASN1_STRING_data(ASN1_STRING *a);221 227 int q_ASN1_STRING_length(ASN1_STRING *a); 222 228 int q_ASN1_STRING_to_UTF8(unsigned char **a, ASN1_STRING *b); 223 229 long q_BIO_ctrl(BIO *a, int b, long c, void *d); 224 230 Q_AUTOTEST_EXPORT int q_BIO_free(BIO *a); 225 Q_AUTOTEST_EXPORT BIO *q_BIO_new(BIO_METHOD *a);226 231 BIO *q_BIO_new_mem_buf(void *a, int b); 227 232 int q_BIO_read(BIO *a, void *b, int c); 228 Q_AUTOTEST_EXPORT BIO_METHOD *q_BIO_s_mem();229 233 Q_AUTOTEST_EXPORT int q_BIO_write(BIO *a, const void *b, int c); 230 234 int q_BN_num_bits(const BIGNUM *a); 231 235 #if OPENSSL_VERSION_NUMBER >= 0x10100000L … … BN_ULONG q_BN_mod_word(const BIGNUM *a, BN_ULONG w); 247 251 const EC_GROUP* q_EC_KEY_get0_group(const EC_KEY* k); 248 252 int q_EC_GROUP_get_degree(const EC_GROUP* g); 249 253 #endif 250 int q_CRYPTO_num_locks();251 void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int));252 void q_CRYPTO_set_id_callback(unsigned long (*a)());253 void q_CRYPTO_free(void *a);254 254 DSA *q_DSA_new(); 255 255 void q_DSA_free(DSA *a); 256 256 X509 *q_d2i_X509(X509 **a, const unsigned char **b, long c); 257 257 char *q_ERR_error_string(unsigned long a, char *b); 258 258 unsigned long q_ERR_get_error(); 259 void q_ERR_free_strings(); 260 void q_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); 261 void q_EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); 259 EVP_CIPHER_CTX *q_EVP_CIPHER_CTX_new(); 260 void q_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *a); 262 261 int q_EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); 263 262 int q_EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); 264 263 int q_EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *key, const unsigned char *iv, int enc); 264 int q_EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); 265 265 int q_EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); 266 266 int q_EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); 267 267 const EVP_CIPHER *q_EVP_des_cbc(); 268 268 const EVP_CIPHER *q_EVP_des_ede3_cbc(); 269 269 const EVP_CIPHER *q_EVP_rc2_cbc(); 270 const EVP_MD *q_EVP_sha1(); 270 271 int q_EVP_PKEY_assign(EVP_PKEY *a, int b, char *c); 271 272 Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_RSA(EVP_PKEY *a, RSA *b); 272 273 int q_EVP_PKEY_set1_DSA(EVP_PKEY *a, DSA *b); … … int q_PEM_write_bio_RSAPrivateKey(BIO *a, RSA *b, const EVP_CIPHER *c, unsigned 310 311 int q_PEM_write_bio_ECPrivateKey(BIO *a, EC_KEY *b, const EVP_CIPHER *c, unsigned char *d, 311 312 int e, pem_password_cb *f, void *g); 312 313 #endif 313 #endif 314 #endif // SSLEAY_MACROS 314 315 Q_AUTOTEST_EXPORT EVP_PKEY *q_PEM_read_bio_PUBKEY(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); 315 316 DSA *q_PEM_read_bio_DSA_PUBKEY(BIO *a, DSA **b, pem_password_cb *c, void *d); 316 317 RSA *q_PEM_read_bio_RSA_PUBKEY(BIO *a, RSA **b, pem_password_cb *c, void *d); … … void q_RAND_seed(const void *a, int b); 326 327 int q_RAND_status(); 327 328 RSA *q_RSA_new(); 328 329 void q_RSA_free(RSA *a); 329 int q_sk_num(STACK *a);330 void q_sk_pop_free(STACK *a, void (*b)(void *));331 #if OPENSSL_VERSION_NUMBER >= 0x10000000L332 _STACK *q_sk_new_null();333 void q_sk_push(_STACK *st, void *data);334 void q_sk_free(_STACK *a);335 void * q_sk_value(STACK *a, int b);336 #else337 STACK *q_sk_new_null();338 void q_sk_push(STACK *st, char *data);339 void q_sk_free(STACK *a);340 char * q_sk_value(STACK *a, int b);341 #endif342 330 int q_SSL_accept(SSL *a); 343 331 int q_SSL_clear(SSL *a); 344 char *q_SSL_CIPHER_description( SSL_CIPHER *a, char *b, int c);345 int q_SSL_CIPHER_get_bits( SSL_CIPHER *a, int *b);332 char *q_SSL_CIPHER_description(const SSL_CIPHER *a, char *b, int c); 333 int q_SSL_CIPHER_get_bits(const SSL_CIPHER *a, int *b); 346 334 int q_SSL_connect(SSL *a); 347 335 int q_SSL_CTX_check_private_key(const SSL_CTX *a); 348 336 long q_SSL_CTX_ctrl(SSL_CTX *a, int b, long c, void *d); … … int q_SSL_get_error(SSL *a, int b); 374 362 STACK_OF(X509) *q_SSL_get_peer_cert_chain(SSL *a); 375 363 X509 *q_SSL_get_peer_certificate(SSL *a); 376 364 long q_SSL_get_verify_result(const SSL *a); 377 int q_SSL_library_init();378 void q_SSL_load_error_strings();379 365 SSL *q_SSL_new(SSL_CTX *a); 380 366 long q_SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg); 381 367 int q_SSL_read(SSL *a, void *b, int c); … … void q_SSL_SESSION_free(SSL_SESSION *ses); 388 374 SSL_SESSION *q_SSL_get1_session(SSL *ssl); 389 375 SSL_SESSION *q_SSL_get_session(const SSL *ssl); 390 376 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 391 int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);392 377 int q_SSL_set_ex_data(SSL *ssl, int idx, void *arg); 393 378 void *q_SSL_get_ex_data(const SSL *ssl, int idx); 394 379 #endif … … typedef unsigned int (*q_psk_server_callback_t)(SSL *ssl, const char *identity, 399 384 void q_SSL_set_psk_server_callback(SSL *ssl, q_psk_server_callback_t callback); 400 385 int q_SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint); 401 386 #endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) 402 #if OPENSSL_VERSION_NUMBER >= 0x10000000L403 #ifndef OPENSSL_NO_SSL2404 const SSL_METHOD *q_SSLv2_client_method();405 #endif406 #ifndef OPENSSL_NO_SSL3_METHOD407 const SSL_METHOD *q_SSLv3_client_method();408 #endif409 const SSL_METHOD *q_SSLv23_client_method();410 const SSL_METHOD *q_TLSv1_client_method();411 const SSL_METHOD *q_TLSv1_1_client_method();412 const SSL_METHOD *q_TLSv1_2_client_method();413 #ifndef OPENSSL_NO_SSL2414 const SSL_METHOD *q_SSLv2_server_method();415 #endif416 #ifndef OPENSSL_NO_SSL3_METHOD417 const SSL_METHOD *q_SSLv3_server_method();418 #endif419 const SSL_METHOD *q_SSLv23_server_method();420 const SSL_METHOD *q_TLSv1_server_method();421 const SSL_METHOD *q_TLSv1_1_server_method();422 const SSL_METHOD *q_TLSv1_2_server_method();423 #else424 #ifndef OPENSSL_NO_SSL2425 SSL_METHOD *q_SSLv2_client_method();426 #endif427 #ifndef OPENSSL_NO_SSL3_METHOD428 SSL_METHOD *q_SSLv3_client_method();429 #endif430 SSL_METHOD *q_SSLv23_client_method();431 SSL_METHOD *q_TLSv1_client_method();432 SSL_METHOD *q_TLSv1_1_client_method();433 SSL_METHOD *q_TLSv1_2_client_method();434 #ifndef OPENSSL_NO_SSL2435 SSL_METHOD *q_SSLv2_server_method();436 #endif437 #ifndef OPENSSL_NO_SSL3_METHOD438 SSL_METHOD *q_SSLv3_server_method();439 #endif440 SSL_METHOD *q_SSLv23_server_method();441 SSL_METHOD *q_TLSv1_server_method();442 SSL_METHOD *q_TLSv1_1_server_method();443 SSL_METHOD *q_TLSv1_2_server_method();444 #endif445 387 int q_SSL_write(SSL *a, const void *b, int c); 446 388 int q_X509_cmp(X509 *a, X509 *b); 447 389 #ifdef SSLEAY_MACROS … … void *q_ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x); 452 394 X509 *q_X509_dup(X509 *a); 453 395 #endif 454 396 void q_X509_print(BIO *a, X509*b); 397 int q_X509_digest(const X509 *x509, const EVP_MD *type, unsigned char *md, unsigned int *len); 455 398 ASN1_OBJECT *q_X509_EXTENSION_get_object(X509_EXTENSION *a); 456 399 void q_X509_free(X509 *a); 457 400 X509_EXTENSION *q_X509_get_ext(X509 *a, int b); … … int q_ASN1_STRING_print(BIO *a, ASN1_STRING *b); 471 414 int q_X509_check_issued(X509 *a, X509 *b); 472 415 X509_NAME *q_X509_get_issuer_name(X509 *a); 473 416 X509_NAME *q_X509_get_subject_name(X509 *a); 417 ASN1_INTEGER *q_X509_get_serialNumber(X509 *a); 474 418 int q_X509_verify_cert(X509_STORE_CTX *ctx); 475 419 int q_X509_NAME_entry_count(X509_NAME *a); 476 420 X509_NAME_ENTRY *q_X509_NAME_get_entry(X509_NAME *a,int b); … … int q_X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); 488 432 int q_X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); 489 433 int q_X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); 490 434 X509 *q_X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); 491 STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);492 435 493 436 // Diffie-Hellman support 494 437 DH *q_DH_new(); … … int q_PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, 522 465 PKCS12 *q_d2i_PKCS12_bio(BIO *bio, PKCS12 **pkcs12); 523 466 void q_PKCS12_free(PKCS12 *pkcs12); 524 467 525 526 468 #define q_BIO_get_mem_data(b, pp) (int)q_BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp) 527 469 #define q_BIO_pending(b) (int)q_BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL) 528 #ifdef SSLEAY_MACROS529 int q_i2d_DSAPrivateKey(const DSA *a, unsigned char **pp);530 int q_i2d_RSAPrivateKey(const RSA *a, unsigned char **pp);531 RSA *q_d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);532 DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);533 #define q_PEM_read_bio_RSAPrivateKey(bp, x, cb, u) \534 (RSA *)q_PEM_ASN1_read_bio( \535 (void *(*)(void**, const unsigned char**, long int))q_d2i_RSAPrivateKey, PEM_STRING_RSA, bp, (void **)x, cb, u)536 #define q_PEM_read_bio_DSAPrivateKey(bp, x, cb, u) \537 (DSA *)q_PEM_ASN1_read_bio( \538 (void *(*)(void**, const unsigned char**, long int))q_d2i_DSAPrivateKey, PEM_STRING_DSA, bp, (void **)x, cb, u)539 #define q_PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \540 PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_RSAPrivateKey,PEM_STRING_RSA,\541 bp,(char *)x,enc,kstr,klen,cb,u)542 #define q_PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \543 PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_DSAPrivateKey,PEM_STRING_DSA,\544 bp,(char *)x,enc,kstr,klen,cb,u)545 #define q_PEM_read_bio_DHparams(bp, dh, cb, u) \546 (DH *)q_PEM_ASN1_read_bio( \547 (void *(*)(void**, const unsigned char**, long int))q_d2i_DHparams, PEM_STRING_DHPARAMS, bp, (void **)x, cb, u)548 #endif549 #define q_SSL_CTX_set_options(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)550 470 #define q_SSL_CTX_set_mode(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) 551 #define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st)552 #define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i)553 471 #define q_sk_GENERAL_NAME_num(st) q_SKM_sk_num(GENERAL_NAME, (st)) 554 472 #define q_sk_GENERAL_NAME_value(st, i) q_SKM_sk_value(GENERAL_NAME, (st), (i)) 555 473 #define q_sk_X509_num(st) q_SKM_sk_num(X509, (st)) … … DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); 558 476 #define q_sk_SSL_CIPHER_value(st, i) q_SKM_sk_value(SSL_CIPHER, (st), (i)) 559 477 #define q_SSL_CTX_add_extra_chain_cert(ctx,x509) \ 560 478 q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) 561 #define q_X509_get_notAfter(x) X509_get_notAfter(x)562 #define q_X509_get_notBefore(x) X509_get_notBefore(x)563 479 #define q_EVP_PKEY_assign_RSA(pkey,rsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ 564 480 (char *)(rsa)) 565 481 #define q_EVP_PKEY_assign_DSA(pkey,dsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ 566 482 (char *)(dsa)) 567 483 #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf() 568 void q_OPENSSL_add_all_algorithms_noconf();569 void q_OPENSSL_add_all_algorithms_conf();570 484 int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); 571 long q_SSLeay();572 const char *q_SSLeay_version(int type);573 485 int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); 574 486 SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); 575 487 -
new file qtbase/src/network/ssl/qsslsocket_opensslpre11.cpp
diff --git a/qtbase/src/network/ssl/qsslsocket_opensslpre11.cpp b/qtbase/src/network/ssl/qsslsocket_opensslpre11.cpp new file mode 100644 index 0000000000000000000000000000000000000000..e51888c5f2407eec914765fea174215da8a511cd
- + 1 /**************************************************************************** 2 ** 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2014 Governikus GmbH & Co. KG 5 ** Contact: https://www.qt.io/licensing/ 6 ** 7 ** This file is part of the QtNetwork module of the Qt Toolkit. 8 ** 9 ** $QT_BEGIN_LICENSE:LGPL$ 10 ** Commercial License Usage 11 ** Licensees holding valid commercial Qt licenses may use this file in 12 ** accordance with the commercial license agreement provided with the 13 ** Software or, alternatively, in accordance with the terms contained in 14 ** a written agreement between you and The Qt Company. For licensing terms 15 ** and conditions see https://www.qt.io/terms-conditions. For further 16 ** information use the contact form at https://www.qt.io/contact-us. 17 ** 18 ** GNU Lesser General Public License Usage 19 ** Alternatively, this file may be used under the terms of the GNU Lesser 20 ** General Public License version 3 as published by the Free Software 21 ** Foundation and appearing in the file LICENSE.LGPL3 included in the 22 ** packaging of this file. Please review the following information to 23 ** ensure the GNU Lesser General Public License version 3 requirements 24 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. 25 ** 26 ** GNU General Public License Usage 27 ** Alternatively, this file may be used under the terms of the GNU 28 ** General Public License version 2.0 or (at your option) the GNU General 29 ** Public license version 3 or any later version approved by the KDE Free 30 ** Qt Foundation. The licenses are as published by the Free Software 31 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 32 ** included in the packaging of this file. Please review the following 33 ** information to ensure the GNU General Public License requirements will 34 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and 35 ** https://www.gnu.org/licenses/gpl-3.0.html. 36 ** 37 ** $QT_END_LICENSE$ 38 ** 39 ****************************************************************************/ 40 41 /**************************************************************************** 42 ** 43 ** In addition, as a special exception, the copyright holders listed above give 44 ** permission to link the code of its release of Qt with the OpenSSL project's 45 ** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the 46 ** same license as the original version), and distribute the linked executables. 47 ** 48 ** You must comply with the GNU General Public License version 2 in all 49 ** respects for all of the code used other than the "OpenSSL" code. If you 50 ** modify this file, you may extend this exception to your version of the file, 51 ** but you are not obligated to do so. If you do not wish to do so, delete 52 ** this exception statement from your version of this file. 53 ** 54 ****************************************************************************/ 55 56 //#define QT_DECRYPT_SSL_TRAFFIC 57 58 #include "qssl_p.h" 59 #include "qsslsocket_openssl_p.h" 60 #include "qsslsocket_openssl_symbols_p.h" 61 #include "qsslsocket.h" 62 #include "qsslkey.h" 63 64 #include <QtCore/qdebug.h> 65 #include <QtCore/qdir.h> 66 #include <QtCore/qdiriterator.h> 67 #include <QtCore/qthread.h> 68 #include <QtCore/qfile.h> 69 #include <QtCore/qmutex.h> 70 #include <QtCore/qlibrary.h> 71 72 QT_BEGIN_NAMESPACE 73 74 /* \internal 75 76 From OpenSSL's thread(3) manual page: 77 78 OpenSSL can safely be used in multi-threaded applications provided that at 79 least two callback functions are set. 80 81 locking_function(int mode, int n, const char *file, int line) is needed to 82 perform locking on shared data structures. (Note that OpenSSL uses a 83 number of global data structures that will be implicitly shared 84 whenever multiple threads use OpenSSL.) Multi-threaded 85 applications will crash at random if it is not set. ... 86 ... 87 id_function(void) is a function that returns a thread ID. It is not 88 needed on Windows nor on platforms where getpid() returns a different 89 ID for each thread (most notably Linux) 90 */ 91 92 class QOpenSslLocks 93 { 94 public: 95 QOpenSslLocks() 96 : initLocker(QMutex::Recursive), 97 locksLocker(QMutex::Recursive) 98 { 99 QMutexLocker locker(&locksLocker); 100 int numLocks = q_CRYPTO_num_locks(); 101 locks = new QMutex *[numLocks]; 102 memset(locks, 0, numLocks * sizeof(QMutex *)); 103 } 104 ~QOpenSslLocks() 105 { 106 QMutexLocker locker(&locksLocker); 107 for (int i = 0; i < q_CRYPTO_num_locks(); ++i) 108 delete locks[i]; 109 delete [] locks; 110 111 QSslSocketPrivate::deinitialize(); 112 } 113 QMutex *lock(int num) 114 { 115 QMutexLocker locker(&locksLocker); 116 QMutex *tmp = locks[num]; 117 if (!tmp) 118 tmp = locks[num] = new QMutex(QMutex::Recursive); 119 return tmp; 120 } 121 122 QMutex *globalLock() 123 { 124 return &locksLocker; 125 } 126 127 QMutex *initLock() 128 { 129 return &initLocker; 130 } 131 132 private: 133 QMutex initLocker; 134 QMutex locksLocker; 135 QMutex **locks; 136 }; 137 138 Q_GLOBAL_STATIC(QOpenSslLocks, openssl_locks) 139 140 extern "C" { 141 static void locking_function(int mode, int lockNumber, const char *, int) 142 { 143 QMutex *mutex = openssl_locks()->lock(lockNumber); 144 145 // Lock or unlock it 146 if (mode & CRYPTO_LOCK) 147 mutex->lock(); 148 else 149 mutex->unlock(); 150 } 151 static unsigned long id_function() 152 { 153 return (quintptr)QThread::currentThreadId(); 154 } 155 156 } // extern "C" 157 158 static void q_OpenSSL_add_all_algorithms_safe() 159 { 160 #ifdef Q_OS_WIN 161 // Prior to version 1.0.1m an attempt to call OpenSSL_add_all_algorithms on 162 // Windows could result in 'exit' call from OPENSSL_config (QTBUG-43843). 163 // We can predict this and avoid OPENSSL_add_all_algorithms call. 164 // From OpenSSL docs: 165 // "An application does not need to add algorithms to use them explicitly, 166 // for example by EVP_sha1(). It just needs to add them if it (or any of 167 // the functions it calls) needs to lookup algorithms. 168 // The cipher and digest lookup functions are used in many parts of the 169 // library. If the table is not initialized several functions will 170 // misbehave and complain they cannot find algorithms. This includes the 171 // PEM, PKCS#12, SSL and S/MIME libraries. This is a common query in 172 // the OpenSSL mailing lists." 173 // 174 // Anyway, as a result, we chose not to call this function if it would exit. 175 176 if (q_SSLeay() < 0x100010DFL) 177 { 178 // Now, before we try to call it, check if an attempt to open config file 179 // will result in exit: 180 if (char *confFileName = q_CONF_get1_default_config_file()) { 181 BIO *confFile = q_BIO_new_file(confFileName, "r"); 182 const auto lastError = q_ERR_peek_last_error(); 183 q_CRYPTO_free(confFileName); 184 if (confFile) { 185 q_BIO_free(confFile); 186 } else { 187 q_ERR_clear_error(); 188 if (ERR_GET_REASON(lastError) == ERR_R_SYS_LIB) { 189 qCWarning(lcSsl, "failed to open openssl.conf file"); 190 return; 191 } 192 } 193 } 194 } 195 #endif // Q_OS_WIN 196 197 q_OpenSSL_add_all_algorithms(); 198 } 199 200 201 /*! 202 \internal 203 */ 204 void QSslSocketPrivate::deinitialize() 205 { 206 q_CRYPTO_set_id_callback(0); 207 q_CRYPTO_set_locking_callback(0); 208 q_ERR_free_strings(); 209 } 210 211 212 bool QSslSocketPrivate::ensureLibraryLoaded() 213 { 214 if (!q_resolveOpenSslSymbols()) 215 return false; 216 217 // Check if the library itself needs to be initialized. 218 QMutexLocker locker(openssl_locks()->initLock()); 219 220 if (!s_libraryLoaded) { 221 s_libraryLoaded = true; 222 223 // Initialize OpenSSL. 224 q_CRYPTO_set_id_callback(id_function); 225 q_CRYPTO_set_locking_callback(locking_function); 226 if (q_SSL_library_init() != 1) 227 return false; 228 q_SSL_load_error_strings(); 229 q_OpenSSL_add_all_algorithms_safe(); 230 231 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 232 if (q_SSLeay() >= 0x10001000L) 233 QSslSocketBackendPrivate::s_indexForSSLExtraData = q_SSL_get_ex_new_index(0L, NULL, NULL, NULL, NULL); 234 #endif 235 236 // Initialize OpenSSL's random seed. 237 if (!q_RAND_status()) { 238 qWarning("Random number generator not seeded, disabling SSL support"); 239 return false; 240 } 241 } 242 return true; 243 } 244 245 void QSslSocketPrivate::ensureCiphersAndCertsLoaded() 246 { 247 QMutexLocker locker(openssl_locks()->initLock()); 248 if (s_loadedCiphersAndCerts) 249 return; 250 s_loadedCiphersAndCerts = true; 251 252 resetDefaultCiphers(); 253 resetDefaultEllipticCurves(); 254 255 #if QT_CONFIG(library) 256 //load symbols needed to receive certificates from system store 257 #if defined(Q_OS_WIN) 258 HINSTANCE hLib = LoadLibraryW(L"Crypt32"); 259 if (hLib) { 260 ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); 261 ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); 262 ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); 263 if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) 264 qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen 265 } else { 266 qCWarning(lcSsl, "could not load crypt32 library"); // should never happen 267 } 268 #elif defined(Q_OS_QNX) 269 s_loadRootCertsOnDemand = true; 270 #elif defined(Q_OS_UNIX) && !defined(Q_OS_MACOS) 271 // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) 272 QList<QByteArray> dirs = unixRootCertDirectories(); 273 QStringList symLinkFilter; 274 symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); 275 for (int a = 0; a < dirs.count(); ++a) { 276 QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); 277 if (iterator.hasNext()) { 278 s_loadRootCertsOnDemand = true; 279 break; 280 } 281 } 282 #endif 283 #endif // QT_CONFIG(library) 284 // if on-demand loading was not enabled, load the certs now 285 if (!s_loadRootCertsOnDemand) 286 setDefaultCaCertificates(systemCaCertificates()); 287 #ifdef Q_OS_WIN 288 //Enabled for fetching additional root certs from windows update on windows 6+ 289 //This flag is set false by setDefaultCaCertificates() indicating the app uses 290 //its own cert bundle rather than the system one. 291 //Same logic that disables the unix on demand cert loading. 292 //Unlike unix, we do preload the certificates from the cert store. 293 if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) 294 s_loadRootCertsOnDemand = true; 295 #endif 296 } 297 298 long QSslSocketPrivate::sslLibraryVersionNumber() 299 { 300 if (!supportsSsl()) 301 return 0; 302 303 return q_SSLeay(); 304 } 305 306 QString QSslSocketPrivate::sslLibraryVersionString() 307 { 308 if (!supportsSsl()) 309 return QString(); 310 311 const char *versionString = q_SSLeay_version(SSLEAY_VERSION); 312 if (!versionString) 313 return QString(); 314 315 return QString::fromLatin1(versionString); 316 } 317 318 void QSslSocketBackendPrivate::continueHandshake() 319 { 320 Q_Q(QSslSocket); 321 // if we have a max read buffer size, reset the plain socket's to match 322 if (readBufferMaxSize) 323 plainSocket->setReadBufferSize(readBufferMaxSize); 324 325 if (q_SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)) 326 configuration.peerSessionShared = true; 327 328 #ifdef QT_DECRYPT_SSL_TRAFFIC 329 if (ssl->session && ssl->s3) { 330 const char *mk = reinterpret_cast<const char *>(ssl->session->master_key); 331 QByteArray masterKey(mk, ssl->session->master_key_length); 332 const char *random = reinterpret_cast<const char *>(ssl->s3->client_random); 333 QByteArray clientRandom(random, SSL3_RANDOM_SIZE); 334 335 // different format, needed for e.g. older Wireshark versions: 336 // const char *sid = reinterpret_cast<const char *>(ssl->session->session_id); 337 // QByteArray sessionID(sid, ssl->session->session_id_length); 338 // QByteArray debugLineRSA("RSA Session-ID:"); 339 // debugLineRSA.append(sessionID.toHex().toUpper()); 340 // debugLineRSA.append(" Master-Key:"); 341 // debugLineRSA.append(masterKey.toHex().toUpper()); 342 // debugLineRSA.append("\n"); 343 344 QByteArray debugLineClientRandom("CLIENT_RANDOM "); 345 debugLineClientRandom.append(clientRandom.toHex().toUpper()); 346 debugLineClientRandom.append(" "); 347 debugLineClientRandom.append(masterKey.toHex().toUpper()); 348 debugLineClientRandom.append("\n"); 349 350 QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); 351 QFile file(sslKeyFile); 352 if (!file.open(QIODevice::Append)) 353 qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; 354 if (!file.write(debugLineClientRandom)) 355 qCWarning(lcSsl) << "could not write to file" << sslKeyFile; 356 file.close(); 357 } else { 358 qCWarning(lcSsl, "could not decrypt SSL traffic"); 359 } 360 #endif 361 362 // Cache this SSL session inside the QSslContext 363 if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { 364 if (!sslContextPointer->cacheSession(ssl)) { 365 sslContextPointer.clear(); // we could not cache the session 366 } else { 367 // Cache the session for permanent usage as well 368 if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { 369 if (!sslContextPointer->sessionASN1().isEmpty()) 370 configuration.sslSession = sslContextPointer->sessionASN1(); 371 configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); 372 } 373 } 374 } 375 376 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) 377 378 configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; 379 if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { 380 // we could not agree -> be conservative and use HTTP/1.1 381 configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); 382 } else { 383 const unsigned char *proto = 0; 384 unsigned int proto_len = 0; 385 #if OPENSSL_VERSION_NUMBER >= 0x10002000L 386 if (q_SSLeay() >= 0x10002000L) { 387 q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); 388 if (proto_len && mode == QSslSocket::SslClientMode) { 389 // Client does not have a callback that sets it ... 390 configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; 391 } 392 } 393 394 if (!proto_len) { // Test if NPN was more lucky ... 395 #else 396 { 397 #endif 398 q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); 399 } 400 401 if (proto_len) 402 configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast<const char *>(proto), proto_len); 403 else 404 configuration.nextNegotiatedProtocol.clear(); 405 } 406 #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... 407 408 #if OPENSSL_VERSION_NUMBER >= 0x10002000L 409 if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { 410 EVP_PKEY *key; 411 if (q_SSL_get_server_tmp_key(ssl, &key)) 412 configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); 413 } 414 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... 415 416 connectionEncrypted = true; 417 emit q->encrypted(); 418 if (autoStartHandshake && pendingClose) { 419 pendingClose = false; 420 q->disconnectFromHost(); 421 } 422 } 423 424 QT_END_NAMESPACE -
new file qtbase/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
diff --git a/qtbase/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h b/qtbase/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h new file mode 100644 index 0000000000000000000000000000000000000000..9686d22b98c16386568976f8e6d8c1b9b9e18240
- + 1 /**************************************************************************** 2 ** 3 ** Copyright (C) 2017 The Qt Company Ltd. 4 ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. 5 ** Contact: https://www.qt.io/licensing/ 6 ** 7 ** This file is part of the QtNetwork module of the Qt Toolkit. 8 ** 9 ** $QT_BEGIN_LICENSE:LGPL$ 10 ** Commercial License Usage 11 ** Licensees holding valid commercial Qt licenses may use this file in 12 ** accordance with the commercial license agreement provided with the 13 ** Software or, alternatively, in accordance with the terms contained in 14 ** a written agreement between you and The Qt Company. For licensing terms 15 ** and conditions see https://www.qt.io/terms-conditions. For further 16 ** information use the contact form at https://www.qt.io/contact-us. 17 ** 18 ** GNU Lesser General Public License Usage 19 ** Alternatively, this file may be used under the terms of the GNU Lesser 20 ** General Public License version 3 as published by the Free Software 21 ** Foundation and appearing in the file LICENSE.LGPL3 included in the 22 ** packaging of this file. Please review the following information to 23 ** ensure the GNU Lesser General Public License version 3 requirements 24 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. 25 ** 26 ** GNU General Public License Usage 27 ** Alternatively, this file may be used under the terms of the GNU 28 ** General Public License version 2.0 or (at your option) the GNU General 29 ** Public license version 3 or any later version approved by the KDE Free 30 ** Qt Foundation. The licenses are as published by the Free Software 31 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 32 ** included in the packaging of this file. Please review the following 33 ** information to ensure the GNU General Public License requirements will 34 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and 35 ** https://www.gnu.org/licenses/gpl-3.0.html. 36 ** 37 ** $QT_END_LICENSE$ 38 ** 39 ****************************************************************************/ 40 41 /**************************************************************************** 42 ** 43 ** In addition, as a special exception, the copyright holders listed above give 44 ** permission to link the code of its release of Qt with the OpenSSL project's 45 ** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the 46 ** same license as the original version), and distribute the linked executables. 47 ** 48 ** You must comply with the GNU General Public License version 2 in all 49 ** respects for all of the code used other than the "OpenSSL" code. If you 50 ** modify this file, you may extend this exception to your version of the file, 51 ** but you are not obligated to do so. If you do not wish to do so, delete 52 ** this exception statement from your version of this file. 53 ** 54 ****************************************************************************/ 55 56 57 #ifndef QSSLSOCKET_OPENSSLPRE11_SYMBOLS_P_H 58 #define QSSLSOCKET_OPENSSLPRE11_SYMBOLS_P_H 59 60 // 61 // W A R N I N G 62 // ------------- 63 // 64 // This file is not part of the Qt API. It exists purely as an 65 // implementation detail. This header file may change from version to 66 // version without notice, or even be removed. 67 // 68 // We mean it. 69 // 70 71 // Note: this file does not have QT_BEGIN_NAMESPACE/QT_END_NAMESPACE, it's done 72 // in qsslsocket_openssl_symbols_p.h. 73 74 #ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H 75 #error "You are not supposed to use this header file, include qsslsocket_openssl_symbols_p.h instead" 76 #endif 77 78 unsigned char * q_ASN1_STRING_data(ASN1_STRING *a); 79 BIO *q_BIO_new_file(const char *filename, const char *mode); 80 void q_ERR_clear_error(); 81 Q_AUTOTEST_EXPORT BIO *q_BIO_new(BIO_METHOD *a); 82 Q_AUTOTEST_EXPORT BIO_METHOD *q_BIO_s_mem(); 83 int q_CRYPTO_num_locks(); 84 void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int)); 85 void q_CRYPTO_set_id_callback(unsigned long (*a)()); 86 void q_CRYPTO_free(void *a); 87 unsigned long q_ERR_peek_last_error(); 88 void q_ERR_free_strings(); 89 void q_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); 90 void q_EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); 91 92 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 93 typedef _STACK STACK; 94 #endif 95 96 // The typedef we use to make our pre 1.1 code look more like 1.1 (less ifdefs). 97 typedef STACK OPENSSL_STACK; 98 99 // We resolve q_sk_ functions, but use q_OPENSSL_sk_ macros in code to reduce 100 // the amount of #ifdefs. 101 int q_sk_num(STACK *a); 102 #define q_OPENSSL_sk_num(a) q_sk_num(a) 103 void q_sk_pop_free(STACK *a, void (*b)(void *)); 104 #define q_OPENSSL_sk_pop_free(a, b) q_sk_pop_free(a, b) 105 STACK *q_sk_new_null(); 106 #define q_OPENSSL_sk_new_null() q_sk_new_null() 107 108 void q_sk_free(STACK *a); 109 110 // Just a name alias (not a function call expression) since in code we take an 111 // address of this: 112 #define q_OPENSSL_sk_free q_sk_free 113 114 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 115 void *q_sk_value(STACK *a, int b); 116 void q_sk_push(STACK *st, void *data); 117 #else 118 char *q_sk_value(STACK *a, int b); 119 void q_sk_push(STACK *st, char *data); 120 #endif // OPENSSL_VERSION_NUMBER >= 0x10000000L 121 122 #define q_OPENSSL_sk_value(a, b) q_sk_value(a, b) 123 #define q_OPENSSL_sk_push(st, data) q_sk_push(st, data) 124 125 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 126 SSL_CTX *q_SSL_CTX_new(const SSL_METHOD *a); 127 #else 128 SSL_CTX *q_SSL_CTX_new(SSL_METHOD *a); 129 #endif 130 131 int q_SSL_library_init(); 132 void q_SSL_load_error_strings(); 133 134 #if OPENSSL_VERSION_NUMBER >= 0x10001000L 135 int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); 136 #endif 137 138 #if OPENSSL_VERSION_NUMBER >= 0x10000000L 139 #ifndef OPENSSL_NO_SSL2 140 const SSL_METHOD *q_SSLv2_client_method(); 141 #endif 142 #ifndef OPENSSL_NO_SSL3_METHOD 143 const SSL_METHOD *q_SSLv3_client_method(); 144 #endif 145 const SSL_METHOD *q_SSLv23_client_method(); 146 const SSL_METHOD *q_TLSv1_client_method(); 147 const SSL_METHOD *q_TLSv1_1_client_method(); 148 const SSL_METHOD *q_TLSv1_2_client_method(); 149 #ifndef OPENSSL_NO_SSL2 150 const SSL_METHOD *q_SSLv2_server_method(); 151 #endif 152 #ifndef OPENSSL_NO_SSL3_METHOD 153 const SSL_METHOD *q_SSLv3_server_method(); 154 #endif 155 const SSL_METHOD *q_SSLv23_server_method(); 156 const SSL_METHOD *q_TLSv1_server_method(); 157 const SSL_METHOD *q_TLSv1_1_server_method(); 158 const SSL_METHOD *q_TLSv1_2_server_method(); 159 #else 160 #ifndef OPENSSL_NO_SSL2 161 SSL_METHOD *q_SSLv2_client_method(); 162 #endif 163 #ifndef OPENSSL_NO_SSL3_METHOD 164 SSL_METHOD *q_SSLv3_client_method(); 165 #endif 166 SSL_METHOD *q_SSLv23_client_method(); 167 SSL_METHOD *q_TLSv1_client_method(); 168 SSL_METHOD *q_TLSv1_1_client_method(); 169 SSL_METHOD *q_TLSv1_2_client_method(); 170 #ifndef OPENSSL_NO_SSL2 171 SSL_METHOD *q_SSLv2_server_method(); 172 #endif 173 #ifndef OPENSSL_NO_SSL3_METHOD 174 SSL_METHOD *q_SSLv3_server_method(); 175 #endif 176 SSL_METHOD *q_SSLv23_server_method(); 177 SSL_METHOD *q_TLSv1_server_method(); 178 SSL_METHOD *q_TLSv1_1_server_method(); 179 SSL_METHOD *q_TLSv1_2_server_method(); 180 #endif 181 182 STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); 183 184 #ifdef SSLEAY_MACROS 185 int q_i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); 186 int q_i2d_RSAPrivateKey(const RSA *a, unsigned char **pp); 187 RSA *q_d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length); 188 DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); 189 #define q_PEM_read_bio_RSAPrivateKey(bp, x, cb, u) \ 190 (RSA *)q_PEM_ASN1_read_bio( \ 191 (void *(*)(void**, const unsigned char**, long int))q_d2i_RSAPrivateKey, PEM_STRING_RSA, bp, (void **)x, cb, u) 192 #define q_PEM_read_bio_DSAPrivateKey(bp, x, cb, u) \ 193 (DSA *)q_PEM_ASN1_read_bio( \ 194 (void *(*)(void**, const unsigned char**, long int))q_d2i_DSAPrivateKey, PEM_STRING_DSA, bp, (void **)x, cb, u) 195 #define q_PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ 196 PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_RSAPrivateKey,PEM_STRING_RSA,\ 197 bp,(char *)x,enc,kstr,klen,cb,u) 198 #define q_PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ 199 PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_DSAPrivateKey,PEM_STRING_DSA,\ 200 bp,(char *)x,enc,kstr,klen,cb,u) 201 #define q_PEM_read_bio_DHparams(bp, dh, cb, u) \ 202 (DH *)q_PEM_ASN1_read_bio( \ 203 (void *(*)(void**, const unsigned char**, long int))q_d2i_DHparams, PEM_STRING_DHPARAMS, bp, (void **)x, cb, u) 204 #endif // SSLEAY_MACROS 205 206 #define q_SSL_CTX_set_options(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) 207 #define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st) 208 #define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i) 209 #define q_X509_getm_notAfter(x) X509_get_notAfter(x) 210 #define q_X509_getm_notBefore(x) X509_get_notBefore(x) 211 212 // "Forward compatibility" with OpenSSL 1.1 (to save on #if-ery elsewhere): 213 #define q_X509_get_version(x509) q_ASN1_INTEGER_get((x509)->cert_info->version) 214 #define q_ASN1_STRING_get0_data(x) q_ASN1_STRING_data(x) 215 #define q_EVP_PKEY_base_id(pkey) ((pkey)->type) 216 #define q_X509_get_pubkey(x509) q_X509_PUBKEY_get((x509)->cert_info->key) 217 #define q_SSL_SESSION_get_ticket_lifetime_hint(s) ((s)->tlsext_tick_lifetime_hint) 218 #define q_RSA_bits(rsa) q_BN_num_bits((rsa)->n) 219 #define q_DSA_bits(dsa) q_BN_num_bits((dsa)->p) 220 #define q_X509_STORE_set_verify_cb(s,c) X509_STORE_set_verify_cb_func((s),(c)) 221 222 char *q_CONF_get1_default_config_file(); 223 void q_OPENSSL_add_all_algorithms_noconf(); 224 void q_OPENSSL_add_all_algorithms_conf(); 225 226 long q_SSLeay(); 227 const char *q_SSLeay_version(int type); 228 229 230 #endif // QSSLSOCKET_OPENSSL_PRE11_SYMBOLS_P_H -
qtbase/src/network/ssl/qsslsocket_p.h
diff --git a/qtbase/src/network/ssl/qsslsocket_p.h b/qtbase/src/network/ssl/qsslsocket_p.h index 217d6be1dc43dfbd3dc9f333bcdd1046ed186acd..5893417b696e8f71735db26b52afecaddf4a881f 100644
a b private: 218 218 protected: 219 219 bool verifyErrorsHaveBeenIgnored(); 220 220 bool paused; 221 bool flushTriggered; 221 222 }; 222 223 223 224 QT_END_NAMESPACE -
qtbase/src/network/ssl/ssl.pri
diff --git a/qtbase/src/network/ssl/ssl.pri b/qtbase/src/network/ssl/ssl.pri index d2b0c2d60d30e2604eaf1519a6c2bde571a2e4f6..2783effaf123120f9dfea87b11a5f4262faea504 100644
a b qtConfig(ssl) { 60 60 HEADERS += ssl/qsslcontext_openssl_p.h \ 61 61 ssl/qsslsocket_openssl_p.h \ 62 62 ssl/qsslsocket_openssl_symbols_p.h 63 SOURCES += ssl/qsslcertificate_openssl.cpp \ 64 ssl/qsslcontext_openssl.cpp \ 63 SOURCES += ssl/qsslsocket_openssl_symbols.cpp \ 65 64 ssl/qssldiffiehellmanparameters_openssl.cpp \ 65 ssl/qsslcertificate_openssl.cpp \ 66 66 ssl/qsslellipticcurve_openssl.cpp \ 67 67 ssl/qsslkey_openssl.cpp \ 68 68 ssl/qsslsocket_openssl.cpp \ 69 ssl/qsslsocket_openssl_symbols.cpp 69 ssl/qsslcontext_openssl.cpp 70 71 qtConfig(opensslv11) { 72 HEADERS += ssl/qsslsocket_openssl11_symbols_p.h 73 SOURCES += ssl/qsslsocket_openssl11.cpp \ 74 ssl/qsslcontext_openssl11.cpp 75 76 QMAKE_CXXFLAGS += -DOPENSSL_API_COMPAT=0x10100000L 77 } else { 78 HEADERS += ssl/qsslsocket_opensslpre11_symbols_p.h 79 SOURCES += ssl/qsslsocket_opensslpre11.cpp \ 80 ssl/qsslcontext_opensslpre11.cpp 81 } 70 82 71 83 darwin:SOURCES += ssl/qsslsocket_mac_shared.cpp 72 84