OpenSSL: remove support for 1.1

OpenSSL 1.1 reached EOL last September [1]. We will only support
OpenSSL 3.

Cherry-picking aggressively, as there's no purpose at keeping maintained
Qt versions work with an unmaintained library given the security
implications.

[1] https://www.openssl.org/blog/blog/2023/09/11/eol-111/

[ChangeLog][QtNetwork][SSL] Support for OpenSSL 1.1 has been dropped. Qt
now only supports OpenSSL 3.

Change-Id: I51a231a9ca17804739acbd2f22c478d2a8ff9b3b
Fixes: QTBUG-119330
Pick-to: 6.5 6.2 5.15
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
(cherry picked from commit d201c0a2184881a226bce76528047707e9062856)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

configure.cmake

@@ -19,55 +19,7 @@ if(TARGET ZLIB::ZLIB)
 endif()
 
 qt_find_package(WrapOpenSSLHeaders PROVIDED_TARGETS WrapOpenSSLHeaders::WrapOpenSSLHeaders MODULE_NAME core)
-# openssl_headers
-# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1
-qt_config_compile_test(opensslv11_headers
-    LABEL "opensslv11_headers"
-    LIBRARIES
-        WrapOpenSSLHeaders::WrapOpenSSLHeaders
-    CODE
-"#include <openssl/ssl.h>
-#include <openssl/opensslv.h>
-#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L
-#  error OpenSSL >= 1.1.1 is required
-#endif
-#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES)
-#  error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported
-#endif
-
-int main(void)
-{
-    /* BEGIN TEST: */
-    /* END TEST: */
-    return 0;
-}
-")
-
 qt_find_package(WrapOpenSSL PROVIDED_TARGETS WrapOpenSSL::WrapOpenSSL MODULE_NAME core QMAKE_LIB openssl)
-# openssl
-# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1
-qt_config_compile_test(opensslv11
-    LABEL "opensslv11"
-    LIBRARIES
-        WrapOpenSSL::WrapOpenSSL
-    CODE
-"#include <openssl/ssl.h>
-#include <openssl/opensslv.h>
-#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L
-#  error OpenSSL >= 1.1.1 is required
-#endif
-#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES)
-#  error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported
-#endif
-
-int main(void)
-{
-    /* BEGIN TEST: */
-SSL_free(SSL_new(0));
-    /* END TEST: */
-    return 0;
-}
-")
 
 # opensslv30
 # openssl_headers
@@ -1005,22 +957,17 @@ qt_feature_definition("openssl" "QT_NO_OPENSSL" NEGATE)
 qt_feature_config("openssl" QMAKE_PUBLIC_QT_CONFIG)
 qt_feature("openssl-runtime"
     AUTODETECT NOT WASM
-    CONDITION TEST_opensslv11_headers OR TEST_opensslv30_headers
+    CONDITION TEST_opensslv30_headers
     ENABLE INPUT_openssl STREQUAL 'yes' OR INPUT_openssl STREQUAL 'runtime'
     DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_openssl STREQUAL 'linked' OR INPUT_ssl STREQUAL 'no'
 )
 qt_feature("openssl-linked" PUBLIC
     LABEL "  Qt directly linked to OpenSSL"
     AUTODETECT OFF
-    CONDITION TEST_opensslv11 OR TEST_opensslv30
+    CONDITION TEST_opensslv30
     ENABLE INPUT_openssl STREQUAL 'linked'
 )
 qt_feature_definition("openssl-linked" "QT_LINKED_OPENSSL")
-qt_feature("opensslv11" PUBLIC
-    LABEL "OpenSSL 1.1"
-    CONDITION TEST_opensslv11 OR TEST_opensslv11_headers
-    DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_ssl STREQUAL 'no'
-)
 qt_feature("opensslv30" PUBLIC
     LABEL "OpenSSL 3.0"
     CONDITION TEST_opensslv30 OR TEST_opensslv30_headers
@@ -1179,7 +1126,6 @@ qt_configure_add_summary_entry(ARGS "Using vcpkg" TYPE "message" MESSAGE "${_vcp
 qt_configure_add_summary_entry(ARGS "libudev")
 qt_configure_add_summary_entry(ARGS "openssl")
 qt_configure_add_summary_entry(ARGS "openssl-linked")
-qt_configure_add_summary_entry(ARGS "opensslv11")
 qt_configure_add_summary_entry(ARGS "opensslv30")
 qt_configure_add_summary_entry(ARGS "system-zlib")
 qt_configure_add_summary_entry(ARGS "zstd")

src/plugins/tls/openssl/qsslcontext_openssl.cpp

@@ -555,17 +555,10 @@ QT_WARNING_POP
         // tell OpenSSL the directories where to look up the root certs on demand
         const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories();
         int success = 1;
-#if OPENSSL_VERSION_MAJOR < 3
-        for (const QByteArray &unixDir : unixDirs) {
-            if ((success = q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData())) != 1)
-                break;
-        }
-#else
         for (const QByteArray &unixDir : unixDirs) {
             if ((success = q_SSL_CTX_load_verify_dir(sslContext->ctx, unixDir.constData())) != 1)
                 break;
         }
-#endif // OPENSSL_VERSION_MAJOR
         if (success != 1) {
             const auto qtErrors = QTlsBackendOpenSSL::getErrorsFromOpenSsl();
             qCWarning(lcTlsBackend) << "An error encountered while to set root certificates location:"

src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp

@@ -302,14 +302,9 @@ DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return)
 DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return)
 DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return)
 
-#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return)
 DEFINEFUNC(int, EVP_PKEY_get_bits, const EVP_PKEY *pkey, pkey, return -1, return)
 DEFINEFUNC(int, EVP_PKEY_get_base_id, const EVP_PKEY *pkey, pkey, return -1, return)
-#else
-DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return)
-DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return)
-#endif // OPENSSL_VERSION_MAJOR >= 3
 
 DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return)
 DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return)
@@ -380,11 +375,7 @@ DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return null
 DEFINEFUNC2(void *, X509_STORE_CTX_get_ex_data, X509_STORE_CTX *ctx, ctx, int idx, idx, return nullptr, return)
 DEFINEFUNC(int, SSL_get_ex_data_X509_STORE_CTX_idx, DUMMYARG, DUMMYARG, return -1, return)
 
-#if OPENSSL_VERSION_MAJOR < 3
-DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return)
-#else
 DEFINEFUNC2(int, SSL_CTX_load_verify_dir, SSL_CTX *ctx, ctx, const char *CApath, CApath, return 0, return)
-#endif // OPENSSL_VERSION_MAJOR
 
 DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return)
 DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return nullptr, return)
@@ -646,9 +637,7 @@ static QStringList findAllLibCrypto()
 }
 # endif
 
-#if (OPENSSL_VERSION_NUMBER >> 28) < 3
-#define QT_OPENSSL_VERSION "1_1"
-#elif OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available
+#if OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available
 #define QT_OPENSSL_VERSION "3"
 #endif // > 3 intentionally left undefined
 
@@ -919,17 +908,10 @@ bool q_resolveOpenSslSymbols()
             return false;
         }
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000
         if (q_OpenSSL_version_num() < 0x30000000) {
             qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL >= 3.x, runtime version is < 3.x)");
             return false;
         }
-#else
-        if (q_OpenSSL_version_num() >= 0x30000000) {
-            qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL 1.x, runtime version is >= 3.x)");
-            return false;
-        }
-#endif // OPENSSL_VERSION_NUMBER
 
         RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint)
 
@@ -1072,14 +1054,9 @@ bool q_resolveOpenSslSymbols()
         RESOLVEFUNC(SSL_get_error)
         RESOLVEFUNC(SSL_get_peer_cert_chain)
 
-#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
         RESOLVEFUNC(SSL_get1_peer_certificate)
         RESOLVEFUNC(EVP_PKEY_get_bits)
         RESOLVEFUNC(EVP_PKEY_get_base_id)
-#else
-        RESOLVEFUNC(SSL_get_peer_certificate)
-        RESOLVEFUNC(EVP_PKEY_base_id)
-#endif // OPENSSL_VERSION_MAJOR >= 3
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
         RESOLVEFUNC(DH_new)
@@ -1211,11 +1188,7 @@ bool q_resolveOpenSslSymbols()
         RESOLVEFUNC(X509_verify_cert)
         RESOLVEFUNC(d2i_X509)
         RESOLVEFUNC(i2d_X509)
-#if OPENSSL_VERSION_MAJOR < 3
-        RESOLVEFUNC(SSL_CTX_load_verify_locations)
-#else
         RESOLVEFUNC(SSL_CTX_load_verify_dir)
-#endif // OPENSSL_VERSION_MAJOR
         RESOLVEFUNC(i2d_SSL_SESSION)
         RESOLVEFUNC(d2i_SSL_SESSION)
 

src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h

@@ -185,11 +185,7 @@ QT_BEGIN_NAMESPACE
 // **************** Static declarations ******************
 
 #endif // !defined QT_LINKED_OPENSSL
-#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 typedef uint64_t qssloptions;
-#else
-typedef unsigned long qssloptions;
-#endif
 // TODO: the following lines previously were a part of 1.1 - specific header.
 // To reduce the amount of the change, I'm directly copying and pasting the
 // content of the header here. Later, can be better sorted/split into groups,
@@ -549,11 +545,7 @@ void q_GENERAL_NAME_free(GENERAL_NAME *a);
         q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
 #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf()
 
-#if OPENSSL_VERSION_MAJOR < 3
-int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
-#else
 int q_SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
-#endif // OPENSSL_VERSION_MAJOR
 
 int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
@@ -675,17 +667,11 @@ const char *q_SSL_alert_desc_string_long(int value);
 int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
 void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
 
-// Here we have the ones that make difference between OpenSSL pre/post v3:
-#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 X509 *q_SSL_get1_peer_certificate(SSL *a);
 #define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate
 int q_EVP_PKEY_get_bits(const EVP_PKEY *pkey);
 int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
 #define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id
-#else
-X509 *q_SSL_get_peer_certificate(SSL *a);
-int q_EVP_PKEY_base_id(EVP_PKEY *a);
-#endif // OPENSSL_VERSION_MAJOR >= 3
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
 

src/plugins/tls/openssl/qtls_openssl.cpp

@@ -1438,14 +1438,11 @@ bool TlsCryptographOpenSSL::initSslContext()
     else if (mode == QSslSocket::SslServerMode)
         q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10101006L
     // Set the client callback for TLSv1.3 PSK
     if (mode == QSslSocket::SslClientMode
         && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
         q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback);
     }
-#endif // openssl version >= 0x10101006L
-
 #endif // OPENSSL_NO_PSK
 
 #if QT_CONFIG(ocsp)