Revert "OpenSSL: remove support for 1.1"

This reverts commit d201c0a2184881a226bce76528047707e9062856.

Reason for revert: QNX have support only for OpenSSL1.1.
QNX will start supporting OpenSSL3 with upcoming QNX8.0 but as long as we want to support QNX7.1 (and even QNX7.0) removing OpenSSL1.1 support from Qt is not an option.

Change-Id: Ia2083eda318779968eb6ee84fff2f56ebe3dadf7
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>

configure.cmake

@@ -19,7 +19,55 @@ if(TARGET ZLIB::ZLIB)
 endif()
 
 qt_find_package(WrapOpenSSLHeaders PROVIDED_TARGETS WrapOpenSSLHeaders::WrapOpenSSLHeaders MODULE_NAME core)
+# openssl_headers
+# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1
+qt_config_compile_test(opensslv11_headers
+    LABEL "opensslv11_headers"
+    LIBRARIES
+        WrapOpenSSLHeaders::WrapOpenSSLHeaders
+    CODE
+"#include <openssl/ssl.h>
+#include <openssl/opensslv.h>
+#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L
+#  error OpenSSL >= 1.1.1 is required
+#endif
+#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES)
+#  error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported
+#endif
+
+int main(void)
+{
+    /* BEGIN TEST: */
+    /* END TEST: */
+    return 0;
+}
+")
+
 qt_find_package(WrapOpenSSL PROVIDED_TARGETS WrapOpenSSL::WrapOpenSSL MODULE_NAME core QMAKE_LIB openssl)
+# openssl
+# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1
+qt_config_compile_test(opensslv11
+    LABEL "opensslv11"
+    LIBRARIES
+        WrapOpenSSL::WrapOpenSSL
+    CODE
+"#include <openssl/ssl.h>
+#include <openssl/opensslv.h>
+#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L
+#  error OpenSSL >= 1.1.1 is required
+#endif
+#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES)
+#  error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported
+#endif
+
+int main(void)
+{
+    /* BEGIN TEST: */
+SSL_free(SSL_new(0));
+    /* END TEST: */
+    return 0;
+}
+")
 
 # opensslv30
 # openssl_headers
@@ -952,17 +1000,22 @@ qt_feature_definition("openssl" "QT_NO_OPENSSL" NEGATE)
 qt_feature_config("openssl" QMAKE_PUBLIC_QT_CONFIG)
 qt_feature("openssl-runtime"
     AUTODETECT NOT WASM
-    CONDITION TEST_opensslv30_headers
+    CONDITION TEST_opensslv11_headers OR TEST_opensslv30_headers
     ENABLE INPUT_openssl STREQUAL 'yes' OR INPUT_openssl STREQUAL 'runtime'
     DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_openssl STREQUAL 'linked' OR INPUT_ssl STREQUAL 'no'
 )
 qt_feature("openssl-linked" PUBLIC
     LABEL "  Qt directly linked to OpenSSL"
     AUTODETECT OFF
-    CONDITION TEST_opensslv30
+    CONDITION TEST_opensslv11 OR TEST_opensslv30
     ENABLE INPUT_openssl STREQUAL 'linked'
 )
 qt_feature_definition("openssl-linked" "QT_LINKED_OPENSSL")
+qt_feature("opensslv11" PUBLIC
+    LABEL "OpenSSL 1.1"
+    CONDITION TEST_opensslv11 OR TEST_opensslv11_headers
+    DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_ssl STREQUAL 'no'
+)
 qt_feature("opensslv30" PUBLIC
     LABEL "OpenSSL 3.0"
     CONDITION TEST_opensslv30 OR TEST_opensslv30_headers
@@ -1148,6 +1201,7 @@ qt_configure_add_summary_entry(ARGS "Using vcpkg" TYPE "message" MESSAGE "${_vcp
 qt_configure_add_summary_entry(ARGS "libudev")
 qt_configure_add_summary_entry(ARGS "openssl")
 qt_configure_add_summary_entry(ARGS "openssl-linked")
+qt_configure_add_summary_entry(ARGS "opensslv11")
 qt_configure_add_summary_entry(ARGS "opensslv30")
 qt_configure_add_summary_entry(ARGS "system-zlib")
 qt_configure_add_summary_entry(ARGS "zstd")

src/plugins/tls/openssl/qsslcontext_openssl.cpp

@@ -555,10 +555,17 @@ QT_WARNING_POP
         // tell OpenSSL the directories where to look up the root certs on demand
         const QList<QByteArray> unixDirs = QSslSocketPrivate::unixRootCertDirectories();
         int success = 1;
+#if OPENSSL_VERSION_MAJOR < 3
+        for (const QByteArray &unixDir : unixDirs) {
+            if ((success = q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData())) != 1)
+                break;
+        }
+#else
         for (const QByteArray &unixDir : unixDirs) {
             if ((success = q_SSL_CTX_load_verify_dir(sslContext->ctx, unixDir.constData())) != 1)
                 break;
         }
+#endif // OPENSSL_VERSION_MAJOR
         if (success != 1) {
             const auto qtErrors = QTlsBackendOpenSSL::getErrorsFromOpenSsl();
             qCWarning(lcTlsBackend) << "An error encountered while to set root certificates location:"

src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp

@@ -302,9 +302,14 @@ DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return)
 DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return)
 DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return)
 
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return)
 DEFINEFUNC(int, EVP_PKEY_get_bits, const EVP_PKEY *pkey, pkey, return -1, return)
 DEFINEFUNC(int, EVP_PKEY_get_base_id, const EVP_PKEY *pkey, pkey, return -1, return)
+#else
+DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return)
+DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return)
+#endif // OPENSSL_VERSION_MAJOR >= 3
 
 DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return)
 DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return)
@@ -375,7 +380,11 @@ DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return null
 DEFINEFUNC2(void *, X509_STORE_CTX_get_ex_data, X509_STORE_CTX *ctx, ctx, int idx, idx, return nullptr, return)
 DEFINEFUNC(int, SSL_get_ex_data_X509_STORE_CTX_idx, DUMMYARG, DUMMYARG, return -1, return)
 
+#if OPENSSL_VERSION_MAJOR < 3
+DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return)
+#else
 DEFINEFUNC2(int, SSL_CTX_load_verify_dir, SSL_CTX *ctx, ctx, const char *CApath, CApath, return 0, return)
+#endif // OPENSSL_VERSION_MAJOR
 
 DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return)
 DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return nullptr, return)
@@ -637,7 +646,9 @@ static QStringList findAllLibCrypto()
 }
 # endif
 
-#if OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available
+#if (OPENSSL_VERSION_NUMBER >> 28) < 3
+#define QT_OPENSSL_VERSION "1_1"
+#elif OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available
 #define QT_OPENSSL_VERSION "3"
 #endif // > 3 intentionally left undefined
 
@@ -908,10 +919,17 @@ bool q_resolveOpenSslSymbols()
             return false;
         }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
         if (q_OpenSSL_version_num() < 0x30000000) {
             qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL >= 3.x, runtime version is < 3.x)");
             return false;
         }
+#else
+        if (q_OpenSSL_version_num() >= 0x30000000) {
+            qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL 1.x, runtime version is >= 3.x)");
+            return false;
+        }
+#endif // OPENSSL_VERSION_NUMBER
 
         RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint)
 
@@ -1054,9 +1072,14 @@ bool q_resolveOpenSslSymbols()
         RESOLVEFUNC(SSL_get_error)
         RESOLVEFUNC(SSL_get_peer_cert_chain)
 
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
         RESOLVEFUNC(SSL_get1_peer_certificate)
         RESOLVEFUNC(EVP_PKEY_get_bits)
         RESOLVEFUNC(EVP_PKEY_get_base_id)
+#else
+        RESOLVEFUNC(SSL_get_peer_certificate)
+        RESOLVEFUNC(EVP_PKEY_base_id)
+#endif // OPENSSL_VERSION_MAJOR >= 3
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
         RESOLVEFUNC(DH_new)
@@ -1188,7 +1211,11 @@ bool q_resolveOpenSslSymbols()
         RESOLVEFUNC(X509_verify_cert)
         RESOLVEFUNC(d2i_X509)
         RESOLVEFUNC(i2d_X509)
+#if OPENSSL_VERSION_MAJOR < 3
+        RESOLVEFUNC(SSL_CTX_load_verify_locations)
+#else
         RESOLVEFUNC(SSL_CTX_load_verify_dir)
+#endif // OPENSSL_VERSION_MAJOR
         RESOLVEFUNC(i2d_SSL_SESSION)
         RESOLVEFUNC(d2i_SSL_SESSION)
 

src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h

@@ -185,7 +185,11 @@ QT_BEGIN_NAMESPACE
 // **************** Static declarations ******************
 
 #endif // !defined QT_LINKED_OPENSSL
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 typedef uint64_t qssloptions;
+#else
+typedef unsigned long qssloptions;
+#endif
 // TODO: the following lines previously were a part of 1.1 - specific header.
 // To reduce the amount of the change, I'm directly copying and pasting the
 // content of the header here. Later, can be better sorted/split into groups,
@@ -546,7 +550,11 @@ void q_GENERAL_NAME_free(GENERAL_NAME *a);
         q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
 #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf()
 
+#if OPENSSL_VERSION_MAJOR < 3
+int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
+#else
 int q_SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
+#endif // OPENSSL_VERSION_MAJOR
 
 int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
@@ -668,11 +676,17 @@ const char *q_SSL_alert_desc_string_long(int value);
 int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
 void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
 
+// Here we have the ones that make difference between OpenSSL pre/post v3:
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
 X509 *q_SSL_get1_peer_certificate(SSL *a);
 #define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate
 int q_EVP_PKEY_get_bits(const EVP_PKEY *pkey);
 int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
 #define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id
+#else
+X509 *q_SSL_get_peer_certificate(SSL *a);
+int q_EVP_PKEY_base_id(EVP_PKEY *a);
+#endif // OPENSSL_VERSION_MAJOR >= 3
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
 

src/plugins/tls/openssl/qtls_openssl.cpp

@@ -1438,11 +1438,14 @@ bool TlsCryptographOpenSSL::initSslContext()
     else if (mode == QSslSocket::SslServerMode)
         q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10101006L
     // Set the client callback for TLSv1.3 PSK
     if (mode == QSslSocket::SslClientMode
         && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) {
         q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback);
     }
+#endif // openssl version >= 0x10101006L
+
 #endif // OPENSSL_NO_PSK
 
 #if QT_CONFIG(ocsp)