From 65081c67f3d65b1c6e7e051a1b9d008eca3381e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marianne=20Yrj=C3=A4n=C3=A4?= Date: Thu, 30 Nov 2023 10:24:41 +0000 Subject: [PATCH] Revert "OpenSSL: remove support for 1.1" This reverts commit d201c0a2184881a226bce76528047707e9062856. Reason for revert: QNX have support only for OpenSSL1.1. QNX will start supporting OpenSSL3 with upcoming QNX8.0 but as long as we want to support QNX7.1 (and even QNX7.0) removing OpenSSL1.1 support from Qt is not an option. Change-Id: Ia2083eda318779968eb6ee84fff2f56ebe3dadf7 Reviewed-by: Timur Pocheptsov --- configure.cmake | 58 ++++++++++++++++++- .../tls/openssl/qsslcontext_openssl.cpp | 7 +++ .../openssl/qsslsocket_openssl_symbols.cpp | 29 +++++++++- .../openssl/qsslsocket_openssl_symbols_p.h | 14 +++++ src/plugins/tls/openssl/qtls_openssl.cpp | 3 + 5 files changed, 108 insertions(+), 3 deletions(-) diff --git a/configure.cmake b/configure.cmake index 2213ce233cb..72e331c01ba 100644 --- a/configure.cmake +++ b/configure.cmake @@ -19,7 +19,55 @@ if(TARGET ZLIB::ZLIB) endif() qt_find_package(WrapOpenSSLHeaders PROVIDED_TARGETS WrapOpenSSLHeaders::WrapOpenSSLHeaders MODULE_NAME core) +# openssl_headers +# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1 +qt_config_compile_test(opensslv11_headers + LABEL "opensslv11_headers" + LIBRARIES + WrapOpenSSLHeaders::WrapOpenSSLHeaders + CODE +"#include +#include +#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L +# error OpenSSL >= 1.1.1 is required +#endif +#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES) +# error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported +#endif + +int main(void) +{ + /* BEGIN TEST: */ + /* END TEST: */ + return 0; +} +") + qt_find_package(WrapOpenSSL PROVIDED_TARGETS WrapOpenSSL::WrapOpenSSL MODULE_NAME core QMAKE_LIB openssl) +# openssl +# OPENSSL_VERSION_MAJOR is not defined for OpenSSL 1.1.1 +qt_config_compile_test(opensslv11 + LABEL "opensslv11" + LIBRARIES + WrapOpenSSL::WrapOpenSSL + CODE +"#include +#include +#if !defined(OPENSSL_VERSION_NUMBER) || defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_NUMBER-0 < 0x10101000L +# error OpenSSL >= 1.1.1 is required +#endif +#if !defined(OPENSSL_NO_EC) && !defined(SSL_CTRL_SET_CURVES) +# error OpenSSL was reported as >= 1.1.1 but is missing required features, possibly it is libressl which is unsupported +#endif + +int main(void) +{ + /* BEGIN TEST: */ +SSL_free(SSL_new(0)); + /* END TEST: */ + return 0; +} +") # opensslv30 # openssl_headers @@ -952,17 +1000,22 @@ qt_feature_definition("openssl" "QT_NO_OPENSSL" NEGATE) qt_feature_config("openssl" QMAKE_PUBLIC_QT_CONFIG) qt_feature("openssl-runtime" AUTODETECT NOT WASM - CONDITION TEST_opensslv30_headers + CONDITION TEST_opensslv11_headers OR TEST_opensslv30_headers ENABLE INPUT_openssl STREQUAL 'yes' OR INPUT_openssl STREQUAL 'runtime' DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_openssl STREQUAL 'linked' OR INPUT_ssl STREQUAL 'no' ) qt_feature("openssl-linked" PUBLIC LABEL " Qt directly linked to OpenSSL" AUTODETECT OFF - CONDITION TEST_opensslv30 + CONDITION TEST_opensslv11 OR TEST_opensslv30 ENABLE INPUT_openssl STREQUAL 'linked' ) qt_feature_definition("openssl-linked" "QT_LINKED_OPENSSL") +qt_feature("opensslv11" PUBLIC + LABEL "OpenSSL 1.1" + CONDITION TEST_opensslv11 OR TEST_opensslv11_headers + DISABLE INPUT_openssl STREQUAL 'no' OR INPUT_ssl STREQUAL 'no' +) qt_feature("opensslv30" PUBLIC LABEL "OpenSSL 3.0" CONDITION TEST_opensslv30 OR TEST_opensslv30_headers @@ -1148,6 +1201,7 @@ qt_configure_add_summary_entry(ARGS "Using vcpkg" TYPE "message" MESSAGE "${_vcp qt_configure_add_summary_entry(ARGS "libudev") qt_configure_add_summary_entry(ARGS "openssl") qt_configure_add_summary_entry(ARGS "openssl-linked") +qt_configure_add_summary_entry(ARGS "opensslv11") qt_configure_add_summary_entry(ARGS "opensslv30") qt_configure_add_summary_entry(ARGS "system-zlib") qt_configure_add_summary_entry(ARGS "zstd") diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp index a06d2ff65ba..75c192bd01d 100644 --- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp +++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp @@ -555,10 +555,17 @@ QT_WARNING_POP // tell OpenSSL the directories where to look up the root certs on demand const QList unixDirs = QSslSocketPrivate::unixRootCertDirectories(); int success = 1; +#if OPENSSL_VERSION_MAJOR < 3 + for (const QByteArray &unixDir : unixDirs) { + if ((success = q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData())) != 1) + break; + } +#else for (const QByteArray &unixDir : unixDirs) { if ((success = q_SSL_CTX_load_verify_dir(sslContext->ctx, unixDir.constData())) != 1) break; } +#endif // OPENSSL_VERSION_MAJOR if (success != 1) { const auto qtErrors = QTlsBackendOpenSSL::getErrorsFromOpenSsl(); qCWarning(lcTlsBackend) << "An error encountered while to set root certificates location:" diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp index 13d3b0cee9a..4aa9ca6fb14 100644 --- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp @@ -302,9 +302,14 @@ DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return) DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return) DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return) +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return) DEFINEFUNC(int, EVP_PKEY_get_bits, const EVP_PKEY *pkey, pkey, return -1, return) DEFINEFUNC(int, EVP_PKEY_get_base_id, const EVP_PKEY *pkey, pkey, return -1, return) +#else +DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return) +DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) +#endif // OPENSSL_VERSION_MAJOR >= 3 DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return) DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return) @@ -375,7 +380,11 @@ DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return null DEFINEFUNC2(void *, X509_STORE_CTX_get_ex_data, X509_STORE_CTX *ctx, ctx, int idx, idx, return nullptr, return) DEFINEFUNC(int, SSL_get_ex_data_X509_STORE_CTX_idx, DUMMYARG, DUMMYARG, return -1, return) +#if OPENSSL_VERSION_MAJOR < 3 +DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) +#else DEFINEFUNC2(int, SSL_CTX_load_verify_dir, SSL_CTX *ctx, ctx, const char *CApath, CApath, return 0, return) +#endif // OPENSSL_VERSION_MAJOR DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return) DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return nullptr, return) @@ -637,7 +646,9 @@ static QStringList findAllLibCrypto() } # endif -#if OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available +#if (OPENSSL_VERSION_NUMBER >> 28) < 3 +#define QT_OPENSSL_VERSION "1_1" +#elif OPENSSL_VERSION_MAJOR == 3 // Starting with 3.0 this define is available #define QT_OPENSSL_VERSION "3" #endif // > 3 intentionally left undefined @@ -908,10 +919,17 @@ bool q_resolveOpenSslSymbols() return false; } +#if OPENSSL_VERSION_NUMBER >= 0x30000000 if (q_OpenSSL_version_num() < 0x30000000) { qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL >= 3.x, runtime version is < 3.x)"); return false; } +#else + if (q_OpenSSL_version_num() >= 0x30000000) { + qCWarning(lcTlsBackend, "Incompatible version of OpenSSL (built with OpenSSL 1.x, runtime version is >= 3.x)"); + return false; + } +#endif // OPENSSL_VERSION_NUMBER RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint) @@ -1054,9 +1072,14 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(SSL_get_error) RESOLVEFUNC(SSL_get_peer_cert_chain) +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 RESOLVEFUNC(SSL_get1_peer_certificate) RESOLVEFUNC(EVP_PKEY_get_bits) RESOLVEFUNC(EVP_PKEY_get_base_id) +#else + RESOLVEFUNC(SSL_get_peer_certificate) + RESOLVEFUNC(EVP_PKEY_base_id) +#endif // OPENSSL_VERSION_MAJOR >= 3 #ifndef OPENSSL_NO_DEPRECATED_3_0 RESOLVEFUNC(DH_new) @@ -1188,7 +1211,11 @@ bool q_resolveOpenSslSymbols() RESOLVEFUNC(X509_verify_cert) RESOLVEFUNC(d2i_X509) RESOLVEFUNC(i2d_X509) +#if OPENSSL_VERSION_MAJOR < 3 + RESOLVEFUNC(SSL_CTX_load_verify_locations) +#else RESOLVEFUNC(SSL_CTX_load_verify_dir) +#endif // OPENSSL_VERSION_MAJOR RESOLVEFUNC(i2d_SSL_SESSION) RESOLVEFUNC(d2i_SSL_SESSION) diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h index 7d7ce57371d..a93c110b3f7 100644 --- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h +++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h @@ -185,7 +185,11 @@ QT_BEGIN_NAMESPACE // **************** Static declarations ****************** #endif // !defined QT_LINKED_OPENSSL +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 typedef uint64_t qssloptions; +#else +typedef unsigned long qssloptions; +#endif // TODO: the following lines previously were a part of 1.1 - specific header. // To reduce the amount of the change, I'm directly copying and pasting the // content of the header here. Later, can be better sorted/split into groups, @@ -546,7 +550,11 @@ void q_GENERAL_NAME_free(GENERAL_NAME *a); q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf() +#if OPENSSL_VERSION_MAJOR < 3 +int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); +#else int q_SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath); +#endif // OPENSSL_VERSION_MAJOR int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); @@ -668,11 +676,17 @@ const char *q_SSL_alert_desc_string_long(int value); int q_SSL_CTX_get_security_level(const SSL_CTX *ctx); void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level); +// Here we have the ones that make difference between OpenSSL pre/post v3: +#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3 X509 *q_SSL_get1_peer_certificate(SSL *a); #define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate int q_EVP_PKEY_get_bits(const EVP_PKEY *pkey); int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey); #define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id +#else +X509 *q_SSL_get_peer_certificate(SSL *a); +int q_EVP_PKEY_base_id(EVP_PKEY *a); +#endif // OPENSSL_VERSION_MAJOR >= 3 #ifndef OPENSSL_NO_DEPRECATED_3_0 diff --git a/src/plugins/tls/openssl/qtls_openssl.cpp b/src/plugins/tls/openssl/qtls_openssl.cpp index ed5211150de..57d09a649b1 100644 --- a/src/plugins/tls/openssl/qtls_openssl.cpp +++ b/src/plugins/tls/openssl/qtls_openssl.cpp @@ -1438,11 +1438,14 @@ bool TlsCryptographOpenSSL::initSslContext() else if (mode == QSslSocket::SslServerMode) q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback); +#if OPENSSL_VERSION_NUMBER >= 0x10101006L // Set the client callback for TLSv1.3 PSK if (mode == QSslSocket::SslClientMode && QSslSocket::sslLibraryBuildVersionNumber() >= 0x10101006L) { q_SSL_set_psk_use_session_callback(ssl, &q_ssl_psk_use_session_callback); } +#endif // openssl version >= 0x10101006L + #endif // OPENSSL_NO_PSK #if QT_CONFIG(ocsp)