Package: qtbase-opensource-src / 5.15.8+dfsg-11+deb12u3

openssl3.diff Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
 
Description: upstream fixes to support OpenSSL 3.0
Origin: upstream, commits
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3186ca3e3972cf46
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=408656c6f9de326c
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=ae6590e360fbb04d
 and a small part of
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=4c0f81490ba0c4ec
Last-Update: 2021-12-09

--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -409,7 +409,7 @@ init_context:
         break;
     case QSsl::DtlsV1_0OrLater:
         minVersion = DTLS1_VERSION;
-        maxVersion = DTLS_MAX_VERSION;
+        maxVersion = 0;
         break;
     case QSsl::DtlsV1_2:
         minVersion = DTLS1_2_VERSION;
@@ -417,7 +417,7 @@ init_context:
         break;
     case QSsl::DtlsV1_2OrLater:
         minVersion = DTLS1_2_VERSION;
-        maxVersion = DTLS_MAX_VERSION;
+        maxVersion = 0;
         break;
     case QSsl::TlsV1_3OrLater:
 #ifdef TLS1_3_VERSION
--- a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
+++ b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
@@ -59,57 +59,6 @@
 
 QT_BEGIN_NAMESPACE
 
-#ifdef OPENSSL_NO_DEPRECATED_3_0
-
-static int q_DH_check(DH *dh, int *status)
-{
-    // DH_check was first deprecated in OpenSSL 3.0.0, as low-level
-    // API; the EVP_PKEY family of functions was advised as an alternative.
-    // As of now EVP_PKEY_params_check ends up calling ... DH_check,
-    // which is good enough.
-
-    Q_ASSERT(dh);
-    Q_ASSERT(status);
-
-    EVP_PKEY *key = q_EVP_PKEY_new();
-    if (!key) {
-        qCWarning(lcSsl, "EVP_PKEY_new failed");
-        QSslSocketBackendPrivate::logAndClearErrorQueue();
-        return 0;
-    }
-    const auto keyDeleter = qScopeGuard([key](){
-        q_EVP_PKEY_free(key);
-    });
-    if (!q_EVP_PKEY_set1_DH(key, dh)) {
-        qCWarning(lcSsl, "EVP_PKEY_set1_DH failed");
-        QSslSocketBackendPrivate::logAndClearErrorQueue();
-        return 0;
-    }
-
-    EVP_PKEY_CTX *keyCtx = q_EVP_PKEY_CTX_new(key, nullptr);
-    if (!keyCtx) {
-        qCWarning(lcSsl, "EVP_PKEY_CTX_new failed");
-        QSslSocketBackendPrivate::logAndClearErrorQueue();
-        return 0;
-    }
-    const auto ctxDeleter = qScopeGuard([keyCtx]{
-        q_EVP_PKEY_CTX_free(keyCtx);
-    });
-
-    const int result = q_EVP_PKEY_param_check(keyCtx);
-    QSslSocketBackendPrivate::logAndClearErrorQueue();
-    // Note: unlike DH_check, we cannot obtain the 'status',
-    // if the 'result' is 0 (actually the result is 1 only
-    // if this 'status' was 0). We could probably check the
-    // errors from the error queue, but it's not needed anyway
-    // - see the 'isSafeDH' below, how it returns immediately
-    // on 0.
-    Q_UNUSED(status)
-
-    return result;
-}
-#endif // OPENSSL_NO_DEPRECATED_3_0
-
 static bool isSafeDH(DH *dh)
 {
     int status = 0;
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -148,7 +148,6 @@ DEFINEFUNC(int, EVP_PKEY_up_ref, EVP_PKE
 DEFINEFUNC2(EVP_PKEY_CTX *, EVP_PKEY_CTX_new, EVP_PKEY *pkey, pkey, ENGINE *e, e, return nullptr, return)
 DEFINEFUNC(int, EVP_PKEY_param_check, EVP_PKEY_CTX *ctx, ctx, return 0, return)
 DEFINEFUNC(void, EVP_PKEY_CTX_free, EVP_PKEY_CTX *ctx, ctx, return, return)
-DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return)
 DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return)
 DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return)
 DEFINEFUNC(int, OPENSSL_sk_num, OPENSSL_STACK *a, a, return -1, return)
@@ -371,7 +370,15 @@ DEFINEFUNC(const SSL_CIPHER *, SSL_get_c
 DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return)
 DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return)
 DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return)
+
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return)
+DEFINEFUNC(int, EVP_PKEY_get_base_id, const EVP_PKEY *pkey, pkey, return -1, return)
+#else
 DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return)
+DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return)
+#endif // OPENSSL_VERSION_MAJOR >= 3
+
 DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return)
 DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return)
 DEFINEFUNC(SSL_CTX *, SSL_get_SSL_CTX, SSL *a, a, return nullptr, return)
@@ -492,9 +499,7 @@ DEFINEFUNC(DH *, DH_new, DUMMYARG, DUMMY
 DEFINEFUNC(void, DH_free, DH *dh, dh, return, DUMMYARG)
 DEFINEFUNC3(DH *, d2i_DHparams, DH**a, a, const unsigned char **pp, pp, long length, length, return nullptr, return)
 DEFINEFUNC2(int, i2d_DHparams, DH *a, a, unsigned char **p, p, return -1, return)
-#ifndef OPENSSL_NO_DEPRECATED_3_0
 DEFINEFUNC2(int, DH_check, DH *dh, dh, int *codes, codes, return 0, return)
-#endif // OPENSSL_NO_DEPRECATED_3_0
 DEFINEFUNC3(BIGNUM *, BN_bin2bn, const unsigned char *s, s, int len, len, BIGNUM *ret, ret, return nullptr, return)
 
 #ifndef OPENSSL_NO_EC
@@ -868,7 +873,6 @@ bool q_resolveOpenSslSymbols()
     RESOLVEFUNC(EVP_PKEY_CTX_new)
     RESOLVEFUNC(EVP_PKEY_param_check)
     RESOLVEFUNC(EVP_PKEY_CTX_free)
-    RESOLVEFUNC(EVP_PKEY_base_id)
     RESOLVEFUNC(RSA_bits)
     RESOLVEFUNC(OPENSSL_sk_new_null)
     RESOLVEFUNC(OPENSSL_sk_push)
@@ -1107,7 +1111,15 @@ bool q_resolveOpenSslSymbols()
     RESOLVEFUNC(SSL_version)
     RESOLVEFUNC(SSL_get_error)
     RESOLVEFUNC(SSL_get_peer_cert_chain)
+
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+    RESOLVEFUNC(SSL_get1_peer_certificate)
+    RESOLVEFUNC(EVP_PKEY_get_base_id)
+#else
     RESOLVEFUNC(SSL_get_peer_certificate)
+    RESOLVEFUNC(EVP_PKEY_base_id)
+#endif // OPENSSL_VERSION_MAJOR >= 3
+
     RESOLVEFUNC(SSL_get_verify_result)
     RESOLVEFUNC(SSL_new)
     RESOLVEFUNC(SSL_get_SSL_CTX)
@@ -1206,9 +1218,7 @@ bool q_resolveOpenSslSymbols()
     RESOLVEFUNC(DH_free)
     RESOLVEFUNC(d2i_DHparams)
     RESOLVEFUNC(i2d_DHparams)
-#ifndef OPENSSL_NO_DEPRECATED_3_0
     RESOLVEFUNC(DH_check)
-#endif // OPENSSL_NO_DEPRECATED_3_0
     RESOLVEFUNC(BN_bin2bn)
 
 #ifndef OPENSSL_NO_EC
--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
@@ -237,7 +237,6 @@ Q_AUTOTEST_EXPORT int q_EVP_PKEY_up_ref(
 EVP_PKEY_CTX *q_EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
 void q_EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
 int q_EVP_PKEY_param_check(EVP_PKEY_CTX *ctx);
-int q_EVP_PKEY_base_id(EVP_PKEY *a);
 int q_RSA_bits(RSA *a);
 Q_AUTOTEST_EXPORT int q_OPENSSL_sk_num(OPENSSL_STACK *a);
 Q_AUTOTEST_EXPORT void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *));
@@ -510,7 +509,6 @@ const SSL_CIPHER *q_SSL_get_current_ciph
 int q_SSL_version(const SSL *a);
 int q_SSL_get_error(SSL *a, int b);
 STACK_OF(X509) *q_SSL_get_peer_cert_chain(SSL *a);
-X509 *q_SSL_get_peer_certificate(SSL *a);
 long q_SSL_get_verify_result(const SSL *a);
 SSL *q_SSL_new(SSL_CTX *a);
 SSL_CTX *q_SSL_get_SSL_CTX(SSL *a);
@@ -582,10 +580,7 @@ DH *q_DH_new();
 void q_DH_free(DH *dh);
 DH *q_d2i_DHparams(DH **a, const unsigned char **pp, long length);
 int q_i2d_DHparams(DH *a, unsigned char **p);
-
-#ifndef OPENSSL_NO_DEPRECATED_3_0
 int q_DH_check(DH *dh, int *codes);
-#endif // OPENSSL_NO_DEPRECATED_3_0
 
 BIGNUM *q_BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
 #define q_SSL_CTX_set_tmp_dh(ctx, dh) q_SSL_CTX_ctrl((ctx), SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
@@ -754,6 +749,17 @@ void q_CRYPTO_free(void *str, const char
 int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
 void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
 
+// Here we have the ones that make difference between OpenSSL pre/post v3:
+#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
+X509 *q_SSL_get1_peer_certificate(SSL *a);
+#define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate
+int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
+#define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id
+#else
+X509 *q_SSL_get_peer_certificate(SSL *a);
+int q_EVP_PKEY_base_id(EVP_PKEY *a);
+#endif // OPENSSL_VERSION_MAJOR >= 3
+
 QT_END_NAMESPACE
 
 #endif