qtnetwork-5.7.1-libressl.patch
diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslcontext_openssl.cpp qtbase-opensource-src-5.7.1/src/network/ssl/qsslcontext_openssl.cpp
--- qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslcontext_openssl.cpp 2017-02-05 11:52:45.100394264 -0800
+++ qtbase-opensource-src-5.7.1/src/network/ssl/qsslcontext_openssl.cpp 2017-02-05 11:57:21.159178021 -0800
@@ -71,6 +71,15 @@
return dh;
}
+static bool q_enableECSetCurves() {
+ // The ability to select elliptic curves is
+ // present in OpenSSL 1.0.2+ and in LibreSSL 2.5.1+
+ // RFC4492 Section 5.1.1 "Supported Elliptic Curves Extension"
+ return (q_SSLeay() >= 0x10002000L && !q_LibreSSL()) ||
+ q_LibreSSL_version() >= 0x2050100fL;
+}
+
+
QSslContext::QSslContext()
: ctx(0),
pkey(0),
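Review bot: The new q_enableECSetCurves mixes a runtime probe with a build-time constant: q_SSLeay() reports the library actually loaded, but q_LibreSSL_version() (defined in the qsslsocket_openssl_symbols.cpp hunk) returns LIBRESSL_VERSION_NUMBER from the headers, so a build against LibreSSL 2.5.1+ headers returns true whatever library is resolved at runtime, including an older LibreSSL or an OpenSSL 1.0.1 that has no curve-selection support. At minimum the second clause should also require the runtime name check, `q_LibreSSL() && q_LibreSSL_version() >= 0x2050100fL`, and the comment should say why the `!q_LibreSSL()` guard is there (LibreSSL's SSLeay() reportedly returns a fixed 0x20000000L rather than a comparable version number). The same body is duplicated as q_enableGetServerTmpKey in the qsslsocket_openssl.cpp hunk; one shared predicate declared next to q_LibreSSL() in qsslsocket_openssl_symbols_p.h would keep the two from drifting.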
@@ -347,23 +356,20 @@
const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves();
if (!qcurves.isEmpty()) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC)
+#if defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC)
// Set the curves to be used
- if (q_SSLeay() >= 0x10002000L) {
- // SSL_CTX_ctrl wants a non-const pointer as last argument,
- // but let's avoid a copy into a temporary array
- if (!q_SSL_CTX_ctrl(sslContext->ctx,
- SSL_CTRL_SET_CURVES,
- qcurves.size(),
- const_cast<int *>(reinterpret_cast<const int *>(qcurves.data())))) {
+ if (q_enableECSetCurves()) {
+ if (!q_SSL_CTX_set1_groups(sslContext->ctx,
+ reinterpret_cast<const int *>(qcurves.data()),
+ qcurves.size())) {
sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl());
sslContext->errorCode = QSslError::UnspecifiedError;
}
} else
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC)
+#endif // defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC)
{
// specific curves requested, but not possible to set -> error
- sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2"));
+ sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("This version of OpenSSL lacks support for selecting specific elliptic curves."));
sslContext->errorCode = QSslError::UnspecifiedError;
}
}
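Review bot: Replacing the SSL_CTX_ctrl call with q_SSL_CTX_set1_groups likely breaks curve selection on OpenSSL itself: the symbol is resolved at runtime by RESOLVEFUNC in the qsslsocket_openssl_symbols.cpp hunks, but in the OpenSSL 1.0.2/1.1.x line SSL_CTX_set1_groups and SSL_CTX_set1_curves are, as far as I know, preprocessor macros over SSL_CTX_ctrl rather than exported functions, so the lookup fails, the DEFINEFUNC3 stub returns 0, and every OpenSSL user who configures curves lands in the error branch the old code only reached on a real failure. The exported function does exist in LibreSSL 2.5.1+, so dispatch on q_LibreSSL() and keep the ctrl path for OpenSSL. The enclosing function continues outside the hunk.
```cpp
        if (q_enableECSetCurves()) {
            const int *curves = reinterpret_cast<const int *>(qcurves.data());
            bool ok = false;
            if (q_LibreSSL()) {
                // LibreSSL 2.5.1+ exports SSL_CTX_set1_groups as a real symbol
                ok = q_SSL_CTX_set1_groups(sslContext->ctx, curves, qcurves.size()) != 0;
            } else {
                // OpenSSL only offers this through SSL_CTX_ctrl, which wants a
                // non-const pointer as last argument; avoid a temporary copy
                ok = q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_CURVES,
                                    qcurves.size(), const_cast<int *>(curves)) != 0;
            }
            if (!ok) {
                // … unchanged: errorStr / errorCode assignment …
            }
        } else
```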
diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl.cpp qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl.cpp
--- qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl.cpp 2017-02-05 11:52:45.098394244 -0800
+++ qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl.cpp 2017-02-05 11:52:58.870533121 -0800
@@ -98,6 +98,14 @@
int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1;
#endif
+static bool q_enableGetServerTmpKey() {
+ // The ability to get the ephemeral server key is
+ // present in OpenSSL 1.0.2+ and in LibreSSL 2.5.1+
+ // RFC4492 Section 5.4 "Server Key Exchange"
+ return (q_SSLeay() >= 0x10002000L && !q_LibreSSL()) ||
+ q_LibreSSL_version() >= 0x2050100fL;
+}
+
/* \internal
From OpenSSL's thread(3) manual page:
@@ -1587,13 +1595,13 @@
}
#endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ...
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
- if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) {
+#if defined(SSL_CTRL_GET_SERVER_TMP_KEY)
+ if (q_enableGetServerTmpKey() && mode == QSslSocket::SslClientMode) {
EVP_PKEY *key;
if (q_SSL_get_server_tmp_key(ssl, &key))
configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey);
}
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ...
+#endif // defined(SSL_CTRL_GET_SERVER_TMP_KEY)
connectionEncrypted = true;
emit q->encrypted();
diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl_symbols.cpp qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols.cpp
--- qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl_symbols.cpp 2017-02-05 11:52:45.102394284 -0800
+++ qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols.cpp 2017-02-05 11:56:53.848902627 -0800
@@ -247,6 +247,7 @@
DEFINEFUNC(int, SSL_connect, SSL *a, a, return -1, return)
DEFINEFUNC(int, SSL_CTX_check_private_key, const SSL_CTX *a, a, return -1, return)
DEFINEFUNC4(long, SSL_CTX_ctrl, SSL_CTX *a, a, int b, b, long c, c, void *d, d, return -1, return)
+DEFINEFUNC3(int, SSL_CTX_set1_groups, SSL_CTX *a, a, const int* b, b, size_t c, c, return 0, return)
DEFINEFUNC(void, SSL_CTX_free, SSL_CTX *a, a, return, DUMMYARG)
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
DEFINEFUNC(SSL_CTX *, SSL_CTX_new, const SSL_METHOD *a, a, return 0, return)
@@ -846,6 +847,7 @@
RESOLVEFUNC(SSL_CIPHER_get_bits)
RESOLVEFUNC(SSL_CTX_check_private_key)
RESOLVEFUNC(SSL_CTX_ctrl)
+ RESOLVEFUNC(SSL_CTX_set1_groups)
RESOLVEFUNC(SSL_CTX_free)
RESOLVEFUNC(SSL_CTX_new)
RESOLVEFUNC(SSL_CTX_set_cipher_list)
@@ -1006,6 +1008,20 @@
#endif
return true;
}
+
+bool q_LibreSSL()
+{
+ return strncmp(q_SSLeay_version(SSLEAY_VERSION), "LibreSSL", 8) == 0;
+}
+
+long q_LibreSSL_version()
+{
+#ifdef LIBRESSL_VERSION_NUMBER
+ return LIBRESSL_VERSION_NUMBER;
+#else
+ return 0L;
+#endif
+}
#endif // !defined QT_LINKED_OPENSSL
//==============================================================================
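Review bot: q_LibreSSL() and q_LibreSSL_version() are defined just before `#endif // !defined QT_LINKED_OPENSSL`, i.e. inside one branch of that conditional, while the qsslsocket_openssl_symbols_p.h hunk declares them unconditionally and both callers (q_enableECSetCurves, q_enableGetServerTmpKey) are unconditional; unless the other branch defines them too (not visible in this hunk), the other build configuration fails to link, so they should move outside the conditional. q_LibreSSL_version() returns the header constant LIBRESSL_VERSION_NUMBER, not the version of the library actually resolved, which is what the dynamically-loaded build cares about; the string from q_SSLeay_version(SSLEAY_VERSION) is the runtime source, and a doc comment should state which of the two this function reports. q_LibreSSL() also passes q_SSLeay_version's result straight to strncmp; if that symbol failed to resolve the stub presumably yields a null pointer, so guard it: `const char *v = q_SSLeay_version(SSLEAY_VERSION); return v && strncmp(v, "LibreSSL", 8) == 0;`.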
diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl_symbols_p.h qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols_p.h
--- qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl_symbols_p.h 2017-02-05 11:52:45.100394264 -0800
+++ qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols_p.h 2017-02-05 11:52:58.871533131 -0800
@@ -215,6 +215,8 @@
#endif // !defined QT_LINKED_OPENSSL
bool q_resolveOpenSslSymbols();
+bool q_LibreSSL();
+long q_LibreSSL_version();
long q_ASN1_INTEGER_get(ASN1_INTEGER *a);
unsigned char * q_ASN1_STRING_data(ASN1_STRING *a);
int q_ASN1_STRING_length(ASN1_STRING *a);
@@ -327,6 +329,7 @@
int q_SSL_connect(SSL *a);
int q_SSL_CTX_check_private_key(const SSL_CTX *a);
long q_SSL_CTX_ctrl(SSL_CTX *a, int b, long c, void *d);
+int q_SSL_CTX_set1_groups(SSL_CTX *a, const int* b, size_t c);
void q_SSL_CTX_free(SSL_CTX *a);
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
SSL_CTX *q_SSL_CTX_new(const SSL_METHOD *a);
@@ -489,9 +492,9 @@
int q_EC_curve_nist2nid(const char *name);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
#endif // OPENSSL_NO_EC
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if defined(SSL_CTRL_GET_SERVER_TMP_KEY)
#define q_SSL_get_server_tmp_key(ssl, key) q_SSL_ctrl((ssl), SSL_CTRL_GET_SERVER_TMP_KEY, 0, (char *)key)
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+#endif // defined(SSL_CTRL_GET_SERVER_TMP_KEY)
// PKCS#12 support
int q_PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);