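--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@@ -71,6 +71,13 @@ static DH *get_dh1024()
     return dh;
 }
 
+static bool q_enableECSetCurves() {
+        // The ability to select elliptic curves is
+        // present in OpenSSL 1.0.2+ but not in LibreSSL.
+        // RFC4492 Section 5.1.1 "Supported Elliptic Curves Extension"
+        return q_SSLeay() >= 0x10002000L && !q_LibreSSL();
+}
+
 QSslContext::QSslContext()
     : ctx(0),
     pkey(0),
@@ -346,9 +353,9 @@ init_context:
 
     const QVector<QSslEllipticCurve> qcurves = sslContext->sslConfiguration.ellipticCurves();
     if (!qcurves.isEmpty()) {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC)
+#if defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC)
         // Set the curves to be used
-        if (q_SSLeay() >= 0x10002000L) {
+        if (q_enableECSetCurves()) {
             // SSL_CTX_ctrl wants a non-const pointer as last argument,
             // but let's avoid a copy into a temporary array
             if (!q_SSL_CTX_ctrl(sslContext->ctx,
@@ -359,10 +366,10 @@ init_context:
                 sslContext->errorCode = QSslError::UnspecifiedError;
             }
         } else
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC)
+#endif // defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC)
         {
             // specific curves requested, but not possible to set -> error
-            sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2"));
+            sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("This version of OpenSSL lacks support for selecting specific elliptic curves."));
             sslContext->errorCode = QSslError::UnspecifiedError;
         }
     }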
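Review bot: `q_enableECSetCurves()` (new lines 74-79) is defined unconditionally, but its only visible call site (line 358) is inside `#if defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC)`, so against headers that lack `SSL_CTRL_SET_CURVES` or with EC disabled the static function is unused and a build with `-Werror=unused-function` fails. Wrap the definition in the same guard: `#if defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC)` before line 74 and `#endif` after line 79. The same applies to `q_enableGetServerTmpKey()` in qsslsocket_openssl.cpp, whose call at line 1590 is under `#if defined(SSL_CTRL_GET_SERVER_TMP_KEY)`. The helper's comment should also say why LibreSSL is excluded even though it passes the numeric check — as far as I know LibreSSL reports a version number above 0x10002000L from `SSLeay()` while not honouring this ctrl, which is exactly why the runtime check alone used to be wrong; confirm before wording it.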
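--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -98,6 +98,13 @@ bool QSslSocketPrivate::s_loadRootCertsOnDemand = false;
 int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1;
 #endif
 
+static bool q_enableGetServerTmpKey() {
+        // The ability to get the ephemeral server key is
+        // present in OpenSSL 1.0.2+ but not in LibreSSL.
+        // RFC4492 Section 5.4 "Server Key Exchange"
+        return q_SSLeay() >= 0x10002000L && !q_LibreSSL();
+}
+
 /* \internal
 
     From OpenSSL's thread(3) manual page:
@@ -1579,13 +1586,13 @@ void QSslSocketBackendPrivate::continueHandshake()
     }
 #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ...
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-    if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) {
+#if defined(SSL_CTRL_GET_SERVER_TMP_KEY)
+    if (q_enableGetServerTmpKey() && mode == QSslSocket::SslClientMode) {
         EVP_PKEY *key;
         if (q_SSL_get_server_tmp_key(ssl, &key))
             configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey);
     }
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ...
+#endif // defined(SSL_CTRL_GET_SERVER_TMP_KEY) ...
 
     connectionEncrypted = true;
     emit q->encrypted();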
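Review bot: `q_enableGetServerTmpKey()` (new lines 101-106) evaluates the identical predicate `q_SSLeay() >= 0x10002000L && !q_LibreSSL()` as `q_enableECSetCurves()` in qsslcontext_openssl.cpp, with only the comment differing, so the two features can silently drift the next time one of the thresholds is adjusted. Consider a single shared helper declared next to `q_LibreSSL()` in qsslsocket_openssl_symbols_p.h (e.g. `bool q_SSLeay_isAtLeast102AndNotLibreSSL();`) and have both files call it, keeping the feature-specific RFC references as comments at the call sites. Note that this predicate now runs on every handshake in continueHandshake() via the `strncmp` in `q_LibreSSL()`; cheap, but a one-time evaluation would be cleaner. The helper body also uses 8-space indentation where the surrounding code uses 4.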
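--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -1006,6 +1006,11 @@ bool q_resolveOpenSslSymbols()
 #endif
     return true;
 }
+
+bool q_LibreSSL()
+{
+    return strncmp(q_SSLeay_version(SSLEAY_VERSION), "LibreSSL", 8) == 0;
+}
 #endif // !defined QT_LINKED_OPENSSL
 
 //==============================================================================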
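Review bot: `q_LibreSSL()` is defined at new lines 1010-1013, above the `#endif // !defined QT_LINKED_OPENSSL` at 1014, so if that `#endif` closes the conditional its comment names, the definition only exists in the dlopen build; the header (qsslsocket_openssl_symbols_p.h) declares it unconditionally after its own `#endif // !defined QT_LINKED_OPENSSL`, and both new callers use it, so a QT_LINKED_OPENSSL build should fail to link. Move the five added lines below the `#endif` at 1014 — they only depend on `q_SSLeay_version`, which presumably maps to the libssl function in that configuration (confirm). Whether `<string.h>`/`<cstring>` is already included for `strncmp` is outside the hunk. The conditional block the hunk sits in starts outside the hunk.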
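--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
@@ -215,6 +215,7 @@ QT_BEGIN_NAMESPACE
 #endif // !defined QT_LINKED_OPENSSL
 
 bool q_resolveOpenSslSymbols();
+bool q_LibreSSL();
 long q_ASN1_INTEGER_get(ASN1_INTEGER *a);
 unsigned char * q_ASN1_STRING_data(ASN1_STRING *a);
 int q_ASN1_STRING_length(ASN1_STRING *a);
@@ -489,9 +490,9 @@ size_t q_EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems);
 int q_EC_curve_nist2nid(const char *name);
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 #endif // OPENSSL_NO_EC
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if defined(SSL_CTRL_GET_SERVER_TMP_KEY)
 #define q_SSL_get_server_tmp_key(ssl, key) q_SSL_ctrl((ssl), SSL_CTRL_GET_SERVER_TMP_KEY, 0, (char *)key)
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+#endif // defined(SSL_CTRL_GET_SERVER_TMP_KEY)
 
 // PKCS#12 support
 int q_PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);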
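Review bot: The new declaration `bool q_LibreSSL();` at line 218 carries no comment on what it detects or when it is valid to call, although it now gates two security-relevant decisions (curve selection and ephemeral-key capture) in the .cpp files. Suggest `// True when the loaded TLS library identifies itself as LibreSSL (prefix of the SSLeay_version() string).` above it. In the dlopen build `q_SSLeay_version` is presumably a symbol resolved by `q_resolveOpenSslSymbols()`, so the comment should also state that the result is only meaningful after resolution has succeeded — confirm against the symbol-loading code, which is outside this hunk.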