--- qtbase-opensource-src-5.7.1/src/network/ssl/qsslcertificate_openssl.cpp 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslcertificate_openssl.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -1,6 +1,7 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2016 Richard J. Moore ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -64,12 +65,14 @@ uint qHash(const QSslCertificate &key, uint seed) Q_DECL_NOTHROW { if (X509 * const x509 = key.d->x509) { - (void)q_X509_cmp(x509, x509); // populate x509->sha1_hash - // (if someone knows a better way...) - return qHashBits(x509->sha1_hash, SHA_DIGEST_LENGTH, seed); - } else { - return seed; + const EVP_MD *sha1 = q_EVP_sha1(); + unsigned int len = 0; + unsigned char md[EVP_MAX_MD_SIZE]; + q_X509_digest(x509, sha1, md, &len); + return qHashBits(md, len, seed); } + + return seed; } bool QSslCertificate::isNull() const @@ -89,8 +92,7 @@ { QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); if (d->versionString.isEmpty() && d->x509) - d->versionString = - QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); + d->versionString = QByteArray::number(qlonglong(q_X509_get_version(d->x509)) + 1); return d->versionString; } @@ -99,7 +101,7 @@ { QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); if (d->serialNumberString.isEmpty() && d->x509) { - ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber; + ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509); QByteArray hexString; hexString.reserve(serialNumber->length * 3); for (int a = 0; a < serialNumber->length; ++a) { @@ -199,14 +201,15 @@ continue; } - const char *altNameStr = reinterpret_cast(q_ASN1_STRING_data(genName->d.ia5)); + const char *altNameStr = reinterpret_cast(q_ASN1_STRING_get0_data(genName->d.ia5)); const QString altName = QString::fromLatin1(altNameStr, len); if (genName->type == GEN_DNS) result.insert(QSsl::DnsEntry, altName); else if (genName->type == GEN_EMAIL) result.insert(QSsl::EmailEntry, altName); } - q_sk_pop_free((STACK*)altNames, reinterpret_cast(q_sk_free)); + + q_OPENSSL_sk_pop_free((OPENSSL_STACK*)altNames, reinterpret_cast(q_OPENSSL_sk_free)); } return result; @@ -235,25 +238,26 @@ QSslKey key; key.d->type = QSsl::PublicKey; - X509_PUBKEY *xkey = d->x509->cert_info->key; - EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey); + + EVP_PKEY *pkey = q_X509_get_pubkey(d->x509); Q_ASSERT(pkey); + const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); - if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) { + if (keyType == EVP_PKEY_RSA) { key.d->rsa = q_EVP_PKEY_get1_RSA(pkey); key.d->algorithm = QSsl::Rsa; key.d->isNull = false; - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { + } else if (keyType == EVP_PKEY_DSA) { key.d->dsa = q_EVP_PKEY_get1_DSA(pkey); key.d->algorithm = QSsl::Dsa; key.d->isNull = false; #ifndef OPENSSL_NO_EC - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_EC) { + } else if (keyType == EVP_PKEY_EC) { key.d->ec = q_EVP_PKEY_get1_EC_KEY(pkey); key.d->algorithm = QSsl::Ec; key.d->isNull = false; #endif - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) { + } else if (keyType == EVP_PKEY_DH) { // DH unsupported } else { // error? @@ -275,7 +279,7 @@ X509V3_EXT_METHOD *meth = const_cast(q_X509V3_EXT_get(ext)); if (!meth) { ASN1_OCTET_STRING *value = q_X509_EXTENSION_get_data(ext); - QByteArray result( reinterpret_cast(q_ASN1_STRING_data(value)), + QByteArray result( reinterpret_cast(q_ASN1_STRING_get0_data(value)), q_ASN1_STRING_length(value)); return result; } @@ -371,7 +375,7 @@ continue; } - const char *uriStr = reinterpret_cast(q_ASN1_STRING_data(name->d.uniformResourceIdentifier)); + const char *uriStr = reinterpret_cast(q_ASN1_STRING_get0_data(name->d.uniformResourceIdentifier)); const QString uri = QString::fromUtf8(uriStr, len); result[QString::fromUtf8(QSslCertificatePrivate::asn1ObjectName(ad->method))] = uri; @@ -380,11 +384,7 @@ } } -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - q_sk_pop_free((_STACK*)info, reinterpret_cast(q_sk_free)); -#else - q_sk_pop_free((STACK*)info, reinterpret_cast(q_sk_free)); -#endif + q_OPENSSL_sk_pop_free((OPENSSL_STACK*)info, reinterpret_cast(q_OPENSSL_sk_free)); return result; } break; @@ -607,7 +607,11 @@ unsigned char *data = 0; int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e)); info.insertMulti(name, QString::fromUtf8((char*)data, size)); +#ifdef OPENSSL_API_COMPAT + q_CRYPTO_free(data, 0, 0); +#else q_CRYPTO_free(data); +#endif } return info; @@ -619,8 +623,9 @@ if (!x509 || !QSslSocket::supportsSsl()) return certificate; - ASN1_TIME *nbef = q_X509_get_notBefore(x509); - ASN1_TIME *naft = q_X509_get_notAfter(x509); + ASN1_TIME *nbef = q_X509_getm_notBefore(x509); + ASN1_TIME *naft = q_X509_getm_notAfter(x509); + certificate.d->notValidBefore = q_getTimeFromASN1(nbef); certificate.d->notValidAfter = q_getTimeFromASN1(naft); certificate.d->null = false; --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslcontext_openssl.cpp 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslcontext_openssl.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ** Copyright (C) 2014 Governikus GmbH & Co. KG. ** Contact: https://www.qt.io/licensing/ @@ -41,36 +41,14 @@ #include -#include #include "private/qssl_p.h" #include "private/qsslcontext_openssl_p.h" -#include "private/qsslsocket_p.h" #include "private/qsslsocket_openssl_p.h" #include "private/qsslsocket_openssl_symbols_p.h" QT_BEGIN_NAMESPACE -// defined in qsslsocket_openssl.cpp: -extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); -extern QString getErrorsFromOpenSsl(); - -static DH *get_dh1024() -{ - // Default DH params - // 1024-bit MODP Group - // From RFC 2409 - QByteArray params = QByteArray::fromBase64( - QByteArrayLiteral("MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR" \ - "Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL" \ - "/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC")); - - const char *ptr = params.constData(); - DH *dh = q_d2i_DHparams(NULL, reinterpret_cast(&ptr), params.length()); - - return dh; -} - QSslContext::QSslContext() : ctx(0), pkey(0), @@ -92,283 +70,6 @@ q_SSL_SESSION_free(session); } -static inline QString msgErrorSettingEllipticCurves(const QString &why) -{ - return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); -} - -// static -void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) -{ - sslContext->sslConfiguration = configuration; - sslContext->errorCode = QSslError::NoError; - - bool client = (mode == QSslSocket::SslClientMode); - - bool reinitialized = false; - bool unsupportedProtocol = false; -init_context: - switch (sslContext->sslConfiguration.protocol()) { - case QSsl::SslV2: -#ifndef OPENSSL_NO_SSL2 - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method()); -#else - // SSL 2 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::SslV3: -#ifndef OPENSSL_NO_SSL3_METHOD - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method()); -#else - // SSL 3 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::SecureProtocols: - // SSLv2 and SSLv3 will be disabled by SSL options - // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32. - case QSsl::TlsV1SslV3: - // SSLv2 will will be disabled by SSL options - case QSsl::AnyProtocol: - default: - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); - break; - case QSsl::TlsV1_0: - sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method()); - break; - case QSsl::TlsV1_1: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method()); -#else - // TLS 1.1 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::TlsV1_2: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method()); -#else - // TLS 1.2 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - case QSsl::TlsV1_0OrLater: - // Specific protocols will be specified via SSL options. - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); - break; - case QSsl::TlsV1_1OrLater: - case QSsl::TlsV1_2OrLater: -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - // Specific protocols will be specified via SSL options. - sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); -#else - // TLS 1.1/1.2 not supported by the system, but chosen deliberately -> error - sslContext->ctx = 0; - unsupportedProtocol = true; -#endif - break; - } - - if (!sslContext->ctx) { - // After stopping Flash 10 the SSL library looses its ciphers. Try re-adding them - // by re-initializing the library. - if (!reinitialized) { - reinitialized = true; - if (q_SSL_library_init() == 1) - goto init_context; - } - - sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( - unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() - ); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - // Enable bug workarounds. - long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); - q_SSL_CTX_set_options(sslContext->ctx, options); - -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - // Tell OpenSSL to release memory early - // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html - if (q_SSLeay() >= 0x10000000L) - q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); -#endif - - // Initialize ciphers - QByteArray cipherString; - bool first = true; - QList ciphers = sslContext->sslConfiguration.ciphers(); - if (ciphers.isEmpty()) - ciphers = QSslSocketPrivate::defaultCiphers(); - for (const QSslCipher &cipher : qAsConst(ciphers)) { - if (first) - first = false; - else - cipherString.append(':'); - cipherString.append(cipher.name().toLatin1()); - } - - if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { - sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - const QDateTime now = QDateTime::currentDateTimeUtc(); - - // Add all our CAs to this store. - const auto caCertificates = sslContext->sslConfiguration.caCertificates(); - for (const QSslCertificate &caCertificate : caCertificates) { - // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: - // - // If several CA certificates matching the name, key identifier, and - // serial number condition are available, only the first one will be - // examined. This may lead to unexpected results if the same CA - // certificate is available with different expiration dates. If a - // ``certificate expired'' verification error occurs, no other - // certificate will be searched. Make sure to not have expired - // certificates mixed with valid ones. - // - // See also: QSslSocketBackendPrivate::verify() - if (caCertificate.expiryDate() >= now) { - q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); - } - } - - if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { - // tell OpenSSL the directories where to look up the root certs on demand - const QList unixDirs = QSslSocketPrivate::unixRootCertDirectories(); - for (const QByteArray &unixDir : unixDirs) - q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDir.constData()); - } - - if (!sslContext->sslConfiguration.localCertificate().isNull()) { - // Require a private key as well. - if (sslContext->sslConfiguration.privateKey().isNull()) { - sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - // Load certificate - if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { - sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { - sslContext->pkey = reinterpret_cast(configuration.d->privateKey.handle()); - } else { - // Load private key - sslContext->pkey = q_EVP_PKEY_new(); - // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. - // this lead to a memory leak. Now we use the *_set1_* functions which do not - // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. - if (configuration.d->privateKey.algorithm() == QSsl::Rsa) - q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); - else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) - q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); -#ifndef OPENSSL_NO_EC - else if (configuration.d->privateKey.algorithm() == QSsl::Ec) - q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); -#endif - } - - if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { - sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - if (configuration.d->privateKey.algorithm() == QSsl::Opaque) - sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey - - // Check if the certificate matches the private key. - if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { - sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - return; - } - - // If we have any intermediate certificates then we need to add them to our chain - bool first = true; - for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { - if (first) { - first = false; - continue; - } - q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, - q_X509_dup(reinterpret_cast(cert.handle()))); - } - } - - // Initialize peer verification. - if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { - q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0); - } else { - q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); - } - - // Set verification depth. - if (sslContext->sslConfiguration.peerVerifyDepth() != 0) - q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); - - // set persisted session if the user set it - if (!configuration.sessionTicket().isEmpty()) - sslContext->setSessionASN1(configuration.sessionTicket()); - - // Set temp DH params - DH *dh = 0; - dh = get_dh1024(); - q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); - q_DH_free(dh); - -#ifndef OPENSSL_NO_EC -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L) { - q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); - } else -#endif - { - // Set temp ECDH params - EC_KEY *ecdh = 0; - ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); - q_EC_KEY_free(ecdh); - } -#endif // OPENSSL_NO_EC - - const QVector qcurves = sslContext->sslConfiguration.ellipticCurves(); - if (!qcurves.isEmpty()) { -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) - // Set the curves to be used - if (q_SSLeay() >= 0x10002000L) { - // SSL_CTX_ctrl wants a non-const pointer as last argument, - // but let's avoid a copy into a temporary array - if (!q_SSL_CTX_ctrl(sslContext->ctx, - SSL_CTRL_SET_CURVES, - qcurves.size(), - const_cast(reinterpret_cast(qcurves.data())))) { - sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); - sslContext->errorCode = QSslError::UnspecifiedError; - } - } else -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) - { - // specific curves requested, but not possible to set -> error - sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2")); - sslContext->errorCode = QSslError::UnspecifiedError; - } - } -} - QSslContext* QSslContext::fromConfiguration(QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) { QSslContext *sslContext = new QSslContext(); @@ -458,6 +159,23 @@ m_npnContext.data = reinterpret_cast(m_supportedNPNVersions.data()); m_npnContext.len = m_supportedNPNVersions.count(); m_npnContext.status = QSslConfiguration::NextProtocolNegotiationNone; +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) { + // Callback's type has a parameter 'const unsigned char ** out' + // since it was introduced in 1.0.2. Internally, OpenSSL's own code + // (tests/examples) cast it to unsigned char * (since it's 'out'). + // We just re-use our NPN callback and cast here: + typedef int (*alpn_callback_t) (SSL *, const unsigned char **, unsigned char *, + const unsigned char *, unsigned int, void *); + // With ALPN callback is for a server side only, for a client m_npnContext.status + // will stay in NextProtocolNegotiationNone. + q_SSL_CTX_set_alpn_select_cb(ctx, alpn_callback_t(next_proto_cb), &m_npnContext); + // Client: + q_SSL_set_alpn_protos(ssl, m_npnContext.data, m_npnContext.len); + } +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... + + // And in case our peer does not support ALPN, but supports NPN: q_SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &m_npnContext); } #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... @@ -487,7 +205,7 @@ unsigned char *data = reinterpret_cast(m_sessionASN1.data()); if (!q_i2d_SSL_SESSION(session, &data)) qCWarning(lcSsl, "could not store persistent version of SSL session"); - m_sessionTicketLifeTimeHint = session->tlsext_tick_lifetime_hint; + m_sessionTicketLifeTimeHint = q_SSL_SESSION_get_ticket_lifetime_hint(session); } } --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslcontext_openssl11.cpp 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslcontext_openssl11.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1,277 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Copyright (C) 2014 Governikus GmbH & Co. KG. +** Copyright (C) 2016 Richard J. Moore +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +#include +#include + +#include "private/qssl_p.h" +#include "private/qsslcontext_openssl_p.h" +#include "private/qsslsocket_p.h" +#include "private/qsslsocket_openssl_p.h" +#include "private/qsslsocket_openssl_symbols_p.h" +#include "private/qssldiffiehellmanparameters_p.h" + +#include + +QT_BEGIN_NAMESPACE + +// defined in qsslsocket_openssl.cpp: +extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); +extern QString getErrorsFromOpenSsl(); + +static inline QString msgErrorSettingEllipticCurves(const QString &why) +{ + return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); +} + +// static +void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) +{ + sslContext->sslConfiguration = configuration; + sslContext->errorCode = QSslError::NoError; + + bool client = (mode == QSslSocket::SslClientMode); + + bool reinitialized = false; + bool unsupportedProtocol = false; +init_context: + if (sslContext->sslConfiguration.protocol() == QSsl::SslV2) { + // SSL 2 is no longer supported, but chosen deliberately -> error + sslContext->ctx = nullptr; + unsupportedProtocol = true; + } else { + // The ssl options will actually control the supported methods + sslContext->ctx = q_SSL_CTX_new(client ? q_TLS_client_method() : q_TLS_server_method()); + } + + if (!sslContext->ctx) { + // After stopping Flash 10 the SSL library loses its ciphers. Try re-adding them + // by re-initializing the library. + if (!reinitialized) { + reinitialized = true; + if (q_OPENSSL_init_ssl(0, nullptr) == 1) + goto init_context; + } + + sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( + unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() + ); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // Enable bug workarounds. + long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); + q_SSL_CTX_set_options(sslContext->ctx, options); + + // Tell OpenSSL to release memory early + // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html + q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); + + // Initialize ciphers + QByteArray cipherString; + bool first = true; + QList ciphers = sslContext->sslConfiguration.ciphers(); + if (ciphers.isEmpty()) + ciphers = QSslSocketPrivate::defaultCiphers(); + for (const QSslCipher &cipher : qAsConst(ciphers)) { + if (first) + first = false; + else + cipherString.append(':'); + cipherString.append(cipher.name().toLatin1()); + } + + if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { + sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + const QDateTime now = QDateTime::currentDateTimeUtc(); + + // Add all our CAs to this store. + const auto caCertificates = sslContext->sslConfiguration.caCertificates(); + for (const QSslCertificate &caCertificate : caCertificates) { + // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: + // + // If several CA certificates matching the name, key identifier, and + // serial number condition are available, only the first one will be + // examined. This may lead to unexpected results if the same CA + // certificate is available with different expiration dates. If a + // ``certificate expired'' verification error occurs, no other + // certificate will be searched. Make sure to not have expired + // certificates mixed with valid ones. + // + // See also: QSslSocketBackendPrivate::verify() + if (caCertificate.expiryDate() >= now) { + q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); + } + } + + if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { + // tell OpenSSL the directories where to look up the root certs on demand + const QList unixDirs = QSslSocketPrivate::unixRootCertDirectories(); + for (const QByteArray &unixDir : unixDirs) + q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData()); + } + + if (!sslContext->sslConfiguration.localCertificate().isNull()) { + // Require a private key as well. + if (sslContext->sslConfiguration.privateKey().isNull()) { + sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // Load certificate + if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { + sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { + sslContext->pkey = reinterpret_cast(configuration.d->privateKey.handle()); + } else { + // Load private key + sslContext->pkey = q_EVP_PKEY_new(); + // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. + // this lead to a memory leak. Now we use the *_set1_* functions which do not + // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. + if (configuration.d->privateKey.algorithm() == QSsl::Rsa) + q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); + else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) + q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); +#ifndef OPENSSL_NO_EC + else if (configuration.d->privateKey.algorithm() == QSsl::Ec) + q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); +#endif + } + + if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { + sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + if (configuration.d->privateKey.algorithm() == QSsl::Opaque) + sslContext->pkey = nullptr; // Don't free the private key, it belongs to QSslKey + + // Check if the certificate matches the private key. + if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { + sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + // If we have any intermediate certificates then we need to add them to our chain + bool first = true; + for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { + if (first) { + first = false; + continue; + } + q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, + q_X509_dup(reinterpret_cast(cert.handle()))); + } + } + + // Initialize peer verification. + if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { + q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, nullptr); + } else { + q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); + } + + // Set verification depth. + if (sslContext->sslConfiguration.peerVerifyDepth() != 0) + q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); + + // set persisted session if the user set it + if (!configuration.sessionTicket().isEmpty()) + sslContext->setSessionASN1(configuration.sessionTicket()); + + // Set temp DH params + QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); + + if (!dhparams.isValid()) { + sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); + sslContext->errorCode = QSslError::UnspecifiedError; + return; + } + + if (!dhparams.isEmpty()) { + const QByteArray ¶ms = dhparams.d->derData; + const char *ptr = params.constData(); + DH *dh = q_d2i_DHparams(NULL, reinterpret_cast(&ptr), params.length()); + if (dh == NULL) + qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); + q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); + q_DH_free(dh); + } + +#ifndef OPENSSL_NO_PSK + if (!client) + q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); +#endif // !OPENSSL_NO_PSK + + const QVector qcurves = sslContext->sslConfiguration.ellipticCurves(); + if (!qcurves.isEmpty()) { +#ifdef OPENSSL_NO_EC + sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version with disabled elliptic curves")); + sslContext->errorCode = QSslError::UnspecifiedError; +#else + // Set the curves to be used. + std::vector curves; + curves.reserve(qcurves.size()); + for (const auto &sslCurve : qcurves) + curves.push_back(sslCurve.id); + if (!q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_CURVES, long(curves.size()), &curves[0])) { + sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + } +#endif + } +} + +QT_END_NAMESPACE --- qtbase-opensource-src-5.7.1/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1,186 @@ +/**************************************************************************** +** +** Copyright (C) 2015 Mikkel Krautz +** Copyright (C) 2016 Richard J. Moore +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +#include "qssldiffiehellmanparameters.h" +#include "qssldiffiehellmanparameters_p.h" +#include "qsslsocket_openssl_symbols_p.h" +#include "qsslsocket.h" +#include "qsslsocket_p.h" + +#include +#include +#include +#ifndef QT_NO_DEBUG_STREAM +#include +#endif + +#include +#include + +QT_BEGIN_NAMESPACE + +static bool isSafeDH(DH *dh) +{ + int status = 0; + int bad = 0; + + QSslSocketPrivate::ensureInitialized(); + + + // From https://wiki.openssl.org/index.php/Diffie-Hellman_parameters: + // + // The additional call to BN_mod_word(dh->p, 24) + // (and unmasking of DH_NOT_SUITABLE_GENERATOR) + // is performed to ensure your program accepts + // IETF group parameters. OpenSSL checks the prime + // is congruent to 11 when g = 2; while the IETF's + // primes are congruent to 23 when g = 2. + // Without the test, the IETF parameters would + // fail validation. For details, see Diffie-Hellman + // Parameter Check (when g = 2, must p mod 24 == 11?). +#ifdef OPENSSL_API_COMPAT + // Mark p < 1024 bits as unsafe. + if (q_DH_bits(dh) < 1024) + return false; + + if (q_DH_check(dh, &status) != 1) + return false; + + const BIGNUM *p = nullptr; + const BIGNUM *q = nullptr; + const BIGNUM *g = nullptr; + q_DH_get0_pqg(dh, &p, &q, &g); + + if (q_BN_is_word(const_cast(g), DH_GENERATOR_2)) { + long residue = q_BN_mod_word(p, 24); + if (residue == 11 || residue == 23) + status &= ~DH_NOT_SUITABLE_GENERATOR; + } + +#else + // Mark p < 1024 bits as unsafe. + if (q_BN_num_bits(dh->p) < 1024) + return false; + + if (q_DH_check(dh, &status) != 1) + return false; + + if (q_BN_is_word(dh->g, DH_GENERATOR_2)) { + long residue = q_BN_mod_word(dh->p, 24); + if (residue == 11 || residue == 23) + status &= ~DH_NOT_SUITABLE_GENERATOR; + } +#endif + + bad |= DH_CHECK_P_NOT_PRIME; + bad |= DH_CHECK_P_NOT_SAFE_PRIME; + bad |= DH_NOT_SUITABLE_GENERATOR; + + return !(status & bad); +} + +void QSslDiffieHellmanParametersPrivate::decodeDer(const QByteArray &der) +{ + if (der.isEmpty()) { + error = QSslDiffieHellmanParameters::InvalidInputDataError; + return; + } + + const unsigned char *data = reinterpret_cast(der.data()); + int len = der.size(); + + QSslSocketPrivate::ensureInitialized(); + + DH *dh = q_d2i_DHparams(NULL, &data, len); + if (dh) { + if (isSafeDH(dh)) + derData = der; + else + error = QSslDiffieHellmanParameters::UnsafeParametersError; + } else { + error = QSslDiffieHellmanParameters::InvalidInputDataError; + } + + q_DH_free(dh); +} + +void QSslDiffieHellmanParametersPrivate::decodePem(const QByteArray &pem) +{ + if (pem.isEmpty()) { + error = QSslDiffieHellmanParameters::InvalidInputDataError; + return; + } + + if (!QSslSocket::supportsSsl()) { + error = QSslDiffieHellmanParameters::InvalidInputDataError; + return; + } + + QSslSocketPrivate::ensureInitialized(); + + BIO *bio = q_BIO_new_mem_buf(const_cast(pem.data()), pem.size()); + if (!bio) { + error = QSslDiffieHellmanParameters::InvalidInputDataError; + return; + } + + DH *dh = Q_NULLPTR; + q_PEM_read_bio_DHparams(bio, &dh, 0, 0); + + if (dh) { + if (isSafeDH(dh)) { + char *buf = Q_NULLPTR; + int len = q_i2d_DHparams(dh, reinterpret_cast(&buf)); + if (len > 0) + derData = QByteArray(buf, len); + else + error = QSslDiffieHellmanParameters::InvalidInputDataError; + } else { + error = QSslDiffieHellmanParameters::UnsafeParametersError; + } + } else { + error = QSslDiffieHellmanParameters::InvalidInputDataError; + } + + q_DH_free(dh); + q_BIO_free(bio); +} + +QT_END_NAMESPACE --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslellipticcurve.h 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslellipticcurve.h 2017-11-30 07:49:46.000000000 -0600 @@ -64,8 +64,8 @@ Q_NETWORK_EXPORT static QSslEllipticCurve fromShortName(const QString &name); Q_NETWORK_EXPORT static QSslEllipticCurve fromLongName(const QString &name); - Q_NETWORK_EXPORT QString shortName() const Q_REQUIRED_RESULT; - Q_NETWORK_EXPORT QString longName() const Q_REQUIRED_RESULT; + Q_REQUIRED_RESULT Q_NETWORK_EXPORT QString shortName() const; + Q_REQUIRED_RESULT Q_NETWORK_EXPORT QString longName() const; Q_DECL_CONSTEXPR bool isValid() const Q_DECL_NOTHROW { @@ -80,6 +80,7 @@ friend Q_DECL_CONSTEXPR bool operator==(QSslEllipticCurve lhs, QSslEllipticCurve rhs) Q_DECL_NOTHROW; friend Q_DECL_CONSTEXPR uint qHash(QSslEllipticCurve curve, uint seed) Q_DECL_NOTHROW; + friend class QSslContext; friend class QSslSocketPrivate; friend class QSslSocketBackendPrivate; }; --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslellipticcurve_openssl.cpp 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslellipticcurve_openssl.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -1,6 +1,7 @@ /**************************************************************************** ** ** Copyright (C) 2014 Governikus GmbH & Co. KG. +** Copyright (C) 2016 Richard J. Moore ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -78,17 +79,18 @@ QSslEllipticCurve result; #ifndef OPENSSL_NO_EC - const QByteArray curveNameLatin1 = name.toLatin1(); + const QByteArray curveNameLatin1 = name.toLatin1(); int nid = q_OBJ_sn2nid(curveNameLatin1.data()); #if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (nid == 0 && q_SSLeay() >= 0x10002000L) + if (nid == 0 && QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) nid = q_EC_curve_nist2nid(curveNameLatin1.data()); #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L result.id = nid; -#endif + +#endif // !OPENSSL_NO_EC return result; } --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslkey_openssl.cpp 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslkey_openssl.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -1,6 +1,7 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2016 Richard J. Moore ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -84,33 +85,33 @@ bool QSslKeyPrivate::fromEVP_PKEY(EVP_PKEY *pkey) { - if (pkey->type == EVP_PKEY_RSA) { + if (pkey == nullptr) + return false; + +#ifdef OPENSSL_API_COMPAT + const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); +#else + const int keyType = pkey->type; +#endif + if (keyType == EVP_PKEY_RSA) { isNull = false; algorithm = QSsl::Rsa; type = QSsl::PrivateKey; - - rsa = q_RSA_new(); - memcpy(rsa, q_EVP_PKEY_get1_RSA(pkey), sizeof(RSA)); - + rsa = q_EVP_PKEY_get1_RSA(pkey); return true; - } - else if (pkey->type == EVP_PKEY_DSA) { + } else if (keyType == EVP_PKEY_DSA) { isNull = false; algorithm = QSsl::Dsa; type = QSsl::PrivateKey; - - dsa = q_DSA_new(); - memcpy(dsa, q_EVP_PKEY_get1_DSA(pkey), sizeof(DSA)); - + dsa = q_EVP_PKEY_get1_DSA(pkey); return true; } #ifndef OPENSSL_NO_EC - else if (pkey->type == EVP_PKEY_EC) { + else if (keyType == EVP_PKEY_EC) { isNull = false; algorithm = QSsl::Ec; type = QSsl::PrivateKey; - ec = q_EC_KEY_dup(q_EVP_PKEY_get1_EC_KEY(pkey)); - + ec = q_EVP_PKEY_get1_EC_KEY(pkey); return true; } #endif @@ -178,8 +179,8 @@ return -1; switch (algorithm) { - case QSsl::Rsa: return q_BN_num_bits(rsa->n); - case QSsl::Dsa: return q_BN_num_bits(dsa->p); + case QSsl::Rsa: return q_RSA_bits(rsa); + case QSsl::Dsa: return q_DSA_bits(dsa); #ifndef OPENSSL_NO_EC case QSsl::Ec: return q_EC_GROUP_get_degree(q_EC_KEY_get0_group(ec)); #endif @@ -273,7 +274,13 @@ static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv, int enc) { - EVP_CIPHER_CTX ctx; +#ifdef OPENSSL_API_COMPAT + EVP_CIPHER_CTX *ctx = q_EVP_CIPHER_CTX_new(); +#else + EVP_CIPHER_CTX evpCipherContext; + EVP_CIPHER_CTX *ctx = &evpCipherContext; +#endif + const EVP_CIPHER* type = 0; int i = 0, len = 0; @@ -291,21 +298,44 @@ QByteArray output; output.resize(data.size() + EVP_MAX_BLOCK_LENGTH); - q_EVP_CIPHER_CTX_init(&ctx); - q_EVP_CipherInit(&ctx, type, NULL, NULL, enc); - q_EVP_CIPHER_CTX_set_key_length(&ctx, key.size()); + +#ifdef OPENSSL_API_COMPAT + q_EVP_CIPHER_CTX_reset(ctx); +#else + q_EVP_CIPHER_CTX_init(ctx); +#endif + + q_EVP_CipherInit(ctx, type, NULL, NULL, enc); + q_EVP_CIPHER_CTX_set_key_length(ctx, key.size()); if (cipher == QSslKeyPrivate::Rc2Cbc) - q_EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); - q_EVP_CipherInit(&ctx, NULL, + q_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); + +#ifdef OPENSSL_API_COMPAT + // EVP_CipherInit in 1.1 resets the context thus making the calls above useless. + // We call EVP_CipherInit_ex instead. + q_EVP_CipherInit_ex(ctx, nullptr, nullptr, + reinterpret_cast(key.constData()), + reinterpret_cast(iv.constData()), + enc); +#else + q_EVP_CipherInit(ctx, NULL, reinterpret_cast(key.constData()), reinterpret_cast(iv.constData()), enc); - q_EVP_CipherUpdate(&ctx, +#endif // openssl + + q_EVP_CipherUpdate(ctx, reinterpret_cast(output.data()), &len, reinterpret_cast(data.constData()), data.size()); - q_EVP_CipherFinal(&ctx, + q_EVP_CipherFinal(ctx, reinterpret_cast(output.data()) + len, &i); len += i; - q_EVP_CIPHER_CTX_cleanup(&ctx); + +#ifdef OPENSSL_API_COMPAT + q_EVP_CIPHER_CTX_reset(ctx); + q_EVP_CIPHER_CTX_free(ctx); +#else + q_EVP_CIPHER_CTX_cleanup(ctx); +#endif return output.left(len); } --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl.cpp 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslsocket_openssl.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 Governikus GmbH & Co. KG ** Contact: https://www.qt.io/licensing/ ** @@ -54,7 +54,6 @@ ****************************************************************************/ //#define QSSLSOCKET_DEBUG -//#define QT_DECRYPT_SSL_TRAFFIC #include "qssl_p.h" #include "qsslsocket_openssl_p.h" @@ -78,7 +77,6 @@ #include #include #include -#include // for loading the security lib for the CA store #include @@ -98,70 +96,6 @@ int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1; #endif -/* \internal - - From OpenSSL's thread(3) manual page: - - OpenSSL can safely be used in multi-threaded applications provided that at - least two callback functions are set. - - locking_function(int mode, int n, const char *file, int line) is needed to - perform locking on shared data structures. (Note that OpenSSL uses a - number of global data structures that will be implicitly shared - whenever multiple threads use OpenSSL.) Multi-threaded - applications will crash at random if it is not set. ... - ... - id_function(void) is a function that returns a thread ID. It is not - needed on Windows nor on platforms where getpid() returns a different - ID for each thread (most notably Linux) -*/ -class QOpenSslLocks -{ -public: - inline QOpenSslLocks() - : initLocker(QMutex::Recursive), - locksLocker(QMutex::Recursive) - { - QMutexLocker locker(&locksLocker); - int numLocks = q_CRYPTO_num_locks(); - locks = new QMutex *[numLocks]; - memset(locks, 0, numLocks * sizeof(QMutex *)); - } - inline ~QOpenSslLocks() - { - QMutexLocker locker(&locksLocker); - for (int i = 0; i < q_CRYPTO_num_locks(); ++i) - delete locks[i]; - delete [] locks; - - QSslSocketPrivate::deinitialize(); - } - inline QMutex *lock(int num) - { - QMutexLocker locker(&locksLocker); - QMutex *tmp = locks[num]; - if (!tmp) - tmp = locks[num] = new QMutex(QMutex::Recursive); - return tmp; - } - - QMutex *globalLock() - { - return &locksLocker; - } - - QMutex *initLock() - { - return &initLocker; - } - -private: - QMutex initLocker; - QMutex locksLocker; - QMutex **locks; -}; -Q_GLOBAL_STATIC(QOpenSslLocks, openssl_locks) - QString QSslSocketBackendPrivate::getErrorsFromOpenSsl() { QString errorString; @@ -176,20 +110,6 @@ } extern "C" { -static void locking_function(int mode, int lockNumber, const char *, int) -{ - QMutex *mutex = openssl_locks()->lock(lockNumber); - - // Lock or unlock it - if (mode & CRYPTO_LOCK) - mutex->lock(); - else - mutex->unlock(); -} -static unsigned long id_function() -{ - return (quintptr)QThread::currentThreadId(); -} #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) static unsigned int q_ssl_psk_client_callback(SSL *ssl, @@ -201,6 +121,15 @@ Q_ASSERT(d); return d->tlsPskClientCallback(hint, identity, max_identity_len, psk, max_psk_len); } + +static unsigned int q_ssl_psk_server_callback(SSL *ssl, + const char *identity, + unsigned char *psk, unsigned int max_psk_len) +{ + QSslSocketBackendPrivate *d = reinterpret_cast(q_SSL_get_ex_data(ssl, QSslSocketBackendPrivate::s_indexForSSLExtraData)); + Q_ASSERT(d); + return d->tlsPskServerCallback(identity, psk, max_psk_len); +} #endif } // extern "C" @@ -219,7 +148,7 @@ destroySslContext(); } -QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher) +QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher) { QSslCipher ciph; @@ -260,12 +189,12 @@ } // static -inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) { - QSslErrorEntry result = { +inline QSslErrorEntry QSslErrorEntry::fromStoreContext(X509_STORE_CTX *ctx) +{ + return { q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx) }; - return result; } // ### This list is shared between all threads, and protected by a @@ -275,6 +204,7 @@ QMutex mutex; QVector errors; }; + Q_GLOBAL_STATIC(QSslErrorList, _q_sslErrorList) int q_X509Callback(int ok, X509_STORE_CTX *ctx) @@ -282,6 +212,7 @@ if (!ok) { // Store the error and at which depth the error was detected. _q_sslErrorList()->errors << QSslErrorEntry::fromStoreContext(ctx); +#ifndef OPENSSL_API_COMPAT #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "verification error: dumping bad certificate"; qCDebug(lcSsl) << QSslCertificatePrivate::QSslCertificate_from_X509(q_X509_STORE_CTX_get_current_cert(ctx)).toPem(); @@ -302,9 +233,10 @@ << "ST=" << cert.subjectInfo(QSslCertificate::StateOrProvinceName); qCDebug(lcSsl) << "Valid:" << cert.effectiveDate() << '-' << cert.expiryDate(); } -#endif +#endif // QSSLSOCKET_DEBUG +#endif // !OPENSSL_API_COMPAT } - // Always return OK to allow verification to continue. We're handle the + // Always return OK to allow verification to continue. We handle the // errors gracefully after collecting all errors, after verification has // completed. return 1; @@ -389,7 +321,7 @@ if (configuration.protocol != QSsl::SslV2 && configuration.protocol != QSsl::SslV3 && configuration.protocol != QSsl::UnknownProtocol && - mode == QSslSocket::SslClientMode && q_SSLeay() >= 0x00090806fL) { + mode == QSslSocket::SslClientMode && QSslSocket::sslLibraryVersionNumber() >= 0x00090806fL) { // Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format. QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName; if (tlsHostName.isEmpty()) @@ -430,14 +362,18 @@ #if OPENSSL_VERSION_NUMBER >= 0x10001000L // Save a pointer to this object into the SSL structure. - if (q_SSLeay() >= 0x10001000L) + if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) q_SSL_set_ex_data(ssl, s_indexForSSLExtraData, this); #endif #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) // Set the client callback for PSK - if (q_SSLeay() >= 0x10001000L && mode == QSslSocket::SslClientMode) - q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback); + if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) { + if (mode == QSslSocket::SslClientMode) + q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback); + else if (mode == QSslSocket::SslServerMode) + q_SSL_set_psk_server_callback(ssl, &q_ssl_psk_server_callback); + } #endif return true; @@ -454,16 +390,6 @@ /*! \internal -*/ -void QSslSocketPrivate::deinitialize() -{ - q_CRYPTO_set_id_callback(0); - q_CRYPTO_set_locking_callback(0); - q_ERR_free_strings(); -} - -/*! - \internal Does the minimum amount of initialization to determine whether SSL is supported or not. @@ -474,97 +400,6 @@ return ensureLibraryLoaded(); } -bool QSslSocketPrivate::ensureLibraryLoaded() -{ - if (!q_resolveOpenSslSymbols()) - return false; - - // Check if the library itself needs to be initialized. - QMutexLocker locker(openssl_locks()->initLock()); - - if (!s_libraryLoaded) { - s_libraryLoaded = true; - - // Initialize OpenSSL. - q_CRYPTO_set_id_callback(id_function); - q_CRYPTO_set_locking_callback(locking_function); - if (q_SSL_library_init() != 1) - return false; - q_SSL_load_error_strings(); - q_OpenSSL_add_all_algorithms(); - -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - if (q_SSLeay() >= 0x10001000L) - QSslSocketBackendPrivate::s_indexForSSLExtraData = q_SSL_get_ex_new_index(0L, NULL, NULL, NULL, NULL); -#endif - - // Initialize OpenSSL's random seed. - if (!q_RAND_status()) { - qWarning("Random number generator not seeded, disabling SSL support"); - return false; - } - } - return true; -} - -void QSslSocketPrivate::ensureCiphersAndCertsLoaded() -{ - QMutexLocker locker(openssl_locks()->initLock()); - if (s_loadedCiphersAndCerts) - return; - s_loadedCiphersAndCerts = true; - - resetDefaultCiphers(); - resetDefaultEllipticCurves(); - -#ifndef QT_NO_LIBRARY - //load symbols needed to receive certificates from system store -#if defined(Q_OS_WIN) - HINSTANCE hLib = LoadLibraryW(L"Crypt32"); - if (hLib) { -#if defined(Q_OS_WINCE) - ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, L"CertOpenStore"); - ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, L"CertFindCertificateInStore"); - ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, L"CertCloseStore"); -#else - ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); - ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); - ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); -#endif - if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) - qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen - } else { - qCWarning(lcSsl, "could not load crypt32 library"); // should never happen - } -#elif defined(Q_OS_QNX) - s_loadRootCertsOnDemand = true; -#elif defined(Q_OS_UNIX) && !defined(Q_OS_MAC) - // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) - QList dirs = unixRootCertDirectories(); - QStringList symLinkFilter; - symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); - for (int a = 0; a < dirs.count(); ++a) { - QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); - if (iterator.hasNext()) { - s_loadRootCertsOnDemand = true; - break; - } - } -#endif -#endif //QT_NO_LIBRARY - // if on-demand loading was not enabled, load the certs now - if (!s_loadRootCertsOnDemand) - setDefaultCaCertificates(systemCaCertificates()); -#ifdef Q_OS_WIN - //Enabled for fetching additional root certs from windows update on windows 6+ - //This flag is set false by setDefaultCaCertificates() indicating the app uses - //its own cert bundle rather than the system one. - //Same logic that disables the unix on demand cert loading. - //Unlike unix, we do preload the certificates from the cert store. - if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) - s_loadRootCertsOnDemand = true; -#endif -} /*! \internal @@ -581,26 +416,6 @@ ensureCiphersAndCertsLoaded(); } -long QSslSocketPrivate::sslLibraryVersionNumber() -{ - if (!supportsSsl()) - return 0; - - return q_SSLeay(); -} - -QString QSslSocketPrivate::sslLibraryVersionString() -{ - if (!supportsSsl()) - return QString(); - - const char *versionString = q_SSLeay_version(SSLEAY_VERSION); - if (!versionString) - return QString(); - - return QString::fromLatin1(versionString); -} - long QSslSocketPrivate::sslLibraryBuildVersionNumber() { return OPENSSL_VERSION_NUMBER; @@ -622,7 +437,11 @@ */ void QSslSocketPrivate::resetDefaultCiphers() { +#ifdef OPENSSL_API_COMPAT + SSL_CTX *myCtx = q_SSL_CTX_new(q_TLS_client_method()); +#else SSL_CTX *myCtx = q_SSL_CTX_new(q_SSLv23_client_method()); +#endif SSL *mySsl = q_SSL_new(myCtx); QList ciphers; @@ -658,7 +477,7 @@ QVector curves; #ifndef OPENSSL_NO_EC - const size_t curveCount = q_EC_get_builtin_curves(NULL, 0); + const size_t curveCount = q_EC_get_builtin_curves(nullptr, 0); QVarLengthArray builtinCurves(static_cast(curveCount)); @@ -691,22 +510,15 @@ #if defined(Q_OS_WIN) if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) { HCERTSTORE hSystemStore; -#if defined(Q_OS_WINCE) - hSystemStore = ptrCertOpenSystemStoreW(CERT_STORE_PROV_SYSTEM_W, - 0, - 0, - CERT_STORE_NO_CRYPT_RELEASE_FLAG|CERT_SYSTEM_STORE_CURRENT_USER, - L"ROOT"); -#else hSystemStore = ptrCertOpenSystemStoreW(0, L"ROOT"); -#endif - if(hSystemStore) { - PCCERT_CONTEXT pc = NULL; - while(1) { - pc = ptrCertFindCertificateInStore( hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pc); - if(!pc) + if (hSystemStore) { + PCCERT_CONTEXT pc = nullptr; + while (1) { + pc = ptrCertFindCertificateInStore(hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, pc); + if (!pc) break; - QByteArray der((const char *)(pc->pbCertEncoded), static_cast(pc->cbCertEncoded)); + QByteArray der(reinterpret_cast(pc->pbCertEncoded), + static_cast(pc->cbCertEncoded)); QSslCertificate cert(der, QSsl::Der); systemCerts.append(cert); } @@ -945,15 +756,15 @@ // we have a readBufferMaxSize. There's no point in leaving data there // just so that readBuffer.size() == readBufferMaxSize. int readBytes = 0; - data.resize(4096); - ::memset(data.data(), 0, data.size()); + const int bytesToRead = 4096; do { // Don't use SSL_pending(). It's very unreliable. - if ((readBytes = q_SSL_read(ssl, data.data(), data.size())) > 0) { + readBytes = q_SSL_read(ssl, buffer.reserve(bytesToRead), bytesToRead); + if (readBytes > 0) { #ifdef QSSLSOCKET_DEBUG qCDebug(lcSsl) << "QSslSocketBackendPrivate::transmit: decrypted" << readBytes << "bytes"; #endif - buffer.append(data.constData(), readBytes); + buffer.chop(bytesToRead - readBytes); if (readyReadEmittedPointer) *readyReadEmittedPointer = true; @@ -962,6 +773,7 @@ transmitting = true; continue; } + buffer.chop(bytesToRead); // Error. switch (q_SSL_get_error(ssl, readBytes)) { @@ -1278,6 +1090,31 @@ return pskLength; } +unsigned int QSslSocketBackendPrivate::tlsPskServerCallback(const char *identity, + unsigned char *psk, unsigned int max_psk_len) +{ + QSslPreSharedKeyAuthenticator authenticator; + + // Fill in some read-only fields (for the user) + //authenticator.d->identityHint = configuration.preSharedKeyIdentityHint; + authenticator.d->identity = identity; + authenticator.d->maximumIdentityLength = 0; // user cannot set an identity + authenticator.d->maximumPreSharedKeyLength = int(max_psk_len); + + // Let the client provide the remaining bits... + Q_Q(QSslSocket); + emit q->preSharedKeyAuthenticationRequired(&authenticator); + + // No PSK set? Return now to make the handshake fail + if (authenticator.preSharedKey().isEmpty()) + return 0; + + // Copy data back into OpenSSL + const int pskLength = qMin(authenticator.preSharedKey().length(), authenticator.maximumPreSharedKeyLength()); + ::memcpy(psk, authenticator.preSharedKey().constData(), pskLength); + return pskLength; +} + #ifdef Q_OS_WIN void QSslSocketBackendPrivate::fetchCaRootForCert(const QSslCertificate &cert) @@ -1479,14 +1316,8 @@ { if (!ssl) return QSslCipher(); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - // FIXME This is fairly evil, but needed to keep source level compatibility - // with the OpenSSL 0.9.x implementation at maximum -- some other functions - // don't take a const SSL_CIPHER* when they should - SSL_CIPHER *sessionCipher = const_cast(q_SSL_get_current_cipher(ssl)); -#else - SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); -#endif + + const SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); return sessionCipher ? QSslCipher_from_SSL_CIPHER(sessionCipher) : QSslCipher(); } @@ -1512,97 +1343,6 @@ return QSsl::UnknownProtocol; } -void QSslSocketBackendPrivate::continueHandshake() -{ - Q_Q(QSslSocket); - // if we have a max read buffer size, reset the plain socket's to match - if (readBufferMaxSize) - plainSocket->setReadBufferSize(readBufferMaxSize); - - if (q_SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)) - configuration.peerSessionShared = true; - -#ifdef QT_DECRYPT_SSL_TRAFFIC - if (ssl->session && ssl->s3) { - const char *mk = reinterpret_cast(ssl->session->master_key); - QByteArray masterKey(mk, ssl->session->master_key_length); - const char *random = reinterpret_cast(ssl->s3->client_random); - QByteArray clientRandom(random, SSL3_RANDOM_SIZE); - - // different format, needed for e.g. older Wireshark versions: -// const char *sid = reinterpret_cast(ssl->session->session_id); -// QByteArray sessionID(sid, ssl->session->session_id_length); -// QByteArray debugLineRSA("RSA Session-ID:"); -// debugLineRSA.append(sessionID.toHex().toUpper()); -// debugLineRSA.append(" Master-Key:"); -// debugLineRSA.append(masterKey.toHex().toUpper()); -// debugLineRSA.append("\n"); - - QByteArray debugLineClientRandom("CLIENT_RANDOM "); - debugLineClientRandom.append(clientRandom.toHex().toUpper()); - debugLineClientRandom.append(" "); - debugLineClientRandom.append(masterKey.toHex().toUpper()); - debugLineClientRandom.append("\n"); - - QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); - QFile file(sslKeyFile); - if (!file.open(QIODevice::Append)) - qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; - if (!file.write(debugLineClientRandom)) - qCWarning(lcSsl) << "could not write to file" << sslKeyFile; - file.close(); - } else { - qCWarning(lcSsl, "could not decrypt SSL traffic"); - } -#endif - - // Cache this SSL session inside the QSslContext - if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { - if (!sslContextPointer->cacheSession(ssl)) { - sslContextPointer.clear(); // we could not cache the session - } else { - // Cache the session for permanent usage as well - if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { - if (!sslContextPointer->sessionASN1().isEmpty()) - configuration.sslSession = sslContextPointer->sessionASN1(); - configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); - } - } - } - -#if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) - - configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; - if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { - // we could not agree -> be conservative and use HTTP/1.1 - configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); - } else { - const unsigned char *proto = 0; - unsigned int proto_len = 0; - q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); - if (proto_len) - configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast(proto), proto_len); - else - configuration.nextNegotiatedProtocol.clear(); - } -#endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... - -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { - EVP_PKEY *key; - if (q_SSL_get_server_tmp_key(ssl, &key)) - configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); - } -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... - - connectionEncrypted = true; - emit q->encrypted(); - if (autoStartHandshake && pendingClose) { - pendingClose = false; - q->disconnectFromHost(); - } -} - QList QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509) { ensureInitialized(); @@ -1656,12 +1396,12 @@ QMutexLocker sslErrorListMutexLocker(&_q_sslErrorList()->mutex); // Register a custom callback to get all verification errors. - X509_STORE_set_verify_cb_func(certStore, q_X509Callback); + q_X509_STORE_set_verify_cb(certStore, q_X509Callback); // Build the chain of intermediate certificates STACK_OF(X509) *intermediates = 0; if (certificateChain.length() > 1) { - intermediates = (STACK_OF(X509) *) q_sk_new_null(); + intermediates = (STACK_OF(X509) *) q_OPENSSL_sk_new_null(); if (!intermediates) { q_X509_STORE_free(certStore); @@ -1675,11 +1415,8 @@ first = false; continue; } -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - q_sk_push( (_STACK *)intermediates, reinterpret_cast(cert.handle())); -#else - q_sk_push( (STACK *)intermediates, reinterpret_cast(cert.handle())); -#endif + + q_OPENSSL_sk_push((OPENSSL_STACK *)intermediates, reinterpret_cast(cert.handle())); } } @@ -1703,11 +1440,7 @@ (void) q_X509_verify_cert(storeContext); q_X509_STORE_CTX_free(storeContext); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - q_sk_free( (_STACK *) intermediates); -#else - q_sk_free( (STACK *) intermediates); -#endif + q_OPENSSL_sk_free((OPENSSL_STACK *)intermediates); // Now process the errors const auto errorList = std::move(_q_sslErrorList()->errors); @@ -1767,7 +1500,7 @@ } // Extract the data - EVP_PKEY *pkey; + EVP_PKEY *pkey = nullptr; X509 *x509; STACK_OF(X509) *ca = 0; @@ -1781,7 +1514,8 @@ // Convert to Qt types if (!key->d->fromEVP_PKEY(pkey)) { qCWarning(lcSsl, "Unable to convert private key"); - q_sk_pop_free(reinterpret_cast(ca), reinterpret_cast(q_sk_free)); + q_OPENSSL_sk_pop_free(reinterpret_cast(ca), + reinterpret_cast(q_OPENSSL_sk_free)); q_X509_free(x509); q_EVP_PKEY_free(pkey); q_PKCS12_free(p12); @@ -1796,7 +1530,11 @@ *caCertificates = QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(ca); // Clean up - q_sk_pop_free(reinterpret_cast(ca), reinterpret_cast(q_sk_free)); + // TODO: verify ASAP, in the past we had sk_pop_free with q_OPENSSL_sk_free + // which seems to be blatantly wrong and even crashes with 1.1. + q_OPENSSL_sk_pop_free(reinterpret_cast(ca), + reinterpret_cast(q_X509_free)); + q_X509_free(x509); q_EVP_PKEY_free(pkey); q_PKCS12_free(p12); --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl11.cpp 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslsocket_openssl11.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1,285 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 Governikus GmbH & Co. KG +** Copyright (C) 2016 Richard J. Moore +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +/**************************************************************************** +** +** In addition, as a special exception, the copyright holders listed above give +** permission to link the code of its release of Qt with the OpenSSL project's +** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the +** same license as the original version), and distribute the linked executables. +** +** You must comply with the GNU General Public License version 2 in all +** respects for all of the code used other than the "OpenSSL" code. If you +** modify this file, you may extend this exception to your version of the file, +** but you are not obligated to do so. If you do not wish to do so, delete +** this exception statement from your version of this file. +** +****************************************************************************/ + +//#define QT_DECRYPT_SSL_TRAFFIC + +#include "qssl_p.h" +#include "qsslsocket_openssl_p.h" +#include "qsslsocket_openssl_symbols_p.h" +#include "qsslsocket.h" +#include "qsslkey.h" + +#include +#include +#include +#include +#include +#include + +QT_BEGIN_NAMESPACE + +Q_GLOBAL_STATIC_WITH_ARGS(QMutex, qt_opensslInitMutex, (QMutex::Recursive)) + +/*! + \internal +*/ +void QSslSocketPrivate::deinitialize() +{ + // This function exists only for compatibility with the pre-11 code, + // where deinitialize() actually does some cleanup. To be discarded + // once we retire < 1.1. +} + +bool QSslSocketPrivate::ensureLibraryLoaded() +{ + if (!q_resolveOpenSslSymbols()) + return false; + + const QMutexLocker locker(qt_opensslInitMutex); + + if (!s_libraryLoaded) { + s_libraryLoaded = true; + + // Initialize OpenSSL. + if (q_OPENSSL_init_ssl(0, nullptr) != 1) + return false; + q_SSL_load_error_strings(); + q_OpenSSL_add_all_algorithms(); + + QSslSocketBackendPrivate::s_indexForSSLExtraData + = q_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, 0L, nullptr, nullptr, + nullptr, nullptr); + + // Initialize OpenSSL's random seed. + if (!q_RAND_status()) { + qWarning("Random number generator not seeded, disabling SSL support"); + return false; + } + } + return true; +} + +void QSslSocketPrivate::ensureCiphersAndCertsLoaded() +{ + const QMutexLocker locker(qt_opensslInitMutex); + + if (s_loadedCiphersAndCerts) + return; + s_loadedCiphersAndCerts = true; + + resetDefaultCiphers(); + resetDefaultEllipticCurves(); + +#ifndef QT_NO_LIBRARY + //load symbols needed to receive certificates from system store +#if defined(Q_OS_WIN) + HINSTANCE hLib = LoadLibraryW(L"Crypt32"); + if (hLib) { + ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); + ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); + ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); + if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) + qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen + } else { + qCWarning(lcSsl, "could not load crypt32 library"); // should never happen + } +#elif defined(Q_OS_QNX) + s_loadRootCertsOnDemand = true; +#elif defined(Q_OS_UNIX) && !defined(Q_OS_DARWIN) + // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) + QList dirs = unixRootCertDirectories(); + QStringList symLinkFilter; + symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); + for (int a = 0; a < dirs.count(); ++a) { + QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); + if (iterator.hasNext()) { + s_loadRootCertsOnDemand = true; + break; + } + } +#endif +#endif // !QT_NO_LIBRARY + // if on-demand loading was not enabled, load the certs now + if (!s_loadRootCertsOnDemand) + setDefaultCaCertificates(systemCaCertificates()); +#ifdef Q_OS_WIN + //Enabled for fetching additional root certs from windows update on windows 6+ + //This flag is set false by setDefaultCaCertificates() indicating the app uses + //its own cert bundle rather than the system one. + //Same logic that disables the unix on demand cert loading. + //Unlike unix, we do preload the certificates from the cert store. + if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) + s_loadRootCertsOnDemand = true; +#endif +} + +long QSslSocketPrivate::sslLibraryVersionNumber() +{ + if (!supportsSsl()) + return 0; + + return q_OpenSSL_version_num(); +} + +QString QSslSocketPrivate::sslLibraryVersionString() +{ + if (!supportsSsl()) + return QString(); + + const char *versionString = q_OpenSSL_version(OPENSSL_VERSION); + if (!versionString) + return QString(); + + return QString::fromLatin1(versionString); +} + +void QSslSocketBackendPrivate::continueHandshake() +{ + Q_Q(QSslSocket); + // if we have a max read buffer size, reset the plain socket's to match + if (readBufferMaxSize) + plainSocket->setReadBufferSize(readBufferMaxSize); + + if (q_SSL_session_reused(ssl)) + configuration.peerSessionShared = true; + +#ifdef QT_DECRYPT_SSL_TRAFFIC + if (q_SSL_get_session(ssl)) { + size_t master_key_len = q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), 0, 0); + size_t client_random_len = q_SSL_get_client_random(ssl, 0, 0); + QByteArray masterKey(int(master_key_len), 0); // Will not overflow + QByteArray clientRandom(int(client_random_len), 0); // Will not overflow + + q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), + reinterpret_cast(masterKey.data()), + masterKey.size()); + q_SSL_get_client_random(ssl, reinterpret_cast(clientRandom.data()), + clientRandom.size()); + + QByteArray debugLineClientRandom("CLIENT_RANDOM "); + debugLineClientRandom.append(clientRandom.toHex().toUpper()); + debugLineClientRandom.append(" "); + debugLineClientRandom.append(masterKey.toHex().toUpper()); + debugLineClientRandom.append("\n"); + + QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); + QFile file(sslKeyFile); + if (!file.open(QIODevice::Append)) + qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; + if (!file.write(debugLineClientRandom)) + qCWarning(lcSsl) << "could not write to file" << sslKeyFile; + file.close(); + } else { + qCWarning(lcSsl, "could not decrypt SSL traffic"); + } +#endif + + // Cache this SSL session inside the QSslContext + if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { + if (!sslContextPointer->cacheSession(ssl)) { + sslContextPointer.clear(); // we could not cache the session + } else { + // Cache the session for permanent usage as well + if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { + if (!sslContextPointer->sessionASN1().isEmpty()) + configuration.sslSession = sslContextPointer->sessionASN1(); + configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); + } + } + } + +#if !defined(OPENSSL_NO_NEXTPROTONEG) + + configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; + if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { + // we could not agree -> be conservative and use HTTP/1.1 + configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); + } else { + const unsigned char *proto = 0; + unsigned int proto_len = 0; + + q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); + if (proto_len && mode == QSslSocket::SslClientMode) { + // Client does not have a callback that sets it ... + configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; + } + + if (!proto_len) { // Test if NPN was more lucky ... + q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); + } + + if (proto_len) + configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast(proto), proto_len); + else + configuration.nextNegotiatedProtocol.clear(); + } +#endif // !defined(OPENSSL_NO_NEXTPROTONEG) + + if (mode == QSslSocket::SslClientMode) { + EVP_PKEY *key; + if (q_SSL_get_server_tmp_key(ssl, &key)) + configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); + } + + connectionEncrypted = true; + emit q->encrypted(); + if (autoStartHandshake && pendingClose) { + pendingClose = false; + q->disconnectFromHost(); + } +} + +QT_END_NAMESPACE --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl11_symbols_p.h 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslsocket_openssl11_symbols_p.h 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1,132 @@ +/**************************************************************************** +** +** Copyright (C) 2017 The Qt Company Ltd. +** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Copyright (C) 2016 Richard J. Moore +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + +/**************************************************************************** +** +** In addition, as a special exception, the copyright holders listed above give +** permission to link the code of its release of Qt with the OpenSSL project's +** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the +** same license as the original version), and distribute the linked executables. +** +** You must comply with the GNU General Public License version 2 in all +** respects for all of the code used other than the "OpenSSL" code. If you +** modify this file, you may extend this exception to your version of the file, +** but you are not obligated to do so. If you do not wish to do so, delete +** this exception statement from your version of this file. +** +****************************************************************************/ + +#ifndef QSSLSOCKET_OPENSSL11_SYMBOLS_P_H +#define QSSLSOCKET_OPENSSL11_SYMBOLS_P_H + +// +// W A R N I N G +// ------------- +// +// This file is not part of the Qt API. It exists purely as an +// implementation detail. This header file may change from version to +// version without notice, or even be removed. +// +// We mean it. +// + +// Note: this file does not have QT_BEGIN_NAMESPACE/QT_END_NAMESPACE, it's done +// in qsslsocket_openssl_symbols_p.h. + +#ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H +#error "You are not supposed to use this header file, include qsslsocket_openssl_symbols_p.h instead" +#endif + +const unsigned char * q_ASN1_STRING_get0_data(const ASN1_STRING *x); + +Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a); +Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem(); + +int q_DSA_bits(DSA *a); +int q_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c); +int q_EVP_PKEY_base_id(EVP_PKEY *a); +int q_RSA_bits(RSA *a); +int q_OPENSSL_sk_num(OPENSSL_STACK *a); +void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *)); +OPENSSL_STACK *q_OPENSSL_sk_new_null(); +void q_OPENSSL_sk_push(OPENSSL_STACK *st, void *data); +void q_OPENSSL_sk_free(OPENSSL_STACK *a); +void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b); +int q_SSL_session_reused(SSL *a); +unsigned long q_SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op); +int q_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); +size_t q_SSL_get_client_random(SSL *a, unsigned char *out, size_t outlen); +size_t q_SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned char *out, size_t outlen); +int q_CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); +const SSL_METHOD *q_TLS_method(); +const SSL_METHOD *q_TLS_client_method(); +const SSL_METHOD *q_TLS_server_method(); +ASN1_TIME *q_X509_getm_notBefore(X509 *a); +ASN1_TIME *q_X509_getm_notAfter(X509 *a); + +long q_X509_get_version(X509 *a); +EVP_PKEY *q_X509_get_pubkey(X509 *a); +void q_X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); +STACK_OF(X509) *q_X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); +void q_DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); +int q_DH_bits(DH *dh); + +# define q_SSL_load_error_strings() q_OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \ + | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) + +#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_OPENSSL_sk_num)(st) +#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_OPENSSL_sk_value)(st, i) + +#define q_OPENSSL_add_all_algorithms_conf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ + | OPENSSL_INIT_ADD_ALL_DIGESTS \ + | OPENSSL_INIT_LOAD_CONFIG, NULL) +#define q_OPENSSL_add_all_algorithms_noconf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ + | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) + +int q_OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); +void q_CRYPTO_free(void *str, const char *file, int line); + +long q_OpenSSL_version_num(); +const char *q_OpenSSL_version(int type); + +unsigned long q_SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session); + +#endif --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_p.h 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslsocket_openssl_p.h 2017-11-30 07:49:46.000000000 -0600 @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -59,9 +59,9 @@ // W A R N I N G // ------------- // -// This file is not part of the Qt API. It exists for the convenience -// of the QLibrary class. This header file may change from -// version to version without notice, or even be removed. +// This file is not part of the Qt API. It exists purely as an +// implementation detail. This header file may change from version to +// version without notice, or even be removed. // // We mean it. // @@ -97,8 +98,8 @@ #include #include -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -typedef _STACK STACK; +#ifdef OPENSSL_API_COMPAT +#include #endif QT_BEGIN_NAMESPACE @@ -143,13 +144,14 @@ bool checkSslErrors(); void storePeerCertificates(); unsigned int tlsPskClientCallback(const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len); + unsigned int tlsPskServerCallback(const char *identity, unsigned char *psk, unsigned int max_psk_len); #ifdef Q_OS_WIN void fetchCaRootForCert(const QSslCertificate &cert); void _q_caRootLoaded(QSslCertificate,QSslCertificate) Q_DECL_OVERRIDE; #endif Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions); - static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher); + static QSslCipher QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher); static QList STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509); static QList verify(const QList &certificateChain, const QString &hostName); static QString getErrorsFromOpenSsl(); --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols.cpp 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslsocket_openssl_symbols.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -1,7 +1,8 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. +** Copyright (C) 2016 Richard J. Moore ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. @@ -136,45 +137,195 @@ #endif // QT_LINKED_OPENSSL +#ifdef OPENSSL_API_COMPAT + +// Below are the functions first introduced in version 1.1: + +DEFINEFUNC(const unsigned char *, ASN1_STRING_get0_data, const ASN1_STRING *a, a, return 0, return) +DEFINEFUNC2(int, OPENSSL_init_ssl, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) +DEFINEFUNC2(int, OPENSSL_init_crypto, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) +DEFINEFUNC(BIO *, BIO_new, const BIO_METHOD *a, a, return 0, return) +DEFINEFUNC(const BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) +DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return) +DEFINEFUNC(int, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX *c, c, return 0, return) +DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) +DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return) +DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return) +DEFINEFUNC(int, OPENSSL_sk_num, OPENSSL_STACK *a, a, return -1, return) +DEFINEFUNC2(void, OPENSSL_sk_pop_free, OPENSSL_STACK *a, a, void (*b)(void*), b, return, DUMMYARG) +DEFINEFUNC(OPENSSL_STACK *, OPENSSL_sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC2(void, OPENSSL_sk_push, OPENSSL_STACK *a, a, void *b, b, return, DUMMYARG) +DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG) +DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return 0, return) +DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return) +DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) +DEFINEFUNC3(size_t, SSL_get_client_random, SSL *a, a, unsigned char *out, out, size_t outlen, outlen, return 0, return) +DEFINEFUNC3(size_t, SSL_SESSION_get_master_key, const SSL_SESSION *ses, ses, unsigned char *out, out, size_t outlen, outlen, return 0, return) +DEFINEFUNC6(int, CRYPTO_get_ex_new_index, int class_index, class_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) + +DEFINEFUNC(const SSL_METHOD *, TLS_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLS_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLS_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(ASN1_TIME *, X509_getm_notBefore, X509 *a, a, return 0, return) +DEFINEFUNC(ASN1_TIME *, X509_getm_notAfter, X509 *a, a, return 0, return) +DEFINEFUNC(long, X509_get_version, X509 *a, a, return -1, return) +DEFINEFUNC(EVP_PKEY *, X509_get_pubkey, X509 *a, a, return 0, return) +DEFINEFUNC2(void, X509_STORE_set_verify_cb, X509_STORE *a, a, X509_STORE_CTX_verify_cb verify_cb, verify_cb, return, DUMMYARG) +DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get0_chain, X509_STORE_CTX *a, a, return 0, return) +DEFINEFUNC3(void, CRYPTO_free, void *str, str, const char *file, file, int line, line, return, DUMMYARG) +DEFINEFUNC(long, OpenSSL_version_num, void, DUMMYARG, return 0, return) +DEFINEFUNC(const char *, OpenSSL_version, int a, a, return 0, return) +DEFINEFUNC(unsigned long, SSL_SESSION_get_ticket_lifetime_hint, const SSL_SESSION *session, session, return 0, return) +DEFINEFUNC4(void, DH_get0_pqg, const DH *dh, dh, const BIGNUM **p, p, const BIGNUM **q, q, const BIGNUM **g, g, return, DUMMYARG) +DEFINEFUNC(int, DH_bits, DH *dh, dh, return 0, return) + +#else // OPENSSL_API_COMPAT + +// Functions below are either deprecated or removed in OpenSSL >= 1.1: + +DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) + #ifdef SSLEAY_MACROS DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return 0, return) #endif +DEFINEFUNC2(BIO *, BIO_new_file, const char *filename, filename, const char *mode, mode, return 0, return) +DEFINEFUNC(void, ERR_clear_error, DUMMYARG, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) +DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) +DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG) +DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG) +DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG) +DEFINEFUNC(unsigned long, ERR_peek_last_error, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) +DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) + +#ifdef SSLEAY_MACROS +DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) +DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) +#endif // SSLEAY_MACROS + +DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return) +DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG) + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG) +DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG) +DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return) +#else +DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG) +DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG) +DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return) +#endif // OPENSSL_VERSION_NUMBER >= 0x10000000L + +DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return) +DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG) + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L +DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) +#endif // OPENSSL_VERSION_NUMBER >= 0x10001000L + +#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L +DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L +DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#else +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) +#ifndef OPENSSL_NO_SSL2 +DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD +DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif +DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) +#endif + +DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) + +#ifdef SSLEAY_MACROS +DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) +DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return) +#ifndef OPENSSL_NO_EC +DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return) +#endif +DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return) +DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return) +#ifndef OPENSSL_NO_EC +DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return) +#endif +#endif +DEFINEFUNC(char *, CONF_get1_default_config_file, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) +DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return) +DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return) + +#endif // OPENSSL_API_COMPAT + DEFINEFUNC(long, ASN1_INTEGER_get, ASN1_INTEGER *a, a, return 0, return) -DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) DEFINEFUNC(int, ASN1_STRING_length, ASN1_STRING *a, a, return 0, return) -DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return); +DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return) DEFINEFUNC4(long, BIO_ctrl, BIO *a, a, int b, b, long c, c, void *d, d, return -1, return) DEFINEFUNC(int, BIO_free, BIO *a, a, return 0, return) -DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) DEFINEFUNC2(BIO *, BIO_new_mem_buf, void *a, a, int b, b, return 0, return) DEFINEFUNC3(int, BIO_read, BIO *a, a, void *b, b, int c, c, return -1, return) -DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) + DEFINEFUNC3(int, BIO_write, BIO *a, a, const void *b, b, int c, c, return -1, return) DEFINEFUNC(int, BN_num_bits, const BIGNUM *a, a, return 0, return) +DEFINEFUNC2(BN_ULONG, BN_mod_word, const BIGNUM *a, a, BN_ULONG w, w, return static_cast(-1), return) #ifndef OPENSSL_NO_EC DEFINEFUNC(const EC_GROUP*, EC_KEY_get0_group, const EC_KEY* k, k, return 0, return) DEFINEFUNC(int, EC_GROUP_get_degree, const EC_GROUP* g, g, return 0, return) #endif -DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG) -DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG) -DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG) DEFINEFUNC(DSA *, DSA_new, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(void, DSA_free, DSA *a, a, return, DUMMYARG) DEFINEFUNC3(X509 *, d2i_X509, X509 **a, a, const unsigned char **b, b, long c, c, return 0, return) DEFINEFUNC2(char *, ERR_error_string, unsigned long a, a, char *b, b, return 0, return) DEFINEFUNC(unsigned long, ERR_get_error, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) -DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) -DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) -DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return); +DEFINEFUNC(EVP_CIPHER_CTX *, EVP_CIPHER_CTX_new, void, DUMMYARG, return 0, return) +DEFINEFUNC(void, EVP_CIPHER_CTX_free, EVP_CIPHER_CTX *a, a, return, DUMMYARG) +DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return) DEFINEFUNC2(int, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX *ctx, ctx, int keylen, keylen, return 0, return) -DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return); -DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return); -DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return); +DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) +DEFINEFUNC6(int, EVP_CipherInit_ex, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *cipher, cipher, ENGINE *impl, impl, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) +DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return) +DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return) DEFINEFUNC(const EVP_CIPHER *, EVP_des_cbc, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(const EVP_CIPHER *, EVP_des_ede3_cbc, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(const EVP_CIPHER *, EVP_rc2_cbc, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC(const EVP_MD *, EVP_sha1, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC3(int, EVP_PKEY_assign, EVP_PKEY *a, a, int b, b, char *c, c, return -1, return) DEFINEFUNC2(int, EVP_PKEY_set1_RSA, EVP_PKEY *a, a, RSA *b, b, return -1, return) DEFINEFUNC2(int, EVP_PKEY_set1_DSA, EVP_PKEY *a, a, DSA *b, b, return -1, return) @@ -198,21 +349,22 @@ DEFINEFUNC4(int, OBJ_obj2txt, char *a, a, int b, b, ASN1_OBJECT *c, c, int d, d, return -1, return) DEFINEFUNC(int, OBJ_obj2nid, const ASN1_OBJECT *a, a, return NID_undef, return) -#ifdef SSLEAY_MACROS -DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) -DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) -#else + +#ifndef SSLEAY_MACROS +DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PrivateKey, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(DSA *, PEM_read_bio_DSAPrivateKey, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(RSA *, PEM_read_bio_RSAPrivateKey, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) #ifndef OPENSSL_NO_EC DEFINEFUNC4(EC_KEY *, PEM_read_bio_ECPrivateKey, BIO *a, a, EC_KEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) #endif +DEFINEFUNC4(DH *, PEM_read_bio_DHparams, BIO *a, a, DH **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC7(int, PEM_write_bio_DSAPrivateKey, BIO *a, a, DSA *b, b, const EVP_CIPHER *c, c, unsigned char *d, d, int e, e, pem_password_cb *f, f, void *g, g, return 0, return) DEFINEFUNC7(int, PEM_write_bio_RSAPrivateKey, BIO *a, a, RSA *b, b, const EVP_CIPHER *c, c, unsigned char *d, d, int e, e, pem_password_cb *f, f, void *g, g, return 0, return) #ifndef OPENSSL_NO_EC DEFINEFUNC7(int, PEM_write_bio_ECPrivateKey, BIO *a, a, EC_KEY *b, b, const EVP_CIPHER *c, c, unsigned char *d, d, int e, e, pem_password_cb *f, f, void *g, g, return 0, return) #endif -#endif +#endif // !SSLEAY_MACROS +DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PUBKEY, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(DSA *, PEM_read_bio_DSA_PUBKEY, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) DEFINEFUNC4(RSA *, PEM_read_bio_RSA_PUBKEY, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) #ifndef OPENSSL_NO_EC @@ -227,23 +379,10 @@ DEFINEFUNC(int, RAND_status, void, DUMMYARG, return -1, return) DEFINEFUNC(RSA *, RSA_new, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(void, RSA_free, RSA *a, a, return, DUMMYARG) -DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return) -DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG) -DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG) -DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return) -#else -DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG) -DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG) -DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return) -#endif DEFINEFUNC(int, SSL_accept, SSL *a, a, return -1, return) DEFINEFUNC(int, SSL_clear, SSL *a, a, return -1, return) -DEFINEFUNC3(char *, SSL_CIPHER_description, SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return) -DEFINEFUNC2(int, SSL_CIPHER_get_bits, SSL_CIPHER *a, a, int *b, b, return 0, return) +DEFINEFUNC3(char *, SSL_CIPHER_description, const SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return) +DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return) DEFINEFUNC(int, SSL_connect, SSL *a, a, return -1, return) DEFINEFUNC(int, SSL_CTX_check_private_key, const SSL_CTX *a, a, return -1, return) DEFINEFUNC4(long, SSL_CTX_ctrl, SSL_CTX *a, a, int b, b, long c, c, void *d, d, return -1, return) @@ -280,8 +419,6 @@ #else DEFINEFUNC(long, SSL_get_verify_result, SSL *a, a, return -1, return) #endif -DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return) -DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG) DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return 0, return) DEFINEFUNC4(long, SSL_ctrl, SSL *a, a, int cmd, cmd, long larg, larg, void *parg, parg, return -1, return) DEFINEFUNC3(int, SSL_read, SSL *a, a, void *b, b, int c, c, return -1, return) @@ -294,58 +431,17 @@ DEFINEFUNC(SSL_SESSION*, SSL_get1_session, SSL *ssl, ssl, return 0, return) DEFINEFUNC(SSL_SESSION*, SSL_get_session, const SSL *ssl, ssl, return 0, return) #if OPENSSL_VERSION_NUMBER >= 0x10001000L -DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) DEFINEFUNC3(int, SSL_set_ex_data, SSL *ssl, ssl, int idx, idx, void *arg, arg, return 0, return) DEFINEFUNC2(void *, SSL_get_ex_data, const SSL *ssl, ssl, int idx, idx, return NULL, return) #endif #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) DEFINEFUNC2(void, SSL_set_psk_client_callback, SSL* ssl, ssl, q_psk_client_callback_t callback, callback, return, DUMMYARG) -#endif -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L -DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L -DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#else -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) -#ifndef OPENSSL_NO_SSL2 -DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) -#endif -DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) -DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) +DEFINEFUNC2(void, SSL_set_psk_server_callback, SSL* ssl, ssl, q_psk_server_callback_t callback, callback, return, DUMMYARG) +DEFINEFUNC2(int, SSL_CTX_use_psk_identity_hint, SSL_CTX* ctx, ctx, const char *hint, hint, return 0, return) #endif DEFINEFUNC3(int, SSL_write, SSL *a, a, const void *b, b, int c, c, return -1, return) DEFINEFUNC2(int, X509_cmp, X509 *a, a, X509 *b, b, return -1, return) +DEFINEFUNC4(int, X509_digest, const X509 *x509, x509, const EVP_MD *type, type, unsigned char *md, md, unsigned int *len, len, return -1, return) #ifndef SSLEAY_MACROS DEFINEFUNC(X509 *, X509_dup, X509 *a, a, return 0, return) #endif @@ -369,6 +465,7 @@ DEFINEFUNC2(int, X509_check_issued, X509 *a, a, X509 *b, b, return -1, return) DEFINEFUNC(X509_NAME *, X509_get_issuer_name, X509 *a, a, return 0, return) DEFINEFUNC(X509_NAME *, X509_get_subject_name, X509 *a, a, return 0, return) +DEFINEFUNC(ASN1_INTEGER *, X509_get_serialNumber, X509 *a, a, return 0, return) DEFINEFUNC(int, X509_verify_cert, X509_STORE_CTX *a, a, return -1, return) DEFINEFUNC(int, X509_NAME_entry_count, X509_NAME *a, a, return 0, return) DEFINEFUNC2(X509_NAME_ENTRY *, X509_NAME_get_entry, X509_NAME *a, a, int b, b, return 0, return) @@ -384,25 +481,8 @@ DEFINEFUNC(int, X509_STORE_CTX_get_error, X509_STORE_CTX *a, a, return -1, return) DEFINEFUNC(int, X509_STORE_CTX_get_error_depth, X509_STORE_CTX *a, a, return -1, return) DEFINEFUNC(X509 *, X509_STORE_CTX_get_current_cert, X509_STORE_CTX *a, a, return 0, return) -DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return 0, return) -#ifdef SSLEAY_MACROS -DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) -DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return) -#ifndef OPENSSL_NO_EC -DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return) -#endif -DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return) -DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return) -#ifndef OPENSSL_NO_EC -DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return) -#endif -#endif -DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) -DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) -DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return) -DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return) DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return) DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return 0, return) #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -418,10 +498,24 @@ void *arg, arg, return, DUMMYARG) DEFINEFUNC3(void, SSL_get0_next_proto_negotiated, const SSL *s, s, const unsigned char **data, data, unsigned *len, len, return, DUMMYARG) +#if OPENSSL_VERSION_NUMBER >= 0x10002000L +DEFINEFUNC3(int, SSL_set_alpn_protos, SSL *s, s, const unsigned char *protos, protos, + unsigned protos_len, protos_len, return -1, return) +DEFINEFUNC3(void, SSL_CTX_set_alpn_select_cb, SSL_CTX *s, s, + int (*cb) (SSL *ssl, const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, void *arg), cb, + void *arg, arg, return, DUMMYARG) +DEFINEFUNC3(void, SSL_get0_alpn_selected, const SSL *s, s, const unsigned char **data, data, + unsigned *len, len, return, DUMMYARG) +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... DEFINEFUNC(DH *, DH_new, DUMMYARG, DUMMYARG, return 0, return) DEFINEFUNC(void, DH_free, DH *dh, dh, return, DUMMYARG) DEFINEFUNC3(DH *, d2i_DHparams, DH**a, a, const unsigned char **pp, pp, long length, length, return 0, return) +DEFINEFUNC2(int, i2d_DHparams, DH *a, a, unsigned char **p, p, return -1, return) +DEFINEFUNC2(int, DH_check, DH *dh, dh, int *codes, codes, return 0, return) DEFINEFUNC3(BIGNUM *, BN_bin2bn, const unsigned char *s, s, int len, len, BIGNUM *ret, ret, return 0, return) #ifndef OPENSSL_NO_EC DEFINEFUNC(EC_KEY *, EC_KEY_dup, const EC_KEY *ec, ec, return 0, return) @@ -445,12 +539,11 @@ #if !defined QT_LINKED_OPENSSL -#ifdef QT_NO_LIBRARY +#if !QT_CONFIG(library) bool q_resolveOpenSslSymbols() { - qCWarning(lcSsl, "QSslSocket: unable to resolve symbols. " - "QT_NO_LIBRARY is defined which means runtime resolving of " - "libraries won't work."); + qCWarning(lcSsl, "QSslSocket: unable to resolve symbols. Qt is configured without the " + "'library' feature, which means runtime resolving of libraries won't work."); qCWarning(lcSsl, "Either compile Qt statically or with support for runtime resolving " "of libraries."); return false; @@ -606,6 +699,23 @@ pair.first = 0; pair.second = 0; +#ifdef OPENSSL_API_COMPAT + // With OpenSSL 1.1 the names have changed to libssl-1_1(-x64) and libcrypto-1_1(-x64), for builds using + // MSVC and GCC, (-x64 suffix for 64-bit builds). + +#ifdef Q_PROCESSOR_X86_64 +#define QT_SSL_SUFFIX "-x64" +#else // !Q_PROCESSOFR_X86_64 +#define QT_SSL_SUFFIX +#endif // !Q_PROCESSOR_x86_64 + + tryToLoadOpenSslWin32Library(QLatin1String("libssl-1_1" QT_SSL_SUFFIX), + QLatin1String("libcrypto-1_1" QT_SSL_SUFFIX), pair); + +#undef QT_SSL_SUFFIX + +#else // OPENSSL_API_COMPAT + // When OpenSSL is built using MSVC then the libraries are named 'ssleay32.dll' and 'libeay32'dll'. // When OpenSSL is built using GCC then different library names are used (depending on the OpenSSL version) // The oldest version of a GCC-based OpenSSL which can be detected by the code below is 0.9.8g (released in 2007) @@ -616,6 +726,7 @@ } } } +#endif // !OPENSSL_API_COMPAT return pair; } @@ -672,8 +783,8 @@ #ifndef Q_OS_DARWIN // second attempt: find the development files libssl.so and libcrypto.so // - // disabled on OS X/iOS: - // OS X's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third + // disabled on macOS/iOS: + // macOS's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third // attempt, _after_ /Contents/Frameworks has been searched. // iOS does not ship a system libssl.dylib, libcrypto.dylib in the first place. libssl->setFileNameAndVersion(QLatin1String("ssl"), -1); @@ -732,8 +843,12 @@ static bool symbolsResolved = false; static bool triedToResolveSymbols = false; #ifndef QT_NO_THREAD +#ifdef OPENSSL_API_COMPAT + QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_OPENSSL_init_ssl)); +#else QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_SSL_library_init)); #endif +#endif if (symbolsResolved) return true; if (triedToResolveSymbols) @@ -749,11 +864,145 @@ // failed to load them return false; +#ifdef OPENSSL_API_COMPAT + + RESOLVEFUNC(OPENSSL_init_ssl) + RESOLVEFUNC(OPENSSL_init_crypto) + RESOLVEFUNC(ASN1_STRING_get0_data) + RESOLVEFUNC(EVP_CIPHER_CTX_reset) + RESOLVEFUNC(EVP_PKEY_base_id) + RESOLVEFUNC(RSA_bits) + RESOLVEFUNC(OPENSSL_sk_new_null) + RESOLVEFUNC(OPENSSL_sk_push) + RESOLVEFUNC(OPENSSL_sk_free) + RESOLVEFUNC(OPENSSL_sk_num) + RESOLVEFUNC(OPENSSL_sk_pop_free) + RESOLVEFUNC(OPENSSL_sk_value) + RESOLVEFUNC(DH_get0_pqg) + RESOLVEFUNC(SSL_CTX_set_options) + RESOLVEFUNC(SSL_get_client_random) + RESOLVEFUNC(SSL_SESSION_get_master_key) + RESOLVEFUNC(SSL_session_reused) + RESOLVEFUNC(SSL_get_session) + RESOLVEFUNC(CRYPTO_get_ex_new_index) + RESOLVEFUNC(TLS_method) + RESOLVEFUNC(TLS_client_method) + RESOLVEFUNC(TLS_server_method) + RESOLVEFUNC(X509_STORE_CTX_get0_chain) + RESOLVEFUNC(X509_getm_notBefore) + RESOLVEFUNC(X509_getm_notAfter) + RESOLVEFUNC(X509_get_version) + RESOLVEFUNC(X509_get_pubkey) + RESOLVEFUNC(X509_STORE_set_verify_cb) + RESOLVEFUNC(CRYPTO_free) + RESOLVEFUNC(OpenSSL_version_num) + RESOLVEFUNC(OpenSSL_version) + if (!_q_OpenSSL_version) { + // Apparently, we were built with OpenSSL 1.1 enabled but are now using + // a wrong library. + delete libs.first; + delete libs.second; + qCWarning(lcSsl, "Incompatible version of OpenSSL"); + return false; + } + + RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint) + RESOLVEFUNC(DH_bits) + RESOLVEFUNC(DSA_bits) + +#else // !openssl + + RESOLVEFUNC(ASN1_STRING_data) + #ifdef SSLEAY_MACROS RESOLVEFUNC(ASN1_dup) +#endif // SSLEAY_MACROS + RESOLVEFUNC(BIO_new_file) + RESOLVEFUNC(ERR_clear_error) + RESOLVEFUNC(CRYPTO_free) + RESOLVEFUNC(CRYPTO_num_locks) + RESOLVEFUNC(CRYPTO_set_id_callback) + RESOLVEFUNC(CRYPTO_set_locking_callback) + RESOLVEFUNC(ERR_peek_last_error) + RESOLVEFUNC(ERR_free_strings) + RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) + RESOLVEFUNC(EVP_CIPHER_CTX_init) + +#ifdef SSLEAY_MACROS // ### verify + RESOLVEFUNC(PEM_ASN1_read_bio) +#endif // SSLEAY_MACROS + + RESOLVEFUNC(sk_new_null) + RESOLVEFUNC(sk_push) + RESOLVEFUNC(sk_free) + RESOLVEFUNC(sk_num) + RESOLVEFUNC(sk_pop_free) + RESOLVEFUNC(sk_value) + RESOLVEFUNC(SSL_library_init) + RESOLVEFUNC(SSL_load_error_strings) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + RESOLVEFUNC(SSL_get_ex_new_index) +#endif +#ifndef OPENSSL_NO_SSL2 + RESOLVEFUNC(SSLv2_client_method) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD + RESOLVEFUNC(SSLv3_client_method) +#endif + RESOLVEFUNC(SSLv23_client_method) + RESOLVEFUNC(TLSv1_client_method) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + RESOLVEFUNC(TLSv1_1_client_method) + RESOLVEFUNC(TLSv1_2_client_method) +#endif +#ifndef OPENSSL_NO_SSL2 + RESOLVEFUNC(SSLv2_server_method) +#endif +#ifndef OPENSSL_NO_SSL3_METHOD + RESOLVEFUNC(SSLv3_server_method) +#endif + RESOLVEFUNC(SSLv23_server_method) + RESOLVEFUNC(TLSv1_server_method) +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + RESOLVEFUNC(TLSv1_1_server_method) + RESOLVEFUNC(TLSv1_2_server_method) +#endif + RESOLVEFUNC(X509_STORE_CTX_get_chain) +#ifdef SSLEAY_MACROS + RESOLVEFUNC(i2d_DSAPrivateKey) + RESOLVEFUNC(i2d_RSAPrivateKey) + RESOLVEFUNC(d2i_DSAPrivateKey) + RESOLVEFUNC(d2i_RSAPrivateKey) #endif + RESOLVEFUNC(CONF_get1_default_config_file) + RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) + RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) + RESOLVEFUNC(SSLeay) + + if (!_q_SSLeay || q_SSLeay() >= 0x10100000L) { + // OpenSSL 1.1 has deprecated and removed SSLeay. We consider a failure to + // resolve this symbol as a failure to resolve symbols. + // The right operand of '||' above is ... a bit of paranoia. + delete libs.first; + delete libs.second; + qCWarning(lcSsl, "Incompatible version of OpenSSL"); + return false; + } + + + RESOLVEFUNC(SSLeay_version) + +#ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + if (q_SSLeay() >= 0x10002000L) + RESOLVEFUNC(EC_curve_nist2nid) +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L +#endif // OPENSSL_NO_EC + + +#endif // !openssl + RESOLVEFUNC(ASN1_INTEGER_get) - RESOLVEFUNC(ASN1_STRING_data) RESOLVEFUNC(ASN1_STRING_length) RESOLVEFUNC(ASN1_STRING_to_UTF8) RESOLVEFUNC(BIO_ctrl) @@ -768,25 +1017,26 @@ RESOLVEFUNC(EC_GROUP_get_degree) #endif RESOLVEFUNC(BN_num_bits) - RESOLVEFUNC(CRYPTO_free) - RESOLVEFUNC(CRYPTO_num_locks) - RESOLVEFUNC(CRYPTO_set_id_callback) - RESOLVEFUNC(CRYPTO_set_locking_callback) +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + RESOLVEFUNC(BN_is_word) +#endif + RESOLVEFUNC(BN_mod_word) RESOLVEFUNC(DSA_new) RESOLVEFUNC(DSA_free) RESOLVEFUNC(ERR_error_string) RESOLVEFUNC(ERR_get_error) - RESOLVEFUNC(ERR_free_strings) - RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) - RESOLVEFUNC(EVP_CIPHER_CTX_init) + RESOLVEFUNC(EVP_CIPHER_CTX_new) + RESOLVEFUNC(EVP_CIPHER_CTX_free) RESOLVEFUNC(EVP_CIPHER_CTX_ctrl) RESOLVEFUNC(EVP_CIPHER_CTX_set_key_length) RESOLVEFUNC(EVP_CipherInit) + RESOLVEFUNC(EVP_CipherInit_ex) RESOLVEFUNC(EVP_CipherUpdate) RESOLVEFUNC(EVP_CipherFinal) RESOLVEFUNC(EVP_des_cbc) RESOLVEFUNC(EVP_des_ede3_cbc) RESOLVEFUNC(EVP_rc2_cbc) + RESOLVEFUNC(EVP_sha1) RESOLVEFUNC(EVP_PKEY_assign) RESOLVEFUNC(EVP_PKEY_set1_RSA) RESOLVEFUNC(EVP_PKEY_set1_DSA) @@ -808,20 +1058,23 @@ RESOLVEFUNC(i2t_ASN1_OBJECT) RESOLVEFUNC(OBJ_obj2txt) RESOLVEFUNC(OBJ_obj2nid) -#ifdef SSLEAY_MACROS // ### verify - RESOLVEFUNC(PEM_ASN1_read_bio) -#else + +#ifndef SSLEAY_MACROS + RESOLVEFUNC(PEM_read_bio_PrivateKey) RESOLVEFUNC(PEM_read_bio_DSAPrivateKey) RESOLVEFUNC(PEM_read_bio_RSAPrivateKey) #ifndef OPENSSL_NO_EC RESOLVEFUNC(PEM_read_bio_ECPrivateKey) #endif + RESOLVEFUNC(PEM_read_bio_DHparams) RESOLVEFUNC(PEM_write_bio_DSAPrivateKey) RESOLVEFUNC(PEM_write_bio_RSAPrivateKey) #ifndef OPENSSL_NO_EC RESOLVEFUNC(PEM_write_bio_ECPrivateKey) #endif -#endif +#endif // !SSLEAY_MACROS + + RESOLVEFUNC(PEM_read_bio_PUBKEY) RESOLVEFUNC(PEM_read_bio_DSA_PUBKEY) RESOLVEFUNC(PEM_read_bio_RSA_PUBKEY) #ifndef OPENSSL_NO_EC @@ -836,12 +1089,6 @@ RESOLVEFUNC(RAND_status) RESOLVEFUNC(RSA_new) RESOLVEFUNC(RSA_free) - RESOLVEFUNC(sk_new_null) - RESOLVEFUNC(sk_push) - RESOLVEFUNC(sk_free) - RESOLVEFUNC(sk_num) - RESOLVEFUNC(sk_pop_free) - RESOLVEFUNC(sk_value) RESOLVEFUNC(SSL_CIPHER_description) RESOLVEFUNC(SSL_CIPHER_get_bits) RESOLVEFUNC(SSL_CTX_check_private_key) @@ -869,8 +1116,6 @@ RESOLVEFUNC(SSL_get_peer_cert_chain) RESOLVEFUNC(SSL_get_peer_certificate) RESOLVEFUNC(SSL_get_verify_result) - RESOLVEFUNC(SSL_library_init) - RESOLVEFUNC(SSL_load_error_strings) RESOLVEFUNC(SSL_new) RESOLVEFUNC(SSL_ctrl) RESOLVEFUNC(SSL_read) @@ -883,38 +1128,15 @@ RESOLVEFUNC(SSL_get1_session) RESOLVEFUNC(SSL_get_session) #if OPENSSL_VERSION_NUMBER >= 0x10001000L - RESOLVEFUNC(SSL_get_ex_new_index) RESOLVEFUNC(SSL_set_ex_data) RESOLVEFUNC(SSL_get_ex_data) #endif #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) RESOLVEFUNC(SSL_set_psk_client_callback) + RESOLVEFUNC(SSL_set_psk_server_callback) + RESOLVEFUNC(SSL_CTX_use_psk_identity_hint) #endif RESOLVEFUNC(SSL_write) -#ifndef OPENSSL_NO_SSL2 - RESOLVEFUNC(SSLv2_client_method) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD - RESOLVEFUNC(SSLv3_client_method) -#endif - RESOLVEFUNC(SSLv23_client_method) - RESOLVEFUNC(TLSv1_client_method) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - RESOLVEFUNC(TLSv1_1_client_method) - RESOLVEFUNC(TLSv1_2_client_method) -#endif -#ifndef OPENSSL_NO_SSL2 - RESOLVEFUNC(SSLv2_server_method) -#endif -#ifndef OPENSSL_NO_SSL3_METHOD - RESOLVEFUNC(SSLv3_server_method) -#endif - RESOLVEFUNC(SSLv23_server_method) - RESOLVEFUNC(TLSv1_server_method) -#if OPENSSL_VERSION_NUMBER >= 0x10001000L - RESOLVEFUNC(TLSv1_1_server_method) - RESOLVEFUNC(TLSv1_2_server_method) -#endif RESOLVEFUNC(X509_NAME_entry_count) RESOLVEFUNC(X509_NAME_get_entry) RESOLVEFUNC(X509_NAME_ENTRY_get_data) @@ -930,12 +1152,12 @@ RESOLVEFUNC(X509_STORE_CTX_get_error) RESOLVEFUNC(X509_STORE_CTX_get_error_depth) RESOLVEFUNC(X509_STORE_CTX_get_current_cert) - RESOLVEFUNC(X509_STORE_CTX_get_chain) RESOLVEFUNC(X509_cmp) #ifndef SSLEAY_MACROS RESOLVEFUNC(X509_dup) #endif RESOLVEFUNC(X509_print) + RESOLVEFUNC(X509_digest) RESOLVEFUNC(X509_EXTENSION_get_object) RESOLVEFUNC(X509_free) RESOLVEFUNC(X509_get_ext) @@ -951,20 +1173,11 @@ RESOLVEFUNC(X509_check_issued) RESOLVEFUNC(X509_get_issuer_name) RESOLVEFUNC(X509_get_subject_name) + RESOLVEFUNC(X509_get_serialNumber) RESOLVEFUNC(X509_verify_cert) RESOLVEFUNC(d2i_X509) RESOLVEFUNC(i2d_X509) -#ifdef SSLEAY_MACROS - RESOLVEFUNC(i2d_DSAPrivateKey) - RESOLVEFUNC(i2d_RSAPrivateKey) - RESOLVEFUNC(d2i_DSAPrivateKey) - RESOLVEFUNC(d2i_RSAPrivateKey) -#endif - RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) - RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) RESOLVEFUNC(SSL_CTX_load_verify_locations) - RESOLVEFUNC(SSLeay) - RESOLVEFUNC(SSLeay_version) RESOLVEFUNC(i2d_SSL_SESSION) RESOLVEFUNC(d2i_SSL_SESSION) #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -972,19 +1185,22 @@ RESOLVEFUNC(SSL_CTX_set_next_proto_select_cb) RESOLVEFUNC(SSL_get0_next_proto_negotiated) #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + RESOLVEFUNC(SSL_set_alpn_protos) + RESOLVEFUNC(SSL_CTX_set_alpn_select_cb) + RESOLVEFUNC(SSL_get0_alpn_selected) +#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... RESOLVEFUNC(DH_new) RESOLVEFUNC(DH_free) RESOLVEFUNC(d2i_DHparams) + RESOLVEFUNC(i2d_DHparams) + RESOLVEFUNC(DH_check) RESOLVEFUNC(BN_bin2bn) #ifndef OPENSSL_NO_EC RESOLVEFUNC(EC_KEY_dup) RESOLVEFUNC(EC_KEY_new_by_curve_name) RESOLVEFUNC(EC_KEY_free) RESOLVEFUNC(EC_get_builtin_curves) -#if OPENSSL_VERSION_NUMBER >= 0x10002000L - if (q_SSLeay() >= 0x10002000L) - RESOLVEFUNC(EC_curve_nist2nid) -#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L #endif // OPENSSL_NO_EC RESOLVEFUNC(PKCS12_parse) RESOLVEFUNC(d2i_PKCS12_bio) @@ -995,7 +1211,7 @@ delete libs.second; return true; } -#endif // QT_NO_LIBRARY +#endif // QT_CONFIG(library) #else // !defined QT_LINKED_OPENSSL --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols_p.h 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslsocket_openssl_symbols_p.h 2017-11-30 07:49:46.000000000 -0600 @@ -1,6 +1,6 @@ /**************************************************************************** ** -** Copyright (C) 2016 The Qt Company Ltd. +** Copyright (C) 2017 The Qt Company Ltd. ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ** Contact: https://www.qt.io/licensing/ ** @@ -56,13 +56,14 @@ #ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H #define QSSLSOCKET_OPENSSL_SYMBOLS_P_H + // // W A R N I N G // ------------- // -// This file is not part of the Qt API. It exists for the convenience -// of the QLibrary class. This header file may change from -// version to version without notice, or even be removed. +// This file is not part of the Qt API. It exists purely as an +// implementation detail. This header file may change from version to +// version without notice, or even be removed. // // We mean it. // @@ -214,43 +216,58 @@ #endif // !defined QT_LINKED_OPENSSL +#ifdef OPENSSL_API_COMPAT +#include "qsslsocket_openssl11_symbols_p.h" +#else +#include "qsslsocket_opensslpre11_symbols_p.h" +#endif // QT_CONFIG + bool q_resolveOpenSslSymbols(); long q_ASN1_INTEGER_get(ASN1_INTEGER *a); -unsigned char * q_ASN1_STRING_data(ASN1_STRING *a); int q_ASN1_STRING_length(ASN1_STRING *a); int q_ASN1_STRING_to_UTF8(unsigned char **a, ASN1_STRING *b); long q_BIO_ctrl(BIO *a, int b, long c, void *d); -int q_BIO_free(BIO *a); -BIO *q_BIO_new(BIO_METHOD *a); +Q_AUTOTEST_EXPORT int q_BIO_free(BIO *a); BIO *q_BIO_new_mem_buf(void *a, int b); int q_BIO_read(BIO *a, void *b, int c); -BIO_METHOD *q_BIO_s_mem(); -int q_BIO_write(BIO *a, const void *b, int c); +Q_AUTOTEST_EXPORT int q_BIO_write(BIO *a, const void *b, int c); int q_BN_num_bits(const BIGNUM *a); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +int q_BN_is_word(BIGNUM *a, BN_ULONG w); +#else +// BN_is_word is implemented purely as a +// macro in OpenSSL < 1.1. It doesn't +// call any functions. +// +// The implementation of BN_is_word is +// 100% the same between 1.0.0, 1.0.1 +// and 1.0.2. +// +// Users are required to include . +#define q_BN_is_word BN_is_word +#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L +BN_ULONG q_BN_mod_word(const BIGNUM *a, BN_ULONG w); #ifndef OPENSSL_NO_EC const EC_GROUP* q_EC_KEY_get0_group(const EC_KEY* k); int q_EC_GROUP_get_degree(const EC_GROUP* g); #endif -int q_CRYPTO_num_locks(); -void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int)); -void q_CRYPTO_set_id_callback(unsigned long (*a)()); -void q_CRYPTO_free(void *a); DSA *q_DSA_new(); void q_DSA_free(DSA *a); X509 *q_d2i_X509(X509 **a, const unsigned char **b, long c); char *q_ERR_error_string(unsigned long a, char *b); unsigned long q_ERR_get_error(); -void q_ERR_free_strings(); -void q_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); -void q_EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); +EVP_CIPHER_CTX *q_EVP_CIPHER_CTX_new(); +void q_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *a); int q_EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); int q_EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); int q_EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *key, const unsigned char *iv, int enc); +int q_EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); int q_EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); int q_EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); const EVP_CIPHER *q_EVP_des_cbc(); const EVP_CIPHER *q_EVP_des_ede3_cbc(); const EVP_CIPHER *q_EVP_rc2_cbc(); +const EVP_MD *q_EVP_sha1(); int q_EVP_PKEY_assign(EVP_PKEY *a, int b, char *c); Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_RSA(EVP_PKEY *a, RSA *b); int q_EVP_PKEY_set1_DSA(EVP_PKEY *a, DSA *b); @@ -279,11 +296,13 @@ void *f); // ### ditto for write #else +Q_AUTOTEST_EXPORT EVP_PKEY *q_PEM_read_bio_PrivateKey(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); DSA *q_PEM_read_bio_DSAPrivateKey(BIO *a, DSA **b, pem_password_cb *c, void *d); RSA *q_PEM_read_bio_RSAPrivateKey(BIO *a, RSA **b, pem_password_cb *c, void *d); #ifndef OPENSSL_NO_EC EC_KEY *q_PEM_read_bio_ECPrivateKey(BIO *a, EC_KEY **b, pem_password_cb *c, void *d); #endif +DH *q_PEM_read_bio_DHparams(BIO *a, DH **b, pem_password_cb *c, void *d); int q_PEM_write_bio_DSAPrivateKey(BIO *a, DSA *b, const EVP_CIPHER *c, unsigned char *d, int e, pem_password_cb *f, void *g); int q_PEM_write_bio_RSAPrivateKey(BIO *a, RSA *b, const EVP_CIPHER *c, unsigned char *d, @@ -292,7 +311,8 @@ int q_PEM_write_bio_ECPrivateKey(BIO *a, EC_KEY *b, const EVP_CIPHER *c, unsigned char *d, int e, pem_password_cb *f, void *g); #endif -#endif +#endif // SSLEAY_MACROS +Q_AUTOTEST_EXPORT EVP_PKEY *q_PEM_read_bio_PUBKEY(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); DSA *q_PEM_read_bio_DSA_PUBKEY(BIO *a, DSA **b, pem_password_cb *c, void *d); RSA *q_PEM_read_bio_RSA_PUBKEY(BIO *a, RSA **b, pem_password_cb *c, void *d); #ifndef OPENSSL_NO_EC @@ -307,23 +327,10 @@ int q_RAND_status(); RSA *q_RSA_new(); void q_RSA_free(RSA *a); -int q_sk_num(STACK *a); -void q_sk_pop_free(STACK *a, void (*b)(void *)); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -_STACK *q_sk_new_null(); -void q_sk_push(_STACK *st, void *data); -void q_sk_free(_STACK *a); -void * q_sk_value(STACK *a, int b); -#else -STACK *q_sk_new_null(); -void q_sk_push(STACK *st, char *data); -void q_sk_free(STACK *a); -char * q_sk_value(STACK *a, int b); -#endif int q_SSL_accept(SSL *a); int q_SSL_clear(SSL *a); -char *q_SSL_CIPHER_description(SSL_CIPHER *a, char *b, int c); -int q_SSL_CIPHER_get_bits(SSL_CIPHER *a, int *b); +char *q_SSL_CIPHER_description(const SSL_CIPHER *a, char *b, int c); +int q_SSL_CIPHER_get_bits(const SSL_CIPHER *a, int *b); int q_SSL_connect(SSL *a); int q_SSL_CTX_check_private_key(const SSL_CTX *a); long q_SSL_CTX_ctrl(SSL_CTX *a, int b, long c, void *d); @@ -355,8 +362,6 @@ STACK_OF(X509) *q_SSL_get_peer_cert_chain(SSL *a); X509 *q_SSL_get_peer_certificate(SSL *a); long q_SSL_get_verify_result(const SSL *a); -int q_SSL_library_init(); -void q_SSL_load_error_strings(); SSL *q_SSL_new(SSL_CTX *a); long q_SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg); int q_SSL_read(SSL *a, void *b, int c); @@ -369,57 +374,16 @@ SSL_SESSION *q_SSL_get1_session(SSL *ssl); SSL_SESSION *q_SSL_get_session(const SSL *ssl); #if OPENSSL_VERSION_NUMBER >= 0x10001000L -int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int q_SSL_set_ex_data(SSL *ssl, int idx, void *arg); void *q_SSL_get_ex_data(const SSL *ssl, int idx); #endif #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) typedef unsigned int (*q_psk_client_callback_t)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len); void q_SSL_set_psk_client_callback(SSL *ssl, q_psk_client_callback_t callback); +typedef unsigned int (*q_psk_server_callback_t)(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len); +void q_SSL_set_psk_server_callback(SSL *ssl, q_psk_server_callback_t callback); +int q_SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint); #endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L -#ifndef OPENSSL_NO_SSL2 -const SSL_METHOD *q_SSLv2_client_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -const SSL_METHOD *q_SSLv3_client_method(); -#endif -const SSL_METHOD *q_SSLv23_client_method(); -const SSL_METHOD *q_TLSv1_client_method(); -const SSL_METHOD *q_TLSv1_1_client_method(); -const SSL_METHOD *q_TLSv1_2_client_method(); -#ifndef OPENSSL_NO_SSL2 -const SSL_METHOD *q_SSLv2_server_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -const SSL_METHOD *q_SSLv3_server_method(); -#endif -const SSL_METHOD *q_SSLv23_server_method(); -const SSL_METHOD *q_TLSv1_server_method(); -const SSL_METHOD *q_TLSv1_1_server_method(); -const SSL_METHOD *q_TLSv1_2_server_method(); -#else -#ifndef OPENSSL_NO_SSL2 -SSL_METHOD *q_SSLv2_client_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -SSL_METHOD *q_SSLv3_client_method(); -#endif -SSL_METHOD *q_SSLv23_client_method(); -SSL_METHOD *q_TLSv1_client_method(); -SSL_METHOD *q_TLSv1_1_client_method(); -SSL_METHOD *q_TLSv1_2_client_method(); -#ifndef OPENSSL_NO_SSL2 -SSL_METHOD *q_SSLv2_server_method(); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD -SSL_METHOD *q_SSLv3_server_method(); -#endif -SSL_METHOD *q_SSLv23_server_method(); -SSL_METHOD *q_TLSv1_server_method(); -SSL_METHOD *q_TLSv1_1_server_method(); -SSL_METHOD *q_TLSv1_2_server_method(); -#endif int q_SSL_write(SSL *a, const void *b, int c); int q_X509_cmp(X509 *a, X509 *b); #ifdef SSLEAY_MACROS @@ -430,6 +394,7 @@ X509 *q_X509_dup(X509 *a); #endif void q_X509_print(BIO *a, X509*b); +int q_X509_digest(const X509 *x509, const EVP_MD *type, unsigned char *md, unsigned int *len); ASN1_OBJECT *q_X509_EXTENSION_get_object(X509_EXTENSION *a); void q_X509_free(X509 *a); X509_EXTENSION *q_X509_get_ext(X509 *a, int b); @@ -449,6 +414,7 @@ int q_X509_check_issued(X509 *a, X509 *b); X509_NAME *q_X509_get_issuer_name(X509 *a); X509_NAME *q_X509_get_subject_name(X509 *a); +ASN1_INTEGER *q_X509_get_serialNumber(X509 *a); int q_X509_verify_cert(X509_STORE_CTX *ctx); int q_X509_NAME_entry_count(X509_NAME *a); X509_NAME_ENTRY *q_X509_NAME_get_entry(X509_NAME *a,int b); @@ -466,12 +432,13 @@ int q_X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); int q_X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); X509 *q_X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); -STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); // Diffie-Hellman support DH *q_DH_new(); void q_DH_free(DH *dh); DH *q_d2i_DHparams(DH **a, const unsigned char **pp, long length); +int q_i2d_DHparams(DH *a, unsigned char **p); +int q_DH_check(DH *dh, int *codes); BIGNUM *q_BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); #define q_SSL_CTX_set_tmp_dh(ctx, dh) q_SSL_CTX_ctrl((ctx), SSL_CTRL_SET_TMP_DH, 0, (char *)dh) @@ -498,31 +465,9 @@ PKCS12 *q_d2i_PKCS12_bio(BIO *bio, PKCS12 **pkcs12); void q_PKCS12_free(PKCS12 *pkcs12); - #define q_BIO_get_mem_data(b, pp) (int)q_BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp) #define q_BIO_pending(b) (int)q_BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL) -#ifdef SSLEAY_MACROS -int q_i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); -int q_i2d_RSAPrivateKey(const RSA *a, unsigned char **pp); -RSA *q_d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length); -DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); -#define q_PEM_read_bio_RSAPrivateKey(bp, x, cb, u) \ - (RSA *)q_PEM_ASN1_read_bio( \ - (void *(*)(void**, const unsigned char**, long int))q_d2i_RSAPrivateKey, PEM_STRING_RSA, bp, (void **)x, cb, u) -#define q_PEM_read_bio_DSAPrivateKey(bp, x, cb, u) \ - (DSA *)q_PEM_ASN1_read_bio( \ - (void *(*)(void**, const unsigned char**, long int))q_d2i_DSAPrivateKey, PEM_STRING_DSA, bp, (void **)x, cb, u) -#define q_PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ - PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_RSAPrivateKey,PEM_STRING_RSA,\ - bp,(char *)x,enc,kstr,klen,cb,u) -#define q_PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ - PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_DSAPrivateKey,PEM_STRING_DSA,\ - bp,(char *)x,enc,kstr,klen,cb,u) -#endif -#define q_SSL_CTX_set_options(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) #define q_SSL_CTX_set_mode(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) -#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st) -#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i) #define q_sk_GENERAL_NAME_num(st) q_SKM_sk_num(GENERAL_NAME, (st)) #define q_sk_GENERAL_NAME_value(st, i) q_SKM_sk_value(GENERAL_NAME, (st), (i)) #define q_sk_X509_num(st) q_SKM_sk_num(X509, (st)) @@ -531,18 +476,12 @@ #define q_sk_SSL_CIPHER_value(st, i) q_SKM_sk_value(SSL_CIPHER, (st), (i)) #define q_SSL_CTX_add_extra_chain_cert(ctx,x509) \ q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) -#define q_X509_get_notAfter(x) X509_get_notAfter(x) -#define q_X509_get_notBefore(x) X509_get_notBefore(x) #define q_EVP_PKEY_assign_RSA(pkey,rsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) #define q_EVP_PKEY_assign_DSA(pkey,dsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf() -void q_OPENSSL_add_all_algorithms_noconf(); -void q_OPENSSL_add_all_algorithms_conf(); int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); -long q_SSLeay(); -const char *q_SSLeay_version(int type); int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); @@ -558,6 +497,19 @@ void *arg); void q_SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len); +#if OPENSSL_VERSION_NUMBER >= 0x10002000L +int q_SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, + unsigned protos_len); +void q_SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, + int (*cb) (SSL *ssl, + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *arg), void *arg); +void q_SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, + unsigned *len); +#endif #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... // Helper function --- qtbase-opensource-src-5.7.1/src/network/ssl/ssl.pri 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/ssl.pri 2017-11-30 07:49:46.000000000 -0600 @@ -9,6 +9,8 @@ ssl/qsslconfiguration_p.h \ ssl/qsslcipher.h \ ssl/qsslcipher_p.h \ + ssl/qssldiffiehellmanparameters.h \ + ssl/qssldiffiehellmanparameters_p.h \ ssl/qsslellipticcurve.h \ ssl/qsslerror.h \ ssl/qsslkey.h \ @@ -24,6 +26,7 @@ ssl/qsslcertificate.cpp \ ssl/qsslconfiguration.cpp \ ssl/qsslcipher.cpp \ + ssl/qssldiffiehellmanparameters.cpp \ ssl/qsslellipticcurve.cpp \ ssl/qsslkey_p.cpp \ ssl/qsslerror.cpp \ @@ -35,6 +38,7 @@ HEADERS += ssl/qsslsocket_winrt_p.h SOURCES += ssl/qsslcertificate_qt.cpp \ ssl/qsslcertificate_winrt.cpp \ + ssl/qssldiffiehellmanparameters_dummy.cpp \ ssl/qsslkey_qt.cpp \ ssl/qsslkey_winrt.cpp \ ssl/qsslsocket_winrt.cpp \ @@ -44,6 +48,7 @@ contains(QT_CONFIG, securetransport) { HEADERS += ssl/qsslsocket_mac_p.h SOURCES += ssl/qsslcertificate_qt.cpp \ + ssl/qssldiffiehellmanparameters_dummy.cpp \ ssl/qsslkey_qt.cpp \ ssl/qsslkey_mac.cpp \ ssl/qsslsocket_mac_shared.cpp \ @@ -56,12 +61,19 @@ HEADERS += ssl/qsslcontext_openssl_p.h \ ssl/qsslsocket_openssl_p.h \ ssl/qsslsocket_openssl_symbols_p.h - SOURCES += ssl/qsslcertificate_openssl.cpp \ - ssl/qsslcontext_openssl.cpp \ + SOURCES += ssl/qsslsocket_openssl_symbols.cpp \ + ssl/qssldiffiehellmanparameters_openssl.cpp \ + ssl/qsslcertificate_openssl.cpp \ ssl/qsslellipticcurve_openssl.cpp \ ssl/qsslkey_openssl.cpp \ ssl/qsslsocket_openssl.cpp \ - ssl/qsslsocket_openssl_symbols.cpp + ssl/qsslcontext_openssl.cpp + + HEADERS += ssl/qsslsocket_openssl11_symbols_p.h + SOURCES += ssl/qsslsocket_openssl11.cpp \ + ssl/qsslcontext_openssl11.cpp + + QMAKE_CXXFLAGS += -DOPENSSL_API_COMPAT=0x10100000L darwin:SOURCES += ssl/qsslsocket_mac_shared.cpp --- qtbase-opensource-src-5.7.1/src/network/ssl/qssldiffiehellmanparameters.h 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qssldiffiehellmanparameters.h 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1,118 @@ +/**************************************************************************** +** +** Copyright (C) 2015 Mikkel Krautz +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +#ifndef QSSLDIFFIEHELLMANPARAMETERS_H +#define QSSLDIFFIEHELLMANPARAMETERS_H + +#include +#include +#include +#include + +QT_BEGIN_NAMESPACE + +#ifndef QT_NO_SSL + +class QIODevice; +class QSslContext; +class QSslDiffieHellmanParametersPrivate; + +class QSslDiffieHellmanParameters; +// qHash is a friend, but we can't use default arguments for friends (ยง8.3.6.4) +Q_NETWORK_EXPORT uint qHash(const QSslDiffieHellmanParameters &dhparam, uint seed = 0) Q_DECL_NOTHROW; + +#ifndef QT_NO_DEBUG_STREAM +class QDebug; +Q_NETWORK_EXPORT QDebug operator<<(QDebug debug, const QSslDiffieHellmanParameters &dhparams); +#endif + +Q_NETWORK_EXPORT bool operator==(const QSslDiffieHellmanParameters &lhs, const QSslDiffieHellmanParameters &rhs) Q_DECL_NOTHROW; + +inline bool operator!=(const QSslDiffieHellmanParameters &lhs, const QSslDiffieHellmanParameters &rhs) Q_DECL_NOTHROW +{ + return !operator==(lhs, rhs); +} + +class QSslDiffieHellmanParameters +{ +public: + enum Error { + NoError, + InvalidInputDataError, + UnsafeParametersError + }; + + Q_NETWORK_EXPORT static QSslDiffieHellmanParameters defaultParameters(); + + Q_NETWORK_EXPORT QSslDiffieHellmanParameters(); + Q_NETWORK_EXPORT QSslDiffieHellmanParameters(const QSslDiffieHellmanParameters &other); + QSslDiffieHellmanParameters(QSslDiffieHellmanParameters &&other) Q_DECL_NOTHROW : d(other.d) { other.d = nullptr; } + Q_NETWORK_EXPORT ~QSslDiffieHellmanParameters(); + + Q_NETWORK_EXPORT QSslDiffieHellmanParameters &operator=(const QSslDiffieHellmanParameters &other); + QSslDiffieHellmanParameters &operator=(QSslDiffieHellmanParameters &&other) Q_DECL_NOTHROW { swap(other); return *this; } + + void swap(QSslDiffieHellmanParameters &other) Q_DECL_NOTHROW { qSwap(d, other.d); } + + Q_NETWORK_EXPORT static QSslDiffieHellmanParameters fromEncoded(const QByteArray &encoded, QSsl::EncodingFormat format = QSsl::Pem); + Q_NETWORK_EXPORT static QSslDiffieHellmanParameters fromEncoded(QIODevice *device, QSsl::EncodingFormat format = QSsl::Pem); + + Q_NETWORK_EXPORT bool isEmpty() const Q_DECL_NOTHROW; + Q_NETWORK_EXPORT bool isValid() const Q_DECL_NOTHROW; + Q_NETWORK_EXPORT Error error() const Q_DECL_NOTHROW; + Q_NETWORK_EXPORT QString errorString() const Q_DECL_NOTHROW; + +private: + QSslDiffieHellmanParametersPrivate *d; + friend class QSslContext; + friend Q_NETWORK_EXPORT bool operator==(const QSslDiffieHellmanParameters &lhs, const QSslDiffieHellmanParameters &rhs) Q_DECL_NOTHROW; +#ifndef QT_NO_DEBUG_STREAM + friend Q_NETWORK_EXPORT QDebug operator<<(QDebug debug, const QSslDiffieHellmanParameters &dhparam); +#endif + friend Q_NETWORK_EXPORT uint qHash(const QSslDiffieHellmanParameters &dhparam, uint seed) Q_DECL_NOTHROW; +}; + +Q_DECLARE_SHARED(QSslDiffieHellmanParameters) + +#endif // QT_NO_SSL + +QT_END_NAMESPACE + +#endif --- qtbase-opensource-src-5.7.1/src/network/ssl/qssldiffiehellmanparameters_p.h 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qssldiffiehellmanparameters_p.h 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1,77 @@ +/**************************************************************************** +** +** Copyright (C) 2015 Mikkel Krautz +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +#ifndef QSSLDIFFIEHELLMANPARAMETERS_P_H +#define QSSLDIFFIEHELLMANPARAMETERS_P_H + +// +// W A R N I N G +// ------------- +// +// This file is not part of the Qt API. It exists for the convenience +// of qssldiffiehellmanparameters.cpp. This header file may change from version to version +// without notice, or even be removed. +// +// We mean it. +// + +#include + +#include "qsslkey.h" +#include "qssldiffiehellmanparameters.h" +#include "qsslsocket_p.h" // includes wincrypt.h + +QT_BEGIN_NAMESPACE + +class QSslDiffieHellmanParametersPrivate : public QSharedData +{ +public: + QSslDiffieHellmanParametersPrivate() : error(QSslDiffieHellmanParameters::NoError) {}; + + void decodeDer(const QByteArray &der); + void decodePem(const QByteArray &pem); + + QSslDiffieHellmanParameters::Error error; + QByteArray derData; +}; + +QT_END_NAMESPACE + +#endif // QSSLDIFFIEHELLMANPARAMETERS_P_H --- qtbase-opensource-src-5.7.1/src/network/ssl/qssldiffiehellmanparameters.cpp 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qssldiffiehellmanparameters.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1,324 @@ +/**************************************************************************** +** +** Copyright (C) 2015 Mikkel Krautz +** Contact: https://www.qt.io/licensing/ +** +** This file is part of the QtNetwork module of the Qt Toolkit. +** +** $QT_BEGIN_LICENSE:LGPL$ +** Commercial License Usage +** Licensees holding valid commercial Qt licenses may use this file in +** accordance with the commercial license agreement provided with the +** Software or, alternatively, in accordance with the terms contained in +** a written agreement between you and The Qt Company. For licensing terms +** and conditions see https://www.qt.io/terms-conditions. For further +** information use the contact form at https://www.qt.io/contact-us. +** +** GNU Lesser General Public License Usage +** Alternatively, this file may be used under the terms of the GNU Lesser +** General Public License version 3 as published by the Free Software +** Foundation and appearing in the file LICENSE.LGPL3 included in the +** packaging of this file. Please review the following information to +** ensure the GNU Lesser General Public License version 3 requirements +** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. +** +** GNU General Public License Usage +** Alternatively, this file may be used under the terms of the GNU +** General Public License version 2.0 or (at your option) the GNU General +** Public license version 3 or any later version approved by the KDE Free +** Qt Foundation. The licenses are as published by the Free Software +** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 +** included in the packaging of this file. Please review the following +** information to ensure the GNU General Public License requirements will +** be met: https://www.gnu.org/licenses/gpl-2.0.html and +** https://www.gnu.org/licenses/gpl-3.0.html. +** +** $QT_END_LICENSE$ +** +****************************************************************************/ + + +/*! + \class QSslDiffieHellmanParameters + \brief The QSslDiffieHellmanParameters class provides an interface for Diffie-Hellman parameters for servers. + \since 5.8 + + \reentrant + \ingroup network + \ingroup ssl + \ingroup shared + \inmodule QtNetwork + + QSslDiffieHellmanParameters provides an interface for setting Diffie-Hellman parameters to servers based on QSslSocket. + + \sa QSslSocket, QSslCipher, QSslConfiguration +*/ + +#include "qssldiffiehellmanparameters.h" +#include "qssldiffiehellmanparameters_p.h" +#include "qsslsocket.h" +#include "qsslsocket_p.h" + +#include +#include +#include +#include +#include +#include + +QT_BEGIN_NAMESPACE + +// The 1024-bit MODP group from RFC 2459 (Second Oakley Group) +Q_AUTOTEST_EXPORT const char *qssl_dhparams_default_base64 = + "MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR" + "Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL" + "/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC"; + +/*! + Returns the default QSslDiffieHellmanParameters used by QSslSocket. + + This is currently the 1024-bit MODP group from RFC 2459, also + known as the Second Oakley Group. +*/ +QSslDiffieHellmanParameters QSslDiffieHellmanParameters::defaultParameters() +{ + QSslDiffieHellmanParameters def; + def.d->derData = QByteArray::fromBase64(QByteArray(qssl_dhparams_default_base64)); + return def; +} + +/*! + Constructs an empty QSslDiffieHellmanParameters instance. + + If an empty QSslDiffieHellmanParameters instance is set on a + QSslConfiguration object, Diffie-Hellman negotiation will + be disabled. + + \sa isValid() + \sa QSslConfiguration +*/ +QSslDiffieHellmanParameters::QSslDiffieHellmanParameters() + : d(new QSslDiffieHellmanParametersPrivate) +{ + d->ref.ref(); +} + +/*! + Constructs a QSslDiffieHellmanParameters object using + the byte array \a encoded in either PEM or DER form as specified by \a encoding. + + Use the isValid() method on the returned object to + check whether the Diffie-Hellman parameters were valid and + loaded correctly. + + \sa isValid() + \sa QSslConfiguration +*/ +QSslDiffieHellmanParameters QSslDiffieHellmanParameters::fromEncoded(const QByteArray &encoded, QSsl::EncodingFormat encoding) +{ + QSslDiffieHellmanParameters result; + switch (encoding) { + case QSsl::Der: + result.d->decodeDer(encoded); + break; + case QSsl::Pem: + result.d->decodePem(encoded); + break; + } + return result; +} + +/*! + Constructs a QSslDiffieHellmanParameters object by + reading from \a device in either PEM or DER form as specified by \a encoding. + + Use the isValid() method on the returned object + to check whether the Diffie-Hellman parameters were valid + and loaded correctly. + + In particular, if \a device is \c nullptr or not open for reading, an invalid + object will be returned. + + \sa isValid() + \sa QSslConfiguration +*/ +QSslDiffieHellmanParameters QSslDiffieHellmanParameters::fromEncoded(QIODevice *device, QSsl::EncodingFormat encoding) +{ + if (device) + return fromEncoded(device->readAll(), encoding); + else + return QSslDiffieHellmanParameters(); +} + +/*! + Constructs an identical copy of \a other. +*/ +QSslDiffieHellmanParameters::QSslDiffieHellmanParameters(const QSslDiffieHellmanParameters &other) + : d(other.d) +{ + if (d) + d->ref.ref(); +} + +/*! + \fn QSslDiffieHellmanParameters(QSslDiffieHellmanParameters &&other) + + Move-constructs from \a other. + + \note The moved-from object \a other is placed in a partially-formed state, in which + the only valid operations are destruction and assignment of a new value. +*/ + +/*! + Destroys the QSslDiffieHellmanParameters object. +*/ +QSslDiffieHellmanParameters::~QSslDiffieHellmanParameters() +{ + if (d && !d->ref.deref()) + delete d; +} + +/*! + Copies the contents of \a other into this QSslDiffieHellmanParameters, making the two QSslDiffieHellmanParameters + identical. + + Returns a reference to this QSslDiffieHellmanParameters. +*/ +QSslDiffieHellmanParameters &QSslDiffieHellmanParameters::operator=(const QSslDiffieHellmanParameters &other) +{ + QSslDiffieHellmanParameters copy(other); + swap(copy); + return *this; +} + +/*! + \fn QSslDiffieHellmanParameters &QSslDiffieHellmanParameters::operator=(QSslDiffieHellmanParameters &&other) + + Move-assigns \a other to this QSslDiffieHellmanParameters instance. + + \note The moved-from object \a other is placed in a partially-formed state, in which + the only valid operations are destruction and assignment of a new value. +*/ + +/*! + \fn void QSslDiffieHellmanParameters::swap(QSslDiffieHellmanParameters &other) + + Swaps this QSslDiffieHellmanParameters with \a other. This function is very fast and + never fails. +*/ + +/*! + Returns \c true if this is a an empty QSslDiffieHellmanParameters instance. + + Setting an empty QSslDiffieHellmanParameters instance on a QSslSocket-based + server will disable Diffie-Hellman key exchange. +*/ +bool QSslDiffieHellmanParameters::isEmpty() const Q_DECL_NOTHROW +{ + return d->derData.isNull() && d->error == QSslDiffieHellmanParameters::NoError; +} + +/*! + Returns \c true if this is a valid QSslDiffieHellmanParameters; otherwise false. + + This method should be used after constructing a QSslDiffieHellmanParameters + object to determine its validity. + + If a QSslDiffieHellmanParameters object is not valid, you can use the error() + method to determine what error prevented the object from being constructed. + + \sa error() +*/ +bool QSslDiffieHellmanParameters::isValid() const Q_DECL_NOTHROW +{ + return d->error == QSslDiffieHellmanParameters::NoError; +} + +/*! + \enum QSslDiffieHellmanParameters::Error + + Describes a QSslDiffieHellmanParameters error. + + \value NoError No error occurred. + + \value InvalidInputDataError The given input data could not be used to + construct a QSslDiffieHellmanParameters + object. + + \value UnsafeParametersError The Diffie-Hellman parameters are unsafe + and should not be used. +*/ + +/*! + Returns the error that caused the QSslDiffieHellmanParameters object + to be invalid. +*/ +QSslDiffieHellmanParameters::Error QSslDiffieHellmanParameters::error() const Q_DECL_NOTHROW +{ + return d->error; +} + +/*! + Returns a human-readable description of the error that caused the + QSslDiffieHellmanParameters object to be invalid. +*/ +QString QSslDiffieHellmanParameters::errorString() const Q_DECL_NOTHROW +{ + switch (d->error) { + case QSslDiffieHellmanParameters::NoError: + return QCoreApplication::translate("QSslDiffieHellmanParameter", "No error"); + case QSslDiffieHellmanParameters::InvalidInputDataError: + return QCoreApplication::translate("QSslDiffieHellmanParameter", "Invalid input data"); + case QSslDiffieHellmanParameters::UnsafeParametersError: + return QCoreApplication::translate("QSslDiffieHellmanParameter", "The given Diffie-Hellman parameters are deemed unsafe"); + } + + Q_UNREACHABLE(); + return QString(); +} + +/*! + \since 5.8 + \relates QSslDiffieHellmanParameters + + Returns \c true if \a lhs is equal to \a rhs; otherwise returns \c false. +*/ +bool operator==(const QSslDiffieHellmanParameters &lhs, const QSslDiffieHellmanParameters &rhs) Q_DECL_NOTHROW +{ + return lhs.d->derData == rhs.d->derData; +} + +#ifndef QT_NO_DEBUG_STREAM +/*! + \since 5.8 + \relates QSslDiffieHellmanParameters + + Writes the set of Diffie-Hellman parameters in \a dhparam into the debug object \a debug for + debugging purposes. + + The Diffie-Hellman parameters will be represented in Base64-encoded DER form. + + \sa {Debugging Techniques} +*/ +QDebug operator<<(QDebug debug, const QSslDiffieHellmanParameters &dhparam) +{ + QDebugStateSaver saver(debug); + debug.resetFormat().nospace(); + debug << "QSslDiffieHellmanParameters(" << dhparam.d->derData.toBase64() << ')'; + return debug; +} +#endif + +/*! + \since 5.8 + \relates QSslDiffieHellmanParameters + + Returns an hash value for \a dhparam, using \a seed to seed + the calculation. +*/ +uint qHash(const QSslDiffieHellmanParameters &dhparam, uint seed) Q_DECL_NOTHROW +{ + return qHash(dhparam.d->derData, seed); +} + +QT_END_NAMESPACE --- a/include/QtNetwork/headers.pri 2016-12-02 04:57:56.000000000 -0600 +++ b/include/QtNetwork/headers.pri 2019-11-14 04:52:59.000000000 -0600 @@ -1,6 +1,6 @@ -SYNCQT.HEADER_FILES = access/qabstractnetworkcache.h access/qhttpmultipart.h access/qnetworkaccessmanager.h access/qnetworkcookie.h access/qnetworkcookiejar.h access/qnetworkdiskcache.h access/qnetworkreply.h access/qnetworkrequest.h bearer/qnetworkconfigmanager.h bearer/qnetworkconfiguration.h bearer/qnetworksession.h kernel/qauthenticator.h kernel/qdnslookup.h kernel/qhostaddress.h kernel/qhostinfo.h kernel/qnetworkfunctions_wince.h kernel/qnetworkinterface.h kernel/qnetworkproxy.h socket/qabstractsocket.h socket/qlocalserver.h socket/qlocalsocket.h socket/qtcpserver.h socket/qtcpsocket.h socket/qudpsocket.h ssl/qssl.h ssl/qsslcertificate.h ssl/qsslcertificateextension.h ssl/qsslcipher.h ssl/qsslconfiguration.h ssl/qsslellipticcurve.h ssl/qsslerror.h ssl/qsslkey.h ssl/qsslpresharedkeyauthenticator.h ssl/qsslsocket.h ../../include/QtNetwork/qtnetworkversion.h ../../include/QtNetwork/QtNetwork +SYNCQT.HEADER_FILES = access/qabstractnetworkcache.h access/qhttpmultipart.h access/qnetworkaccessmanager.h access/qnetworkcookie.h access/qnetworkcookiejar.h access/qnetworkdiskcache.h access/qnetworkreply.h access/qnetworkrequest.h bearer/qnetworkconfigmanager.h bearer/qnetworkconfiguration.h bearer/qnetworksession.h kernel/qauthenticator.h kernel/qdnslookup.h kernel/qhostaddress.h kernel/qhostinfo.h kernel/qnetworkfunctions_wince.h kernel/qnetworkinterface.h kernel/qnetworkproxy.h socket/qabstractsocket.h socket/qlocalserver.h socket/qlocalsocket.h socket/qtcpserver.h socket/qtcpsocket.h socket/qudpsocket.h ssl/qssl.h ssl/qsslcertificate.h ssl/qsslcertificateextension.h ssl/qsslcipher.h ssl/qsslconfiguration.h ssl/qssldiffiehellmanparameters.h ssl/qsslellipticcurve.h ssl/qsslerror.h ssl/qsslkey.h ssl/qsslpresharedkeyauthenticator.h ssl/qsslsocket.h ../../include/QtNetwork/qtnetworkversion.h ../../include/QtNetwork/QtNetwork -SYNCQT.HEADER_CLASSES = ../../include/QtNetwork/QNetworkCacheMetaData ../../include/QtNetwork/QAbstractNetworkCache ../../include/QtNetwork/QHttpPart ../../include/QtNetwork/QHttpMultiPart ../../include/QtNetwork/QNetworkAccessManager ../../include/QtNetwork/QNetworkCookie ../../include/QtNetwork/QNetworkCookieJar ../../include/QtNetwork/QNetworkDiskCache ../../include/QtNetwork/QNetworkReply ../../include/QtNetwork/QNetworkRequest ../../include/QtNetwork/QNetworkConfigurationManager ../../include/QtNetwork/QNetworkConfiguration ../../include/QtNetwork/QNetworkSession ../../include/QtNetwork/QAuthenticator ../../include/QtNetwork/QDnsDomainNameRecord ../../include/QtNetwork/QDnsHostAddressRecord ../../include/QtNetwork/QDnsMailExchangeRecord ../../include/QtNetwork/QDnsServiceRecord ../../include/QtNetwork/QDnsTextRecord ../../include/QtNetwork/QDnsLookup ../../include/QtNetwork/QIPv6Address ../../include/QtNetwork/Q_IPV6ADDR ../../include/QtNetwork/QHostAddress ../../include/QtNetwork/QHostInfo ../../include/QtNetwork/QNetworkAddressEntry ../../include/QtNetwork/QNetworkInterface ../../include/QtNetwork/QNetworkProxyQuery ../../include/QtNetwork/QNetworkProxy ../../include/QtNetwork/QNetworkProxyFactory ../../include/QtNetwork/QAbstractSocket ../../include/QtNetwork/QLocalServer ../../include/QtNetwork/QLocalSocket ../../include/QtNetwork/QTcpServer ../../include/QtNetwork/QTcpSocket ../../include/QtNetwork/QUdpSocket ../../include/QtNetwork/QSsl ../../include/QtNetwork/QSslCertificate ../../include/QtNetwork/QSslCertificateExtension ../../include/QtNetwork/QSslCipher ../../include/QtNetwork/QSslConfiguration ../../include/QtNetwork/QSslEllipticCurve ../../include/QtNetwork/QSslError ../../include/QtNetwork/QSslKey ../../include/QtNetwork/QSslPreSharedKeyAuthenticator ../../include/QtNetwork/QSslSocket ../../include/QtNetwork/QtNetworkVersion +SYNCQT.HEADER_CLASSES = ../../include/QtNetwork/QNetworkCacheMetaData ../../include/QtNetwork/QAbstractNetworkCache ../../include/QtNetwork/QHttpPart ../../include/QtNetwork/QHttpMultiPart ../../include/QtNetwork/QNetworkAccessManager ../../include/QtNetwork/QNetworkCookie ../../include/QtNetwork/QNetworkCookieJar ../../include/QtNetwork/QNetworkDiskCache ../../include/QtNetwork/QNetworkReply ../../include/QtNetwork/QNetworkRequest ../../include/QtNetwork/QNetworkConfigurationManager ../../include/QtNetwork/QNetworkConfiguration ../../include/QtNetwork/QNetworkSession ../../include/QtNetwork/QAuthenticator ../../include/QtNetwork/QDnsDomainNameRecord ../../include/QtNetwork/QDnsHostAddressRecord ../../include/QtNetwork/QDnsMailExchangeRecord ../../include/QtNetwork/QDnsServiceRecord ../../include/QtNetwork/QDnsTextRecord ../../include/QtNetwork/QDnsLookup ../../include/QtNetwork/QIPv6Address ../../include/QtNetwork/Q_IPV6ADDR ../../include/QtNetwork/QHostAddress ../../include/QtNetwork/QHostInfo ../../include/QtNetwork/QNetworkAddressEntry ../../include/QtNetwork/QNetworkInterface ../../include/QtNetwork/QNetworkProxyQuery ../../include/QtNetwork/QNetworkProxy ../../include/QtNetwork/QNetworkProxyFactory ../../include/QtNetwork/QAbstractSocket ../../include/QtNetwork/QLocalServer ../../include/QtNetwork/QLocalSocket ../../include/QtNetwork/QTcpServer ../../include/QtNetwork/QTcpSocket ../../include/QtNetwork/QUdpSocket ../../include/QtNetwork/QSsl ../../include/QtNetwork/QSslCertificate ../../include/QtNetwork/QSslCertificateExtension ../../include/QtNetwork/QSslCipher ../../include/QtNetwork/QSslConfiguration ../../include/QtNetwork/QSslDiffieHellmanParameters ../../include/QtNetwork/QSslEllipticCurve ../../include/QtNetwork/QSslError ../../include/QtNetwork/QSslKey ../../include/QtNetwork/QSslPreSharedKeyAuthenticator ../../include/QtNetwork/QSslEllipticCurve ../../include/QtNetwork/QSslError ../../include/QtNetwork/QSslKey ../../include/QtNetwork/QSslPreSharedKeyAuthenticator ../../include/QtNetwork/QSslSocket ../../include/QtNetwork/QtNetworkVersion -SYNCQT.PRIVATE_HEADER_FILES = access/qabstractnetworkcache_p.h access/qabstractprotocolhandler_p.h access/qftp_p.h access/qhttpmultipart_p.h access/qhttpnetworkconnection_p.h access/qhttpnetworkconnectionchannel_p.h access/qhttpnetworkheader_p.h access/qhttpnetworkreply_p.h access/qhttpnetworkrequest_p.h access/qhttpprotocolhandler_p.h access/qhttpthreaddelegate_p.h access/qnetworkaccessauthenticationmanager_p.h access/qnetworkaccessbackend_p.h access/qnetworkaccesscache_p.h access/qnetworkaccesscachebackend_p.h access/qnetworkaccessdebugpipebackend_p.h access/qnetworkaccessfilebackend_p.h access/qnetworkaccessftpbackend_p.h access/qnetworkaccessmanager_p.h access/qnetworkcookie_p.h access/qnetworkcookiejar_p.h access/qnetworkdiskcache_p.h access/qnetworkreply_p.h access/qnetworkreplydataimpl_p.h access/qnetworkreplyfileimpl_p.h access/qnetworkreplyhttpimpl_p.h access/qnetworkreplyimpl_p.h access/qnetworkrequest_p.h access/qspdyprotocolhandler_p.h bearer/qbearerengine_p.h bearer/qbearerplugin_p.h bearer/qnetworkconfigmanager_p.h bearer/qnetworkconfiguration_p.h bearer/qnetworksession_p.h bearer/qsharednetworksession_p.h kernel/qauthenticator_p.h kernel/qdnslookup_p.h kernel/qhostaddress_p.h kernel/qhostinfo_p.h kernel/qnetworkdatagram_p.h kernel/qnetworkinterface_p.h kernel/qnetworkproxy_p.h kernel/qurlinfo_p.h socket/qabstractsocket_p.h socket/qabstractsocketengine_p.h socket/qhttpsocketengine_p.h socket/qlocalserver_p.h socket/qlocalsocket_p.h socket/qnativesocketengine_p.h socket/qnativesocketengine_winrt_p.h socket/qnet_unix_p.h socket/qsocks5socketengine_p.h socket/qtcpserver_p.h socket/qtcpsocket_p.h ssl/qasn1element_p.h ssl/qssl_p.h ssl/qsslcertificate_p.h ssl/qsslcertificateextension_p.h ssl/qsslcipher_p.h ssl/qsslconfiguration_p.h ssl/qsslcontext_openssl_p.h ssl/qsslkey_p.h ssl/qsslpresharedkeyauthenticator_p.h ssl/qsslsocket_mac_p.h ssl/qsslsocket_openssl_p.h ssl/qsslsocket_openssl_symbols_p.h ssl/qsslsocket_p.h ssl/qsslsocket_winrt_p.h +SYNCQT.PRIVATE_HEADER_FILES = access/qabstractnetworkcache_p.h access/qabstractprotocolhandler_p.h access/qftp_p.h access/qhttpmultipart_p.h access/qhttpnetworkconnection_p.h access/qhttpnetworkconnectionchannel_p.h access/qhttpnetworkheader_p.h access/qhttpnetworkreply_p.h access/qhttpnetworkrequest_p.h access/qhttpprotocolhandler_p.h access/qhttpthreaddelegate_p.h access/qnetworkaccessauthenticationmanager_p.h access/qnetworkaccessbackend_p.h access/qnetworkaccesscache_p.h access/qnetworkaccesscachebackend_p.h access/qnetworkaccessdebugpipebackend_p.h access/qnetworkaccessfilebackend_p.h access/qnetworkaccessftpbackend_p.h access/qnetworkaccessmanager_p.h access/qnetworkcookie_p.h access/qnetworkcookiejar_p.h access/qnetworkdiskcache_p.h access/qnetworkreply_p.h access/qnetworkreplydataimpl_p.h access/qnetworkreplyfileimpl_p.h access/qnetworkreplyhttpimpl_p.h access/qnetworkreplyimpl_p.h access/qnetworkrequest_p.h access/qspdyprotocolhandler_p.h bearer/qbearerengine_p.h bearer/qbearerplugin_p.h bearer/qnetworkconfigmanager_p.h bearer/qnetworkconfiguration_p.h bearer/qnetworksession_p.h bearer/qsharednetworksession_p.h kernel/qauthenticator_p.h kernel/qdnslookup_p.h kernel/qhostaddress_p.h kernel/qhostinfo_p.h kernel/qnetworkdatagram_p.h kernel/qnetworkinterface_p.h kernel/qnetworkproxy_p.h kernel/qurlinfo_p.h socket/qabstractsocket_p.h socket/qabstractsocketengine_p.h socket/qhttpsocketengine_p.h socket/qlocalserver_p.h socket/qlocalsocket_p.h socket/qnativesocketengine_p.h socket/qnativesocketengine_winrt_p.h socket/qnet_unix_p.h socket/qsocks5socketengine_p.h socket/qtcpserver_p.h socket/qtcpsocket_p.h ssl/qasn1element_p.h ssl/qssl_p.h ssl/qsslcertificate_p.h ssl/qsslcertificateextension_p.h ssl/qsslcipher_p.h ssl/qsslconfiguration_p.h ssl/qsslcontext_openssl_p.h ssl/qssldiffiehellmanparameters_p.h ssl/qsslkey_p.h ssl/qsslpresharedkeyauthenticator_p.h ssl/qsslsocket_mac_p.h ssl/qsslsocket_openssl11_symbols_p.h ssl/qsslsocket_openssl_p.h ssl/qsslsocket_openssl_symbols_p.h ssl/qsslsocket_p.h ssl/qsslsocket_winrt_p.h SYNCQT.QPA_HEADER_FILES = -SYNCQT.CLEAN_HEADER_FILES = access/qabstractnetworkcache.h access/qhttpmultipart.h access/qnetworkaccessmanager.h access/qnetworkcookie.h access/qnetworkcookiejar.h access/qnetworkdiskcache.h access/qnetworkreply.h access/qnetworkrequest.h bearer/qnetworkconfigmanager.h bearer/qnetworkconfiguration.h bearer/qnetworksession.h kernel/qauthenticator.h kernel/qdnslookup.h kernel/qhostaddress.h kernel/qhostinfo.h kernel/qnetworkfunctions_wince.h kernel/qnetworkinterface.h kernel/qnetworkproxy.h socket/qabstractsocket.h socket/qlocalserver.h socket/qlocalsocket.h socket/qtcpserver.h socket/qtcpsocket.h socket/qudpsocket.h ssl/qssl.h ssl/qsslcertificate.h ssl/qsslcertificateextension.h ssl/qsslcipher.h ssl/qsslconfiguration.h ssl/qsslellipticcurve.h ssl/qsslerror.h ssl/qsslkey.h ssl/qsslpresharedkeyauthenticator.h ssl/qsslsocket.h +SYNCQT.CLEAN_HEADER_FILES = access/qabstractnetworkcache.h access/qhttpmultipart.h access/qnetworkaccessmanager.h access/qnetworkcookie.h access/qnetworkcookiejar.h access/qnetworkdiskcache.h access/qnetworkreply.h access/qnetworkrequest.h bearer/qnetworkconfigmanager.h bearer/qnetworkconfiguration.h bearer/qnetworksession.h kernel/qauthenticator.h kernel/qdnslookup.h kernel/qhostaddress.h kernel/qhostinfo.h kernel/qnetworkfunctions_wince.h kernel/qnetworkinterface.h kernel/qnetworkproxy.h socket/qabstractsocket.h socket/qlocalserver.h socket/qlocalsocket.h socket/qtcpserver.h socket/qtcpsocket.h socket/qudpsocket.h ssl/qssl.h ssl/qsslcertificate.h ssl/qsslcertificateextension.h ssl/qsslcipher.h ssl/qsslconfiguration.h ssl/qssldiffiehellmanparameters.h ssl/qsslellipticcurve.h ssl/qsslerror.h ssl/qsslkey.h ssl/qsslpresharedkeyauthenticator.h ssl/qsslsocket.h SYNCQT.INJECTIONS = --- qtbase-opensource-src-5.7.1/include/QtNetwork/5.7.1/QtNetwork/private/qssldiffiehellmanparameters_p.h 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/include/QtNetwork/5.10.0/QtNetwork/private/qssldiffiehellmanparameters_p.h 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1 @@ +#include "../../../../../src/network/ssl/qssldiffiehellmanparameters_p.h" --- qtbase-opensource-src-5.7.1/include/QtNetwork/QSslDiffieHellmanParameters 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/include/QtNetwork/QSslDiffieHellmanParameters 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1 @@ +#include "qssldiffiehellmanparameters.h" --- qtbase-opensource-src-5.7.1/include/QtNetwork/5.7.1/QtNetwork/private/qsslsocket_openssl11_symbols_p.h 1969-12-31 18:00:00.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/include/QtNetwork/5.10.0/QtNetwork/private/qsslsocket_openssl11_symbols_p.h 2017-11-30 07:49:46.000000000 -0600 @@ -0,0 +1 @@ +#include "../../../../../src/network/ssl/qsslsocket_openssl11_symbols_p.h" --- a/include/QtNetwork/QtNetwork 2016-12-02 04:57:56.000000000 -0600 +++ b/include/QtNetwork/QtNetwork 2019-11-15 05:20:47.000000000 -0600 @@ -29,6 +29,7 @@ #include "qsslcertificateextension.h" #include "qsslcipher.h" #include "qsslconfiguration.h" +#include "qssldiffiehellmanparameters.h" #include "qsslellipticcurve.h" #include "qsslerror.h" #include "qsslkey.h" --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslconfiguration.h 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslconfiguration.h 2017-11-30 07:49:46.000000000 -0600 @@ -69,6 +70,7 @@ class QSslCipher; class QSslKey; class QSslEllipticCurve; +class QSslDiffieHellmanParameters; class QSslConfigurationPrivate; class Q_NETWORK_EXPORT QSslConfiguration @@ -141,6 +143,12 @@ void setEllipticCurves(const QVector &curves); static QVector supportedEllipticCurves(); + QByteArray preSharedKeyIdentityHint() const; + void setPreSharedKeyIdentityHint(const QByteArray &hint); + + QSslDiffieHellmanParameters diffieHellmanParameters() const; + void setDiffieHellmanParameters(const QSslDiffieHellmanParameters &dhparams); + static QSslConfiguration defaultConfiguration(); static void setDefaultConfiguration(const QSslConfiguration &configuration); @@ -160,6 +168,7 @@ QByteArray nextNegotiatedProtocol() const; NextProtocolNegotiationStatus nextProtocolNegotiationStatus() const; + static const char ALPNProtocolHTTP2[]; static const char NextProtocolSpdy3_0[]; static const char NextProtocolHttp1_1[]; --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslconfiguration.cpp 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslconfiguration.cpp 2017-11-30 07:49:46.000000000 -0600 @@ -53,6 +53,7 @@ |QSsl::SslOptionDisableCompression |QSsl::SslOptionDisableSessionPersistence; +const char QSslConfiguration::ALPNProtocolHTTP2[] = "h2"; const char QSslConfiguration::NextProtocolSpdy3_0[] = "spdy/3"; const char QSslConfiguration::NextProtocolHttp1_1[] = "http/1.1"; @@ -119,7 +120,8 @@ /*! \enum QSslConfiguration::NextProtocolNegotiationStatus - Describes the status of the Next Protocol Negotiation (NPN). + Describes the status of the Next Protocol Negotiation (NPN) or + Application-Layer Protocol Negotiation (ALPN). \value NextProtocolNegotiationNone No application protocol has been negotiated (yet). @@ -209,9 +211,11 @@ d->privateKey == other.d->privateKey && d->sessionCipher == other.d->sessionCipher && d->sessionProtocol == other.d->sessionProtocol && + d->preSharedKeyIdentityHint == other.d->preSharedKeyIdentityHint && d->ciphers == other.d->ciphers && d->ellipticCurves == other.d->ellipticCurves && d->ephemeralServerKey == other.d->ephemeralServerKey && + d->dhParams == other.d->dhParams && d->caCertificates == other.d->caCertificates && d->protocol == other.d->protocol && d->peerVerifyMode == other.d->peerVerifyMode && @@ -254,6 +258,7 @@ d->ciphers.count() == 0 && d->ellipticCurves.isEmpty() && d->ephemeralServerKey.isNull() && + d->dhParams == QSslDiffieHellmanParameters::defaultParameters() && d->localCertificateChain.isEmpty() && d->privateKey.isNull() && d->peerCertificate.isNull() && @@ -261,6 +266,7 @@ d->sslOptions == QSslConfigurationPrivate::defaultSslOptions && d->sslSession.isNull() && d->sslSessionTicketLifeTimeHint == -1 && + d->preSharedKeyIdentityHint.isNull() && d->nextAllowedProtocols.isEmpty() && d->nextNegotiatedProtocol.isNull() && d->nextProtocolNegotiationStatus == QSslConfiguration::NextProtocolNegotiationNone); @@ -811,11 +817,65 @@ } /*! + \since 5.8 + + Returns the identity hint. + + \sa setPreSharedKeyIdentityHint() +*/ +QByteArray QSslConfiguration::preSharedKeyIdentityHint() const +{ + return d->preSharedKeyIdentityHint; +} + +/*! + \since 5.8 + + Sets the identity hint for a preshared key authentication to \a hint. This will + affect the next initiated handshake; calling this function on an already-encrypted + socket will not affect the socket's identity hint. + + The identity hint is used in QSslSocket::SslServerMode only! +*/ +void QSslConfiguration::setPreSharedKeyIdentityHint(const QByteArray &hint) +{ + d->preSharedKeyIdentityHint = hint; +} + +/*! + \since 5.8 + + Retrieves the current set of Diffie-Hellman parameters. + + If no Diffie-Hellman parameters have been set, the QSslConfiguration object + defaults to using the 1024-bit MODP group from RFC 2409. + */ +QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const +{ + return d->dhParams; +} + +/*! + \since 5.8 + + Sets a custom set of Diffie-Hellman parameters to be used by this socket when functioning as + a server to \a dhparams. + + If no Diffie-Hellman parameters have been set, the QSslConfiguration object + defaults to using the 1024-bit MODP group from RFC 2409. + */ +void QSslConfiguration::setDiffieHellmanParameters(const QSslDiffieHellmanParameters &dhparams) +{ + d->dhParams = dhparams; +} + +/*! \since 5.3 This function returns the protocol negotiated with the server - if the Next Protocol Negotiation (NPN) TLS extension was enabled. - In order for the NPN extension to be enabled, setAllowedNextProtocols() + if the Next Protocol Negotiation (NPN) or Application-Layer Protocol + Negotiation (ALPN) TLS extension was enabled. + In order for the NPN/ALPN extension to be enabled, setAllowedNextProtocols() needs to be called explicitly before connecting to the server. If no protocol could be negotiated or the extension was not enabled, @@ -832,9 +892,10 @@ \since 5.3 This function sets the allowed \a protocols to be negotiated with the - server through the Next Protocol Negotiation (NPN) TLS extension; each + server through the Next Protocol Negotiation (NPN) or Application-Layer + Protocol Negotiation (ALPN) TLS extension; each element in \a protocols must define one allowed protocol. - The function must be called explicitly before connecting to send the NPN + The function must be called explicitly before connecting to send the NPN/ALPN extension in the SSL handshake. Whether or not the negotiation succeeded can be queried through nextProtocolNegotiationStatus(). @@ -854,8 +915,8 @@ \since 5.3 This function returns the allowed protocols to be negotiated with the - server through the Next Protocol Negotiation (NPN) TLS extension, as set - by setAllowedNextProtocols(). + server through the Next Protocol Negotiation (NPN) or Application-Layer + Protocol Negotiation (ALPN) TLS extension, as set by setAllowedNextProtocols(). \sa nextNegotiatedProtocol(), nextProtocolNegotiationStatus(), setAllowedNextProtocols(), QSslConfiguration::NextProtocolSpdy3_0, QSslConfiguration::NextProtocolHttp1_1 */ @@ -867,7 +928,8 @@ /*! \since 5.3 - This function returns the status of the Next Protocol Negotiation (NPN). + This function returns the status of the Next Protocol Negotiation (NPN) + or Application-Layer Protocol Negotiation (ALPN). If the feature has not been enabled through setAllowedNextProtocols(), this function returns NextProtocolNegotiationNone. The status will be set before emitting the encrypted() signal. --- qtbase-opensource-src-5.7.1/src/network/ssl/qsslconfiguration_p.h 2016-12-01 02:17:04.000000000 -0600 +++ qtbase-everywhere-src-5.10.0-rc3/src/network/ssl/qsslconfiguration_p.h 2017-11-30 07:49:46.000000000 -0600 @@ -60,6 +60,7 @@ #include "qsslcipher.h" #include "qsslkey.h" #include "qsslellipticcurve.h" +#include "qssldiffiehellmanparameters.h" QT_BEGIN_NAMESPACE @@ -80,8 +82,10 @@ allowRootCertOnDemandLoading(true), peerSessionShared(false), sslOptions(QSslConfigurationPrivate::defaultSslOptions), + dhParams(QSslDiffieHellmanParameters::defaultParameters()), sslSessionTicketLifeTimeHint(-1), ephemeralServerKey(), + preSharedKeyIdentityHint(), nextProtocolNegotiationStatus(QSslConfiguration::NextProtocolNegotiationNone) { } @@ -117,11 +121,15 @@ QVector ellipticCurves; + QSslDiffieHellmanParameters dhParams; + QByteArray sslSession; int sslSessionTicketLifeTimeHint; QSslKey ephemeralServerKey; + QByteArray preSharedKeyIdentityHint; + QList nextAllowedProtocols; QByteArray nextNegotiatedProtocol; QSslConfiguration::NextProtocolNegotiationStatus nextProtocolNegotiationStatus;