From 992a3f224414d8ae3538cb5283ee1c2a9608b1e8 Mon Sep 17 00:00:00 2001 From: CN_SZTL <22235437+1715173329@users.noreply.github.com> Date: Mon, 9 Dec 2019 21:08:27 +0800 Subject: [PATCH] OpenSSL: bump to v1.1.1d (#2332) * openssl: bump to v1.1.1d * trojan: compile with native openssl utils * qt5: fix compile with openssl v1.1.x --- package/lean/openssl1.1/Makefile | 159 - package/lean/qt5/Makefile | 2 +- ...qtbase-fix-compile-with-openssl1.1.1.patch | 3985 +++++++++++++++++ package/lean/trojan/Makefile | 19 +- package/lean/trojan/files/trojan.init | 0 package/libs/openssl/Config.in | 137 +- package/libs/openssl/Makefile | 224 +- .../100-Configure-afalg-support.patch | 6 +- .../openssl/patches/100-openwrt_targets.patch | 44 - .../patches}/110-openwrt_targets.patch | 5 +- .../libs/openssl/patches/110-perl-path.patch | 64 - .../openssl/patches/120-makefile-dirs.patch | 11 - .../120-strip-cflags-from-binary.patch | 10 +- .../patches/130-disable_doc_tests.patch | 58 - .../patches}/130-dont-build-tests-fuzz.patch | 6 +- .../patches}/140-allow-prefer-chacha20.patch | 10 +- .../libs/openssl/patches/140-bash_path.patch | 8 - .../patches/150-fix_link_segfault.patch | 18 - .../150-openssl.cnf-add-engines-conf.patch | 56 + .../patches/160-remove_timestamp_check.patch | 23 - .../openssl/patches/170-parallel_build.patch | 184 - .../180-strip-cflags-from-binary.patch | 21 - ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 60 + ..._devcrypto-add-configuration-options.patch | 569 +++ ...ypto-add-command-to-dump-driver-info.patch | 275 ++ ...o-make-the-dev-crypto-engine-dynamic.patch | 368 ++ ...default-to-not-use-digests-in-engine.patch | 43 + ...to-ignore-error-when-closing-session.patch | 26 + 28 files changed, 5667 insertions(+), 724 deletions(-) delete mode 100644 package/lean/openssl1.1/Makefile create mode 100644 package/lean/qt5/patches/030-qtbase-fix-compile-with-openssl1.1.1.patch mode change 100644 => 100755 package/lean/trojan/files/trojan.init rename package/{lean/openssl1.1/patches/1.1.1 => libs/openssl/patches}/100-Configure-afalg-support.patch (79%) delete mode 100644 package/libs/openssl/patches/100-openwrt_targets.patch rename package/{lean/openssl1.1/patches/1.1.1 => libs/openssl/patches}/110-openwrt_targets.patch (90%) delete mode 100644 package/libs/openssl/patches/110-perl-path.patch delete mode 100644 package/libs/openssl/patches/120-makefile-dirs.patch rename package/{lean/openssl1.1/patches/1.1.1 => libs/openssl/patches}/120-strip-cflags-from-binary.patch (65%) delete mode 100644 package/libs/openssl/patches/130-disable_doc_tests.patch rename package/{lean/openssl1.1/patches/1.1.1 => libs/openssl/patches}/130-dont-build-tests-fuzz.patch (78%) rename package/{lean/openssl1.1/patches/1.1.1 => libs/openssl/patches}/140-allow-prefer-chacha20.patch (90%) delete mode 100644 package/libs/openssl/patches/140-bash_path.patch delete mode 100644 package/libs/openssl/patches/150-fix_link_segfault.patch create mode 100644 package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch delete mode 100644 package/libs/openssl/patches/160-remove_timestamp_check.patch delete mode 100644 package/libs/openssl/patches/170-parallel_build.patch delete mode 100644 package/libs/openssl/patches/180-strip-cflags-from-binary.patch create mode 100644 package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch create mode 100644 package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch create mode 100644 package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch create mode 100644 package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch create mode 100644 package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch create mode 100644 package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch diff --git a/package/lean/openssl1.1/Makefile b/package/lean/openssl1.1/Makefile deleted file mode 100644 index 2197b2210..000000000 --- a/package/lean/openssl1.1/Makefile +++ /dev/null @@ -1,159 +0,0 @@ -# -# Copyright (C) 2006-2016 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -### Modified by wongsyrone to fit need of trojan-gfw/trojan - -include $(TOPDIR)/rules.mk - -PKG_NAME:=openssl1.1 - -PKG_BASE:=1.1.1 -PKG_BUGFIX:=d -PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_HASH:=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2 -ENGINES_DIR=engines-1.1 - - -PKG_RELEASE:=1 -PKG_USE_MIPS16:=0 -PATCH_DIR=./patches/$(PKG_BASE) - -PKG_BUILD_PARALLEL:=0 -PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)/openssl-$(PKG_VERSION) - -PKG_SOURCE:=openssl-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:= \ - http://www.openssl.org/source/ \ - http://www.openssl.org/source/old/$(PKG_BASE)/ - -PKG_LICENSE:=OpenSSL -PKG_LICENSE_FILES:=LICENSE -PKG_CPE_ID:=cpe:/a:openssl:openssl - -include $(INCLUDE_DIR)/package.mk - -ifneq ($(CONFIG_CCACHE),) -HOSTCC=$(HOSTCC_NOCACHE) -HOSTCXX=$(HOSTCXX_NOCACHE) -endif - -define Package/$(PKG_NAME)/Default - TITLE:=Open source SSL toolkit - URL:=http://www.openssl.org/ - SECTION:=libs - CATEGORY:=Libraries -endef - -define Package/openssl1.1/Default/description -The OpenSSL Project is a collaborative effort to develop a robust, -commercial-grade, full-featured, and Open Source toolkit implementing the -Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols as well -as a full-strength general-purpose cryptography library. -endef - -define Package/libopenssl1.1 -$(call Package/openssl1.1/Default) - SUBMENU:=SSL - TITLE+= (libraries) - ABI_VERSION:=$(PKG_VERSION) - MENU:=1 -endef - -define Package/libopenssl1.1/description -$(call Package/openssl/Default/description) -This package contains the OpenSSL shared libraries, needed by other programs. -endef - - -define Package/libopenssl1.1/conffiles -/etc/ssl/openssl.cnf -endef - -# do NOT interfere original openssl staging dir -MY_PKG_STAGING_DIR:=$(BUILD_DIR)/openssl1.1_staging_dir - -OPENSSL_OPTIONS:= no-shared no-ssl3-method - -# https://github.com/openssl/openssl/issues/1607 -# it seems musl-libc doesn't support this -OPENSSL_OPTIONS += no-async - -OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4 - -OPENSSL_OPTIONS += no-idea - -OPENSSL_OPTIONS += no-seed - -OPENSSL_OPTIONS += no-whirlpool - -OPENSSL_OPTIONS += no-deprecated - -TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O0 -g3 - - - -OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt - - -STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) - -define Build/Configure - [ -f $(STAMP_CONFIGURED) ] || { \ - rm -f $(PKG_BUILD_DIR)/*.so.* $(PKG_BUILD_DIR)/*.a; \ - find $(PKG_BUILD_DIR) -name \*.o | xargs rm -f; \ - rm -rf $(MY_PKG_STAGING_DIR); \ - } - (cd $(PKG_BUILD_DIR); \ - ./Configure $(OPENSSL_TARGET) \ - --prefix=/usr \ - --openssldir=/etc/ssl \ - --libdir=lib \ - $(TARGET_CPPFLAGS) \ - $(TARGET_LDFLAGS) \ - $(OPENSSL_OPTIONS) && \ - { [ -f $(STAMP_CONFIGURED) ] || make clean; } \ - ) - -endef - -#$(FPIC) -TARGET_CFLAGS += -ffunction-sections -fdata-sections -TARGET_LDFLAGS += -Wl,--gc-sections - -define Build/Compile - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - CC="$(TARGET_CC)" \ - SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ - OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ - $(OPENSSL_MAKEFLAGS) \ - all - $(MAKE) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - CC="$(TARGET_CC)" \ - DESTDIR="$(PKG_INSTALL_DIR)" \ - $(OPENSSL_MAKEFLAGS) \ - install_sw install_ssldirs -endef - -define Build/InstallDev - $(INSTALL_DIR) $(MY_PKG_STAGING_DIR)/usr/include - $(CP) $(PKG_INSTALL_DIR)/usr/include/openssl $(MY_PKG_STAGING_DIR)/usr/include/ - $(INSTALL_DIR) $(MY_PKG_STAGING_DIR)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib{crypto,ssl}.a $(MY_PKG_STAGING_DIR)/usr/lib/ -endef - -define Build/Clean - rm -rf $(MY_PKG_STAGING_DIR) - $(call Build/Clean/Default) -endef - -define Package/libopenssl1.1/install -true -endef - -$(eval $(call BuildPackage,libopenssl1.1)) diff --git a/package/lean/qt5/Makefile b/package/lean/qt5/Makefile index 89ffa4efa..8d51639e1 100644 --- a/package/lean/qt5/Makefile +++ b/package/lean/qt5/Makefile @@ -84,7 +84,7 @@ CONFIGURE_ARGS = \ -system-pcre \ -system-zlib \ -no-slog2 \ - -openssl-runtime \ + -openssl-linked \ -no-cups \ -no-freetype \ -no-harfbuzz \ diff --git a/package/lean/qt5/patches/030-qtbase-fix-compile-with-openssl1.1.1.patch b/package/lean/qt5/patches/030-qtbase-fix-compile-with-openssl1.1.1.patch new file mode 100644 index 000000000..b68ac8e33 --- /dev/null +++ b/package/lean/qt5/patches/030-qtbase-fix-compile-with-openssl1.1.1.patch @@ -0,0 +1,3985 @@ +commit 2d88fc0ce4ac76924a65ffd797183de9422ba672 +Author: Andreas Rammhold +Date: Wed Mar 6 00:18:51 2019 +0100 + + openssl1.1 compat + +diff --git a/qtbase/config.tests/openssl/openssl.cpp b/qtbase/config.tests/openssl/openssl.cpp +index 6c8a9e8f19..d33b62389c 100644 +--- a/qtbase/config.tests/openssl/openssl.cpp ++++ b/qtbase/config.tests/openssl/openssl.cpp +@@ -39,8 +39,8 @@ + + #include + +-#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10000000L || OPENSSL_VERSION_NUMBER-0 >= 0x10100000L +-# error "OpenSSL >= 1.0.0, and < 1.1.0 is required" ++#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10000000L ++# error "OpenSSL >= 1.0.0 is required" + #endif + + #include +diff --git a/qtbase/config.tests/openssl11/openssl.cpp b/qtbase/config.tests/openssl11/openssl.cpp +new file mode 100644 +index 0000000000..c20cc59deb +--- /dev/null ++++ b/qtbase/config.tests/openssl11/openssl.cpp +@@ -0,0 +1,48 @@ ++/**************************************************************************** ++** ++** Copyright (C) 2017 The Qt Company Ltd. ++** Contact: https://www.qt.io/licensing/ ++** ++** This file is part of the config.tests of the Qt Toolkit. ++** ++** $QT_BEGIN_LICENSE:LGPL$ ++** Commercial License Usage ++** Licensees holding valid commercial Qt licenses may use this file in ++** accordance with the commercial license agreement provided with the ++** Software or, alternatively, in accordance with the terms contained in ++** a written agreement between you and The Qt Company. For licensing terms ++** and conditions see https://www.qt.io/terms-conditions. For further ++** information use the contact form at https://www.qt.io/contact-us. ++** ++** GNU Lesser General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU Lesser ++** General Public License version 3 as published by the Free Software ++** Foundation and appearing in the file LICENSE.LGPL3 included in the ++** packaging of this file. Please review the following information to ++** ensure the GNU Lesser General Public License version 3 requirements ++** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ++** ++** GNU General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU ++** General Public License version 2.0 or (at your option) the GNU General ++** Public license version 3 or any later version approved by the KDE Free ++** Qt Foundation. The licenses are as published by the Free Software ++** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 ++** included in the packaging of this file. Please review the following ++** information to ensure the GNU General Public License requirements will ++** be met: https://www.gnu.org/licenses/gpl-2.0.html and ++** https://www.gnu.org/licenses/gpl-3.0.html. ++** ++** $QT_END_LICENSE$ ++** ++****************************************************************************/ ++ ++#include ++ ++#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER-0 < 0x10100000L ++# error "OpenSSL >= 1.1 is required" ++#endif ++ ++int main() ++{ ++} +diff --git a/qtbase/config.tests/openssl11/openssl11.pro b/qtbase/config.tests/openssl11/openssl11.pro +new file mode 100644 +index 0000000000..a023aee4aa +--- /dev/null ++++ b/qtbase/config.tests/openssl11/openssl11.pro +@@ -0,0 +1,2 @@ ++SOURCES = openssl.cpp ++CONFIG -= x11 qt +diff --git a/qtbase/src/network/configure.json b/qtbase/src/network/configure.json +index 2cf90ed94b..a021c0734b 100644 +--- a/qtbase/src/network/configure.json ++++ b/qtbase/src/network/configure.json +@@ -77,6 +77,17 @@ + }, + { "libs": "-lssl -lcrypto", "condition": "!config.win32" } + ] ++ }, ++ "openssl11": { ++ "label": "OpenSSL v. 1.1 support", ++ "type": "compile", ++ "test": "openssl11", ++ "sources": [ ++ { ++ "comment": "placeholder for OPENSSL_PATH", ++ "libs": "" ++ } ++ ] + } + }, + +@@ -182,7 +193,7 @@ + "enable": "input.openssl == 'yes' || input.openssl == 'linked' || input.openssl == 'runtime'", + "disable": "input.openssl == 'no' || input.ssl == 'no'", + "autoDetect": "!config.winrt", +- "condition": "!features.securetransport && (features.openssl-linked || libs.openssl_headers)", ++ "condition": "!features.securetransport && (features.openssl-linked || libs.openssl_headers || feature.opensslv11)", + "output": [ + "privateFeature", + { "type": "publicQtConfig", "condition": "!features.openssl-linked" }, +@@ -193,7 +204,7 @@ + "label": " Qt directly linked to OpenSSL", + "enable": "input.openssl == 'linked'", + "disable": "input.openssl != 'linked'", +- "condition": "!features.securetransport && libs.openssl", ++ "condition": "!features.securetransport && (libs.openssl || feature.opensslv11)", + "output": [ + "privateFeature", + { "type": "define", "name": "QT_LINKED_OPENSSL" } +@@ -213,6 +224,11 @@ + "condition": "config.winrt || features.securetransport || features.openssl", + "output": [ "publicFeature", "feature" ] + }, ++ "opensslv11": { ++ "label": "OpenSSL v. 1.1", ++ "condition": "libs.openssl11", ++ "output": ["publicFeature", "feature"] ++ }, + "sctp": { + "label": "SCTP", + "autoDetect": false, +diff --git a/qtbase/src/network/ssl/qsslcertificate_openssl.cpp b/qtbase/src/network/ssl/qsslcertificate_openssl.cpp +index 28b7eda54a..71e514a025 100644 +--- a/qtbase/src/network/ssl/qsslcertificate_openssl.cpp ++++ b/qtbase/src/network/ssl/qsslcertificate_openssl.cpp +@@ -1,6 +1,7 @@ + /**************************************************************************** + ** +-** Copyright (C) 2016 The Qt Company Ltd. ++** Copyright (C) 2017 The Qt Company Ltd. ++** Copyright (C) 2016 Richard J. Moore + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtNetwork module of the Qt Toolkit. +@@ -64,12 +65,14 @@ bool QSslCertificate::operator==(const QSslCertificate &other) const + uint qHash(const QSslCertificate &key, uint seed) Q_DECL_NOTHROW + { + if (X509 * const x509 = key.d->x509) { +- (void)q_X509_cmp(x509, x509); // populate x509->sha1_hash +- // (if someone knows a better way...) +- return qHashBits(x509->sha1_hash, SHA_DIGEST_LENGTH, seed); +- } else { +- return seed; ++ const EVP_MD *sha1 = q_EVP_sha1(); ++ unsigned int len = 0; ++ unsigned char md[EVP_MAX_MD_SIZE]; ++ q_X509_digest(x509, sha1, md, &len); ++ return qHashBits(md, len, seed); + } ++ ++ return seed; + } + + bool QSslCertificate::isNull() const +@@ -89,8 +92,7 @@ QByteArray QSslCertificate::version() const + { + QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); + if (d->versionString.isEmpty() && d->x509) +- d->versionString = +- QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1); ++ d->versionString = QByteArray::number(qlonglong(q_X509_get_version(d->x509)) + 1); + + return d->versionString; + } +@@ -99,7 +101,7 @@ QByteArray QSslCertificate::serialNumber() const + { + QMutexLocker lock(QMutexPool::globalInstanceGet(d.data())); + if (d->serialNumberString.isEmpty() && d->x509) { +- ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber; ++ ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509); + QByteArray hexString; + hexString.reserve(serialNumber->length * 3); + for (int a = 0; a < serialNumber->length; ++a) { +@@ -199,14 +201,15 @@ QMultiMap QSslCertificate::subjectAlter + continue; + } + +- const char *altNameStr = reinterpret_cast(q_ASN1_STRING_data(genName->d.ia5)); ++ const char *altNameStr = reinterpret_cast(q_ASN1_STRING_get0_data(genName->d.ia5)); + const QString altName = QString::fromLatin1(altNameStr, len); + if (genName->type == GEN_DNS) + result.insert(QSsl::DnsEntry, altName); + else if (genName->type == GEN_EMAIL) + result.insert(QSsl::EmailEntry, altName); + } +- q_sk_pop_free((STACK*)altNames, reinterpret_cast(q_sk_free)); ++ ++ q_OPENSSL_sk_pop_free((OPENSSL_STACK*)altNames, reinterpret_cast(q_OPENSSL_sk_free)); + } + + return result; +@@ -235,25 +238,26 @@ QSslKey QSslCertificate::publicKey() const + QSslKey key; + + key.d->type = QSsl::PublicKey; +- X509_PUBKEY *xkey = d->x509->cert_info->key; +- EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey); ++ ++ EVP_PKEY *pkey = q_X509_get_pubkey(d->x509); + Q_ASSERT(pkey); ++ const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); + +- if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) { ++ if (keyType == EVP_PKEY_RSA) { + key.d->rsa = q_EVP_PKEY_get1_RSA(pkey); + key.d->algorithm = QSsl::Rsa; + key.d->isNull = false; +- } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) { ++ } else if (keyType == EVP_PKEY_DSA) { + key.d->dsa = q_EVP_PKEY_get1_DSA(pkey); + key.d->algorithm = QSsl::Dsa; + key.d->isNull = false; + #ifndef OPENSSL_NO_EC +- } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_EC) { ++ } else if (keyType == EVP_PKEY_EC) { + key.d->ec = q_EVP_PKEY_get1_EC_KEY(pkey); + key.d->algorithm = QSsl::Ec; + key.d->isNull = false; + #endif +- } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) { ++ } else if (keyType == EVP_PKEY_DH) { + // DH unsupported + } else { + // error? +@@ -275,7 +279,7 @@ static QVariant x509UnknownExtensionToValue(X509_EXTENSION *ext) + X509V3_EXT_METHOD *meth = const_cast(q_X509V3_EXT_get(ext)); + if (!meth) { + ASN1_OCTET_STRING *value = q_X509_EXTENSION_get_data(ext); +- QByteArray result( reinterpret_cast(q_ASN1_STRING_data(value)), ++ QByteArray result( reinterpret_cast(q_ASN1_STRING_get0_data(value)), + q_ASN1_STRING_length(value)); + return result; + } +@@ -371,7 +375,7 @@ static QVariant x509ExtensionToValue(X509_EXTENSION *ext) + continue; + } + +- const char *uriStr = reinterpret_cast(q_ASN1_STRING_data(name->d.uniformResourceIdentifier)); ++ const char *uriStr = reinterpret_cast(q_ASN1_STRING_get0_data(name->d.uniformResourceIdentifier)); + const QString uri = QString::fromUtf8(uriStr, len); + + result[QString::fromUtf8(QSslCertificatePrivate::asn1ObjectName(ad->method))] = uri; +@@ -380,11 +384,7 @@ static QVariant x509ExtensionToValue(X509_EXTENSION *ext) + } + } + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +- q_sk_pop_free((_STACK*)info, reinterpret_cast(q_sk_free)); +-#else +- q_sk_pop_free((STACK*)info, reinterpret_cast(q_sk_free)); +-#endif ++ q_OPENSSL_sk_pop_free((OPENSSL_STACK*)info, reinterpret_cast(q_OPENSSL_sk_free)); + return result; + } + break; +@@ -607,7 +607,11 @@ static QMap _q_mapFromX509Name(X509_NAME *name) + unsigned char *data = 0; + int size = q_ASN1_STRING_to_UTF8(&data, q_X509_NAME_ENTRY_get_data(e)); + info.insertMulti(name, QString::fromUtf8((char*)data, size)); ++#if QT_CONFIG(opensslv11) ++ q_CRYPTO_free(data, 0, 0); ++#else + q_CRYPTO_free(data); ++#endif + } + + return info; +@@ -619,8 +623,9 @@ QSslCertificate QSslCertificatePrivate::QSslCertificate_from_X509(X509 *x509) + if (!x509 || !QSslSocket::supportsSsl()) + return certificate; + +- ASN1_TIME *nbef = q_X509_get_notBefore(x509); +- ASN1_TIME *naft = q_X509_get_notAfter(x509); ++ ASN1_TIME *nbef = q_X509_getm_notBefore(x509); ++ ASN1_TIME *naft = q_X509_getm_notAfter(x509); ++ + certificate.d->notValidBefore = q_getTimeFromASN1(nbef); + certificate.d->notValidAfter = q_getTimeFromASN1(naft); + certificate.d->null = false; +diff --git a/qtbase/src/network/ssl/qsslcontext_openssl.cpp b/qtbase/src/network/ssl/qsslcontext_openssl.cpp +index c92d8fc3f8..cef503710c 100644 +--- a/qtbase/src/network/ssl/qsslcontext_openssl.cpp ++++ b/qtbase/src/network/ssl/qsslcontext_openssl.cpp +@@ -1,6 +1,6 @@ + /**************************************************************************** + ** +-** Copyright (C) 2016 The Qt Company Ltd. ++** Copyright (C) 2017 The Qt Company Ltd. + ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. + ** Copyright (C) 2014 Governikus GmbH & Co. KG. + ** Contact: https://www.qt.io/licensing/ +@@ -41,22 +41,14 @@ + + + #include +-#include +-#include + + #include "private/qssl_p.h" + #include "private/qsslcontext_openssl_p.h" +-#include "private/qsslsocket_p.h" + #include "private/qsslsocket_openssl_p.h" + #include "private/qsslsocket_openssl_symbols_p.h" +-#include "private/qssldiffiehellmanparameters_p.h" + + QT_BEGIN_NAMESPACE + +-// defined in qsslsocket_openssl.cpp: +-extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); +-extern QString getErrorsFromOpenSsl(); +- + QSslContext::QSslContext() + : ctx(0), + pkey(0), +@@ -78,301 +70,6 @@ QSslContext::~QSslContext() + q_SSL_SESSION_free(session); + } + +-static inline QString msgErrorSettingEllipticCurves(const QString &why) +-{ +- return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); +-} +- +-// static +-void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) +-{ +- sslContext->sslConfiguration = configuration; +- sslContext->errorCode = QSslError::NoError; +- +- bool client = (mode == QSslSocket::SslClientMode); +- +- bool reinitialized = false; +- bool unsupportedProtocol = false; +-init_context: +- switch (sslContext->sslConfiguration.protocol()) { +- case QSsl::SslV2: +-#ifndef OPENSSL_NO_SSL2 +- sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method()); +-#else +- // SSL 2 not supported by the system, but chosen deliberately -> error +- sslContext->ctx = 0; +- unsupportedProtocol = true; +-#endif +- break; +- case QSsl::SslV3: +-#ifndef OPENSSL_NO_SSL3_METHOD +- sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method()); +-#else +- // SSL 3 not supported by the system, but chosen deliberately -> error +- sslContext->ctx = 0; +- unsupportedProtocol = true; +-#endif +- break; +- case QSsl::SecureProtocols: +- // SSLv2 and SSLv3 will be disabled by SSL options +- // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32. +- case QSsl::TlsV1SslV3: +- // SSLv2 will will be disabled by SSL options +- case QSsl::AnyProtocol: +- default: +- sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); +- break; +- case QSsl::TlsV1_0: +- sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method()); +- break; +- case QSsl::TlsV1_1: +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +- sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method()); +-#else +- // TLS 1.1 not supported by the system, but chosen deliberately -> error +- sslContext->ctx = 0; +- unsupportedProtocol = true; +-#endif +- break; +- case QSsl::TlsV1_2: +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +- sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method()); +-#else +- // TLS 1.2 not supported by the system, but chosen deliberately -> error +- sslContext->ctx = 0; +- unsupportedProtocol = true; +-#endif +- break; +- case QSsl::TlsV1_0OrLater: +- // Specific protocols will be specified via SSL options. +- sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); +- break; +- case QSsl::TlsV1_1OrLater: +- case QSsl::TlsV1_2OrLater: +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +- // Specific protocols will be specified via SSL options. +- sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); +-#else +- // TLS 1.1/1.2 not supported by the system, but chosen deliberately -> error +- sslContext->ctx = 0; +- unsupportedProtocol = true; +-#endif +- break; +- } +- +- if (!sslContext->ctx) { +- // After stopping Flash 10 the SSL library looses its ciphers. Try re-adding them +- // by re-initializing the library. +- if (!reinitialized) { +- reinitialized = true; +- if (q_SSL_library_init() == 1) +- goto init_context; +- } +- +- sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( +- unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() +- ); +- sslContext->errorCode = QSslError::UnspecifiedError; +- return; +- } +- +- // Enable bug workarounds. +- long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); +- q_SSL_CTX_set_options(sslContext->ctx, options); +- +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +- // Tell OpenSSL to release memory early +- // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html +- if (q_SSLeay() >= 0x10000000L) +- q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); +-#endif +- +- // Initialize ciphers +- QByteArray cipherString; +- bool first = true; +- QList ciphers = sslContext->sslConfiguration.ciphers(); +- if (ciphers.isEmpty()) +- ciphers = QSslSocketPrivate::defaultCiphers(); +- for (const QSslCipher &cipher : qAsConst(ciphers)) { +- if (first) +- first = false; +- else +- cipherString.append(':'); +- cipherString.append(cipher.name().toLatin1()); +- } +- +- if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { +- sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); +- sslContext->errorCode = QSslError::UnspecifiedError; +- return; +- } +- +- const QDateTime now = QDateTime::currentDateTimeUtc(); +- +- // Add all our CAs to this store. +- const auto caCertificates = sslContext->sslConfiguration.caCertificates(); +- for (const QSslCertificate &caCertificate : caCertificates) { +- // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: +- // +- // If several CA certificates matching the name, key identifier, and +- // serial number condition are available, only the first one will be +- // examined. This may lead to unexpected results if the same CA +- // certificate is available with different expiration dates. If a +- // ``certificate expired'' verification error occurs, no other +- // certificate will be searched. Make sure to not have expired +- // certificates mixed with valid ones. +- // +- // See also: QSslSocketBackendPrivate::verify() +- if (caCertificate.expiryDate() >= now) { +- q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); +- } +- } +- +- if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { +- // tell OpenSSL the directories where to look up the root certs on demand +- const QList unixDirs = QSslSocketPrivate::unixRootCertDirectories(); +- for (const QByteArray &unixDir : unixDirs) +- q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDir.constData()); +- } +- +- if (!sslContext->sslConfiguration.localCertificate().isNull()) { +- // Require a private key as well. +- if (sslContext->sslConfiguration.privateKey().isNull()) { +- sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); +- sslContext->errorCode = QSslError::UnspecifiedError; +- return; +- } +- +- // Load certificate +- if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { +- sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); +- sslContext->errorCode = QSslError::UnspecifiedError; +- return; +- } +- +- if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { +- sslContext->pkey = reinterpret_cast(configuration.d->privateKey.handle()); +- } else { +- // Load private key +- sslContext->pkey = q_EVP_PKEY_new(); +- // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. +- // this lead to a memory leak. Now we use the *_set1_* functions which do not +- // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. +- if (configuration.d->privateKey.algorithm() == QSsl::Rsa) +- q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); +- else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) +- q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); +-#ifndef OPENSSL_NO_EC +- else if (configuration.d->privateKey.algorithm() == QSsl::Ec) +- q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); +-#endif +- } +- +- if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { +- sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); +- sslContext->errorCode = QSslError::UnspecifiedError; +- return; +- } +- if (configuration.d->privateKey.algorithm() == QSsl::Opaque) +- sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey +- +- // Check if the certificate matches the private key. +- if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { +- sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); +- sslContext->errorCode = QSslError::UnspecifiedError; +- return; +- } +- +- // If we have any intermediate certificates then we need to add them to our chain +- bool first = true; +- for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { +- if (first) { +- first = false; +- continue; +- } +- q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, +- q_X509_dup(reinterpret_cast(cert.handle()))); +- } +- } +- +- // Initialize peer verification. +- if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { +- q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0); +- } else { +- q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); +- } +- +- // Set verification depth. +- if (sslContext->sslConfiguration.peerVerifyDepth() != 0) +- q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); +- +- // set persisted session if the user set it +- if (!configuration.sessionTicket().isEmpty()) +- sslContext->setSessionASN1(configuration.sessionTicket()); +- +- // Set temp DH params +- QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); +- +- if (!dhparams.isValid()) { +- sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); +- sslContext->errorCode = QSslError::UnspecifiedError; +- return; +- } +- +- if (!dhparams.isEmpty()) { +- const QByteArray ¶ms = dhparams.d->derData; +- const char *ptr = params.constData(); +- DH *dh = q_d2i_DHparams(NULL, reinterpret_cast(&ptr), params.length()); +- if (dh == NULL) +- qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); +- q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); +- q_DH_free(dh); +- } +- +-#ifndef OPENSSL_NO_EC +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (q_SSLeay() >= 0x10002000L) { +- q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); +- } else +-#endif +- { +- // Set temp ECDH params +- EC_KEY *ecdh = 0; +- ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); +- q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); +- q_EC_KEY_free(ecdh); +- } +-#endif // OPENSSL_NO_EC +- +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) +- if (!client) +- q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); +-#endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) +- +- const QVector qcurves = sslContext->sslConfiguration.ellipticCurves(); +- if (!qcurves.isEmpty()) { +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) +- // Set the curves to be used +- if (q_SSLeay() >= 0x10002000L) { +- // SSL_CTX_ctrl wants a non-const pointer as last argument, +- // but let's avoid a copy into a temporary array +- if (!q_SSL_CTX_ctrl(sslContext->ctx, +- SSL_CTRL_SET_CURVES, +- qcurves.size(), +- const_cast(reinterpret_cast(qcurves.data())))) { +- sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); +- sslContext->errorCode = QSslError::UnspecifiedError; +- } +- } else +-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) +- { +- // specific curves requested, but not possible to set -> error +- sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2")); +- sslContext->errorCode = QSslError::UnspecifiedError; +- } +- } +-} +- + QSslContext* QSslContext::fromConfiguration(QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) + { + QSslContext *sslContext = new QSslContext(); +@@ -463,7 +160,7 @@ SSL* QSslContext::createSsl() + m_npnContext.len = m_supportedNPNVersions.count(); + m_npnContext.status = QSslConfiguration::NextProtocolNegotiationNone; + #if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (q_SSLeay() >= 0x10002000L) { ++ if (QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) { + // Callback's type has a parameter 'const unsigned char ** out' + // since it was introduced in 1.0.2. Internally, OpenSSL's own code + // (tests/examples) cast it to unsigned char * (since it's 'out'). +@@ -508,7 +205,7 @@ bool QSslContext::cacheSession(SSL* ssl) + unsigned char *data = reinterpret_cast(m_sessionASN1.data()); + if (!q_i2d_SSL_SESSION(session, &data)) + qCWarning(lcSsl, "could not store persistent version of SSL session"); +- m_sessionTicketLifeTimeHint = session->tlsext_tick_lifetime_hint; ++ m_sessionTicketLifeTimeHint = q_SSL_SESSION_get_ticket_lifetime_hint(session); + } + } + +diff --git a/qtbase/src/network/ssl/qsslcontext_openssl11.cpp b/qtbase/src/network/ssl/qsslcontext_openssl11.cpp +new file mode 100644 +index 0000000000..787b6ae3f5 +--- /dev/null ++++ b/qtbase/src/network/ssl/qsslcontext_openssl11.cpp +@@ -0,0 +1,277 @@ ++/**************************************************************************** ++** ++** Copyright (C) 2017 The Qt Company Ltd. ++** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ++** Copyright (C) 2014 Governikus GmbH & Co. KG. ++** Copyright (C) 2016 Richard J. Moore ++** Contact: https://www.qt.io/licensing/ ++** ++** This file is part of the QtNetwork module of the Qt Toolkit. ++** ++** $QT_BEGIN_LICENSE:LGPL$ ++** Commercial License Usage ++** Licensees holding valid commercial Qt licenses may use this file in ++** accordance with the commercial license agreement provided with the ++** Software or, alternatively, in accordance with the terms contained in ++** a written agreement between you and The Qt Company. For licensing terms ++** and conditions see https://www.qt.io/terms-conditions. For further ++** information use the contact form at https://www.qt.io/contact-us. ++** ++** GNU Lesser General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU Lesser ++** General Public License version 3 as published by the Free Software ++** Foundation and appearing in the file LICENSE.LGPL3 included in the ++** packaging of this file. Please review the following information to ++** ensure the GNU Lesser General Public License version 3 requirements ++** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ++** ++** GNU General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU ++** General Public License version 2.0 or (at your option) the GNU General ++** Public license version 3 or any later version approved by the KDE Free ++** Qt Foundation. The licenses are as published by the Free Software ++** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 ++** included in the packaging of this file. Please review the following ++** information to ensure the GNU General Public License requirements will ++** be met: https://www.gnu.org/licenses/gpl-2.0.html and ++** https://www.gnu.org/licenses/gpl-3.0.html. ++** ++** $QT_END_LICENSE$ ++** ++****************************************************************************/ ++ ++ ++#include ++#include ++ ++#include "private/qssl_p.h" ++#include "private/qsslcontext_openssl_p.h" ++#include "private/qsslsocket_p.h" ++#include "private/qsslsocket_openssl_p.h" ++#include "private/qsslsocket_openssl_symbols_p.h" ++#include "private/qssldiffiehellmanparameters_p.h" ++ ++#include ++ ++QT_BEGIN_NAMESPACE ++ ++// defined in qsslsocket_openssl.cpp: ++extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); ++extern QString getErrorsFromOpenSsl(); ++ ++static inline QString msgErrorSettingEllipticCurves(const QString &why) ++{ ++ return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); ++} ++ ++// static ++void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) ++{ ++ sslContext->sslConfiguration = configuration; ++ sslContext->errorCode = QSslError::NoError; ++ ++ bool client = (mode == QSslSocket::SslClientMode); ++ ++ bool reinitialized = false; ++ bool unsupportedProtocol = false; ++init_context: ++ if (sslContext->sslConfiguration.protocol() == QSsl::SslV2) { ++ // SSL 2 is no longer supported, but chosen deliberately -> error ++ sslContext->ctx = nullptr; ++ unsupportedProtocol = true; ++ } else { ++ // The ssl options will actually control the supported methods ++ sslContext->ctx = q_SSL_CTX_new(client ? q_TLS_client_method() : q_TLS_server_method()); ++ } ++ ++ if (!sslContext->ctx) { ++ // After stopping Flash 10 the SSL library loses its ciphers. Try re-adding them ++ // by re-initializing the library. ++ if (!reinitialized) { ++ reinitialized = true; ++ if (q_OPENSSL_init_ssl(0, nullptr) == 1) ++ goto init_context; ++ } ++ ++ sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( ++ unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() ++ ); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ // Enable bug workarounds. ++ long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); ++ q_SSL_CTX_set_options(sslContext->ctx, options); ++ ++ // Tell OpenSSL to release memory early ++ // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html ++ q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); ++ ++ // Initialize ciphers ++ QByteArray cipherString; ++ bool first = true; ++ QList ciphers = sslContext->sslConfiguration.ciphers(); ++ if (ciphers.isEmpty()) ++ ciphers = QSslSocketPrivate::defaultCiphers(); ++ for (const QSslCipher &cipher : qAsConst(ciphers)) { ++ if (first) ++ first = false; ++ else ++ cipherString.append(':'); ++ cipherString.append(cipher.name().toLatin1()); ++ } ++ ++ if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { ++ sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ const QDateTime now = QDateTime::currentDateTimeUtc(); ++ ++ // Add all our CAs to this store. ++ const auto caCertificates = sslContext->sslConfiguration.caCertificates(); ++ for (const QSslCertificate &caCertificate : caCertificates) { ++ // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: ++ // ++ // If several CA certificates matching the name, key identifier, and ++ // serial number condition are available, only the first one will be ++ // examined. This may lead to unexpected results if the same CA ++ // certificate is available with different expiration dates. If a ++ // ``certificate expired'' verification error occurs, no other ++ // certificate will be searched. Make sure to not have expired ++ // certificates mixed with valid ones. ++ // ++ // See also: QSslSocketBackendPrivate::verify() ++ if (caCertificate.expiryDate() >= now) { ++ q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); ++ } ++ } ++ ++ if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { ++ // tell OpenSSL the directories where to look up the root certs on demand ++ const QList unixDirs = QSslSocketPrivate::unixRootCertDirectories(); ++ for (const QByteArray &unixDir : unixDirs) ++ q_SSL_CTX_load_verify_locations(sslContext->ctx, nullptr, unixDir.constData()); ++ } ++ ++ if (!sslContext->sslConfiguration.localCertificate().isNull()) { ++ // Require a private key as well. ++ if (sslContext->sslConfiguration.privateKey().isNull()) { ++ sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ // Load certificate ++ if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { ++ sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { ++ sslContext->pkey = reinterpret_cast(configuration.d->privateKey.handle()); ++ } else { ++ // Load private key ++ sslContext->pkey = q_EVP_PKEY_new(); ++ // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. ++ // this lead to a memory leak. Now we use the *_set1_* functions which do not ++ // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. ++ if (configuration.d->privateKey.algorithm() == QSsl::Rsa) ++ q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); ++ else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) ++ q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); ++#ifndef OPENSSL_NO_EC ++ else if (configuration.d->privateKey.algorithm() == QSsl::Ec) ++ q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); ++#endif ++ } ++ ++ if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { ++ sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ if (configuration.d->privateKey.algorithm() == QSsl::Opaque) ++ sslContext->pkey = nullptr; // Don't free the private key, it belongs to QSslKey ++ ++ // Check if the certificate matches the private key. ++ if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { ++ sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ // If we have any intermediate certificates then we need to add them to our chain ++ bool first = true; ++ for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { ++ if (first) { ++ first = false; ++ continue; ++ } ++ q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, ++ q_X509_dup(reinterpret_cast(cert.handle()))); ++ } ++ } ++ ++ // Initialize peer verification. ++ if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { ++ q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, nullptr); ++ } else { ++ q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); ++ } ++ ++ // Set verification depth. ++ if (sslContext->sslConfiguration.peerVerifyDepth() != 0) ++ q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); ++ ++ // set persisted session if the user set it ++ if (!configuration.sessionTicket().isEmpty()) ++ sslContext->setSessionASN1(configuration.sessionTicket()); ++ ++ // Set temp DH params ++ QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); ++ ++ if (!dhparams.isValid()) { ++ sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ if (!dhparams.isEmpty()) { ++ const QByteArray ¶ms = dhparams.d->derData; ++ const char *ptr = params.constData(); ++ DH *dh = q_d2i_DHparams(NULL, reinterpret_cast(&ptr), params.length()); ++ if (dh == NULL) ++ qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); ++ q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); ++ q_DH_free(dh); ++ } ++ ++#ifndef OPENSSL_NO_PSK ++ if (!client) ++ q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); ++#endif // !OPENSSL_NO_PSK ++ ++ const QVector qcurves = sslContext->sslConfiguration.ellipticCurves(); ++ if (!qcurves.isEmpty()) { ++#ifdef OPENSSL_NO_EC ++ sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version with disabled elliptic curves")); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++#else ++ // Set the curves to be used. ++ std::vector curves; ++ curves.reserve(qcurves.size()); ++ for (const auto &sslCurve : qcurves) ++ curves.push_back(sslCurve.id); ++ if (!q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_CURVES, long(curves.size()), &curves[0])) { ++ sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ } ++#endif ++ } ++} ++ ++QT_END_NAMESPACE +diff --git a/qtbase/src/network/ssl/qsslcontext_opensslpre11.cpp b/qtbase/src/network/ssl/qsslcontext_opensslpre11.cpp +new file mode 100644 +index 0000000000..9c01c2f2dc +--- /dev/null ++++ b/qtbase/src/network/ssl/qsslcontext_opensslpre11.cpp +@@ -0,0 +1,354 @@ ++/**************************************************************************** ++** ++** Copyright (C) 2017 The Qt Company Ltd. ++** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ++** Copyright (C) 2014 Governikus GmbH & Co. KG. ++** Contact: https://www.qt.io/licensing/ ++** ++** This file is part of the QtNetwork module of the Qt Toolkit. ++** ++** $QT_BEGIN_LICENSE:LGPL$ ++** Commercial License Usage ++** Licensees holding valid commercial Qt licenses may use this file in ++** accordance with the commercial license agreement provided with the ++** Software or, alternatively, in accordance with the terms contained in ++** a written agreement between you and The Qt Company. For licensing terms ++** and conditions see https://www.qt.io/terms-conditions. For further ++** information use the contact form at https://www.qt.io/contact-us. ++** ++** GNU Lesser General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU Lesser ++** General Public License version 3 as published by the Free Software ++** Foundation and appearing in the file LICENSE.LGPL3 included in the ++** packaging of this file. Please review the following information to ++** ensure the GNU Lesser General Public License version 3 requirements ++** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ++** ++** GNU General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU ++** General Public License version 2.0 or (at your option) the GNU General ++** Public license version 3 or any later version approved by the KDE Free ++** Qt Foundation. The licenses are as published by the Free Software ++** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 ++** included in the packaging of this file. Please review the following ++** information to ensure the GNU General Public License requirements will ++** be met: https://www.gnu.org/licenses/gpl-2.0.html and ++** https://www.gnu.org/licenses/gpl-3.0.html. ++** ++** $QT_END_LICENSE$ ++** ++****************************************************************************/ ++ ++ ++#include ++#include ++ ++#include "private/qssl_p.h" ++#include "private/qsslcontext_openssl_p.h" ++#include "private/qsslsocket_p.h" ++#include "private/qsslsocket_openssl_p.h" ++#include "private/qsslsocket_openssl_symbols_p.h" ++#include "private/qssldiffiehellmanparameters_p.h" ++ ++QT_BEGIN_NAMESPACE ++ ++// defined in qsslsocket_openssl.cpp: ++extern int q_X509Callback(int ok, X509_STORE_CTX *ctx); ++extern QString getErrorsFromOpenSsl(); ++ ++static inline QString msgErrorSettingEllipticCurves(const QString &why) ++{ ++ return QSslSocket::tr("Error when setting the elliptic curves (%1)").arg(why); ++} ++ ++// static ++void QSslContext::initSslContext(QSslContext *sslContext, QSslSocket::SslMode mode, const QSslConfiguration &configuration, bool allowRootCertOnDemandLoading) ++{ ++ sslContext->sslConfiguration = configuration; ++ sslContext->errorCode = QSslError::NoError; ++ ++ bool client = (mode == QSslSocket::SslClientMode); ++ ++ bool reinitialized = false; ++ bool unsupportedProtocol = false; ++init_context: ++ switch (sslContext->sslConfiguration.protocol()) { ++ case QSsl::SslV2: ++#ifndef OPENSSL_NO_SSL2 ++ sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv2_client_method() : q_SSLv2_server_method()); ++#else ++ // SSL 2 not supported by the system, but chosen deliberately -> error ++ sslContext->ctx = 0; ++ unsupportedProtocol = true; ++#endif ++ break; ++ case QSsl::SslV3: ++#ifndef OPENSSL_NO_SSL3_METHOD ++ sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv3_client_method() : q_SSLv3_server_method()); ++#else ++ // SSL 3 not supported by the system, but chosen deliberately -> error ++ sslContext->ctx = 0; ++ unsupportedProtocol = true; ++#endif ++ break; ++ case QSsl::SecureProtocols: ++ // SSLv2 and SSLv3 will be disabled by SSL options ++ // But we need q_SSLv23_server_method() otherwise AnyProtocol will be unable to connect on Win32. ++ case QSsl::TlsV1SslV3: ++ // SSLv2 will will be disabled by SSL options ++ case QSsl::AnyProtocol: ++ default: ++ sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); ++ break; ++ case QSsl::TlsV1_0: ++ sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method()); ++ break; ++ case QSsl::TlsV1_1: ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++ sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_1_client_method() : q_TLSv1_1_server_method()); ++#else ++ // TLS 1.1 not supported by the system, but chosen deliberately -> error ++ sslContext->ctx = 0; ++ unsupportedProtocol = true; ++#endif ++ break; ++ case QSsl::TlsV1_2: ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++ sslContext->ctx = q_SSL_CTX_new(client ? q_TLSv1_2_client_method() : q_TLSv1_2_server_method()); ++#else ++ // TLS 1.2 not supported by the system, but chosen deliberately -> error ++ sslContext->ctx = 0; ++ unsupportedProtocol = true; ++#endif ++ break; ++ case QSsl::TlsV1_0OrLater: ++ // Specific protocols will be specified via SSL options. ++ sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); ++ break; ++ case QSsl::TlsV1_1OrLater: ++ case QSsl::TlsV1_2OrLater: ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++ // Specific protocols will be specified via SSL options. ++ sslContext->ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method()); ++#else ++ // TLS 1.1/1.2 not supported by the system, but chosen deliberately -> error ++ sslContext->ctx = 0; ++ unsupportedProtocol = true; ++#endif ++ break; ++ } ++ ++ if (!sslContext->ctx) { ++ // After stopping Flash 10 the SSL library loses its ciphers. Try re-adding them ++ // by re-initializing the library. ++ if (!reinitialized) { ++ reinitialized = true; ++ if (q_SSL_library_init() == 1) ++ goto init_context; ++ } ++ ++ sslContext->errorStr = QSslSocket::tr("Error creating SSL context (%1)").arg( ++ unsupportedProtocol ? QSslSocket::tr("unsupported protocol") : QSslSocketBackendPrivate::getErrorsFromOpenSsl() ++ ); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ // Enable bug workarounds. ++ long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions); ++ q_SSL_CTX_set_options(sslContext->ctx, options); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++ // Tell OpenSSL to release memory early ++ // http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html ++ if (q_SSLeay() >= 0x10000000L) ++ q_SSL_CTX_set_mode(sslContext->ctx, SSL_MODE_RELEASE_BUFFERS); ++#endif ++ ++ // Initialize ciphers ++ QByteArray cipherString; ++ bool first = true; ++ QList ciphers = sslContext->sslConfiguration.ciphers(); ++ if (ciphers.isEmpty()) ++ ciphers = QSslSocketPrivate::defaultCiphers(); ++ for (const QSslCipher &cipher : qAsConst(ciphers)) { ++ if (first) ++ first = false; ++ else ++ cipherString.append(':'); ++ cipherString.append(cipher.name().toLatin1()); ++ } ++ ++ if (!q_SSL_CTX_set_cipher_list(sslContext->ctx, cipherString.data())) { ++ sslContext->errorStr = QSslSocket::tr("Invalid or empty cipher list (%1)").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ const QDateTime now = QDateTime::currentDateTimeUtc(); ++ ++ // Add all our CAs to this store. ++ const auto caCertificates = sslContext->sslConfiguration.caCertificates(); ++ for (const QSslCertificate &caCertificate : caCertificates) { ++ // From https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html: ++ // ++ // If several CA certificates matching the name, key identifier, and ++ // serial number condition are available, only the first one will be ++ // examined. This may lead to unexpected results if the same CA ++ // certificate is available with different expiration dates. If a ++ // ``certificate expired'' verification error occurs, no other ++ // certificate will be searched. Make sure to not have expired ++ // certificates mixed with valid ones. ++ // ++ // See also: QSslSocketBackendPrivate::verify() ++ if (caCertificate.expiryDate() >= now) { ++ q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(sslContext->ctx), (X509 *)caCertificate.handle()); ++ } ++ } ++ ++ if (QSslSocketPrivate::s_loadRootCertsOnDemand && allowRootCertOnDemandLoading) { ++ // tell OpenSSL the directories where to look up the root certs on demand ++ const QList unixDirs = QSslSocketPrivate::unixRootCertDirectories(); ++ for (const QByteArray &unixDir : unixDirs) ++ q_SSL_CTX_load_verify_locations(sslContext->ctx, 0, unixDir.constData()); ++ } ++ ++ if (!sslContext->sslConfiguration.localCertificate().isNull()) { ++ // Require a private key as well. ++ if (sslContext->sslConfiguration.privateKey().isNull()) { ++ sslContext->errorStr = QSslSocket::tr("Cannot provide a certificate with no key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ // Load certificate ++ if (!q_SSL_CTX_use_certificate(sslContext->ctx, (X509 *)sslContext->sslConfiguration.localCertificate().handle())) { ++ sslContext->errorStr = QSslSocket::tr("Error loading local certificate, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ if (configuration.d->privateKey.algorithm() == QSsl::Opaque) { ++ sslContext->pkey = reinterpret_cast(configuration.d->privateKey.handle()); ++ } else { ++ // Load private key ++ sslContext->pkey = q_EVP_PKEY_new(); ++ // before we were using EVP_PKEY_assign_R* functions and did not use EVP_PKEY_free. ++ // this lead to a memory leak. Now we use the *_set1_* functions which do not ++ // take ownership of the RSA/DSA key instance because the QSslKey already has ownership. ++ if (configuration.d->privateKey.algorithm() == QSsl::Rsa) ++ q_EVP_PKEY_set1_RSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); ++ else if (configuration.d->privateKey.algorithm() == QSsl::Dsa) ++ q_EVP_PKEY_set1_DSA(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); ++#ifndef OPENSSL_NO_EC ++ else if (configuration.d->privateKey.algorithm() == QSsl::Ec) ++ q_EVP_PKEY_set1_EC_KEY(sslContext->pkey, reinterpret_cast(configuration.d->privateKey.handle())); ++#endif ++ } ++ ++ if (!q_SSL_CTX_use_PrivateKey(sslContext->ctx, sslContext->pkey)) { ++ sslContext->errorStr = QSslSocket::tr("Error loading private key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ if (configuration.d->privateKey.algorithm() == QSsl::Opaque) ++ sslContext->pkey = 0; // Don't free the private key, it belongs to QSslKey ++ ++ // Check if the certificate matches the private key. ++ if (!q_SSL_CTX_check_private_key(sslContext->ctx)) { ++ sslContext->errorStr = QSslSocket::tr("Private key does not certify public key, %1").arg(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ // If we have any intermediate certificates then we need to add them to our chain ++ bool first = true; ++ for (const QSslCertificate &cert : qAsConst(configuration.d->localCertificateChain)) { ++ if (first) { ++ first = false; ++ continue; ++ } ++ q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, ++ q_X509_dup(reinterpret_cast(cert.handle()))); ++ } ++ } ++ ++ // Initialize peer verification. ++ if (sslContext->sslConfiguration.peerVerifyMode() == QSslSocket::VerifyNone) { ++ q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_NONE, 0); ++ } else { ++ q_SSL_CTX_set_verify(sslContext->ctx, SSL_VERIFY_PEER, q_X509Callback); ++ } ++ ++ // Set verification depth. ++ if (sslContext->sslConfiguration.peerVerifyDepth() != 0) ++ q_SSL_CTX_set_verify_depth(sslContext->ctx, sslContext->sslConfiguration.peerVerifyDepth()); ++ ++ // set persisted session if the user set it ++ if (!configuration.sessionTicket().isEmpty()) ++ sslContext->setSessionASN1(configuration.sessionTicket()); ++ ++ // Set temp DH params ++ QSslDiffieHellmanParameters dhparams = configuration.diffieHellmanParameters(); ++ ++ if (!dhparams.isValid()) { ++ sslContext->errorStr = QSslSocket::tr("Diffie-Hellman parameters are not valid"); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ return; ++ } ++ ++ if (!dhparams.isEmpty()) { ++ const QByteArray ¶ms = dhparams.d->derData; ++ const char *ptr = params.constData(); ++ DH *dh = q_d2i_DHparams(NULL, reinterpret_cast(&ptr), params.length()); ++ if (dh == NULL) ++ qFatal("q_d2i_DHparams failed to convert QSslDiffieHellmanParameters to DER form"); ++ q_SSL_CTX_set_tmp_dh(sslContext->ctx, dh); ++ q_DH_free(dh); ++ } ++ ++#ifndef OPENSSL_NO_EC ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++ if (q_SSLeay() >= 0x10002000L) { ++ q_SSL_CTX_ctrl(sslContext->ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL); ++ } else ++#endif ++ { ++ // Set temp ECDH params ++ EC_KEY *ecdh = 0; ++ ecdh = q_EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ++ q_SSL_CTX_set_tmp_ecdh(sslContext->ctx, ecdh); ++ q_EC_KEY_free(ecdh); ++ } ++#endif // OPENSSL_NO_EC ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) ++ if (!client) ++ q_SSL_CTX_use_psk_identity_hint(sslContext->ctx, sslContext->sslConfiguration.preSharedKeyIdentityHint().constData()); ++#endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) ++ ++ const QVector qcurves = sslContext->sslConfiguration.ellipticCurves(); ++ if (!qcurves.isEmpty()) { ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) ++ // Set the curves to be used ++ if (q_SSLeay() >= 0x10002000L) { ++ // SSL_CTX_ctrl wants a non-const pointer as last argument, ++ // but let's avoid a copy into a temporary array ++ if (!q_SSL_CTX_ctrl(sslContext->ctx, ++ SSL_CTRL_SET_CURVES, ++ qcurves.size(), ++ const_cast(reinterpret_cast(qcurves.data())))) { ++ sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ } ++ } else ++#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) ++ { ++ // specific curves requested, but not possible to set -> error ++ sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2")); ++ sslContext->errorCode = QSslError::UnspecifiedError; ++ } ++ } ++} ++ ++QT_END_NAMESPACE +diff --git a/qtbase/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp b/qtbase/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp +index 90687b05c5..5ebad822f1 100644 +--- a/qtbase/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp ++++ b/qtbase/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp +@@ -1,6 +1,7 @@ + /**************************************************************************** + ** + ** Copyright (C) 2015 Mikkel Krautz ++** Copyright (C) 2016 Richard J. Moore + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtNetwork module of the Qt Toolkit. +@@ -50,8 +51,8 @@ + #include + #endif + +-// For q_BN_is_word. + #include ++#include + + QT_BEGIN_NAMESPACE + +@@ -62,13 +63,6 @@ static bool isSafeDH(DH *dh) + + QSslSocketPrivate::ensureInitialized(); + +- // Mark p < 1024 bits as unsafe. +- if (q_BN_num_bits(dh->p) < 1024) { +- return false; +- } +- +- if (q_DH_check(dh, &status) != 1) +- return false; + + // From https://wiki.openssl.org/index.php/Diffie-Hellman_parameters: + // +@@ -81,11 +75,39 @@ static bool isSafeDH(DH *dh) + // Without the test, the IETF parameters would + // fail validation. For details, see Diffie-Hellman + // Parameter Check (when g = 2, must p mod 24 == 11?). ++#if QT_CONFIG(opensslv11) ++ // Mark p < 1024 bits as unsafe. ++ if (q_DH_bits(dh) < 1024) ++ return false; ++ ++ if (q_DH_check(dh, &status) != 1) ++ return false; ++ ++ const BIGNUM *p = nullptr; ++ const BIGNUM *q = nullptr; ++ const BIGNUM *g = nullptr; ++ q_DH_get0_pqg(dh, &p, &q, &g); ++ ++ if (q_BN_is_word(const_cast(g), DH_GENERATOR_2)) { ++ long residue = q_BN_mod_word(p, 24); ++ if (residue == 11 || residue == 23) ++ status &= ~DH_NOT_SUITABLE_GENERATOR; ++ } ++ ++#else ++ // Mark p < 1024 bits as unsafe. ++ if (q_BN_num_bits(dh->p) < 1024) ++ return false; ++ ++ if (q_DH_check(dh, &status) != 1) ++ return false; ++ + if (q_BN_is_word(dh->g, DH_GENERATOR_2)) { + long residue = q_BN_mod_word(dh->p, 24); + if (residue == 11 || residue == 23) + status &= ~DH_NOT_SUITABLE_GENERATOR; + } ++#endif + + bad |= DH_CHECK_P_NOT_PRIME; + bad |= DH_CHECK_P_NOT_SAFE_PRIME; +diff --git a/qtbase/src/network/ssl/qsslellipticcurve.h b/qtbase/src/network/ssl/qsslellipticcurve.h +index 231566063e..57dda19bad 100644 +--- a/qtbase/src/network/ssl/qsslellipticcurve.h ++++ b/qtbase/src/network/ssl/qsslellipticcurve.h +@@ -80,6 +80,7 @@ private: + friend Q_DECL_CONSTEXPR bool operator==(QSslEllipticCurve lhs, QSslEllipticCurve rhs) Q_DECL_NOTHROW; + friend Q_DECL_CONSTEXPR uint qHash(QSslEllipticCurve curve, uint seed) Q_DECL_NOTHROW; + ++ friend class QSslContext; + friend class QSslSocketPrivate; + friend class QSslSocketBackendPrivate; + }; +diff --git a/qtbase/src/network/ssl/qsslellipticcurve_openssl.cpp b/qtbase/src/network/ssl/qsslellipticcurve_openssl.cpp +index e18197b703..8cd14837f0 100644 +--- a/qtbase/src/network/ssl/qsslellipticcurve_openssl.cpp ++++ b/qtbase/src/network/ssl/qsslellipticcurve_openssl.cpp +@@ -1,6 +1,7 @@ + /**************************************************************************** + ** + ** Copyright (C) 2014 Governikus GmbH & Co. KG. ++** Copyright (C) 2016 Richard J. Moore + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtNetwork module of the Qt Toolkit. +@@ -78,17 +79,18 @@ QSslEllipticCurve QSslEllipticCurve::fromShortName(const QString &name) + QSslEllipticCurve result; + + #ifndef OPENSSL_NO_EC +- const QByteArray curveNameLatin1 = name.toLatin1(); + ++ const QByteArray curveNameLatin1 = name.toLatin1(); + int nid = q_OBJ_sn2nid(curveNameLatin1.data()); + + #if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (nid == 0 && q_SSLeay() >= 0x10002000L) ++ if (nid == 0 && QSslSocket::sslLibraryVersionNumber() >= 0x10002000L) + nid = q_EC_curve_nist2nid(curveNameLatin1.data()); + #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L + + result.id = nid; +-#endif ++ ++#endif // !OPENSSL_NO_EC + + return result; + } +diff --git a/qtbase/src/network/ssl/qsslkey_openssl.cpp b/qtbase/src/network/ssl/qsslkey_openssl.cpp +index 26119023d1..2b03af9441 100644 +--- a/qtbase/src/network/ssl/qsslkey_openssl.cpp ++++ b/qtbase/src/network/ssl/qsslkey_openssl.cpp +@@ -1,6 +1,7 @@ + /**************************************************************************** + ** +-** Copyright (C) 2016 The Qt Company Ltd. ++** Copyright (C) 2017 The Qt Company Ltd. ++** Copyright (C) 2016 Richard J. Moore + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtNetwork module of the Qt Toolkit. +@@ -87,33 +88,32 @@ bool QSslKeyPrivate::fromEVP_PKEY(EVP_PKEY *pkey) + if (pkey == nullptr) + return false; + +- if (pkey->type == EVP_PKEY_RSA) { ++#if QT_CONFIG(opensslv11) ++ const int keyType = q_EVP_PKEY_type(q_EVP_PKEY_base_id(pkey)); ++#else ++ const int keyType = pkey->type; ++#endif ++ if (keyType == EVP_PKEY_RSA) { + isNull = false; + algorithm = QSsl::Rsa; + type = QSsl::PrivateKey; + +- rsa = q_RSA_new(); +- memcpy(rsa, q_EVP_PKEY_get1_RSA(pkey), sizeof(RSA)); +- ++ rsa = q_EVP_PKEY_get1_RSA(pkey); + return true; +- } +- else if (pkey->type == EVP_PKEY_DSA) { ++ } else if (keyType == EVP_PKEY_DSA) { + isNull = false; + algorithm = QSsl::Dsa; + type = QSsl::PrivateKey; + +- dsa = q_DSA_new(); +- memcpy(dsa, q_EVP_PKEY_get1_DSA(pkey), sizeof(DSA)); +- ++ dsa = q_EVP_PKEY_get1_DSA(pkey); + return true; + } + #ifndef OPENSSL_NO_EC +- else if (pkey->type == EVP_PKEY_EC) { ++ else if (keyType == EVP_PKEY_EC) { + isNull = false; + algorithm = QSsl::Ec; + type = QSsl::PrivateKey; +- ec = q_EC_KEY_dup(q_EVP_PKEY_get1_EC_KEY(pkey)); +- ++ ec = q_EVP_PKEY_get1_EC_KEY(pkey); + return true; + } + #endif +@@ -181,8 +181,8 @@ int QSslKeyPrivate::length() const + return -1; + + switch (algorithm) { +- case QSsl::Rsa: return q_BN_num_bits(rsa->n); +- case QSsl::Dsa: return q_BN_num_bits(dsa->p); ++ case QSsl::Rsa: return q_RSA_bits(rsa); ++ case QSsl::Dsa: return q_DSA_bits(dsa); + #ifndef OPENSSL_NO_EC + case QSsl::Ec: return q_EC_GROUP_get_degree(q_EC_KEY_get0_group(ec)); + #endif +@@ -276,7 +276,13 @@ Qt::HANDLE QSslKeyPrivate::handle() const + + static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv, int enc) + { +- EVP_CIPHER_CTX ctx; ++#if QT_CONFIG(opensslv11) ++ EVP_CIPHER_CTX *ctx = q_EVP_CIPHER_CTX_new(); ++#else ++ EVP_CIPHER_CTX evpCipherContext; ++ EVP_CIPHER_CTX *ctx = &evpCipherContext; ++#endif ++ + const EVP_CIPHER* type = 0; + int i = 0, len = 0; + +@@ -294,21 +300,44 @@ static QByteArray doCrypt(QSslKeyPrivate::Cipher cipher, const QByteArray &data, + + QByteArray output; + output.resize(data.size() + EVP_MAX_BLOCK_LENGTH); +- q_EVP_CIPHER_CTX_init(&ctx); +- q_EVP_CipherInit(&ctx, type, NULL, NULL, enc); +- q_EVP_CIPHER_CTX_set_key_length(&ctx, key.size()); ++ ++#if QT_CONFIG(opensslv11) ++ q_EVP_CIPHER_CTX_reset(ctx); ++#else ++ q_EVP_CIPHER_CTX_init(ctx); ++#endif ++ ++ q_EVP_CipherInit(ctx, type, NULL, NULL, enc); ++ q_EVP_CIPHER_CTX_set_key_length(ctx, key.size()); + if (cipher == QSslKeyPrivate::Rc2Cbc) +- q_EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); +- q_EVP_CipherInit(&ctx, NULL, ++ q_EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, 8 * key.size(), NULL); ++ ++#if QT_CONFIG(opensslv11) ++ // EVP_CipherInit in 1.1 resets the context thus making the calls above useless. ++ // We call EVP_CipherInit_ex instead. ++ q_EVP_CipherInit_ex(ctx, nullptr, nullptr, ++ reinterpret_cast(key.constData()), ++ reinterpret_cast(iv.constData()), ++ enc); ++#else ++ q_EVP_CipherInit(ctx, NULL, + reinterpret_cast(key.constData()), + reinterpret_cast(iv.constData()), enc); +- q_EVP_CipherUpdate(&ctx, ++#endif // opensslv11 ++ ++ q_EVP_CipherUpdate(ctx, + reinterpret_cast(output.data()), &len, + reinterpret_cast(data.constData()), data.size()); +- q_EVP_CipherFinal(&ctx, ++ q_EVP_CipherFinal(ctx, + reinterpret_cast(output.data()) + len, &i); + len += i; +- q_EVP_CIPHER_CTX_cleanup(&ctx); ++ ++#if QT_CONFIG(opensslv11) ++ q_EVP_CIPHER_CTX_reset(ctx); ++ q_EVP_CIPHER_CTX_free(ctx); ++#else ++ q_EVP_CIPHER_CTX_cleanup(ctx); ++#endif + + return output.left(len); + } +diff --git a/qtbase/src/network/ssl/qsslsocket_openssl.cpp b/qtbase/src/network/ssl/qsslsocket_openssl.cpp +index f5b493897e..45cea490fc 100644 +--- a/qtbase/src/network/ssl/qsslsocket_openssl.cpp ++++ b/qtbase/src/network/ssl/qsslsocket_openssl.cpp +@@ -1,6 +1,6 @@ + /**************************************************************************** + ** +-** Copyright (C) 2016 The Qt Company Ltd. ++** Copyright (C) 2017 The Qt Company Ltd. + ** Copyright (C) 2014 Governikus GmbH & Co. KG + ** Contact: https://www.qt.io/licensing/ + ** +@@ -97,70 +97,6 @@ bool QSslSocketPrivate::s_loadRootCertsOnDemand = false; + int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1; + #endif + +-/* \internal +- +- From OpenSSL's thread(3) manual page: +- +- OpenSSL can safely be used in multi-threaded applications provided that at +- least two callback functions are set. +- +- locking_function(int mode, int n, const char *file, int line) is needed to +- perform locking on shared data structures. (Note that OpenSSL uses a +- number of global data structures that will be implicitly shared +- whenever multiple threads use OpenSSL.) Multi-threaded +- applications will crash at random if it is not set. ... +- ... +- id_function(void) is a function that returns a thread ID. It is not +- needed on Windows nor on platforms where getpid() returns a different +- ID for each thread (most notably Linux) +-*/ +-class QOpenSslLocks +-{ +-public: +- inline QOpenSslLocks() +- : initLocker(QMutex::Recursive), +- locksLocker(QMutex::Recursive) +- { +- QMutexLocker locker(&locksLocker); +- int numLocks = q_CRYPTO_num_locks(); +- locks = new QMutex *[numLocks]; +- memset(locks, 0, numLocks * sizeof(QMutex *)); +- } +- inline ~QOpenSslLocks() +- { +- QMutexLocker locker(&locksLocker); +- for (int i = 0; i < q_CRYPTO_num_locks(); ++i) +- delete locks[i]; +- delete [] locks; +- +- QSslSocketPrivate::deinitialize(); +- } +- inline QMutex *lock(int num) +- { +- QMutexLocker locker(&locksLocker); +- QMutex *tmp = locks[num]; +- if (!tmp) +- tmp = locks[num] = new QMutex(QMutex::Recursive); +- return tmp; +- } +- +- QMutex *globalLock() +- { +- return &locksLocker; +- } +- +- QMutex *initLock() +- { +- return &initLocker; +- } +- +-private: +- QMutex initLocker; +- QMutex locksLocker; +- QMutex **locks; +-}; +-Q_GLOBAL_STATIC(QOpenSslLocks, openssl_locks) +- + QString QSslSocketBackendPrivate::getErrorsFromOpenSsl() + { + QString errorString; +@@ -175,20 +111,6 @@ QString QSslSocketBackendPrivate::getErrorsFromOpenSsl() + } + + extern "C" { +-static void locking_function(int mode, int lockNumber, const char *, int) +-{ +- QMutex *mutex = openssl_locks()->lock(lockNumber); +- +- // Lock or unlock it +- if (mode & CRYPTO_LOCK) +- mutex->lock(); +- else +- mutex->unlock(); +-} +-static unsigned long id_function() +-{ +- return (quintptr)QThread::currentThreadId(); +-} + + #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) + static unsigned int q_ssl_psk_client_callback(SSL *ssl, +@@ -227,7 +149,7 @@ QSslSocketBackendPrivate::~QSslSocketBackendPrivate() + destroySslContext(); + } + +-QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher) ++QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher) + { + QSslCipher ciph; + +@@ -283,6 +205,7 @@ struct QSslErrorList + QMutex mutex; + QVector errors; + }; ++ + Q_GLOBAL_STATIC(QSslErrorList, _q_sslErrorList) + + int q_X509Callback(int ok, X509_STORE_CTX *ctx) +@@ -312,7 +235,7 @@ int q_X509Callback(int ok, X509_STORE_CTX *ctx) + } + #endif + } +- // Always return OK to allow verification to continue. We're handle the ++ // Always return OK to allow verification to continue. We handle the + // errors gracefully after collecting all errors, after verification has + // completed. + return 1; +@@ -397,7 +320,7 @@ bool QSslSocketBackendPrivate::initSslContext() + if (configuration.protocol != QSsl::SslV2 && + configuration.protocol != QSsl::SslV3 && + configuration.protocol != QSsl::UnknownProtocol && +- mode == QSslSocket::SslClientMode && q_SSLeay() >= 0x00090806fL) { ++ mode == QSslSocket::SslClientMode && QSslSocket::sslLibraryVersionNumber() >= 0x00090806fL) { + // Set server hostname on TLS extension. RFC4366 section 3.1 requires it in ACE format. + QString tlsHostName = verificationPeerName.isEmpty() ? q->peerName() : verificationPeerName; + if (tlsHostName.isEmpty()) +@@ -438,13 +361,13 @@ bool QSslSocketBackendPrivate::initSslContext() + + #if OPENSSL_VERSION_NUMBER >= 0x10001000L + // Save a pointer to this object into the SSL structure. +- if (q_SSLeay() >= 0x10001000L) ++ if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) + q_SSL_set_ex_data(ssl, s_indexForSSLExtraData, this); + #endif + + #if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) + // Set the client callback for PSK +- if (q_SSLeay() >= 0x10001000L) { ++ if (QSslSocket::sslLibraryVersionNumber() >= 0x10001000L) { + if (mode == QSslSocket::SslClientMode) + q_SSL_set_psk_client_callback(ssl, &q_ssl_psk_client_callback); + else if (mode == QSslSocket::SslServerMode) +@@ -464,16 +387,6 @@ void QSslSocketBackendPrivate::destroySslContext() + sslContextPointer.clear(); + } + +-/*! +- \internal +-*/ +-void QSslSocketPrivate::deinitialize() +-{ +- q_CRYPTO_set_id_callback(0); +- q_CRYPTO_set_locking_callback(0); +- q_ERR_free_strings(); +-} +- + /*! + \internal + +@@ -486,91 +399,6 @@ bool QSslSocketPrivate::supportsSsl() + return ensureLibraryLoaded(); + } + +-bool QSslSocketPrivate::ensureLibraryLoaded() +-{ +- if (!q_resolveOpenSslSymbols()) +- return false; +- +- // Check if the library itself needs to be initialized. +- QMutexLocker locker(openssl_locks()->initLock()); +- +- if (!s_libraryLoaded) { +- s_libraryLoaded = true; +- +- // Initialize OpenSSL. +- q_CRYPTO_set_id_callback(id_function); +- q_CRYPTO_set_locking_callback(locking_function); +- if (q_SSL_library_init() != 1) +- return false; +- q_SSL_load_error_strings(); +- q_OpenSSL_add_all_algorithms(); +- +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +- if (q_SSLeay() >= 0x10001000L) +- QSslSocketBackendPrivate::s_indexForSSLExtraData = q_SSL_get_ex_new_index(0L, NULL, NULL, NULL, NULL); +-#endif +- +- // Initialize OpenSSL's random seed. +- if (!q_RAND_status()) { +- qWarning("Random number generator not seeded, disabling SSL support"); +- return false; +- } +- } +- return true; +-} +- +-void QSslSocketPrivate::ensureCiphersAndCertsLoaded() +-{ +- QMutexLocker locker(openssl_locks()->initLock()); +- if (s_loadedCiphersAndCerts) +- return; +- s_loadedCiphersAndCerts = true; +- +- resetDefaultCiphers(); +- resetDefaultEllipticCurves(); +- +-#if QT_CONFIG(library) +- //load symbols needed to receive certificates from system store +-#if defined(Q_OS_WIN) +- HINSTANCE hLib = LoadLibraryW(L"Crypt32"); +- if (hLib) { +- ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); +- ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); +- ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); +- if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) +- qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen +- } else { +- qCWarning(lcSsl, "could not load crypt32 library"); // should never happen +- } +-#elif defined(Q_OS_QNX) +- s_loadRootCertsOnDemand = true; +-#elif defined(Q_OS_UNIX) && !defined(Q_OS_MAC) +- // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) +- QList dirs = unixRootCertDirectories(); +- QStringList symLinkFilter; +- symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); +- for (int a = 0; a < dirs.count(); ++a) { +- QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); +- if (iterator.hasNext()) { +- s_loadRootCertsOnDemand = true; +- break; +- } +- } +-#endif +-#endif // QT_CONFIG(library) +- // if on-demand loading was not enabled, load the certs now +- if (!s_loadRootCertsOnDemand) +- setDefaultCaCertificates(systemCaCertificates()); +-#ifdef Q_OS_WIN +- //Enabled for fetching additional root certs from windows update on windows 6+ +- //This flag is set false by setDefaultCaCertificates() indicating the app uses +- //its own cert bundle rather than the system one. +- //Same logic that disables the unix on demand cert loading. +- //Unlike unix, we do preload the certificates from the cert store. +- if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) +- s_loadRootCertsOnDemand = true; +-#endif +-} + + /*! + \internal +@@ -587,26 +415,6 @@ void QSslSocketPrivate::ensureInitialized() + ensureCiphersAndCertsLoaded(); + } + +-long QSslSocketPrivate::sslLibraryVersionNumber() +-{ +- if (!supportsSsl()) +- return 0; +- +- return q_SSLeay(); +-} +- +-QString QSslSocketPrivate::sslLibraryVersionString() +-{ +- if (!supportsSsl()) +- return QString(); +- +- const char *versionString = q_SSLeay_version(SSLEAY_VERSION); +- if (!versionString) +- return QString(); +- +- return QString::fromLatin1(versionString); +-} +- + long QSslSocketPrivate::sslLibraryBuildVersionNumber() + { + return OPENSSL_VERSION_NUMBER; +@@ -628,7 +436,11 @@ QString QSslSocketPrivate::sslLibraryBuildVersionString() + */ + void QSslSocketPrivate::resetDefaultCiphers() + { ++#if QT_CONFIG(opensslv11) ++ SSL_CTX *myCtx = q_SSL_CTX_new(q_TLS_client_method()); ++#else + SSL_CTX *myCtx = q_SSL_CTX_new(q_SSLv23_client_method()); ++#endif + SSL *mySsl = q_SSL_new(myCtx); + + QList ciphers; +@@ -664,7 +476,7 @@ void QSslSocketPrivate::resetDefaultEllipticCurves() + QVector curves; + + #ifndef OPENSSL_NO_EC +- const size_t curveCount = q_EC_get_builtin_curves(NULL, 0); ++ const size_t curveCount = q_EC_get_builtin_curves(nullptr, 0); + + QVarLengthArray builtinCurves(static_cast(curveCount)); + +@@ -698,13 +510,14 @@ QList QSslSocketPrivate::systemCaCertificates() + if (ptrCertOpenSystemStoreW && ptrCertFindCertificateInStore && ptrCertCloseStore) { + HCERTSTORE hSystemStore; + hSystemStore = ptrCertOpenSystemStoreW(0, L"ROOT"); +- if(hSystemStore) { +- PCCERT_CONTEXT pc = NULL; +- while(1) { +- pc = ptrCertFindCertificateInStore( hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, pc); +- if(!pc) ++ if (hSystemStore) { ++ PCCERT_CONTEXT pc = nullptr; ++ while (1) { ++ pc = ptrCertFindCertificateInStore(hSystemStore, X509_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, pc); ++ if (!pc) + break; +- QByteArray der((const char *)(pc->pbCertEncoded), static_cast(pc->cbCertEncoded)); ++ QByteArray der(reinterpret_cast(pc->pbCertEncoded), ++ static_cast(pc->cbCertEncoded)); + QSslCertificate cert(der, QSsl::Der); + systemCerts.append(cert); + } +@@ -1504,14 +1317,8 @@ QSslCipher QSslSocketBackendPrivate::sessionCipher() const + { + if (!ssl) + return QSslCipher(); +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +- // FIXME This is fairly evil, but needed to keep source level compatibility +- // with the OpenSSL 0.9.x implementation at maximum -- some other functions +- // don't take a const SSL_CIPHER* when they should +- SSL_CIPHER *sessionCipher = const_cast(q_SSL_get_current_cipher(ssl)); +-#else +- SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); +-#endif ++ ++ const SSL_CIPHER *sessionCipher = q_SSL_get_current_cipher(ssl); + return sessionCipher ? QSslCipher_from_SSL_CIPHER(sessionCipher) : QSslCipher(); + } + +@@ -1537,112 +1344,6 @@ QSsl::SslProtocol QSslSocketBackendPrivate::sessionProtocol() const + return QSsl::UnknownProtocol; + } + +-void QSslSocketBackendPrivate::continueHandshake() +-{ +- Q_Q(QSslSocket); +- // if we have a max read buffer size, reset the plain socket's to match +- if (readBufferMaxSize) +- plainSocket->setReadBufferSize(readBufferMaxSize); +- +- if (q_SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)) +- configuration.peerSessionShared = true; +- +-#ifdef QT_DECRYPT_SSL_TRAFFIC +- if (ssl->session && ssl->s3) { +- const char *mk = reinterpret_cast(ssl->session->master_key); +- QByteArray masterKey(mk, ssl->session->master_key_length); +- const char *random = reinterpret_cast(ssl->s3->client_random); +- QByteArray clientRandom(random, SSL3_RANDOM_SIZE); +- +- // different format, needed for e.g. older Wireshark versions: +-// const char *sid = reinterpret_cast(ssl->session->session_id); +-// QByteArray sessionID(sid, ssl->session->session_id_length); +-// QByteArray debugLineRSA("RSA Session-ID:"); +-// debugLineRSA.append(sessionID.toHex().toUpper()); +-// debugLineRSA.append(" Master-Key:"); +-// debugLineRSA.append(masterKey.toHex().toUpper()); +-// debugLineRSA.append("\n"); +- +- QByteArray debugLineClientRandom("CLIENT_RANDOM "); +- debugLineClientRandom.append(clientRandom.toHex().toUpper()); +- debugLineClientRandom.append(" "); +- debugLineClientRandom.append(masterKey.toHex().toUpper()); +- debugLineClientRandom.append("\n"); +- +- QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); +- QFile file(sslKeyFile); +- if (!file.open(QIODevice::Append)) +- qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; +- if (!file.write(debugLineClientRandom)) +- qCWarning(lcSsl) << "could not write to file" << sslKeyFile; +- file.close(); +- } else { +- qCWarning(lcSsl, "could not decrypt SSL traffic"); +- } +-#endif +- +- // Cache this SSL session inside the QSslContext +- if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { +- if (!sslContextPointer->cacheSession(ssl)) { +- sslContextPointer.clear(); // we could not cache the session +- } else { +- // Cache the session for permanent usage as well +- if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { +- if (!sslContextPointer->sessionASN1().isEmpty()) +- configuration.sslSession = sslContextPointer->sessionASN1(); +- configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); +- } +- } +- } +- +-#if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) +- +- configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; +- if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { +- // we could not agree -> be conservative and use HTTP/1.1 +- configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); +- } else { +- const unsigned char *proto = 0; +- unsigned int proto_len = 0; +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (q_SSLeay() >= 0x10002000L) { +- q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); +- if (proto_len && mode == QSslSocket::SslClientMode) { +- // Client does not have a callback that sets it ... +- configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; +- } +- } +- +- if (!proto_len) { // Test if NPN was more lucky ... +-#else +- { +-#endif +- q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); +- } +- +- if (proto_len) +- configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast(proto), proto_len); +- else +- configuration.nextNegotiatedProtocol.clear(); +- } +-#endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... +- +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { +- EVP_PKEY *key; +- if (q_SSL_get_server_tmp_key(ssl, &key)) +- configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); +- } +-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... +- +- connectionEncrypted = true; +- emit q->encrypted(); +- if (autoStartHandshake && pendingClose) { +- pendingClose = false; +- q->disconnectFromHost(); +- } +-} +- + QList QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509) + { + ensureInitialized(); +@@ -1696,12 +1397,12 @@ QList QSslSocketBackendPrivate::verify(const QList & + QMutexLocker sslErrorListMutexLocker(&_q_sslErrorList()->mutex); + + // Register a custom callback to get all verification errors. +- X509_STORE_set_verify_cb_func(certStore, q_X509Callback); ++ q_X509_STORE_set_verify_cb(certStore, q_X509Callback); + + // Build the chain of intermediate certificates + STACK_OF(X509) *intermediates = 0; + if (certificateChain.length() > 1) { +- intermediates = (STACK_OF(X509) *) q_sk_new_null(); ++ intermediates = (STACK_OF(X509) *) q_OPENSSL_sk_new_null(); + + if (!intermediates) { + q_X509_STORE_free(certStore); +@@ -1715,11 +1416,8 @@ QList QSslSocketBackendPrivate::verify(const QList & + first = false; + continue; + } +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +- q_sk_push( (_STACK *)intermediates, reinterpret_cast(cert.handle())); +-#else +- q_sk_push( (STACK *)intermediates, reinterpret_cast(cert.handle())); +-#endif ++ ++ q_OPENSSL_sk_push((OPENSSL_STACK *)intermediates, reinterpret_cast(cert.handle())); + } + } + +@@ -1743,11 +1441,7 @@ QList QSslSocketBackendPrivate::verify(const QList & + (void) q_X509_verify_cert(storeContext); + + q_X509_STORE_CTX_free(storeContext); +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +- q_sk_free( (_STACK *) intermediates); +-#else +- q_sk_free( (STACK *) intermediates); +-#endif ++ q_OPENSSL_sk_free((OPENSSL_STACK *)intermediates); + + // Now process the errors + const auto errorList = std::move(_q_sslErrorList()->errors); +@@ -1821,7 +1515,8 @@ bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, + // Convert to Qt types + if (!key->d->fromEVP_PKEY(pkey)) { + qCWarning(lcSsl, "Unable to convert private key"); +- q_sk_pop_free(reinterpret_cast(ca), reinterpret_cast(q_sk_free)); ++ q_OPENSSL_sk_pop_free(reinterpret_cast(ca), ++ reinterpret_cast(q_OPENSSL_sk_free)); + q_X509_free(x509); + q_EVP_PKEY_free(pkey); + q_PKCS12_free(p12); +@@ -1836,7 +1531,11 @@ bool QSslSocketBackendPrivate::importPkcs12(QIODevice *device, + *caCertificates = QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(ca); + + // Clean up +- q_sk_pop_free(reinterpret_cast(ca), reinterpret_cast(q_sk_free)); ++ // TODO: verify ASAP, in the past we had sk_pop_free with q_OPENSSL_sk_free ++ // which seems to be blatantly wrong and even crashes with 1.1. ++ q_OPENSSL_sk_pop_free(reinterpret_cast(ca), ++ reinterpret_cast(q_X509_free)); ++ + q_X509_free(x509); + q_EVP_PKEY_free(pkey); + q_PKCS12_free(p12); +diff --git a/qtbase/src/network/ssl/qsslsocket_openssl11.cpp b/qtbase/src/network/ssl/qsslsocket_openssl11.cpp +new file mode 100644 +index 0000000000..b6d18943a5 +--- /dev/null ++++ b/qtbase/src/network/ssl/qsslsocket_openssl11.cpp +@@ -0,0 +1,285 @@ ++/**************************************************************************** ++** ++** Copyright (C) 2017 The Qt Company Ltd. ++** Copyright (C) 2014 Governikus GmbH & Co. KG ++** Copyright (C) 2016 Richard J. Moore ++** Contact: https://www.qt.io/licensing/ ++** ++** This file is part of the QtNetwork module of the Qt Toolkit. ++** ++** $QT_BEGIN_LICENSE:LGPL$ ++** Commercial License Usage ++** Licensees holding valid commercial Qt licenses may use this file in ++** accordance with the commercial license agreement provided with the ++** Software or, alternatively, in accordance with the terms contained in ++** a written agreement between you and The Qt Company. For licensing terms ++** and conditions see https://www.qt.io/terms-conditions. For further ++** information use the contact form at https://www.qt.io/contact-us. ++** ++** GNU Lesser General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU Lesser ++** General Public License version 3 as published by the Free Software ++** Foundation and appearing in the file LICENSE.LGPL3 included in the ++** packaging of this file. Please review the following information to ++** ensure the GNU Lesser General Public License version 3 requirements ++** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ++** ++** GNU General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU ++** General Public License version 2.0 or (at your option) the GNU General ++** Public license version 3 or any later version approved by the KDE Free ++** Qt Foundation. The licenses are as published by the Free Software ++** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 ++** included in the packaging of this file. Please review the following ++** information to ensure the GNU General Public License requirements will ++** be met: https://www.gnu.org/licenses/gpl-2.0.html and ++** https://www.gnu.org/licenses/gpl-3.0.html. ++** ++** $QT_END_LICENSE$ ++** ++****************************************************************************/ ++ ++/**************************************************************************** ++** ++** In addition, as a special exception, the copyright holders listed above give ++** permission to link the code of its release of Qt with the OpenSSL project's ++** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the ++** same license as the original version), and distribute the linked executables. ++** ++** You must comply with the GNU General Public License version 2 in all ++** respects for all of the code used other than the "OpenSSL" code. If you ++** modify this file, you may extend this exception to your version of the file, ++** but you are not obligated to do so. If you do not wish to do so, delete ++** this exception statement from your version of this file. ++** ++****************************************************************************/ ++ ++//#define QT_DECRYPT_SSL_TRAFFIC ++ ++#include "qssl_p.h" ++#include "qsslsocket_openssl_p.h" ++#include "qsslsocket_openssl_symbols_p.h" ++#include "qsslsocket.h" ++#include "qsslkey.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++QT_BEGIN_NAMESPACE ++ ++Q_GLOBAL_STATIC_WITH_ARGS(QMutex, qt_opensslInitMutex, (QMutex::Recursive)) ++ ++/*! ++ \internal ++*/ ++void QSslSocketPrivate::deinitialize() ++{ ++ // This function exists only for compatibility with the pre-11 code, ++ // where deinitialize() actually does some cleanup. To be discarded ++ // once we retire < 1.1. ++} ++ ++bool QSslSocketPrivate::ensureLibraryLoaded() ++{ ++ if (!q_resolveOpenSslSymbols()) ++ return false; ++ ++ const QMutexLocker locker(qt_opensslInitMutex); ++ ++ if (!s_libraryLoaded) { ++ s_libraryLoaded = true; ++ ++ // Initialize OpenSSL. ++ if (q_OPENSSL_init_ssl(0, nullptr) != 1) ++ return false; ++ q_SSL_load_error_strings(); ++ q_OpenSSL_add_all_algorithms(); ++ ++ QSslSocketBackendPrivate::s_indexForSSLExtraData ++ = q_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, 0L, nullptr, nullptr, ++ nullptr, nullptr); ++ ++ // Initialize OpenSSL's random seed. ++ if (!q_RAND_status()) { ++ qWarning("Random number generator not seeded, disabling SSL support"); ++ return false; ++ } ++ } ++ return true; ++} ++ ++void QSslSocketPrivate::ensureCiphersAndCertsLoaded() ++{ ++ const QMutexLocker locker(qt_opensslInitMutex); ++ ++ if (s_loadedCiphersAndCerts) ++ return; ++ s_loadedCiphersAndCerts = true; ++ ++ resetDefaultCiphers(); ++ resetDefaultEllipticCurves(); ++ ++#if QT_CONFIG(library) ++ //load symbols needed to receive certificates from system store ++#if defined(Q_OS_WIN) ++ HINSTANCE hLib = LoadLibraryW(L"Crypt32"); ++ if (hLib) { ++ ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); ++ ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); ++ ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); ++ if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) ++ qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen ++ } else { ++ qCWarning(lcSsl, "could not load crypt32 library"); // should never happen ++ } ++#elif defined(Q_OS_QNX) ++ s_loadRootCertsOnDemand = true; ++#elif defined(Q_OS_UNIX) && !defined(Q_OS_DARWIN) ++ // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) ++ QList dirs = unixRootCertDirectories(); ++ QStringList symLinkFilter; ++ symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); ++ for (int a = 0; a < dirs.count(); ++a) { ++ QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); ++ if (iterator.hasNext()) { ++ s_loadRootCertsOnDemand = true; ++ break; ++ } ++ } ++#endif ++#endif // QT_CONFIG(library) ++ // if on-demand loading was not enabled, load the certs now ++ if (!s_loadRootCertsOnDemand) ++ setDefaultCaCertificates(systemCaCertificates()); ++#ifdef Q_OS_WIN ++ //Enabled for fetching additional root certs from windows update on windows 6+ ++ //This flag is set false by setDefaultCaCertificates() indicating the app uses ++ //its own cert bundle rather than the system one. ++ //Same logic that disables the unix on demand cert loading. ++ //Unlike unix, we do preload the certificates from the cert store. ++ if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) ++ s_loadRootCertsOnDemand = true; ++#endif ++} ++ ++long QSslSocketPrivate::sslLibraryVersionNumber() ++{ ++ if (!supportsSsl()) ++ return 0; ++ ++ return q_OpenSSL_version_num(); ++} ++ ++QString QSslSocketPrivate::sslLibraryVersionString() ++{ ++ if (!supportsSsl()) ++ return QString(); ++ ++ const char *versionString = q_OpenSSL_version(OPENSSL_VERSION); ++ if (!versionString) ++ return QString(); ++ ++ return QString::fromLatin1(versionString); ++} ++ ++void QSslSocketBackendPrivate::continueHandshake() ++{ ++ Q_Q(QSslSocket); ++ // if we have a max read buffer size, reset the plain socket's to match ++ if (readBufferMaxSize) ++ plainSocket->setReadBufferSize(readBufferMaxSize); ++ ++ if (q_SSL_session_reused(ssl)) ++ configuration.peerSessionShared = true; ++ ++#ifdef QT_DECRYPT_SSL_TRAFFIC ++ if (q_SSL_get_session(ssl)) { ++ size_t master_key_len = q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), 0, 0); ++ size_t client_random_len = q_SSL_get_client_random(ssl, 0, 0); ++ QByteArray masterKey(int(master_key_len), 0); // Will not overflow ++ QByteArray clientRandom(int(client_random_len), 0); // Will not overflow ++ ++ q_SSL_SESSION_get_master_key(q_SSL_get_session(ssl), ++ reinterpret_cast(masterKey.data()), ++ masterKey.size()); ++ q_SSL_get_client_random(ssl, reinterpret_cast(clientRandom.data()), ++ clientRandom.size()); ++ ++ QByteArray debugLineClientRandom("CLIENT_RANDOM "); ++ debugLineClientRandom.append(clientRandom.toHex().toUpper()); ++ debugLineClientRandom.append(" "); ++ debugLineClientRandom.append(masterKey.toHex().toUpper()); ++ debugLineClientRandom.append("\n"); ++ ++ QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); ++ QFile file(sslKeyFile); ++ if (!file.open(QIODevice::Append)) ++ qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; ++ if (!file.write(debugLineClientRandom)) ++ qCWarning(lcSsl) << "could not write to file" << sslKeyFile; ++ file.close(); ++ } else { ++ qCWarning(lcSsl, "could not decrypt SSL traffic"); ++ } ++#endif ++ ++ // Cache this SSL session inside the QSslContext ++ if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { ++ if (!sslContextPointer->cacheSession(ssl)) { ++ sslContextPointer.clear(); // we could not cache the session ++ } else { ++ // Cache the session for permanent usage as well ++ if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { ++ if (!sslContextPointer->sessionASN1().isEmpty()) ++ configuration.sslSession = sslContextPointer->sessionASN1(); ++ configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); ++ } ++ } ++ } ++ ++#if !defined(OPENSSL_NO_NEXTPROTONEG) ++ ++ configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; ++ if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { ++ // we could not agree -> be conservative and use HTTP/1.1 ++ configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); ++ } else { ++ const unsigned char *proto = 0; ++ unsigned int proto_len = 0; ++ ++ q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); ++ if (proto_len && mode == QSslSocket::SslClientMode) { ++ // Client does not have a callback that sets it ... ++ configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; ++ } ++ ++ if (!proto_len) { // Test if NPN was more lucky ... ++ q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); ++ } ++ ++ if (proto_len) ++ configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast(proto), proto_len); ++ else ++ configuration.nextNegotiatedProtocol.clear(); ++ } ++#endif // !defined(OPENSSL_NO_NEXTPROTONEG) ++ ++ if (mode == QSslSocket::SslClientMode) { ++ EVP_PKEY *key; ++ if (q_SSL_get_server_tmp_key(ssl, &key)) ++ configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); ++ } ++ ++ connectionEncrypted = true; ++ emit q->encrypted(); ++ if (autoStartHandshake && pendingClose) { ++ pendingClose = false; ++ q->disconnectFromHost(); ++ } ++} ++ ++QT_END_NAMESPACE +diff --git a/qtbase/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/qtbase/src/network/ssl/qsslsocket_openssl11_symbols_p.h +new file mode 100644 +index 0000000000..2980b3d23e +--- /dev/null ++++ b/qtbase/src/network/ssl/qsslsocket_openssl11_symbols_p.h +@@ -0,0 +1,132 @@ ++/**************************************************************************** ++** ++** Copyright (C) 2017 The Qt Company Ltd. ++** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ++** Copyright (C) 2016 Richard J. Moore ++** Contact: https://www.qt.io/licensing/ ++** ++** This file is part of the QtNetwork module of the Qt Toolkit. ++** ++** $QT_BEGIN_LICENSE:LGPL$ ++** Commercial License Usage ++** Licensees holding valid commercial Qt licenses may use this file in ++** accordance with the commercial license agreement provided with the ++** Software or, alternatively, in accordance with the terms contained in ++** a written agreement between you and The Qt Company. For licensing terms ++** and conditions see https://www.qt.io/terms-conditions. For further ++** information use the contact form at https://www.qt.io/contact-us. ++** ++** GNU Lesser General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU Lesser ++** General Public License version 3 as published by the Free Software ++** Foundation and appearing in the file LICENSE.LGPL3 included in the ++** packaging of this file. Please review the following information to ++** ensure the GNU Lesser General Public License version 3 requirements ++** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ++** ++** GNU General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU ++** General Public License version 2.0 or (at your option) the GNU General ++** Public license version 3 or any later version approved by the KDE Free ++** Qt Foundation. The licenses are as published by the Free Software ++** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 ++** included in the packaging of this file. Please review the following ++** information to ensure the GNU General Public License requirements will ++** be met: https://www.gnu.org/licenses/gpl-2.0.html and ++** https://www.gnu.org/licenses/gpl-3.0.html. ++** ++** $QT_END_LICENSE$ ++** ++****************************************************************************/ ++ ++/**************************************************************************** ++** ++** In addition, as a special exception, the copyright holders listed above give ++** permission to link the code of its release of Qt with the OpenSSL project's ++** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the ++** same license as the original version), and distribute the linked executables. ++** ++** You must comply with the GNU General Public License version 2 in all ++** respects for all of the code used other than the "OpenSSL" code. If you ++** modify this file, you may extend this exception to your version of the file, ++** but you are not obligated to do so. If you do not wish to do so, delete ++** this exception statement from your version of this file. ++** ++****************************************************************************/ ++ ++#ifndef QSSLSOCKET_OPENSSL11_SYMBOLS_P_H ++#define QSSLSOCKET_OPENSSL11_SYMBOLS_P_H ++ ++// ++// W A R N I N G ++// ------------- ++// ++// This file is not part of the Qt API. It exists purely as an ++// implementation detail. This header file may change from version to ++// version without notice, or even be removed. ++// ++// We mean it. ++// ++ ++// Note: this file does not have QT_BEGIN_NAMESPACE/QT_END_NAMESPACE, it's done ++// in qsslsocket_openssl_symbols_p.h. ++ ++#ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H ++#error "You are not supposed to use this header file, include qsslsocket_openssl_symbols_p.h instead" ++#endif ++ ++const unsigned char * q_ASN1_STRING_get0_data(const ASN1_STRING *x); ++ ++Q_AUTOTEST_EXPORT BIO *q_BIO_new(const BIO_METHOD *a); ++Q_AUTOTEST_EXPORT const BIO_METHOD *q_BIO_s_mem(); ++ ++int q_DSA_bits(DSA *a); ++int q_EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c); ++int q_EVP_PKEY_base_id(EVP_PKEY *a); ++int q_RSA_bits(RSA *a); ++int q_OPENSSL_sk_num(OPENSSL_STACK *a); ++void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *)); ++OPENSSL_STACK *q_OPENSSL_sk_new_null(); ++void q_OPENSSL_sk_push(OPENSSL_STACK *st, void *data); ++void q_OPENSSL_sk_free(OPENSSL_STACK *a); ++void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b); ++int q_SSL_session_reused(SSL *a); ++unsigned long q_SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op); ++int q_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); ++size_t q_SSL_get_client_random(SSL *a, unsigned char *out, size_t outlen); ++size_t q_SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned char *out, size_t outlen); ++int q_CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); ++const SSL_METHOD *q_TLS_method(); ++const SSL_METHOD *q_TLS_client_method(); ++const SSL_METHOD *q_TLS_server_method(); ++ASN1_TIME *q_X509_getm_notBefore(X509 *a); ++ASN1_TIME *q_X509_getm_notAfter(X509 *a); ++ ++long q_X509_get_version(X509 *a); ++EVP_PKEY *q_X509_get_pubkey(X509 *a); ++void q_X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); ++STACK_OF(X509) *q_X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); ++void q_DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); ++int q_DH_bits(DH *dh); ++ ++# define q_SSL_load_error_strings() q_OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \ ++ | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) ++ ++#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_OPENSSL_sk_num)(st) ++#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_OPENSSL_sk_value)(st, i) ++ ++#define q_OPENSSL_add_all_algorithms_conf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ ++ | OPENSSL_INIT_ADD_ALL_DIGESTS \ ++ | OPENSSL_INIT_LOAD_CONFIG, NULL) ++#define q_OPENSSL_add_all_algorithms_noconf() q_OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ ++ | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) ++ ++int q_OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); ++void q_CRYPTO_free(void *str, const char *file, int line); ++ ++long q_OpenSSL_version_num(); ++const char *q_OpenSSL_version(int type); ++ ++unsigned long q_SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session); ++ ++#endif +diff --git a/qtbase/src/network/ssl/qsslsocket_openssl_p.h b/qtbase/src/network/ssl/qsslsocket_openssl_p.h +index b2adb3e547..7f9e884045 100644 +--- a/qtbase/src/network/ssl/qsslsocket_openssl_p.h ++++ b/qtbase/src/network/ssl/qsslsocket_openssl_p.h +@@ -1,6 +1,6 @@ + /**************************************************************************** + ** +-** Copyright (C) 2016 The Qt Company Ltd. ++** Copyright (C) 2017 The Qt Company Ltd. + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtNetwork module of the Qt Toolkit. +@@ -98,8 +98,8 @@ + #include + #include + +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +-typedef _STACK STACK; ++#if QT_CONFIG(opensslv11) ++#include + #endif + + QT_BEGIN_NAMESPACE +@@ -151,7 +151,7 @@ public: + #endif + + Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions); +- static QSslCipher QSslCipher_from_SSL_CIPHER(SSL_CIPHER *cipher); ++ static QSslCipher QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher); + static QList STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509); + static QList verify(const QList &certificateChain, const QString &hostName); + static QString getErrorsFromOpenSsl(); +diff --git a/qtbase/src/network/ssl/qsslsocket_openssl_symbols.cpp b/qtbase/src/network/ssl/qsslsocket_openssl_symbols.cpp +index c344a94427..0ef8bf6b5e 100644 +--- a/qtbase/src/network/ssl/qsslsocket_openssl_symbols.cpp ++++ b/qtbase/src/network/ssl/qsslsocket_openssl_symbols.cpp +@@ -1,7 +1,8 @@ + /**************************************************************************** + ** +-** Copyright (C) 2016 The Qt Company Ltd. ++** Copyright (C) 2017 The Qt Company Ltd. + ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. ++** Copyright (C) 2016 Richard J. Moore + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtNetwork module of the Qt Toolkit. +@@ -136,49 +137,195 @@ void qsslSocketCannotResolveSymbolWarning(const char *functionName) + + #endif // QT_LINKED_OPENSSL + ++#if QT_CONFIG(opensslv11) ++ ++// Below are the functions first introduced in version 1.1: ++ ++DEFINEFUNC(const unsigned char *, ASN1_STRING_get0_data, const ASN1_STRING *a, a, return 0, return) ++DEFINEFUNC2(int, OPENSSL_init_ssl, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) ++DEFINEFUNC2(int, OPENSSL_init_crypto, uint64_t opts, opts, const OPENSSL_INIT_SETTINGS *settings, settings, return 0, return) ++DEFINEFUNC(BIO *, BIO_new, const BIO_METHOD *a, a, return 0, return) ++DEFINEFUNC(const BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) ++DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return) ++DEFINEFUNC(int, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX *c, c, return 0, return) ++DEFINEFUNC(int, EVP_PKEY_base_id, EVP_PKEY *a, a, return NID_undef, return) ++DEFINEFUNC(int, RSA_bits, RSA *a, a, return 0, return) ++DEFINEFUNC(int, DSA_bits, DSA *a, a, return 0, return) ++DEFINEFUNC(int, OPENSSL_sk_num, OPENSSL_STACK *a, a, return -1, return) ++DEFINEFUNC2(void, OPENSSL_sk_pop_free, OPENSSL_STACK *a, a, void (*b)(void*), b, return, DUMMYARG) ++DEFINEFUNC(OPENSSL_STACK *, OPENSSL_sk_new_null, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC2(void, OPENSSL_sk_push, OPENSSL_STACK *a, a, void *b, b, return, DUMMYARG) ++DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG) ++DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return 0, return) ++DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return) ++DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) ++DEFINEFUNC3(size_t, SSL_get_client_random, SSL *a, a, unsigned char *out, out, size_t outlen, outlen, return 0, return) ++DEFINEFUNC3(size_t, SSL_SESSION_get_master_key, const SSL_SESSION *ses, ses, unsigned char *out, out, size_t outlen, outlen, return 0, return) ++DEFINEFUNC6(int, CRYPTO_get_ex_new_index, int class_index, class_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) ++ ++DEFINEFUNC(const SSL_METHOD *, TLS_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(const SSL_METHOD *, TLS_client_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(const SSL_METHOD *, TLS_server_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(ASN1_TIME *, X509_getm_notBefore, X509 *a, a, return 0, return) ++DEFINEFUNC(ASN1_TIME *, X509_getm_notAfter, X509 *a, a, return 0, return) ++DEFINEFUNC(long, X509_get_version, X509 *a, a, return -1, return) ++DEFINEFUNC(EVP_PKEY *, X509_get_pubkey, X509 *a, a, return 0, return) ++DEFINEFUNC2(void, X509_STORE_set_verify_cb, X509_STORE *a, a, X509_STORE_CTX_verify_cb verify_cb, verify_cb, return, DUMMYARG) ++DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get0_chain, X509_STORE_CTX *a, a, return 0, return) ++DEFINEFUNC3(void, CRYPTO_free, void *str, str, const char *file, file, int line, line, return, DUMMYARG) ++DEFINEFUNC(long, OpenSSL_version_num, void, DUMMYARG, return 0, return) ++DEFINEFUNC(const char *, OpenSSL_version, int a, a, return 0, return) ++DEFINEFUNC(unsigned long, SSL_SESSION_get_ticket_lifetime_hint, const SSL_SESSION *session, session, return 0, return) ++DEFINEFUNC4(void, DH_get0_pqg, const DH *dh, dh, const BIGNUM **p, p, const BIGNUM **q, q, const BIGNUM **g, g, return, DUMMYARG) ++DEFINEFUNC(int, DH_bits, DH *dh, dh, return 0, return) ++ ++#else // QT_CONFIG(opensslv11) ++ ++// Functions below are either deprecated or removed in OpenSSL >= 1.1: ++ ++DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) ++ + #ifdef SSLEAY_MACROS + DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return 0, return) + #endif ++DEFINEFUNC2(BIO *, BIO_new_file, const char *filename, filename, const char *mode, mode, return 0, return) ++DEFINEFUNC(void, ERR_clear_error, DUMMYARG, DUMMYARG, return, DUMMYARG) ++DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) ++DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) ++DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG) ++DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG) ++DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG) ++DEFINEFUNC(unsigned long, ERR_peek_last_error, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) ++DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) ++DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) ++ ++#ifdef SSLEAY_MACROS ++DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) ++DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) ++#endif // SSLEAY_MACROS ++ ++DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return) ++DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG) ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG) ++DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG) ++DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return) ++#else ++DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG) ++DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG) ++DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return) ++#endif // OPENSSL_VERSION_NUMBER >= 0x10000000L ++ ++DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return) ++DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG) ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) ++#endif // OPENSSL_VERSION_NUMBER >= 0x10001000L ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10000000L ++#ifndef OPENSSL_NO_SSL2 ++DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++#ifndef OPENSSL_NO_SSL3_METHOD ++DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++#ifndef OPENSSL_NO_SSL2 ++DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++#ifndef OPENSSL_NO_SSL3_METHOD ++DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++#else ++#ifndef OPENSSL_NO_SSL2 ++DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++#ifndef OPENSSL_NO_SSL3_METHOD ++DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) ++#ifndef OPENSSL_NO_SSL2 ++DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++#ifndef OPENSSL_NO_SSL3_METHOD ++DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) ++#endif ++ ++DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) ++ ++#ifdef SSLEAY_MACROS ++DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) ++DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return) ++#ifndef OPENSSL_NO_EC ++DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return) ++#endif ++DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return) ++DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return) ++#ifndef OPENSSL_NO_EC ++DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return) ++#endif ++#endif ++DEFINEFUNC(char *, CONF_get1_default_config_file, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) ++DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) ++DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return) ++DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return) ++ ++#endif // QT_CONFIG(opensslv11) ++ + DEFINEFUNC(long, ASN1_INTEGER_get, ASN1_INTEGER *a, a, return 0, return) +-DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return 0, return) + DEFINEFUNC(int, ASN1_STRING_length, ASN1_STRING *a, a, return 0, return) +-DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return); ++DEFINEFUNC2(int, ASN1_STRING_to_UTF8, unsigned char **a, a, ASN1_STRING *b, b, return 0, return) + DEFINEFUNC4(long, BIO_ctrl, BIO *a, a, int b, b, long c, c, void *d, d, return -1, return) + DEFINEFUNC(int, BIO_free, BIO *a, a, return 0, return) +-DEFINEFUNC(BIO *, BIO_new, BIO_METHOD *a, a, return 0, return) + DEFINEFUNC2(BIO *, BIO_new_mem_buf, void *a, a, int b, b, return 0, return) + DEFINEFUNC3(int, BIO_read, BIO *a, a, void *b, b, int c, c, return -1, return) +-DEFINEFUNC(BIO_METHOD *, BIO_s_mem, void, DUMMYARG, return 0, return) ++ + DEFINEFUNC3(int, BIO_write, BIO *a, a, const void *b, b, int c, c, return -1, return) + DEFINEFUNC(int, BN_num_bits, const BIGNUM *a, a, return 0, return) +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L +-DEFINEFUNC2(int, BN_is_word, BIGNUM *a, a, BN_ULONG w, w, return 0, return) +-#endif + DEFINEFUNC2(BN_ULONG, BN_mod_word, const BIGNUM *a, a, BN_ULONG w, w, return static_cast(-1), return) + #ifndef OPENSSL_NO_EC + DEFINEFUNC(const EC_GROUP*, EC_KEY_get0_group, const EC_KEY* k, k, return 0, return) + DEFINEFUNC(int, EC_GROUP_get_degree, const EC_GROUP* g, g, return 0, return) + #endif +-DEFINEFUNC(int, CRYPTO_num_locks, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(void, CRYPTO_set_locking_callback, void (*a)(int, int, const char *, int), a, return, DUMMYARG) +-DEFINEFUNC(void, CRYPTO_set_id_callback, unsigned long (*a)(), a, return, DUMMYARG) +-DEFINEFUNC(void, CRYPTO_free, void *a, a, return, DUMMYARG) + DEFINEFUNC(DSA *, DSA_new, DUMMYARG, DUMMYARG, return 0, return) + DEFINEFUNC(void, DSA_free, DSA *a, a, return, DUMMYARG) + DEFINEFUNC3(X509 *, d2i_X509, X509 **a, a, const unsigned char **b, b, long c, c, return 0, return) + DEFINEFUNC2(char *, ERR_error_string, unsigned long a, a, char *b, b, return 0, return) + DEFINEFUNC(unsigned long, ERR_get_error, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(void, ERR_free_strings, void, DUMMYARG, return, DUMMYARG) +-DEFINEFUNC(void, EVP_CIPHER_CTX_cleanup, EVP_CIPHER_CTX *a, a, return, DUMMYARG) +-DEFINEFUNC(void, EVP_CIPHER_CTX_init, EVP_CIPHER_CTX *a, a, return, DUMMYARG) +-DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return); ++DEFINEFUNC(EVP_CIPHER_CTX *, EVP_CIPHER_CTX_new, void, DUMMYARG, return 0, return) ++DEFINEFUNC(void, EVP_CIPHER_CTX_free, EVP_CIPHER_CTX *a, a, return, DUMMYARG) ++DEFINEFUNC4(int, EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX *ctx, ctx, int type, type, int arg, arg, void *ptr, ptr, return 0, return) + DEFINEFUNC2(int, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX *ctx, ctx, int keylen, keylen, return 0, return) +-DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return); +-DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return); +-DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return); ++DEFINEFUNC5(int, EVP_CipherInit, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *type, type, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) ++DEFINEFUNC6(int, EVP_CipherInit_ex, EVP_CIPHER_CTX *ctx, ctx, const EVP_CIPHER *cipher, cipher, ENGINE *impl, impl, const unsigned char *key, key, const unsigned char *iv, iv, int enc, enc, return 0, return) ++DEFINEFUNC5(int, EVP_CipherUpdate, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, const unsigned char *in, in, int inl, inl, return 0, return) ++DEFINEFUNC3(int, EVP_CipherFinal, EVP_CIPHER_CTX *ctx, ctx, unsigned char *out, out, int *outl, outl, return 0, return) + DEFINEFUNC(const EVP_CIPHER *, EVP_des_cbc, DUMMYARG, DUMMYARG, return 0, return) + DEFINEFUNC(const EVP_CIPHER *, EVP_des_ede3_cbc, DUMMYARG, DUMMYARG, return 0, return) + DEFINEFUNC(const EVP_CIPHER *, EVP_rc2_cbc, DUMMYARG, DUMMYARG, return 0, return) ++DEFINEFUNC(const EVP_MD *, EVP_sha1, DUMMYARG, DUMMYARG, return 0, return) + DEFINEFUNC3(int, EVP_PKEY_assign, EVP_PKEY *a, a, int b, b, char *c, c, return -1, return) + DEFINEFUNC2(int, EVP_PKEY_set1_RSA, EVP_PKEY *a, a, RSA *b, b, return -1, return) + DEFINEFUNC2(int, EVP_PKEY_set1_DSA, EVP_PKEY *a, a, DSA *b, b, return -1, return) +@@ -202,10 +349,8 @@ DEFINEFUNC3(int, i2t_ASN1_OBJECT, char *a, a, int b, b, ASN1_OBJECT *c, c, retur + DEFINEFUNC4(int, OBJ_obj2txt, char *a, a, int b, b, ASN1_OBJECT *c, c, int d, d, return -1, return) + + DEFINEFUNC(int, OBJ_obj2nid, const ASN1_OBJECT *a, a, return NID_undef, return) +-#ifdef SSLEAY_MACROS +-DEFINEFUNC6(void *, PEM_ASN1_read_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) +-DEFINEFUNC6(void *, PEM_ASN1_write_bio, d2i_of_void *a, a, const char *b, b, BIO *c, c, void **d, d, pem_password_cb *e, e, void *f, f, return 0, return) +-#else ++ ++#ifndef SSLEAY_MACROS + DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PrivateKey, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) + DEFINEFUNC4(DSA *, PEM_read_bio_DSAPrivateKey, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) + DEFINEFUNC4(RSA *, PEM_read_bio_RSAPrivateKey, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) +@@ -218,7 +363,7 @@ DEFINEFUNC7(int, PEM_write_bio_RSAPrivateKey, BIO *a, a, RSA *b, b, const EVP_CI + #ifndef OPENSSL_NO_EC + DEFINEFUNC7(int, PEM_write_bio_ECPrivateKey, BIO *a, a, EC_KEY *b, b, const EVP_CIPHER *c, c, unsigned char *d, d, int e, e, pem_password_cb *f, f, void *g, g, return 0, return) + #endif +-#endif ++#endif // !SSLEAY_MACROS + DEFINEFUNC4(EVP_PKEY *, PEM_read_bio_PUBKEY, BIO *a, a, EVP_PKEY **b, b, pem_password_cb *c, c, void *d, d, return 0, return) + DEFINEFUNC4(DSA *, PEM_read_bio_DSA_PUBKEY, BIO *a, a, DSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) + DEFINEFUNC4(RSA *, PEM_read_bio_RSA_PUBKEY, BIO *a, a, RSA **b, b, pem_password_cb *c, c, void *d, d, return 0, return) +@@ -234,23 +379,10 @@ DEFINEFUNC2(void, RAND_seed, const void *a, a, int b, b, return, DUMMYARG) + DEFINEFUNC(int, RAND_status, void, DUMMYARG, return -1, return) + DEFINEFUNC(RSA *, RSA_new, DUMMYARG, DUMMYARG, return 0, return) + DEFINEFUNC(void, RSA_free, RSA *a, a, return, DUMMYARG) +-DEFINEFUNC(int, sk_num, STACK *a, a, return -1, return) +-DEFINEFUNC2(void, sk_pop_free, STACK *a, a, void (*b)(void*), b, return, DUMMYARG) +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +-DEFINEFUNC(_STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC2(void, sk_push, _STACK *a, a, void *b, b, return, DUMMYARG) +-DEFINEFUNC(void, sk_free, _STACK *a, a, return, DUMMYARG) +-DEFINEFUNC2(void *, sk_value, STACK *a, a, int b, b, return 0, return) +-#else +-DEFINEFUNC(STACK *, sk_new_null, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC2(void, sk_push, STACK *a, a, char *b, b, return, DUMMYARG) +-DEFINEFUNC(void, sk_free, STACK *a, a, return, DUMMYARG) +-DEFINEFUNC2(char *, sk_value, STACK *a, a, int b, b, return 0, return) +-#endif + DEFINEFUNC(int, SSL_accept, SSL *a, a, return -1, return) + DEFINEFUNC(int, SSL_clear, SSL *a, a, return -1, return) +-DEFINEFUNC3(char *, SSL_CIPHER_description, SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return) +-DEFINEFUNC2(int, SSL_CIPHER_get_bits, SSL_CIPHER *a, a, int *b, b, return 0, return) ++DEFINEFUNC3(char *, SSL_CIPHER_description, const SSL_CIPHER *a, a, char *b, b, int c, c, return 0, return) ++DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return) + DEFINEFUNC(int, SSL_connect, SSL *a, a, return -1, return) + DEFINEFUNC(int, SSL_CTX_check_private_key, const SSL_CTX *a, a, return -1, return) + DEFINEFUNC4(long, SSL_CTX_ctrl, SSL_CTX *a, a, int b, b, long c, c, void *d, d, return -1, return) +@@ -287,8 +419,6 @@ DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return) + #else + DEFINEFUNC(long, SSL_get_verify_result, SSL *a, a, return -1, return) + #endif +-DEFINEFUNC(int, SSL_library_init, void, DUMMYARG, return -1, return) +-DEFINEFUNC(void, SSL_load_error_strings, void, DUMMYARG, return, DUMMYARG) + DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return 0, return) + DEFINEFUNC4(long, SSL_ctrl, SSL *a, a, int cmd, cmd, long larg, larg, void *parg, parg, return -1, return) + DEFINEFUNC3(int, SSL_read, SSL *a, a, void *b, b, int c, c, return -1, return) +@@ -301,7 +431,6 @@ DEFINEFUNC(void, SSL_SESSION_free, SSL_SESSION *ses, ses, return, DUMMYARG) + DEFINEFUNC(SSL_SESSION*, SSL_get1_session, SSL *ssl, ssl, return 0, return) + DEFINEFUNC(SSL_SESSION*, SSL_get_session, const SSL *ssl, ssl, return 0, return) + #if OPENSSL_VERSION_NUMBER >= 0x10001000L +-DEFINEFUNC5(int, SSL_get_ex_new_index, long argl, argl, void *argp, argp, CRYPTO_EX_new *new_func, new_func, CRYPTO_EX_dup *dup_func, dup_func, CRYPTO_EX_free *free_func, free_func, return -1, return) + DEFINEFUNC3(int, SSL_set_ex_data, SSL *ssl, ssl, int idx, idx, void *arg, arg, return 0, return) + DEFINEFUNC2(void *, SSL_get_ex_data, const SSL *ssl, ssl, int idx, idx, return NULL, return) + #endif +@@ -310,51 +439,9 @@ DEFINEFUNC2(void, SSL_set_psk_client_callback, SSL* ssl, ssl, q_psk_client_callb + DEFINEFUNC2(void, SSL_set_psk_server_callback, SSL* ssl, ssl, q_psk_server_callback_t callback, callback, return, DUMMYARG) + DEFINEFUNC2(int, SSL_CTX_use_psk_identity_hint, SSL_CTX* ctx, ctx, const char *hint, hint, return 0, return) + #endif +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +-#ifndef OPENSSL_NO_SSL2 +-DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-DEFINEFUNC(const SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-DEFINEFUNC(const SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(const SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +-DEFINEFUNC(const SSL_METHOD *, TLSv1_1_client_method, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(const SSL_METHOD *, TLSv1_2_client_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-#ifndef OPENSSL_NO_SSL2 +-DEFINEFUNC(const SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-DEFINEFUNC(const SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +-DEFINEFUNC(const SSL_METHOD *, TLSv1_1_server_method, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(const SSL_METHOD *, TLSv1_2_server_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-#else +-#ifndef OPENSSL_NO_SSL2 +-DEFINEFUNC(SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-DEFINEFUNC(SSL_METHOD *, SSLv3_client_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-DEFINEFUNC(SSL_METHOD *, SSLv23_client_method, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(SSL_METHOD *, TLSv1_client_method, DUMMYARG, DUMMYARG, return 0, return) +-#ifndef OPENSSL_NO_SSL2 +-DEFINEFUNC(SSL_METHOD *, SSLv2_server_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-DEFINEFUNC(SSL_METHOD *, SSLv3_server_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif +-DEFINEFUNC(SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return) +-DEFINEFUNC(SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return) +-#endif + DEFINEFUNC3(int, SSL_write, SSL *a, a, const void *b, b, int c, c, return -1, return) + DEFINEFUNC2(int, X509_cmp, X509 *a, a, X509 *b, b, return -1, return) ++DEFINEFUNC4(int, X509_digest, const X509 *x509, x509, const EVP_MD *type, type, unsigned char *md, md, unsigned int *len, len, return -1, return) + #ifndef SSLEAY_MACROS + DEFINEFUNC(X509 *, X509_dup, X509 *a, a, return 0, return) + #endif +@@ -378,6 +465,7 @@ DEFINEFUNC2(int, ASN1_STRING_print, BIO *a, a, ASN1_STRING *b, b, return 0, retu + DEFINEFUNC2(int, X509_check_issued, X509 *a, a, X509 *b, b, return -1, return) + DEFINEFUNC(X509_NAME *, X509_get_issuer_name, X509 *a, a, return 0, return) + DEFINEFUNC(X509_NAME *, X509_get_subject_name, X509 *a, a, return 0, return) ++DEFINEFUNC(ASN1_INTEGER *, X509_get_serialNumber, X509 *a, a, return 0, return) + DEFINEFUNC(int, X509_verify_cert, X509_STORE_CTX *a, a, return -1, return) + DEFINEFUNC(int, X509_NAME_entry_count, X509_NAME *a, a, return 0, return) + DEFINEFUNC2(X509_NAME_ENTRY *, X509_NAME_get_entry, X509_NAME *a, a, int b, b, return 0, return) +@@ -393,25 +481,8 @@ DEFINEFUNC2(int, X509_STORE_CTX_set_purpose, X509_STORE_CTX *a, a, int b, b, ret + DEFINEFUNC(int, X509_STORE_CTX_get_error, X509_STORE_CTX *a, a, return -1, return) + DEFINEFUNC(int, X509_STORE_CTX_get_error_depth, X509_STORE_CTX *a, a, return -1, return) + DEFINEFUNC(X509 *, X509_STORE_CTX_get_current_cert, X509_STORE_CTX *a, a, return 0, return) +-DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) + DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return 0, return) +-#ifdef SSLEAY_MACROS +-DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) +-DEFINEFUNC2(int, i2d_RSAPrivateKey, const RSA *a, a, unsigned char **b, b, return -1, return) +-#ifndef OPENSSL_NO_EC +-DEFINEFUNC2(int, i2d_ECPrivateKey, const EC_KEY *a, a, unsigned char **b, b, return -1, return) +-#endif +-DEFINEFUNC3(RSA *, d2i_RSAPrivateKey, RSA **a, a, unsigned char **b, b, long c, c, return 0, return) +-DEFINEFUNC3(DSA *, d2i_DSAPrivateKey, DSA **a, a, unsigned char **b, b, long c, c, return 0, return) +-#ifndef OPENSSL_NO_EC +-DEFINEFUNC3(EC_KEY *, d2i_ECPrivateKey, EC_KEY **a, a, unsigned char **b, b, long c, c, return 0, return) +-#endif +-#endif +-DEFINEFUNC(void, OPENSSL_add_all_algorithms_noconf, void, DUMMYARG, return, DUMMYARG) +-DEFINEFUNC(void, OPENSSL_add_all_algorithms_conf, void, DUMMYARG, return, DUMMYARG) + DEFINEFUNC3(int, SSL_CTX_load_verify_locations, SSL_CTX *ctx, ctx, const char *CAfile, CAfile, const char *CApath, CApath, return 0, return) +-DEFINEFUNC(long, SSLeay, void, DUMMYARG, return 0, return) +-DEFINEFUNC(const char *, SSLeay_version, int a, a, return 0, return) + DEFINEFUNC2(int, i2d_SSL_SESSION, SSL_SESSION *in, in, unsigned char **pp, pp, return 0, return) + DEFINEFUNC3(SSL_SESSION *, d2i_SSL_SESSION, SSL_SESSION **a, a, const unsigned char **pp, pp, long length, length, return 0, return) + #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) +@@ -694,8 +765,8 @@ static QPair loadOpenSsl() + #ifndef Q_OS_DARWIN + // second attempt: find the development files libssl.so and libcrypto.so + // +- // disabled on OS X/iOS: +- // OS X's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third ++ // disabled on macOS/iOS: ++ // macOS's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third + // attempt, _after_ /Contents/Frameworks has been searched. + // iOS does not ship a system libssl.dylib, libcrypto.dylib in the first place. + libssl->setFileNameAndVersion(QLatin1String("ssl"), -1); +@@ -754,7 +825,11 @@ bool q_resolveOpenSslSymbols() + static bool symbolsResolved = false; + static bool triedToResolveSymbols = false; + #ifndef QT_NO_THREAD ++#if QT_CONFIG(opensslv11) ++ QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_OPENSSL_init_ssl)); ++#else + QMutexLocker locker(QMutexPool::globalInstanceGet((void *)&q_SSL_library_init)); ++#endif + #endif + if (symbolsResolved) + return true; +@@ -771,11 +846,145 @@ bool q_resolveOpenSslSymbols() + // failed to load them + return false; + ++#if QT_CONFIG(opensslv11) ++ ++ RESOLVEFUNC(OPENSSL_init_ssl) ++ RESOLVEFUNC(OPENSSL_init_crypto) ++ RESOLVEFUNC(ASN1_STRING_get0_data) ++ RESOLVEFUNC(EVP_CIPHER_CTX_reset) ++ RESOLVEFUNC(EVP_PKEY_base_id) ++ RESOLVEFUNC(RSA_bits) ++ RESOLVEFUNC(OPENSSL_sk_new_null) ++ RESOLVEFUNC(OPENSSL_sk_push) ++ RESOLVEFUNC(OPENSSL_sk_free) ++ RESOLVEFUNC(OPENSSL_sk_num) ++ RESOLVEFUNC(OPENSSL_sk_pop_free) ++ RESOLVEFUNC(OPENSSL_sk_value) ++ RESOLVEFUNC(DH_get0_pqg) ++ RESOLVEFUNC(SSL_CTX_set_options) ++ RESOLVEFUNC(SSL_get_client_random) ++ RESOLVEFUNC(SSL_SESSION_get_master_key) ++ RESOLVEFUNC(SSL_session_reused) ++ RESOLVEFUNC(SSL_get_session) ++ RESOLVEFUNC(CRYPTO_get_ex_new_index) ++ RESOLVEFUNC(TLS_method) ++ RESOLVEFUNC(TLS_client_method) ++ RESOLVEFUNC(TLS_server_method) ++ RESOLVEFUNC(X509_STORE_CTX_get0_chain) ++ RESOLVEFUNC(X509_getm_notBefore) ++ RESOLVEFUNC(X509_getm_notAfter) ++ RESOLVEFUNC(X509_get_version) ++ RESOLVEFUNC(X509_get_pubkey) ++ RESOLVEFUNC(X509_STORE_set_verify_cb) ++ RESOLVEFUNC(CRYPTO_free) ++ RESOLVEFUNC(OpenSSL_version_num) ++ RESOLVEFUNC(OpenSSL_version) ++ if (!_q_OpenSSL_version) { ++ // Apparently, we were built with OpenSSL 1.1 enabled but are now using ++ // a wrong library. ++ delete libs.first; ++ delete libs.second; ++ qCWarning(lcSsl, "Incompatible version of OpenSSL"); ++ return false; ++ } ++ ++ RESOLVEFUNC(SSL_SESSION_get_ticket_lifetime_hint) ++ RESOLVEFUNC(DH_bits) ++ RESOLVEFUNC(DSA_bits) ++ ++#else // !opensslv11 ++ ++ RESOLVEFUNC(ASN1_STRING_data) ++ + #ifdef SSLEAY_MACROS + RESOLVEFUNC(ASN1_dup) ++#endif // SSLEAY_MACROS ++ RESOLVEFUNC(BIO_new_file) ++ RESOLVEFUNC(ERR_clear_error) ++ RESOLVEFUNC(CRYPTO_free) ++ RESOLVEFUNC(CRYPTO_num_locks) ++ RESOLVEFUNC(CRYPTO_set_id_callback) ++ RESOLVEFUNC(CRYPTO_set_locking_callback) ++ RESOLVEFUNC(ERR_peek_last_error) ++ RESOLVEFUNC(ERR_free_strings) ++ RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) ++ RESOLVEFUNC(EVP_CIPHER_CTX_init) ++ ++#ifdef SSLEAY_MACROS // ### verify ++ RESOLVEFUNC(PEM_ASN1_read_bio) ++#endif // SSLEAY_MACROS ++ ++ RESOLVEFUNC(sk_new_null) ++ RESOLVEFUNC(sk_push) ++ RESOLVEFUNC(sk_free) ++ RESOLVEFUNC(sk_num) ++ RESOLVEFUNC(sk_pop_free) ++ RESOLVEFUNC(sk_value) ++ RESOLVEFUNC(SSL_library_init) ++ RESOLVEFUNC(SSL_load_error_strings) ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++ RESOLVEFUNC(SSL_get_ex_new_index) ++#endif ++#ifndef OPENSSL_NO_SSL2 ++ RESOLVEFUNC(SSLv2_client_method) + #endif ++#ifndef OPENSSL_NO_SSL3_METHOD ++ RESOLVEFUNC(SSLv3_client_method) ++#endif ++ RESOLVEFUNC(SSLv23_client_method) ++ RESOLVEFUNC(TLSv1_client_method) ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++ RESOLVEFUNC(TLSv1_1_client_method) ++ RESOLVEFUNC(TLSv1_2_client_method) ++#endif ++#ifndef OPENSSL_NO_SSL2 ++ RESOLVEFUNC(SSLv2_server_method) ++#endif ++#ifndef OPENSSL_NO_SSL3_METHOD ++ RESOLVEFUNC(SSLv3_server_method) ++#endif ++ RESOLVEFUNC(SSLv23_server_method) ++ RESOLVEFUNC(TLSv1_server_method) ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++ RESOLVEFUNC(TLSv1_1_server_method) ++ RESOLVEFUNC(TLSv1_2_server_method) ++#endif ++ RESOLVEFUNC(X509_STORE_CTX_get_chain) ++#ifdef SSLEAY_MACROS ++ RESOLVEFUNC(i2d_DSAPrivateKey) ++ RESOLVEFUNC(i2d_RSAPrivateKey) ++ RESOLVEFUNC(d2i_DSAPrivateKey) ++ RESOLVEFUNC(d2i_RSAPrivateKey) ++#endif ++ RESOLVEFUNC(CONF_get1_default_config_file) ++ RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) ++ RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) ++ RESOLVEFUNC(SSLeay) ++ ++ if (!_q_SSLeay || q_SSLeay() >= 0x10100000L) { ++ // OpenSSL 1.1 has deprecated and removed SSLeay. We consider a failure to ++ // resolve this symbol as a failure to resolve symbols. ++ // The right operand of '||' above is ... a bit of paranoia. ++ delete libs.first; ++ delete libs.second; ++ qCWarning(lcSsl, "Incompatible version of OpenSSL"); ++ return false; ++ } ++ ++ ++ RESOLVEFUNC(SSLeay_version) ++ ++#ifndef OPENSSL_NO_EC ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++ if (q_SSLeay() >= 0x10002000L) ++ RESOLVEFUNC(EC_curve_nist2nid) ++#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ++#endif // OPENSSL_NO_EC ++ ++ ++#endif // !opensslv11 ++ + RESOLVEFUNC(ASN1_INTEGER_get) +- RESOLVEFUNC(ASN1_STRING_data) + RESOLVEFUNC(ASN1_STRING_length) + RESOLVEFUNC(ASN1_STRING_to_UTF8) + RESOLVEFUNC(BIO_ctrl) +@@ -794,25 +1003,22 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(BN_is_word) + #endif + RESOLVEFUNC(BN_mod_word) +- RESOLVEFUNC(CRYPTO_free) +- RESOLVEFUNC(CRYPTO_num_locks) +- RESOLVEFUNC(CRYPTO_set_id_callback) +- RESOLVEFUNC(CRYPTO_set_locking_callback) + RESOLVEFUNC(DSA_new) + RESOLVEFUNC(DSA_free) + RESOLVEFUNC(ERR_error_string) + RESOLVEFUNC(ERR_get_error) +- RESOLVEFUNC(ERR_free_strings) +- RESOLVEFUNC(EVP_CIPHER_CTX_cleanup) +- RESOLVEFUNC(EVP_CIPHER_CTX_init) ++ RESOLVEFUNC(EVP_CIPHER_CTX_new) ++ RESOLVEFUNC(EVP_CIPHER_CTX_free) + RESOLVEFUNC(EVP_CIPHER_CTX_ctrl) + RESOLVEFUNC(EVP_CIPHER_CTX_set_key_length) + RESOLVEFUNC(EVP_CipherInit) ++ RESOLVEFUNC(EVP_CipherInit_ex) + RESOLVEFUNC(EVP_CipherUpdate) + RESOLVEFUNC(EVP_CipherFinal) + RESOLVEFUNC(EVP_des_cbc) + RESOLVEFUNC(EVP_des_ede3_cbc) + RESOLVEFUNC(EVP_rc2_cbc) ++ RESOLVEFUNC(EVP_sha1) + RESOLVEFUNC(EVP_PKEY_assign) + RESOLVEFUNC(EVP_PKEY_set1_RSA) + RESOLVEFUNC(EVP_PKEY_set1_DSA) +@@ -834,9 +1040,8 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(i2t_ASN1_OBJECT) + RESOLVEFUNC(OBJ_obj2txt) + RESOLVEFUNC(OBJ_obj2nid) +-#ifdef SSLEAY_MACROS // ### verify +- RESOLVEFUNC(PEM_ASN1_read_bio) +-#else ++ ++#ifndef SSLEAY_MACROS + RESOLVEFUNC(PEM_read_bio_PrivateKey) + RESOLVEFUNC(PEM_read_bio_DSAPrivateKey) + RESOLVEFUNC(PEM_read_bio_RSAPrivateKey) +@@ -849,7 +1054,8 @@ bool q_resolveOpenSslSymbols() + #ifndef OPENSSL_NO_EC + RESOLVEFUNC(PEM_write_bio_ECPrivateKey) + #endif +-#endif ++#endif // !SSLEAY_MACROS ++ + RESOLVEFUNC(PEM_read_bio_PUBKEY) + RESOLVEFUNC(PEM_read_bio_DSA_PUBKEY) + RESOLVEFUNC(PEM_read_bio_RSA_PUBKEY) +@@ -865,12 +1071,6 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(RAND_status) + RESOLVEFUNC(RSA_new) + RESOLVEFUNC(RSA_free) +- RESOLVEFUNC(sk_new_null) +- RESOLVEFUNC(sk_push) +- RESOLVEFUNC(sk_free) +- RESOLVEFUNC(sk_num) +- RESOLVEFUNC(sk_pop_free) +- RESOLVEFUNC(sk_value) + RESOLVEFUNC(SSL_CIPHER_description) + RESOLVEFUNC(SSL_CIPHER_get_bits) + RESOLVEFUNC(SSL_CTX_check_private_key) +@@ -898,8 +1098,6 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(SSL_get_peer_cert_chain) + RESOLVEFUNC(SSL_get_peer_certificate) + RESOLVEFUNC(SSL_get_verify_result) +- RESOLVEFUNC(SSL_library_init) +- RESOLVEFUNC(SSL_load_error_strings) + RESOLVEFUNC(SSL_new) + RESOLVEFUNC(SSL_ctrl) + RESOLVEFUNC(SSL_read) +@@ -912,7 +1110,6 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(SSL_get1_session) + RESOLVEFUNC(SSL_get_session) + #if OPENSSL_VERSION_NUMBER >= 0x10001000L +- RESOLVEFUNC(SSL_get_ex_new_index) + RESOLVEFUNC(SSL_set_ex_data) + RESOLVEFUNC(SSL_get_ex_data) + #endif +@@ -922,30 +1119,6 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(SSL_CTX_use_psk_identity_hint) + #endif + RESOLVEFUNC(SSL_write) +-#ifndef OPENSSL_NO_SSL2 +- RESOLVEFUNC(SSLv2_client_method) +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +- RESOLVEFUNC(SSLv3_client_method) +-#endif +- RESOLVEFUNC(SSLv23_client_method) +- RESOLVEFUNC(TLSv1_client_method) +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +- RESOLVEFUNC(TLSv1_1_client_method) +- RESOLVEFUNC(TLSv1_2_client_method) +-#endif +-#ifndef OPENSSL_NO_SSL2 +- RESOLVEFUNC(SSLv2_server_method) +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +- RESOLVEFUNC(SSLv3_server_method) +-#endif +- RESOLVEFUNC(SSLv23_server_method) +- RESOLVEFUNC(TLSv1_server_method) +-#if OPENSSL_VERSION_NUMBER >= 0x10001000L +- RESOLVEFUNC(TLSv1_1_server_method) +- RESOLVEFUNC(TLSv1_2_server_method) +-#endif + RESOLVEFUNC(X509_NAME_entry_count) + RESOLVEFUNC(X509_NAME_get_entry) + RESOLVEFUNC(X509_NAME_ENTRY_get_data) +@@ -961,12 +1134,12 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(X509_STORE_CTX_get_error) + RESOLVEFUNC(X509_STORE_CTX_get_error_depth) + RESOLVEFUNC(X509_STORE_CTX_get_current_cert) +- RESOLVEFUNC(X509_STORE_CTX_get_chain) + RESOLVEFUNC(X509_cmp) + #ifndef SSLEAY_MACROS + RESOLVEFUNC(X509_dup) + #endif + RESOLVEFUNC(X509_print) ++ RESOLVEFUNC(X509_digest) + RESOLVEFUNC(X509_EXTENSION_get_object) + RESOLVEFUNC(X509_free) + RESOLVEFUNC(X509_get_ext) +@@ -982,20 +1155,11 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(X509_check_issued) + RESOLVEFUNC(X509_get_issuer_name) + RESOLVEFUNC(X509_get_subject_name) ++ RESOLVEFUNC(X509_get_serialNumber) + RESOLVEFUNC(X509_verify_cert) + RESOLVEFUNC(d2i_X509) + RESOLVEFUNC(i2d_X509) +-#ifdef SSLEAY_MACROS +- RESOLVEFUNC(i2d_DSAPrivateKey) +- RESOLVEFUNC(i2d_RSAPrivateKey) +- RESOLVEFUNC(d2i_DSAPrivateKey) +- RESOLVEFUNC(d2i_RSAPrivateKey) +-#endif +- RESOLVEFUNC(OPENSSL_add_all_algorithms_noconf) +- RESOLVEFUNC(OPENSSL_add_all_algorithms_conf) + RESOLVEFUNC(SSL_CTX_load_verify_locations) +- RESOLVEFUNC(SSLeay) +- RESOLVEFUNC(SSLeay_version) + RESOLVEFUNC(i2d_SSL_SESSION) + RESOLVEFUNC(d2i_SSL_SESSION) + #if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) +@@ -1019,27 +1183,14 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(EC_KEY_new_by_curve_name) + RESOLVEFUNC(EC_KEY_free) + RESOLVEFUNC(EC_get_builtin_curves) +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (q_SSLeay() >= 0x10002000L) +- RESOLVEFUNC(EC_curve_nist2nid) +-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L + #endif // OPENSSL_NO_EC + RESOLVEFUNC(PKCS12_parse) + RESOLVEFUNC(d2i_PKCS12_bio) + RESOLVEFUNC(PKCS12_free) + ++ symbolsResolved = true; + delete libs.first; + delete libs.second; +- if (!_q_SSLeay || q_SSLeay() >= 0x10100000L) { +- // OpenSSL 1.1 deprecated and removed SSLeay. We consider a failure to +- // resolve this symbol as a failure to resolve symbols. +- // The right operand of '||' above ... a bit of paranoia. +- qCWarning(lcSsl, "Incompatible version of OpenSSL"); +- return false; +- } +- +- symbolsResolved = true; +- + return true; + } + #endif // QT_CONFIG(library) +diff --git a/qtbase/src/network/ssl/qsslsocket_openssl_symbols_p.h b/qtbase/src/network/ssl/qsslsocket_openssl_symbols_p.h +index b35a895d38..796bf2d4f5 100644 +--- a/qtbase/src/network/ssl/qsslsocket_openssl_symbols_p.h ++++ b/qtbase/src/network/ssl/qsslsocket_openssl_symbols_p.h +@@ -1,6 +1,6 @@ + /**************************************************************************** + ** +-** Copyright (C) 2016 The Qt Company Ltd. ++** Copyright (C) 2017 The Qt Company Ltd. + ** Copyright (C) 2014 BlackBerry Limited. All rights reserved. + ** Contact: https://www.qt.io/licensing/ + ** +@@ -56,6 +56,7 @@ + #ifndef QSSLSOCKET_OPENSSL_SYMBOLS_P_H + #define QSSLSOCKET_OPENSSL_SYMBOLS_P_H + ++ + // + // W A R N I N G + // ------------- +@@ -215,17 +216,20 @@ QT_BEGIN_NAMESPACE + + #endif // !defined QT_LINKED_OPENSSL + ++#if QT_CONFIG(opensslv11) ++#include "qsslsocket_openssl11_symbols_p.h" ++#else ++#include "qsslsocket_opensslpre11_symbols_p.h" ++#endif // QT_CONFIG ++ + bool q_resolveOpenSslSymbols(); + long q_ASN1_INTEGER_get(ASN1_INTEGER *a); +-unsigned char * q_ASN1_STRING_data(ASN1_STRING *a); + int q_ASN1_STRING_length(ASN1_STRING *a); + int q_ASN1_STRING_to_UTF8(unsigned char **a, ASN1_STRING *b); + long q_BIO_ctrl(BIO *a, int b, long c, void *d); + Q_AUTOTEST_EXPORT int q_BIO_free(BIO *a); +-Q_AUTOTEST_EXPORT BIO *q_BIO_new(BIO_METHOD *a); + BIO *q_BIO_new_mem_buf(void *a, int b); + int q_BIO_read(BIO *a, void *b, int c); +-Q_AUTOTEST_EXPORT BIO_METHOD *q_BIO_s_mem(); + Q_AUTOTEST_EXPORT int q_BIO_write(BIO *a, const void *b, int c); + int q_BN_num_bits(const BIGNUM *a); + #if OPENSSL_VERSION_NUMBER >= 0x10100000L +@@ -247,26 +251,23 @@ BN_ULONG q_BN_mod_word(const BIGNUM *a, BN_ULONG w); + const EC_GROUP* q_EC_KEY_get0_group(const EC_KEY* k); + int q_EC_GROUP_get_degree(const EC_GROUP* g); + #endif +-int q_CRYPTO_num_locks(); +-void q_CRYPTO_set_locking_callback(void (*a)(int, int, const char *, int)); +-void q_CRYPTO_set_id_callback(unsigned long (*a)()); +-void q_CRYPTO_free(void *a); + DSA *q_DSA_new(); + void q_DSA_free(DSA *a); + X509 *q_d2i_X509(X509 **a, const unsigned char **b, long c); + char *q_ERR_error_string(unsigned long a, char *b); + unsigned long q_ERR_get_error(); +-void q_ERR_free_strings(); +-void q_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); +-void q_EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); ++EVP_CIPHER_CTX *q_EVP_CIPHER_CTX_new(); ++void q_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *a); + int q_EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); + int q_EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); + int q_EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *key, const unsigned char *iv, int enc); ++int q_EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); + int q_EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); + int q_EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); + const EVP_CIPHER *q_EVP_des_cbc(); + const EVP_CIPHER *q_EVP_des_ede3_cbc(); + const EVP_CIPHER *q_EVP_rc2_cbc(); ++const EVP_MD *q_EVP_sha1(); + int q_EVP_PKEY_assign(EVP_PKEY *a, int b, char *c); + Q_AUTOTEST_EXPORT int q_EVP_PKEY_set1_RSA(EVP_PKEY *a, RSA *b); + int q_EVP_PKEY_set1_DSA(EVP_PKEY *a, DSA *b); +@@ -310,7 +311,7 @@ int q_PEM_write_bio_RSAPrivateKey(BIO *a, RSA *b, const EVP_CIPHER *c, unsigned + int q_PEM_write_bio_ECPrivateKey(BIO *a, EC_KEY *b, const EVP_CIPHER *c, unsigned char *d, + int e, pem_password_cb *f, void *g); + #endif +-#endif ++#endif // SSLEAY_MACROS + Q_AUTOTEST_EXPORT EVP_PKEY *q_PEM_read_bio_PUBKEY(BIO *a, EVP_PKEY **b, pem_password_cb *c, void *d); + DSA *q_PEM_read_bio_DSA_PUBKEY(BIO *a, DSA **b, pem_password_cb *c, void *d); + RSA *q_PEM_read_bio_RSA_PUBKEY(BIO *a, RSA **b, pem_password_cb *c, void *d); +@@ -326,23 +327,10 @@ void q_RAND_seed(const void *a, int b); + int q_RAND_status(); + RSA *q_RSA_new(); + void q_RSA_free(RSA *a); +-int q_sk_num(STACK *a); +-void q_sk_pop_free(STACK *a, void (*b)(void *)); +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +-_STACK *q_sk_new_null(); +-void q_sk_push(_STACK *st, void *data); +-void q_sk_free(_STACK *a); +-void * q_sk_value(STACK *a, int b); +-#else +-STACK *q_sk_new_null(); +-void q_sk_push(STACK *st, char *data); +-void q_sk_free(STACK *a); +-char * q_sk_value(STACK *a, int b); +-#endif + int q_SSL_accept(SSL *a); + int q_SSL_clear(SSL *a); +-char *q_SSL_CIPHER_description(SSL_CIPHER *a, char *b, int c); +-int q_SSL_CIPHER_get_bits(SSL_CIPHER *a, int *b); ++char *q_SSL_CIPHER_description(const SSL_CIPHER *a, char *b, int c); ++int q_SSL_CIPHER_get_bits(const SSL_CIPHER *a, int *b); + int q_SSL_connect(SSL *a); + int q_SSL_CTX_check_private_key(const SSL_CTX *a); + long q_SSL_CTX_ctrl(SSL_CTX *a, int b, long c, void *d); +@@ -374,8 +362,6 @@ int q_SSL_get_error(SSL *a, int b); + STACK_OF(X509) *q_SSL_get_peer_cert_chain(SSL *a); + X509 *q_SSL_get_peer_certificate(SSL *a); + long q_SSL_get_verify_result(const SSL *a); +-int q_SSL_library_init(); +-void q_SSL_load_error_strings(); + SSL *q_SSL_new(SSL_CTX *a); + long q_SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg); + int q_SSL_read(SSL *a, void *b, int c); +@@ -388,7 +374,6 @@ void q_SSL_SESSION_free(SSL_SESSION *ses); + SSL_SESSION *q_SSL_get1_session(SSL *ssl); + SSL_SESSION *q_SSL_get_session(const SSL *ssl); + #if OPENSSL_VERSION_NUMBER >= 0x10001000L +-int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); + int q_SSL_set_ex_data(SSL *ssl, int idx, void *arg); + void *q_SSL_get_ex_data(const SSL *ssl, int idx); + #endif +@@ -399,49 +384,6 @@ typedef unsigned int (*q_psk_server_callback_t)(SSL *ssl, const char *identity, + void q_SSL_set_psk_server_callback(SSL *ssl, q_psk_server_callback_t callback); + int q_SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint); + #endif // OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_PSK) +-#if OPENSSL_VERSION_NUMBER >= 0x10000000L +-#ifndef OPENSSL_NO_SSL2 +-const SSL_METHOD *q_SSLv2_client_method(); +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-const SSL_METHOD *q_SSLv3_client_method(); +-#endif +-const SSL_METHOD *q_SSLv23_client_method(); +-const SSL_METHOD *q_TLSv1_client_method(); +-const SSL_METHOD *q_TLSv1_1_client_method(); +-const SSL_METHOD *q_TLSv1_2_client_method(); +-#ifndef OPENSSL_NO_SSL2 +-const SSL_METHOD *q_SSLv2_server_method(); +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-const SSL_METHOD *q_SSLv3_server_method(); +-#endif +-const SSL_METHOD *q_SSLv23_server_method(); +-const SSL_METHOD *q_TLSv1_server_method(); +-const SSL_METHOD *q_TLSv1_1_server_method(); +-const SSL_METHOD *q_TLSv1_2_server_method(); +-#else +-#ifndef OPENSSL_NO_SSL2 +-SSL_METHOD *q_SSLv2_client_method(); +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-SSL_METHOD *q_SSLv3_client_method(); +-#endif +-SSL_METHOD *q_SSLv23_client_method(); +-SSL_METHOD *q_TLSv1_client_method(); +-SSL_METHOD *q_TLSv1_1_client_method(); +-SSL_METHOD *q_TLSv1_2_client_method(); +-#ifndef OPENSSL_NO_SSL2 +-SSL_METHOD *q_SSLv2_server_method(); +-#endif +-#ifndef OPENSSL_NO_SSL3_METHOD +-SSL_METHOD *q_SSLv3_server_method(); +-#endif +-SSL_METHOD *q_SSLv23_server_method(); +-SSL_METHOD *q_TLSv1_server_method(); +-SSL_METHOD *q_TLSv1_1_server_method(); +-SSL_METHOD *q_TLSv1_2_server_method(); +-#endif + int q_SSL_write(SSL *a, const void *b, int c); + int q_X509_cmp(X509 *a, X509 *b); + #ifdef SSLEAY_MACROS +@@ -452,6 +394,7 @@ void *q_ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x); + X509 *q_X509_dup(X509 *a); + #endif + void q_X509_print(BIO *a, X509*b); ++int q_X509_digest(const X509 *x509, const EVP_MD *type, unsigned char *md, unsigned int *len); + ASN1_OBJECT *q_X509_EXTENSION_get_object(X509_EXTENSION *a); + void q_X509_free(X509 *a); + X509_EXTENSION *q_X509_get_ext(X509 *a, int b); +@@ -471,6 +414,7 @@ int q_ASN1_STRING_print(BIO *a, ASN1_STRING *b); + int q_X509_check_issued(X509 *a, X509 *b); + X509_NAME *q_X509_get_issuer_name(X509 *a); + X509_NAME *q_X509_get_subject_name(X509 *a); ++ASN1_INTEGER *q_X509_get_serialNumber(X509 *a); + int q_X509_verify_cert(X509_STORE_CTX *ctx); + int q_X509_NAME_entry_count(X509_NAME *a); + X509_NAME_ENTRY *q_X509_NAME_get_entry(X509_NAME *a,int b); +@@ -488,7 +432,6 @@ int q_X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); + int q_X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); + int q_X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); + X509 *q_X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); +-STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); + + // Diffie-Hellman support + DH *q_DH_new(); +@@ -522,34 +465,9 @@ int q_PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, + PKCS12 *q_d2i_PKCS12_bio(BIO *bio, PKCS12 **pkcs12); + void q_PKCS12_free(PKCS12 *pkcs12); + +- + #define q_BIO_get_mem_data(b, pp) (int)q_BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp) + #define q_BIO_pending(b) (int)q_BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL) +-#ifdef SSLEAY_MACROS +-int q_i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); +-int q_i2d_RSAPrivateKey(const RSA *a, unsigned char **pp); +-RSA *q_d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length); +-DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); +-#define q_PEM_read_bio_RSAPrivateKey(bp, x, cb, u) \ +- (RSA *)q_PEM_ASN1_read_bio( \ +- (void *(*)(void**, const unsigned char**, long int))q_d2i_RSAPrivateKey, PEM_STRING_RSA, bp, (void **)x, cb, u) +-#define q_PEM_read_bio_DSAPrivateKey(bp, x, cb, u) \ +- (DSA *)q_PEM_ASN1_read_bio( \ +- (void *(*)(void**, const unsigned char**, long int))q_d2i_DSAPrivateKey, PEM_STRING_DSA, bp, (void **)x, cb, u) +-#define q_PEM_write_bio_RSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ +- PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_RSAPrivateKey,PEM_STRING_RSA,\ +- bp,(char *)x,enc,kstr,klen,cb,u) +-#define q_PEM_write_bio_DSAPrivateKey(bp,x,enc,kstr,klen,cb,u) \ +- PEM_ASN1_write_bio((int (*)(void*, unsigned char**))q_i2d_DSAPrivateKey,PEM_STRING_DSA,\ +- bp,(char *)x,enc,kstr,klen,cb,u) +-#define q_PEM_read_bio_DHparams(bp, dh, cb, u) \ +- (DH *)q_PEM_ASN1_read_bio( \ +- (void *(*)(void**, const unsigned char**, long int))q_d2i_DHparams, PEM_STRING_DHPARAMS, bp, (void **)x, cb, u) +-#endif +-#define q_SSL_CTX_set_options(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) + #define q_SSL_CTX_set_mode(ctx,op) q_SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) +-#define q_SKM_sk_num(type, st) ((int (*)(const STACK_OF(type) *))q_sk_num)(st) +-#define q_SKM_sk_value(type, st,i) ((type * (*)(const STACK_OF(type) *, int))q_sk_value)(st, i) + #define q_sk_GENERAL_NAME_num(st) q_SKM_sk_num(GENERAL_NAME, (st)) + #define q_sk_GENERAL_NAME_value(st, i) q_SKM_sk_value(GENERAL_NAME, (st), (i)) + #define q_sk_X509_num(st) q_SKM_sk_num(X509, (st)) +@@ -558,18 +476,12 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); + #define q_sk_SSL_CIPHER_value(st, i) q_SKM_sk_value(SSL_CIPHER, (st), (i)) + #define q_SSL_CTX_add_extra_chain_cert(ctx,x509) \ + q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) +-#define q_X509_get_notAfter(x) X509_get_notAfter(x) +-#define q_X509_get_notBefore(x) X509_get_notBefore(x) + #define q_EVP_PKEY_assign_RSA(pkey,rsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ + (char *)(rsa)) + #define q_EVP_PKEY_assign_DSA(pkey,dsa) q_EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ + (char *)(dsa)) + #define q_OpenSSL_add_all_algorithms() q_OPENSSL_add_all_algorithms_conf() +-void q_OPENSSL_add_all_algorithms_noconf(); +-void q_OPENSSL_add_all_algorithms_conf(); + int q_SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); +-long q_SSLeay(); +-const char *q_SSLeay_version(int type); + int q_i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); + SSL_SESSION *q_d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); + +diff --git a/qtbase/src/network/ssl/qsslsocket_opensslpre11.cpp b/qtbase/src/network/ssl/qsslsocket_opensslpre11.cpp +new file mode 100644 +index 0000000000..e51888c5f2 +--- /dev/null ++++ b/qtbase/src/network/ssl/qsslsocket_opensslpre11.cpp +@@ -0,0 +1,424 @@ ++/**************************************************************************** ++** ++** Copyright (C) 2017 The Qt Company Ltd. ++** Copyright (C) 2014 Governikus GmbH & Co. KG ++** Contact: https://www.qt.io/licensing/ ++** ++** This file is part of the QtNetwork module of the Qt Toolkit. ++** ++** $QT_BEGIN_LICENSE:LGPL$ ++** Commercial License Usage ++** Licensees holding valid commercial Qt licenses may use this file in ++** accordance with the commercial license agreement provided with the ++** Software or, alternatively, in accordance with the terms contained in ++** a written agreement between you and The Qt Company. For licensing terms ++** and conditions see https://www.qt.io/terms-conditions. For further ++** information use the contact form at https://www.qt.io/contact-us. ++** ++** GNU Lesser General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU Lesser ++** General Public License version 3 as published by the Free Software ++** Foundation and appearing in the file LICENSE.LGPL3 included in the ++** packaging of this file. Please review the following information to ++** ensure the GNU Lesser General Public License version 3 requirements ++** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ++** ++** GNU General Public License Usage ++** Alternatively, this file may be used under the terms of the GNU ++** General Public License version 2.0 or (at your option) the GNU General ++** Public license version 3 or any later version approved by the KDE Free ++** Qt Foundation. The licenses are as published by the Free Software ++** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 ++** included in the packaging of this file. Please review the following ++** information to ensure the GNU General Public License requirements will ++** be met: https://www.gnu.org/licenses/gpl-2.0.html and ++** https://www.gnu.org/licenses/gpl-3.0.html. ++** ++** $QT_END_LICENSE$ ++** ++****************************************************************************/ ++ ++/**************************************************************************** ++** ++** In addition, as a special exception, the copyright holders listed above give ++** permission to link the code of its release of Qt with the OpenSSL project's ++** "OpenSSL" library (or modified versions of the "OpenSSL" library that use the ++** same license as the original version), and distribute the linked executables. ++** ++** You must comply with the GNU General Public License version 2 in all ++** respects for all of the code used other than the "OpenSSL" code. If you ++** modify this file, you may extend this exception to your version of the file, ++** but you are not obligated to do so. If you do not wish to do so, delete ++** this exception statement from your version of this file. ++** ++****************************************************************************/ ++ ++//#define QT_DECRYPT_SSL_TRAFFIC ++ ++#include "qssl_p.h" ++#include "qsslsocket_openssl_p.h" ++#include "qsslsocket_openssl_symbols_p.h" ++#include "qsslsocket.h" ++#include "qsslkey.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++QT_BEGIN_NAMESPACE ++ ++/* \internal ++ ++ From OpenSSL's thread(3) manual page: ++ ++ OpenSSL can safely be used in multi-threaded applications provided that at ++ least two callback functions are set. ++ ++ locking_function(int mode, int n, const char *file, int line) is needed to ++ perform locking on shared data structures. (Note that OpenSSL uses a ++ number of global data structures that will be implicitly shared ++ whenever multiple threads use OpenSSL.) Multi-threaded ++ applications will crash at random if it is not set. ... ++ ... ++ id_function(void) is a function that returns a thread ID. It is not ++ needed on Windows nor on platforms where getpid() returns a different ++ ID for each thread (most notably Linux) ++*/ ++ ++class QOpenSslLocks ++{ ++public: ++ QOpenSslLocks() ++ : initLocker(QMutex::Recursive), ++ locksLocker(QMutex::Recursive) ++ { ++ QMutexLocker locker(&locksLocker); ++ int numLocks = q_CRYPTO_num_locks(); ++ locks = new QMutex *[numLocks]; ++ memset(locks, 0, numLocks * sizeof(QMutex *)); ++ } ++ ~QOpenSslLocks() ++ { ++ QMutexLocker locker(&locksLocker); ++ for (int i = 0; i < q_CRYPTO_num_locks(); ++i) ++ delete locks[i]; ++ delete [] locks; ++ ++ QSslSocketPrivate::deinitialize(); ++ } ++ QMutex *lock(int num) ++ { ++ QMutexLocker locker(&locksLocker); ++ QMutex *tmp = locks[num]; ++ if (!tmp) ++ tmp = locks[num] = new QMutex(QMutex::Recursive); ++ return tmp; ++ } ++ ++ QMutex *globalLock() ++ { ++ return &locksLocker; ++ } ++ ++ QMutex *initLock() ++ { ++ return &initLocker; ++ } ++ ++private: ++ QMutex initLocker; ++ QMutex locksLocker; ++ QMutex **locks; ++}; ++ ++Q_GLOBAL_STATIC(QOpenSslLocks, openssl_locks) ++ ++extern "C" { ++static void locking_function(int mode, int lockNumber, const char *, int) ++{ ++ QMutex *mutex = openssl_locks()->lock(lockNumber); ++ ++ // Lock or unlock it ++ if (mode & CRYPTO_LOCK) ++ mutex->lock(); ++ else ++ mutex->unlock(); ++} ++static unsigned long id_function() ++{ ++ return (quintptr)QThread::currentThreadId(); ++} ++ ++} // extern "C" ++ ++static void q_OpenSSL_add_all_algorithms_safe() ++{ ++#ifdef Q_OS_WIN ++ // Prior to version 1.0.1m an attempt to call OpenSSL_add_all_algorithms on ++ // Windows could result in 'exit' call from OPENSSL_config (QTBUG-43843). ++ // We can predict this and avoid OPENSSL_add_all_algorithms call. ++ // From OpenSSL docs: ++ // "An application does not need to add algorithms to use them explicitly, ++ // for example by EVP_sha1(). It just needs to add them if it (or any of ++ // the functions it calls) needs to lookup algorithms. ++ // The cipher and digest lookup functions are used in many parts of the ++ // library. If the table is not initialized several functions will ++ // misbehave and complain they cannot find algorithms. This includes the ++ // PEM, PKCS#12, SSL and S/MIME libraries. This is a common query in ++ // the OpenSSL mailing lists." ++ // ++ // Anyway, as a result, we chose not to call this function if it would exit. ++ ++ if (q_SSLeay() < 0x100010DFL) ++ { ++ // Now, before we try to call it, check if an attempt to open config file ++ // will result in exit: ++ if (char *confFileName = q_CONF_get1_default_config_file()) { ++ BIO *confFile = q_BIO_new_file(confFileName, "r"); ++ const auto lastError = q_ERR_peek_last_error(); ++ q_CRYPTO_free(confFileName); ++ if (confFile) { ++ q_BIO_free(confFile); ++ } else { ++ q_ERR_clear_error(); ++ if (ERR_GET_REASON(lastError) == ERR_R_SYS_LIB) { ++ qCWarning(lcSsl, "failed to open openssl.conf file"); ++ return; ++ } ++ } ++ } ++ } ++#endif // Q_OS_WIN ++ ++ q_OpenSSL_add_all_algorithms(); ++} ++ ++ ++/*! ++ \internal ++*/ ++void QSslSocketPrivate::deinitialize() ++{ ++ q_CRYPTO_set_id_callback(0); ++ q_CRYPTO_set_locking_callback(0); ++ q_ERR_free_strings(); ++} ++ ++ ++bool QSslSocketPrivate::ensureLibraryLoaded() ++{ ++ if (!q_resolveOpenSslSymbols()) ++ return false; ++ ++ // Check if the library itself needs to be initialized. ++ QMutexLocker locker(openssl_locks()->initLock()); ++ ++ if (!s_libraryLoaded) { ++ s_libraryLoaded = true; ++ ++ // Initialize OpenSSL. ++ q_CRYPTO_set_id_callback(id_function); ++ q_CRYPTO_set_locking_callback(locking_function); ++ if (q_SSL_library_init() != 1) ++ return false; ++ q_SSL_load_error_strings(); ++ q_OpenSSL_add_all_algorithms_safe(); ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10001000L ++ if (q_SSLeay() >= 0x10001000L) ++ QSslSocketBackendPrivate::s_indexForSSLExtraData = q_SSL_get_ex_new_index(0L, NULL, NULL, NULL, NULL); ++#endif ++ ++ // Initialize OpenSSL's random seed. ++ if (!q_RAND_status()) { ++ qWarning("Random number generator not seeded, disabling SSL support"); ++ return false; ++ } ++ } ++ return true; ++} ++ ++void QSslSocketPrivate::ensureCiphersAndCertsLoaded() ++{ ++ QMutexLocker locker(openssl_locks()->initLock()); ++ if (s_loadedCiphersAndCerts) ++ return; ++ s_loadedCiphersAndCerts = true; ++ ++ resetDefaultCiphers(); ++ resetDefaultEllipticCurves(); ++ ++#if QT_CONFIG(library) ++ //load symbols needed to receive certificates from system store ++#if defined(Q_OS_WIN) ++ HINSTANCE hLib = LoadLibraryW(L"Crypt32"); ++ if (hLib) { ++ ptrCertOpenSystemStoreW = (PtrCertOpenSystemStoreW)GetProcAddress(hLib, "CertOpenSystemStoreW"); ++ ptrCertFindCertificateInStore = (PtrCertFindCertificateInStore)GetProcAddress(hLib, "CertFindCertificateInStore"); ++ ptrCertCloseStore = (PtrCertCloseStore)GetProcAddress(hLib, "CertCloseStore"); ++ if (!ptrCertOpenSystemStoreW || !ptrCertFindCertificateInStore || !ptrCertCloseStore) ++ qCWarning(lcSsl, "could not resolve symbols in crypt32 library"); // should never happen ++ } else { ++ qCWarning(lcSsl, "could not load crypt32 library"); // should never happen ++ } ++#elif defined(Q_OS_QNX) ++ s_loadRootCertsOnDemand = true; ++#elif defined(Q_OS_UNIX) && !defined(Q_OS_MACOS) ++ // check whether we can enable on-demand root-cert loading (i.e. check whether the sym links are there) ++ QList dirs = unixRootCertDirectories(); ++ QStringList symLinkFilter; ++ symLinkFilter << QLatin1String("[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]"); ++ for (int a = 0; a < dirs.count(); ++a) { ++ QDirIterator iterator(QLatin1String(dirs.at(a)), symLinkFilter, QDir::Files); ++ if (iterator.hasNext()) { ++ s_loadRootCertsOnDemand = true; ++ break; ++ } ++ } ++#endif ++#endif // QT_CONFIG(library) ++ // if on-demand loading was not enabled, load the certs now ++ if (!s_loadRootCertsOnDemand) ++ setDefaultCaCertificates(systemCaCertificates()); ++#ifdef Q_OS_WIN ++ //Enabled for fetching additional root certs from windows update on windows 6+ ++ //This flag is set false by setDefaultCaCertificates() indicating the app uses ++ //its own cert bundle rather than the system one. ++ //Same logic that disables the unix on demand cert loading. ++ //Unlike unix, we do preload the certificates from the cert store. ++ if ((QSysInfo::windowsVersion() & QSysInfo::WV_NT_based) >= QSysInfo::WV_6_0) ++ s_loadRootCertsOnDemand = true; ++#endif ++} ++ ++long QSslSocketPrivate::sslLibraryVersionNumber() ++{ ++ if (!supportsSsl()) ++ return 0; ++ ++ return q_SSLeay(); ++} ++ ++QString QSslSocketPrivate::sslLibraryVersionString() ++{ ++ if (!supportsSsl()) ++ return QString(); ++ ++ const char *versionString = q_SSLeay_version(SSLEAY_VERSION); ++ if (!versionString) ++ return QString(); ++ ++ return QString::fromLatin1(versionString); ++} ++ ++void QSslSocketBackendPrivate::continueHandshake() ++{ ++ Q_Q(QSslSocket); ++ // if we have a max read buffer size, reset the plain socket's to match ++ if (readBufferMaxSize) ++ plainSocket->setReadBufferSize(readBufferMaxSize); ++ ++ if (q_SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)) ++ configuration.peerSessionShared = true; ++ ++#ifdef QT_DECRYPT_SSL_TRAFFIC ++ if (ssl->session && ssl->s3) { ++ const char *mk = reinterpret_cast(ssl->session->master_key); ++ QByteArray masterKey(mk, ssl->session->master_key_length); ++ const char *random = reinterpret_cast(ssl->s3->client_random); ++ QByteArray clientRandom(random, SSL3_RANDOM_SIZE); ++ ++ // different format, needed for e.g. older Wireshark versions: ++// const char *sid = reinterpret_cast(ssl->session->session_id); ++// QByteArray sessionID(sid, ssl->session->session_id_length); ++// QByteArray debugLineRSA("RSA Session-ID:"); ++// debugLineRSA.append(sessionID.toHex().toUpper()); ++// debugLineRSA.append(" Master-Key:"); ++// debugLineRSA.append(masterKey.toHex().toUpper()); ++// debugLineRSA.append("\n"); ++ ++ QByteArray debugLineClientRandom("CLIENT_RANDOM "); ++ debugLineClientRandom.append(clientRandom.toHex().toUpper()); ++ debugLineClientRandom.append(" "); ++ debugLineClientRandom.append(masterKey.toHex().toUpper()); ++ debugLineClientRandom.append("\n"); ++ ++ QString sslKeyFile = QDir::tempPath() + QLatin1String("/qt-ssl-keys"); ++ QFile file(sslKeyFile); ++ if (!file.open(QIODevice::Append)) ++ qCWarning(lcSsl) << "could not open file" << sslKeyFile << "for appending"; ++ if (!file.write(debugLineClientRandom)) ++ qCWarning(lcSsl) << "could not write to file" << sslKeyFile; ++ file.close(); ++ } else { ++ qCWarning(lcSsl, "could not decrypt SSL traffic"); ++ } ++#endif ++ ++ // Cache this SSL session inside the QSslContext ++ if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionSharing)) { ++ if (!sslContextPointer->cacheSession(ssl)) { ++ sslContextPointer.clear(); // we could not cache the session ++ } else { ++ // Cache the session for permanent usage as well ++ if (!(configuration.sslOptions & QSsl::SslOptionDisableSessionPersistence)) { ++ if (!sslContextPointer->sessionASN1().isEmpty()) ++ configuration.sslSession = sslContextPointer->sessionASN1(); ++ configuration.sslSessionTicketLifeTimeHint = sslContextPointer->sessionTicketLifeTimeHint(); ++ } ++ } ++ } ++ ++#if OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_NEXTPROTONEG) ++ ++ configuration.nextProtocolNegotiationStatus = sslContextPointer->npnContext().status; ++ if (sslContextPointer->npnContext().status == QSslConfiguration::NextProtocolNegotiationUnsupported) { ++ // we could not agree -> be conservative and use HTTP/1.1 ++ configuration.nextNegotiatedProtocol = QByteArrayLiteral("http/1.1"); ++ } else { ++ const unsigned char *proto = 0; ++ unsigned int proto_len = 0; ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++ if (q_SSLeay() >= 0x10002000L) { ++ q_SSL_get0_alpn_selected(ssl, &proto, &proto_len); ++ if (proto_len && mode == QSslSocket::SslClientMode) { ++ // Client does not have a callback that sets it ... ++ configuration.nextProtocolNegotiationStatus = QSslConfiguration::NextProtocolNegotiationNegotiated; ++ } ++ } ++ ++ if (!proto_len) { // Test if NPN was more lucky ... ++#else ++ { ++#endif ++ q_SSL_get0_next_proto_negotiated(ssl, &proto, &proto_len); ++ } ++ ++ if (proto_len) ++ configuration.nextNegotiatedProtocol = QByteArray(reinterpret_cast(proto), proto_len); ++ else ++ configuration.nextNegotiatedProtocol.clear(); ++ } ++#endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++ if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { ++ EVP_PKEY *key; ++ if (q_SSL_get_server_tmp_key(ssl, &key)) ++ configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); ++ } ++#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... ++ ++ connectionEncrypted = true; ++ emit q->encrypted(); ++ if (autoStartHandshake && pendingClose) { ++ pendingClose = false; ++ q->disconnectFromHost(); ++ } ++} ++ ++QT_END_NAMESPACE +diff --git a/qtbase/src/network/ssl/ssl.pri b/qtbase/src/network/ssl/ssl.pri +index d2b0c2d60d..2783effaf1 100644 +--- a/qtbase/src/network/ssl/ssl.pri ++++ b/qtbase/src/network/ssl/ssl.pri +@@ -60,13 +60,25 @@ qtConfig(ssl) { + HEADERS += ssl/qsslcontext_openssl_p.h \ + ssl/qsslsocket_openssl_p.h \ + ssl/qsslsocket_openssl_symbols_p.h +- SOURCES += ssl/qsslcertificate_openssl.cpp \ +- ssl/qsslcontext_openssl.cpp \ ++ SOURCES += ssl/qsslsocket_openssl_symbols.cpp \ + ssl/qssldiffiehellmanparameters_openssl.cpp \ ++ ssl/qsslcertificate_openssl.cpp \ + ssl/qsslellipticcurve_openssl.cpp \ + ssl/qsslkey_openssl.cpp \ + ssl/qsslsocket_openssl.cpp \ +- ssl/qsslsocket_openssl_symbols.cpp ++ ssl/qsslcontext_openssl.cpp ++ ++ qtConfig(opensslv11) { ++ HEADERS += ssl/qsslsocket_openssl11_symbols_p.h ++ SOURCES += ssl/qsslsocket_openssl11.cpp \ ++ ssl/qsslcontext_openssl11.cpp ++ ++ QMAKE_CXXFLAGS += -DOPENSSL_API_COMPAT=0x10100000L ++ } else { ++ HEADERS += ssl/qsslsocket_opensslpre11_symbols_p.h ++ SOURCES += ssl/qsslsocket_opensslpre11.cpp \ ++ ssl/qsslcontext_opensslpre11.cpp ++ } + + darwin:SOURCES += ssl/qsslsocket_mac_shared.cpp + diff --git a/package/lean/trojan/Makefile b/package/lean/trojan/Makefile index b570edba2..9d74c81d5 100644 --- a/package/lean/trojan/Makefile +++ b/package/lean/trojan/Makefile @@ -15,13 +15,12 @@ PKG_SOURCE_URL:=https://github.com/trojan-gfw/trojan.git PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE_VERSION:=842ad5bb07eb8bce035fb274571e586629a97c99 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz + CMAKE_INSTALL:=1 PKG_BUILD_PARALLEL:=0 - -PKG_BUILD_DEPENDS:=openssl1.1 +PKG_BUILD_DEPENDS:=openssl PKG_LICENSE:=GPL-3.0 - PKG_MAINTAINER:=GreaterFire include $(INCLUDE_DIR)/package.mk @@ -36,19 +35,10 @@ TARGET_LDFLAGS += -flto # CXX standard TARGET_CXXFLAGS += -std=c++11 - TARGET_CXXFLAGS := $(filter-out -O%,$(TARGET_CXXFLAGS)) -O3 -MY_OPENSSL_DIR:=$(BUILD_DIR)/openssl1.1_staging_dir/usr - TARGET_CXXFLAGS += -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections -CMAKE_FIND_ROOT_PATH := $(MY_OPENSSL_DIR);$(CMAKE_FIND_ROOT_PATH) -TARGET_CXXFLAGS := -I$(MY_OPENSSL_DIR)/include $(TARGET_CXXFLAGS) -TARGET_LDFLAGS := -L$(MY_OPENSSL_DIR)/lib $(TARGET_LDFLAGS) - - - CMAKE_OPTIONS += \ -DENABLE_MYSQL=OFF \ -DENABLE_SSL_KEYLOG=ON \ @@ -59,8 +49,6 @@ CMAKE_OPTIONS += \ -DBoost_DEBUG=ON \ -DBoost_NO_BOOST_CMAKE=ON - - define Package/trojan SECTION:=net CATEGORY:=Network @@ -70,8 +58,6 @@ define Package/trojan +boost +boost-system +boost-program_options +boost-date_time endef - - define Package/trojan/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/trojan $(1)/usr/sbin/trojan @@ -82,5 +68,4 @@ define Package/trojan/install $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/trojan/config.json $(1)/etc/trojan.json endef - $(eval $(call BuildPackage,trojan)) diff --git a/package/lean/trojan/files/trojan.init b/package/lean/trojan/files/trojan.init old mode 100644 new mode 100755 diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 82f6c61c7..42d384508 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -54,7 +54,9 @@ config OPENSSL_WITH_DEPRECATED default y prompt "Include deprecated APIs (See help for a list of packages that need this)" help - Squid currently requires this. + Since openssl 1.1.x is still new to openwrt, some packages + requiring this option do not list it as a requirement yet: + * freeswitch-stable, freeswitch, python, python3, squid. config OPENSSL_NO_DEPRECATED bool @@ -62,6 +64,7 @@ config OPENSSL_NO_DEPRECATED config OPENSSL_WITH_ERROR_MESSAGES bool + default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT prompt "Include error messages" help This option aids debugging, but increases package size and @@ -69,6 +72,20 @@ config OPENSSL_WITH_ERROR_MESSAGES comment "Protocol Support" +config OPENSSL_WITH_TLS13 + bool + default y + prompt "Enable support for TLS 1.3" + help + TLS 1.3 is the newest version of the TLS specification. + It aims: + * to increase the overall security of the protocol, + removing outdated algorithms, and encrypting more of the + protocol; + * to increase performance by reducing the number of round-trips + when performing a full handshake. + It increases package size by ~4KB. + config OPENSSL_WITH_DTLS bool prompt "Enable DTLS support" @@ -78,7 +95,6 @@ config OPENSSL_WITH_DTLS config OPENSSL_WITH_NPN bool - default y prompt "Enable NPN support" help NPN is a TLS extension, obsoleted and replaced with ALPN, @@ -103,24 +119,35 @@ config OPENSSL_WITH_CMS comment "Algorithm Selection" -config OPENSSL_WITH_EC - bool - default y - prompt "Enable elliptic curve support" - help - Elliptic-curve cryptography (ECC) is an approach to public-key - cryptography based on the algebraic structure of elliptic curves - over finite fields. ECC requires smaller keys compared to non-ECC - cryptography to provide equivalent security. - config OPENSSL_WITH_EC2M bool - depends on OPENSSL_WITH_EC prompt "Enable ec2m support" help This option enables the more efficient, yet less common, binary field elliptic curves. +config OPENSSL_WITH_CHACHA_POLY1305 + bool + default y + prompt "Enable ChaCha20-Poly1305 ciphersuite support" + help + ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, + combining ChaCha stream cipher with Poly1305 MAC. + It is 3x faster than AES, when not using a CPU with AES-specific + instructions, as is the case of most embedded devices. + +config OPENSSL_PREFER_CHACHA_OVER_GCM + bool + default y if !x86_64 && !aarch64 + prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" + depends on OPENSSL_WITH_CHACHA_POLY1305 + help + The default openssl preference is for AES-GCM before ChaCha, but + that takes into account AES-NI capable chips. It is not the + case with most embedded chips, so it may be better to invert + that preference. This is just for the default case. The + application can always override this. + config OPENSSL_WITH_PSK bool default y @@ -130,6 +157,12 @@ config OPENSSL_WITH_PSK comment "Less commonly used build options" +config OPENSSL_WITH_ARIA + bool + prompt "Enable ARIA support" + help + ARIA is a block cipher developed in South Korea, based on AES. + config OPENSSL_WITH_CAMELLIA bool prompt "Enable Camellia cipher support" @@ -150,6 +183,23 @@ config OPENSSL_WITH_SEED SEED is a block cipher with 128-bit keys broadly used in South Korea, but seldom found elsewhere. +config OPENSSL_WITH_SM234 + bool + prompt "Enable SM2/3/4 algorithms support" + help + These algorithms are a set of "Commercial Cryptography" + algorithms approved for use in China. + * SM2 is an EC algorithm equivalent to ECDSA P-256 + * SM3 is a hash function equivalent to SHA-256 + * SM4 is a 128-block cipher equivalent to AES-128 + +config OPENSSL_WITH_BLAKE2 + bool + prompt "Enable BLAKE2 digest support" + help + BLAKE2 is a cryptographic hash function based on the ChaCha + stream cipher. + config OPENSSL_WITH_MDC2 bool prompt "Enable MDC2 digest support" @@ -184,27 +234,66 @@ comment "Engine/Hardware Support" config OPENSSL_ENGINE bool "Enable engine support" default y + select PACKAGE_libopenssl-devcrypto help This enables alternative cryptography implementations, most commonly for interfacing with external crypto devices, or supporting new/alternative ciphers and digests. + If you compile the library with this option disabled, packages built + using an engine-enabled library (i.e. from the official repo) may + fail to run. Compile and install the packages with engine support + disabled, and you should be fine. + Note that you need to enable KERNEL_AIO to be able to build the + afalg engine package. -config OPENSSL_ENGINE_CRYPTO +config OPENSSL_ENGINE_BUILTIN + bool "Build chosen engines into libcrypto" + depends on OPENSSL_ENGINE + help + This builds all chosen engines into libcrypto.so, instead of building + them as dynamic engines in separate packages. + The benefit of building the engines into libcrypto is that they won't + require any configuration to be used by default. + +config OPENSSL_ENGINE_BUILTIN_AFALG bool - select OPENSSL_ENGINE - select PACKAGE_kmod-cryptodev + prompt "Acceleration support through AF_ALG sockets engine" + depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + AF_ALG kernel interface. + +config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO + bool + default y prompt "Acceleration support through /dev/crypto" + depends on OPENSSL_ENGINE_BUILTIN + select PACKAGE_libopenssl-conf help This enables use of hardware acceleration through OpenBSD Cryptodev API (/dev/crypto) interface. - You must install kmod-cryptodev (under Kernel modules, Cryptographic - API modules) for /dev/crypto to show up and use hardware - acceleration; otherwise it falls back to software. + Even though configuration is not strictly needed, it is worth seeing + https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators + for information on how to configure the engine. -config OPENSSL_ENGINE_DIGEST +config OPENSSL_ENGINE_BUILTIN_PADLOCK bool - depends on OPENSSL_ENGINE_CRYPTO - prompt "/dev/crypto digest (md5/sha1) acceleration support" + prompt "VIA Padlock Acceleration support engine" + depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86 + select PACKAGE_libopenssl-conf + help + This enables use of hardware acceleration through the + VIA Padlock module. + +config OPENSSL_WITH_ASYNC + bool + prompt "Enable asynchronous jobs support" + depends on OPENSSL_ENGINE && USE_GLIBC + help + Enables async-aware applications to be able to use OpenSSL to + initiate crypto operations asynchronously. In order to work + this will require the presence of an async capable engine. config OPENSSL_WITH_GOST bool @@ -213,6 +302,8 @@ config OPENSSL_WITH_GOST help This option prepares the library to accept engine support for Russian GOST crypto algorithms. + The gost engine is not included in standard openwrt feeds. + To build such engine yourself, see: + https://github.com/gost-engine/engine endif - diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index b5cd165e9..eb267f31f 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl -PKG_BASE:=1.0.2 -PKG_BUGFIX:=q +PKG_BASE:=1.1.1 +PKG_BUGFIX:=d PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=3 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 +ENGINES_DIR=engines-1.1 -PKG_BUILD_PARALLEL:=0 -PKG_BUILD_DEPENDS:=cryptodev-linux +PKG_BUILD_PARALLEL:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ @@ -24,24 +24,30 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 -ENGINES_DIR=engines +PKG_HASH:=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_ENGINE \ - CONFIG_OPENSSL_ENGINE_CRYPTO \ - CONFIG_OPENSSL_ENGINE_DIGEST \ + CONFIG_OPENSSL_ENGINE_BUILTIN \ + CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \ + CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \ + CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \ CONFIG_OPENSSL_NO_DEPRECATED \ CONFIG_OPENSSL_OPTIMIZE_SPEED \ + CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \ + CONFIG_OPENSSL_WITH_ARIA \ CONFIG_OPENSSL_WITH_ASM \ + CONFIG_OPENSSL_WITH_ASYNC \ + CONFIG_OPENSSL_WITH_BLAKE2 \ CONFIG_OPENSSL_WITH_CAMELLIA \ + CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \ CONFIG_OPENSSL_WITH_CMS \ CONFIG_OPENSSL_WITH_COMPRESSION \ CONFIG_OPENSSL_WITH_DTLS \ - CONFIG_OPENSSL_WITH_EC \ CONFIG_OPENSSL_WITH_EC2M \ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ CONFIG_OPENSSL_WITH_GOST \ @@ -51,8 +57,10 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_PSK \ CONFIG_OPENSSL_WITH_RFC3779 \ CONFIG_OPENSSL_WITH_SEED \ + CONFIG_OPENSSL_WITH_SM234 \ CONFIG_OPENSSL_WITH_SRP \ CONFIG_OPENSSL_WITH_SSE2 \ + CONFIG_OPENSSL_WITH_TLS13 \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk @@ -83,9 +91,12 @@ endef define Package/libopenssl $(call Package/openssl/Default) SUBMENU:=SSL - DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib + DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \ + +OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \ + +OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \ + +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock TITLE+= (libraries) - ABI_VERSION:=1.0.0 + ABI_VERSION:=1.1 MENU:=1 endef @@ -98,51 +109,97 @@ define Package/openssl-util $(call Package/openssl/Default) SECTION:=utils CATEGORY:=Utilities - DEPENDS:=+libopenssl + DEPENDS:=+libopenssl +libopenssl-conf TITLE+= (utility) endef -define Package/openssl-util/conffiles -/etc/ssl/openssl.cnf -endef - define Package/openssl-util/description $(call Package/openssl/Default/description) This package contains the OpenSSL command-line utility. endef -define Package/libopenssl-gost +define Package/libopenssl-conf $(call Package/openssl/Default) SUBMENU:=SSL - TITLE:=Russian GOST algorithms engine - DEPENDS:=libopenssl +@OPENSSL_WITH_GOST + TITLE:=/etc/ssl/openssl.cnf config file + DEPENDS:=libopenssl endef -define Package/libopenssl-gost/description -This package adds an engine that enables Russian GOST algorithms. +define Package/libopenssl-conf/conffiles +/etc/ssl/openssl.cnf +endef + +define Package/libopenssl-conf/description +$(call Package/openssl/Default/description) +This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. +endef + +define Package/libopenssl-afalg + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=AFALG hardware acceleration engine + DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ + +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN +endef + +define Package/libopenssl-afalg/description +This package adds an engine that enables hardware acceleration +through the AF_ALG kernel interface. To use it, you need to configure the engine in /etc/ssl/openssl.cnf -See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE -The engine_id is "gost" +See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators +The engine_id is "afalg" +endef + +define Package/libopenssl-devcrypto + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=/dev/crypto hardware acceleration engine + DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ + @!OPENSSL_ENGINE_BUILTIN +endef + +define Package/libopenssl-devcrypto/description +This package adds an engine that enables hardware acceleration +through the /dev/crypto kernel interface. +To use it, you need to configure the engine in /etc/ssl/openssl.cnf +See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators +The engine_id is "devcrypto" endef define Package/libopenssl-padlock $(call Package/openssl/Default) SUBMENU:=SSL TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock + DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ + +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. To use it, you need to configure it in /etc/ssl/openssl.cnf. -See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE +See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" endef -OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method +OPENSSL_OPTIONS:= shared -ifndef CONFIG_OPENSSL_WITH_EC - OPENSSL_OPTIONS += no-ec +ifndef CONFIG_OPENSSL_WITH_BLAKE2 + OPENSSL_OPTIONS += no-blake2 +endif + +ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305 + OPENSSL_OPTIONS += no-chacha no-poly1305 +else + ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM + OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM + endif +endif + +ifndef CONFIG_OPENSSL_WITH_ASYNC + OPENSSL_OPTIONS += no-async endif ifndef CONFIG_OPENSSL_WITH_EC2M @@ -153,6 +210,18 @@ ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES OPENSSL_OPTIONS += no-err endif +ifndef CONFIG_OPENSSL_WITH_TLS13 + OPENSSL_OPTIONS += no-tls1_3 +endif + +ifndef CONFIG_OPENSSL_WITH_ARIA + OPENSSL_OPTIONS += no-aria +endif + +ifndef CONFIG_OPENSSL_WITH_SM234 + OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4 +endif + ifndef CONFIG_OPENSSL_WITH_CAMELLIA OPENSSL_OPTIONS += no-camellia endif @@ -177,8 +246,8 @@ ifndef CONFIG_OPENSSL_WITH_CMS OPENSSL_OPTIONS += no-cms endif -ifdef CONFIG_OPENSSL_WITH_RFC3779 - OPENSSL_OPTIONS += enable-rfc3779 +ifndef CONFIG_OPENSSL_WITH_RFC3779 + OPENSSL_OPTIONS += no-rfc3779 endif ifdef CONFIG_OPENSSL_NO_DEPRECATED @@ -192,14 +261,27 @@ else endif ifdef CONFIG_OPENSSL_ENGINE - ifdef CONFIG_OPENSSL_ENGINE_CRYPTO - OPENSSL_OPTIONS += -DHAVE_CRYPTODEV - ifdef CONFIG_OPENSSL_ENGINE_DIGEST - OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS + ifdef CONFIG_OPENSSL_ENGINE_BUILTIN + OPENSSL_OPTIONS += disable-dynamic-engine + ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG + OPENSSL_OPTIONS += no-afalgeng + endif + ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO + OPENSSL_OPTIONS += enable-devcryptoeng + endif + ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK + OPENSSL_OPTIONS += no-hw-padlock + endif + else + ifdef CONFIG_PACKAGE_libopenssl-devcrypto + OPENSSL_OPTIONS += enable-devcryptoeng + endif + ifndef CONFIG_PACKAGE_libopenssl-afalg + OPENSSL_OPTIONS += no-afalgeng + endif + ifndef CONFIG_PACKAGE_libopenssl-padlock + OPENSSL_OPTIONS += no-hw-padlock endif - endif - ifndef CONFIG_PACKAGE_libopenssl-padlock - OPENSSL_OPTIONS += no-hw-padlock endif else OPENSSL_OPTIONS += no-engine @@ -209,10 +291,8 @@ ifndef CONFIG_OPENSSL_WITH_GOST OPENSSL_OPTIONS += no-gost endif -# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code, -# but openssl util gets built without it ifndef CONFIG_OPENSSL_WITH_DTLS - OPENSSL_OPTIONS += no-dtls no-dtls1 + OPENSSL_OPTIONS += no-dtls endif ifdef CONFIG_OPENSSL_WITH_COMPRESSION @@ -248,10 +328,6 @@ OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) define Build/Configure - [ -f $(STAMP_CONFIGURED) ] || { \ - rm -f $(PKG_BUILD_DIR)/*.so.* $(PKG_BUILD_DIR)/*.a; \ - find $(PKG_BUILD_DIR) -name \*.o | xargs rm -f; \ - } (cd $(PKG_BUILD_DIR); \ ./Configure $(OPENSSL_TARGET) \ --prefix=/usr \ @@ -259,14 +335,9 @@ define Build/Configure --openssldir=/etc/ssl \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ - $(OPENSSL_OPTIONS) \ + $(OPENSSL_OPTIONS) && \ + { [ -f $(STAMP_CONFIGURED) ] || make clean; } \ ) - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - MAKEDEPPROG="$(TARGET_CROSS)gcc" \ - OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ - $(OPENSSL_MAKEFLAGS) \ - depend endef TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections @@ -276,35 +347,16 @@ define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ - AR="$(TARGET_CROSS)ar r" \ - RANLIB="$(TARGET_CROSS)ranlib" \ + SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ $(OPENSSL_MAKEFLAGS) \ all - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - CC="$(TARGET_CC)" \ - ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ - AR="$(TARGET_CROSS)ar r" \ - RANLIB="$(TARGET_CROSS)ranlib" \ - OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ - $(OPENSSL_MAKEFLAGS) \ - build-shared - # Work around openssl build bug to link libssl.so with libcrypto.so. - -rm $(PKG_BUILD_DIR)/libssl.so.*.*.* - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - CC="$(TARGET_CC)" \ - OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ - $(OPENSSL_MAKEFLAGS) \ - do_linux-shared $(MAKE) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \ + DESTDIR="$(PKG_INSTALL_DIR)" \ $(OPENSSL_MAKEFLAGS) \ - install + install_sw install_ssldirs endef define Build/InstallDev @@ -327,24 +379,34 @@ define Package/libopenssl/install $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)) endef -define Package/openssl-util/install +define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ +endef + +define Package/openssl-util/install $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef +define Package/libopenssl-afalg/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) +endef + +define Package/libopenssl-devcrypto/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) +endef + define Package/libopenssl-padlock/install $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) endef -define Package/libopenssl-gost/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR) -endef - $(eval $(call BuildPackage,libopenssl)) -$(eval $(call BuildPackage,libopenssl-gost)) +$(eval $(call BuildPackage,libopenssl-conf)) +$(eval $(call BuildPackage,libopenssl-afalg)) +$(eval $(call BuildPackage,libopenssl-devcrypto)) $(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/lean/openssl1.1/patches/1.1.1/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch similarity index 79% rename from package/lean/openssl1.1/patches/1.1.1/100-Configure-afalg-support.patch rename to package/libs/openssl/patches/100-Configure-afalg-support.patch index b801449bf..0f91a9d5d 100644 --- a/package/lean/openssl1.1/patches/1.1.1/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -1,4 +1,4 @@ -From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001 +From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:29:21 -0300 Subject: Do not use host kernel version to disable AFALG @@ -8,9 +8,11 @@ version to disable building the AFALG engine on openwrt targets. Signed-off-by: Eneas U de Queiroz +diff --git a/Configure b/Configure +index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtra +@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch deleted file mode 100644 index 52a51f9f4..000000000 --- a/package/libs/openssl/patches/100-openwrt_targets.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Wed, 26 Sep 2018 16:21:27 -0300 -Subject: Add openwrt targets - -Targets are named: linux-$(CONFIG_ARCH)-openwrt - -Signed-off-by: Eneas U de Queiroz - ---- a/Configure -+++ b/Configure -@@ -470,6 +470,32 @@ my %table=( - "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", - "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", - -+# OpenWrt targets -+# from linux-aarch64 -+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux-generic32 -+"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux-armv4 -+"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux-armv4 -+"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux-elf -+"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux-mips32 -+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux64-mips64 -+"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -+# from linux64-mips64 -+"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -+# from linux-mips32 -+"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux-ppc -+"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+# from linux-x86_64 -+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -+# from linux-generic32 -+"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+ - # Android: linux-* but without pointers to headers and libs. - "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/lean/openssl1.1/patches/1.1.1/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch similarity index 90% rename from package/lean/openssl1.1/patches/1.1.1/110-openwrt_targets.patch rename to package/libs/openssl/patches/110-openwrt_targets.patch index bc49e27ae..d0530b466 100644 --- a/package/lean/openssl1.1/patches/1.1.1/110-openwrt_targets.patch +++ b/package/libs/openssl/patches/110-openwrt_targets.patch @@ -1,4 +1,4 @@ -From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001 +From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:30:24 -0300 Subject: Add openwrt targets @@ -7,6 +7,9 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt Signed-off-by: Eneas U de Queiroz +diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf +new file mode 100644 +index 0000000000..86a86d31e4 --- /dev/null +++ b/Configurations/25-openwrt.conf @@ -0,0 +1,48 @@ diff --git a/package/libs/openssl/patches/110-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch deleted file mode 100644 index 2dbdc7601..000000000 --- a/package/libs/openssl/patches/110-perl-path.patch +++ /dev/null @@ -1,64 +0,0 @@ ---- a/Configure -+++ b/Configure -@@ -1,4 +1,4 @@ --: -+#!/usr/bin/perl - eval 'exec perl -S $0 ${1+"$@"}' - if $running_under_some_shell; - ## ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -+#!/usr/bin/perl - - # Perl c_rehash script, scan all files in a directory - # and add symbolic links to their hash values. ---- a/util/clean-depend.pl -+++ b/util/clean-depend.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - # Clean the dependency list in a makefile of standard includes... - # Written by Ben Laurie 19 Jan 1999 - ---- a/util/mkdef.pl -+++ b/util/mkdef.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - # - # generate a .def file - # ---- a/util/mkerr.pl -+++ b/util/mkerr.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - - my $config = "crypto/err/openssl.ec"; - my $hprefix = "openssl/"; ---- a/util/mkstack.pl -+++ b/util/mkstack.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - - # This is a utility that searches out "DECLARE_STACK_OF()" - # declarations in .h and .c files, and updates/creates/replaces ---- a/util/pod2man.pl -+++ b/util/pod2man.pl -@@ -1,4 +1,4 @@ --: #!/usr/bin/perl-5.005 -+#!/usr/bin/perl - eval 'exec /usr/bin/perl -S $0 ${1+"$@"}' - if $running_under_some_shell; - ---- a/util/selftest.pl -+++ b/util/selftest.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - # - # Run the test suite and generate a report - # diff --git a/package/libs/openssl/patches/120-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch deleted file mode 100644 index 5bcb31648..000000000 --- a/package/libs/openssl/patches/120-makefile-dirs.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -137,7 +137,7 @@ FIPSCANLIB= - - BASEADDR= - --DIRS= crypto ssl engines apps test tools -+DIRS= crypto ssl engines apps - ENGDIRS= ccgost - SHLIBDIRS= crypto ssl - diff --git a/package/lean/openssl1.1/patches/1.1.1/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch similarity index 65% rename from package/lean/openssl1.1/patches/1.1.1/120-strip-cflags-from-binary.patch rename to package/libs/openssl/patches/120-strip-cflags-from-binary.patch index d6e35b745..7faec9ab8 100644 --- a/package/lean/openssl1.1/patches/1.1.1/120-strip-cflags-from-binary.patch +++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch @@ -1,21 +1,23 @@ -From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001 +From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:31:38 -0300 -Subject: void exposing build directories +Subject: Avoid exposing build directories The CFLAGS contain the build directories, and are shown by calling OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a Signed-off-by: Eneas U de Queiroz +diff --git a/crypto/build.info b/crypto/build.info +index 2c619c62e8..893128345a 100644 --- a/crypto/build.info +++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink +@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl DEPEND[cversion.o]=buildinf.h -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" -+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)" ++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)" DEPEND[buildinf.h]=../configdata.pm GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) diff --git a/package/libs/openssl/patches/130-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch deleted file mode 100644 index e38d44a76..000000000 --- a/package/libs/openssl/patches/130-disable_doc_tests.patch +++ /dev/null @@ -1,58 +0,0 @@ ---- a/Makefile -+++ b/Makefile -@@ -139,7 +139,7 @@ FIPSCANLIB= - - BASEADDR=0xFB00000 - --DIRS= crypto ssl engines apps test tools -+DIRS= crypto ssl engines apps tools - ENGDIRS= ccgost - SHLIBDIRS= crypto ssl - -@@ -157,7 +157,7 @@ SDIRS= \ - - # tests to perform. "alltests" is a special word indicating that all tests - # should be performed. --TESTS = alltests -+TESTS = - - MAKEFILE= Makefile - -@@ -171,7 +171,7 @@ SHELL=/bin/sh - - TOP= . - ONEDIRS=out tmp --EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS -+EDIRS= times bugs util include certs ms shlib mt demos perl sf dep VMS - WDIRS= windows - LIBS= libcrypto.a libssl.a - SHARED_CRYPTO=libcrypto$(SHLIB_EXT) -@@ -276,7 +276,7 @@ reflect: - - sub_all: build_all - --build_all: build_libs build_apps build_tests build_tools -+build_all: build_libs build_apps build_tools - - build_libs: build_libcrypto build_libssl openssl.pc - -@@ -542,7 +542,7 @@ dist: - @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar - --install: all install_docs install_sw -+install: all install_sw - - install_sw: - @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ ---- a/Makefile.org -+++ b/Makefile.org -@@ -540,7 +540,7 @@ dist: - @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar - --install: all install_docs install_sw -+install: all install_sw - - install_sw: - @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ diff --git a/package/lean/openssl1.1/patches/1.1.1/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch similarity index 78% rename from package/lean/openssl1.1/patches/1.1.1/130-dont-build-tests-fuzz.patch rename to package/libs/openssl/patches/130-dont-build-tests-fuzz.patch index d89b1c8a0..fa79cc602 100644 --- a/package/lean/openssl1.1/patches/1.1.1/130-dont-build-tests-fuzz.patch +++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch @@ -1,4 +1,4 @@ -From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001 +From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:34:38 -0300 Subject: Do not build tests and fuzz directories @@ -7,9 +7,11 @@ This shortens build time. Signed-off-by: Eneas U de Queiroz +diff --git a/Configure b/Configure +index 74d057c219..5813e9f8fe 100755 --- a/Configure +++ b/Configure -@@ -296,7 +296,7 @@ my $auto_threads=1; # enable threads +@@ -296,7 +296,7 @@ my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; # Top level directories to build diff --git a/package/lean/openssl1.1/patches/1.1.1/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch similarity index 90% rename from package/lean/openssl1.1/patches/1.1.1/140-allow-prefer-chacha20.patch rename to package/libs/openssl/patches/140-allow-prefer-chacha20.patch index 5e11c2bbf..b293db28f 100644 --- a/package/lean/openssl1.1/patches/1.1.1/140-allow-prefer-chacha20.patch +++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch @@ -1,4 +1,4 @@ -From 286e015bf0d30530707a5e7b3b871509f2ab50d7 Mon Sep 17 00:00:00 2001 +From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:44:39 -0300 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option @@ -14,6 +14,8 @@ when the client has it on top of its ciphersuite preference. Signed-off-by: Eneas U de Queiroz +diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h +index 6724ccf2d2..96d959427e 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -173,9 +173,15 @@ extern "C" { @@ -35,9 +37,11 @@ Signed-off-by: Eneas U de Queiroz # else # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ "TLS_AES_128_GCM_SHA256" +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 27a1b2ec68..7039811323 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); @@ -67,7 +71,7 @@ Signed-off-by: Eneas U de Queiroz /* * ...and generally, our preferred cipher is AES. -@@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * Within each group, ciphers remain sorted by strength and previous * preference, i.e., * 1) ECDHE > DHE diff --git a/package/libs/openssl/patches/140-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch deleted file mode 100644 index c29b59afd..000000000 --- a/package/libs/openssl/patches/140-bash_path.patch +++ /dev/null @@ -1,8 +0,0 @@ ---- a/util/domd -+++ b/util/domd -@@ -1,4 +1,4 @@ --#!/bin/sh -+#!/usr/bin/env bash - # Do a makedepend, only leave out the standard headers - # Written by Ben Laurie 19 Jan 1999 - diff --git a/package/libs/openssl/patches/150-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch deleted file mode 100644 index 3e36beb49..000000000 --- a/package/libs/openssl/patches/150-fix_link_segfault.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- a/Makefile.shared -+++ b/Makefile.shared -@@ -95,7 +95,6 @@ LINK_APP= \ - LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \ - LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ - LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ -- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ - $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} ) - - LINK_SO= \ -@@ -105,7 +104,6 @@ LINK_SO= \ - SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \ - LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ - LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ -- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ - $${SHAREDCMD} $${SHAREDFLAGS} \ - -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \ - $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \ diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch new file mode 100644 index 000000000..6c7143dd7 --- /dev/null +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -0,0 +1,56 @@ +--- a/apps/openssl.cnf ++++ b/apps/openssl.cnf +@@ -22,6 +22,53 @@ oid_section = new_oids + # (Alternatively, use a configuration file that has only + # X.509v3 extensions in its main [= default] section.) + ++openssl_conf=openssl_conf ++ ++[openssl_conf] ++engines=engines ++ ++[engines] ++# To enable an engine, install the package, and uncomment it here: ++#devcrypto=devcrypto ++#afalg=afalg ++#padlock=padlock ++ ++[afalg] ++default_algorithms = ALL ++ ++[devcrypto] ++# Leave this alone and configure algorithms with CIPERS/DIGESTS below ++default_algorithms = ALL ++ ++# Configuration commands: ++# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a ++# list of supported algorithms, along with their driver, whether they ++# are hw accelerated or not, and the engine's configuration commands. ++ ++# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) ++# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use ++# if acceleration can't be determined) [default=2] ++#USE_SOFTDRIVERS = 2 ++ ++# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to ++# enable [default=ALL] ++# It is recommended to disable the ECB ciphers; in most cases, it will ++# only be used for PRNG, in small blocks, where performance is poor, ++# and there may be problems with apps forking with open crypto ++# contexts, leading to failures. The CBC ciphers work well: ++#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC ++ ++# DIGESTS: either ALL, NONE, or a comma-separated list of digests to ++# enable [default=NONE] ++# It is strongly recommended not to enable digests; their performance ++# is poor, and there are many cases in which they will not work, ++# especially when calling fork with open crypto contexts. Openssh, ++# for example, does this, and you may not be able to login. ++#DIGESTS = NONE ++ ++[padlock] ++default_algorithms = ALL ++ + [ new_oids ] + + # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. diff --git a/package/libs/openssl/patches/160-remove_timestamp_check.patch b/package/libs/openssl/patches/160-remove_timestamp_check.patch deleted file mode 100644 index 424e66063..000000000 --- a/package/libs/openssl/patches/160-remove_timestamp_check.patch +++ /dev/null @@ -1,23 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -185,7 +185,7 @@ TARFILE= ../$(NAME).tar - EXHEADER= e_os2.h - HEADER= e_os.h - --all: Makefile build_all -+all: build_all - - # as we stick to -e, CLEARENV ensures that local variables in lower - # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn -@@ -404,11 +404,6 @@ openssl.pc: Makefile - echo 'Version: '$(VERSION); \ - echo 'Requires: libssl libcrypto' ) > openssl.pc - --Makefile: Makefile.org Configure config -- @echo "Makefile is older than Makefile.org, Configure or config." -- @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." -- @false -- - libclean: - rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib - diff --git a/package/libs/openssl/patches/170-parallel_build.patch b/package/libs/openssl/patches/170-parallel_build.patch deleted file mode 100644 index cbe5d5124..000000000 --- a/package/libs/openssl/patches/170-parallel_build.patch +++ /dev/null @@ -1,184 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi - build_libssl: build_ssl libssl.pc - - build_crypto: -- @dir=crypto; target=all; $(BUILD_ONE_CMD) -+ +@dir=crypto; target=all; $(BUILD_ONE_CMD) - build_ssl: build_crypto -- @dir=ssl; target=all; $(BUILD_ONE_CMD) -+ +@dir=ssl; target=all; $(BUILD_ONE_CMD) - build_engines: build_crypto -- @dir=engines; target=all; $(BUILD_ONE_CMD) -+ +@dir=engines; target=all; $(BUILD_ONE_CMD) - build_apps: build_libs -- @dir=apps; target=all; $(BUILD_ONE_CMD) -+ +@dir=apps; target=all; $(BUILD_ONE_CMD) - build_tests: build_libs -- @dir=test; target=all; $(BUILD_ONE_CMD) -+ +@dir=test; target=all; $(BUILD_ONE_CMD) - build_tools: build_libs -- @dir=tools; target=all; $(BUILD_ONE_CMD) -+ +@dir=tools; target=all; $(BUILD_ONE_CMD) - - all_testapps: build_libs build_testapps - build_testapps: -@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut - @set -e; target=update; $(RECURSIVE_BUILD_CMD) - - depend: -- @set -e; target=depend; $(RECURSIVE_BUILD_CMD) -+ +@set -e; target=depend; $(RECURSIVE_BUILD_CMD) - - lint: - @set -e; target=lint; $(RECURSIVE_BUILD_CMD) -@@ -535,9 +535,9 @@ dist: - @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar - --install: all install_sw -+install: install_sw - --install_sw: -+install_dirs: - @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \ -@@ -546,12 +546,19 @@ install_sw: - $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/private -+ @$(PERL) $(TOP)/util/mkdir-p.pl \ -+ $(INSTALL_PREFIX)$(MANDIR)/man1 \ -+ $(INSTALL_PREFIX)$(MANDIR)/man3 \ -+ $(INSTALL_PREFIX)$(MANDIR)/man5 \ -+ $(INSTALL_PREFIX)$(MANDIR)/man7 -+ -+install_sw: install_dirs - @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; -- @set -e; target=install; $(RECURSIVE_BUILD_CMD) -+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD) - @set -e; liblist="$(LIBS)"; for i in $$liblist ;\ - do \ - if [ -f "$$i" ]; then \ -@@ -635,12 +642,7 @@ install_html_docs: - done; \ - done - --install_docs: -- @$(PERL) $(TOP)/util/mkdir-p.pl \ -- $(INSTALL_PREFIX)$(MANDIR)/man1 \ -- $(INSTALL_PREFIX)$(MANDIR)/man3 \ -- $(INSTALL_PREFIX)$(MANDIR)/man5 \ -- $(INSTALL_PREFIX)$(MANDIR)/man7 -+install_docs: install_dirs - @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \ - here="`pwd`"; \ - filecase=; \ ---- a/Makefile.shared -+++ b/Makefile.shared -@@ -120,6 +120,7 @@ SYMLINK_SO= \ - done; \ - fi; \ - if [ -n "$$SHLIB_SOVER" ]; then \ -+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \ - ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \ - ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \ - fi; \ ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -87,11 +87,11 @@ testapps: - @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi - - subdirs: -- @target=all; $(RECURSIVE_MAKE) -+ +@target=all; $(RECURSIVE_MAKE) - - files: - $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO -- @target=files; $(RECURSIVE_MAKE) -+ +@target=files; $(RECURSIVE_MAKE) - - links: - @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) -@@ -102,7 +102,7 @@ links: - # lib: $(LIB): are splitted to avoid end-less loop - lib: $(LIB) - @touch lib --$(LIB): $(LIBOBJ) -+$(LIB): $(LIBOBJ) | subdirs - $(AR) $(LIB) $(LIBOBJ) - test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o - $(RANLIB) $(LIB) || echo Never mind. -@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs - fi - - libs: -- @target=lib; $(RECURSIVE_MAKE) -+ +@target=lib; $(RECURSIVE_MAKE) - - install: - @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... -@@ -122,7 +122,7 @@ install: - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; -- @target=install; $(RECURSIVE_MAKE) -+ +@target=install; $(RECURSIVE_MAKE) - - lint: - @target=lint; $(RECURSIVE_MAKE) ---- a/engines/Makefile -+++ b/engines/Makefile -@@ -72,7 +72,7 @@ top: - - all: lib subdirs - --lib: $(LIBOBJ) -+lib: $(LIBOBJ) | subdirs - @if [ -n "$(SHARED_LIBS)" ]; then \ - set -e; \ - for l in $(LIBNAMES); do \ -@@ -89,7 +89,7 @@ lib: $(LIBOBJ) - - subdirs: - echo $(EDIRS) -- @target=all; $(RECURSIVE_MAKE) -+ +@target=all; $(RECURSIVE_MAKE) - - files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO -@@ -128,7 +128,7 @@ install: - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \ - done; \ - fi -- @target=install; $(RECURSIVE_MAKE) -+ +@target=install; $(RECURSIVE_MAKE) - - tags: - ctags $(SRC) ---- a/test/Makefile -+++ b/test/Makefile -@@ -145,7 +145,7 @@ install: - tags: - ctags $(SRC) - --tests: exe apps $(TESTS) -+tests: exe $(TESTS) - - apps: - @(cd ..; $(MAKE) DIRS=apps all) -@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl - # fi - - dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO) -- @target=dummytest; $(BUILD_CMD) -+ +@target=dummytest; $(BUILD_CMD) - - # DO NOT DELETE THIS LINE -- make depend depends on it. - diff --git a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch deleted file mode 100644 index e70bd077d..000000000 --- a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch +++ /dev/null @@ -1,21 +0,0 @@ -From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Wed, 26 Sep 2018 18:04:58 -0300 -Subject: Avoid exposing build directories - -The CFLAGS contain the build directories, and are shown by calling -SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a - -Signed-off-by: Eneas U de Queiroz - ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -57,7 +57,7 @@ top: - all: shared - - buildinf.h: ../Makefile -- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h -+ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h - - x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl - $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch new file mode 100644 index 000000000..84c68b16a --- /dev/null +++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch @@ -0,0 +1,60 @@ +From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Mon, 5 Nov 2018 15:54:17 -0200 +Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT + +Since each ioctl causes a context switch, slowing things down, if +EVP_MD_CTX_FLAG_ONESHOT is set, then: + - call the ioctl in digest_update, saving the result; and + - just copy the result in digest_final, instead of using another ioctl. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index a727c6f646..a2c9a966f7 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -461,6 +461,7 @@ struct digest_ctx { + struct session_op sess; + /* This signals that the init function was called, not that it succeeded. */ + int init_called; ++ unsigned char digest_res[HASH_MAX_LEN]; + }; + + static const struct digest_data_st { +@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) + if (digest_ctx == NULL) + return 0; + +- if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; ++ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { ++ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0) ++ return 1; ++ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) { ++ return 1; + } + +- return 1; ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; + } + + static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) +@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) + + if (md == NULL || digest_ctx == NULL) + return 0; +- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { ++ ++ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { ++ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); ++ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; + } diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch new file mode 100644 index 000000000..8745364cf --- /dev/null +++ b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch @@ -0,0 +1,569 @@ +From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Sat, 3 Nov 2018 15:41:10 -0300 +Subject: eng_devcrypto: add configuration options + +USE_SOFTDRIVERS: whether to use software (not accelerated) drivers +CIPHERS: list of ciphers to enable +DIGESTS: list of digests to enable + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index a2c9a966f7..5ec38ca8f3 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -16,6 +16,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -36,6 +37,30 @@ + * saner... why re-open /dev/crypto for every session? + */ + static int cfd; ++#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ ++#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ ++#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ ++ ++#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE ++static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; ++ ++/* ++ * cipher/digest status & acceleration definitions ++ * Make sure the defaults are set to 0 ++ */ ++struct driver_info_st { ++ enum devcrypto_status_t { ++ DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ ++ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ ++ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ ++ } status; ++ ++ enum devcrypto_accelerated_t { ++ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ ++ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ ++ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ ++ } accelerated; ++}; + + static int clean_devcrypto_session(struct session_op *sess) { + if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { +@@ -119,13 +144,22 @@ static const struct cipher_data_st { + #endif + }; + +-static size_t get_cipher_data_index(int nid) ++static size_t find_cipher_data_index(int nid) + { + size_t i; + + for (i = 0; i < OSSL_NELEM(cipher_data); i++) + if (nid == cipher_data[i].nid) + return i; ++ return (size_t)-1; ++} ++ ++static size_t get_cipher_data_index(int nid) ++{ ++ size_t i = find_cipher_data_index(nid); ++ ++ if (i != (size_t)-1) ++ return i; + + /* + * Code further down must make sure that only NIDs in the table above +@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) + } + + /* +- * Keep a table of known nids and associated methods. ++ * Keep tables of known nids, associated methods, selected ciphers, and driver ++ * info. + * Note that known_cipher_nids[] isn't necessarily indexed the same way as +- * cipher_data[] above, which known_cipher_methods[] is. ++ * cipher_data[] above, which the other tables are. + */ + static int known_cipher_nids[OSSL_NELEM(cipher_data)]; + static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; ++static int selected_ciphers[OSSL_NELEM(cipher_data)]; ++static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; ++ ++ ++static int devcrypto_test_cipher(size_t cipher_data_index) ++{ ++ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE ++ && selected_ciphers[cipher_data_index] == 1 ++ && (cipher_driver_info[cipher_data_index].accelerated ++ == DEVCRYPTO_ACCELERATED ++ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE ++ || (cipher_driver_info[cipher_data_index].accelerated ++ != DEVCRYPTO_NOT_ACCELERATED ++ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); ++} + + static void prepare_cipher_methods(void) + { + size_t i; + struct session_op sess; + unsigned long cipher_mode; ++#ifdef CIOCGSESSINFO ++ struct session_info_op siop; ++#endif ++ ++ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info)); + + memset(&sess, 0, sizeof(sess)); + sess.key = (void *)"01234567890123456789012345678901234567890123456789"; +@@ -353,15 +408,16 @@ static void prepare_cipher_methods(void) + for (i = 0, known_cipher_nids_amount = 0; + i < OSSL_NELEM(cipher_data); i++) { + ++ selected_ciphers[i] = 1; + /* +- * Check that the algo is really availably by trying to open and close +- * a session. ++ * Check that the cipher is usable + */ + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; +- if (ioctl(cfd, CIOCGSESSION, &sess) < 0 +- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) ++ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; + continue; ++ } + + cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; + +@@ -387,15 +443,41 @@ static void prepare_cipher_methods(void) + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], + sizeof(struct cipher_ctx))) { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; + EVP_CIPHER_meth_free(known_cipher_methods[i]); + known_cipher_methods[i] = NULL; + } else { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; ++#ifdef CIOCGSESSINFO ++ siop.ses = sess.ses; ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; ++ else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) ++ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ else ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++#endif /* CIOCGSESSINFO */ ++ } ++ ioctl(cfd, CIOCFSESSION, &sess.ses); ++ if (devcrypto_test_cipher(i)) { + known_cipher_nids[known_cipher_nids_amount++] = + cipher_data[i].nid; + } + } + } + ++static void rebuild_known_cipher_nids(ENGINE *e) ++{ ++ size_t i; ++ ++ for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) { ++ if (devcrypto_test_cipher(i)) ++ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid; ++ } ++ ENGINE_unregister_ciphers(e); ++ ENGINE_register_ciphers(e); ++} ++ + static const EVP_CIPHER *get_cipher_method(int nid) + { + size_t i = get_cipher_data_index(nid); +@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + return *cipher != NULL; + } + ++static void devcrypto_select_all_ciphers(int *cipher_list) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) ++ cipher_list[i] = 1; ++} ++ ++static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) ++{ ++ int *cipher_list = (int *)usr; ++ char *name; ++ const EVP_CIPHER *EVP; ++ size_t i; ++ ++ if (len == 0) ++ return 1; ++ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) ++ return 0; ++ EVP = EVP_get_cipherbyname(name); ++ if (EVP == NULL) ++ fprintf(stderr, "devcrypto: unknown cipher %s\n", name); ++ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1) ++ cipher_list[i] = 1; ++ else ++ fprintf(stderr, "devcrypto: cipher %s not available\n", name); ++ OPENSSL_free(name); ++ return 1; ++} ++ + /* + * We only support digests if the cryptodev implementation supports multiple + * data updates and session copying. Otherwise, we would be forced to maintain +@@ -493,13 +605,22 @@ static const struct digest_data_st { + #endif + }; + +-static size_t get_digest_data_index(int nid) ++static size_t find_digest_data_index(int nid) + { + size_t i; + + for (i = 0; i < OSSL_NELEM(digest_data); i++) + if (nid == digest_data[i].nid) + return i; ++ return (size_t)-1; ++} ++ ++static size_t get_digest_data_index(int nid) ++{ ++ size_t i = find_digest_data_index(nid); ++ ++ if (i != (size_t)-1) ++ return i; + + /* + * Code further down must make sure that only NIDs in the table above +@@ -516,8 +637,8 @@ static const struct digest_data_st *get_digest_data(int nid) + } + + /* +- * Following are the four necessary functions to map OpenSSL functionality +- * with cryptodev. ++ * Following are the five necessary functions to map OpenSSL functionality ++ * with cryptodev: init, update, final, cleanup, and copy. + */ + + static int digest_init(EVP_MD_CTX *ctx) +@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ctx) + return clean_devcrypto_session(&digest_ctx->sess); + } + +-static int devcrypto_test_digest(size_t digest_data_index) +-{ +- struct session_op sess1, sess2; +- struct cphash_op cphash; +- int ret=0; +- +- memset(&sess1, 0, sizeof(sess1)); +- memset(&sess2, 0, sizeof(sess2)); +- sess1.mac = digest_data[digest_data_index].devcryptoid; +- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) +- return 0; +- /* Make sure the driver is capable of hash state copy */ +- sess2.mac = sess1.mac; +- if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) { +- cphash.src_ses = sess1.ses; +- cphash.dst_ses = sess2.ses; +- if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0) +- ret = 1; +- ioctl(cfd, CIOCFSESSION, &sess2.ses); +- } +- ioctl(cfd, CIOCFSESSION, &sess1.ses); +- return ret; +-} +- + /* +- * Keep a table of known nids and associated methods. ++ * Keep tables of known nids, associated methods, selected digests, and ++ * driver info. + * Note that known_digest_nids[] isn't necessarily indexed the same way as +- * digest_data[] above, which known_digest_methods[] is. ++ * digest_data[] above, which the other tables are. + */ + static int known_digest_nids[OSSL_NELEM(digest_data)]; + static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ + static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; ++static int selected_digests[OSSL_NELEM(digest_data)]; ++static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; ++ ++static int devcrypto_test_digest(size_t digest_data_index) ++{ ++ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE ++ && selected_digests[digest_data_index] == 1 ++ && (digest_driver_info[digest_data_index].accelerated ++ == DEVCRYPTO_ACCELERATED ++ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE ++ || (digest_driver_info[digest_data_index].accelerated ++ != DEVCRYPTO_NOT_ACCELERATED ++ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); ++} ++ ++static void rebuild_known_digest_nids(ENGINE *e) ++{ ++ size_t i; ++ ++ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { ++ if (devcrypto_test_digest(i)) ++ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; ++ } ++ ENGINE_unregister_digests(e); ++ ENGINE_register_digests(e); ++} + + static void prepare_digest_methods(void) + { + size_t i; ++ struct session_op sess1, sess2; ++#ifdef CIOCGSESSINFO ++ struct session_info_op siop; ++#endif ++ struct cphash_op cphash; ++ ++ memset(&digest_driver_info, 0, sizeof(digest_driver_info)); ++ ++ memset(&sess1, 0, sizeof(sess1)); ++ memset(&sess2, 0, sizeof(sess2)); + + for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); + i++) { + ++ selected_digests[i] = 1; ++ + /* +- * Check that the algo is usable ++ * Check that the digest is usable + */ +- if (!devcrypto_test_digest(i)) +- continue; ++ sess1.mac = digest_data[i].devcryptoid; ++ sess2.ses = 0; ++ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ goto finish; ++ } + ++#ifdef CIOCGSESSINFO ++ /* gather hardware acceleration info from the driver */ ++ siop.ses = sess1.ses; ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; ++ else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ else ++ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++#endif ++ ++ /* digest must be capable of hash state copy */ ++ sess2.mac = sess1.mac; ++ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ goto finish; ++ } ++ cphash.src_ses = sess1.ses; ++ cphash.dst_ses = sess2.ses; ++ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ goto finish; ++ } + if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, + NID_undef)) == NULL + || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], +@@ -689,11 +852,18 @@ static void prepare_digest_methods(void) + || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) + || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], + sizeof(struct digest_ctx))) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; + EVP_MD_meth_free(known_digest_methods[i]); + known_digest_methods[i] = NULL; +- } else { +- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; ++ goto finish; + } ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; ++finish: ++ ioctl(cfd, CIOCFSESSION, &sess1.ses); ++ if (sess2.ses != 0) ++ ioctl(cfd, CIOCFSESSION, &sess2.ses); ++ if (devcrypto_test_digest(i)) ++ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; + } + } + +@@ -739,8 +909,154 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, + return *digest != NULL; + } + ++static void devcrypto_select_all_digests(int *digest_list) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) ++ digest_list[i] = 1; ++} ++ ++static int cryptodev_select_digest_cb(const char *str, int len, void *usr) ++{ ++ int *digest_list = (int *)usr; ++ char *name; ++ const EVP_MD *EVP; ++ size_t i; ++ ++ if (len == 0) ++ return 1; ++ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) ++ return 0; ++ EVP = EVP_get_digestbyname(name); ++ if (EVP == NULL) ++ fprintf(stderr, "devcrypto: unknown digest %s\n", name); ++ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1) ++ digest_list[i] = 1; ++ else ++ fprintf(stderr, "devcrypto: digest %s not available\n", name); ++ OPENSSL_free(name); ++ return 1; ++} ++ ++#endif ++ ++/****************************************************************************** ++ * ++ * CONTROL COMMANDS ++ * ++ *****/ ++ ++#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE ++#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1) ++#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2) ++#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) ++ ++/* Helper macros for CPP string composition */ ++#ifndef OPENSSL_MSTR ++# define OPENSSL_MSTR_HELPER(x) #x ++# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) ++#endif ++ ++static const ENGINE_CMD_DEFN devcrypto_cmds[] = { ++#ifdef CIOCGSESSINFO ++ {DEVCRYPTO_CMD_USE_SOFTDRIVERS, ++ "USE_SOFTDRIVERS", ++ "specifies whether to use software (not accelerated) drivers (" ++ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, " ++ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " ++ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) ++ "=use if acceleration can't be determined) [default=" ++ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", ++ ENGINE_CMD_FLAG_NUMERIC}, ++#endif ++ ++ {DEVCRYPTO_CMD_CIPHERS, ++ "CIPHERS", ++ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]", ++ ENGINE_CMD_FLAG_STRING}, ++ ++#ifdef IMPLEMENT_DIGEST ++ {DEVCRYPTO_CMD_DIGESTS, ++ "DIGESTS", ++ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", ++ ENGINE_CMD_FLAG_STRING}, + #endif + ++ {0, NULL, NULL, 0} ++}; ++ ++static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) ++{ ++ int *new_list; ++ switch (cmd) { ++#ifdef CIOCGSESSINFO ++ case DEVCRYPTO_CMD_USE_SOFTDRIVERS: ++ switch (i) { ++ case DEVCRYPTO_REQUIRE_ACCELERATED: ++ case DEVCRYPTO_USE_SOFTWARE: ++ case DEVCRYPTO_REJECT_SOFTWARE: ++ break; ++ default: ++ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i); ++ return 0; ++ } ++ if (use_softdrivers == i) ++ return 1; ++ use_softdrivers = i; ++#ifdef IMPLEMENT_DIGEST ++ rebuild_known_digest_nids(e); ++#endif ++ rebuild_known_cipher_nids(e); ++ return 1; ++#endif /* CIOCGSESSINFO */ ++ ++ case DEVCRYPTO_CMD_CIPHERS: ++ if (p == NULL) ++ return 1; ++ if (strcasecmp((const char *)p, "ALL") == 0) { ++ devcrypto_select_all_ciphers(selected_ciphers); ++ } else if (strcasecmp((const char*)p, "NONE") == 0) { ++ memset(selected_ciphers, 0, sizeof(selected_ciphers)); ++ } else { ++ new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); ++ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) { ++ OPENSSL_free(new_list); ++ return 0; ++ } ++ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers)); ++ OPENSSL_free(new_list); ++ } ++ rebuild_known_cipher_nids(e); ++ return 1; ++ ++#ifdef IMPLEMENT_DIGEST ++ case DEVCRYPTO_CMD_DIGESTS: ++ if (p == NULL) ++ return 1; ++ if (strcasecmp((const char *)p, "ALL") == 0) { ++ devcrypto_select_all_digests(selected_digests); ++ } else if (strcasecmp((const char*)p, "NONE") == 0) { ++ memset(selected_digests, 0, sizeof(selected_digests)); ++ } else { ++ new_list=OPENSSL_zalloc(sizeof(selected_digests)); ++ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) { ++ OPENSSL_free(new_list); ++ return 0; ++ } ++ memcpy(selected_digests, new_list, sizeof(selected_digests)); ++ OPENSSL_free(new_list); ++ } ++ rebuild_known_digest_nids(e); ++ return 1; ++#endif /* IMPLEMENT_DIGEST */ ++ ++ default: ++ break; ++ } ++ return 0; ++} ++ + /****************************************************************************** + * + * LOAD / UNLOAD +@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int() + + if (!ENGINE_set_id(e, "devcrypto") + || !ENGINE_set_name(e, "/dev/crypto engine") ++ || !ENGINE_set_cmd_defns(e, devcrypto_cmds) ++ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) + + /* + * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch new file mode 100644 index 000000000..ad83a51a1 --- /dev/null +++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch @@ -0,0 +1,275 @@ +From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Tue, 6 Nov 2018 22:54:07 -0200 +Subject: eng_devcrypto: add command to dump driver info + +This is useful to determine the kernel driver running each algorithm. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 5ec38ca8f3..64dc6b891d 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; + */ + struct driver_info_st { + enum devcrypto_status_t { +- DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ +- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ +- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ ++ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */ ++ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */ ++ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */ ++ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ ++ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ + } status; + + enum devcrypto_accelerated_t { +- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ +- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ +- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ ++ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ ++ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ ++ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ + } accelerated; ++ ++ char *driver_name; + }; + + static int clean_devcrypto_session(struct session_op *sess) { +@@ -415,7 +419,7 @@ static void prepare_cipher_methods(void) + sess.cipher = cipher_data[i].devcryptoid; + sess.keylen = cipher_data[i].keylen; + if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { +- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; + continue; + } + +@@ -443,19 +447,24 @@ static void prepare_cipher_methods(void) + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], + sizeof(struct cipher_ctx))) { +- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; + EVP_CIPHER_meth_free(known_cipher_methods[i]); + known_cipher_methods[i] = NULL; + } else { + cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; + #ifdef CIOCGSESSINFO + siop.ses = sess.ses; +- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { + cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; +- else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) +- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; +- else +- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ } else { ++ cipher_driver_info[i].driver_name = ++ OPENSSL_strndup(siop.cipher_info.cra_driver_name, ++ CRYPTODEV_MAX_ALG_NAME); ++ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) ++ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ else ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ } + #endif /* CIOCGSESSINFO */ + } + ioctl(cfd, CIOCFSESSION, &sess.ses); +@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(void) + { + size_t i; + +- for (i = 0; i < OSSL_NELEM(cipher_data); i++) ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { + destroy_cipher_method(cipher_data[i].nid); ++ OPENSSL_free(cipher_driver_info[i].driver_name); ++ cipher_driver_info[i].driver_name = NULL; ++ } + } + + static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, +@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) + return 1; + } + ++static void dump_cipher_info(void) ++{ ++ size_t i; ++ const char *name; ++ ++ fprintf (stderr, "Information about ciphers supported by the /dev/crypto" ++ " engine:\n"); ++#ifndef CIOCGSESSINFO ++ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); ++#endif ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { ++ name = OBJ_nid2sn(cipher_data[i].nid); ++ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ", ++ name ? name : "unknown", cipher_data[i].nid, ++ cipher_data[i].devcryptoid); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) { ++ fprintf (stderr, "CIOCGSESSION (session open call) failed\n"); ++ continue; ++ } ++ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ? ++ cipher_driver_info[i].driver_name : "unknown"); ++ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) ++ fprintf(stderr, "(hw accelerated)"); ++ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) ++ fprintf(stderr, "(software)"); ++ else ++ fprintf(stderr, "(acceleration status unknown)"); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) ++ fprintf (stderr, ". Cipher setup failed"); ++ fprintf(stderr, "\n"); ++ } ++ fprintf(stderr, "\n"); ++} ++ + /* + * We only support digests if the cryptodev implementation supports multiple + * data updates and session copying. Otherwise, we would be forced to maintain +@@ -812,31 +858,36 @@ static void prepare_digest_methods(void) + sess1.mac = digest_data[i].devcryptoid; + sess2.ses = 0; + if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; + goto finish; + } + + #ifdef CIOCGSESSINFO + /* gather hardware acceleration info from the driver */ + siop.ses = sess1.ses; +- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { + digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; +- else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) +- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; +- else +- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ } else { ++ digest_driver_info[i].driver_name = ++ OPENSSL_strndup(siop.hash_info.cra_driver_name, ++ CRYPTODEV_MAX_ALG_NAME); ++ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ else ++ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ } + #endif + + /* digest must be capable of hash state copy */ + sess2.mac = sess1.mac; + if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; + goto finish; + } + cphash.src_ses = sess1.ses; + cphash.dst_ses = sess2.ses; + if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; + goto finish; + } + if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, +@@ -852,7 +903,7 @@ static void prepare_digest_methods(void) + || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) + || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], + sizeof(struct digest_ctx))) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; + EVP_MD_meth_free(known_digest_methods[i]); + known_digest_methods[i] = NULL; + goto finish; +@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(void) + { + size_t i; + +- for (i = 0; i < OSSL_NELEM(digest_data); i++) ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) { + destroy_digest_method(digest_data[i].nid); ++ OPENSSL_free(digest_driver_info[i].driver_name); ++ digest_driver_info[i].driver_name = NULL; ++ } + } + + static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, +@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(const char *str, int len, void *usr) + return 1; + } + ++static void dump_digest_info(void) ++{ ++ size_t i; ++ const char *name; ++ ++ fprintf (stderr, "Information about digests supported by the /dev/crypto" ++ " engine:\n"); ++#ifndef CIOCGSESSINFO ++ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); ++#endif ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) { ++ name = OBJ_nid2sn(digest_data[i].nid); ++ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s", ++ name ? name : "unknown", digest_data[i].nid, ++ digest_data[i].devcryptoid, ++ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown"); ++ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) { ++ fprintf (stderr, ". CIOCGSESSION (session open) failed\n"); ++ continue; ++ } ++ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) ++ fprintf(stderr, " (hw accelerated)"); ++ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) ++ fprintf(stderr, " (software)"); ++ else ++ fprintf(stderr, " (acceleration status unknown)"); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) ++ fprintf (stderr, ". Cipher setup failed\n"); ++ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH) ++ fprintf(stderr, ", CIOCCPHASH failed\n"); ++ else ++ fprintf(stderr, ", CIOCCPHASH capable\n"); ++ } ++ fprintf(stderr, "\n"); ++} ++ + #endif + + /****************************************************************************** +@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { + ENGINE_CMD_FLAG_STRING}, + #endif + ++ {DEVCRYPTO_CMD_DUMP_INFO, ++ "DUMP_INFO", ++ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'", ++ ENGINE_CMD_FLAG_NO_INPUT}, ++ + {0, NULL, NULL, 0} + }; + +@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) + return 1; + #endif /* IMPLEMENT_DIGEST */ + ++ case DEVCRYPTO_CMD_DUMP_INFO: ++ dump_cipher_info(); ++#ifdef IMPLEMENT_DIGEST ++ dump_digest_info(); ++#endif ++ return 1; ++ + default: + break; + } diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch new file mode 100644 index 000000000..ee3394242 --- /dev/null +++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch @@ -0,0 +1,368 @@ +From f3cef70b34afde3afd13ce3636232d41533b0162 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Tue, 6 Nov 2018 10:57:03 -0200 +Subject: e_devcrypto: make the /dev/crypto engine dynamic + +Engine has been moved from crypto/engine/eng_devcrypto.c to +engines/e_devcrypto.c. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/crypto/engine/build.info b/crypto/engine/build.info +index e00802a3fd..47fe948966 100644 +--- a/crypto/engine/build.info ++++ b/crypto/engine/build.info +@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ + tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c tb_eckey.c \ + eng_openssl.c eng_cnf.c eng_dyn.c \ + eng_rdrand.c +-IF[{- !$disabled{devcryptoeng} -}] +- SOURCE[../../libcrypto]=eng_devcrypto.c +-ENDIF +diff --git a/crypto/init.c b/crypto/init.c +index 9fc0e8ef68..b387559920 100644 +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) + engine_load_openssl_int(); + return 1; + } +-# ifndef OPENSSL_NO_DEVCRYPTOENG +-static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; +-DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) +-{ +-# ifdef OPENSSL_INIT_DEBUG +- fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " +- "engine_load_devcrypto_int()\n"); +-# endif +- engine_load_devcrypto_int(); +- return 1; +-} +-# endif + + # ifndef OPENSSL_NO_RDRAND + static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; +@@ -365,6 +353,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) + return 1; + } + # ifndef OPENSSL_NO_STATIC_ENGINE ++# ifndef OPENSSL_NO_DEVCRYPTOENG ++static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) ++{ ++# ifdef OPENSSL_INIT_DEBUG ++ fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " ++ "engine_load_devcrypto_int()\n"); ++# endif ++ engine_load_devcrypto_int(); ++ return 1; ++} ++# endif + # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; + DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) +@@ -713,11 +713,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) + if ((opts & OPENSSL_INIT_ENGINE_OPENSSL) + && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl)) + return 0; +-# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_DEVCRYPTOENG) +- if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) +- && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) +- return 0; +-# endif + # ifndef OPENSSL_NO_RDRAND + if ((opts & OPENSSL_INIT_ENGINE_RDRAND) + && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) +@@ -727,6 +722,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) + && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) + return 0; + # ifndef OPENSSL_NO_STATIC_ENGINE ++# ifndef OPENSSL_NO_DEVCRYPTOENG ++ if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) ++ && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) ++ return 0; ++# endif + # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) + && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) +diff --git a/engines/build.info b/engines/build.info +index 1db771971c..33a25d7004 100644 +--- a/engines/build.info ++++ b/engines/build.info +@@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] + IF[{- !$disabled{afalgeng} -}] + SOURCE[../libcrypto]=e_afalg.c + ENDIF ++ IF[{- !$disabled{"devcryptoeng"} -}] ++ SOURCE[../libcrypto]=e_devcrypto.c ++ ENDIF + ELSE + IF[{- !$disabled{hw} && !$disabled{'hw-padlock'} -}] + ENGINES=padlock +@@ -30,6 +33,12 @@ IF[{- !$disabled{"engine"} -}] + DEPEND[afalg]=../libcrypto + INCLUDE[afalg]= ../include + ENDIF ++ IF[{- !$disabled{"devcryptoeng"} -}] ++ ENGINES=devcrypto ++ SOURCE[devcrypto]=e_devcrypto.c ++ DEPEND[devcrypto]=../libcrypto ++ INCLUDE[devcrypto]=../include ++ ENDIF + + ENGINES_NO_INST=ossltest dasync + SOURCE[dasync]=e_dasync.c +diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c +similarity index 95% +rename from crypto/engine/eng_devcrypto.c +rename to engines/e_devcrypto.c +index 64dc6b891d..fb5c6e1636 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -7,7 +7,7 @@ + * https://www.openssl.org/source/license.html + */ + +-#include "e_os.h" ++#include "../e_os.h" + #include + #include + #include +@@ -23,26 +23,26 @@ + #include + #include + +-#include "internal/engine.h" +- + /* #define ENGINE_DEVCRYPTO_DEBUG */ + + #if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX + # define CHECK_BSD_STYLE_MACROS + #endif + ++#define engine_devcrypto_id "devcrypto" ++ + /* + * ONE global file descriptor for all sessions. This allows operations + * such as digest session data copying (see digest_copy()), but is also + * saner... why re-open /dev/crypto for every session? + */ +-static int cfd; ++static int cfd = -1; + #define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ + #define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ + #define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ + +-#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE +-static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; ++#define DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS DEVCRYPTO_REJECT_SOFTWARE ++static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS; + + /* + * cipher/digest status & acceleration definitions +@@ -66,6 +66,10 @@ struct driver_info_st { + char *driver_name; + }; + ++#ifdef OPENSSL_NO_DYNAMIC_ENGINE ++void engine_load_devcrypto_int(void); ++#endif ++ + static int clean_devcrypto_session(struct session_op *sess) { + if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { + SYSerr(SYS_F_IOCTL, errno); +@@ -341,6 +345,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) + struct cipher_ctx *to_cipher_ctx; + + switch (type) { ++ + case EVP_CTRL_COPY: + if (cipher_ctx == NULL) + return 1; +@@ -702,7 +707,6 @@ static int digest_init(EVP_MD_CTX *ctx) + SYSerr(SYS_F_IOCTL, errno); + return 0; + } +- + return 1; + } + +@@ -1058,7 +1062,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { + OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " + OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) + "=use if acceleration can't be determined) [default=" +- OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", ++ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS) "]", + ENGINE_CMD_FLAG_NUMERIC}, + #endif + +@@ -1166,55 +1170,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) + * + *****/ + +-static int devcrypto_unload(ENGINE *e) +-{ +- destroy_all_cipher_methods(); +-#ifdef IMPLEMENT_DIGEST +- destroy_all_digest_methods(); +-#endif +- +- close(cfd); +- +- return 1; +-} + /* +- * This engine is always built into libcrypto, so it doesn't offer any +- * ability to be dynamically loadable. ++ * Opens /dev/crypto + */ +-void engine_load_devcrypto_int() ++static int open_devcrypto(void) + { +- ENGINE *e = NULL; ++ if (cfd >= 0) ++ return 1; + + if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { + #ifndef ENGINE_DEVCRYPTO_DEBUG + if (errno != ENOENT) + #endif + fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); +- return; ++ return 0; + } + +- if ((e = ENGINE_new()) == NULL +- || !ENGINE_set_destroy_function(e, devcrypto_unload)) { +- ENGINE_free(e); +- /* +- * We know that devcrypto_unload() won't be called when one of the +- * above two calls have failed, so we close cfd explicitly here to +- * avoid leaking resources. +- */ +- close(cfd); +- return; ++ return 1; ++} ++ ++static int close_devcrypto(void) ++{ ++ int ret; ++ ++ if (cfd < 0) ++ return 1; ++ ret = close(cfd); ++ cfd = -1; ++ if (ret != 0) { ++ fprintf(stderr, "Error closing /dev/crypto: %s\n", strerror(errno)); ++ return 0; + } ++ return 1; ++} + +- prepare_cipher_methods(); ++static int devcrypto_unload(ENGINE *e) ++{ ++ destroy_all_cipher_methods(); + #ifdef IMPLEMENT_DIGEST +- prepare_digest_methods(); ++ destroy_all_digest_methods(); + #endif + +- if (!ENGINE_set_id(e, "devcrypto") ++ close_devcrypto(); ++ ++ return 1; ++} ++ ++static int bind_devcrypto(ENGINE *e) { ++ ++ if (!ENGINE_set_id(e, engine_devcrypto_id) + || !ENGINE_set_name(e, "/dev/crypto engine") ++ || !ENGINE_set_destroy_function(e, devcrypto_unload) + || !ENGINE_set_cmd_defns(e, devcrypto_cmds) +- || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) ++ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)) ++ return 0; ++ ++ prepare_cipher_methods(); ++#ifdef IMPLEMENT_DIGEST ++ prepare_digest_methods(); ++#endif + ++ return (ENGINE_set_ciphers(e, devcrypto_ciphers) ++#ifdef IMPLEMENT_DIGEST ++ && ENGINE_set_digests(e, devcrypto_digests) ++#endif + /* + * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD + * implementations, it seems to only exist in FreeBSD, and regarding the +@@ -1237,23 +1256,36 @@ void engine_load_devcrypto_int() + */ + #if 0 + # ifndef OPENSSL_NO_RSA +- || !ENGINE_set_RSA(e, devcrypto_rsa) ++ && ENGINE_set_RSA(e, devcrypto_rsa) + # endif + # ifndef OPENSSL_NO_DSA +- || !ENGINE_set_DSA(e, devcrypto_dsa) ++ && ENGINE_set_DSA(e, devcrypto_dsa) + # endif + # ifndef OPENSSL_NO_DH +- || !ENGINE_set_DH(e, devcrypto_dh) ++ && ENGINE_set_DH(e, devcrypto_dh) + # endif + # ifndef OPENSSL_NO_EC +- || !ENGINE_set_EC(e, devcrypto_ec) ++ && ENGINE_set_EC(e, devcrypto_ec) + # endif + #endif +- || !ENGINE_set_ciphers(e, devcrypto_ciphers) +-#ifdef IMPLEMENT_DIGEST +- || !ENGINE_set_digests(e, devcrypto_digests) +-#endif +- ) { ++ ); ++} ++ ++#ifdef OPENSSL_NO_DYNAMIC_ENGINE ++/* ++ * In case this engine is built into libcrypto, then it doesn't offer any ++ * ability to be dynamically loadable. ++ */ ++void engine_load_devcrypto_int(void) ++{ ++ ENGINE *e = NULL; ++ ++ if (!open_devcrypto()) ++ return; ++ ++ if ((e = ENGINE_new()) == NULL ++ || !bind_devcrypto(e)) { ++ close_devcrypto(); + ENGINE_free(e); + return; + } +@@ -1262,3 +1294,22 @@ void engine_load_devcrypto_int() + ENGINE_free(e); /* Loose our local reference */ + ERR_clear_error(); + } ++ ++#else ++ ++static int bind_helper(ENGINE *e, const char *id) ++{ ++ if ((id && (strcmp(id, engine_devcrypto_id) != 0)) ++ || !open_devcrypto()) ++ return 0; ++ if (!bind_devcrypto(e)) { ++ close_devcrypto(); ++ return 0; ++ } ++ return 1; ++} ++ ++IMPLEMENT_DYNAMIC_CHECK_FN() ++IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) ++ ++#endif diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch new file mode 100644 index 000000000..89385fa47 --- /dev/null +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -0,0 +1,43 @@ +From 52ddedc09ee81fe05ea2fa384fce89afe92d6d72 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Mon, 11 Mar 2019 09:29:13 -0300 +Subject: e_devcrypto: default to not use digests in engine + +Digests are almost always slower when using /dev/crypto because of the +cost of the context switches. Only for large blocks it is worth it. + +Also, when forking, the open context structures are duplicated, but the +internal kernel sessions are still shared between forks, which means an +update/close operation in one fork affects all processes using that +session. + +This affects digests, especially for HMAC, where the session with the +key hash is used as a source for subsequent operations. At least one +popular application does this across a fork. Disabling digests by +default will mitigate the problem, while still allowing the user to +turn them on if it is safe and fast enough. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c +index fb5c6e1636..7741138b82 100644 +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -854,7 +854,7 @@ static void prepare_digest_methods(void) + for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); + i++) { + +- selected_digests[i] = 1; ++ selected_digests[i] = 0; + + /* + * Check that the digest is usable +@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { + #ifdef IMPLEMENT_DIGEST + {DEVCRYPTO_CMD_DIGESTS, + "DIGESTS", +- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", ++ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]", + ENGINE_CMD_FLAG_STRING}, + #endif + diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch new file mode 100644 index 000000000..087994376 --- /dev/null +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -0,0 +1,26 @@ +From b6b2744f06f64922b449b3cb4bf0ad3df3efba71 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Mon, 11 Mar 2019 10:15:14 -0300 +Subject: e_devcrypto: ignore error when closing session + +In cipher_init, ignore an eventual error when closing the previous +session. It may have been closed by another process after a fork. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c +index 7741138b82..2480bdbd57 100644 +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); + + /* cleanup a previous session */ +- if (cipher_ctx->sess.ses != 0 && +- clean_devcrypto_session(&cipher_ctx->sess) == 0) +- return 0; ++ if (cipher_ctx->sess.ses != 0) ++ clean_devcrypto_session(&cipher_ctx->sess); + + cipher_ctx->sess.cipher = cipher_d->devcryptoid; + cipher_ctx->sess.keylen = cipher_d->keylen;