[neon/qt/qtbase/Neon/release] debian: Backport upstream changes to improve support for OpenSSL 3.0.
Dmitry Shachnev
null at kde.org
Thu May 5 10:59:25 BST 2022
Git commit ac269709b1fd6ce3f2233e5a717786f56929df04 by Dmitry Shachnev.
Committed on 05/12/2021 at 14:33.
Pushed by jriddell into branch 'Neon/release'.
Backport upstream changes to improve support for OpenSSL 3.0.
M +2 -0 debian/changelog
A +186 -0 debian/patches/openssl3.diff
M +1 -0 debian/patches/series
https://invent.kde.org/neon/qt/qtbase/commit/ac269709b1fd6ce3f2233e5a717786f56929df04
diff --git a/debian/changelog b/debian/changelog
index 1bcdc20..8621a32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
qtbase-opensource-src (5.15.2+dfsg-15) UNRELEASED; urgency=medium
+ [ Dmitry Shachnev ]
+ * Backport upstream changes to improve support for OpenSSL 3.0.
-- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org> Sun, 05 Dec 2021 17:23:13 +0300
diff --git a/debian/patches/openssl3.diff b/debian/patches/openssl3.diff
new file mode 100644
index 0000000..e48f60b
--- /dev/null
+++ b/debian/patches/openssl3.diff
@@ -0,0 +1,186 @@
+Description: upstream fixes to support OpenSSL 3.0
+Origin: upstream, commits
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3186ca3e3972cf46
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=408656c6f9de326c
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=ae6590e360fbb04d
+ and a small part of
+ https://code.qt.io/cgit/qt/qtbase.git/commit/?id=4c0f81490ba0c4ec
+Last-Update: 2021-12-05
+
+--- a/src/network/ssl/qsslcontext_openssl.cpp
++++ b/src/network/ssl/qsslcontext_openssl.cpp
+@@ -409,7 +409,7 @@ init_context:
+ break;
+ case QSsl::DtlsV1_0OrLater:
+ minVersion = DTLS1_VERSION;
+- maxVersion = DTLS_MAX_VERSION;
++ maxVersion = 0;
+ break;
+ case QSsl::DtlsV1_2:
+ minVersion = DTLS1_2_VERSION;
+@@ -417,7 +417,7 @@ init_context:
+ break;
+ case QSsl::DtlsV1_2OrLater:
+ minVersion = DTLS1_2_VERSION;
+- maxVersion = DTLS_MAX_VERSION;
++ maxVersion = 0;
+ break;
+ case QSsl::TlsV1_3OrLater:
+ #ifdef TLS1_3_VERSION
+--- a/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
++++ b/src/network/ssl/qssldiffiehellmanparameters_openssl.cpp
+@@ -59,57 +59,6 @@
+
+ QT_BEGIN_NAMESPACE
+
+-#ifdef OPENSSL_NO_DEPRECATED_3_0
+-
+-static int q_DH_check(DH *dh, int *status)
+-{
+- // DH_check was first deprecated in OpenSSL 3.0.0, as low-level
+- // API; the EVP_PKEY family of functions was advised as an alternative.
+- // As of now EVP_PKEY_params_check ends up calling ... DH_check,
+- // which is good enough.
+-
+- Q_ASSERT(dh);
+- Q_ASSERT(status);
+-
+- EVP_PKEY *key = q_EVP_PKEY_new();
+- if (!key) {
+- qCWarning(lcSsl, "EVP_PKEY_new failed");
+- QSslSocketBackendPrivate::logAndClearErrorQueue();
+- return 0;
+- }
+- const auto keyDeleter = qScopeGuard([key](){
+- q_EVP_PKEY_free(key);
+- });
+- if (!q_EVP_PKEY_set1_DH(key, dh)) {
+- qCWarning(lcSsl, "EVP_PKEY_set1_DH failed");
+- QSslSocketBackendPrivate::logAndClearErrorQueue();
+- return 0;
+- }
+-
+- EVP_PKEY_CTX *keyCtx = q_EVP_PKEY_CTX_new(key, nullptr);
+- if (!keyCtx) {
+- qCWarning(lcSsl, "EVP_PKEY_CTX_new failed");
+- QSslSocketBackendPrivate::logAndClearErrorQueue();
+- return 0;
+- }
+- const auto ctxDeleter = qScopeGuard([keyCtx]{
+- q_EVP_PKEY_CTX_free(keyCtx);
+- });
+-
+- const int result = q_EVP_PKEY_param_check(keyCtx);
+- QSslSocketBackendPrivate::logAndClearErrorQueue();
+- // Note: unlike DH_check, we cannot obtain the 'status',
+- // if the 'result' is 0 (actually the result is 1 only
+- // if this 'status' was 0). We could probably check the
+- // errors from the error queue, but it's not needed anyway
+- // - see the 'isSafeDH' below, how it returns immediately
+- // on 0.
+- Q_UNUSED(status)
+-
+- return result;
+-}
+-#endif // OPENSSL_NO_DEPRECATED_3_0
+-
+ static bool isSafeDH(DH *dh)
+ {
+ int status = 0;
+--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
++++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
+@@ -368,7 +368,13 @@ DEFINEFUNC(const SSL_CIPHER *, SSL_get_c
+ DEFINEFUNC(int, SSL_version, const SSL *a, a, return 0, return)
+ DEFINEFUNC2(int, SSL_get_error, SSL *a, a, int b, b, return -1, return)
+ DEFINEFUNC(STACK_OF(X509) *, SSL_get_peer_cert_chain, SSL *a, a, return nullptr, return)
++
++#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
++DEFINEFUNC(X509 *, SSL_get1_peer_certificate, SSL *a, a, return nullptr, return)
++#else
+ DEFINEFUNC(X509 *, SSL_get_peer_certificate, SSL *a, a, return nullptr, return)
++#endif // OPENSSL_VERSION_MAJOR >= 3
++
+ DEFINEFUNC(long, SSL_get_verify_result, const SSL *a, a, return -1, return)
+ DEFINEFUNC(SSL *, SSL_new, SSL_CTX *a, a, return nullptr, return)
+ DEFINEFUNC(SSL_CTX *, SSL_get_SSL_CTX, SSL *a, a, return nullptr, return)
+@@ -489,9 +495,7 @@ DEFINEFUNC(DH *, DH_new, DUMMYARG, DUMMY
+ DEFINEFUNC(void, DH_free, DH *dh, dh, return, DUMMYARG)
+ DEFINEFUNC3(DH *, d2i_DHparams, DH**a, a, const unsigned char **pp, pp, long length, length, return nullptr, return)
+ DEFINEFUNC2(int, i2d_DHparams, DH *a, a, unsigned char **p, p, return -1, return)
+-#ifndef OPENSSL_NO_DEPRECATED_3_0
+ DEFINEFUNC2(int, DH_check, DH *dh, dh, int *codes, codes, return 0, return)
+-#endif // OPENSSL_NO_DEPRECATED_3_0
+ DEFINEFUNC3(BIGNUM *, BN_bin2bn, const unsigned char *s, s, int len, len, BIGNUM *ret, ret, return nullptr, return)
+
+ #ifndef OPENSSL_NO_EC
+@@ -1073,7 +1077,13 @@ bool q_resolveOpenSslSymbols()
+ RESOLVEFUNC(SSL_version)
+ RESOLVEFUNC(SSL_get_error)
+ RESOLVEFUNC(SSL_get_peer_cert_chain)
++
++#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
++ RESOLVEFUNC(SSL_get1_peer_certificate)
++#else
+ RESOLVEFUNC(SSL_get_peer_certificate)
++#endif // OPENSSL_VERSION_MAJOR >= 3
++
+ RESOLVEFUNC(SSL_get_verify_result)
+ RESOLVEFUNC(SSL_new)
+ RESOLVEFUNC(SSL_get_SSL_CTX)
+@@ -1172,9 +1182,7 @@ bool q_resolveOpenSslSymbols()
+ RESOLVEFUNC(DH_free)
+ RESOLVEFUNC(d2i_DHparams)
+ RESOLVEFUNC(i2d_DHparams)
+-#ifndef OPENSSL_NO_DEPRECATED_3_0
+ RESOLVEFUNC(DH_check)
+-#endif // OPENSSL_NO_DEPRECATED_3_0
+ RESOLVEFUNC(BN_bin2bn)
+
+ #ifndef OPENSSL_NO_EC
+--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
++++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
+@@ -236,7 +236,6 @@ Q_AUTOTEST_EXPORT int q_EVP_PKEY_up_ref(
+ EVP_PKEY_CTX *q_EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
+ void q_EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
+ int q_EVP_PKEY_param_check(EVP_PKEY_CTX *ctx);
+-int q_EVP_PKEY_base_id(EVP_PKEY *a);
+ int q_RSA_bits(RSA *a);
+ Q_AUTOTEST_EXPORT int q_OPENSSL_sk_num(OPENSSL_STACK *a);
+ Q_AUTOTEST_EXPORT void q_OPENSSL_sk_pop_free(OPENSSL_STACK *a, void (*b)(void *));
+@@ -509,7 +508,6 @@ const SSL_CIPHER *q_SSL_get_current_ciph
+ int q_SSL_version(const SSL *a);
+ int q_SSL_get_error(SSL *a, int b);
+ STACK_OF(X509) *q_SSL_get_peer_cert_chain(SSL *a);
+-X509 *q_SSL_get_peer_certificate(SSL *a);
+ long q_SSL_get_verify_result(const SSL *a);
+ SSL *q_SSL_new(SSL_CTX *a);
+ SSL_CTX *q_SSL_get_SSL_CTX(SSL *a);
+@@ -581,10 +579,7 @@ DH *q_DH_new();
+ void q_DH_free(DH *dh);
+ DH *q_d2i_DHparams(DH **a, const unsigned char **pp, long length);
+ int q_i2d_DHparams(DH *a, unsigned char **p);
+-
+-#ifndef OPENSSL_NO_DEPRECATED_3_0
+ int q_DH_check(DH *dh, int *codes);
+-#endif // OPENSSL_NO_DEPRECATED_3_0
+
+ BIGNUM *q_BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+ #define q_SSL_CTX_set_tmp_dh(ctx, dh) q_SSL_CTX_ctrl((ctx), SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
+@@ -751,6 +746,17 @@ void *q_CRYPTO_malloc(size_t num, const
+ int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
+ void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
+
++// Here we have the ones that make difference between OpenSSL pre/post v3:
++#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
++X509 *q_SSL_get1_peer_certificate(SSL *a);
++#define q_SSL_get_peer_certificate q_SSL_get1_peer_certificate
++int q_EVP_PKEY_get_base_id(const EVP_PKEY *pkey);
++#define q_EVP_PKEY_base_id q_EVP_PKEY_get_base_id
++#else
++X509 *q_SSL_get_peer_certificate(SSL *a);
++int q_EVP_PKEY_base_id(EVP_PKEY *a);
++#endif // OPENSSL_VERSION_MAJOR >= 3
++
+ QT_END_NAMESPACE
+
+ #endif
diff --git a/debian/patches/series b/debian/patches/series
index 8c127ef..8725f63 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,6 +14,7 @@ xcb_add_a_timeout_control_when_reading_INCR_property.diff
fix_recursion_crash.diff
mysql_field_readonly.diff
CVE-2021-38593.diff
+openssl3.diff
# Debian specific.
gnukfreebsd.diff
More information about the Neon-commits
mailing list