Index: files/patch-libressl =================================================================== --- files/patch-libressl (nonexistent) +++ files/patch-libressl (working copy) 
@@ -0,0 +1,163 @@ +diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslcontext_openssl.cpp qtbase-opensource-src-5.7.1/src/network/ssl/qsslcontext_openssl.cpp +--- src/network/ssl/qsslcontext_openssl.cpp 2017-02-05 11:52:45.100394264 -0800 ++++ src/network/ssl/qsslcontext_openssl.cpp 2017-02-05 11:57:21.159178021 -0800 +@@ -71,6 +71,15 @@ + return dh; + } + ++static bool q_enableECSetCurves() { ++ // The ability to select elliptic curves is ++ // present in OpenSSL 1.0.2+ and in LibreSSL 2.5.1+ ++ // RFC4492 Section 5.1.1 "Supported Elliptic Curves Extension" ++ return (q_SSLeay() >= 0x10002000L && !q_LibreSSL()) || ++ q_LibreSSL_version() >= 0x2050100fL; ++} ++ ++ + QSslContext::QSslContext() + : ctx(0), + pkey(0), +@@ -347,23 +356,20 @@ + + const QVector qcurves = sslContext->sslConfiguration.ellipticCurves(); + if (!qcurves.isEmpty()) { +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) ++#if defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC) + // Set the curves to be used +- if (q_SSLeay() >= 0x10002000L) { +- // SSL_CTX_ctrl wants a non-const pointer as last argument, +- // but let's avoid a copy into a temporary array +- if (!q_SSL_CTX_ctrl(sslContext->ctx, +- SSL_CTRL_SET_CURVES, +- qcurves.size(), +- const_cast(reinterpret_cast(qcurves.data())))) { ++ if (q_enableECSetCurves()) { ++ if (!q_SSL_CTX_set1_groups(sslContext->ctx, ++ reinterpret_cast(qcurves.data()), ++ qcurves.size())) { + sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); + sslContext->errorCode = QSslError::UnspecifiedError; + } + } else +-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) ++#endif // defined(SSL_CTRL_SET_CURVES) && !defined(OPENSSL_NO_EC) + { + // specific curves requested, but not possible to set -> error +- sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocket::tr("OpenSSL version too old, need at least v1.0.2")); ++ sslContext->errorStr = 
msgErrorSettingEllipticCurves(QSslSocket::tr("This version of OpenSSL lacks support for selecting specific elliptic curves.")); + sslContext->errorCode = QSslError::UnspecifiedError; + } + } +diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl.cpp qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl.cpp +--- src/network/ssl/qsslsocket_openssl.cpp 2017-02-05 11:52:45.098394244 -0800 ++++ src/network/ssl/qsslsocket_openssl.cpp 2017-02-05 11:52:58.870533121 -0800 +@@ -98,6 +98,14 @@ + int QSslSocketBackendPrivate::s_indexForSSLExtraData = -1; + #endif + ++static bool q_enableGetServerTmpKey() { ++ // The ability to get the ephemeral server key is ++ // present in OpenSSL 1.0.2+ and in LibreSSL 2.5.1+ ++ // RFC4492 Section 5.4 "Server Key Exchange" ++ return (q_SSLeay() >= 0x10002000L && !q_LibreSSL()) || ++ q_LibreSSL_version() >= 0x2050100fL; ++} ++ + /* \internal + + From OpenSSL's thread(3) manual page: +@@ -1587,13 +1595,13 @@ + } + #endif // OPENSSL_VERSION_NUMBER >= 0x1000100fL ... + +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (q_SSLeay() >= 0x10002000L && mode == QSslSocket::SslClientMode) { ++#if defined(SSL_CTRL_GET_SERVER_TMP_KEY) ++ if (q_enableGetServerTmpKey() && mode == QSslSocket::SslClientMode) { + EVP_PKEY *key; + if (q_SSL_get_server_tmp_key(ssl, &key)) + configuration.ephemeralServerKey = QSslKey(key, QSsl::PublicKey); + } +-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ... 
++#endif // defined(SSL_CTRL_GET_SERVER_TMP_KEY) + + connectionEncrypted = true; + emit q->encrypted(); +diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl_symbols.cpp qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols.cpp +--- src/network/ssl/qsslsocket_openssl_symbols.cpp 2017-02-05 11:52:45.102394284 -0800 ++++ network/ssl/qsslsocket_openssl_symbols.cpp 2017-02-05 11:56:53.848902627 -0800 +@@ -247,6 +247,7 @@ + DEFINEFUNC(int, SSL_connect, SSL *a, a, return -1, return) + DEFINEFUNC(int, SSL_CTX_check_private_key, const SSL_CTX *a, a, return -1, return) + DEFINEFUNC4(long, SSL_CTX_ctrl, SSL_CTX *a, a, int b, b, long c, c, void *d, d, return -1, return) ++DEFINEFUNC3(int, SSL_CTX_set1_groups, SSL_CTX *a, a, const int* b, b, size_t c, c, return 0, return) + DEFINEFUNC(void, SSL_CTX_free, SSL_CTX *a, a, return, DUMMYARG) + #if OPENSSL_VERSION_NUMBER >= 0x10000000L + DEFINEFUNC(SSL_CTX *, SSL_CTX_new, const SSL_METHOD *a, a, return 0, return) +@@ -846,6 +847,7 @@ + RESOLVEFUNC(SSL_CIPHER_get_bits) + RESOLVEFUNC(SSL_CTX_check_private_key) + RESOLVEFUNC(SSL_CTX_ctrl) ++ RESOLVEFUNC(SSL_CTX_set1_groups) + RESOLVEFUNC(SSL_CTX_free) + RESOLVEFUNC(SSL_CTX_new) + RESOLVEFUNC(SSL_CTX_set_cipher_list) +@@ -1006,6 +1008,20 @@ + #endif + return true; + } ++ ++bool q_LibreSSL() ++{ ++ return strncmp(q_SSLeay_version(SSLEAY_VERSION), "LibreSSL", 8) == 0; ++} ++ ++long q_LibreSSL_version() ++{ ++#ifdef LIBRESSL_VERSION_NUMBER ++ return LIBRESSL_VERSION_NUMBER; ++#else ++ return 0L; ++#endif ++} + #endif // !defined QT_LINKED_OPENSSL + + //============================================================================== +diff -Naur qtbase-opensource-src-5.7.1.orig/src/network/ssl/qsslsocket_openssl_symbols_p.h qtbase-opensource-src-5.7.1/src/network/ssl/qsslsocket_openssl_symbols_p.h +--- src/network/ssl/qsslsocket_openssl_symbols_p.h 2017-02-05 11:52:45.100394264 -0800 ++++ src/network/ssl/qsslsocket_openssl_symbols_p.h 2017-02-05 
11:52:58.871533131 -0800 +@@ -215,6 +215,8 @@ + #endif // !defined QT_LINKED_OPENSSL + + bool q_resolveOpenSslSymbols(); ++bool q_LibreSSL(); ++long q_LibreSSL_version(); + long q_ASN1_INTEGER_get(ASN1_INTEGER *a); + unsigned char * q_ASN1_STRING_data(ASN1_STRING *a); + int q_ASN1_STRING_length(ASN1_STRING *a); +@@ -327,6 +329,7 @@ + int q_SSL_connect(SSL *a); + int q_SSL_CTX_check_private_key(const SSL_CTX *a); + long q_SSL_CTX_ctrl(SSL_CTX *a, int b, long c, void *d); ++int q_SSL_CTX_set1_groups(SSL_CTX *a, const int* b, size_t c); + void q_SSL_CTX_free(SSL_CTX *a); + #if OPENSSL_VERSION_NUMBER >= 0x10000000L + SSL_CTX *q_SSL_CTX_new(const SSL_METHOD *a); +@@ -489,9 +492,9 @@ + int q_EC_curve_nist2nid(const char *name); + #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L + #endif // OPENSSL_NO_EC +-#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++#if defined(SSL_CTRL_GET_SERVER_TMP_KEY) + #define q_SSL_get_server_tmp_key(ssl, key) q_SSL_ctrl((ssl), SSL_CTRL_GET_SERVER_TMP_KEY, 0, (char *)key) +-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L ++#endif // defined(SSL_CTRL_GET_SERVER_TMP_KEY) + + // PKCS#12 support + int q_PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); + + Contact GitHub API Training Shop Blog About + + +:: + Property changes on: files/patch-libressl ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: files/patch-src_network_ssl_qsslcontext__openssl.cpp =================================================================== --- files/patch-src_network_ssl_qsslcontext__openssl.cpp (revision 434754) +++ files/patch-src_network_ssl_qsslcontext__openssl.cpp (nonexistent) 
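Review bot: In the qsslcontext_openssl.cpp hunk the OpenSSL branch of `q_enableECSetCurves()` (OpenSSL >= 1.0.2 and not LibreSSL) now goes through `q_SSL_CTX_set1_groups`, yet in OpenSSL 1.0.2 and 1.1.x that name is, as far as I know, only a macro over `SSL_CTX_ctrl` rather than an exported symbol, so the unconditional `RESOLVEFUNC(SSL_CTX_set1_groups)` in the symbols hunk will not resolve there (or a QT_LINKED_OPENSSL build will not compile) and the stub's `return 0` sends every curve-restricted context into the error path that the removed `q_SSL_CTX_ctrl(..., SSL_CTRL_SET_CURVES, ...)` call used to handle. I would keep the `SSL_CTX_ctrl` call for the non-LibreSSL case and use `q_SSL_CTX_set1_groups` only when `q_LibreSSL()` is true, as below. Two smaller points: `q_LibreSSL_version()` returns the compile-time `LIBRESSL_VERSION_NUMBER` while `q_SSLeay()` is a runtime query, so a binary loading an older LibreSSL than it was built against passes the check and deserves a comment such as `// compile-time value; the library loaded at runtime may be older`, and `q_enableECSetCurves()`/`q_enableGetServerTmpKey()` are the same predicate duplicated across two files and could be one helper declared next to `q_LibreSSL()`. The enclosing function starts and ends outside the hunk.
```cpp
        if (q_enableECSetCurves()) {
            bool curvesSet;
            if (q_LibreSSL()) {
                // LibreSSL 2.5.1+ exports SSL_CTX_set1_groups as a real function
                curvesSet = q_SSL_CTX_set1_groups(sslContext->ctx,
                                                  reinterpret_cast<const int *>(qcurves.data()),
                                                  qcurves.size()) != 0;
            } else {
                // OpenSSL 1.0.2/1.1.x only provide set1_curves/set1_groups as macros
                // over SSL_CTX_ctrl, so call the control directly as before.
                // SSL_CTX_ctrl wants a non-const pointer as last argument,
                // but let's avoid a copy into a temporary array
                curvesSet = q_SSL_CTX_ctrl(sslContext->ctx,
                                           SSL_CTRL_SET_CURVES,
                                           qcurves.size(),
                                           const_cast<int *>(reinterpret_cast<const int *>(qcurves.data()))) != 0;
            }
            if (!curvesSet) {
                // … unchanged: errorStr / errorCode assignment …
            }
        } else
```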
@@ -1,43 +0,0 @@ -* Instead of using the SSL_CTRL_SET_CURVES macros which only exists in OpenSSL, -* call the SSL_CTX_set1_curves functions as suggested by BoringSSL porting docs -* and which is the function in OpenSSL that is called through the replaced macro. -* LibreSSL has a SSL_CTX_set1_groups functions and provides a compat macro. -* Unfortunately, since Qt resolves the symbols at runtime, we cannot call through -* that macro and must instead explicitly call SSL_CTX_set1_groups if the library -* doesn't export a function called SSL_CTX_set1_curves, as in the case of LibreSSL. -* ---- src/network/ssl/qsslcontext_openssl.cpp.orig 2016-12-01 08:17:04 UTC -+++ src/network/ssl/qsslcontext_openssl.cpp -@@ -350,14 +350,24 @@ init_context: - #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_EC) - // Set the curves to be used - if (q_SSLeay() >= 0x10002000L) { -- // SSL_CTX_ctrl wants a non-const pointer as last argument, -- // but let's avoid a copy into a temporary array -- if (!q_SSL_CTX_ctrl(sslContext->ctx, -- SSL_CTRL_SET_CURVES, -- qcurves.size(), -- const_cast(reinterpret_cast(qcurves.data())))) { -- sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); -- sslContext->errorCode = QSslError::UnspecifiedError; -+ switch (q_SSL_CTX_set1_curves(sslContext->ctx, -+ const_cast(reinterpret_cast(qcurves.data())), -+ qcurves.size())) { -+ case 1: -+ default: -+ break; -+ case 0: -+ sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); -+ sslContext->errorCode = QSslError::UnspecifiedError; -+ break; -+ case -1: -+ if (q_SSL_CTX_set1_groups(sslContext->ctx, -+ reinterpret_cast(qcurves.data()), -+ qcurves.size()) < 1) { -+ sslContext->errorStr = msgErrorSettingEllipticCurves(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); -+ sslContext->errorCode = QSslError::UnspecifiedError; -+ } -+ break; - } - } else - #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L 
&& !defined(OPENSSL_NO_EC) Property changes on: files/patch-src_network_ssl_qsslcontext__openssl.cpp ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp =================================================================== --- files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp (revision 434754) +++ files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp (nonexistent) 
@@ -1,51 +0,0 @@ -* Boilerplate for SSL_CTX_set1_curves/groups() used in qsslcontext_openssl.cpp -* -* Prepend the path of the SSL libraries used for building so the same libraries are -* found and loaded at runtime. Normal search finds base SSL libraries before ports. -* ---- src/network/ssl/qsslsocket_openssl_symbols.cpp.orig 2016-09-16 05:49:42 UTC -+++ src/network/ssl/qsslsocket_openssl_symbols.cpp -@@ -424,6 +424,8 @@ DEFINEFUNC(void, EC_KEY_free, EC_KEY *ec - DEFINEFUNC2(size_t, EC_get_builtin_curves, EC_builtin_curve * r, r, size_t nitems, nitems, return 0, return) - #if OPENSSL_VERSION_NUMBER >= 0x10002000L - DEFINEFUNC(int, EC_curve_nist2nid, const char *name, name, return 0, return) -+DEFINEFUNC3(int, SSL_CTX_set1_curves, SSL_CTX *a, a, int *b, b, int c, c, return -1, return) -+DEFINEFUNC3(int, SSL_CTX_set1_groups, SSL_CTX *a, a, const int *b, b, size_t c, c, return -1, return) - #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L - #endif // OPENSSL_NO_EC - -@@ -652,8 +654,8 @@ static QPair loadO - #endif - #if defined(SHLIB_VERSION_NUMBER) && !defined(Q_OS_QNX) // on QNX, the libs are always libssl.so and libcrypto.so - // first attempt: the canonical name is libssl.so. -- libssl->setFileNameAndVersion(QLatin1String("ssl"), QLatin1String(SHLIB_VERSION_NUMBER)); -- libcrypto->setFileNameAndVersion(QLatin1String("crypto"), QLatin1String(SHLIB_VERSION_NUMBER)); -+ libssl->setFileNameAndVersion(QLatin1String("%%OPENSSLLIB%%/libssl"), QLatin1String(SHLIB_VERSION_NUMBER)); -+ libcrypto->setFileNameAndVersion(QLatin1String("%%OPENSSLLIB%%/libcrypto"), QLatin1String(SHLIB_VERSION_NUMBER)); - if (libcrypto->load() && libssl->load()) { - // libssl.so. and libcrypto.so. found - return pair; -@@ -670,8 +672,8 @@ static QPair loadO - // OS X's /usr/lib/libssl.dylib, /usr/lib/libcrypto.dylib will be picked up in the third - // attempt, _after_ /Contents/Frameworks has been searched. - // iOS does not ship a system libssl.dylib, libcrypto.dylib in the first place. 
-- libssl->setFileNameAndVersion(QLatin1String("ssl"), -1); -- libcrypto->setFileNameAndVersion(QLatin1String("crypto"), -1); -+ libssl->setFileNameAndVersion(QLatin1String("%%OPENSSLLIB%%/libssl"), -1); -+ libcrypto->setFileNameAndVersion(QLatin1String("%%OPENSSLLIB%%/libcrypto"), -1); - if (libcrypto->load() && libssl->load()) { - // libssl.so.0 and libcrypto.so.0 found - return pair; -@@ -976,8 +978,11 @@ bool q_resolveOpenSslSymbols() - RESOLVEFUNC(EC_KEY_free) - RESOLVEFUNC(EC_get_builtin_curves) - #if OPENSSL_VERSION_NUMBER >= 0x10002000L -- if (q_SSLeay() >= 0x10002000L) -+ if (q_SSLeay() >= 0x10002000L) { - RESOLVEFUNC(EC_curve_nist2nid) -+ RESOLVEFUNC(SSL_CTX_set1_curves) -+ RESOLVEFUNC(SSL_CTX_set1_groups) -+ } - #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L - #endif // OPENSSL_NO_EC - RESOLVEFUNC(PKCS12_parse) Property changes on: files/patch-src_network_ssl_qsslsocket__openssl__symbols.cpp ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h =================================================================== --- files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h (revision 434754) +++ files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h (nonexistent) 
@@ -1,13 +0,0 @@ -* Boilerplate for SSL_CTX_set1_curves/groups() used in qsslcontext_openssl.cpp -* ---- src/network/ssl/qsslsocket_openssl_symbols_p.h.orig 2016-09-16 05:49:42 UTC -+++ src/network/ssl/qsslsocket_openssl_symbols_p.h -@@ -481,6 +481,8 @@ void q_EC_KEY_free(EC_KEY *ecdh); - size_t q_EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems); - #if OPENSSL_VERSION_NUMBER >= 0x10002000L - int q_EC_curve_nist2nid(const char *name); -+int q_SSL_CTX_set1_curves(SSL_CTX *a, int *b, int c); -+int q_SSL_CTX_set1_groups(SSL_CTX *a, const int *b, size_t c); - #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L - #endif // OPENSSL_NO_EC - Property changes on: files/patch-src_network_ssl_qsslsocket__openssl__symbols__p.h ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property