Re: Bug#828522: QT4 and OpenSSL 1.1.0: [was Re: OpenSSL 1.1.0]
On Tue, Jun 28, 2016 at 07:36:27PM +0200, Gert Wollny wrote:
> Okay, the attached patch corrects this.
I had a quick look at the patch and have some comments.
> --- a/src/network/ssl/qsslcertificate.cpp
> +++ b/src/network/ssl/qsslcertificate.cpp
> @@ -259,10 +259,15 @@
> QByteArray QSslCertificate::version() const
> {
> QMutexLocker lock(QMutexPool::globalInstanceGet(d.data()));
> - if (d->versionString.isEmpty() && d->x509)
> + if (d->versionString.isEmpty() && d->x509) {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> d->versionString =
> - QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1);
> -
> + QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->version)) + 1);
> +#else
> + d->versionString =
> + QByteArray::number(qlonglong(q_X509_get_version(d->x509)) + 1);
> +#endif
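Review bot: the two branches around `d->versionString =` repeat the whole assignment and differ only in how the version integer is read (`q_ASN1_INTEGER_get(d->x509->cert_info->version)` versus `q_X509_get_version(d->x509)`). Narrowing the `#if` to that one expression would leave a single assignment to maintain. The removed and re-added `QByteArray::number(...)` line also reads the same on both sides as quoted here, so it looks like a whitespace-only change that could be dropped from the patch.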
X509_get_version() exists in old versions (as a macro); there is no
reason to have the version check, just always use it.
> @@ -276,7 +281,11 @@
> {
> QMutexLocker lock(QMutexPool::globalInstanceGet(d.data()));
> if (d->serialNumberString.isEmpty() && d->x509) {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber;
> +#else
> + ASN1_INTEGER *serialNumber = q_X509_get_serialNumber(d->x509);
> +#endif
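Review bot: missing documentation on ownership in the `#else` branch, where `serialNumber` comes from `q_X509_get_serialNumber(d->x509)`. That accessor returns a pointer into the certificate rather than a copy, so a short comment saying the value is borrowed from `d->x509` and must not be freed would help whoever touches the code that consumes it.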
Same as above.
> @@ -489,24 +498,33 @@
> QSslKey key;
>
> key.d->type = QSsl::PublicKey;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> X509_PUBKEY *xkey = d->x509->cert_info->key;
> +#else
> + X509_PUBKEY *xkey = q_X509_get_X509_PUBKEY(d->x509);
> +#endif
> EVP_PKEY *pkey = q_X509_PUBKEY_get(xkey);
> Q_ASSERT(pkey);
>
> - if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) {
> + int key_id;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> + key_id = q_EVP_PKEY_type(pkey->type);
> +#else
> + key_id = q_EVP_PKEY_id(pkey);
> +#endif
You probably want EVP_PKEY_base_id here, look at the manpage.
> + if (key_id == EVP_PKEY_RSA) {
> key.d->rsa = q_EVP_PKEY_get1_RSA(pkey);
> key.d->algorithm = QSsl::Rsa;
> key.d->isNull = false;
> - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) {
> + } else if (key_id == EVP_PKEY_DSA) {
> key.d->dsa = q_EVP_PKEY_get1_DSA(pkey);
> key.d->algorithm = QSsl::Dsa;
> key.d->isNull = false;
> - } else if (q_EVP_PKEY_type(pkey->type) == EVP_PKEY_DH) {
> + } else if (key_id == EVP_PKEY_DH) {
> // DH unsupported
> } else {
> // error?
> }
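Review bot: `Q_ASSERT(pkey)` is the only check on the result of `q_X509_PUBKEY_get(xkey)`, and Q_ASSERT compiles to nothing in release builds, so a null `pkey` would reach `pkey->type` or `q_EVP_PKEY_id(pkey)` a few lines later. An explicit null test that returns the still-null `key` before `key_id` is computed would make that failure path defined. The final `else` with `// error?` likewise hands back a null key with no diagnostic; a warning there would make unsupported key types easier to trace.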
As already explained, you want to have EC support.
>
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> + q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
> +#else
> + q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(ctx), (X509 *)caCertificate.handle());
> +#endif
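Review bot: both branches discard the return value of `q_X509_STORE_add_cert(...)`, so a CA certificate that fails to be added to the store is silently ignored. Checking the result and reporting the failure would make an incomplete trust store visible instead of surfacing later as an unexplained verification error.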
SSL_CTX_get_cert_store should exist in old versions.
Kurt