In an upcoming libssl bump we're going to make SSL_CTX and SSL_CIPHER
opaque. This needs some adjustment in a number of ports that reach
inside these structs. The diff below adds two accessors
(SSL_CTX_get_cert_store() and SSL_CIPHER_get_bits()) from libssl to
QtNetwork. So this is a minor bump for QtNetwork and the two remaining
libraries linking against it.
The patch for qsslsocket_openssl.cpp uses these accessors and exploits
the fact that cipher->valid is always true in libssl.
I was unsure whether -debug and -examples need a REVISION bump, so I
bumped them to be on the safe side.
This builds on -current and will continue building after the libssl
bump, so I'd like to get this in now.
Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/qt4/Makefile,v
retrieving revision 1.165
diff -u -p -r1.165 Makefile
--- Makefile 26 Jan 2021 18:29:01 -0000 1.165
+++ Makefile 2 May 2021 17:06:24 -0000
@@ -23,24 +23,24 @@ PKGNAME-main = qt4-${PKGVERSION}
PKGNAME-debug = qt4-debug-${PKGVERSION}
FULLPKGNAME-html = qt4-html-${PKGVERSION}
FULLPKGPATH-html = ${BASE_PKGPATH},-html
-REVISION-main = 24
+REVISION-main = 25
REVISION-mysql = 8
REVISION-postgresql = 7
REVISION-sqlite2 = 7
REVISION-tds = 7
-REVISION-debug = 5
-REVISION-examples = 10
+REVISION-debug = 6
+REVISION-examples = 11
REVISION-html = 4
# XXX qmake include parser is bogus
DPB_PROPERTIES = parallel nojunk
-SHARED_LIBS = Qt3Support 10.0 \
+SHARED_LIBS = Qt3Support 10.1 \
QtCore 10.0 \
QtDesigner 8.0 \
QtDesignerComponents 8.0 \
QtGui 11.0 \
- QtNetwork 12.0 \
+ QtNetwork 12.1 \
QtSql 9.0 \
QtXml 9.0 \
QtSvg 8.0 \
@@ -48,7 +48,7 @@ SHARED_LIBS = Qt3Support 10.0 \
QtDBus 4.0 \
QtScript 3.0 \
QtCLucene 2.0 \
- QtHelp 3.0 \
+ QtHelp 3.1 \
QtScriptTools 1.0
VERSION = 4.8.7
Index: patches/patch-src_network_ssl_qsslsocket_openssl_cpp
===================================================================
RCS file:
/cvs/ports/x11/qt4/patches/patch-src_network_ssl_qsslsocket_openssl_cpp,v
retrieving revision 1.4
diff -u -p -r1.4 patch-src_network_ssl_qsslsocket_openssl_cpp
--- patches/patch-src_network_ssl_qsslsocket_openssl_cpp 6 Jan 2016
17:17:32 -0000 1.4
+++ patches/patch-src_network_ssl_qsslsocket_openssl_cpp 2 May 2021
13:21:18 -0000
@@ -1,13 +1,28 @@
$OpenBSD: patch-src_network_ssl_qsslsocket_openssl_cpp,v 1.4 2016/01/06
17:17:32 zhuk Exp $
-1. Disable SSLv3 by default.
-2. TLSv1_*_method() are TLSv1.0-only, so default to SSLv23_*_method(), which
is
+
+1.,3.,4. Use accessors to access members of the SSL_CIPHER and SSL_CTX
structs.
+2. Disable SSLv3 by default.
+2a. TLSv1_*_method() are TLSv1.0-only, so default to SSLv23_*_method(), which
is
actually TLSv1.* nowadays.
-2a. Make QSsl::TlsV1 also use SSLv23_*_method(), noone in good mind would
+2b. Make QSsl::TlsV1 also use SSLv23_*_method(), noone in good mind would
want to run TLSv1.0-only connections, and too many developers fail
same way due to bad naming.
---- src/network/ssl/qsslsocket_openssl.cpp.orig Thu May 7 17:14:44 2015
-+++ src/network/ssl/qsslsocket_openssl.cpp Wed Jan 6 20:10:23 2016
-@@ -267,16 +267,18 @@ init_context:
+
+Index: src/network/ssl/qsslsocket_openssl.cpp
+--- src/network/ssl/qsslsocket_openssl.cpp.orig
++++ src/network/ssl/qsslsocket_openssl.cpp
+@@ -222,9 +222,7 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_S
+ ciph.d->encryptionMethod = descriptionList.at(4).mid(4);
+ ciph.d->exportable = (descriptionList.size() > 6 &&
descriptionList.at(6) == QLatin1String("export"));
+
+- ciph.d->bits = cipher->strength_bits;
+- ciph.d->supportedBits = cipher->alg_bits;
+-
++ ciph.d->bits = q_SSL_CIPHER_get_bits(cipher, &ciph.d->supportedBits);
+ }
+ return ciph;
+ }
+@@ -267,17 +265,19 @@ init_context:
#endif
break;
case QSsl::SslV3:
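Review bot: The new line `ciph.d->bits = q_SSL_CIPHER_get_bits(cipher, &ciph.d->supportedBits);` in the @@ -222 hunk is not quite equivalent to the two field reads it replaces: the wrapper is declared in patch-src_network_ssl_qsslsocket_openssl_symbols_cpp with a `return 0, return` fallback, so if the symbol is ever unresolved, bits becomes 0 and supportedBits is left at whatever QSslCipherPrivate initialised it to, whereas the old direct reads could not fail. That is presumably harmless on any libssl this port builds against, since both accessors are long-standing API, but it is worth a one-line comment at the call site, `// unresolved SSL_CIPHER_get_bits yields 0 bits and leaves supportedBits untouched`, so a 0-bit cipher in a bug report is traced to symbol resolution rather than to libssl. QSslCipher_from_SSL_CIPHER starts outside this hunk.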
@@ -25,9 +40,36 @@ $OpenBSD: patch-src_network_ssl_qsslsock
+ case QSsl::TlsV1: // this is TLSv1.0 only case, but misused as TLSv1.x
too often
default:
ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() :
q_SSLv23_server_method());
-- break;
+ break;
- case QSsl::TlsV1:
- ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() :
q_TLSv1_server_method());
- break;
+- break;
}
if (!ctx) {
+ // After stopping Flash 10 the SSL library looses its ciphers. Try
re-adding them
+@@ -363,7 +363,7 @@ init_context:
+ //
+ // See also: QSslContext::fromConfiguration()
+ if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) {
+- q_X509_STORE_add_cert(ctx->cert_store, (X509
*)caCertificate.handle());
++ q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(ctx), (X509
*)caCertificate.handle());
+ }
+ }
+
+@@ -659,12 +659,10 @@ void QSslSocketPrivate::resetDefaultCiphers()
+ STACK_OF(SSL_CIPHER) *supportedCiphers = q_SSL_get_ciphers(mySsl);
+ for (int i = 0; i < q_sk_SSL_CIPHER_num(supportedCiphers); ++i) {
+ if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) {
+- if (cipher->valid) {
+- QSslCipher ciph =
QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher);
+- if (!ciph.isNull()) {
+- if
(!ciph.name().toLower().startsWith(QLatin1String("adh")))
+- ciphers << ciph;
+- }
++ QSslCipher ciph =
QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher);
++ if (!ciph.isNull()) {
++ if (!ciph.name().toLower().startsWith(QLatin1String("adh")))
++ ciphers << ciph;
+ }
+ }
+ }
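Review bot: `q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(ctx), (X509 *)caCertificate.handle());` in the @@ -363 hunk passes the accessor's result straight into the store call with no null check; the old `ctx->cert_store` read could not yield a null store for a live ctx, but the new wrapper carries a `return 0` fallback in patch-src_network_ssl_qsslsocket_openssl_symbols_cpp, so an unresolved symbol would now hand a null X509_STORE to X509_STORE_add_cert. A guard such as `if (X509_STORE *store = q_SSL_CTX_get_cert_store(ctx)) q_X509_STORE_add_cert(store, (X509 *)caCertificate.handle());` keeps the CA-loading loop from dereferencing it, and the silently skipped certificate is no worse than the existing ignored return value of the add call. The dropped `if (cipher->valid)` in the @@ -659 hunk relies on the libssl property stated in the mail, which the patch header comment should record so that a later resync of the patch does not reinstate the field access. The resetDefaultCiphers loop closes outside this hunk.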
Index: patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp
===================================================================
RCS file:
/cvs/ports/x11/qt4/patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp,v
retrieving revision 1.4
diff -u -p -r1.4 patch-src_network_ssl_qsslsocket_openssl_symbols_cpp
--- patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp 27 Aug
2018 03:54:57 -0000 1.4
+++ patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp 2 May
2021 13:21:18 -0000
@@ -2,7 +2,16 @@ $OpenBSD: patch-src_network_ssl_qsslsock
Index: src/network/ssl/qsslsocket_openssl_symbols.cpp
--- src/network/ssl/qsslsocket_openssl_symbols.cpp.orig
+++ src/network/ssl/qsslsocket_openssl_symbols.cpp
-@@ -228,13 +228,17 @@ DEFINEFUNC(int, SSL_shutdown, SSL *a, a, return -1, re
+@@ -193,6 +193,8 @@ DEFINEFUNC2(int, SSL_CTX_use_PrivateKey, SSL_CTX *a, a
+ DEFINEFUNC2(int, SSL_CTX_use_RSAPrivateKey, SSL_CTX *a, a, RSA *b, b, return
-1, return)
+ DEFINEFUNC3(int, SSL_CTX_use_PrivateKey_file, SSL_CTX *a, a, const char *b,
b, int c, c, return -1, return)
+ DEFINEFUNC(void, SSL_free, SSL *a, a, return, DUMMYARG)
++DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *a, a, return
0, return)
++DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *c, c, int *alg_bits,
alg_bits, return 0, return)
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+ // 0.9.8 broke SC and BC by changing this function's signature.
+ DEFINEFUNC(STACK_OF(SSL_CIPHER) *, SSL_get_ciphers, const SSL *a, a, return
0, return)
+@@ -228,13 +230,17 @@ DEFINEFUNC(int, SSL_shutdown, SSL *a, a, return -1, re
#ifndef OPENSSL_NO_SSL2
DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG,
return 0, return)
#endif
@@ -20,7 +29,7 @@ Index: src/network/ssl/qsslsocket_openss
DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG,
return 0, return)
DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG,
return 0, return)
#else
-@@ -257,6 +261,8 @@ DEFINEFUNC(void, X509_free, X509 *a, a, return, DUMMYA
+@@ -257,6 +263,8 @@ DEFINEFUNC(void, X509_free, X509 *a, a, return, DUMMYA
DEFINEFUNC2(X509_EXTENSION *, X509_get_ext, X509 *a, a, int b, b, return 0,
return)
DEFINEFUNC(int, X509_get_ext_count, X509 *a, a, return 0, return)
DEFINEFUNC4(void *, X509_get_ext_d2i, X509 *a, a, int b, b, int *c, c, int
*d, d, return 0, return)
@@ -29,7 +38,16 @@ Index: src/network/ssl/qsslsocket_openss
DEFINEFUNC(X509_NAME *, X509_get_issuer_name, X509 *a, a, return 0, return)
DEFINEFUNC(X509_NAME *, X509_get_subject_name, X509 *a, a, return 0, return)
DEFINEFUNC(int, X509_verify_cert, X509_STORE_CTX *a, a, return -1, return)
-@@ -822,13 +828,17 @@ bool q_resolveOpenSslSymbols()
+@@ -801,6 +809,8 @@ bool q_resolveOpenSslSymbols()
+ RESOLVEFUNC(SSL_clear)
+ RESOLVEFUNC(SSL_connect)
+ RESOLVEFUNC(SSL_free)
++ RESOLVEFUNC(SSL_CTX_get_cert_store)
++ RESOLVEFUNC(SSL_CIPHER_get_bits)
+ RESOLVEFUNC(SSL_get_ciphers)
+ RESOLVEFUNC(SSL_get_current_cipher)
+ RESOLVEFUNC(SSL_get_error)
+@@ -822,13 +832,17 @@ bool q_resolveOpenSslSymbols()
#ifndef OPENSSL_NO_SSL2
RESOLVEFUNC(SSLv2_client_method)
#endif
@@ -47,7 +65,7 @@ Index: src/network/ssl/qsslsocket_openss
RESOLVEFUNC(SSLv23_server_method)
RESOLVEFUNC(TLSv1_server_method)
RESOLVEFUNC(X509_NAME_entry_count)
-@@ -858,6 +868,8 @@ bool q_resolveOpenSslSymbols()
+@@ -858,6 +872,8 @@ bool q_resolveOpenSslSymbols()
RESOLVEFUNC(X509_get_ext_d2i)
RESOLVEFUNC(X509_get_issuer_name)
RESOLVEFUNC(X509_get_subject_name)
Index: patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h
===================================================================
RCS file:
/cvs/ports/x11/qt4/patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h,v
retrieving revision 1.2
diff -u -p -r1.2 patch-src_network_ssl_qsslsocket_openssl_symbols_p_h
--- patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h 12 Nov
2019 09:55:51 -0000 1.2
+++ patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h 2 May
2021 13:21:18 -0000
@@ -3,7 +3,16 @@ $OpenBSD: patch-src_network_ssl_qsslsock
Index: src/network/ssl/qsslsocket_openssl_symbols_p.h
--- src/network/ssl/qsslsocket_openssl_symbols_p.h.orig
+++ src/network/ssl/qsslsocket_openssl_symbols_p.h
-@@ -360,6 +360,8 @@ int q_X509_get_ext_count(X509 *a);
+@@ -294,6 +294,8 @@ int q_SSL_CTX_use_PrivateKey(SSL_CTX *a, EVP_PKEY *b);
+ int q_SSL_CTX_use_RSAPrivateKey(SSL_CTX *a, RSA *b);
+ int q_SSL_CTX_use_PrivateKey_file(SSL_CTX *a, const char *b, int c);
+ void q_SSL_free(SSL *a);
++X509_STORE *q_SSL_CTX_get_cert_store(const SSL_CTX *a);
++int q_SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+ // 0.9.8 broke SC and BC by changing this function's signature.
+ STACK_OF(SSL_CIPHER) *q_SSL_get_ciphers(const SSL *a);
+@@ -360,6 +362,8 @@ int q_X509_get_ext_count(X509 *a);
void *q_X509_get_ext_d2i(X509 *a, int b, int *c, int *d);
X509_NAME *q_X509_get_issuer_name(X509 *a);
X509_NAME *q_X509_get_subject_name(X509 *a);
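Review bot: The two new prototypes `X509_STORE *q_SSL_CTX_get_cert_store(const SSL_CTX *a);` and `int q_SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);` follow the file's bare-declaration style, but they are the only wrappers here whose result replaces a direct struct read, so a short comment would help a later reader: `// SSL_CIPHER_get_bits: returns the cipher's secret key bits and stores the algorithm bits in *alg_bits; per the DEFINEFUNC2 fallback the wrapper returns 0 and leaves *alg_bits unchanged when the symbol is unresolved`. As a point of style, the parameter name `c` departs from the `a`, `b` naming used by every neighbouring declaration in this hunk. The declaration list continues outside this hunk.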
@@ -12,7 +21,7 @@ Index: src/network/ssl/qsslsocket_openss
int q_X509_verify_cert(X509_STORE_CTX *ctx);
int q_X509_NAME_entry_count(X509_NAME *a);
X509_NAME_ENTRY *q_X509_NAME_get_entry(X509_NAME *a,int b);
-@@ -410,8 +412,8 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp,
+@@ -410,8 +414,8 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp,
#define q_sk_SSL_CIPHER_value(st, i) q_SKM_sk_value(SSL_CIPHER, (st), (i))
#define q_SSL_CTX_add_extra_chain_cert(ctx,x509) \
q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)