In an upcoming libssl bump we're going to make SSL_CTX and SSL_CIPHER opaque. This needs some adjustment in a number of ports that reach inside these structs. The diff below adds two accessors (SSL_CTX_get_cert_store() and SSL_CIPHER_get_bits()) from libssl to QtNetwork. So this is a minor bump for QtNetwork and the two remaining libraries linking against it.
The patch for qsslsocket_openssl.cpp uses these accessors and exploits the fact that cipher->valid is always true in libssl. I was unsure whether -debug and -examples need a REVISION bump, so I bumped them to be on the safe side. This builds on -current and will continue building after the libssl bump, so I'd like to get this in now.
Index: Makefile
===================================================================
RCS file: /cvs/ports/x11/qt4/Makefile,v
retrieving revision 1.165
diff -u -p -r1.165 Makefile
--- Makefile	26 Jan 2021 18:29:01 -0000	1.165
+++ Makefile	2 May 2021 17:06:24 -0000
@@ -23,24 +23,24 @@ PKGNAME-main = qt4-${PKGVERSION}
 PKGNAME-debug = qt4-debug-${PKGVERSION}
 FULLPKGNAME-html = qt4-html-${PKGVERSION}
 FULLPKGPATH-html = ${BASE_PKGPATH},-html
-REVISION-main = 24
+REVISION-main = 25
 REVISION-mysql = 8
 REVISION-postgresql = 7
 REVISION-sqlite2 = 7
 REVISION-tds = 7
-REVISION-debug = 5
-REVISION-examples = 10
+REVISION-debug = 6
+REVISION-examples = 11
 REVISION-html = 4
 
 # XXX qmake include parser is bogus
 DPB_PROPERTIES = parallel nojunk
 
-SHARED_LIBS = Qt3Support 10.0 \
+SHARED_LIBS = Qt3Support 10.1 \
 	QtCore 10.0 \
 	QtDesigner 8.0 \
 	QtDesignerComponents 8.0 \
 	QtGui 11.0 \
-	QtNetwork 12.0 \
+	QtNetwork 12.1 \
 	QtSql 9.0 \
 	QtXml 9.0 \
 	QtSvg 8.0 \
@@ -48,7 +48,7 @@ SHARED_LIBS = Qt3Support 10.0 \
 	QtDBus 4.0 \
 	QtScript 3.0 \
 	QtCLucene 2.0 \
-	QtHelp 3.0 \
+	QtHelp 3.1 \
 	QtScriptTools 1.0
 
 VERSION = 4.8.7
Index: patches/patch-src_network_ssl_qsslsocket_openssl_cpp
===================================================================
RCS file: /cvs/ports/x11/qt4/patches/patch-src_network_ssl_qsslsocket_openssl_cpp,v
retrieving revision 1.4
diff -u -p -r1.4 patch-src_network_ssl_qsslsocket_openssl_cpp
--- patches/patch-src_network_ssl_qsslsocket_openssl_cpp	6 Jan 2016 17:17:32 -0000	1.4
+++ patches/patch-src_network_ssl_qsslsocket_openssl_cpp	2 May 2021 13:21:18 -0000
@@ -1,13 +1,28 @@
 $OpenBSD: patch-src_network_ssl_qsslsocket_openssl_cpp,v 1.4 2016/01/06 17:17:32 zhuk Exp $
-1. Disable SSLv3 by default.
-2. TLSv1_*_method() are TLSv1.0-only, so default to SSLv23_*_method(), which is
+
+1.,3.,4. Use accessors to access members of the SSL_CIPHER and SSL_CTX structs.
+2. Disable SSLv3 by default.
+2a. TLSv1_*_method() are TLSv1.0-only, so default to SSLv23_*_method(), which is
    actually TLSv1.* nowadays.
-2a. Make QSsl::TlsV1 also use SSLv23_*_method(), noone in good mind would
+2b. Make QSsl::TlsV1 also use SSLv23_*_method(), noone in good mind would
    want to run TLSv1.0-only connections, and too many developers fail same way
    due to bad naming.
---- src/network/ssl/qsslsocket_openssl.cpp.orig	Thu May  7 17:14:44 2015
-+++ src/network/ssl/qsslsocket_openssl.cpp	Wed Jan  6 20:10:23 2016
-@@ -267,16 +267,18 @@ init_context:
+
+Index: src/network/ssl/qsslsocket_openssl.cpp
+--- src/network/ssl/qsslsocket_openssl.cpp.orig
++++ src/network/ssl/qsslsocket_openssl.cpp
+@@ -222,9 +222,7 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_S
+         ciph.d->encryptionMethod = descriptionList.at(4).mid(4);
+         ciph.d->exportable = (descriptionList.size() > 6 && descriptionList.at(6) == QLatin1String("export"));
+ 
+-        ciph.d->bits = cipher->strength_bits;
+-        ciph.d->supportedBits = cipher->alg_bits;
+-
++        ciph.d->bits = q_SSL_CIPHER_get_bits(cipher, &ciph.d->supportedBits);
+     }
+     return ciph;
+ }
+@@ -267,17 +265,19 @@ init_context:
  #endif
          break;
      case QSsl::SslV3:
@@ -25,9 +40,36 @@ $OpenBSD: patch-src_network_ssl_qsslsock
 +    case QSsl::TlsV1: // this is TLSv1.0 only case, but misused as TLSv1.x too often
      default:
          ctx = q_SSL_CTX_new(client ? q_SSLv23_client_method() : q_SSLv23_server_method());
--        break;
+         break;
 -    case QSsl::TlsV1:
 -        ctx = q_SSL_CTX_new(client ? q_TLSv1_client_method() : q_TLSv1_server_method());
-         break;
+-        break;
      }
      if (!ctx) {
+         // After stopping Flash 10 the SSL library looses its ciphers. Try re-adding them
+@@ -363,7 +363,7 @@ init_context:
+         //
+         // See also: QSslContext::fromConfiguration()
+         if (caCertificate.expiryDate() >= QDateTime::currentDateTime()) {
+-            q_X509_STORE_add_cert(ctx->cert_store, (X509 *)caCertificate.handle());
++            q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(ctx), (X509 *)caCertificate.handle());
+         }
+     }
+ 
+@@ -659,12 +659,10 @@ void QSslSocketPrivate::resetDefaultCiphers()
+     STACK_OF(SSL_CIPHER) *supportedCiphers = q_SSL_get_ciphers(mySsl);
+     for (int i = 0; i < q_sk_SSL_CIPHER_num(supportedCiphers); ++i) {
+         if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) {
+-            if (cipher->valid) {
+-                QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher);
+-                if (!ciph.isNull()) {
+-                    if (!ciph.name().toLower().startsWith(QLatin1String("adh")))
+-                        ciphers << ciph;
+-                }
++            QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher);
++            if (!ciph.isNull()) {
++                if (!ciph.name().toLower().startsWith(QLatin1String("adh")))
++                    ciphers << ciph;
+             }
+         }
+     }
Index: patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp
===================================================================
RCS file: /cvs/ports/x11/qt4/patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp,v
retrieving revision 1.4
diff -u -p -r1.4 patch-src_network_ssl_qsslsocket_openssl_symbols_cpp
--- patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp	27 Aug 2018 03:54:57 -0000	1.4
+++ patches/patch-src_network_ssl_qsslsocket_openssl_symbols_cpp	2 May 2021 13:21:18 -0000
@@ -2,7 +2,16 @@ $OpenBSD: patch-src_network_ssl_qsslsock
 Index: src/network/ssl/qsslsocket_openssl_symbols.cpp
 --- src/network/ssl/qsslsocket_openssl_symbols.cpp.orig
 +++ src/network/ssl/qsslsocket_openssl_symbols.cpp
-@@ -228,13 +228,17 @@ DEFINEFUNC(int, SSL_shutdown, SSL *a, a, return -1, re
+@@ -193,6 +193,8 @@ DEFINEFUNC2(int, SSL_CTX_use_PrivateKey, SSL_CTX *a, a
+ DEFINEFUNC2(int, SSL_CTX_use_RSAPrivateKey, SSL_CTX *a, a, RSA *b, b, return -1, return)
+ DEFINEFUNC3(int, SSL_CTX_use_PrivateKey_file, SSL_CTX *a, a, const char *b, b, int c, c, return -1, return)
+ DEFINEFUNC(void, SSL_free, SSL *a, a, return, DUMMYARG)
++DEFINEFUNC(X509_STORE *, SSL_CTX_get_cert_store, const SSL_CTX *a, a, return 0, return)
++DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *c, c, int *alg_bits, alg_bits, return 0, return)
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+ // 0.9.8 broke SC and BC by changing this function's signature.
+ DEFINEFUNC(STACK_OF(SSL_CIPHER) *, SSL_get_ciphers, const SSL *a, a, return 0, return)
+@@ -228,13 +230,17 @@ DEFINEFUNC(int, SSL_shutdown, SSL *a, a, return -1, re
  #ifndef OPENSSL_NO_SSL2
  DEFINEFUNC(const SSL_METHOD *, SSLv2_client_method, DUMMYARG, DUMMYARG, return 0, return)
  #endif
@@ -20,7 +29,7 @@ Index: src/network/ssl/qsslsocket_openss
  DEFINEFUNC(const SSL_METHOD *, SSLv23_server_method, DUMMYARG, DUMMYARG, return 0, return)
  DEFINEFUNC(const SSL_METHOD *, TLSv1_server_method, DUMMYARG, DUMMYARG, return 0, return)
  #else
-@@ -257,6 +261,8 @@ DEFINEFUNC(void, X509_free, X509 *a, a, return, DUMMYA
+@@ -257,6 +263,8 @@ DEFINEFUNC(void, X509_free, X509 *a, a, return, DUMMYA
  DEFINEFUNC2(X509_EXTENSION *, X509_get_ext, X509 *a, a, int b, b, return 0, return)
  DEFINEFUNC(int, X509_get_ext_count, X509 *a, a, return 0, return)
  DEFINEFUNC4(void *, X509_get_ext_d2i, X509 *a, a, int b, b, int *c, c, int *d, d, return 0, return)
@@ -29,7 +38,16 @@ Index: src/network/ssl/qsslsocket_openss
  DEFINEFUNC(X509_NAME *, X509_get_issuer_name, X509 *a, a, return 0, return)
  DEFINEFUNC(X509_NAME *, X509_get_subject_name, X509 *a, a, return 0, return)
  DEFINEFUNC(int, X509_verify_cert, X509_STORE_CTX *a, a, return -1, return)
-@@ -822,13 +828,17 @@ bool q_resolveOpenSslSymbols()
+@@ -801,6 +809,8 @@ bool q_resolveOpenSslSymbols()
+     RESOLVEFUNC(SSL_clear)
+     RESOLVEFUNC(SSL_connect)
+     RESOLVEFUNC(SSL_free)
++    RESOLVEFUNC(SSL_CTX_get_cert_store)
++    RESOLVEFUNC(SSL_CIPHER_get_bits)
+     RESOLVEFUNC(SSL_get_ciphers)
+     RESOLVEFUNC(SSL_get_current_cipher)
+     RESOLVEFUNC(SSL_get_error)
+@@ -822,13 +832,17 @@ bool q_resolveOpenSslSymbols()
  #ifndef OPENSSL_NO_SSL2
      RESOLVEFUNC(SSLv2_client_method)
  #endif
@@ -47,7 +65,7 @@ Index: src/network/ssl/qsslsocket_openss
      RESOLVEFUNC(SSLv23_server_method)
      RESOLVEFUNC(TLSv1_server_method)
      RESOLVEFUNC(X509_NAME_entry_count)
-@@ -858,6 +868,8 @@ bool q_resolveOpenSslSymbols()
+@@ -858,6 +872,8 @@ bool q_resolveOpenSslSymbols()
      RESOLVEFUNC(X509_get_ext_d2i)
      RESOLVEFUNC(X509_get_issuer_name)
      RESOLVEFUNC(X509_get_subject_name)
Index: patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h
===================================================================
RCS file: /cvs/ports/x11/qt4/patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h,v
retrieving revision 1.2
diff -u -p -r1.2 patch-src_network_ssl_qsslsocket_openssl_symbols_p_h
--- patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h	12 Nov 2019 09:55:51 -0000	1.2
+++ patches/patch-src_network_ssl_qsslsocket_openssl_symbols_p_h	2 May 2021 13:21:18 -0000
@@ -3,7 +3,16 @@ $OpenBSD: patch-src_network_ssl_qsslsock
 Index: src/network/ssl/qsslsocket_openssl_symbols_p.h
 --- src/network/ssl/qsslsocket_openssl_symbols_p.h.orig
 +++ src/network/ssl/qsslsocket_openssl_symbols_p.h
-@@ -360,6 +360,8 @@ int q_X509_get_ext_count(X509 *a);
+@@ -294,6 +294,8 @@ int q_SSL_CTX_use_PrivateKey(SSL_CTX *a, EVP_PKEY *b);
+ int q_SSL_CTX_use_RSAPrivateKey(SSL_CTX *a, RSA *b);
+ int q_SSL_CTX_use_PrivateKey_file(SSL_CTX *a, const char *b, int c);
+ void q_SSL_free(SSL *a);
++X509_STORE *q_SSL_CTX_get_cert_store(const SSL_CTX *a);
++int q_SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
+ #if OPENSSL_VERSION_NUMBER >= 0x00908000L
+ // 0.9.8 broke SC and BC by changing this function's signature.
+ STACK_OF(SSL_CIPHER) *q_SSL_get_ciphers(const SSL *a);
+@@ -360,6 +362,8 @@ int q_X509_get_ext_count(X509 *a);
  void *q_X509_get_ext_d2i(X509 *a, int b, int *c, int *d);
  X509_NAME *q_X509_get_issuer_name(X509 *a);
  X509_NAME *q_X509_get_subject_name(X509 *a);
@@ -12,7 +21,7 @@ Index: src/network/ssl/qsslsocket_openss
  int q_X509_verify_cert(X509_STORE_CTX *ctx);
  int q_X509_NAME_entry_count(X509_NAME *a);
  X509_NAME_ENTRY *q_X509_NAME_get_entry(X509_NAME *a,int b);
-@@ -410,8 +412,8 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp,
+@@ -410,8 +414,8 @@ DSA *q_d2i_DSAPrivateKey(DSA **a, unsigned char **pp,
  #define q_sk_SSL_CIPHER_value(st, i) q_SKM_sk_value(SSL_CIPHER, (st), (i))
  #define q_SSL_CTX_add_extra_chain_cert(ctx,x509) \
          q_SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
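Review bot: The rewritten patch header ("1.,3.,4. Use accessors to access members of the SSL_CIPHER and SSL_CTX structs.") says nothing about the check this revision drops, the `if (cipher->valid)` test in resetDefaultCiphers in the next hunk, whose justification currently lives only in the cover mail. The patch file is what survives in the tree, so the reasoning belongs in the header; I would add `5. Drop the cipher->valid test: it is always true in libssl and the field is unreachable once SSL_CIPHER is opaque.` The "1.,3.,4." label also refers to numbers that do not correspond to any labelled inner hunk, so a reader cannot map items to changes; either tag each inner hunk or reduce the label to `1.`. The `q_SSL_CIPHER_get_bits(cipher, &ciph.d->supportedBits)` rewrite itself is a faithful one-call replacement for the two field reads, assuming QSslCipherPrivate initialises supportedBits (declared outside this diff).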
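Review bot: The rewritten loop in resetDefaultCiphers still excludes anonymous suites only by the `adh` name prefix, so an `AECDH-*` (anonymous ECDH) cipher present in libssl's list would land in the default set and let a MITM server negotiate an unauthenticated key exchange; libssl's default cipher string should already exclude aNULL suites, so this is belt-and-braces, but since these lines are being rewritten anyway I would hoist the name and match what Qt 5 does: `const QString name = ciph.name().toLower();` then `if (!name.startsWith(QLatin1String("adh")) && !name.startsWith(QLatin1String("aecdh")))`. In the -363 hunk, `q_X509_STORE_add_cert(q_SSL_CTX_get_cert_store(ctx), …)` keeps discarding the add_cert return value, so a CA that fails to load is silently dropped from the store; a `qWarning` on a zero return would make that visible. Both init_context and resetDefaultCiphers continue outside this hunk.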
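Review bot: The new `DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *c, c, int *alg_bits, alg_bits, return 0, return)` breaks the file's naming convention: every neighbouring DEFINEFUNC in these hunks uses positional `a`, `b`, `c` (compare the SSL_CTX_use_RSAPrivateKey and X509_get_ext_d2i lines), and the macro only needs the two columns to agree. I would write `DEFINEFUNC2(int, SSL_CIPHER_get_bits, const SSL_CIPHER *a, a, int *b, b, return 0, return)` and mirror that in the `_p.h` prototype. Note that the `return 0` fallback leaves `*alg_bits` untouched if the symbol is ever unresolved, so the caller's supportedBits is whatever QSslCipherPrivate initialised it to, which is not visible here — worth confirming it is zeroed.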
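Review bot: The two new `RESOLVEFUNC` entries inherit the file's lookup-failure policy, which as far as I recall only emits a qWarning and leaves the `return 0` stub live rather than failing q_resolveOpenSslSymbols() (the macro is outside this hunk, so please confirm). For SSL_CTX_get_cert_store that stub yields a NULL X509_STORE which the cpp patch hands straight to q_X509_STORE_add_cert(), i.e. a crash inside libcrypto instead of a skipped CA. Both accessors are long-standing libssl API, so this is theoretical for any libssl the port can load, but a guard at the call site, `if (X509_STORE *store = q_SSL_CTX_get_cert_store(ctx))`, would keep the failure mode benign.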