[mingw-qt] QSslSocket may report incorrect errors when certificate verification fails
Erik van Pienbroek
epienbro at fedoraproject.org
Sun Apr 14 18:46:05 UTC 2013
commit 42054ff075dd923782115457e29bd8102a0619e6
Author: Erik van Pienbroek <epienbro at fedoraproject.org>
Date: Sun Apr 14 20:45:58 2013 +0200
QSslSocket may report incorrect errors when certificate verification fails
...-incompatibility-between-openssl-versions.patch | 80 ++++++++++++++++++++
mingw-qt.spec | 10 ++-
2 files changed, 89 insertions(+), 1 deletions(-)
---
diff --git a/0054-Fix-binary-incompatibility-between-openssl-versions.patch b/0054-Fix-binary-incompatibility-between-openssl-versions.patch
new file mode 100644
index 0000000..5f56edd
--- /dev/null
+++ b/0054-Fix-binary-incompatibility-between-openssl-versions.patch
@@ -0,0 +1,80 @@
+From 691e78e5061d4cbc0de212d23b06c5dffddf2098 Mon Sep 17 00:00:00 2001
+From: Shane Kearns <dbgshane at gmail.com>
+Date: Thu, 6 Dec 2012 17:03:18 +0000
+Subject: [PATCH 54/79] Fix binary incompatibility between openssl versions
+
+OpenSSL changed the layout of X509_STORE_CTX between 0.9 and 1.0
+So we have to consider this struct as private implementation, and use
+the access functions instead.
+
+This bug would cause certificate verification problems if a different
+version of openssl is loaded at runtime to the headers Qt was compiled
+against.
+
+Task-number: QTBUG-28343
+Change-Id: I47fc24336f7d9c80f08f9c8ba6debc51a5591258
+Reviewed-by: Richard J. Moore <rich at kde.org>
+(cherry picked from commit eb2688c4c4f257d0a4d978ba4bf57d6347b15252)
+---
+ src/network/ssl/qsslsocket_openssl.cpp | 2 +-
+ src/network/ssl/qsslsocket_openssl_symbols.cpp | 8 ++++++++
+ src/network/ssl/qsslsocket_openssl_symbols_p.h | 4 ++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
+index b7ca290..e912abac 100644
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -236,7 +236,7 @@ static int q_X509Callback(int ok, X509_STORE_CTX *ctx)
+ {
+ if (!ok) {
+ // Store the error and at which depth the error was detected.
+- _q_sslErrorList()->errors << qMakePair<int, int>(ctx->error, ctx->error_depth);
++ _q_sslErrorList()->errors << qMakePair<int, int>(q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx));
+ }
+ // Always return OK to allow verification to continue. We're handle the
+ // errors gracefully after collecting all errors, after verification has
+diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
+index 2d6a25b..2e6ccd0 100644
+--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
++++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
+@@ -267,6 +267,10 @@ DEFINEFUNC2(int, X509_STORE_add_cert, X509_STORE *a, a, X509 *b, b, return 0, re
+ DEFINEFUNC(void, X509_STORE_CTX_free, X509_STORE_CTX *a, a, return, DUMMYARG)
+ DEFINEFUNC4(int, X509_STORE_CTX_init, X509_STORE_CTX *a, a, X509_STORE *b, b, X509 *c, c, STACK_OF(X509) *d, d, return -1, return)
+ DEFINEFUNC2(int, X509_STORE_CTX_set_purpose, X509_STORE_CTX *a, a, int b, b, return -1, return)
++DEFINEFUNC(int, X509_STORE_CTX_get_error, X509_STORE_CTX *a, a, return -1, return)
++DEFINEFUNC(int, X509_STORE_CTX_get_error_depth, X509_STORE_CTX *a, a, return -1, return)
++DEFINEFUNC(X509 *, X509_STORE_CTX_get_current_cert, X509_STORE_CTX *a, a, return 0, return)
++DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return)
+ DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return 0, return)
+ #ifdef SSLEAY_MACROS
+ DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return)
+@@ -832,6 +836,10 @@ bool q_resolveOpenSslSymbols()
+ RESOLVEFUNC(X509_STORE_CTX_init)
+ RESOLVEFUNC(X509_STORE_CTX_new)
+ RESOLVEFUNC(X509_STORE_CTX_set_purpose)
++ RESOLVEFUNC(X509_STORE_CTX_get_error)
++ RESOLVEFUNC(X509_STORE_CTX_get_error_depth)
++ RESOLVEFUNC(X509_STORE_CTX_get_current_cert)
++ RESOLVEFUNC(X509_STORE_CTX_get_chain)
+ RESOLVEFUNC(X509_cmp)
+ #ifndef SSLEAY_MACROS
+ RESOLVEFUNC(X509_dup)
+diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h
+index fa9a157..87f3697 100644
+--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
++++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
+@@ -374,6 +374,10 @@ int q_X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+ X509 *x509, STACK_OF(X509) *chain);
+ X509_STORE_CTX *q_X509_STORE_CTX_new();
+ int q_X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
++int q_X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
++int q_X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
++X509 *q_X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
++STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
+
+ #define q_BIO_get_mem_data(b, pp) (int)q_BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp)
+ #define q_BIO_pending(b) (int)q_BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL)
+--
+1.8.0.2
+
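Review bot: Of the four X509_STORE_CTX accessors this patch declares, defines and resolves in qsslsocket_openssl_symbols_p.h and qsslsocket_openssl_symbols.cpp, only q_X509_STORE_CTX_get_error and q_X509_STORE_CTX_get_error_depth are used by the q_X509Callback change; q_X509_STORE_CTX_get_current_cert and q_X509_STORE_CTX_get_chain have no caller in this patch, so presumably a later patch in the cherry-picked series needs them, and that should be stated in the patch header or next to the DEFINEFUNC lines so they are not removed as dead symbols. The `return -1` fallbacks on the two error accessors mean that if a symbol fails to resolve at runtime the callback still appends an entry for a failed verification (it only reads them when `ok` is false), so the check does not silently pass, but -1 is not an X509_V_ERR_* value and will presumably surface as a generic QSslError; a comment such as `// -1 is not an X509_V_ERR_* code: an unresolved symbol still yields a (generic) verification error` on those two DEFINEFUNC lines would make that intentional. q_X509Callback's body and its return continue outside the hunk.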
diff --git a/mingw-qt.spec b/mingw-qt.spec
index 339081d..7a2d597 100644
--- a/mingw-qt.spec
+++ b/mingw-qt.spec
@@ -14,7 +14,7 @@
Name: mingw-qt
Version: 4.8.4
-Release: 2%{?pre}%{?dist}
+Release: 3%{?pre}%{?dist}
Summary: Qt for Windows
License: GPLv3 with exceptions or LGPLv2 with exceptions
@@ -72,6 +72,10 @@ Patch24: qt-everywhere-opensource-src-4.8.1-linguist_qmake-qt4.patch
# https://codereview.qt-project.org/42316
Patch25: qt-4.8.4-fix-sse-suppport-build-regression.patch
+# QSslSocket may report incorrect errors when certificate verification fails
+# https://codereview.qt-project.org/#change,42461
+Patch26: 0054-Fix-binary-incompatibility-between-openssl-versions.patch
+
BuildRequires: mingw32-filesystem >= 95
BuildRequires: mingw32-gcc
BuildRequires: mingw32-gcc-c++
@@ -211,6 +215,7 @@ Static version of the mingw64-qt library.
%patch23 -p1
%patch24 -p1 -b .linguist_qtmake-qt4
%patch25 -p0 -b .ssse3
+%patch26 -p1 -b .cert_verify
# Patch 19 (openssl) needs an additional change
# qt loads openssl libraries (ssleay32, libeay32) at runtime, but they are called libssl-OPENSSL_SONAME
@@ -1075,6 +1080,9 @@ sed -i s@'$${QT_LIBINFIX}d'@'d$${QT_LIBINFIX}'@ $RPM_BUILD_ROOT%{mingw64_datadir
%changelog
+* Sun Apr 14 2013 Erik van Pienbroek <epienbro at fedoraproject.org> - 4.8.4-3
+- QSslSocket may report incorrect errors when certificate verification fails
+
* Sun Jan 27 2013 Erik van Pienbroek <epienbro at fedoraproject.org> - 4.8.4-2
- Rebuild against mingw-gcc 4.8 (win64 uses SEH exceptions now)
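Review bot: The comment above Patch26 gives the symptom and the codereview link but not the upstream identifiers that the embedded patch header carries, so a later rebase to a Qt release that already contains the fix has nothing to match against; add `# Task-number: QTBUG-28343, cherry-picked from upstream commit eb2688c4c4f257d0a4d978ba4bf57d6347b15252` next to the existing URL line. The `-p1` strip level in `%patch26 -p1 -b .cert_verify` matches the `a/src/network/ssl/...` paths inside the patch file, so no further change is needed there.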