From 23dec1f185da8f281b0f25936709fca7444bd5b9 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Fri, 4 Jan 2013 07:00:09 -0600 Subject: [PATCH] QSslSocket may report incorrect errors when certificate verification fails --- ...mpatibility-between-openssl-versions.patch | 80 +++++++++++++++++++ qt.spec | 9 ++- 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 0054-Fix-binary-incompatibility-between-openssl-versions.patch diff --git a/0054-Fix-binary-incompatibility-between-openssl-versions.patch b/0054-Fix-binary-incompatibility-between-openssl-versions.patch new file mode 100644 index 0000000..5f56edd --- /dev/null +++ b/0054-Fix-binary-incompatibility-between-openssl-versions.patch @@ -0,0 +1,80 @@ +From 691e78e5061d4cbc0de212d23b06c5dffddf2098 Mon Sep 17 00:00:00 2001 +From: Shane Kearns +Date: Thu, 6 Dec 2012 17:03:18 +0000 +Subject: [PATCH 54/79] Fix binary incompatibility between openssl versions + +OpenSSL changed the layout of X509_STORE_CTX between 0.9 and 1.0 +So we have to consider this struct as private implementation, and use +the access functions instead. + +This bug would cause certificate verification problems if a different +version of openssl is loaded at runtime to the headers Qt was compiled +against. + +Task-number: QTBUG-28343 +Change-Id: I47fc24336f7d9c80f08f9c8ba6debc51a5591258 +Reviewed-by: Richard J. Moore +(cherry picked from commit eb2688c4c4f257d0a4d978ba4bf57d6347b15252) +--- + src/network/ssl/qsslsocket_openssl.cpp | 2 +- + src/network/ssl/qsslsocket_openssl_symbols.cpp | 8 ++++++++ + src/network/ssl/qsslsocket_openssl_symbols_p.h | 4 ++++ + 3 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp +index b7ca290..e912abac 100644 +--- a/src/network/ssl/qsslsocket_openssl.cpp ++++ b/src/network/ssl/qsslsocket_openssl.cpp +@@ -236,7 +236,7 @@ static int q_X509Callback(int ok, X509_STORE_CTX *ctx) + { + if (!ok) { + // Store the error and at which depth the error was detected. +- _q_sslErrorList()->errors << qMakePair(ctx->error, ctx->error_depth); ++ _q_sslErrorList()->errors << qMakePair(q_X509_STORE_CTX_get_error(ctx), q_X509_STORE_CTX_get_error_depth(ctx)); + } + // Always return OK to allow verification to continue. We're handle the + // errors gracefully after collecting all errors, after verification has +diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp +index 2d6a25b..2e6ccd0 100644 +--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp ++++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp +@@ -267,6 +267,10 @@ DEFINEFUNC2(int, X509_STORE_add_cert, X509_STORE *a, a, X509 *b, b, return 0, re + DEFINEFUNC(void, X509_STORE_CTX_free, X509_STORE_CTX *a, a, return, DUMMYARG) + DEFINEFUNC4(int, X509_STORE_CTX_init, X509_STORE_CTX *a, a, X509_STORE *b, b, X509 *c, c, STACK_OF(X509) *d, d, return -1, return) + DEFINEFUNC2(int, X509_STORE_CTX_set_purpose, X509_STORE_CTX *a, a, int b, b, return -1, return) ++DEFINEFUNC(int, X509_STORE_CTX_get_error, X509_STORE_CTX *a, a, return -1, return) ++DEFINEFUNC(int, X509_STORE_CTX_get_error_depth, X509_STORE_CTX *a, a, return -1, return) ++DEFINEFUNC(X509 *, X509_STORE_CTX_get_current_cert, X509_STORE_CTX *a, a, return 0, return) ++DEFINEFUNC(STACK_OF(X509) *, X509_STORE_CTX_get_chain, X509_STORE_CTX *a, a, return 0, return) + DEFINEFUNC(X509_STORE_CTX *, X509_STORE_CTX_new, DUMMYARG, DUMMYARG, return 0, return) + #ifdef SSLEAY_MACROS + DEFINEFUNC2(int, i2d_DSAPrivateKey, const DSA *a, a, unsigned char **b, b, return -1, return) +@@ -832,6 +836,10 @@ bool q_resolveOpenSslSymbols() + RESOLVEFUNC(X509_STORE_CTX_init) + RESOLVEFUNC(X509_STORE_CTX_new) + RESOLVEFUNC(X509_STORE_CTX_set_purpose) ++ RESOLVEFUNC(X509_STORE_CTX_get_error) ++ RESOLVEFUNC(X509_STORE_CTX_get_error_depth) ++ RESOLVEFUNC(X509_STORE_CTX_get_current_cert) ++ RESOLVEFUNC(X509_STORE_CTX_get_chain) + RESOLVEFUNC(X509_cmp) + #ifndef SSLEAY_MACROS + RESOLVEFUNC(X509_dup) +diff --git a/src/network/ssl/qsslsocket_openssl_symbols_p.h b/src/network/ssl/qsslsocket_openssl_symbols_p.h +index fa9a157..87f3697 100644 +--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h ++++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h +@@ -374,6 +374,10 @@ int q_X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, + X509 *x509, STACK_OF(X509) *chain); + X509_STORE_CTX *q_X509_STORE_CTX_new(); + int q_X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); ++int q_X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); ++int q_X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); ++X509 *q_X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); ++STACK_OF(X509) *q_X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); + + #define q_BIO_get_mem_data(b, pp) (int)q_BIO_ctrl(b,BIO_CTRL_INFO,0,(char *)pp) + #define q_BIO_pending(b) (int)q_BIO_ctrl(b,BIO_CTRL_PENDING,0,NULL) +-- +1.8.0.2 + diff --git a/qt.spec b/qt.spec index 8479f5f..4a1fbae 100644 --- a/qt.spec +++ b/qt.spec @@ -16,7 +16,7 @@ Summary: Qt toolkit Name: qt Epoch: 1 Version: 4.8.4 -Release: 3%{?dist} +Release: 4%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT @@ -119,6 +119,9 @@ Patch83: qt-4.8-poll.patch # upstream patches # http://codereview.qt-project.org/#change,22006 Patch100: qt-everywhere-opensource-src-4.8.1-qtgahandle.patch +# QSslSocket may report incorrect errors when certificate verification fails +# https://codereview.qt-project.org/#change,42461 +Patch101: 0054-Fix-binary-incompatibility-between-openssl-versions.patch # security patches # CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code @@ -463,6 +466,7 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags # upstream patches %patch100 -p1 -b .QTgaHandler +%patch101 -p1 -b .0054 # security fixes %patch200 -p1 -b .CVE-2011-3922 @@ -1105,6 +1109,9 @@ fi %changelog +* Fri Jan 04 2013 Rex Dieter 1:4.8.4-4 +- QSslSocket may report incorrect errors when certificate verification fails + * Thu Jan 03 2013 Rex Dieter 1:4.8.4-3 - -x11: %%exclude %%{_qt4_plugindir}/designer/libqwebview.so