QSsl: workaround a 'very secure' OpenSSL version (CentOS 8.x et al)

CentOS it seems not only backported some OpenSSL 3 functions, but also raised the default security level to 2, making some of our keys (and MDs?) 'too weak' and failing auto-tests here and there as a result. For our auto-test we lower the level to 1, as it is expected to be. Fixes: QTBUG-86336 Pick-to: 5.15 Change-Id: I7062a1b292e8b60eb9c2b2e82bd002f09f9da603 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2020-09-09 08:37:54 +02:00 · 2020-09-09 08:37:54 +02:00 · 605d2163f1
commit 605d2163f1
parent 5bb4baae03
7 changed files with 50 additions and 1 deletions
--- a/src/network/ssl/qsslcontext_openssl.cpp
+++ b/src/network/ssl/qsslcontext_openssl.cpp
@ -54,6 +54,13 @@

 QT_BEGIN_NAMESPACE

+Q_GLOBAL_STATIC(bool, forceSecurityLevel)
+
+Q_NETWORK_EXPORT void qt_ForceTlsSecurityLevel()
+{
+    *forceSecurityLevel() = true;
+}
+
 // defined in qsslsocket_openssl.cpp:
 extern int q_X509Callback(int ok, X509_STORE_CTX *ctx);
 extern "C" int q_X509CallbackDirect(int ok, X509_STORE_CTX *ctx);
@ -334,6 +341,10 @@ init_context:
        return;
    }

+    // A nasty hacked OpenSSL using a level that will make our auto-tests fail:
+    if (q_SSL_CTX_get_security_level(sslContext->ctx) > 1 && *forceSecurityLevel())
+        q_SSL_CTX_set_security_level(sslContext->ctx, 1);
+
    const long anyVersion =
 #if QT_CONFIG(dtls)
                            isDtls ? DTLS_ANY_VERSION : TLS_ANY_VERSION;
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@ -164,6 +164,8 @@ using info_callback = void (*) (const SSL *ssl, int type, int val);
 DEFINEFUNC2(void, SSL_set_info_callback, SSL *ssl, ssl, info_callback cb, cb, return, return)
 DEFINEFUNC(const char *, SSL_alert_type_string, int value, value, return nullptr, return)
 DEFINEFUNC(const char *, SSL_alert_desc_string_long, int value, value, return nullptr, return)
+DEFINEFUNC(int, SSL_CTX_get_security_level, const SSL_CTX *ctx, ctx, return -1, return)
+DEFINEFUNC2(void, SSL_CTX_set_security_level, SSL_CTX *ctx, ctx, int level, level, return, return)
 #ifdef TLS1_3_VERSION
 DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return)
 DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG)
@ -865,6 +867,8 @@ bool q_resolveOpenSslSymbols()
    RESOLVEFUNC(SSL_set_info_callback)
    RESOLVEFUNC(SSL_alert_type_string)
    RESOLVEFUNC(SSL_alert_desc_string_long)
+    RESOLVEFUNC(SSL_CTX_get_security_level)
+    RESOLVEFUNC(SSL_CTX_set_security_level)
 #ifdef TLS1_3_VERSION
    RESOLVEFUNC(SSL_CTX_set_ciphersuites)
    RESOLVEFUNC(SSL_set_psk_use_session_callback)
--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
@ -753,6 +753,9 @@ void q_SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int
 const char *q_SSL_alert_type_string(int value);
 const char *q_SSL_alert_desc_string_long(int value);

+int q_SSL_CTX_get_security_level(const SSL_CTX *ctx);
+void q_SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
+
 QT_END_NAMESPACE

 #endif
--- a/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp
+++ b/tests/auto/network/access/qnetworkreply/tst_qnetworkreply.cpp
@ -98,6 +98,12 @@ Q_DECLARE_METATYPE(QNetworkProxyQuery)

 typedef QSharedPointer<QNetworkReply> QNetworkReplyPtr;

+#ifndef QT_NO_OPENSSL
+QT_BEGIN_NAMESPACE
+void qt_ForceTlsSecurityLevel();
+QT_END_NAMESPACE
+#endif
+
 class MyCookieJar;
 class tst_QNetworkReply: public QObject
 {
@ -1564,6 +1570,10 @@ void tst_QNetworkReply::initTestCase()
        QString::fromLatin1("Couldn't find echo dir starting from %1.").arg(QDir::currentPath())));

    cleanupTestData();
+#ifndef QT_NO_OPENSSL
+    QT_PREPEND_NAMESPACE(qt_ForceTlsSecurityLevel)();
+#endif // QT_NO_OPENSSL
+
 }

 void tst_QNetworkReply::cleanupTestCase()
--- a/tests/auto/network/ssl/qdtls/tst_qdtls.cpp
+++ b/tests/auto/network/ssl/qdtls/tst_qdtls.cpp
@ -188,6 +188,9 @@ void tst_QDtls::initTestCase()
    defaultServerConfig.setDtlsCookieVerificationEnabled(false);

    hostName = QStringLiteral("bob.org");
+
+    void qt_ForceTlsSecurityLevel();
+    qt_ForceTlsSecurityLevel();
 }

 void tst_QDtls::init()
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@ -101,6 +101,11 @@ static const quint16 PSK_SERVER_PORT = 4433;
 static const QByteArray PSK_CLIENT_PRESHAREDKEY = QByteArrayLiteral("\x1a\x2b\x3c\x4d\x5e\x6f");
 static const QByteArray PSK_SERVER_IDENTITY_HINT = QByteArrayLiteral("QtTestServerHint");
 static const QByteArray PSK_CLIENT_IDENTITY = QByteArrayLiteral("Client_identity");
+
+QT_BEGIN_NAMESPACE
+void qt_ForceTlsSecurityLevel();
+QT_END_NAMESPACE
+
 #endif  // !QT_NO_OPENSSL

 class tst_QSslSocket : public QObject
@ -440,6 +445,10 @@ void tst_QSslSocket::init()
 #endif // QT_NO_NETWORKPROXY
    }

+#ifndef QT_NO_OPENSSL
+    QT_PREPEND_NAMESPACE(qt_ForceTlsSecurityLevel)();
+#endif // QT_NO_OPENSSL
+
    qt_qhostinfo_clear_cache();
 }

--- a/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp
+++ b/tests/auto/network/ssl/qsslsocket_onDemandCertificates_member/tst_qsslsocket_onDemandCertificates_member.cpp
@ -43,6 +43,11 @@

 #ifndef QT_NO_OPENSSL
 typedef QSharedPointer<QSslSocket> QSslSocketPtr;
+
+QT_BEGIN_NAMESPACE
+void qt_ForceTlsSecurityLevel();
+QT_END_NAMESPACE
+
 #endif

 class tst_QSslSocket_onDemandCertificates_member : public QObject
@ -54,6 +59,10 @@ class tst_QSslSocket_onDemandCertificates_member : public QObject
 public:

 #ifndef QT_NO_OPENSSL
+    tst_QSslSocket_onDemandCertificates_member()
+    {
+        QT_PREPEND_NAMESPACE(qt_ForceTlsSecurityLevel)();
+    }
    QSslSocketPtr newSocket();
 #endif

@ -69,7 +78,7 @@ private slots:
    void onDemandRootCertLoadingMemberMethods();

 private:
-    QSslSocket *socket;
+    QSslSocket *socket = nullptr;
 #endif // QT_NO_OPENSSL
 };