From c9d4ca7a4f9904789abf4e67c606613c8503d4cd Mon Sep 17 00:00:00 2001
From: Raul Metsma
Date: Mon, 28 Aug 2023 07:51:04 +0300
Subject: [PATCH] Update OpenSSL 3.0.10 (#549)
IB-7803
Signed-off-by: Raul Metsma
---
 .github/workflows/build.yml | 4 ++--
 patches/vcpkg-ports/openssl/portfile.cmake | 8 +++++++-
 patches/vcpkg-ports/openssl/unix/configure | 2 +-
 patches/vcpkg-ports/openssl/vcpkg.json | 6 +++++-
 patches/vcpkg-ports/openssl/windows/portfile.cmake | 7 ++++++-
 src/crypto/TS.cpp | 10 ++++++----
 src/crypto/X509CertStore.cpp | 4 ++--
 vcpkg.json | 2 +-
 8 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2e2cdcc6f..3777c3930 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -165,7 +165,7 @@ jobs:
 - name: Prepare vcpkg X64
 uses: lukka/run-vcpkg@v11
 with:
- vcpkgGitCommitId: 5787cfa699a75805ef41938ec66bc7492714d290
+ vcpkgGitCommitId: 2f6176ce98fee807a207dc9e8fec213f111c291b
 vcpkgJsonGlob: ${{ steps.path.outputs.value }}/vcpkg.json
 runVcpkgInstall: true
 runVcpkgFormatString: "[`install`, `--recurse`, `--clean-after-build`, `--x-install-root`, `$[env.VCPKG_INSTALLED_DIR]`, `--triplet`, `$[env.VCPKG_DEFAULT_TRIPLET]`, `--x-feature`, `tests`]"
@@ -175,7 +175,7 @@ jobs:
 - name: Prepare vcpkg X86
 uses: lukka/run-vcpkg@v11
 with:
- vcpkgGitCommitId: 5787cfa699a75805ef41938ec66bc7492714d290
+ vcpkgGitCommitId: 2f6176ce98fee807a207dc9e8fec213f111c291b
 vcpkgJsonGlob: ${{ steps.path.outputs.value }}/vcpkg.json
 runVcpkgInstall: true
 runVcpkgFormatString: "[`install`, `--recurse`, `--clean-after-build`, `--x-install-root`, `$[env.VCPKG_INSTALLED_DIR]`, `--triplet`, `$[env.VCPKG_DEFAULT_TRIPLET]`, `--x-feature`, `tests`]"
diff --git a/patches/vcpkg-ports/openssl/portfile.cmake b/patches/vcpkg-ports/openssl/portfile.cmake
index 039efc246..71455d47c 100644
--- a/patches/vcpkg-ports/openssl/portfile.cmake
+++ b/patches/vcpkg-ports/openssl/portfile.cmake
@@ -19,7 +19,7 @@ vcpkg_from_github(
 OUT_SOURCE_PATH SOURCE_PATH
 REPO openssl/openssl
 REF "openssl-${VERSION}"
- SHA512 4762ce7faa0d7f43d0d4882700dcb10cd31bb025c52110fb2f1a8d3911f4ed92153db982935be6f38f45ae3f030f7edb4968e96dd5a41367ad7365c03c25edb1
+ SHA512 5c20269f9666eae0111252378baf196d74ae14a68b19cac49703d73fa564f7ae7aaf06209f5a3d7dc48c014ddb2e760bdf765141c14adde63edee552a8de015e
 PATCHES
 disable-apps.patch
 disable-install-docs.patch
@@ -40,6 +40,12 @@ vcpkg_list(SET CONFIGURE_OPTIONS no-tests )
+set(INSTALL_FIPS "")
+if("fips" IN_LIST FEATURES)
+ vcpkg_list(APPEND INSTALL_FIPS install_fips)
+ vcpkg_list(APPEND CONFIGURE_OPTIONS enable-fips)
+endif()
+
 if(VCPKG_LIBRARY_LINKAGE STREQUAL "dynamic")
 vcpkg_list(APPEND CONFIGURE_OPTIONS shared)
 else()
diff --git a/patches/vcpkg-ports/openssl/unix/configure b/patches/vcpkg-ports/openssl/unix/configure
index 5599aaa0f..2d49b3d16 100644
--- a/patches/vcpkg-ports/openssl/unix/configure
+++ b/patches/vcpkg-ports/openssl/unix/configure
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -e
diff --git a/patches/vcpkg-ports/openssl/vcpkg.json b/patches/vcpkg-ports/openssl/vcpkg.json
index ec43c1a5c..1252cc58e 100644
--- a/patches/vcpkg-ports/openssl/vcpkg.json
+++ b/patches/vcpkg-ports/openssl/vcpkg.json
@@ -1,6 +1,6 @@
 {
 "name": "openssl",
- "version": "3.0.9",
+ "version": "3.0.10",
 "description": "OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.",
 "homepage": "https://www.openssl.org",
 "license": "Apache-2.0",
@@ -19,6 +19,10 @@
 }
 ],
 "features": {
+ "fips": {
+ "description": "Enable fips",
+ "supports": "!static"
+ },
 "tools": {
 "description": "Install openssl executable and scripts",
 "supports": "!uwp"
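Review bot: `INSTALL_FIPS` is consumed in this patch only by windows/portfile.cmake (`TARGET install_dev install_modules ${INSTALL_FIPS}`), and the diffstat lists no change to unix/portfile.cmake, so on non-Windows triplets `enable-fips` builds the provider but nothing visible here installs it or runs `fipsinstall` to produce fipsmodule.cnf — unless the unix install step already picks that variable up, the feature yields a package with no loadable FIPS module there. Either pass `${INSTALL_FIPS}` to the unix install target as well, or restrict the feature in vcpkg.json (e.g. `"supports": "!static & windows"`) until it is wired up. A one-line comment on `set(INSTALL_FIPS "")`, such as `# extra install target (install_fips) appended to the platform portfiles' install step when the fips feature is on`, would make that contract explicit.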
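Review bot: The feature description `"Enable fips"` tells a consumer nothing about what they actually get; since the patch installs the `install_fips` target and relocates `fipsmodule.cnf`, something like `"description": "Build and install the OpenSSL FIPS provider module together with the fipsmodule.cnf generated by fipsinstall"` would say what is being opted into. The `"supports": "!static"` constraint presumably reflects that the FIPS provider is only shipped as a dynamically loaded module; stating that reason in the description saves the next person a trip to the portfile.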
diff --git a/patches/vcpkg-ports/openssl/windows/portfile.cmake b/patches/vcpkg-ports/openssl/windows/portfile.cmake
index a5a5da413..c1ce27745 100644
--- a/patches/vcpkg-ports/openssl/windows/portfile.cmake
+++ b/patches/vcpkg-ports/openssl/windows/portfile.cmake
@@ -77,7 +77,7 @@ vcpkg_build_nmake(
 "LD=${ld}"
 "LDFLAGS=${VCPKG_COMBINED_SHARED_LINKER_FLAGS_DEBUG}"
 PROJECT_NAME "makefile"
- TARGET install_dev install_modules
+ TARGET install_dev install_modules ${INSTALL_FIPS}
 LOGFILE_ROOT install
 OPTIONS
 "INSTALL_PDBS=${OPENSSL_BUILD_MAKES_PDBS}" # install-pdbs.patch
@@ -89,6 +89,9 @@ set(scripts "bin/c_rehash.pl" "misc/CA.pl" "misc/tsget.pl")
 if("tools" IN_LIST FEATURES)
 file(MAKE_DIRECTORY "${CURRENT_PACKAGES_DIR}/tools/${PORT}")
 file(RENAME "${CURRENT_PACKAGES_DIR}/openssl.cnf" "${CURRENT_PACKAGES_DIR}/tools/${PORT}/openssl.cnf")
+ if("fips" IN_LIST FEATURES)
+ file(RENAME "${CURRENT_PACKAGES_DIR}/fipsmodule.cnf" "${CURRENT_PACKAGES_DIR}/tools/${PORT}/fipsmodule.cnf")
+ endif()
 foreach(script IN LISTS scripts)
 file(COPY "${CURRENT_PACKAGES_DIR}/${script}" DESTINATION "${CURRENT_PACKAGES_DIR}/tools/${PORT}")
 file(REMOVE "${CURRENT_PACKAGES_DIR}/${script}" "${CURRENT_PACKAGES_DIR}/debug/${script}")
@@ -96,6 +99,7 @@ if("tools" IN_LIST FEATURES)
 vcpkg_copy_tools(TOOL_NAMES openssl AUTO_CLEAN)
 else()
 file(REMOVE "${CURRENT_PACKAGES_DIR}/openssl.cnf")
+ file(REMOVE "${CURRENT_PACKAGES_DIR}/fipsmodule.cnf")
 foreach(script IN LISTS scripts)
 file(REMOVE "${CURRENT_PACKAGES_DIR}/${script}" "${CURRENT_PACKAGES_DIR}/debug/${script}")
 endforeach()
@@ -125,4 +129,5 @@ file(REMOVE
 "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf.dist"
 "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf"
 "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf.dist"
+ "${CURRENT_PACKAGES_DIR}/debug/fipsmodule.cnf"
 )
diff --git a/src/crypto/TS.cpp b/src/crypto/TS.cpp
index 775cc8953..47ab67394 100644
--- a/src/crypto/TS.cpp
+++ b/src/crypto/TS.cpp
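Review bot: With `fips` enabled but `tools` disabled, the added `file(REMOVE "${CURRENT_PACKAGES_DIR}/fipsmodule.cnf")` deletes the only installed copy of the provider configuration while `install_fips` (first hunk) still ships the FIPS module itself. fipsmodule.cnf carries the integrity MAC that `openssl fipsinstall` computed for that exact module binary, so without it a consumer cannot activate the provider from a config file and has to re-run fipsinstall against the shipped module themselves. Keep the file when the feature is on, mirroring what the `tools` branch does one hunk earlier, and only remove it otherwise; alternatively declare in vcpkg.json that `fips` requires `tools`. The `if("tools" IN_LIST FEATURES)`/`else()` block starts in the previous hunk.
```cmake
else()
    file(REMOVE "${CURRENT_PACKAGES_DIR}/openssl.cnf")
    if("fips" IN_LIST FEATURES)
        # keep the fipsinstall-generated config where the tools feature would put it
        file(MAKE_DIRECTORY "${CURRENT_PACKAGES_DIR}/tools/${PORT}")
        file(RENAME "${CURRENT_PACKAGES_DIR}/fipsmodule.cnf" "${CURRENT_PACKAGES_DIR}/tools/${PORT}/fipsmodule.cnf")
    else()
        file(REMOVE "${CURRENT_PACKAGES_DIR}/fipsmodule.cnf")
    endif()
    # … unchanged: script removal loop …
```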
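Review bot: Dropping `debug/fipsmodule.cnf` follows the existing treatment of `debug/openssl.cnf`, but unlike openssl.cnf this file is not interchangeable between configurations: fipsinstall computes the MAC in it over the specific module binary, so the release copy kept under tools/ will not validate the debug fips module. If a FIPS-enabled debug build is deliberately unsupported, a comment such as `# debug fipsmodule.cnf is dropped: its MAC only matches the debug module; run openssl fipsinstall if a FIPS debug build is needed` would pre-empt the obvious question.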
@@ -131,7 +131,7 @@ TS::TS(const unsigned char *data, size_t size)
 #ifndef OPENSSL_NO_CMS
 if(d)
 return;
- OpenSSLException(EXCEPTION_PARAMS("ignore")); //Clear errors
+ ERR_clear_error();
 /**
 * Handle CMS based TimeStamp tokens
 * https://rt.openssl.org/Ticket/Display.html?id=4519
@@ -139,12 +139,14 @@ TS::TS(const unsigned char *data, size_t size)
 *
 * If PKCS7 wrapped TimeStamp parsing fails, try with CMS wrapping
 */
- auto bio = SCOPE_PTR(BIO, BIO_new_mem_buf((void*)data, int(size)));
- cms.reset(d2i_CMS_bio(bio.get(), nullptr), CMS_ContentInfo_free);
+ cms.reset(d2i_CMS_ContentInfo(nullptr, &data, long(size)), [](CMS_ContentInfo *contentInfo) {
+ CMS_ContentInfo_free(contentInfo);
+ ERR_clear_error();
+ });
 if(!cms || OBJ_obj2nid(CMS_get0_eContentType(cms.get())) != NID_id_smime_ct_TSTInfo)
 cms.reset();
- OpenSSLException(EXCEPTION_PARAMS("ignore")); //Clear errors
+ ERR_clear_error();
 #endif
 }
diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp
index 7cdba0745..2d7fb1c22 100644
--- a/src/crypto/X509CertStore.cpp
+++ b/src/crypto/X509CertStore.cpp
@@ -187,7 +187,7 @@ int X509CertStore::validate(int ok, X509_STORE_CTX *ctx, const Type &type)
 SCOPE(EVP_PKEY, pub, X509_get_pubkey(issuer.handle()));
 if(X509_verify(x509, pub.get()) == 1)
 return true;
- OpenSSLException(EXCEPTION_PARAMS("ignore")); //Clear errors
+ ERR_clear_error();
 return false;
 }))
 continue;
@@ -234,7 +234,7 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
 if(noqscd)
 return true;
- const TSL::Validity *v = static_cast(X509_STORE_CTX_get_ex_data(csc.get(), 0));
+ const auto *v = static_cast(X509_STORE_CTX_get_ex_data(csc.get(), 0));
 const vector policies = cert.certificatePolicies();
 const vector qcstatement = cert.qcStatements();
 const vector keyUsage = cert.keyUsage();
diff --git a/vcpkg.json b/vcpkg.json
index ade0ef028..86d751907 100644
--- a/vcpkg.json
+++ b/vcpkg.json
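Review bot: The custom deleter given to `cms.reset(...)` calls `ERR_clear_error()` every time the CMS_ContentInfo is released — on the `cms.reset()` after the NID check and again whenever the TS object is destroyed — so it also wipes errors that unrelated OpenSSL calls on the same thread have queued and not yet read at those points. Clearing the queue belongs at the parse site, which this hunk already does with the explicit `ERR_clear_error()` below; the deleter can simply be `cms.reset(d2i_CMS_ContentInfo(nullptr, &data, long(size)), CMS_ContentInfo_free);`. Note also that `d2i_CMS_ContentInfo` advances `data` past the bytes it consumed; nothing in the hunk reads `data` afterwards, but decoding from a local copy (`const unsigned char *p = data;`) would keep the constructor parameter intact if later code is added. TS::TS begins before this hunk.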
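Review bot: `X509_get_pubkey(issuer.handle())` can return NULL for an unsupported or malformed key, and the lambda hands `pub.get()` straight to `X509_verify`; adding `if(!pub) return false;` before the verify call skips such a candidate issuer explicitly instead of relying on X509_verify's handling of a null key. Replacing the throwaway `OpenSSLException` with `ERR_clear_error()` is fine, but it clears the whole thread queue, not just errors from this verify, which is worth a short comment like `// discard errors from the failed verify so they do not leak into later checks`. The enclosing lambda and `X509CertStore::validate` start before the hunk.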
@@ -8,7 +8,7 @@
 "features": {
 "tests": { "description": "Build tests", "dependencies": ["boost-test"] }
 },
- "builtin-baseline": "5787cfa699a75805ef41938ec66bc7492714d290",
+ "builtin-baseline": "2f6176ce98fee807a207dc9e8fec213f111c291b",
 "vcpkg-configuration": {
 "overlay-triplets": ["./patches/vcpkg-triplets"],
 "overlay-ports": [