Uppdate OpenSSL 3.0.14

IB-8121, IB-8123

Signed-off-by: Raul Metsma <raul@metsma.ee>

.github/workflows/build.yml

@@ -165,7 +165,7 @@ jobs:
     - name: Prepare vcpkg
       uses: lukka/run-vcpkg@v11
       with:
-        vcpkgGitCommitId: 1f619be01b436b796dab797dd1e1721c5676f8ac
+        vcpkgGitCommitId: 4065f37d0a6628ef17cf6ee15385f9091f1075bc
         vcpkgJsonGlob: ./vcpkg.json
         runVcpkgInstall: true
         runVcpkgFormatString: "[`install`, `--recurse`, `--clean-after-build`, `--x-install-root`, `$[env.VCPKG_INSTALLED_DIR]`, `--triplet`, `$[env.VCPKG_DEFAULT_TRIPLET]`, `--x-feature`, `tests`]"
@@ -210,7 +210,7 @@ jobs:
       with:
         submodules: recursive
     - name: Install dependencies
-      run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev zlib1g-dev doxygen
+      run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev libxml2-dev zlib1g-dev doxygen
     - name: Build docs
       run: |
         cmake -B build -S .
@@ -234,7 +234,7 @@ jobs:
       with:
         submodules: recursive
     - name: Install dependencies
-      run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev zlib1g-dev curl ca-certificates
+      run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev libxml2-dev zlib1g-dev curl ca-certificates
     - name: Download Coverity Build Tool
       run: |
         curl --silent --data "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64
@@ -268,7 +268,7 @@ jobs:
       with:
         submodules: recursive
     - name: Install dependencies
-      run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev zlib1g-dev curl ca-certificates
+      run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev libxml2-dev zlib1g-dev curl ca-certificates
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:

CMakeLists.txt

@@ -22,7 +22,7 @@ set_env( TSL_CERTS
     ${CMAKE_SOURCE_DIR}/etc/tl-mp6.crt
     ${CMAKE_SOURCE_DIR}/etc/tl-mp7.crt
     CACHE FILEPATH "TSL trust list signing certificates" )
-set_env( TSA_URL "http://dd-at.ria.ee/tsa" CACHE STRING "Default TSA URL" )
+set_env(TSA_URL "https://eid-dd.ria.ee/ts" CACHE STRING "Default TSA URL")
 set_env( SIVA_URL "https://siva.eesti.ee/V3/validate" CACHE STRING "Default SiVa validation service URL" )
 set( BUILD_TOOLS YES CACHE BOOL "Build digidoc-tool" )
 set( BUILD_SHARED_LIBS YES CACHE BOOL "Build library as SHARED or STATIC" )

examples/DigiDocCSharp/digidoc/.gitignore

@@ -0,0 +1 @@
+*.cs

libdigidocpp.dox

@@ -595,7 +595,7 @@ If left unspecified then the logging output is written to standard output stream
 </tr>
 <tr>
   <td>ts.url</td>
-  <td>Specifies the URL of the time-stamping service that is used during signature creation, needed only in case of TS signature profile. By default, the RIA's time-stamping service is used by the library (http://dd-at.ria.ee/tsa)
+  <td>Specifies the URL of the time-stamping service that is used during signature creation, needed only in case of TS signature profile. By default, the RIA's time-stamping service is used by the library (https://eid-dd.ria.ee/ts)
 </td>
 </tr>
 </table>
@@ -877,7 +877,7 @@ In case of BDOC format, you can also use a different digest algorithm for calcul
 
 
 \paragraph API-sign-create Create the signature
-The signing method also adds validation data from external services (OCSP and/or time-stamping servers). Note that the OCSP responder and time-stamping server settings (in case of TS profile) should be configured before calling out the following method (see also \ref initialization and \ref parameters). By default, the RIA's time-stamping service http://dd-at.ria.ee/tsa is used.
+The signing method also adds validation data from external services (OCSP and/or time-stamping servers). Note that the OCSP responder and time-stamping server settings (in case of TS profile) should be configured before calling out the following method (see also \ref initialization and \ref parameters). By default, the RIA's time-stamping service https://eid-dd.ria.ee/ts is used.
 Container holds the Signature object reference and there is no need cleanup memory.
 
 \code{.cpp}

patches/vcpkg-ports/openssl/command-line-length.patch

@@ -0,0 +1,13 @@
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 8ddb128..52b9ad6 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -1961,7 +1961,7 @@ EOF
+       my @objs = map { platform->obj($_) } @{$args{objs}};
+       my $deps = join(" \\\n" . ' ' x (length($lib) + 2),
+                       fill_lines(' ', $COLUMNS - length($lib) - 2, @objs));
+-      my $max_per_call = 500;
++      my $max_per_call = ($^O eq 'msys') ? 80 : 500;
+       my @objs_grouped;
+       push @objs_grouped, join(" ", splice @objs, 0, $max_per_call) while @objs;
+       my $fill_lib =

patches/vcpkg-ports/openssl/portfile.cmake

@@ -7,22 +7,14 @@ if(VCPKG_TARGET_IS_EMSCRIPTEN)
     vcpkg_check_linkage(ONLY_STATIC_LIBRARY)
 endif()
 
-if (NOT "${VERSION}" MATCHES [[^([0-9]+)\.([0-9]+)\.([0-9]+)$]])
-    message(FATAL_ERROR "Version regex did not match.")
-endif()
-set(OPENSSL_VERSION_MAJOR "${CMAKE_MATCH_1}")
-set(OPENSSL_VERSION_MINOR "${CMAKE_MATCH_2}")
-set(OPENSSL_VERSION_FIX "${CMAKE_MATCH_3}")
-configure_file("${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake.in" "${CURRENT_PACKAGES_DIR}/share/${PORT}/vcpkg-cmake-wrapper.cmake" @ONLY)
-
 vcpkg_from_github(
     OUT_SOURCE_PATH SOURCE_PATH
     REPO openssl/openssl
     REF "openssl-${VERSION}"
-    SHA512 272223fefae76759de40219dd05ff119b99688a807c1af01360470ac5f390426e45463c1445988bf0a6e4cca23a6e0b1649a78121f9d6f69f92563e307a7fd70
+    SHA512 ebd70c82ef2b8d882858e26333c27b8975e55cc8a350b646c24505cd6feba1e92d4894026ec6b0cefe6d7dcbedb5799bd72df4114c832efb2616b68ad303f5d1
     PATCHES
         disable-apps.patch
-        disable-install-docs.patch
+        command-line-length.patch
         script-prefix.patch
         windows/install-layout.patch
         windows/install-pdbs.patch
@@ -35,8 +27,6 @@ vcpkg_from_github(
 vcpkg_list(SET CONFIGURE_OPTIONS
     enable-static-engine
     enable-capieng
-    no-ssl3
-    no-weak-ssl-ciphers
     no-tests
 )
 
@@ -56,6 +46,15 @@ if(NOT "tools" IN_LIST FEATURES)
     vcpkg_list(APPEND CONFIGURE_OPTIONS no-apps)
 endif()
 
+if("weak-ssl-ciphers" IN_LIST FEATURES)
+    vcpkg_list(APPEND CONFIGURE_OPTIONS enable-weak-ssl-ciphers)
+endif()
+
+if("ssl3" IN_LIST FEATURES)
+    vcpkg_list(APPEND CONFIGURE_OPTIONS enable-ssl3)
+    vcpkg_list(APPEND CONFIGURE_OPTIONS enable-ssl3-method)
+endif()
+
 if(DEFINED OPENSSL_USE_NOPINSHARED)
     vcpkg_list(APPEND CONFIGURE_OPTIONS no-pinshared)
 endif()
@@ -72,4 +71,13 @@ else()
 endif()
 
 file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/usage" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}")
+
+if (NOT "${VERSION}" MATCHES [[^([0-9]+)\.([0-9]+)\.([0-9]+)$]])
+    message(FATAL_ERROR "Version regex did not match.")
+endif()
+set(OPENSSL_VERSION_MAJOR "${CMAKE_MATCH_1}")
+set(OPENSSL_VERSION_MINOR "${CMAKE_MATCH_2}")
+set(OPENSSL_VERSION_FIX "${CMAKE_MATCH_3}")
+configure_file("${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake.in" "${CURRENT_PACKAGES_DIR}/share/${PORT}/vcpkg-cmake-wrapper.cmake" @ONLY)
+
 vcpkg_install_copyright(FILE_LIST "${SOURCE_PATH}/LICENSE.txt")

patches/vcpkg-ports/openssl/unix/portfile.cmake

@@ -6,7 +6,7 @@ openssl requires Linux kernel headers from the system package manager.
 ]])
 endif()
 
-if(CMAKE_HOST_WIN32)
+if(VCPKG_HOST_IS_WINDOWS)
     vcpkg_acquire_msys(MSYS_ROOT PACKAGES make perl)
     set(MAKE "${MSYS_ROOT}/usr/bin/make.exe")
     set(PERL "${MSYS_ROOT}/usr/bin/perl.exe")
@@ -88,6 +88,7 @@ elseif(VCPKG_TARGET_IS_MINGW)
         set(OPENSSL_ARCH mingw)
     endif()
 elseif(VCPKG_TARGET_IS_EMSCRIPTEN)
+    set(OPENSSL_ARCH linux-x32)
     vcpkg_list(APPEND CONFIGURE_OPTIONS
         threads
         no-engine

patches/vcpkg-ports/openssl/usage

@@ -1,4 +1,5 @@
-The package openssl is compatible with built-in CMake targets:
+openssl is compatible with built-in CMake targets:
 
-    find_package(OpenSSL REQUIRED)
-    target_link_libraries(main PRIVATE OpenSSL::SSL OpenSSL::Crypto)
+  find_package(OpenSSL REQUIRED)
+  target_link_libraries(main PRIVATE OpenSSL::SSL)
+  target_link_libraries(main PRIVATE OpenSSL::Crypto)

patches/vcpkg-ports/openssl/vcpkg.json

@@ -1,6 +1,6 @@
 {
   "name": "openssl",
-  "version": "3.0.13",
+  "version": "3.0.14",
   "description": "OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.",
   "homepage": "https://www.openssl.org",
   "license": "Apache-2.0",
@@ -23,9 +23,15 @@
       "description": "Enable fips",
       "supports": "!static"
     },
+    "ssl3": {
+      "description": "Enable SSL3"
+    },
     "tools": {
       "description": "Install openssl executable and scripts",
       "supports": "!uwp"
+    },
+    "weak-ssl-ciphers": {
+      "description": "Enable weak-ssl-ciphers"
     }
   }
 }

patches/vcpkg-ports/openssl/windows/portfile.cmake

@@ -1,6 +1,7 @@
-vcpkg_find_acquire_program(NASM)
-get_filename_component(NASM_EXE_PATH "${NASM}" DIRECTORY)
-vcpkg_add_to_path(PREPEND "${NASM_EXE_PATH}")
+# Need cmd to pass quoted CC from nmake to mkbuildinf.pl, GH-37134
+find_program(CMD_EXECUTABLE cmd HINTS ENV PATH NO_DEFAULT_PATH REQUIRED)
+cmake_path(NATIVE_PATH CMD_EXECUTABLE cmd)
+set(ENV{COMSPEC} "${cmd}")
 
 vcpkg_find_acquire_program(PERL)
 get_filename_component(PERL_EXE_PATH "${PERL}" DIRECTORY)
@@ -21,7 +22,7 @@ elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64")
     elseif(VCPKG_DETECTED_CMAKE_C_COMPILER_ID MATCHES "Clang")
         set(OPENSSL_ARCH VC-CLANG-WIN64-CLANGASM-ARM)
     else()
-        set(OPENSSL_ARCH VC-WIN64-ARM)
+        set(OPENSSL_ARCH VC-WIN64-CLANGASM-ARM)
     endif()
 else()
     message(FATAL_ERROR "Unsupported target architecture: ${VCPKG_TARGET_ARCHITECTURE}")
@@ -48,22 +49,23 @@ if (VCPKG_DETECTED_CMAKE_C_COMPILER_ID MATCHES "Clang" OR VCPKG_LIBRARY_LINKAGE
     set(OPENSSL_BUILD_MAKES_PDBS OFF)
 endif()
 
-if(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64" AND NOT VCPKG_TARGET_IS_UWP)
+cmake_path(NATIVE_PATH VCPKG_DETECTED_CMAKE_C_COMPILER NORMALIZE cc)
+if(OPENSSL_ARCH MATCHES "CLANG")
     vcpkg_find_acquire_program(CLANG)
-    set(clang "${CLANG}")
-    cmake_path(GET clang PARENT_PATH clang_path)
+    cmake_path(GET CLANG PARENT_PATH clang_path)
     vcpkg_add_to_path("${clang_path}")
-
-    set(as clang-cl)
-
-    vcpkg_list(APPEND CONFIGURE_OPTIONS "ASFLAGS=--target=aarch64-win32-msvc")
     if(VCPKG_DETECTED_CMAKE_C_COMPILER_ID MATCHES "Clang")
         string(APPEND VCPKG_COMBINED_C_FLAGS_DEBUG " --target=aarch64-win32-msvc")
         string(APPEND VCPKG_COMBINED_C_FLAGS_RELEASE " --target=aarch64-win32-msvc")
     endif()
+endif()
+if(OPENSSL_ARCH MATCHES "CLANGASM")
+    vcpkg_list(APPEND CONFIGURE_OPTIONS "ASFLAGS=--target=aarch64-win32-msvc")
 else()
+    vcpkg_find_acquire_program(NASM)
     cmake_path(NATIVE_PATH NASM NORMALIZE as)
-    cmake_path(NATIVE_PATH VCPKG_DETECTED_CMAKE_C_COMPILER NORMALIZE cc)
+    cmake_path(GET NASM PARENT_PATH nasm_path)
+    vcpkg_add_to_path("${nasm_path}") # Needed by Configure
 endif()
 
 cmake_path(NATIVE_PATH VCPKG_DETECTED_CMAKE_AR NORMALIZE ar)
@@ -135,13 +137,14 @@ vcpkg_copy_pdbs()
 file(REMOVE_RECURSE
     "${CURRENT_PACKAGES_DIR}/certs"
     "${CURRENT_PACKAGES_DIR}/misc"
-	"${CURRENT_PACKAGES_DIR}/private"
-	"${CURRENT_PACKAGES_DIR}/lib/engines-3"
-	"${CURRENT_PACKAGES_DIR}/debug/certs"
+    "${CURRENT_PACKAGES_DIR}/private"
+    "${CURRENT_PACKAGES_DIR}/lib/engines-3"
+    "${CURRENT_PACKAGES_DIR}/debug/certs"
     "${CURRENT_PACKAGES_DIR}/debug/misc"
-	"${CURRENT_PACKAGES_DIR}/debug/lib/engines-3"
-	"${CURRENT_PACKAGES_DIR}/debug/private"
-	"${CURRENT_PACKAGES_DIR}/debug/include"
+    "${CURRENT_PACKAGES_DIR}/debug/lib/engines-3"
+    "${CURRENT_PACKAGES_DIR}/debug/private"
+    "${CURRENT_PACKAGES_DIR}/debug/include"
+    "${CURRENT_PACKAGES_DIR}/debug/share"
 )
 file(REMOVE
     "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf"

prepare_osx_build_environment.sh

@@ -5,7 +5,7 @@ XERCES_DIR=xerces-c-3.2.5
 XALAN_DIR=xalan_c-1.12
 XMLSEC_DIR=xml-security-c-2.0.4
 XSD=xsd-4.0.0-i686-macosx
-OPENSSL_DIR=openssl-3.0.13
+OPENSSL_DIR=openssl-3.0.14
 LIBXML2_DIR=libxml2-2.12.5
 ANDROID_NDK=android-ndk-r26d
 FREETYPE_DIR=freetype-2.10.1

vcpkg.json

@@ -5,17 +5,14 @@
       "xml-security-c",
       {
         "name": "libxml2",
-        "features": [
-          "zlib"
-        ],
         "default-features": false
       },
       "zlib"
     ],
     "features": {
       "tests": { "description": "Build tests", "dependencies": ["boost-test"] }
     },
-    "builtin-baseline": "1f619be01b436b796dab797dd1e1721c5676f8ac",
+    "builtin-baseline": "4065f37d0a6628ef17cf6ee15385f9091f1075bc",
     "vcpkg-configuration": {
         "overlay-ports": [
           "patches/vcpkg-ports/openssl",