From 283a497c7305907bc4eaf4143c8442a5cea53ba2 Mon Sep 17 00:00:00 2001
From: Raul Metsma
Date: Mon, 17 Jun 2024 13:39:45 +0300
Subject: [PATCH] Uppdate OpenSSL 3.0.14 IB-8121, IB-8123
Signed-off-by: Raul Metsma
---
 .github/workflows/build.yml | 8 ++--
 CMakeLists.txt | 2 +-
 examples/DigiDocCSharp/digidoc/.gitignore | 1 +
 libdigidocpp.dox | 4 +-
 .../openssl/command-line-length.patch | 13 +++++++
 patches/vcpkg-ports/openssl/portfile.cmake | 32 +++++++++------
 .../vcpkg-ports/openssl/unix/portfile.cmake | 3 +-
 patches/vcpkg-ports/openssl/usage | 7 ++--
 patches/vcpkg-ports/openssl/vcpkg.json | 8 +++-
 .../openssl/windows/portfile.cmake | 39 ++++++++++---------
 prepare_osx_build_environment.sh | 2 +-
 vcpkg.json | 5 +--
 12 files changed, 77 insertions(+), 47 deletions(-)
 create mode 100644 patches/vcpkg-ports/openssl/command-line-length.patch
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index befa985e4..dc4a21177 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -165,7 +165,7 @@ jobs:
 - name: Prepare vcpkg
 uses: lukka/run-vcpkg@v11
 with:
- vcpkgGitCommitId: 1f619be01b436b796dab797dd1e1721c5676f8ac
+ vcpkgGitCommitId: 4065f37d0a6628ef17cf6ee15385f9091f1075bc
 vcpkgJsonGlob: ./vcpkg.json
 runVcpkgInstall: true
 runVcpkgFormatString: "[`install`, `--recurse`, `--clean-after-build`, `--x-install-root`, `$[env.VCPKG_INSTALLED_DIR]`, `--triplet`, `$[env.VCPKG_DEFAULT_TRIPLET]`, `--x-feature`, `tests`]"
@@ -210,7 +210,7 @@ jobs:
 with:
 submodules: recursive
 - name: Install dependencies
- run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev zlib1g-dev doxygen
+ run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev libxml2-dev zlib1g-dev doxygen
 - name: Build docs
 run: |
 cmake -B build -S .
@@ -234,7 +234,7 @@ jobs:
 with:
 submodules: recursive
 - name: Install dependencies
- run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev zlib1g-dev curl ca-certificates
+ run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev libxml2-dev zlib1g-dev curl ca-certificates
 - name: Download Coverity Build Tool
 run: |
 curl --silent --data "token=$TOKEN&project=$PROJECTNAME" -o cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64
@@ -268,7 +268,7 @@ jobs:
 with:
 submodules: recursive
 - name: Install dependencies
- run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev zlib1g-dev curl ca-certificates
+ run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake xsdcxx libxml-security-c-dev libxml2-dev zlib1g-dev curl ca-certificates
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3818c84ab..a2b7ba277 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -22,7 +22,7 @@ set_env( TSL_CERTS ${CMAKE_SOURCE_DIR}/etc/tl-mp6.crt ${CMAKE_SOURCE_DIR}/etc/tl-mp7.crt CACHE FILEPATH "TSL trust list signing certificates" )
-set_env( TSA_URL "http://dd-at.ria.ee/tsa" CACHE STRING "Default TSA URL" )
+set_env(TSA_URL "https://eid-dd.ria.ee/ts" CACHE STRING "Default TSA URL")
 set_env( SIVA_URL "https://siva.eesti.ee/V3/validate" CACHE STRING "Default SiVa validation service URL" )
 set( BUILD_TOOLS YES CACHE BOOL "Build digidoc-tool" )
 set( BUILD_SHARED_LIBS YES CACHE BOOL "Build library as SHARED or STATIC" )
diff --git a/examples/DigiDocCSharp/digidoc/.gitignore b/examples/DigiDocCSharp/digidoc/.gitignore
index e69de29bb..8143e15f9 100644
--- a/examples/DigiDocCSharp/digidoc/.gitignore
+++ b/examples/DigiDocCSharp/digidoc/.gitignore
@@ -0,0 +1 @@
+*.cs
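Review bot: The new `set_env(TSA_URL ...)` line drops the inner spacing that every neighbouring `set_env( ... )` and `set( ... )` call in the CMakeLists.txt hunk uses, so adjacent lines now follow two call styles; keep `set_env( TSA_URL "https://eid-dd.ria.ee/ts" CACHE STRING "Default TSA URL" )` here, or reformat the surrounding calls in a separate whitespace-only change. The substantive part of the line is that the default time-stamping endpoint moves from plain http to https on a different host, which changes behaviour for every consumer that does not set ts.url, and that deserves a sentence in the commit message beyond the ticket numbers.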
diff --git a/libdigidocpp.dox b/libdigidocpp.dox
index ca7bd7f47..f73724789 100644
--- a/libdigidocpp.dox
+++ b/libdigidocpp.dox
@@ -595,7 +595,7 @@ If left unspecified then the logging output is written to standard output stream
 ts.url
- Specifies the URL of the time-stamping service that is used during signature creation, needed only in case of TS signature profile. By default, the RIA's time-stamping service is used by the library (http://dd-at.ria.ee/tsa)
+ Specifies the URL of the time-stamping service that is used during signature creation, needed only in case of TS signature profile. By default, the RIA's time-stamping service is used by the library (https://eid-dd.ria.ee/ts)
@@ -877,7 +877,7 @@ In case of BDOC format, you can also use a different digest algorithm for calcul
 \paragraph API-sign-create Create the signature
-The signing method also adds validation data from external services (OCSP and/or time-stamping servers). Note that the OCSP responder and time-stamping server settings (in case of TS profile) should be configured before calling out the following method (see also \ref initialization and \ref parameters). By default, the RIA's time-stamping service http://dd-at.ria.ee/tsa is used.
+The signing method also adds validation data from external services (OCSP and/or time-stamping servers). Note that the OCSP responder and time-stamping server settings (in case of TS profile) should be configured before calling out the following method (see also \ref initialization and \ref parameters). By default, the RIA's time-stamping service https://eid-dd.ria.ee/ts is used.
 Container holds the Signature object reference and there is no need cleanup memory.
 \code{.cpp}
diff --git a/patches/vcpkg-ports/openssl/command-line-length.patch b/patches/vcpkg-ports/openssl/command-line-length.patch
new file mode 100644
index 000000000..08fb51be5
--- /dev/null
+++ b/patches/vcpkg-ports/openssl/command-line-length.patch
@@ -0,0 +1,13 @@
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 8ddb128..52b9ad6 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -1961,7 +1961,7 @@ EOF
+ my @objs = map { platform->obj($_) } @{$args{objs}};
+ my $deps = join(" \\\n" . ' ' x (length($lib) + 2),
+ fill_lines(' ', $COLUMNS - length($lib) - 2, @objs));
+- my $max_per_call = 500;
++ my $max_per_call = ($^O eq 'msys') ? 80 : 500;
+ my @objs_grouped;
+ push @objs_grouped, join(" ", splice @objs, 0, $max_per_call) while @objs;
+ my $fill_lib =
diff --git a/patches/vcpkg-ports/openssl/portfile.cmake b/patches/vcpkg-ports/openssl/portfile.cmake
index 4b86c7de9..9f4c27aad 100644
--- a/patches/vcpkg-ports/openssl/portfile.cmake
+++ b/patches/vcpkg-ports/openssl/portfile.cmake
@@ -7,22 +7,14 @@ if(VCPKG_TARGET_IS_EMSCRIPTEN)
 vcpkg_check_linkage(ONLY_STATIC_LIBRARY)
 endif()
 
-if (NOT "${VERSION}" MATCHES [[^([0-9]+)\.([0-9]+)\.([0-9]+)$]])
- message(FATAL_ERROR "Version regex did not match.")
-endif()
-set(OPENSSL_VERSION_MAJOR "${CMAKE_MATCH_1}")
-set(OPENSSL_VERSION_MINOR "${CMAKE_MATCH_2}")
-set(OPENSSL_VERSION_FIX "${CMAKE_MATCH_3}")
-configure_file("${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake.in" "${CURRENT_PACKAGES_DIR}/share/${PORT}/vcpkg-cmake-wrapper.cmake" @ONLY)
-
 vcpkg_from_github(
 OUT_SOURCE_PATH SOURCE_PATH
 REPO openssl/openssl
 REF "openssl-${VERSION}"
- SHA512 272223fefae76759de40219dd05ff119b99688a807c1af01360470ac5f390426e45463c1445988bf0a6e4cca23a6e0b1649a78121f9d6f69f92563e307a7fd70
+ SHA512 ebd70c82ef2b8d882858e26333c27b8975e55cc8a350b646c24505cd6feba1e92d4894026ec6b0cefe6d7dcbedb5799bd72df4114c832efb2616b68ad303f5d1
 PATCHES
 disable-apps.patch
- disable-install-docs.patch
+ command-line-length.patch
 script-prefix.patch
 windows/install-layout.patch
 windows/install-pdbs.patch
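Review bot: The patch hard-codes `80` as the per-call object batch for `$^O eq 'msys'` without saying where that number comes from, and `command-line-length.patch` has no description block above its `diff --git` line, so a reader cannot tell whether 80 is a measured safe value or a guess. Add a short preamble to the patch file stating the failure observed with 500 objects per invocation on an MSYS-hosted build and how 80 was chosen, so the value can be revisited when the template changes upstream. The `'msys'` test presumably matches the MSYS perl that unix/portfile.cmake acquires on Windows hosts (`${MSYS_ROOT}/usr/bin/perl.exe` in that file's first hunk); confirm that this is the perl that runs Configure, otherwise the branch is never taken.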
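Review bot: The `PATCHES` list drops `disable-install-docs.patch` and nothing in this hunk shows what suppresses the documentation install instead; if the newer upstream port handles it through a configure option, or the later `file(REMOVE_RECURSE ... "${CURRENT_PACKAGES_DIR}/debug/share")` in windows/portfile.cmake is meant to cover it, say so in the commit message, otherwise installed docs may appear silently. The new `SHA512` is the only integrity check on the `openssl-${VERSION}` archive that `vcpkg_from_github` downloads and cannot be verified from the diff, so confirm it against the upstream 3.0.14 release before merging.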
@@ -35,8 +27,6 @@ vcpkg_from_github(
 vcpkg_list(SET CONFIGURE_OPTIONS
 enable-static-engine
 enable-capieng
- no-ssl3
- no-weak-ssl-ciphers
 no-tests
 )
 
@@ -56,6 +46,15 @@ if(NOT "tools" IN_LIST FEATURES)
 vcpkg_list(APPEND CONFIGURE_OPTIONS no-apps)
 endif()
 
+if("weak-ssl-ciphers" IN_LIST FEATURES)
+ vcpkg_list(APPEND CONFIGURE_OPTIONS enable-weak-ssl-ciphers)
+endif()
+
+if("ssl3" IN_LIST FEATURES)
+ vcpkg_list(APPEND CONFIGURE_OPTIONS enable-ssl3)
+ vcpkg_list(APPEND CONFIGURE_OPTIONS enable-ssl3-method)
+endif()
+
 if(DEFINED OPENSSL_USE_NOPINSHARED)
 vcpkg_list(APPEND CONFIGURE_OPTIONS no-pinshared)
 endif()
@@ -72,4 +71,13 @@ else()
 endif()
 
 file(INSTALL "${CMAKE_CURRENT_LIST_DIR}/usage" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}")
+
+if (NOT "${VERSION}" MATCHES [[^([0-9]+)\.([0-9]+)\.([0-9]+)$]])
+ message(FATAL_ERROR "Version regex did not match.")
+endif()
+set(OPENSSL_VERSION_MAJOR "${CMAKE_MATCH_1}")
+set(OPENSSL_VERSION_MINOR "${CMAKE_MATCH_2}")
+set(OPENSSL_VERSION_FIX "${CMAKE_MATCH_3}")
+configure_file("${CMAKE_CURRENT_LIST_DIR}/vcpkg-cmake-wrapper.cmake.in" "${CURRENT_PACKAGES_DIR}/share/${PORT}/vcpkg-cmake-wrapper.cmake" @ONLY)
+
 vcpkg_install_copyright(FILE_LIST "${SOURCE_PATH}/LICENSE.txt")
diff --git a/patches/vcpkg-ports/openssl/unix/portfile.cmake b/patches/vcpkg-ports/openssl/unix/portfile.cmake
index 02e62732d..72b04e16a 100644
--- a/patches/vcpkg-ports/openssl/unix/portfile.cmake
+++ b/patches/vcpkg-ports/openssl/unix/portfile.cmake
@@ -6,7 +6,7 @@ openssl requires Linux kernel headers from the system package manager.
 ]])
 endif()
 
-if(CMAKE_HOST_WIN32)
+if(VCPKG_HOST_IS_WINDOWS)
 vcpkg_acquire_msys(MSYS_ROOT PACKAGES make perl)
 set(MAKE "${MSYS_ROOT}/usr/bin/make.exe")
 set(PERL "${MSYS_ROOT}/usr/bin/perl.exe")
@@ -88,6 +88,7 @@ elseif(VCPKG_TARGET_IS_MINGW)
 set(OPENSSL_ARCH mingw)
 endif()
 elseif(VCPKG_TARGET_IS_EMSCRIPTEN)
+ set(OPENSSL_ARCH linux-x32)
 vcpkg_list(APPEND CONFIGURE_OPTIONS
 threads
 no-engine
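Review bot: Dropping `no-ssl3` and `no-weak-ssl-ciphers` from `vcpkg_list(SET CONFIGURE_OPTIONS ...)` makes the hardened default implicit: the next hunk (`@@ -56,6 +46,15`) only appends `enable-ssl3`, `enable-ssl3-method` and `enable-weak-ssl-ciphers` when the matching feature is requested, so the default build now depends on OpenSSL's own Configure defaults to keep SSLv3 and the weak cipher suites out. OpenSSL 3.0 does disable both by default, but the policy is no longer visible in this port and would not survive a change of upstream defaults; keep the `no-` options on the `else()` side of each feature check so the choice stays explicit. The two `vcpkg_list(APPEND ...)` calls for `ssl3` can also be a single call.
```cmake
if("weak-ssl-ciphers" IN_LIST FEATURES)
    vcpkg_list(APPEND CONFIGURE_OPTIONS enable-weak-ssl-ciphers)
else()
    vcpkg_list(APPEND CONFIGURE_OPTIONS no-weak-ssl-ciphers)
endif()

if("ssl3" IN_LIST FEATURES)
    vcpkg_list(APPEND CONFIGURE_OPTIONS enable-ssl3 enable-ssl3-method)
else()
    vcpkg_list(APPEND CONFIGURE_OPTIONS no-ssl3 no-ssl3-method)
endif()
```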
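Review bot: The `VERSION` regex check now runs after `file(INSTALL ...)`, presumably after the platform portfile has been included and the whole OpenSSL build has run (the first hunk of this file removes it from the top), so a malformed `VERSION` is reported only at the very end instead of before any work starts. If the move is needed only so that `configure_file(...)` runs after the build, keep the `if (NOT "${VERSION}" MATCHES ...)` / `message(FATAL_ERROR ...)` check and the three `set(OPENSSL_VERSION_*)` lines at the top and move just the `configure_file` call here. The `if (NOT ...` spelling also differs from the `if(` form used by every other condition visible in this file.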
diff --git a/patches/vcpkg-ports/openssl/usage b/patches/vcpkg-ports/openssl/usage
index f535cb6a4..14e12e956 100644
--- a/patches/vcpkg-ports/openssl/usage
+++ b/patches/vcpkg-ports/openssl/usage
@@ -1,4 +1,5 @@
-The package openssl is compatible with built-in CMake targets:
+openssl is compatible with built-in CMake targets:
 
- find_package(OpenSSL REQUIRED)
- target_link_libraries(main PRIVATE OpenSSL::SSL OpenSSL::Crypto)
+ find_package(OpenSSL REQUIRED)
+ target_link_libraries(main PRIVATE OpenSSL::SSL)
+ target_link_libraries(main PRIVATE OpenSSL::Crypto)
diff --git a/patches/vcpkg-ports/openssl/vcpkg.json b/patches/vcpkg-ports/openssl/vcpkg.json
index 9703b2531..1b8187abc 100644
--- a/patches/vcpkg-ports/openssl/vcpkg.json
+++ b/patches/vcpkg-ports/openssl/vcpkg.json
@@ -1,6 +1,6 @@
 {
 "name": "openssl",
- "version": "3.0.13",
+ "version": "3.0.14",
 "description": "OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.",
 "homepage": "https://www.openssl.org",
 "license": "Apache-2.0",
@@ -23,9 +23,15 @@
 "description": "Enable fips",
 "supports": "!static"
 },
+ "ssl3": {
+ "description": "Enable SSL3"
+ },
 "tools": {
 "description": "Install openssl executable and scripts",
 "supports": "!uwp"
+ },
+ "weak-ssl-ciphers": {
+ "description": "Enable weak-ssl-ciphers"
 }
 }
 }
diff --git a/patches/vcpkg-ports/openssl/windows/portfile.cmake b/patches/vcpkg-ports/openssl/windows/portfile.cmake
index 9b98f148e..d35f30972 100644
--- a/patches/vcpkg-ports/openssl/windows/portfile.cmake
+++ b/patches/vcpkg-ports/openssl/windows/portfile.cmake
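Review bot: The feature descriptions `"Enable SSL3"` and `"Enable weak-ssl-ciphers"` in the second vcpkg.json hunk read like ordinary build options, while both switch on protocol and cipher support that OpenSSL ships disabled for security reasons, and this manifest is the only text a consumer of the overlay port sees before enabling them. Describe them in terms the consumer can act on, e.g. `"description": "Enable the obsolete SSLv3 protocol (insecure; legacy interoperability only)"` and `"description": "Enable weak SSL/TLS cipher suites (insecure; legacy interoperability only)"`.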
@@ -1,6 +1,7 @@
-vcpkg_find_acquire_program(NASM)
-get_filename_component(NASM_EXE_PATH "${NASM}" DIRECTORY)
-vcpkg_add_to_path(PREPEND "${NASM_EXE_PATH}")
+# Need cmd to pass quoted CC from nmake to mkbuildinf.pl, GH-37134
+find_program(CMD_EXECUTABLE cmd HINTS ENV PATH NO_DEFAULT_PATH REQUIRED)
+cmake_path(NATIVE_PATH CMD_EXECUTABLE cmd)
+set(ENV{COMSPEC} "${cmd}")
 
 vcpkg_find_acquire_program(PERL)
 get_filename_component(PERL_EXE_PATH "${PERL}" DIRECTORY)
@@ -21,7 +22,7 @@ elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64")
 elseif(VCPKG_DETECTED_CMAKE_C_COMPILER_ID MATCHES "Clang")
 set(OPENSSL_ARCH VC-CLANG-WIN64-CLANGASM-ARM)
 else()
- set(OPENSSL_ARCH VC-WIN64-ARM)
+ set(OPENSSL_ARCH VC-WIN64-CLANGASM-ARM)
 endif()
 else()
 message(FATAL_ERROR "Unsupported target architecture: ${VCPKG_TARGET_ARCHITECTURE}")
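Review bot: `find_program(CMD_EXECUTABLE cmd HINTS ENV PATH NO_DEFAULT_PATH REQUIRED)` takes whichever `cmd` comes first on the build host's `PATH` and then pins it as `COMSPEC` for every subprocess the rest of this portfile starts; the comment says why `COMSPEC` is set but not why the lookup is limited to `PATH` rather than the system directory. Consider putting `"$ENV{SystemRoot}/System32"` ahead of `ENV PATH` in `HINTS` so the shell used for the build is the system one unless it is absent, and extend the comment to say that the `ENV{COMSPEC}` assignment is process-wide for the remainder of the port. The reference `GH-37134` should also name its tracker (upstream vcpkg, presumably) so the rationale can be found later.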
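Review bot: The non-Clang arm64 branch now selects `VC-WIN64-CLANGASM-ARM`, which the `if(OPENSSL_ARCH MATCHES "CLANG")` block in the next hunk turns into a hard requirement on a vcpkg-acquired clang even when the C compiler is MSVC; nothing in the hunk records why the plain `VC-WIN64-ARM` target was dropped. Add a comment above the `set(OPENSSL_ARCH VC-WIN64-CLANGASM-ARM)` line, e.g. `# MSVC arm64 builds use clang as the assembler; VC-WIN64-ARM is not used because <REASON-PLACEHOLDER>`, with the actual reason filled in.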
@@ -48,22 +49,23 @@ if (VCPKG_DETECTED_CMAKE_C_COMPILER_ID MATCHES "Clang" OR VCPKG_LIBRARY_LINKAGE
 set(OPENSSL_BUILD_MAKES_PDBS OFF)
 endif()
 
-if(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64" AND NOT VCPKG_TARGET_IS_UWP)
+cmake_path(NATIVE_PATH VCPKG_DETECTED_CMAKE_C_COMPILER NORMALIZE cc)
+if(OPENSSL_ARCH MATCHES "CLANG")
 vcpkg_find_acquire_program(CLANG)
- set(clang "${CLANG}")
- cmake_path(GET clang PARENT_PATH clang_path)
+ cmake_path(GET CLANG PARENT_PATH clang_path)
 vcpkg_add_to_path("${clang_path}")
-
- set(as clang-cl)
-
- vcpkg_list(APPEND CONFIGURE_OPTIONS "ASFLAGS=--target=aarch64-win32-msvc")
 if(VCPKG_DETECTED_CMAKE_C_COMPILER_ID MATCHES "Clang")
 string(APPEND VCPKG_COMBINED_C_FLAGS_DEBUG " --target=aarch64-win32-msvc")
 string(APPEND VCPKG_COMBINED_C_FLAGS_RELEASE " --target=aarch64-win32-msvc")
 endif()
+endif()
+if(OPENSSL_ARCH MATCHES "CLANGASM")
+ vcpkg_list(APPEND CONFIGURE_OPTIONS "ASFLAGS=--target=aarch64-win32-msvc")
 else()
+ vcpkg_find_acquire_program(NASM)
 cmake_path(NATIVE_PATH NASM NORMALIZE as)
- cmake_path(NATIVE_PATH VCPKG_DETECTED_CMAKE_C_COMPILER NORMALIZE cc)
+ cmake_path(GET NASM PARENT_PATH nasm_path)
+ vcpkg_add_to_path("${nasm_path}") # Needed by Configure
 endif()
 
 cmake_path(NATIVE_PATH VCPKG_DETECTED_CMAKE_AR NORMALIZE ar)
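Review bot: The `CLANGASM` branch no longer sets `as` (the removed `set(as clang-cl)`), while the `else()` branch still derives `as` from NASM; if `as` is still handed to Configure further down this file, outside the hunk, the clang-assembler path now passes an undefined variable, so either restore `set(as clang-cl)` inside `if(OPENSSL_ARCH MATCHES "CLANGASM")` or confirm that OpenSSL selects the assembler from the target name on that path. The `--target=aarch64-win32-msvc` strings are hard-coded under the generic `MATCHES "CLANG"` and `MATCHES "CLANGASM"` tests, so any future non-arm64 CLANG target would inherit aarch64 flags; a comment such as `# only the arm64 targets chosen above reach this branch` would make the assumption visible. Hoisting `cmake_path(NATIVE_PATH VCPKG_DETECTED_CMAKE_C_COMPILER NORMALIZE cc)` out of the branches is a clear improvement.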
@@ -135,13 +137,14 @@ vcpkg_copy_pdbs()
 file(REMOVE_RECURSE
 "${CURRENT_PACKAGES_DIR}/certs"
 "${CURRENT_PACKAGES_DIR}/misc"
- "${CURRENT_PACKAGES_DIR}/private"
- "${CURRENT_PACKAGES_DIR}/lib/engines-3"
- "${CURRENT_PACKAGES_DIR}/debug/certs"
+ "${CURRENT_PACKAGES_DIR}/private"
+ "${CURRENT_PACKAGES_DIR}/lib/engines-3"
+ "${CURRENT_PACKAGES_DIR}/debug/certs"
 "${CURRENT_PACKAGES_DIR}/debug/misc"
- "${CURRENT_PACKAGES_DIR}/debug/lib/engines-3"
- "${CURRENT_PACKAGES_DIR}/debug/private"
- "${CURRENT_PACKAGES_DIR}/debug/include"
+ "${CURRENT_PACKAGES_DIR}/debug/lib/engines-3"
+ "${CURRENT_PACKAGES_DIR}/debug/private"
+ "${CURRENT_PACKAGES_DIR}/debug/include"
+ "${CURRENT_PACKAGES_DIR}/debug/share"
 )
 file(REMOVE
 "${CURRENT_PACKAGES_DIR}/ct_log_list.cnf"
diff --git a/prepare_osx_build_environment.sh b/prepare_osx_build_environment.sh
index f933ec56c..813c15c6c 100755
--- a/prepare_osx_build_environment.sh
+++ b/prepare_osx_build_environment.sh
@@ -5,7 +5,7 @@ XERCES_DIR=xerces-c-3.2.5
 XALAN_DIR=xalan_c-1.12
 XMLSEC_DIR=xml-security-c-2.0.4
 XSD=xsd-4.0.0-i686-macosx
-OPENSSL_DIR=openssl-3.0.13
+OPENSSL_DIR=openssl-3.0.14
 LIBXML2_DIR=libxml2-2.12.5
 ANDROID_NDK=android-ndk-r26d
 FREETYPE_DIR=freetype-2.10.1
diff --git a/vcpkg.json b/vcpkg.json
index 2f9ddbcaa..47f688fcd 100644
--- a/vcpkg.json
+++ b/vcpkg.json
@@ -5,9 +5,6 @@
 "xml-security-c",
 {
 "name": "libxml2",
- "features": [
- "zlib"
- ],
 "default-features": false
 },
 "zlib"
@@ -15,7 +12,7 @@
 "features": { "tests": { "description": "Build tests", "dependencies": ["boost-test"] } },
-"builtin-baseline": "1f619be01b436b796dab797dd1e1721c5676f8ac",
+"builtin-baseline": "4065f37d0a6628ef17cf6ee15385f9091f1075bc",
 "vcpkg-configuration": {
 "overlay-ports": [
 "patches/vcpkg-ports/openssl",
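Review bot: The only functional change in the windows/portfile.cmake hunk is the added `"${CURRENT_PACKAGES_DIR}/debug/share"` entry; the six surrounding `-`/`+` pairs are indentation-only and bury it, so either leave the whitespace alone or move the re-indentation into its own commit. If `debug/share` is where the debug install now writes the documentation that `disable-install-docs.patch` used to prevent, say so in the commit message so that the patch removal in portfile.cmake and this deletion are read together.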