Update OpenSSL 3.0.10

.github/workflows/build.yml

@@ -165,7 +165,7 @@ jobs:
     - name: Prepare vcpkg X64
       uses: lukka/run-vcpkg@v11
       with:
-        vcpkgGitCommitId: 5787cfa699a75805ef41938ec66bc7492714d290
+        vcpkgGitCommitId: 2f6176ce98fee807a207dc9e8fec213f111c291b
         vcpkgJsonGlob: ${{ steps.path.outputs.value }}/vcpkg.json
         runVcpkgInstall: true
         runVcpkgFormatString: "[`install`, `--recurse`, `--clean-after-build`, `--x-install-root`, `$[env.VCPKG_INSTALLED_DIR]`, `--triplet`, `$[env.VCPKG_DEFAULT_TRIPLET]`, `--x-feature`, `tests`]"
@@ -175,7 +175,7 @@ jobs:
     - name: Prepare vcpkg X86
       uses: lukka/run-vcpkg@v11
       with:
-        vcpkgGitCommitId: 5787cfa699a75805ef41938ec66bc7492714d290
+        vcpkgGitCommitId: 2f6176ce98fee807a207dc9e8fec213f111c291b
         vcpkgJsonGlob: ${{ steps.path.outputs.value }}/vcpkg.json
         runVcpkgInstall: true
         runVcpkgFormatString: "[`install`, `--recurse`, `--clean-after-build`, `--x-install-root`, `$[env.VCPKG_INSTALLED_DIR]`, `--triplet`, `$[env.VCPKG_DEFAULT_TRIPLET]`, `--x-feature`, `tests`]"
@@ -184,6 +184,10 @@ jobs:
         VCPKG_INSTALLED_DIR: ${{ github.workspace }}/vcpkg_installed
     - name: Install dependencies
       run: choco install doxygen.install swig -y > $null
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.11
+        architecture: x86
     - name: Build xsd
       run: .\prepare_win_build_environment.ps1 -xsd
     - name: Build

patches/vcpkg-ports/openssl/portfile.cmake

@@ -19,7 +19,7 @@ vcpkg_from_github(
     OUT_SOURCE_PATH SOURCE_PATH
     REPO openssl/openssl
     REF "openssl-${VERSION}"
-    SHA512 4762ce7faa0d7f43d0d4882700dcb10cd31bb025c52110fb2f1a8d3911f4ed92153db982935be6f38f45ae3f030f7edb4968e96dd5a41367ad7365c03c25edb1
+    SHA512 5c20269f9666eae0111252378baf196d74ae14a68b19cac49703d73fa564f7ae7aaf06209f5a3d7dc48c014ddb2e760bdf765141c14adde63edee552a8de015e
     PATCHES
         disable-apps.patch
         disable-install-docs.patch
@@ -40,6 +40,12 @@ vcpkg_list(SET CONFIGURE_OPTIONS
     no-tests
 )
 
+set(INSTALL_FIPS "")
+if("fips" IN_LIST FEATURES)
+    vcpkg_list(APPEND INSTALL_FIPS install_fips)
+    vcpkg_list(APPEND CONFIGURE_OPTIONS enable-fips)
+endif()
+
 if(VCPKG_LIBRARY_LINKAGE STREQUAL "dynamic")
     vcpkg_list(APPEND CONFIGURE_OPTIONS shared)
 else()

patches/vcpkg-ports/openssl/unix/configure

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -e
 

patches/vcpkg-ports/openssl/vcpkg.json

@@ -1,6 +1,6 @@
 {
   "name": "openssl",
-  "version": "3.0.9",
+  "version": "3.0.10",
   "description": "OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.",
   "homepage": "https://www.openssl.org",
   "license": "Apache-2.0",
@@ -19,6 +19,10 @@
     }
   ],
   "features": {
+    "fips": {
+      "description": "Enable fips",
+      "supports": "!static"
+    },
     "tools": {
       "description": "Install openssl executable and scripts",
       "supports": "!uwp"

patches/vcpkg-ports/openssl/windows/portfile.cmake

@@ -77,7 +77,7 @@ vcpkg_build_nmake(
         "LD=${ld}"
         "LDFLAGS=${VCPKG_COMBINED_SHARED_LINKER_FLAGS_DEBUG}"
     PROJECT_NAME "makefile"
-    TARGET install_dev install_modules
+    TARGET install_dev install_modules ${INSTALL_FIPS}
     LOGFILE_ROOT install
     OPTIONS
         "INSTALL_PDBS=${OPENSSL_BUILD_MAKES_PDBS}" # install-pdbs.patch
@@ -89,13 +89,17 @@ set(scripts "bin/c_rehash.pl" "misc/CA.pl" "misc/tsget.pl")
 if("tools" IN_LIST FEATURES)
     file(MAKE_DIRECTORY "${CURRENT_PACKAGES_DIR}/tools/${PORT}")
     file(RENAME "${CURRENT_PACKAGES_DIR}/openssl.cnf" "${CURRENT_PACKAGES_DIR}/tools/${PORT}/openssl.cnf")
+    if("fips" IN_LIST FEATURES)
+	file(RENAME "${CURRENT_PACKAGES_DIR}/fipsmodule.cnf" "${CURRENT_PACKAGES_DIR}/tools/${PORT}/fipsmodule.cnf")
+    endif()
     foreach(script IN LISTS scripts)
         file(COPY "${CURRENT_PACKAGES_DIR}/${script}" DESTINATION "${CURRENT_PACKAGES_DIR}/tools/${PORT}")
         file(REMOVE "${CURRENT_PACKAGES_DIR}/${script}" "${CURRENT_PACKAGES_DIR}/debug/${script}")
     endforeach()
     vcpkg_copy_tools(TOOL_NAMES openssl AUTO_CLEAN)
 else()
     file(REMOVE "${CURRENT_PACKAGES_DIR}/openssl.cnf")
+    file(REMOVE "${CURRENT_PACKAGES_DIR}/fipsmodule.cnf")
     foreach(script IN LISTS scripts)
         file(REMOVE "${CURRENT_PACKAGES_DIR}/${script}" "${CURRENT_PACKAGES_DIR}/debug/${script}")
     endforeach()
@@ -125,4 +129,5 @@ file(REMOVE
     "${CURRENT_PACKAGES_DIR}/debug/ct_log_list.cnf.dist"
     "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf"
     "${CURRENT_PACKAGES_DIR}/debug/openssl.cnf.dist"
+    "${CURRENT_PACKAGES_DIR}/debug/fipsmodule.cnf"
 )

src/crypto/TS.cpp

@@ -131,20 +131,22 @@ TS::TS(const unsigned char *data, size_t size)
 #ifndef OPENSSL_NO_CMS
     if(d)
         return;
-    OpenSSLException(EXCEPTION_PARAMS("ignore")); //Clear errors
+    ERR_clear_error();
     /**
      * Handle CMS based TimeStamp tokens
      * https://rt.openssl.org/Ticket/Display.html?id=4519
      * https://github.com/openssl/openssl/issues/993
      *
      * If PKCS7 wrapped TimeStamp parsing fails, try with CMS wrapping
      */
-    auto bio = SCOPE_PTR(BIO, BIO_new_mem_buf((void*)data, int(size)));
-    cms.reset(d2i_CMS_bio(bio.get(), nullptr), CMS_ContentInfo_free);
+    cms.reset(d2i_CMS_ContentInfo(nullptr, &data, long(size)), [](CMS_ContentInfo *contentInfo) {
+        CMS_ContentInfo_free(contentInfo);
+        ERR_clear_error();
+    });
     if(!cms || OBJ_obj2nid(CMS_get0_eContentType(cms.get())) != NID_id_smime_ct_TSTInfo)
         cms.reset();
 
-    OpenSSLException(EXCEPTION_PARAMS("ignore")); //Clear errors
+    ERR_clear_error();
 #endif
 }
 

src/crypto/X509CertStore.cpp

@@ -187,7 +187,7 @@ int X509CertStore::validate(int ok, X509_STORE_CTX *ctx, const Type &type)
                 SCOPE(EVP_PKEY, pub, X509_get_pubkey(issuer.handle()));
                 if(X509_verify(x509, pub.get()) == 1)
                     return true;
-                OpenSSLException(EXCEPTION_PARAMS("ignore")); //Clear errors
+                ERR_clear_error();
                 return false;
             }))
             continue;
@@ -234,7 +234,7 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
     if(noqscd)
         return true;
 
-    const TSL::Validity *v = static_cast<const TSL::Validity*>(X509_STORE_CTX_get_ex_data(csc.get(), 0));
+    const auto *v = static_cast<const TSL::Validity*>(X509_STORE_CTX_get_ex_data(csc.get(), 0));
     const vector<string> policies = cert.certificatePolicies();
     const vector<string> qcstatement = cert.qcStatements();
     const vector<X509Cert::KeyUsage> keyUsage = cert.keyUsage();

vcpkg.json

@@ -8,7 +8,7 @@
     "features": {
       "tests": { "description": "Build tests", "dependencies": ["boost-test"] }
     },
-    "builtin-baseline": "5787cfa699a75805ef41938ec66bc7492714d290",
+    "builtin-baseline": "2f6176ce98fee807a207dc9e8fec213f111c291b",
     "vcpkg-configuration": {
         "overlay-triplets": ["./patches/vcpkg-triplets"],
         "overlay-ports": [