Skip to content

Commit 36c4e54

Browse files
committed
Update libs
* OpenSSL to 3.5.7 * xmlsec to 1.3.12 * fix build with OpenSSL 4.0 IB-8991 Signed-off-by: Raul Metsma <raul@metsma.ee>
1 parent 26a8ad3 commit 36c4e54

10 files changed

Lines changed: 40 additions & 35 deletions

File tree

.github/workflows/build.yml

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -112,8 +112,6 @@ jobs:
112112
export VCPKG_ROOT=$VCPKG_INSTALLATION_ROOT
113113
export ANDROID_NDK_HOME=$ANDROID_NDK_LATEST_HOME
114114
export ANDROID_NDK_ROOT=$ANDROID_NDK_LATEST_HOME
115-
git -C $VCPKG_INSTALLATION_ROOT fetch origin f77737496dabd44c63ecc599dc0f4d6cff30d0d5
116-
git -C $VCPKG_INSTALLATION_ROOT reset --hard f77737496dabd44c63ecc599dc0f4d6cff30d0d5
117115
cmake --preset ${{ matrix.target }} "-GUnix Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo
118116
cmake --build --preset ${{ matrix.target }}
119117
cmake --build --preset ${{ matrix.target }} --target install/strip
@@ -130,7 +128,7 @@ jobs:
130128
container: fedora:${{ matrix.container }}
131129
strategy:
132130
matrix:
133-
container: [43, 44]
131+
container: [43, 44, rawhide]
134132
steps:
135133
- name: Install Deps
136134
run: |
@@ -349,6 +347,7 @@ jobs:
349347
uses: github/codeql-action/init@v4
350348
with:
351349
languages: cpp
350+
build-mode: none
352351
queries: +security-and-quality
353352
- name: Build
354353
run: |

prepare_osx_build_environment.sh

Lines changed: 4 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
#!/bin/sh
22
set -e
33

4-
OPENSSL_DIR=openssl-3.5.6
5-
XMLSEC_DIR=xmlsec1-1.3.11
4+
OPENSSL_DIR=openssl-3.5.7
5+
XMLSEC_DIR=xmlsec1-1.3.12
66

77
case "$@" in
88
*android*|*iphone*|*simulator*)
@@ -26,7 +26,7 @@ function xmlsec {
2626
rm -rf ${XMLSEC_DIR}
2727
tar xf ${XMLSEC_DIR}.tar.gz
2828
cd ${XMLSEC_DIR}
29-
patch -Np1 -i ../xmlsec1-1.3.10.legacy.patch
29+
patch -Np1 -i ../xmlsec1-1.3.12.legacy.patch
3030
sed -i '' 's/XMLSEC_VERSION_INFO=.*/XMLSEC_VERSION_INFO="1:0:0"/' configure
3131
./configure CFLAGS="-arch ${ARCHS// / -arch }" --prefix=${TARGET_PATH} --disable-static --enable-shared \
3232
--disable-dependency-tracking \
@@ -36,9 +36,7 @@ function xmlsec {
3636
--without-gcrypt \
3737
--without-nss \
3838
--with-openssl=${TARGET_PATH} \
39-
--disable-apps \
40-
--disable-docs \
41-
--disable-mans
39+
--disable-apps
4240
make -s
4341
sudo make install
4442
cd -

src/crypto/Digest.cpp

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,8 @@ vector<unsigned char> Digest::digestInfoDigest(const std::vector<unsigned char>
5454
return {};
5555
const ASN1_OCTET_STRING *value {};
5656
X509_SIG_get0(sig.get(), nullptr, &value);
57-
return { value->data, std::next(value->data, value->length) };
57+
const unsigned char *data = ASN1_STRING_get0_data(value);
58+
return { data, std::next(data, ASN1_STRING_length(value)) };
5859
}
5960

6061
string Digest::digestInfoUri(const std::vector<unsigned char> &digest)

src/crypto/OCSP.cpp

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -153,9 +153,10 @@ bool OCSP::compareResponderCert(const X509Cert &cert) const
153153
if(hash)
154154
{
155155
std::array<unsigned char,SHA_DIGEST_LENGTH> sha1{};
156-
ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert.handle());
157-
SHA1(key->data, size_t(key->length), sha1.data());
158-
if(!equal(sha1.cbegin(), sha1.cend(), hash->data, std::next(hash->data, hash->length)))
156+
auto *key = X509_get0_pubkey_bitstr(cert.handle());
157+
SHA1(ASN1_STRING_get0_data(key), size_t(ASN1_STRING_length(key)), sha1.data());
158+
const unsigned char *data = ASN1_STRING_get0_data(hash);
159+
if(!equal(sha1.cbegin(), sha1.cend(), data, std::next(data, ASN1_STRING_length(hash))))
159160
return false;
160161
}
161162
else if(X509_NAME_cmp(X509_get_subject_name(cert.handle()), name) != 0)
@@ -277,12 +278,13 @@ vector<unsigned char> OCSP::nonce() const
277278
int resp_idx = OCSP_BASICRESP_get_ext_by_NID(basic.get(), NID_id_pkix_OCSP_Nonce, -1);
278279
if(resp_idx < 0)
279280
return nonce;
280-
X509_EXTENSION *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx);
281+
auto *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx);
281282
if(!ext)
282283
return nonce;
283284

284-
ASN1_OCTET_STRING *value = X509_EXTENSION_get_data(ext);
285-
nonce.assign(value->data, std::next(value->data, value->length));
285+
auto *value = X509_EXTENSION_get_data(ext);
286+
const unsigned char *data = ASN1_STRING_get0_data(value);
287+
nonce.assign(data, std::next(data, ASN1_STRING_length(value)));
286288
//OpenSSL OCSP created messages NID_id_pkix_OCSP_Nonce field is DER encoded twice, not a problem with java impl
287289
//XXX: UglyHackTM check if nonceAsn1 contains ASN1_OCTET_STRING
288290
//XXX: if first 2 bytes seem to be beginning of DER ASN1_OCTET_STRING then remove them

src/crypto/TS.cpp

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,7 @@
3636
#include <openssl/ts.h>
3737

3838
#include <algorithm>
39+
#include <array>
3940

4041
using namespace digidoc;
4142
using namespace std;
@@ -86,10 +87,11 @@ TS::TS(const Digest &digest, const std::string &userAgent)
8687
}
8788
#endif
8889

90+
std::array<unsigned char, 20> nonce_bytes{};
91+
for(; nonce_bytes[0] == 0;) // Make sure that first byte is not 0x00
92+
RAND_bytes(nonce_bytes.data(), nonce_bytes.size());
8993
auto nonce = make_unique_ptr<ASN1_INTEGER_free>(ASN1_INTEGER_new());
90-
ASN1_STRING_set(nonce.get(), nullptr, 20);
91-
for(nonce->data[0] = 0; nonce->data[0] == 0;) // Make sure that first byte is not 0x00
92-
RAND_bytes(nonce->data, nonce->length);
94+
ASN1_STRING_set(nonce.get(), nonce_bytes.data(), nonce_bytes.size());
9395
TS_REQ_set_nonce(req.get(), nonce.get());
9496

9597
Connect::Result result = Connect(CONF(TSUrl), "POST", 0, CONF(TSCerts), userAgent).exec({

src/crypto/X509Cert.cpp

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -424,7 +424,7 @@ vector<string> X509Cert::qcStatements() const
424424
int pos = X509_get_ext_by_NID(cert.get(), NID_qcStatements, -1);
425425
if(pos == -1)
426426
return result;
427-
X509_EXTENSION *ext = X509_get_ext(cert.get(), pos);
427+
auto *ext = X509_get_ext(cert.get(), pos);
428428
auto qc = make_unique_cast<QCStatements_free>(ASN1_item_unpack(X509_EXTENSION_get_data(ext), ASN1_ITEM_rptr(QCStatements)));
429429
if(!qc)
430430
return result;
@@ -492,15 +492,15 @@ string X509Cert::toString(const string &obj) const
492492
string str;
493493
if(!cert)
494494
return str;
495-
X509_NAME* name = Func(cert.get());
495+
auto *name = Func(cert.get());
496496
if(!name)
497497
THROW_OPENSSLEXCEPTION("Failed to convert X.509 certificate name");
498498

499499
if(!obj.empty())
500500
{
501501
for(int i = 0; i < X509_NAME_entry_count(name); ++i)
502502
{
503-
X509_NAME_ENTRY *e = X509_NAME_get_entry(name, i);
503+
auto *e = X509_NAME_get_entry(name, i);
504504
if(obj != OBJ_nid2sn(OBJ_obj2nid(X509_NAME_ENTRY_get_object(e))))
505505
continue;
506506

src/crypto/X509CertStore.cpp

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -119,7 +119,10 @@ X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert)
119119
if(ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(aia.get(), i);
120120
ad->location->type == GEN_URI &&
121121
OBJ_obj2nid(ad->method) == NID_ad_ca_issuers)
122-
url.assign((const char*)ad->location->d.uniformResourceIdentifier->data, ad->location->d.uniformResourceIdentifier->length);
122+
{
123+
const unsigned char *data = ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier);
124+
url.assign((const char*)data, ASN1_STRING_length(ad->location->d.uniformResourceIdentifier));
125+
}
123126
}
124127
if(url.empty())
125128
return X509Cert();

src/crypto/X509Crypto.cpp

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -157,7 +157,7 @@ int X509Crypto::compareIssuerToString(string_view name) const
157157
bool found = false;
158158
for(int i = 0; i < X509_NAME_entry_count(issuer); ++i)
159159
{
160-
X509_NAME_ENTRY *entb = X509_NAME_get_entry(issuer, i);
160+
auto *entb = X509_NAME_get_entry(issuer, i);
161161
if(OBJ_cmp(obja.get(), X509_NAME_ENTRY_get_object(entb)) != 0)
162162
continue;
163163

vcpkg.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,15 +15,15 @@
1515
"features": {
1616
"tests": { "description": "Build tests", "dependencies": ["boost-test"] }
1717
},
18-
"builtin-baseline": "f77737496dabd44c63ecc599dc0f4d6cff30d0d5",
18+
"builtin-baseline": "67b5ee32c608c87971eed243d4bff140568ebe53",
1919
"vcpkg-configuration": {
2020
"overlay-triplets": ["./vcpkg-triplets"],
2121
"registries": [
2222
{
2323
"kind": "git",
2424
"repository": "https://github.com/open-eid/vcpkg-ports",
2525
"reference": "vcpkg-registry",
26-
"baseline": "e841c32c534b9db3130a824992f4bacd79fae1bc",
26+
"baseline": "408ae35659d383cf5563a8d9ea943a81bba5c008",
2727
"packages": ["openssl", "xmlsec"]
2828
}
2929
]
Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,15 @@
1-
--- a/src/openssl/signatures.c 2026-04-20 08:56:41
2-
+++ b/src/openssl/signatures.c 2026-04-20 08:56:41
3-
@@ -38,6 +38,8 @@
1+
--- a/src/openssl/signatures.c
2+
+++ b/src/openssl/signatures.c
3+
@@ -35,6 +35,8 @@
44
#endif /* XMLSEC_OPENSSL_API_300 */
5-
5+
66
#include "../cast_helpers.h"
77
+#include <openssl/x509.h>
88
+
99
#include "../transform_helpers.h"
1010
#include "openssl_compat.h"
11-
12-
@@ -1068,7 +1070,11 @@
11+
#include "private.h"
12+
@@ -1066,7 +1068,11 @@
1313
goto error;
1414
}
1515
} else {
@@ -22,10 +22,10 @@
2222
if(ret <= 0) {
2323
xmlSecOpenSSLError2("EVP_PKEY_verify_init", xmlSecTransformGetName(transform),
2424
"ret=%d", ret);
25-
@@ -1076,11 +1082,13 @@
25+
@@ -1074,11 +1080,13 @@
2626
}
2727
}
28-
28+
2929
- ret = EVP_PKEY_CTX_set_signature_md(pKeyCtx, ctx->digest);
3030
- if(ret <= 0) {
3131
- xmlSecOpenSSLError2("EVP_PKEY_CTX_set_signature_md", xmlSecTransformGetName(transform),
@@ -101,5 +101,5 @@
101101
+ X509_SIG_free(sig);
102102
+ }
103103
break;
104-
104+
105105
case xmlSecOpenSSLEvpSignatureFormat_Dsa:

0 commit comments

Comments
 (0)