From 8f21b806c7e7fec551f961b774ed66e653971f6e Mon Sep 17 00:00:00 2001 From: Raul Metsma Date: Thu, 11 Jun 2026 13:08:44 +0300 Subject: [PATCH] Update OpenSSL to 3.5.7 and fix build with OpenSSL 4.0 IB-8991 Signed-off-by: Raul Metsma --- .github/workflows/build.yml | 3 ++- prepare_osx_build_environment.sh | 2 +- src/crypto/Digest.cpp | 3 ++- src/crypto/OCSP.cpp | 14 ++++++++------ src/crypto/TS.cpp | 8 +++++--- src/crypto/X509Cert.cpp | 6 +++--- src/crypto/X509CertStore.cpp | 5 ++++- src/crypto/X509Crypto.cpp | 2 +- vcpkg.json | 4 ++-- 9 files changed, 28 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 32eff4258..8f5c8c1cd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -130,7 +130,7 @@ jobs: container: fedora:${{ matrix.container }} strategy: matrix: - container: [43, 44] + container: [43, 44, rawhide] steps: - name: Install Deps run: | @@ -349,6 +349,7 @@ jobs: uses: github/codeql-action/init@v4 with: languages: cpp + build-mode: none queries: +security-and-quality - name: Build run: | diff --git a/prepare_osx_build_environment.sh b/prepare_osx_build_environment.sh index 3bed0040f..4bccd878b 100755 --- a/prepare_osx_build_environment.sh +++ b/prepare_osx_build_environment.sh @@ -1,7 +1,7 @@ #!/bin/sh set -e -OPENSSL_DIR=openssl-3.5.6 +OPENSSL_DIR=openssl-3.5.7 XMLSEC_DIR=xmlsec1-1.3.11 case "$@" in diff --git a/src/crypto/Digest.cpp b/src/crypto/Digest.cpp index 4a61d6dff..60d216e31 100644 --- a/src/crypto/Digest.cpp +++ b/src/crypto/Digest.cpp @@ -54,7 +54,8 @@ vector Digest::digestInfoDigest(const std::vector return {}; const ASN1_OCTET_STRING *value {}; X509_SIG_get0(sig.get(), nullptr, &value); - return { value->data, std::next(value->data, value->length) }; + const unsigned char *data = ASN1_STRING_get0_data(value); + return { data, std::next(data, ASN1_STRING_length(value)) }; } string Digest::digestInfoUri(const std::vector &digest) diff --git a/src/crypto/OCSP.cpp b/src/crypto/OCSP.cpp index b2a32805c..0859b9a73 100644 --- a/src/crypto/OCSP.cpp +++ b/src/crypto/OCSP.cpp @@ -153,9 +153,10 @@ bool OCSP::compareResponderCert(const X509Cert &cert) const if(hash) { std::array sha1{}; - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert.handle()); - SHA1(key->data, size_t(key->length), sha1.data()); - if(!equal(sha1.cbegin(), sha1.cend(), hash->data, std::next(hash->data, hash->length))) + auto *key = X509_get0_pubkey_bitstr(cert.handle()); + SHA1(ASN1_STRING_get0_data(key), size_t(ASN1_STRING_length(key)), sha1.data()); + const unsigned char *data = ASN1_STRING_get0_data(hash); + if(!equal(sha1.cbegin(), sha1.cend(), data, std::next(data, ASN1_STRING_length(hash)))) return false; } else if(X509_NAME_cmp(X509_get_subject_name(cert.handle()), name) != 0) @@ -277,12 +278,13 @@ vector OCSP::nonce() const int resp_idx = OCSP_BASICRESP_get_ext_by_NID(basic.get(), NID_id_pkix_OCSP_Nonce, -1); if(resp_idx < 0) return nonce; - X509_EXTENSION *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx); + auto *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx); if(!ext) return nonce; - ASN1_OCTET_STRING *value = X509_EXTENSION_get_data(ext); - nonce.assign(value->data, std::next(value->data, value->length)); + auto *value = X509_EXTENSION_get_data(ext); + const unsigned char *data = ASN1_STRING_get0_data(value); + nonce.assign(data, std::next(data, ASN1_STRING_length(value))); //OpenSSL OCSP created messages NID_id_pkix_OCSP_Nonce field is DER encoded twice, not a problem with java impl //XXX: UglyHackTM check if nonceAsn1 contains ASN1_OCTET_STRING //XXX: if first 2 bytes seem to be beginning of DER ASN1_OCTET_STRING then remove them diff --git a/src/crypto/TS.cpp b/src/crypto/TS.cpp index d96dfc91c..ba7c3e36a 100644 --- a/src/crypto/TS.cpp +++ b/src/crypto/TS.cpp @@ -36,6 +36,7 @@ #include #include +#include using namespace digidoc; using namespace std; @@ -86,10 +87,11 @@ TS::TS(const Digest &digest, const std::string &userAgent) } #endif + std::array nonce_bytes{}; + for(; nonce_bytes[0] == 0;) // Make sure that first byte is not 0x00 + RAND_bytes(nonce_bytes.data(), nonce_bytes.size()); auto nonce = make_unique_ptr(ASN1_INTEGER_new()); - ASN1_STRING_set(nonce.get(), nullptr, 20); - for(nonce->data[0] = 0; nonce->data[0] == 0;) // Make sure that first byte is not 0x00 - RAND_bytes(nonce->data, nonce->length); + ASN1_STRING_set(nonce.get(), nonce_bytes.data(), nonce_bytes.size()); TS_REQ_set_nonce(req.get(), nonce.get()); Connect::Result result = Connect(CONF(TSUrl), "POST", 0, CONF(TSCerts), userAgent).exec({ diff --git a/src/crypto/X509Cert.cpp b/src/crypto/X509Cert.cpp index f8c47b45d..fa5b528e5 100644 --- a/src/crypto/X509Cert.cpp +++ b/src/crypto/X509Cert.cpp @@ -424,7 +424,7 @@ vector X509Cert::qcStatements() const int pos = X509_get_ext_by_NID(cert.get(), NID_qcStatements, -1); if(pos == -1) return result; - X509_EXTENSION *ext = X509_get_ext(cert.get(), pos); + auto *ext = X509_get_ext(cert.get(), pos); auto qc = make_unique_cast(ASN1_item_unpack(X509_EXTENSION_get_data(ext), ASN1_ITEM_rptr(QCStatements))); if(!qc) return result; @@ -492,7 +492,7 @@ string X509Cert::toString(const string &obj) const string str; if(!cert) return str; - X509_NAME* name = Func(cert.get()); + auto *name = Func(cert.get()); if(!name) THROW_OPENSSLEXCEPTION("Failed to convert X.509 certificate name"); @@ -500,7 +500,7 @@ string X509Cert::toString(const string &obj) const { for(int i = 0; i < X509_NAME_entry_count(name); ++i) { - X509_NAME_ENTRY *e = X509_NAME_get_entry(name, i); + auto *e = X509_NAME_get_entry(name, i); if(obj != OBJ_nid2sn(OBJ_obj2nid(X509_NAME_ENTRY_get_object(e)))) continue; diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp index fba1ffef8..684882fbf 100644 --- a/src/crypto/X509CertStore.cpp +++ b/src/crypto/X509CertStore.cpp @@ -119,7 +119,10 @@ X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert) if(ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(aia.get(), i); ad->location->type == GEN_URI && OBJ_obj2nid(ad->method) == NID_ad_ca_issuers) - url.assign((const char*)ad->location->d.uniformResourceIdentifier->data, ad->location->d.uniformResourceIdentifier->length); + { + const unsigned char *data = ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier); + url.assign((const char*)data, ASN1_STRING_length(ad->location->d.uniformResourceIdentifier)); + } } if(url.empty()) return X509Cert(); diff --git a/src/crypto/X509Crypto.cpp b/src/crypto/X509Crypto.cpp index 7ee9937e1..105e4160d 100644 --- a/src/crypto/X509Crypto.cpp +++ b/src/crypto/X509Crypto.cpp @@ -157,7 +157,7 @@ int X509Crypto::compareIssuerToString(string_view name) const bool found = false; for(int i = 0; i < X509_NAME_entry_count(issuer); ++i) { - X509_NAME_ENTRY *entb = X509_NAME_get_entry(issuer, i); + auto *entb = X509_NAME_get_entry(issuer, i); if(OBJ_cmp(obja.get(), X509_NAME_ENTRY_get_object(entb)) != 0) continue; diff --git a/vcpkg.json b/vcpkg.json index 16058a75c..ab366c1ed 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -15,7 +15,7 @@ "features": { "tests": { "description": "Build tests", "dependencies": ["boost-test"] } }, - "builtin-baseline": "f77737496dabd44c63ecc599dc0f4d6cff30d0d5", + "builtin-baseline": "7849750896c86bd7a4a02ed760812dba321a4a9b", "vcpkg-configuration": { "overlay-triplets": ["./vcpkg-triplets"], "registries": [ @@ -23,7 +23,7 @@ "kind": "git", "repository": "https://github.com/open-eid/vcpkg-ports", "reference": "vcpkg-registry", - "baseline": "e841c32c534b9db3130a824992f4bacd79fae1bc", + "baseline": "230d98d5832f3bacd75e5af79adf34587d02846b", "packages": ["openssl", "xmlsec"] } ]