Update OpenSSL to 3.5.7 and fix build with OpenSSL 4.0

.github/workflows/build.yml

@@ -130,7 +130,7 @@ jobs:
     container: fedora:${{ matrix.container }}
     strategy:
       matrix:
-        container: [43, 44]
+        container: [43, 44, rawhide]
     steps:
     - name: Install Deps
       run: |
@@ -349,6 +349,7 @@ jobs:
       uses: github/codeql-action/init@v4
       with:
         languages: cpp
+        build-mode: none
         queries: +security-and-quality
     - name: Build
       run: |

prepare_osx_build_environment.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-OPENSSL_DIR=openssl-3.5.6
+OPENSSL_DIR=openssl-3.5.7
 XMLSEC_DIR=xmlsec1-1.3.11
 
 case "$@" in

src/crypto/Digest.cpp

@@ -54,7 +54,8 @@ vector<unsigned char> Digest::digestInfoDigest(const std::vector<unsigned char>
         return {};
     const ASN1_OCTET_STRING *value {};
     X509_SIG_get0(sig.get(), nullptr, &value);
-    return { value->data, std::next(value->data, value->length) };
+    const unsigned char *data = ASN1_STRING_get0_data(value);
+    return { data, std::next(data, ASN1_STRING_length(value)) };
 }
 
 string Digest::digestInfoUri(const std::vector<unsigned char> &digest)

src/crypto/OCSP.cpp

@@ -153,9 +153,10 @@ bool OCSP::compareResponderCert(const X509Cert &cert) const
     if(hash)
     {
         std::array<unsigned char,SHA_DIGEST_LENGTH> sha1{};
-        ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert.handle());
-        SHA1(key->data, size_t(key->length), sha1.data());
-        if(!equal(sha1.cbegin(), sha1.cend(), hash->data, std::next(hash->data, hash->length)))
+        auto *key = X509_get0_pubkey_bitstr(cert.handle());
+        SHA1(ASN1_STRING_get0_data(key), size_t(ASN1_STRING_length(key)), sha1.data());
+        const unsigned char *data = ASN1_STRING_get0_data(hash);
+        if(!equal(sha1.cbegin(), sha1.cend(), data, std::next(data, ASN1_STRING_length(hash))))
             return false;
     }
     else if(X509_NAME_cmp(X509_get_subject_name(cert.handle()), name) != 0)
@@ -277,12 +278,13 @@ vector<unsigned char> OCSP::nonce() const
     int resp_idx = OCSP_BASICRESP_get_ext_by_NID(basic.get(), NID_id_pkix_OCSP_Nonce, -1);
     if(resp_idx < 0)
         return nonce;
-    X509_EXTENSION *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx);
+    auto *ext = OCSP_BASICRESP_get_ext(basic.get(), resp_idx);
     if(!ext)
         return nonce;
 
-    ASN1_OCTET_STRING *value = X509_EXTENSION_get_data(ext);
-    nonce.assign(value->data, std::next(value->data, value->length));
+    auto *value = X509_EXTENSION_get_data(ext);
+    const unsigned char *data = ASN1_STRING_get0_data(value);
+    nonce.assign(data, std::next(data, ASN1_STRING_length(value)));
     //OpenSSL OCSP created messages NID_id_pkix_OCSP_Nonce field is DER encoded twice, not a problem with java impl
     //XXX: UglyHackTM check if nonceAsn1 contains ASN1_OCTET_STRING
     //XXX: if first 2 bytes seem to be beginning of DER ASN1_OCTET_STRING then remove them

src/crypto/TS.cpp

@@ -36,6 +36,7 @@
 #include <openssl/ts.h>
 
 #include <algorithm>
+#include <array>
 
 using namespace digidoc;
 using namespace std;
@@ -86,10 +87,11 @@ TS::TS(const Digest &digest, const std::string &userAgent)
     }
 #endif
 
+    std::array<unsigned char, 20> nonce_bytes{};
+    for(; nonce_bytes[0] == 0;) // Make sure that first byte is not 0x00
+        RAND_bytes(nonce_bytes.data(), nonce_bytes.size());
     auto nonce = make_unique_ptr<ASN1_INTEGER_free>(ASN1_INTEGER_new());
-    ASN1_STRING_set(nonce.get(), nullptr, 20);
-    for(nonce->data[0] = 0; nonce->data[0] == 0;) // Make sure that first byte is not 0x00
-        RAND_bytes(nonce->data, nonce->length);
+    ASN1_STRING_set(nonce.get(), nonce_bytes.data(), nonce_bytes.size());
     TS_REQ_set_nonce(req.get(), nonce.get());
 
     Connect::Result result = Connect(CONF(TSUrl), "POST", 0, CONF(TSCerts), userAgent).exec({

src/crypto/X509Cert.cpp

@@ -424,7 +424,7 @@ vector<string> X509Cert::qcStatements() const
     int pos = X509_get_ext_by_NID(cert.get(), NID_qcStatements, -1);
     if(pos == -1)
         return result;
-    X509_EXTENSION *ext = X509_get_ext(cert.get(), pos);
+    auto *ext = X509_get_ext(cert.get(), pos);
     auto qc = make_unique_cast<QCStatements_free>(ASN1_item_unpack(X509_EXTENSION_get_data(ext), ASN1_ITEM_rptr(QCStatements)));
     if(!qc)
         return result;
@@ -492,15 +492,15 @@ string X509Cert::toString(const string &obj) const
     string str;
     if(!cert)
         return str;
-    X509_NAME* name = Func(cert.get());
+    auto *name = Func(cert.get());
     if(!name)
         THROW_OPENSSLEXCEPTION("Failed to convert X.509 certificate name");
 
     if(!obj.empty())
     {
         for(int i = 0; i < X509_NAME_entry_count(name); ++i)
         {
-            X509_NAME_ENTRY *e = X509_NAME_get_entry(name, i);
+            auto *e = X509_NAME_get_entry(name, i);
             if(obj != OBJ_nid2sn(OBJ_obj2nid(X509_NAME_ENTRY_get_object(e))))
                 continue;
 

src/crypto/X509CertStore.cpp

@@ -119,7 +119,10 @@ X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert)
         if(ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(aia.get(), i);
             ad->location->type == GEN_URI &&
             OBJ_obj2nid(ad->method) == NID_ad_ca_issuers)
-            url.assign((const char*)ad->location->d.uniformResourceIdentifier->data, ad->location->d.uniformResourceIdentifier->length);
+        {
+            const unsigned char *data = ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier);
+            url.assign((const char*)data, ASN1_STRING_length(ad->location->d.uniformResourceIdentifier));
+        }
     }
     if(url.empty())
         return X509Cert();

src/crypto/X509Crypto.cpp

@@ -157,7 +157,7 @@ int X509Crypto::compareIssuerToString(string_view name) const
         bool found = false;
         for(int i = 0; i < X509_NAME_entry_count(issuer); ++i)
         {
-            X509_NAME_ENTRY *entb = X509_NAME_get_entry(issuer, i);
+            auto *entb = X509_NAME_get_entry(issuer, i);
             if(OBJ_cmp(obja.get(), X509_NAME_ENTRY_get_object(entb)) != 0)
                 continue;
 

vcpkg.json

@@ -15,15 +15,15 @@
     "features": {
       "tests": { "description": "Build tests", "dependencies": ["boost-test"] }
     },
-    "builtin-baseline": "f77737496dabd44c63ecc599dc0f4d6cff30d0d5",
+    "builtin-baseline": "7849750896c86bd7a4a02ed760812dba321a4a9b",
     "vcpkg-configuration": {
       "overlay-triplets": ["./vcpkg-triplets"],
       "registries": [
         {
           "kind": "git",
           "repository": "https://github.com/open-eid/vcpkg-ports",
           "reference": "vcpkg-registry",
-          "baseline": "e841c32c534b9db3130a824992f4bacd79fae1bc",
+          "baseline": "230d98d5832f3bacd75e5af79adf34587d02846b",
           "packages": ["openssl", "xmlsec"]
         }
       ]