This is an automated email from the ASF dual-hosted git repository. fgerlits pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git
commit 1f93c33b68203bee44a29e02951ed01ffc78bdda Author: Gabor Gyimesi <[email protected]> AuthorDate: Thu Jan 13 17:50:47 2022 +0100 MINIFICPP-1719 Replace LibreSSL with OpenSSL 3.1.1 Also added patch to backport OpenSSL#20305 to fix OpenSSL#20753 Co-authored-by: Adam Debreceni <[email protected]> Signed-off-by: Ferenc Gerlits <[email protected]> This closes #1583 --- .github/workflows/ci.yml | 2 + CMakeLists.txt | 6 +- LICENSE | 126 +---- NOTICE | 3 +- README.md | 8 +- aptitude.sh | 2 + arch.sh | 2 + bootstrap.sh | 5 +- bstrp_functions.sh | 2 + centos.sh | 2 + cmake/BundledAwsSdkCpp.cmake | 4 +- cmake/BundledLibSSH2.cmake | 4 +- cmake/BundledLibreSSL.cmake | 107 ---- cmake/BundledOpenSSL.cmake | 137 +++++ cmake/CivetWeb.cmake | 4 + cmake/GoogleCloudCpp.cmake | 7 + cmake/KubernetesClientC.cmake | 22 +- cmake/Zstd.cmake | 1 + cmake/ssl/FindOpenSSL.cmake | 4 +- darwin.sh | 2 + debian.sh | 2 + docker/centos/Dockerfile | 2 +- docker/fedora/Dockerfile | 2 +- docker/rockylinux/Dockerfile | 2 +- .../civetweb/tests/resources/badCA_goodClient.p12 | Bin 2413 -> 2563 bytes .../civetweb/tests/resources/badCA_goodClient.pem | 90 ++-- extensions/civetweb/tests/resources/goodCA.crt | 36 +- .../civetweb/tests/resources/goodCA_badClient.p12 | Bin 2413 -> 2563 bytes .../civetweb/tests/resources/goodCA_badClient.pem | 90 ++-- .../civetweb/tests/resources/goodCA_goodClient.p12 | Bin 2413 -> 2563 bytes .../civetweb/tests/resources/goodCA_goodClient.pem | 90 ++-- extensions/civetweb/tests/resources/server.p12 | Bin 2405 -> 2563 bytes extensions/civetweb/tests/resources/server.pem | 89 ++-- extensions/http-curl/CMakeLists.txt | 4 + extensions/http-curl/client/HTTPClient.cpp | 43 ++ extensions/kubernetes/CMakeLists.txt | 2 +- .../standard-processors/processors/HashContent.h | 36 +- .../TLSClientSocketSupportedProtocolsTest.cpp | 7 +- .../TLSServerSocketSupportedProtocolsTest.cpp | 12 +- .../tests/unit/HashContentTest.cpp | 6 +- .../tests/unit/ListenTcpTests.cpp | 2 +- fedora.sh | 2 + libminifi/include/controllers/SSLContextService.h | 9 + libminifi/include/utils/tls/ExtendedKeyUsage.h | 14 +- libminifi/src/controllers/SSLContextService.cpp | 86 +++- libminifi/src/core/state/Value.cpp | 25 +- libminifi/src/io/tls/TLSSocket.cpp | 2 +- libminifi/src/utils/net/TcpServer.cpp | 2 +- libminifi/src/utils/tls/CertificateUtils.cpp | 4 +- libminifi/src/utils/tls/ExtendedKeyUsage.cpp | 21 +- libminifi/test/SimpleSSLTestServer.h | 6 +- libminifi/test/unit/tls/TLSStreamTests.cpp | 2 +- rheldistro.sh | 2 + suse.sh | 2 + thirdparty/aws-sdk-cpp/openssl3-fix.patch | 54 ++ thirdparty/civetweb/openssl3.patch | 14 + thirdparty/libwebsockets/openssl3.patch | 118 +++++ ...arch64-feature-detection-code-in-armcap.c.patch | 560 +++++++++++++++++++++ 58 files changed, 1347 insertions(+), 541 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cdfa244d6..95fb35f49 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -93,6 +93,8 @@ jobs: python-version: '3.11' - name: Set up Lua uses: xpol/[email protected] + - name: Set up NASM for OpenSSL + uses: ilammy/setup-nasm@v1 - id: install-sqliteodbc-driver run: | Invoke-WebRequest -Uri "http://www.ch-werner.de/sqliteodbc/sqliteodbc_w64.exe"; -OutFile "sqliteodbc_w64.exe" diff --git a/CMakeLists.txt b/CMakeLists.txt index 16dfe54c0..96466f6d9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -245,10 +245,10 @@ if(NOT WIN32) use_bundled_osspuuid(${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) endif() -# OpenSSL/LibreSSL +# OpenSSL if (NOT OPENSSL_OFF) - include(BundledLibreSSL) - use_libre_ssl("${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_BINARY_DIR}") + include(BundledOpenSSL) + use_openssl("${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_BINARY_DIR}") list(APPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/cmake/ssl") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DOPENSSL_SUPPORT") diff --git a/LICENSE b/LICENSE index 9b9611fe9..dace74cfe 100644 --- a/LICENSE +++ b/LICENSE @@ -212,6 +212,7 @@ This project bundles 'C++ Client Libraries for Google Cloud Services' which is a This project bundles 'Abseil Common Libraries (C++)' which is available under an ALv2 license This product bundles 'Kubernetes Client Library for C' (kubernetes-client/c), which is available under an ALv2 license This project bundles a configuration file from 'Kubernetes Metrics Server' (kubernetes-sigs/metrics-server), which is available under an ALv2 license +This project bundles 'OpenSSL' which is available under an ALv2 license The Apache NiFi - MiNiFi C++ project contains subcomponents with separate copyright notices and license terms. Your use of the source code for the these @@ -1271,131 +1272,6 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -This product bundles 'LibreSSL' which is available under BSD-style licenses - -The OpenSSL toolkit stays under a dual license, i.e. both the conditions of - the OpenSSL License and the original SSLeay license apply to the toolkit. - See below for the actual license texts. Actually both licenses are BSD-style - Open Source licenses. In case of any license issues related to OpenSSL - please contact [email protected]. - - OpenSSL License - --------------- - -/* ==================================================================== - * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * [email protected]. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * ([email protected]). This product includes software written by Tim - * Hudson ([email protected]). - * - */ - - Original SSLeay License - ----------------------- - -/* Copyright (C) 1995-1998 Eric Young ([email protected]) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young ([email protected]). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson ([email protected]). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young ([email protected])" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson ([email protected])" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - This product bundles zlib which is available under the zlib license: (C) 1995-2017 Jean-loup Gailly and Mark Adler diff --git a/NOTICE b/NOTICE index 2417c98a0..ae7f8946c 100644 --- a/NOTICE +++ b/NOTICE @@ -1,5 +1,5 @@ Apache NiFi MiNiFi C++ -Copyright 2022 The Apache Software Foundation +Copyright 2023 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). @@ -73,6 +73,7 @@ This software includes third party software subject to the following copyrights: - prometheus-cpp - Copyright (c) 2016-2021 Jupp Mueller, Copyright (c) 2017-2022 Gregor Jasny - Zstandard - Copyright (c) 2016-present, Facebook, Inc. All rights reserved. - LZ4 Library - Copyright (c) 2011-2020, Yann Collet +- OpenSSL - Copyright (c) 1998-2022 The OpenSSL Project, Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved. The licenses for these third party components are included in LICENSE.txt diff --git a/README.md b/README.md index ebc3d6713..a0518995c 100644 --- a/README.md +++ b/README.md @@ -125,7 +125,7 @@ Through JNI extensions you can run NiFi processors using NARs. The JNI extension ##### External Projects The following utilities are needed to build external projects, when bundled -versions of LibreSSL, cURL, or zlib are used: +versions of OpenSSL, cURL, or zlib are used: * patch * autoconf @@ -151,6 +151,10 @@ and rebuild. * Lua and development headers -- Required if Lua support is enabled * libgps-dev -- Required if building libGPS support * Zlib headers +* perl -- Required for OpenSSL configuration +* NASM -- Required for OpenSSL only on Windows + +**NOTE** On Windows if Strawberry Perl is used the `${StrawberryPerlRoot}\c\bin` directory should not be part of the %PATH% variable or make sure to find git's patch executable before that as Strawberry Perl's patch.exe will be found as the patch executable in the configure phase instead of the git patch executable. Also on Windows CMake's CPack is used for MSI generation, building WIX files and calling WIX toolset tools to create an MSI. If Chocolatey package manager is used its CPack c [...] #### CentOS 7 @@ -181,7 +185,7 @@ On all distributions please use -DUSE_SHARED_LIBS=OFF to statically link zlib, l * libuuid * librocksdb (built and statically linked) * libcurl-openssl (If not available or desired, NSS will be used) -* libssl and libcrypto from libressl (built and statically linked) +* libssl and libcrypto from openssl (built and statically linked) * libarchive (built and statically linked) * librdkafka (built and statically linked) * Python 3 -- Required if Python support is enabled diff --git a/aptitude.sh b/aptitude.sh index babe25bb0..77a3d34d9 100644 --- a/aptitude.sh +++ b/aptitude.sh @@ -102,6 +102,8 @@ build_deps(){ INSTALLED+=("liblzma-dev") elif [ "$FOUND_VALUE" = "boost" ]; then INSTALLED+=("libboost-dev") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/arch.sh b/arch.sh index 05e536564..e593ccc25 100644 --- a/arch.sh +++ b/arch.sh @@ -80,6 +80,8 @@ build_deps(){ INSTALLED+=("tensorflow") elif [ "$FOUND_VALUE" = "boost" ]; then INSTALLED+=("boost") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/bootstrap.sh b/bootstrap.sh index b524f5ccc..5d04ef878 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -343,6 +343,9 @@ add_option PROCFS_ENABLED ${TRUE} "ENABLE_PROCFS" add_option PROMETHEUS_ENABLED ${FALSE} "ENABLE_PROMETHEUS" +add_option OPENSSL_ENABLED ${TRUE} "OPENSSL_OFF" +add_dependency OPENSSL_ENABLED "opensslbuild" + USE_SHARED_LIBS=${TRUE} ASAN_ENABLED=${FALSE} FAIL_ON_WARNINGS=${FALSE} @@ -445,7 +448,7 @@ build_cmake_command(){ if [ "$FOUND" = "1" ]; then set_value=OFF option_value="${!option}" - if { [[ "$option_value" = "${FALSE}" ]] && [[ "$FOUND_VALUE" == "DISABLE"* ]]; } || \ + if { [[ "$option_value" = "${FALSE}" ]] && { [[ "$FOUND_VALUE" == "DISABLE"* ]] || [[ "$FOUND_VALUE" == *"OFF" ]]; }; } || \ { [[ "$option_value" = "${TRUE}" ]] && [[ "$FOUND_VALUE" == "ENABLE"* ]]; }; then set_value=ON fi diff --git a/bstrp_functions.sh b/bstrp_functions.sh index a9e0f07f9..cb87e5eff 100755 --- a/bstrp_functions.sh +++ b/bstrp_functions.sh @@ -400,6 +400,7 @@ show_supported_features() { echo "5. Build Profile ...............$(print_multi_option_status BUILD_PROFILE)" echo "6. Create ASAN build ...........$(print_feature_status ASAN_ENABLED)" echo "7. Treat warnings as errors.....$(print_feature_status FAIL_ON_WARNINGS)" + echo "8. Enable OpenSSL...............$(print_feature_status OPENSSL_ENABLED)" echo "P. Continue with these options" if [ "$GUIDED_INSTALL" = "${TRUE}" ]; then echo "R. Return to Main Menu" @@ -452,6 +453,7 @@ read_feature_options(){ 5) ToggleMultiOption BUILD_PROFILE;; 6) ToggleFeature ASAN_ENABLED;; 7) ToggleFeature FAIL_ON_WARNINGS;; + 8) ToggleFeature OPENSSL_ENABLED;; p) export FEATURES_SELECTED="true" ;; r) if [ "$GUIDED_INSTALL" = "${TRUE}" ]; then export MENU="main" diff --git a/centos.sh b/centos.sh index 70af06ca8..1649c775a 100644 --- a/centos.sh +++ b/centos.sh @@ -118,6 +118,8 @@ build_deps() { INSTALLED+=("libssh2-devel") elif [ "$FOUND_VALUE" = "boost" ]; then INSTALLED+=("boost-devel") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/cmake/BundledAwsSdkCpp.cmake b/cmake/BundledAwsSdkCpp.cmake index 67c028533..75a326ee2 100644 --- a/cmake/BundledAwsSdkCpp.cmake +++ b/cmake/BundledAwsSdkCpp.cmake @@ -20,11 +20,13 @@ function(use_bundled_libaws SOURCE_DIR BINARY_DIR) set(PATCH_FILE2 "${SOURCE_DIR}/thirdparty/aws-sdk-cpp/dll-export-injection.patch") set(PATCH_FILE3 "${SOURCE_DIR}/thirdparty/aws-sdk-cpp/shutdown-fix.patch") set(PATCH_FILE4 "${SOURCE_DIR}/thirdparty/aws-sdk-cpp/bundle-openssl.patch") + set(PATCH_FILE5 "${SOURCE_DIR}/thirdparty/aws-sdk-cpp/openssl3-fix.patch") set(AWS_SDK_CPP_PATCH_COMMAND ${Bash_EXECUTABLE} -c "set -x &&\ (\"${Patch_EXECUTABLE}\" -p1 -R -s -f --dry-run -i \"${PATCH_FILE1}\" || \"${Patch_EXECUTABLE}\" -p1 -N -i \"${PATCH_FILE1}\") &&\ (\"${Patch_EXECUTABLE}\" -p1 -R -s -f --dry-run -i \"${PATCH_FILE2}\" || \"${Patch_EXECUTABLE}\" -p1 -N -i \"${PATCH_FILE2}\") &&\ (\"${Patch_EXECUTABLE}\" -p1 -R -s -f --dry-run -i \"${PATCH_FILE3}\" || \"${Patch_EXECUTABLE}\" -p1 -N -i \"${PATCH_FILE3}\") &&\ - (\"${Patch_EXECUTABLE}\" -p1 -R -s -f --dry-run -i \"${PATCH_FILE4}\" || \"${Patch_EXECUTABLE}\" -p1 -N -i \"${PATCH_FILE4}\") ") + (\"${Patch_EXECUTABLE}\" -p1 -R -s -f --dry-run -i \"${PATCH_FILE4}\" || \"${Patch_EXECUTABLE}\" -p1 -N -i \"${PATCH_FILE4}\") &&\ + (\"${Patch_EXECUTABLE}\" -p1 -R -s -f --dry-run -i \"${PATCH_FILE5}\" || \"${Patch_EXECUTABLE}\" -p1 -N -i \"${PATCH_FILE5}\") ") if (WIN32) set(LIBDIR "lib") diff --git a/cmake/BundledLibSSH2.cmake b/cmake/BundledLibSSH2.cmake index 7c3bf829f..bd7c8a2d6 100644 --- a/cmake/BundledLibSSH2.cmake +++ b/cmake/BundledLibSSH2.cmake @@ -44,8 +44,8 @@ function(use_bundled_libssh2 SOURCE_DIR BINARY_DIR) # Build project ExternalProject_Add( libssh2-external - URL "https://www.libssh2.org/download/libssh2-1.8.2.tar.gz"; - URL_HASH "SHA256=088307d9f6b6c4b8c13f34602e8ff65d21c2dc4d55284dfe15d502c4ee190d67" + URL "https://github.com/libssh2/libssh2/releases/download/libssh2-1.10.0/libssh2-1.10.0.tar.gz"; + URL_HASH "SHA256=2d64e90f3ded394b91d3a2e774ca203a4179f69aebee03003e5a6fa621e41d51" SOURCE_DIR "${BINARY_DIR}/thirdparty/libssh2-src" LIST_SEPARATOR % # This is needed for passing semicolon-separated lists CMAKE_ARGS ${LIBSSH2_CMAKE_ARGS} diff --git a/cmake/BundledLibreSSL.cmake b/cmake/BundledLibreSSL.cmake deleted file mode 100644 index 2b25234ab..000000000 --- a/cmake/BundledLibreSSL.cmake +++ /dev/null @@ -1,107 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - -function(use_libre_ssl SOURCE_DIR BINARY_DIR) - message("Using bundled LibreSSL") - - # Define byproducts - if (WIN32) - set(BYPRODUCT_PREFIX "" CACHE STRING "" FORCE) - set(BYPRODUCT_SUFFIX ".lib" CACHE STRING "" FORCE) - else() - set(BYPRODUCT_PREFIX "lib" CACHE STRING "" FORCE) - set(BYPRODUCT_SUFFIX ".a" CACHE STRING "" FORCE) - endif() - - set(BYPRODUCTS - "lib/${BYPRODUCT_PREFIX}tls${BYPRODUCT_SUFFIX}" - "lib/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}" - "lib/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}" - ) - - set(LIBRESSL_BIN_DIR "${BINARY_DIR}/thirdparty/libressl-install" CACHE STRING "" FORCE) - - FOREACH(BYPRODUCT ${BYPRODUCTS}) - LIST(APPEND LIBRESSL_LIBRARIES_LIST "${LIBRESSL_BIN_DIR}/${BYPRODUCT}") - ENDFOREACH(BYPRODUCT) - - # Set build options - set(LIBRESSL_CMAKE_ARGS ${PASSTHROUGH_CMAKE_ARGS} - "-DCMAKE_INSTALL_PREFIX=${LIBRESSL_BIN_DIR}" - -DLIBRESSL_APPS=OFF - -DLIBRESSL_TESTS=OFF - -DCMAKE_POLICY_DEFAULT_CMP0063=NEW - # avoid polluting the global namespace, otherwise could interfere with the system openssl (e.g. python script extension using numpy) - -DCMAKE_C_VISIBILITY_PRESET=hidden - -DCMAKE_CXX_VISIBILITY_PRESET=hidden - -DCMAKE_VISIBILITY_INLINES_HIDDEN=ON - ) - - # Build project - ExternalProject_Add( - libressl-portable - URL https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2.tar.gz https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2.tar.gz https://gentoo.osuosl.org/distfiles/libressl-3.0.2.tar.gz - URL_HASH "SHA256=df7b172bf79b957dd27ef36dcaa1fb162562c0e8999e194aa8c1a3df2f15398e" - SOURCE_DIR "${BINARY_DIR}/thirdparty/libressl-src" - CMAKE_ARGS ${LIBRESSL_CMAKE_ARGS} - BUILD_BYPRODUCTS ${LIBRESSL_LIBRARIES_LIST} - EXCLUDE_FROM_ALL TRUE - ) - - # Set variables - set(OPENSSL_FOUND "YES" CACHE STRING "" FORCE) - set(OPENSSL_INCLUDE_DIR "${LIBRESSL_BIN_DIR}/include" CACHE STRING "" FORCE) - set(OPENSSL_LIBRARIES ${LIBRESSL_LIBRARIES_LIST} CACHE STRING "" FORCE) - set(OPENSSL_CRYPTO_LIBRARY "${LIBRESSL_BIN_DIR}/lib/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE) - set(OPENSSL_SSL_LIBRARY "${LIBRESSL_BIN_DIR}/lib/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE) - - # Set exported variables for FindPackage.cmake - set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_INCLUDE_DIR=${OPENSSL_INCLUDE_DIR}" CACHE STRING "" FORCE) - string(REPLACE ";" "%" OPENSSL_LIBRARIES_EXPORT "${OPENSSL_LIBRARIES}") - set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_LIBRARIES=${OPENSSL_LIBRARIES_EXPORT}" CACHE STRING "" FORCE) - set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_CRYPTO_LIBRARY=${OPENSSL_CRYPTO_LIBRARY}" CACHE STRING "" FORCE) - set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_SSL_LIBRARY=${OPENSSL_SSL_LIBRARY}" CACHE STRING "" FORCE) - - # Create imported targets - file(MAKE_DIRECTORY ${OPENSSL_INCLUDE_DIR}) - - add_library(OpenSSL::Crypto STATIC IMPORTED) - set_target_properties(OpenSSL::Crypto PROPERTIES - INTERFACE_INCLUDE_DIRECTORIES "${OPENSSL_INCLUDE_DIR}") - set_target_properties(OpenSSL::Crypto PROPERTIES - IMPORTED_LINK_INTERFACE_LANGUAGES "C" - IMPORTED_LOCATION "${LIBRESSL_BIN_DIR}/lib/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}") - add_dependencies(OpenSSL::Crypto libressl-portable) - - add_library(OpenSSL::SSL STATIC IMPORTED) - set_target_properties(OpenSSL::SSL PROPERTIES - INTERFACE_INCLUDE_DIRECTORIES "${OPENSSL_INCLUDE_DIR}") - set_target_properties(OpenSSL::SSL PROPERTIES - IMPORTED_LINK_INTERFACE_LANGUAGES "C" - IMPORTED_LOCATION "${LIBRESSL_BIN_DIR}/lib/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}") - add_dependencies(OpenSSL::SSL libressl-portable) - set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES OpenSSL::Crypto) - - add_library(LibreSSL::TLS STATIC IMPORTED) - set_target_properties(LibreSSL::TLS PROPERTIES - INTERFACE_INCLUDE_DIRECTORIES "${OPENSSL_INCLUDE_DIR}") - set_target_properties(LibreSSL::TLS PROPERTIES - IMPORTED_LINK_INTERFACE_LANGUAGES "C" - IMPORTED_LOCATION "${LIBRESSL_BIN_DIR}/lib/${BYPRODUCT_PREFIX}tls${BYPRODUCT_SUFFIX}") - add_dependencies(LibreSSL::TLS libressl-portable) - set_property(TARGET LibreSSL::TLS APPEND PROPERTY INTERFACE_LINK_LIBRARIES OpenSSL::Crypto) -endfunction(use_libre_ssl) diff --git a/cmake/BundledOpenSSL.cmake b/cmake/BundledOpenSSL.cmake new file mode 100644 index 000000000..b9caca42f --- /dev/null +++ b/cmake/BundledOpenSSL.cmake @@ -0,0 +1,137 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +function(use_openssl SOURCE_DIR BINARY_DIR) + message("Using bundled OpenSSL") + + if(APPLE OR WIN32 OR CMAKE_SIZEOF_VOID_P EQUAL 4) + set(LIBDIR "lib") + else() + set(LIBDIR "lib64") + endif() + + # Define byproducts + set(BYPRODUCT_PREFIX "lib" CACHE STRING "" FORCE) + if (WIN32) + set(BYPRODUCT_SUFFIX ".lib" CACHE STRING "" FORCE) + # Due to OpenSSL 3's static linking issue on x86 MacOS platform we make an exception to build a shared library instead + elseif (APPLE AND (CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64")) + set(BYPRODUCT_SUFFIX ".dylib" CACHE STRING "" FORCE) + else() + set(BYPRODUCT_SUFFIX ".a" CACHE STRING "" FORCE) + endif() + + if (APPLE AND (CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64")) + set(OPENSSL_SHARED_FLAG "" CACHE STRING "" FORCE) + else() + set(OPENSSL_SHARED_FLAG "no-shared" CACHE STRING "" FORCE) + endif() + + set(BYPRODUCTS + "${LIBDIR}/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}" + "${LIBDIR}/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}" + ) + + set(OPENSSL_BIN_DIR "${BINARY_DIR}/thirdparty/openssl-install" CACHE STRING "" FORCE) + + FOREACH(BYPRODUCT ${BYPRODUCTS}) + LIST(APPEND OPENSSL_LIBRARIES_LIST "${OPENSSL_BIN_DIR}/${BYPRODUCT}") + ENDFOREACH(BYPRODUCT) + + # Define patch step + set(PATCH_FILE "${SOURCE_DIR}/thirdparty/openssl/Tidy-up-aarch64-feature-detection-code-in-armcap.c.patch") + set(PC ${Bash_EXECUTABLE} -c "set -x && \ + (\"${Patch_EXECUTABLE}\" -p1 -R -s -f --dry-run -i \"${PATCH_FILE}\" || \"${Patch_EXECUTABLE}\" -p1 -N -i \"${PATCH_FILE}\")") + + # Set build options + set(OPENSSL_CMAKE_ARGS ${PASSTHROUGH_CMAKE_ARGS} + "-DCMAKE_INSTALL_PREFIX=${OPENSSL_BIN_DIR}" + "-DCMAKE_POLICY_DEFAULT_CMP0063=NEW" + # avoid polluting the global namespace, otherwise could interfere with the system openssl (e.g. python script extension using numpy) + "-DCMAKE_C_VISIBILITY_PRESET=hidden" + "-DCMAKE_CXX_VISIBILITY_PRESET=hidden" + "-DCMAKE_VISIBILITY_INLINES_HIDDEN=ON" + ) + + # Note: when upgrading to a later release than 3.1.1 the --no-apps could be used instead of --no-tests to minimize the build size + if (WIN32) + ExternalProject_Add( + openssl-external + URL https://github.com/openssl/openssl/releases/download/openssl-3.1.1/openssl-3.1.1.tar.gz + URL_HASH "SHA256=b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674" + SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src" + BUILD_IN_SOURCE true + CONFIGURE_COMMAND perl Configure "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} -fPIC" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} -fPIC" ${OPENSSL_SHARED_FLAG} no-tests "--prefix=${OPENSSL_BIN_DIR}" "--openssldir=${OPENSSL_BIN_DIR}" + BUILD_BYPRODUCTS ${OPENSSL_LIBRARIES_LIST} + PATCH_COMMAND ${PC} + EXCLUDE_FROM_ALL TRUE + BUILD_COMMAND nmake + INSTALL_COMMAND nmake install + ) + else() + ExternalProject_Add( + openssl-external + URL https://github.com/openssl/openssl/releases/download/openssl-3.1.1/openssl-3.1.1.tar.gz + URL_HASH "SHA256=b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674" + SOURCE_DIR "${BINARY_DIR}/thirdparty/openssl-src" + BUILD_IN_SOURCE true + CONFIGURE_COMMAND ./Configure "CFLAGS=${PASSTHROUGH_CMAKE_C_FLAGS} -fPIC" "CXXFLAGS=${PASSTHROUGH_CMAKE_CXX_FLAGS} -fPIC" ${OPENSSL_SHARED_FLAG} no-tests "--prefix=${OPENSSL_BIN_DIR}" "--openssldir=${OPENSSL_BIN_DIR}" + BUILD_BYPRODUCTS ${OPENSSL_LIBRARIES_LIST} + PATCH_COMMAND ${PC} + EXCLUDE_FROM_ALL TRUE + ) + endif() + + # Set variables + set(OPENSSL_FOUND "YES" CACHE STRING "" FORCE) + set(OPENSSL_INCLUDE_DIR "${OPENSSL_BIN_DIR}/include" CACHE STRING "" FORCE) + set(OPENSSL_LIBRARIES "${OPENSSL_LIBRARIES_LIST};${CMAKE_DL_LIBS}" CACHE STRING "" FORCE) + set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE) + set(OPENSSL_SSL_LIBRARY "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}" CACHE STRING "" FORCE) + + # Set exported variables for FindPackage.cmake + set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_INCLUDE_DIR=${OPENSSL_INCLUDE_DIR}" CACHE STRING "" FORCE) + string(REPLACE ";" "%" OPENSSL_LIBRARIES_EXPORT "${OPENSSL_LIBRARIES}") + set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_LIBRARIES=${OPENSSL_LIBRARIES_EXPORT}" CACHE STRING "" FORCE) + set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_CRYPTO_LIBRARY=${OPENSSL_CRYPTO_LIBRARY}" CACHE STRING "" FORCE) + set(PASSTHROUGH_VARIABLES ${PASSTHROUGH_VARIABLES} "-DEXPORTED_OPENSSL_SSL_LIBRARY=${OPENSSL_SSL_LIBRARY}" CACHE STRING "" FORCE) + + # Create imported targets + file(MAKE_DIRECTORY ${OPENSSL_INCLUDE_DIR}) + + add_library(OpenSSL::Crypto STATIC IMPORTED) + set_target_properties(OpenSSL::Crypto PROPERTIES + INTERFACE_INCLUDE_DIRECTORIES "${OPENSSL_INCLUDE_DIR}") + set_target_properties(OpenSSL::Crypto PROPERTIES + IMPORTED_LINK_INTERFACE_LANGUAGES "C" + IMPORTED_LOCATION "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}crypto${BYPRODUCT_SUFFIX}") + add_dependencies(OpenSSL::Crypto openssl-external) + + add_library(OpenSSL::SSL STATIC IMPORTED) + set_target_properties(OpenSSL::SSL PROPERTIES + INTERFACE_INCLUDE_DIRECTORIES "${OPENSSL_INCLUDE_DIR}") + set_target_properties(OpenSSL::SSL PROPERTIES + IMPORTED_LINK_INTERFACE_LANGUAGES "C" + IMPORTED_LOCATION "${OPENSSL_BIN_DIR}/${LIBDIR}/${BYPRODUCT_PREFIX}ssl${BYPRODUCT_SUFFIX}") + add_dependencies(OpenSSL::SSL openssl-external) + set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES OpenSSL::Crypto) + + if(WIN32) + set_property(TARGET OpenSSL::Crypto APPEND PROPERTY INTERFACE_LINK_LIBRARIES crypt32.lib ) + set_property(TARGET OpenSSL::SSL APPEND PROPERTY INTERFACE_LINK_LIBRARIES crypt32.lib) + endif() +endfunction(use_openssl) diff --git a/cmake/CivetWeb.cmake b/cmake/CivetWeb.cmake index cbd1b2c31..f1614817d 100644 --- a/cmake/CivetWeb.cmake +++ b/cmake/CivetWeb.cmake @@ -24,10 +24,14 @@ set(CIVETWEB_ENABLE_LUA "OFF" CACHE STRING "" FORCE) set(CIVETWEB_ENABLE_CXX "ON" CACHE STRING "" FORCE) set(CIVETWEB_ALLOW_WARNINGS "ON" CACHE STRING "" FORCE) set(CIVETWEB_ENABLE_ASAN "OFF" CACHE STRING "" FORCE) +set(PATCH_FILE "${CMAKE_SOURCE_DIR}/thirdparty/civetweb/openssl3.patch") +set(PC ${Bash_EXECUTABLE} -c "set -x &&\ + (\\\"${Patch_EXECUTABLE}\\\" -p1 -R -s -f --dry-run -i \\\"${PATCH_FILE}\\\" || \\\"${Patch_EXECUTABLE}\\\" -p1 -N -i \\\"${PATCH_FILE}\\\")") FetchContent_Declare(civetweb URL https://github.com/civetweb/civetweb/archive/refs/tags/v1.16.tar.gz URL_HASH SHA256=f0e471c1bf4e7804a6cfb41ea9d13e7d623b2bcc7bc1e2a4dd54951a24d60285 + PATCH_COMMAND "${PC}" ) FetchContent_MakeAvailable(civetweb) diff --git a/cmake/GoogleCloudCpp.cmake b/cmake/GoogleCloudCpp.cmake index 05e1d400c..aca4ac3e0 100644 --- a/cmake/GoogleCloudCpp.cmake +++ b/cmake/GoogleCloudCpp.cmake @@ -59,3 +59,10 @@ FetchContent_MakeAvailable(google-cloud-cpp) if (CMAKE_CXX_COMPILER_ID STREQUAL "Clang" AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "14.0.0" ) target_compile_options(google_cloud_cpp_common PUBLIC -Wno-error=deprecated-pragma) endif() + +# MD5_Init, MD5_Update and MD5_Final used in Google Cloud C++ library are deprecated since OpenSSL 3.0 +if (WIN32) + target_compile_options(google_cloud_cpp_storage PUBLIC /wd4996) +else() + target_compile_options(google_cloud_cpp_storage PUBLIC -Wno-error=deprecated-declarations) +endif() diff --git a/cmake/KubernetesClientC.cmake b/cmake/KubernetesClientC.cmake index f97b7a811..61878d673 100644 --- a/cmake/KubernetesClientC.cmake +++ b/cmake/KubernetesClientC.cmake @@ -24,17 +24,21 @@ FetchContent_Declare(yaml GIT_TAG 2c891fc7a770e8ba2fec34fc6b545c672beb37e6 # 0.2.5 ) -set(LWS_WITHOUT_TESTAPPS ON CACHE BOOL "" FORCE) -set(LWS_WITHOUT_TEST_SERVER ON CACHE BOOL "" FORCE) -set(LWS_WITHOUT_TEST_SERVER_EXTPOLL ON CACHE BOOL "" FORCE) -set(LWS_WITHOUT_TEST_PING ON CACHE BOOL "" FORCE) -set(LWS_WITHOUT_TEST_CLIENT ON CACHE BOOL "" FORCE) -set(LWS_WITH_SHARED OFF CACHE BOOL "" FORCE) -set(CMAKE_C_FLAGS "-fpic" CACHE STRING "" FORCE) +set(LWS_WITHOUT_TESTAPPS ON CACHE BOOL "" FORCE) +set(LWS_WITHOUT_TEST_SERVER ON CACHE BOOL "" FORCE) +set(LWS_WITHOUT_TEST_SERVER_EXTPOLL ON CACHE BOOL "" FORCE) +set(LWS_WITHOUT_TEST_PING ON CACHE BOOL "" FORCE) +set(LWS_WITHOUT_TEST_CLIENT ON CACHE BOOL "" FORCE) +set(LWS_WITH_SHARED OFF CACHE BOOL "" FORCE) +set(LWS_OPENSSL_INCLUDE_DIRS "${OPENSSL_INCLUDE_DIR}" CACHE STRING "" FORCE) +set(LWS_OPENSSL_LIBRARIES "${OPENSSL_LIBRARIES}" CACHE STRING "" FORCE) +set(CMAKE_C_FLAGS "-fpic" CACHE STRING "" FORCE) -set(WEBSOCKETS_PATCH_FILE "${CMAKE_SOURCE_DIR}/thirdparty/libwebsockets/fix-include-dirs.patch") +set(WEBSOCKETS_PATCH_FILE_1 "${CMAKE_SOURCE_DIR}/thirdparty/libwebsockets/fix-include-dirs.patch") +set(WEBSOCKETS_PATCH_FILE_2 "${CMAKE_SOURCE_DIR}/thirdparty/libwebsockets/openssl3.patch") set(WEBSOCKETS_PC ${Bash_EXECUTABLE} -c "set -x &&\ - (${Patch_EXECUTABLE} -R -p1 -s -f --dry-run -i ${WEBSOCKETS_PATCH_FILE} || ${Patch_EXECUTABLE} -p1 -i ${WEBSOCKETS_PATCH_FILE})") + (${Patch_EXECUTABLE} -R -p1 -s -f --dry-run -i ${WEBSOCKETS_PATCH_FILE_1} || ${Patch_EXECUTABLE} -p1 -i ${WEBSOCKETS_PATCH_FILE_1}) &&\ + (${Patch_EXECUTABLE} -R -p1 -s -f --dry-run -i ${WEBSOCKETS_PATCH_FILE_2} || ${Patch_EXECUTABLE} -p1 -i ${WEBSOCKETS_PATCH_FILE_2}) ") FetchContent_Declare(websockets URL https://github.com/warmcat/libwebsockets/archive/refs/tags/v4.3.2.tar.gz URL_HASH SHA256=6a85a1bccf25acc7e8e5383e4934c9b32a102880d1e4c37c70b27ae2a42406e1 diff --git a/cmake/Zstd.cmake b/cmake/Zstd.cmake index 7d8a2313a..debb209d9 100644 --- a/cmake/Zstd.cmake +++ b/cmake/Zstd.cmake @@ -19,6 +19,7 @@ include(FetchContent) set(ZSTD_BUILD_SHARED OFF CACHE BOOL "" FORCE) +set(PC "") if (WIN32) set(PATCH_FILE "${CMAKE_SOURCE_DIR}/thirdparty/zstd/exclude_gcc_clang_compiler_options_from_windows.patch") set(PC "${Patch_EXECUTABLE}" -p1 -i "${PATCH_FILE}") diff --git a/cmake/ssl/FindOpenSSL.cmake b/cmake/ssl/FindOpenSSL.cmake index 0dc22d891..3b6adc46f 100644 --- a/cmake/ssl/FindOpenSSL.cmake +++ b/cmake/ssl/FindOpenSSL.cmake @@ -22,8 +22,8 @@ if(NOT OPENSSL_FOUND) set(OPENSSL_INCLUDE_DIR "${EXPORTED_OPENSSL_INCLUDE_DIR}" CACHE STRING "" FORCE) set(OPENSSL_CRYPTO_LIBRARY "${EXPORTED_OPENSSL_CRYPTO_LIBRARY}" CACHE STRING "" FORCE) set(OPENSSL_SSL_LIBRARY "${EXPORTED_OPENSSL_SSL_LIBRARY}" CACHE STRING "" FORCE) - set(OPENSSL_LIBRARIES ${EXPORTED_OPENSSL_LIBRARIES} CACHE STRING "" FORCE) - set(OPENSSL_VERSION "1.0.2" CACHE STRING "" FORCE) + set(OPENSSL_LIBRARIES "${EXPORTED_OPENSSL_LIBRARIES}" CACHE STRING "" FORCE) + set(OPENSSL_VERSION "3.1.0" CACHE STRING "" FORCE) endif() if(NOT TARGET OpenSSL::Crypto) diff --git a/darwin.sh b/darwin.sh index 8bdc1ff6d..21cb161b1 100644 --- a/darwin.sh +++ b/darwin.sh @@ -109,6 +109,8 @@ build_deps(){ INSTALLED+=("bzip2") elif [ "$FOUND_VALUE" = "libssh2" ]; then INSTALLED+=("libssh2") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/debian.sh b/debian.sh index 99d0b6a30..4b09cc4f2 100644 --- a/debian.sh +++ b/debian.sh @@ -89,6 +89,8 @@ build_deps(){ INSTALLED+=("libssh2-1-dev") elif [ "$FOUND_VALUE" = "boost" ]; then INSTALLED+=("libboost-dev") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/docker/centos/Dockerfile b/docker/centos/Dockerfile index 99dc583a0..9ae84e426 100644 --- a/docker/centos/Dockerfile +++ b/docker/centos/Dockerfile @@ -43,7 +43,7 @@ RUN mkdir -p $MINIFI_BASE_DIR COPY . ${MINIFI_BASE_DIR} # gpsd-devel and ccache are in EPEL -RUN yum -y install epel-release && yum -y install sudo git which make libarchive ccache ca-certificates && \ +RUN yum -y install epel-release && yum -y install sudo git which make libarchive ccache ca-certificates perl-IPC-Cmd && \ if echo "$MINIFI_OPTIONS" | grep -q "ENABLE_GPS=ON"; then yum -y install gpsd-devel; fi && \ if echo "$MINIFI_OPTIONS" | grep -q "ENABLE_JNI=ON"; then yum -y install java-1.8.0-openjdk maven; fi && \ if echo "$MINIFI_OPTIONS" | grep -q "ENABLE_PCAP=ON"; then yum -y install libpcap-devel; fi && \ diff --git a/docker/fedora/Dockerfile b/docker/fedora/Dockerfile index dd93e0eab..b9e78cad0 100644 --- a/docker/fedora/Dockerfile +++ b/docker/fedora/Dockerfile @@ -33,7 +33,7 @@ ENV MINIFI_HOME $MINIFI_BASE_DIR/nifi-minifi-cpp-$MINIFI_VERSION RUN echo "fastestmirror=True" | tee -a /etc/dnf/dnf.conf RUN for iter in {1..10}; do yum update -y && \ yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel flex bison make patch sudo git which maven libtool autoconf automake java-1.8.0-openjdk java-1.8.0-openjdk-devel sudo \ - git which maven make libarchive boost-devel lua-devel libusb-devel libpng-devel gpsd-devel libpcap-devel && \ + git which maven make libarchive boost-devel lua-devel libusb-devel libpng-devel gpsd-devel libpcap-devel perl && \ yum clean all && exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; done; \ (exit $exit_code) diff --git a/docker/rockylinux/Dockerfile b/docker/rockylinux/Dockerfile index 7d9c96f58..d90112e8f 100644 --- a/docker/rockylinux/Dockerfile +++ b/docker/rockylinux/Dockerfile @@ -40,7 +40,7 @@ COPY . ${MINIFI_BASE_DIR} # Install the system dependencies needed for a build # gpsd-devel and ccache are in EPEL -RUN dnf -y install epel-release && dnf -y install sudo git which make libarchive ccache ca-certificates cmake && \ +RUN dnf -y install epel-release && dnf -y install sudo git which make libarchive ccache ca-certificates cmake perl && \ if echo "$MINIFI_OPTIONS" | grep -q "ENABLE_GPS=ON"; then dnf -y install gpsd-devel; fi && \ if echo "$MINIFI_OPTIONS" | grep -q "ENABLE_JNI=ON"; then dnf -y install java-1.8.0-openjdk maven; fi && \ if echo "$MINIFI_OPTIONS" | grep -q "ENABLE_PCAP=ON"; then dnf -y install libpcap-devel; fi && \ diff --git a/extensions/civetweb/tests/resources/badCA_goodClient.p12 b/extensions/civetweb/tests/resources/badCA_goodClient.p12 index b51a3a3f9..507d45dae 100644 Binary files a/extensions/civetweb/tests/resources/badCA_goodClient.p12 and b/extensions/civetweb/tests/resources/badCA_goodClient.p12 differ diff --git a/extensions/civetweb/tests/resources/badCA_goodClient.pem b/extensions/civetweb/tests/resources/badCA_goodClient.pem index 86bc17c28..40187c254 100644 --- a/extensions/civetweb/tests/resources/badCA_goodClient.pem +++ b/extensions/civetweb/tests/resources/badCA_goodClient.pem @@ -1,46 +1,48 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAsccjk4783E7/2RDkqunqTAO31PnTwJQyxr8UJIRe1ZVAsTlp -4UbQfQ3fonpyYg1oJOt0RvgKIRMQA4ECKvTmQpaWqmrjCmie25nnGzCCZuNJ6wU/ -qmsA15LAJOzcNDKLmVGh/5ts7tIkof0ujvGhHWv2MhfciBhICIxn9feTgj3U1eyH -q+TqqGKXwuclS6wFrMPZd0OnfKXteTyxfjUrW7YDn1GQZrJJBOSXVKP93fRE/FY7 -pbqrLyzOE4XU+Y9RM8gGFuMc1BKCiKZGubgdDexoUL8iLOQxzVt0GCzRri3ugfjO -YvbfClgP1lLfX96ISm2sXjffXNl4DJgAF4FfqQIDAQABAoIBABqqSfXKDrdkyg9e -702LhG8eZ6Z0SoSqNeuFoZnQmQDkQC3U9MKrgn4fZJnUT+/RHvvarTgv4CUR3OcJ -pK+YyCjYuYSaP6/B/YHm1blIT2brVJ0BzojbP+cVxehD9suFgVbf3bKfN3mi34fE -mAUszQPCu8zLs3JeYf+WP8mu9tsj9xMkGnWDcfApl5TLT/gEQgkS2K6UUPXZb6m3 -YzjW3hp2jcx+0RrJxBbbSTWzAj5SDExYzw/ulYyhuenFK0LTi0RK5c+3XPq9lfxY -0AjHVYTb7D5dl9oRgCPaaFJAidSGD1s5tXY43yQhaupWjOUkgIohVWkkDfEjrH7r -+omCEAECgYEA2iqpJlGn8U/aIPar8TmOo5aVI8x6lMYOlGhgwgscXjx4YBjal+fo -cv6o0Lw0RU0agpnPDgWon2xb0ufIaR7cn+DXU1vXAKLVzip+vuPbfh+l86LO+Zfl -KlhRime7hWUJLo8EtFSs4ooVuu8n3gSJYbVa45xD1IrUPQdrI/jLnwECgYEA0Jtz -XIS+DlizmPStqtfTQ6JSSlV+3QJC02/IllNSihsBNnuqwQjYIv2NLwBKAzjEO159 -Fsrk2WovjdtKs8jPzlb/pNwkn88/6jnUfxh+2/hKSAjiMadY3wDtDY8V4sj20EU4 -hi/gHPnqillabEvTrK+WkoY5pv5a6622Hn19aKkCgYBXUhHn03ELxfFBllmVsHrm -ASRqcrJxj6BQSELKB9Zv5XYsyGXdvSWtuT3qZhnpzwWYVmWocB1gyecq0DjH0mFt -4Hlu1OiGSaaX4SxfzSWSIqqyjGyZO/GudDEW25QTvS/iob25S9byyWAPNR/Y3in6 -oLLjPS1tCbAPSUPZ3v/pAQKBgBKr91VupDxQgDLOo8TI8KX7H3Z71JEfpK+cL84U -wyyNYjxoMU555i6rlzl/wyAqspXFzVh+7KDxOjRuTm9tJ/yGGPe+pKCRQl1Ks9R0 -ctZpkOyFrwlWu0Oqp40xI3pbFoxpxbdtDZhKXk3n1Yof92BbjxSqYvqphaXWtJhi -DxmRAoGAQxlwKKlx2NU9mvMkJ1oXLUiegrjAXK/y1ErC1I07SFz/Yfq6Pf94l2kd -CVenMLeQxl3RxleejoF8ZcUQrqEP+OoXhkxQRthyM57pF/jYMpeD/Pd0Pe4hflEF -aoljZz+7YdGg8R5CGLYpqHb9LpqnmosDPpEz+L8Mao3DPJ8lC8M= ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDOwDUoONPNu/VB +a72M90rMKOGbnsfAQO15HJwy0KHXHGq+A81qAzoL4i/rMXXxqKSOXtqDNAkT5479 +eqqc0w88+WLjGiHzeInBNfYzjj/1TCj5JEGtnuEJYC/DHa0bHBT441iFGZ89nZyV +RGfoFoJchNOn056nM6mBwTOgRk8xQrxR38glDkPdK5yPGdBe5LR/q7/O89o7Q62n +7zZ+OSqdkkBtaPLXGJCnOSaufBlPPd0CtGmPKlk3cOPlxo8Wdzh5GSt+v9c9PDXc +u6dh8MMKFuynHkmm9usqLcRh1eSplEGE69GzGHMj0j9GdCFBB6DFw9SZOAOsb0HF +RJD6bovbAgMBAAECggEAEWVP7Uil9/gdN6bwD1qGezN8k0WpB76uyUAkaFlWwXmz +nxwRl+tNLzWV08bMMxjkcTiYtbqWgb7VY8CDEHTo7rfXbF8euJSaZDZWtwAvo3ah +nLmo1da5yocpHaEM/dK/QcqNmfPA8UQMqiAgugEC11pmg9PYOoTfRnqe2swJQVsP +meUSnalnX5Aci0cXHSDapO/G4Tvz10T+m2lDHxg1hW62zglyqGIG6RttJpdIcs8n +ZqOQfavZyMTQy6UH3TMCj0cXcaW/w8sJSu/HqGwAHszPuEoe2o5VGw/gPdW93DXe +B0I0M0lqkhrO0y3JwTGYJyOPz9VO4g4eFyH7FCVf4QKBgQDpGhWq+bYjuA8gRxmq +mx472QuitrBXeaAMPFzjNdHs+S9howSR4HOJVDuDnXQGT2cAihJSbQIZjTpAzo4A +Gqw3CbHZ/L86LaCnOd8AvtL2np03KOxZR3/b18/zvy0sx2TpN86DCuY9TmsIU7iM +Ha+5eMOWqAaIjIK2WhPzR9jNUQKBgQDjD3X3kU//3LYVj3wwFGPiF9aBTv0bhf/M +5JJwm3PeKU0RLIYptM8o/r2Thb5w/2S8w0vhnMK4/h0fi67WK9JL3FDOPNZ+4xN/ +k7SKGpqX21O+7mUCfnDdIsy2LUvCs/LLfI9YJseFiAzDJREXocf8ldsfUfBLRVov +kWd2cYpLawKBgH/WpGd+R5vTR8hl9feQ1sXvxOfZ1WBD/bh4KmEZlSWni4q6grkW +JYb9QR5vbcBAL7cmAeJekjY9M+Ny5IG+HxCYKofoi192wpKztE+OV9iVKJelw+k6 +wy5ob024XSgfuoIE7ycDBT4+EYkhkSaW6VaImou3Xs3ocY9cW3CiyI3hAoGAf4BS +DOfDVXjZonfFE7aPdAlQwaHaTVdMkgCUHrmcMdddWFR5LfhDD9EkIS/MBeXT6o98 +D7+YNIs1TV6BmfBXkZOwqG7PP8dBTrVhft97ieR2PVPe0qyvse11qKL81ON5ZjyW +vbhg96GzEO3CkFOfWj3IIuk/FvVltCphP8h4EOsCgYBDjzeHMTKDiy4UDlK+Qd9i +BpBimM2lxl/u8cr+ozDm5RP55I2Es9XylgeqUO9+AzSbxwZmOZDCkMmfxVtv1dPm +pIfh9H0u8jw54BxfeR4FiAaiTW07tj929W/tlWoufp7g8Ff46ZQ1PsNEFM6rmhjP +4EfjV41Si97Airh09i5ILA== +-----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDJDCCAgwCCQDtE0id+/yQXjANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUV4YW1wbGUsIEluYy4xJzAlBgNVBAMM -HkJhZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA3MTIwOTUyNTNa -Fw0yOTA3MDkwOTUyNTNaME0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQG -A1UECgwNRXhhbXBsZSwgSW5jLjEZMBcGA1UEAwwQZ29vZC5leGFtcGxlLmNvbTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALHHI5OO/NxO/9kQ5Krp6kwD -t9T508CUMsa/FCSEXtWVQLE5aeFG0H0N36J6cmINaCTrdEb4CiETEAOBAir05kKW -lqpq4wpontuZ5xswgmbjSesFP6prANeSwCTs3DQyi5lRof+bbO7SJKH9Lo7xoR1r -9jIX3IgYSAiMZ/X3k4I91NXsh6vk6qhil8LnJUusBazD2XdDp3yl7Xk8sX41K1u2 -A59RkGaySQTkl1Sj/d30RPxWO6W6qy8szhOF1PmPUTPIBhbjHNQSgoimRrm4HQ3s -aFC/IizkMc1bdBgs0a4t7oH4zmL23wpYD9ZS31/eiEptrF4331zZeAyYABeBX6kC -AwEAATANBgkqhkiG9w0BAQsFAAOCAQEADMnoHqwUbGM2NRdqoJ2FdgK697b/ah5n -EjsmAeyYNhTRpVFyErWqvZp9F4R1ARSOXH3RLo79jexAvqt9b8Ho8a1bfIliGVkr -482qLjTbS15sv6lwSX8XCeSI1994Csj9iB1d+zIHax6UXe62biaomtUzBzEdll1G -EcuwJOzpEbROPp4ciLYPmIDY2Gdn4eeEGvxjFLT+U979BH4kwz98vKLUwUiY4o+Z -n1gndeIHwVB0YZFFZWqumQ6FNSChH7YRuhxDMgoj/dgOSAZkvR20HYatJhjErEhX -dTVJtNP8eU/vTFrxTvVTRqJWR4dnwDFre1J9CIIGL20r34MvbjTCQA== +MIIDLzCCAhcCFB1RAcKU6d5gfYNRynnxKoJsWXJUMA0GCSqGSIb3DQEBCwUAMFsx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNRXhhbXBsZSwgSW5j +LjEnMCUGA1UEAwweQmFkIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIz +MDUwODA5MDMwMVoXDTMzMDUwNTA5MDMwMVowTTELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMRYwFAYDVQQKDA1FeGFtcGxlLCBJbmMuMRkwFwYDVQQDDBBnb29kLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzsA1KDjT +zbv1QWu9jPdKzCjhm57HwEDteRycMtCh1xxqvgPNagM6C+Iv6zF18aikjl7agzQJ +E+eO/XqqnNMPPPli4xoh83iJwTX2M44/9Uwo+SRBrZ7hCWAvwx2tGxwU+ONYhRmf +PZ2clURn6BaCXITTp9OepzOpgcEzoEZPMUK8Ud/IJQ5D3SucjxnQXuS0f6u/zvPa +O0Otp+82fjkqnZJAbWjy1xiQpzkmrnwZTz3dArRpjypZN3Dj5caPFnc4eRkrfr/X +PTw13LunYfDDChbspx5JpvbrKi3EYdXkqZRBhOvRsxhzI9I/RnQhQQegxcPUmTgD +rG9BxUSQ+m6L2wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAb6KFfUAHWM7BaFa06 +ytYthgKH7skbeGCONSiNg7oSL1TqE91GC5GDvJ5AQvys3GXrkWHVaV1MeVeb2TyI +3tq+vxzgmyQPFXDccLoZvkrZ/JOBVvh5J/umPBL+pKwb6q7wSexf/oOHPxy1i9qU +iCJ7puXEr9G0OlWC08+8loNMGcfwKezd9/XCgFemfm5+wrc5ZlQRGuHPDkU1z8Gb +vFE7/FmLnhdc3CmxgTpQVo1uuJs6k/m+k+5FQ/kVl82+9DIGNCcpD3fJH+9UWe8Y +300gH/o5Tyn8rE568cyfedfU7xgfklR/25buto8nUkdumOmhlmWoKw29gfC/Shvx +xfZW -----END CERTIFICATE----- diff --git a/extensions/civetweb/tests/resources/goodCA.crt b/extensions/civetweb/tests/resources/goodCA.crt index e801553c9..0bd0547e3 100644 --- a/extensions/civetweb/tests/resources/goodCA.crt +++ b/extensions/civetweb/tests/resources/goodCA.crt @@ -1,20 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDNDCCAhwCCQDoXhDkdH/BBjANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJV +MIIDmzCCAoOgAwIBAgIUUsX9zg7tYlsyWpxv0IqomEmRCp0wDQYJKoZIhvcNAQEL +BQAwXDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQKDA1FeGFtcGxl +LCBJbmMuMSgwJgYDVQQDDB9Hb29kIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 +MCAXDTIzMDUwODA5MDMwMFoYDzIwNTMwNDMwMDkwMzAwWjBcMQswCQYDVQQGEwJV UzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUV4YW1wbGUsIEluYy4xKDAmBgNVBAMM -H0dvb2QgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwNzEyMDk1MjUz -WhcNNDkwNzA0MDk1MjUzWjBcMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAU -BgNVBAoMDUV4YW1wbGUsIEluYy4xKDAmBgNVBAMMH0dvb2QgUm9vdCBDZXJ0aWZp -Y2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDG -t5qp++4NAO83uASsVx7xRc3YS1Ss6La2opJTeXSnnsL6d+eLIUZrO6R/vofjLMPb -qHisnQXAtl560d/XPBXm/ydp2IBLJQJW9aRxa/zqcf4tDTdBLKXYHhqKSQDJGS78 -vOuNuhf6T+p1guqnLYxwlRp6V8DMY/nC5n+IgByr9Jp2QtqJceH5WdyABVauqtMo -LKXdbhfU6lDZ1XIZNeoKY8u2s34UQLUvOGaP/FzYHvKev1KzFF/nR3+svK8cvxXM -EuqHM5tdtIp1ugjvR66PUIT00HoT00wS6VIpBdHq/8uXJeY77lr52xyVdk282tlw -wr9/W0AGXjVMW3O+VRhFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAE5HYjHkh3fI -qakhENGL5PSszmOz5yQRrggP2ZJeEAoFjy5fbf/zUPIPMgMa0qM4QI+2C0iGlem1 -c1MCGNk5BiDPWMaUjppYmPZWkXzYu9Nl1dizXYidcnTiiBTROkpMij2fzCErymx9 -CmYxfeFyeJ5uAHSWSOGCfvlxi0vHvHn/+5rm0eqHcGP2c9ivW/SC/6RCXnHuIS9O -O/UHrQPQe7YmdBgCHw4K4UHLZkYPH6osMPdII09PbZBB1TgrogbuA6TMp9NU6LrX -WNN3nhFaVVjEb8tawMabfG9PU/1PKGRuNdaLsYb3IXhT0I/SWobD3MJ9xcO9sAhv -QKZuUQf4ntI= +H0dvb2QgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCfY4x72ulz5GtlJKtQkASrwVbffPTvqnP953T4tkD5 +l+aQcqtaAIQYj4ZwGNsnSaXhAZIB5I4lh1pfRSP9lZLZ1EeR+8AjK/QZkIyvcHSW +MKkJAJaeaWfxsA6XZiwZQ8dmjUswUI5wCtPdyGB1UUlab4rfT6FmEhxQQrZkTNcN +fLDTnetPyTqAK2/KmZTOSJF5sESjBha3i4sZb30DNbAwQkpxFERjpLHKNp61Ohkz +chvZ8bcSTCpIaCYKMNH9OWhCvu/75qqufVMBQNb3UMYitSXXSSnyJvoMcqM+O/Gd +n88xlVd0s59nSgv+ObaPAEozezSgyctNRZM8SNlYyrftAgMBAAGjUzBRMB0GA1Ud +DgQWBBTgzk7nBSqiHt7/obbFWZDw1rstdzAfBgNVHSMEGDAWgBTgzk7nBSqiHt7/ +obbFWZDw1rstdzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBb +bidNJ57xKNlrLQPM21zft06lRR/2i5AafpEZUnPIxYkuQZbYwV9tS+aDnovPVBhM +DpbzpeUha8KsRX+OuISCNTux50NyHzKNNqBnkFwSw4IK2w5kwIibmdDNX5V0OdrQ +PvPIKU6BMLQYztWmkQvPslbOTYh/vSaCgRtyRRKX1dxTO8sbgP5l16cj7uOzRmiP +EquStQa8mpLaV7sEXRqgvG3IXNShKgGVd0EEVRGrr0pungEbF99iLn8SBYXvLHs/ +YgkakNDvX9uMLuO+95G1wALMbxyH5dsLy9Wo2drtoWa/8qxxMFQJnJUZw2zvJeP9 +B8N58IlR9e7beZ1O/fi/ -----END CERTIFICATE----- diff --git a/extensions/civetweb/tests/resources/goodCA_badClient.p12 b/extensions/civetweb/tests/resources/goodCA_badClient.p12 index 7154fc85b..975d5e33c 100644 Binary files a/extensions/civetweb/tests/resources/goodCA_badClient.p12 and b/extensions/civetweb/tests/resources/goodCA_badClient.p12 differ diff --git a/extensions/civetweb/tests/resources/goodCA_badClient.pem b/extensions/civetweb/tests/resources/goodCA_badClient.pem index 6a33c193b..78ddc9db1 100644 --- a/extensions/civetweb/tests/resources/goodCA_badClient.pem +++ b/extensions/civetweb/tests/resources/goodCA_badClient.pem @@ -1,46 +1,48 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA9c7u+CkKybpZIBPzUiYgkvlb07enbZR1skpQt6hUO5p7Dvgx -OKDxy/83gwyOwTOxjeS82Vvfd8QJuwIPVHOy5WwX0zgOZlwL2OiIpPIim7idO9a7 -9Y0fSlOMofbisa1ssVEypqvOCrvsNbLPXuioPxse5FnSrncPpR0Qj9FtX01SGIK5 -QYER1RiLZ5ZVaUxxdc81mvuxvsCrS+SO7BaCr5Pd46FMWZzr+f1unCjLsLvYLoVP -Gt7stJOnbThY9/wKp9SjdNr2Q30rKIHwjjKSchxEWuldu6gcZHmgjdPP4bA2utCr -/I04ucrZV4wy1IESlyjBhMLOoHhWoHxSewowtQIDAQABAoIBAQCw0X13R9a5y/Gm -sJM8ia6u6u8SOi8XFU8gxHKR2mVVRse0ufZ2PNgSnXEqNNNPyUa0wlDSrlLuzTcO -remnH18Vx47P4qgBG79t9b+tn3wjtkZssAgfF7fleHpWW8kwdIcWeklMOZQKhqng -6tJe/E9irbioHLD/zSeU53ZtbgIWJZi4X9v5n03n8usBj9+TgueE4RhaXmP5PtO6 -+AA7DKARxeVFo9j6vmmGkxeOdyeb/28pzK2lxHTEUROW9b0kqShs//9sUczgP1j/ -hetF9FWc+b5ZT0bHrv1a3+buPzMVk1Uok71piMwvO5Hbim38XB54Be5sLbLtotRX -J9xJlCVhAoGBAP18BzvUbW9PyUjHqzHPEemJnlDj4SE89i+PqaCHpJdi7nvBjBmF -Dmv6M1FiRK5AT/Pren6P3CHmRLftfilX1E/4/ea8yxL5DOUv/gup9bf6lRnAgXiR -79bCUwGWC9q+/NvneXGv7WKJVF45cf0JTm580vlCrupgfxrj8ogjIM/9AoGBAPg/ -Z3SqFwJ2L+2AmObtgqUd9MuQqKKdEYAx1HdPs7vLB9yAcbousoBXYzWjPuG/pMdI -2+ObOEGDYG1QI9C+1xE5flMLPI5rqk+WqA40s00X2CsR4pH+L7uQTNRbj9g4clbj -muDYPysR6G34YzIc92y39pkHwt2fhVGOMfE3aLUZAoGBAI57dv10bIcTDAty4JHA -2UqyZmEFlng+cgtN74Uieav2miLKKlv15KNhIhNu7zgbQlXTWSlm58/ORXY1cqL+ -kYLabK2UFXn2r/7ruRsJT+s4WTL+eEgzj+LhnBLaKpOsoylgtWzn/MFUfC3ykFYx -Mvr8AwLFLtjjoM6Wrq9DP6BpAoGAB06Oc/+hp7/kzz/OwFVTWBrWnrtGS2sGHdjZ -oR1mc+uY8qORNWK0fFSWJfkFG83xQrBhUIS8FimQyAbo1vcXC3m+vyEAikye+bK8 -hZaFhIpkIXhoS9XIf+PSbxm21S1sKCSQ5XdX/KONTNdXzBzQJ5IOnxh8YtuUJ/9g -dvIjkdkCgYBwXD3eT9dbRbEBGGR70yey4wg5DYmQB3jl97zSK9G9aoyMvNnUobjR -3sq1v/kWRSLKihizis5SV3onu8SCdhUr91gvq0y7xOe0JlDSnfJ3r6wX3AD1p8+6 -8qRRO43Bl80N782iVFhjl4LyWyttFIWCu35jtSE6wbKfCPRAW3cNgw== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4pbdGU39sG4Is +Del+iD6Yjo2hDeAuRGTyF8ZkStXy1tTdUJN7TFKfdJVVGyiRqmzidu4jFSXvk38s +hmcLTr6XDFjUC+0S1ksermI5oX1S2UiHlPWYovPQjEDEreuPe2NXSdjCxoLn8h20 +1F7ffQeVSy5f5WIo3kWBwGQXAj1KOuophoZYbfs0GNAc+u0e6y6u0Bz/PKcLdcf7 +eBU6svRwHNDOACEn5khfQI0IxB1dEhx2V0nyvMfwUBIN50u+nRc1WlrvkNoo3RVb +K+vdrHpViO6zQtL31Vj45Y9LHoN/Z/MU+e8Ayzyq1TnOCIZSc12xcYH6NXS//AcG +0lkINepdAgMBAAECggEACmGCssj59nV7dYeYs3zsa/5DtyTFEETXGgc9J6FPcvYi +BIlFqV5qnL1cseqzdrEKqxa9n6pONjBoK3Qo8elM7MgMbGt5OiBjG8f5DL1oAtLl +cX3t6tVqeLSR5ZzTi/8HYD5uGdE4RdsGUYbJCK6KURnncwu934dTiA5tch+1m2kp +DpK/JKgCAG9UGYFs/JZeD4wc4XeUaKp2cR82BJhEHqlCkaD8ZxQps3CK/DRajU14 +/Qa9LJ8c5tQ4rr7bnA6Q609DkbauHCe+vXyiH+EVsBwQwbYXW/OXbHkGyvFlGkGn +Lm3vr6K8SlqpIoF3x5sxbK5382jEwlseifDZsxbxsQKBgQDiYcg+zZhZPCy/6mJE +fjUqKflQDlSxZKhQGitttFwfc39gQtmJ9QnH+PoerKNl5VKb0tl8UlRkL2UjIajI +iIkisTzMkqiqunPbDsgoSxjpkD3N0hNhnRfpRqD74Y8iOvNUfVxyYuhrYjDt0cb8 +be53oX4rvSl1KbbaQIQ1rtzmWQKBgQDQzh1HVzM/ETmIByJ5K/6LdJp2QkUtC4Xu +TaStGL/EWe9x8N20IfkbpWGImzE8Mu0Yl49MXkcAtqkrX3lxHhhVhObZTIbs2I1d +Xqv7HwQnUiWnM1JRJbrfzFx1ZiR7PhSRPw3uu6nrFuW2l10RVtnNKY+6TGvnd/w6 +WpVzJrirpQKBgAlZxp6peVh+Ps7yjHqNx/5k23JuFRt6r+UXH6IZaBC4gZNlT3z+ +TRggdZxcvycPUNk03VzgPbIhrwjDdChMU3XGYl+E00iyCOUMeEIJ0A6dsZ/VxI0s +ovc0vqOIzpO4YaKkxvPGmBkPZjv8hT6Z/9abKg3+cz7uqSncrllVTrSJAoGAfIfQ +8nFRQPXW6AfJSZcxcp6SWKFhfGH4+I0Z/5pZFJPGuJ+8uefhF9nkd4KHNK3ytc3+ +Sr+XfRdzgUiptwsJ3EctHsADYFIuzVbfHx/6bDET/8od+AOWlk7dfa7zZwU5Yv7G +InGN/4VibymK+gJgV3nIHIXjfOMUbQEFTO31CXkCgYEAlDIlBIgAgfZKAv/H6hNT +UWnRjR/nGALzdS+kALgmwzn2BOUFgjSFDry6Gn7ZNGlPhJeXPxAfaBE67Yjp3jbx +3lpqu6K3g9hiKwUQJ5qdLwlJhMJNf1xCPCgmmDH7pEuSDEB9RZ2nminhOl9yT6dq +uk1h9WSAVEOfJbOCwQvTqGY= +-----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDJDCCAgwCCQDclmfqcI6z1TANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUV4YW1wbGUsIEluYy4xKDAmBgNVBAMM -H0dvb2QgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwNzEyMDk1MjUz -WhcNMjkwNzA5MDk1MjUzWjBMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAU -BgNVBAoMDUV4YW1wbGUsIEluYy4xGDAWBgNVBAMMD2JhZC5leGFtcGxlLmNvbTCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXO7vgpCsm6WSAT81ImIJL5 -W9O3p22UdbJKULeoVDuaew74MTig8cv/N4MMjsEzsY3kvNlb33fECbsCD1RzsuVs -F9M4DmZcC9joiKTyIpu4nTvWu/WNH0pTjKH24rGtbLFRMqarzgq77DWyz17oqD8b -HuRZ0q53D6UdEI/RbV9NUhiCuUGBEdUYi2eWVWlMcXXPNZr7sb7Aq0vkjuwWgq+T -3eOhTFmc6/n9bpwoy7C72C6FTxre7LSTp204WPf8CqfUo3Ta9kN9KyiB8I4yknIc -RFrpXbuoHGR5oI3Tz+GwNrrQq/yNOLnK2VeMMtSBEpcowYTCzqB4VqB8UnsKMLUC -AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAljiINTae1/lqQRTYc5GNnf9qz0tf56GQ -UMc8LnYsETFJ5cUu7jvgkulXkIH8ItVWG+s96otEqvw7Cibe/PYYUIteS8gIrFLf -OcxaWWaCD4aKYvdwCJ8oRsS/ULzF7VWSBv8fPVHRbBWHh8ET/FR1R684IHaD/7nI -UJYnvzFAfdPJrPo4VdQwk9h0fTC8Q6Yqkxtpm5nQmSyXuV6vWh/Yiltqywn9Hz51 -c4YJx1whXJ5/zcruY2Jj53qs/ZlnifSJ0mm9tpHA5Tm9UfnnUV7vunIzc/n2MYw2 -EudqHqzsZriRHMlASfdGpWLLICrNQMl53A2Fo48mxkAeiXwxlX4Z9w== +MIIDLzCCAhcCFCcuHg7Dz/3Wopfmik1XaJD7AlL4MA0GCSqGSIb3DQEBCwUAMFwx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNRXhhbXBsZSwgSW5j +LjEoMCYGA1UEAwwfR29vZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0y +MzA1MDgwOTAzMDFaFw0zMzA1MDUwOTAzMDFaMEwxCzAJBgNVBAYTAlVTMQswCQYD +VQQIDAJDQTEWMBQGA1UECgwNRXhhbXBsZSwgSW5jLjEYMBYGA1UEAwwPYmFkLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKW3RlN/ +bBuCLA3pfog+mI6NoQ3gLkRk8hfGZErV8tbU3VCTe0xSn3SVVRsokaps4nbuIxUl +75N/LIZnC06+lwxY1AvtEtZLHq5iOaF9UtlIh5T1mKLz0IxAxK3rj3tjV0nYwsaC +5/IdtNRe330HlUsuX+ViKN5FgcBkFwI9SjrqKYaGWG37NBjQHPrtHusurtAc/zyn +C3XH+3gVOrL0cBzQzgAhJ+ZIX0CNCMQdXRIcdldJ8rzH8FASDedLvp0XNVpa75Da +KN0VWyvr3ax6VYjus0LS99VY+OWPSx6Df2fzFPnvAMs8qtU5zgiGUnNdsXGB+jV0 +v/wHBtJZCDXqXQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAw2dgYYeKbv+xfh47O +zWRNAnIICBksQPpWdNNMKmKMCsU1G8Cr+/NtMzp+C3fy7QM51gbU/F4E8SpbB7nV +a68hry157aNc5dnAjXpVoozdg4IY2HnuQcm5d145XkkdVwJOEdGZWq5EMPfeful6 +/csDrOLYRujP14UnZisfVVw56TxguvDQOgU+cIhZ7KKp7oVYNe5vIoPjomuVjoig +nA07kIB9PbVtKJuINqmKcnMvoYjVpsApYZEKIYmNbZ/5P6xtC935WTVVbthM8XvZ +FpZA60qtsVp2O7oyi4EwOLpSo5neB+hicproob1j0FP/EO8mB6I6+HQOz0hEP5KR +HVO6 -----END CERTIFICATE----- diff --git a/extensions/civetweb/tests/resources/goodCA_goodClient.p12 b/extensions/civetweb/tests/resources/goodCA_goodClient.p12 index a5355d553..ec90a6b2d 100644 Binary files a/extensions/civetweb/tests/resources/goodCA_goodClient.p12 and b/extensions/civetweb/tests/resources/goodCA_goodClient.p12 differ diff --git a/extensions/civetweb/tests/resources/goodCA_goodClient.pem b/extensions/civetweb/tests/resources/goodCA_goodClient.pem index e4891c58b..45de62a0a 100644 --- a/extensions/civetweb/tests/resources/goodCA_goodClient.pem +++ b/extensions/civetweb/tests/resources/goodCA_goodClient.pem @@ -1,46 +1,48 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAtdEk8MHL8RFiOuHz/hfyjEe3PxumlNnubzn7u6EdJpiLhOLs -cWcvQAbYvbsyI6duGzKh1FRNmS8+Q/gp/36vmssZy96B4K+axiG7WBqHfjPJbjfa -NHbz3D7D7i36r/Vu/pXsBMPb/DSJ978maY3oikSB9906bx73XJHAx3RLxgLHl4po -vt20SDOY9R2Klcbew4pDXuUpRdEK0h1+fdZkYU92YiAz2O86eYMvwgorCX9tBrcw -sih/cYYiTQ9DMZ3DPJ0HfDH5T5gIPH/+5/YVHaTBdthhIZ13UNY/X8XcOVO/nlzC -3/MtBiTxKj4zIyqncbClm4BqzW3S5hxUQXR32QIDAQABAoIBAAXoCmwrz4VATFGf -X37EpmN6PPC25D13qvBAEPZycHD9iaLCgG3arUVGM6pON33DBaeqiGlOZ8rvJvWs -TSj4o5nCuU7PJqb27W88T0q4aehmpEeJVvRXXOqtu020fq1Sqs1ob2dkOXRC/Kxo -sEXDj2dWfGZh8HEFr4F5VqrkE0YWaQLaNHf9g6vAuOtlNMnhu5iM7mNq0qQi4Qg0 -zmOpEyAK5obhPEa8eYgjuWUeuul342wpMEGaFqD3lr4rnhcESZtm/S37L6lJ24UF -SIBPzuEjEDlthlh3tqgKyQFsHvcMN4XN4850J/nMoX8jDcvnV7iYYFykHEb6y6FZ -+ZlftNECgYEA2hS+s7yer2bQGw3LsKqwpNmpckLeAb84JEbra6i7A7SPUMEYwjOm -Q2ePpz6ZBVDs7qODBgMV2g9a9GCbSzgV7SeQ0367dCPugONckVQvMVU5wPtSkFKF -8jLn66+6YK64ASTqLLVd8TkU3bdByWcsh3JTR/lmDwlSeGjbm1OETj0CgYEA1W41 -Pi8ZbGDrpc9/CnyFCLMaipq9cAm4n/M58CVf0ogxeAXShIcDboTfv7lqpnqM2vg7 -sSRjyHz0++5VZTNSnQDlLIndQHQ6NKKC1tb0zNKlRuL2gwMHwMmWLqCjbLsqSP5E -lHEM8fn2EVAMiKRod01kOY7OnUnPSSgMD7QvJc0CgYEAyWqZi0WtRhDuKd5+/0dW -6JqDrp1lkDV887xwmLl5KH3uU8ZUSKENcXnHqs7c45UPj4SDcd0NpJ3EAqrrIvjE -/4kocL2/AhBhqrbS+wLGp4iwU7WLVvJw9fXgT8S4na0hEyV2Bx7nifCPfgtQfmSF -Mv/7PSFyCncwrTcjhP0I2H0CgYEAkTNbEaUlXLBLYRDbUx0HvLVstyMzAgf7DQaC -QjiLCkYRsZ/0aqkX0pafSmYwgnYZYddDdO5W3Ez2tnacri7OY3X6c+SPG4x3FNwC -u3qeLMKaIrHCF7t2CNicTbiHti9XQzWJHpwSvITbvUeCX2vKjm+eYfIf6q4OUazn -F7/z23kCgYEA0r2N20DkEN9uD281SZbjAmkjYMMvUkDyChk2oWnODZcFkEhuaGM9 -0TBw1vjpoO67H/tSNEUziXMNLtnH4p5gRzP84ZGpMPxe4MK6pIwbDxhDyPlLCwOG -dYnaYyWqsiMbqtv6LbMh/uatuMpCzqJEQZz80xDNUp3k90muk3+0M4w= ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJc+Ry+Wu3upa1 +T/itTN+E8EkB6lPWp7m80CbCfKW8bIhE/oMWn2F2FSyhJ89BUn88oVG+ClcQxWQw +HwNkhLiJQZSpa2c+FMihf4dotfyyRZ3gZeFeAMVendF1A8ng9OToi1uEerDPYu9v +ZYtAMmor1S/S2cBQSDuzfBet7m2KOEAScMIrfyi53a+tKuJdydOi+ZEXTm9DtSpu +gTY10135Q8D2BBnKlfgPC2NwrMKo5GOWAOHJCNtNYCyfO2qyYguo0jaRUbAD8pdb +6fXJUyXkZP5xFGu5UhKVkAx1QUDtKfmDS9ngCMxUgE5t2rLC8FsUd8TtR+fjCTp2 +F/9W2FGJAgMBAAECggEAOiWh8I/OyDrqyk3ZfQgd0kza/dsJtQE3qui371Y0LnVz +RdrispJxerh059VKTNQHltQHeJ+abuRS3VLuU0K90xxjUR2HsNMl7/uT9aTl2f0f +K0is6sm1LnDGJwzfZfe55OdolI4nX8zySIiaT37dx2YjBizFBkc7ODzextz1sDm2 +CbsR4NDJJEP2AKmIHpetXBAYzWN6UXvVUTE5ytoTUJ6bXu5boQPO4Eob70QnzxzO +hZVry86EQuUTDQFWo2yZmzmU8amQ8N8rssc92IObrP1lRcT4QmvLaE6NqK0srFjF +8fiRTSQs04Hj8wGvimhoH3Vz+tPYlMCpIoMym0EMswKBgQDs3vMGqWNcrNuEFgQ1 +f9BPIf2Mj9aAUu/h8AkRObHNOPfKoeY0FI+f47tViKJqYArF9tGj1iSOj6+hOEdO +4vjiUZwIevXpDPiNZMfk9pX4ikd4jQziZOsbb2emMhZ3O8zQcyXymrfHXaAFo2vM +QL68AvyBDYio33OFBeaGCO9OSwKBgQDZuLXJCv6IPgK6cCJvgY1/HwS8IIEiE3lw +dQQM7ABaUXKbNZU35k4gMdl0FVya6xBO4ytMd3+9n0vfQmG2NNokhLpV91xUpqfp +eRKP0ljd537J/n88ocp07n8X5T/QS/XuqgiPUOGBsLQo+cbyTudkPdCqvhXvHObt +9Qe+JDLq+wKBgQDse/I6FmcjIVjP2IM/PmokdxUCfqBy4VqpQdJrpiRDdbq+TUDd +giGaSezACnfMqDJZToAiiCtbQUzhMqTOt4Avw7Z6KPjWQaLs109S4nT7/GI6kufo +J0Uq0OC0ZpFTXRqwiiW6voj4vBqFRpDbDVDfuEOMPIzRvLVCe4+ZBdaVXQKBgBHi +CRRtUcDRDxpPMZTlGEEzxAjLxq+M1/GzutRw4gqJHBfBi/MeeJZOYeUWCBg1bI5+ +PEU4n4ZsuiepZSs5Jh3PxRpgifXuBma36h1kEqaPaCuhOsQ5Kc728/t7egVa5+Vl +k/RpmUw0vmeLNJscfgcOyL/tgxGz1wf+k1c70+7XAoGAfxhxYa9RWY+prTa9Z24Y +4ZbSDWLPlSI4HoquJQXnnruAUKSTAq5/cPwz03MOfJ7tnZlREYLgi2c5kHqsIA1L +Gs+NH+3F4MnlGAeNMf8t1Hv1/G8c9adqsIq0Xl/3pEbNC6I3uAWporLsDqyZ+8Xe +ypr2srbhy9jzXAF4BOD/0JY= +-----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDJTCCAg0CCQDclmfqcI6z1DANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUV4YW1wbGUsIEluYy4xKDAmBgNVBAMM -H0dvb2QgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwNzEyMDk1MjUz -WhcNMjkwNzA5MDk1MjUzWjBNMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAU -BgNVBAoMDUV4YW1wbGUsIEluYy4xGTAXBgNVBAMMEGdvb2QuZXhhbXBsZS5jb20w -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC10STwwcvxEWI64fP+F/KM -R7c/G6aU2e5vOfu7oR0mmIuE4uxxZy9ABti9uzIjp24bMqHUVE2ZLz5D+Cn/fq+a -yxnL3oHgr5rGIbtYGod+M8luN9o0dvPcPsPuLfqv9W7+lewEw9v8NIn3vyZpjeiK -RIH33TpvHvdckcDHdEvGAseXimi+3bRIM5j1HYqVxt7DikNe5SlF0QrSHX591mRh -T3ZiIDPY7zp5gy/CCisJf20GtzCyKH9xhiJND0MxncM8nQd8MflPmAg8f/7n9hUd -pMF22GEhnXdQ1j9fxdw5U7+eXMLf8y0GJPEqPjMjKqdxsKWbgGrNbdLmHFRBdHfZ -AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIh6k/epw3dWtRuMwXxjqEobi/RD/8Nk -52kX6x8WTcnglrSzPSvkhnfR5PQ9whY2Zbw0aVdenejlGZEi8cAxwmJbN4NIhQwW -FjHYYQA0MPgFGq/4XFT9E49aS212+ivUBRoPlWfw7QmCdGq3z6eQGfVtIGGLfSGH -cvnC9Z4VdY0RJrnzgRKd7iq/RW66u3Uyg1fdOKCp9F5PSwwl+6dPgKO84muWjRi4 -9y+htcXSboEtYQy/ncul0MeJ8fGTY1YEG2QUolmCKeJ8a2e6SHcX0Unu+6tAD8sK -fjpZAOI1lgRrhrIKhi3Rx0aCkhayhvvScDQL0ODA5ciCu5EJHRhWCbg= +MIIDMDCCAhgCFCATPgdKTOZ2jrvaPyYC8lQnk9UaMA0GCSqGSIb3DQEBCwUAMFwx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNRXhhbXBsZSwgSW5j +LjEoMCYGA1UEAwwfR29vZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0y +MzA1MDgwOTAzMDBaFw0zMzA1MDUwOTAzMDBaME0xCzAJBgNVBAYTAlVTMQswCQYD +VQQIDAJDQTEWMBQGA1UECgwNRXhhbXBsZSwgSW5jLjEZMBcGA1UEAwwQZ29vZC5l +eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMlz5HL5 +a7e6lrVP+K1M34TwSQHqU9anubzQJsJ8pbxsiET+gxafYXYVLKEnz0FSfzyhUb4K +VxDFZDAfA2SEuIlBlKlrZz4UyKF/h2i1/LJFneBl4V4AxV6d0XUDyeD05OiLW4R6 +sM9i729li0AyaivVL9LZwFBIO7N8F63ubYo4QBJwwit/KLndr60q4l3J06L5kRdO +b0O1Km6BNjXTXflDwPYEGcqV+A8LY3CswqjkY5YA4ckI201gLJ87arJiC6jSNpFR +sAPyl1vp9clTJeRk/nEUa7lSEpWQDHVBQO0p+YNL2eAIzFSATm3assLwWxR3xO1H +5+MJOnYX/1bYUYkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAObORhtI4TddtMORR +n+/CWNa4TcyjLgp+Ny1AwfJgUWk8B6zCGHL3WNuynMB9Xo0fByIylkHoAOcsnPi6 +wE3LLd3eodXSP8Ld4pRfxhbEUS1StWaRk7qaj1Ew3B9Jb3JkRTyRoAwkVHwequQ0 +HrOKx//Qg5FnPM59hsLBCbPEz4u2AtIhwpIi6ZY2iT9BbhY+l9Iso3mZtX7kXvAm +zBoFzCcoMQCVq5ahsvISjz+wHKEyID4+5tmKFjmYhmu+arinqAmALXKvpOttmXmJ +e859IkBJwMt4j8UgT2o5cEWZhDUpLIEXEOkAp8y5e7wtyMjbJqohP1XCb9JtkRJ7 +nDuvPg== -----END CERTIFICATE----- diff --git a/extensions/civetweb/tests/resources/server.p12 b/extensions/civetweb/tests/resources/server.p12 index f4616b4f3..375485141 100644 Binary files a/extensions/civetweb/tests/resources/server.p12 and b/extensions/civetweb/tests/resources/server.p12 differ diff --git a/extensions/civetweb/tests/resources/server.pem b/extensions/civetweb/tests/resources/server.pem index 5d4ae85b1..5fada4340 100644 --- a/extensions/civetweb/tests/resources/server.pem +++ b/extensions/civetweb/tests/resources/server.pem @@ -1,46 +1,47 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAu68f+fPUMAWkBGrqImsm5geyfwrZaHkoyNHD0fqV+eHGIerN -lPwKIqc5jGZk1gC2557O7QbguRjTYyCXlgf8Os60nZmcvYKiTEddVaSzunFroHlb -M3teePOdraO9Dmot9FSo31iaCrEhTVMLSEvlSCgtOZxrVzz2+WraO6s7BGLASwha -Gk5K+vvaa2GEK8qyj6ybRSRr301pr/ZUpYKzVcuyfSAVGD+D+oJM7sUc73n3Az8o -fGMNUx0tbTy9o9XMgzoqyZD2c6LdkPhVyc/bc8PaMb2jKuybGiXHroUb301hInAE -LeUn5YAH7AeG6mwRWcEGY0OZVO+uqwFA3Ozv3QIDAQABAoIBAQCl3uAjx5p/1nxe -ax8BzDFUmvjlznDWJD4nPTwTF6P0c9TnpNyMDzPl7GSv8M6tU3RSv8ehM7Ln40jv -Ep7luajxUD3QCzK7Sfil8WxLhIRTAmpcKOSxWxbjTmrMSymK08xJY4jb2zJIwMLt -07bk7i501w0hHVzAfODJDeZRVcOS2y9yDkEHAnX4plcasFNKG1jOk1nT6hjRkD3u -BK8Xntqryk2VWXn5SLm6zrHq7ca+uLD4+iXB3oTGYWIdXJaG+PN2BrwmQncMm8cj -dFwwW1EzRqCkSNv7y69HxGugaYAoKUHZ5mXv2Hy9VN54N+/EsNiDZtLMgtPqwOLl -+KtQVKgBAoGBAOjAsqMi1oCjIDhxbqMayaV0TBX3AMC6vtMEkW3MH05JCFlGYDTr -rBeqb8tZWJqv+tjGsyl5wiffk7nSXEBnQk08fnv9DW/0sLUBiJCrwSdKRhD0pGF+ -sPpCOGU1ir7lYlRNViXoipGkbk+OEkfqBh6NYscu6J2xu7ASy7tg6F4JAoGBAM5u -DsVMmOZehZHZGkc1SeDLIPqGIX2ek5yeFmrTYuO62XEeP/MLL1fuKTihcoMuzz5D -tgIjtKsEMv8RH5+XBu8WGsoJ5z/+cDuEJD6XKiKzbZMFMHNwFqoXoMgk3xA9V3zW -Df0BeKhC+LRZVT8ENtzJQm1eaGrjUsRvEhX+I7g1AoGAAqVWIoad255/GkUn1dDT -I/9bchB5wLcevjVaFd5xKKmp36HuLAvVy/sTBEPCvxdrCZXQqZMJwvxGqKEcjVrf -JROf+Hba9T/Z1mTrEYHyUykD/ONbDwSqrF2eWIAwUJU49e5fIVUwZhFxc5QQ3yJo -6WYADnWZDVnc4VaFXF7wpUkCgYBA3t8va2HFS0DoU3RpmjpsNQlZERunMVUr65YZ -3fH+pLI+VQY9p28qT8KOdFXbGbOw2nBw/a2B7KDl/QiWC0z3h1fF1BTizF+SpHUL -Yk+wdfhiMkhGjpvgueoh20xp+wzqQw5EStkS73DepBAg7H8dJPYGDpv7sxJIfqsN -VD7/XQKBgQDQnLwMQdsSZmkWUBIbTV3aqQqtoRun2GIol+YZzx0fCN+1SWd828po -kzH7sgrim8G9psGEjIJmVLbGhPKKqNMhJS/hZIuREFd9yQ5zLlz//A/qQPsabaUw -kNly6sCvEakSa9O5EP6bGAZL1WfN3XqvrUo2bF6EjqV5R3b6fQK4dg== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyoBlUQNG9vooM +lQ+dtqGBa8g8s6K+EmJhg8eKkCzxcjjxbuF7RP27HvfO7OBj4U6sa158MYJovPv/ +yS+wiWvhZPguODT8WhAAKrDuaq8VUR/q4P2ITGauqL/56Hofllui7EPlKiBbc4sp +fHWGXwR8lHpwS0DcUn+GKsGQp8TRFMZGcz5Aabee+9P5Cur1dB66iTWS5Xdz3VBv +XM0Loc2GdHhV+LN1pY/TcWkUujYSBsBQ71X82ErfMRA/AX4HogTYYIEXrWYBijOs +3xzp1zUsQZHTtDGcTqZ7177tUkPyEntSmbqT0/FtPaTb2GdVA93PvT7j1eoYdtor +jnNwLBedAgMBAAECggEAUSLQrokM3FO2sBVrNPe2b6uOFiiAdTazkljB5AouJ/P6 +sovrhsslN4BPDqJhIG1Ah6fzkJUKh9nD24E+lMEvDAAJjTEBvFiKaRD7MiiqY5Po +XA+bifQuNgq3vOPgyQVKlXwdMPRMI04d+ZeraIAzcQUegnBkQ0+D1mUIbFUQXOl/ +KIFo6OqRao0Jn3eZQO57anwjq7612+gdrKlqG8FfCvuDb2yrakSA6K2cEO8PGVYg +oiisUHjOWnnu9I1rfZOKM+xA8kPhd/zr8gjOiHnm9QArcBkFfz5ibKzUY2Bo0vp+ ++srjZqtiR7TVvNnJp6K/A6oWIh+sXJA2qYtgOsEgfwKBgQC6BarZm7tyRJJ9HUw0 +xOatYDnFphCbrpJ3fwWoE49EQmoSlB3Ei70WECeTYsaCYyyrKRXJQyIGNHI92EDM +pUZXuRfADpc94xlHUog9oJsqFRFTfPU252NnVUQNkt50igNmcb67FTRQmIwMalDl +TyJdq0jsdRon/aEHYn+JLAV3/wKBgQD10hvCYaaO9PlkKpbgQTrGdb4rehLpuQDt +lHtk45wPWEnBplo8ZKgTR1qQN8Maz7saPWtkZEF7SRbPa/TjbQV/DupAzQ22z3rK +vuOcJDsJqNlW/wVYcx+qJ/sVAlVDKMnIAesKAdtSzhaS1bp7h+aGmf5/1BqfH5/n +2R4sQ3FQYwKBgGorKeOguk7xTBoUSpYjevSg4tgne3sfG4EQAg53e2Ed9qQ73PF8 +P6MD/VJlIZ7xM2FMxZ5krlqUPE+HyRQDkC4o+aEnsrIjlx3ZwOBLdcOC2qynuNxp +G5ayV3DXzhb9XgtuB8mGxKDrL6M2Wo1FqPuE8s3h19fTLcClOtzzPvvJAoGBAJlk +TZwjESr9pK2jgdhX+9QhXtSEbU7Y+cJGuCUBfr14izXCl2Y+LT8ydEmv8hhF7ev2 +zY+sm8vRlOFD7WEJA7gAV56uFdOwbmAbc65YUVq6uTx3EB/cXrLwFdZLSWcKCbe7 +sq3g8LogDaf8pEw3RltRtqSPdzk6I68qJZDbWNcfAoGAGJezF5utNRsJt163x0lc +kEcmSga4G3gtd8MmcBku7n3lSuTbbgtIb+kIDZAqhXefbxexKaQ1WCmqtTxtGWYW +WtK08Wa0DkWk5MLU6Z8I56NqfVkquSprsPjFEV+fpUjyJXDpnXGyD9oTWSMEJzlc +knfycrxH0v52i3MAkxHes3Q= +-----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -MIIDHjCCAgYCCQDclmfqcI6z0zANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJV -UzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUV4YW1wbGUsIEluYy4xKDAmBgNVBAMM -H0dvb2QgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkwNzEyMDk1MjUz -WhcNMjkwNzA5MDk1MjUzWjBGMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAU -BgNVBAoMDUV4YW1wbGUsIEluYy4xEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBALuvH/nz1DAFpARq6iJrJuYHsn8K2Wh5 -KMjRw9H6lfnhxiHqzZT8CiKnOYxmZNYAtueezu0G4LkY02Mgl5YH/DrOtJ2ZnL2C -okxHXVWks7pxa6B5WzN7Xnjzna2jvQ5qLfRUqN9YmgqxIU1TC0hL5UgoLTmca1c8 -9vlq2jurOwRiwEsIWhpOSvr72mthhCvKso+sm0Uka99Naa/2VKWCs1XLsn0gFRg/ -g/qCTO7FHO959wM/KHxjDVMdLW08vaPVzIM6KsmQ9nOi3ZD4VcnP23PD2jG9oyrs -mxolx66FG99NYSJwBC3lJ+WAB+wHhupsEVnBBmNDmVTvrqsBQNzs790CAwEAATAN -BgkqhkiG9w0BAQsFAAOCAQEAbQswzjiFCYaA7v7nwAbi6EPJgeqyITBduPZLFMLO -WEhhOm3B9x2jhxkojlIaGq99sC3WXfX2A8xtOj3D0w2/rFyTk+4rfnbJD81qIuUN -bcYajh2mCBl2j+OP34sxd5G79eDgY4N0wIXLoG+NfpOK5r3G5/hKC0ccd0srkunr -WJi7kI512uA6KFqw2dUl6KFV0Tqvz8Dsp8UKxc6JoikZ1LTIUfNordaWeCt6Kwv+ -agsnY3+SKp8yv8GMu0FRbBrTkypXLrbKhtU4LuJkEgNvW1ymvN8vghAYty6YKPxi -FGuf5L43MQEP9zUANUZrHGhThWoIEShb1qjHQnxjSgaV7A== +MIIDKTCCAhECFAsO1DdNqNctry2rRzEy9fc6NGMTMA0GCSqGSIb3DQEBCwUAMFwx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNRXhhbXBsZSwgSW5j +LjEoMCYGA1UEAwwfR29vZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0y +MzA1MDgwOTAzMDBaFw0zMzA1MDUwOTAzMDBaMEYxCzAJBgNVBAYTAlVTMQswCQYD +VQQIDAJDQTEWMBQGA1UECgwNRXhhbXBsZSwgSW5jLjESMBAGA1UEAwwJbG9jYWxo +b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsqAZVEDRvb6KDJUP +nbahgWvIPLOivhJiYYPHipAs8XI48W7he0T9ux73zuzgY+FOrGtefDGCaLz7/8kv +sIlr4WT4Ljg0/FoQACqw7mqvFVEf6uD9iExmrqi/+eh6H5ZbouxD5SogW3OLKXx1 +hl8EfJR6cEtA3FJ/hirBkKfE0RTGRnM+QGm3nvvT+Qrq9XQeuok1kuV3c91Qb1zN +C6HNhnR4VfizdaWP03FpFLo2EgbAUO9V/NhK3zEQPwF+B6IE2GCBF61mAYozrN8c +6dc1LEGR07QxnE6me9e+7VJD8hJ7Upm6k9PxbT2k29hnVQPdz70+49XqGHbaK45z +cCwXnQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAXZ0mtdB7xOhUn1mJP8nuUPbLA +Q6Bd+0/litJ24RDGzyclsOmNBZ3TNIIvG3NNKf9V02KIBwsTXfM81CAsa7u8sX+O +x93axb+7K1z+QDQ8OGiVdGpoS++kq9b2uRDpnuiubSShs9Lm23q0cRU8/SnGlyZP +lNDlMJ07l4R0thu929Y378wgVJIVL2j8muSfwgerUjizKHcMoz1gE+atQLs3YqVz +97BtY1RyiNJmZPx4FInhVwTMbFHKYCSx8yCl/owDhRNIPDNiwkr4OcydyrUmIPFx +z17T/OS6QivB2WpWUQlB7wiAKGUzmDDSPWNI63AzTsRgMdjn+rLBt2NtXDdE -----END CERTIFICATE----- diff --git a/extensions/http-curl/CMakeLists.txt b/extensions/http-curl/CMakeLists.txt index 67edd3129..cdecc4cdc 100644 --- a/extensions/http-curl/CMakeLists.txt +++ b/extensions/http-curl/CMakeLists.txt @@ -33,5 +33,9 @@ add_library(minifi-http-curl SHARED ${SOURCES}) target_link_libraries(minifi-http-curl ${LIBMINIFI} Threads::Threads) target_link_libraries(minifi-http-curl CURL::libcurl RapidJSON) +if (APPLE) + target_link_libraries(minifi-http-curl "-framework CoreFoundation -framework SystemConfiguration") +endif() + register_extension(minifi-http-curl "HTTP CURL" HTTP-CURL "This enables RESTProtocol, InvokeHTTP, and the HTTPClient for Site to Site" "extensions/http-curl/tests/") register_extension_linter(minifi-http-curl-linter) diff --git a/extensions/http-curl/client/HTTPClient.cpp b/extensions/http-curl/client/HTTPClient.cpp index 95caebe01..f375dc772 100644 --- a/extensions/http-curl/client/HTTPClient.cpp +++ b/extensions/http-curl/client/HTTPClient.cpp @@ -145,6 +145,29 @@ void HTTPClient::clearBasicAuth() { } bool HTTPClient::setSpecificSSLVersion(utils::SSLVersion specific_version) { +#ifdef OPENSSL_SUPPORT + if (ssl_context_service_) { + switch (specific_version) { + case utils::SSLVersion::TLSv1_0: { + ssl_context_service_->setMinTlsVersion(TLS1_VERSION); + ssl_context_service_->setMaxTlsVersion(TLS1_VERSION); + break; + } + case utils::SSLVersion::TLSv1_1: { + ssl_context_service_->setMinTlsVersion(TLS1_1_VERSION); + ssl_context_service_->setMaxTlsVersion(TLS1_1_VERSION); + break; + } + case utils::SSLVersion::TLSv1_2: { + ssl_context_service_->setMinTlsVersion(TLS1_2_VERSION); + ssl_context_service_->setMaxTlsVersion(TLS1_2_VERSION); + break; + } + default: break; + } + } +#endif + #if CURL_AT_LEAST_VERSION(7, 54, 0) // bitwise or of different enum types is deprecated in C++20, but the curl api explicitly supports ORing one of CURL_SSLVERSION and one of CURL_SSLVERSION_MAX switch (specific_version) { @@ -163,6 +186,26 @@ bool HTTPClient::setSpecificSSLVersion(utils::SSLVersion specific_version) { // If not set, the default will be TLS 1.0, see https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html bool HTTPClient::setMinimumSSLVersion(utils::SSLVersion minimum_version) { +#ifdef OPENSSL_SUPPORT + if (ssl_context_service_) { + switch (minimum_version) { + case utils::SSLVersion::TLSv1_0: { + ssl_context_service_->setMinTlsVersion(TLS1_VERSION); + break; + } + case utils::SSLVersion::TLSv1_1: { + ssl_context_service_->setMinTlsVersion(TLS1_1_VERSION); + break; + } + case utils::SSLVersion::TLSv1_2: { + ssl_context_service_->setMinTlsVersion(TLS1_2_VERSION); + break; + } + default: break; + } + } +#endif + CURLcode ret = CURLE_UNKNOWN_OPTION; switch (minimum_version) { case utils::SSLVersion::TLSv1_0: diff --git a/extensions/kubernetes/CMakeLists.txt b/extensions/kubernetes/CMakeLists.txt index 7421904fa..f841d95f1 100644 --- a/extensions/kubernetes/CMakeLists.txt +++ b/extensions/kubernetes/CMakeLists.txt @@ -15,7 +15,7 @@ # specific language governing permissions and limitations # under the License. -if (NOT (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND ENABLE_KUBERNETES)) +if (NOT (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND ENABLE_KUBERNETES) OR OPENSSL_OFF) return() endif() diff --git a/extensions/standard-processors/processors/HashContent.h b/extensions/standard-processors/processors/HashContent.h index 33224d505..72c42eb02 100644 --- a/extensions/standard-processors/processors/HashContent.h +++ b/extensions/standard-processors/processors/HashContent.h @@ -21,8 +21,9 @@ #ifdef OPENSSL_SUPPORT -#include <openssl/md5.h> +#include <openssl/evp.h> #include <openssl/sha.h> +#include <openssl/md5.h> #include <array> #include <cstdint> @@ -49,21 +50,24 @@ namespace { // NOLINT HashReturnType ret_val; ret_val.second = 0; std::array<std::byte, HASH_BUFFER_SIZE> buffer{}; - MD5_CTX context; - MD5_Init(&context); + EVP_MD_CTX *context = EVP_MD_CTX_new(); + const auto guard = gsl::finally([&context]() { + EVP_MD_CTX_free(context); + }); + EVP_DigestInit_ex(context, EVP_md5(), nullptr); size_t ret = 0; do { ret = stream->read(buffer); if (ret > 0) { - MD5_Update(&context, buffer.data(), ret); + EVP_DigestUpdate(context, buffer.data(), ret); ret_val.second += gsl::narrow<int64_t>(ret); } } while (ret > 0); if (ret_val.second > 0) { std::array<std::byte, MD5_DIGEST_LENGTH> digest{}; - MD5_Final(reinterpret_cast<unsigned char*>(digest.data()), &context); + EVP_DigestFinal_ex(context, reinterpret_cast<unsigned char*>(digest.data()), nullptr); ret_val.first = org::apache::nifi::minifi::utils::StringUtils::to_hex(digest, true /*uppercase*/); } return ret_val; @@ -73,21 +77,24 @@ namespace { // NOLINT HashReturnType ret_val; ret_val.second = 0; std::array<std::byte, HASH_BUFFER_SIZE> buffer{}; - SHA_CTX context; - SHA1_Init(&context); + EVP_MD_CTX *context = EVP_MD_CTX_new(); + const auto guard = gsl::finally([&context]() { + EVP_MD_CTX_free(context); + }); + EVP_DigestInit_ex(context, EVP_sha1(), nullptr); size_t ret = 0; do { ret = stream->read(buffer); if (ret > 0) { - SHA1_Update(&context, buffer.data(), ret); + EVP_DigestUpdate(context, buffer.data(), ret); ret_val.second += gsl::narrow<int64_t>(ret); } } while (ret > 0); if (ret_val.second > 0) { std::array<std::byte, SHA_DIGEST_LENGTH> digest{}; - SHA1_Final(reinterpret_cast<unsigned char*>(digest.data()), &context); + EVP_DigestFinal_ex(context, reinterpret_cast<unsigned char*>(digest.data()), nullptr); ret_val.first = org::apache::nifi::minifi::utils::StringUtils::to_hex(digest, true /*uppercase*/); } return ret_val; @@ -97,21 +104,24 @@ namespace { // NOLINT HashReturnType ret_val; ret_val.second = 0; std::array<std::byte, HASH_BUFFER_SIZE> buffer{}; - SHA256_CTX context; - SHA256_Init(&context); + EVP_MD_CTX *context = EVP_MD_CTX_new(); + const auto guard = gsl::finally([&context]() { + EVP_MD_CTX_free(context); + }); + EVP_DigestInit_ex(context, EVP_sha256(), nullptr); size_t ret; do { ret = stream->read(buffer); if (ret > 0) { - SHA256_Update(&context, buffer.data(), ret); + EVP_DigestUpdate(context, buffer.data(), ret); ret_val.second += gsl::narrow<int64_t>(ret); } } while (ret > 0); if (ret_val.second > 0) { std::array<std::byte, SHA256_DIGEST_LENGTH> digest{}; - SHA256_Final(reinterpret_cast<unsigned char*>(digest.data()), &context); + EVP_DigestFinal_ex(context, reinterpret_cast<unsigned char*>(digest.data()), nullptr); ret_val.first = org::apache::nifi::minifi::utils::StringUtils::to_hex(digest, true /*uppercase*/); } return ret_val; diff --git a/extensions/standard-processors/tests/integration/TLSClientSocketSupportedProtocolsTest.cpp b/extensions/standard-processors/tests/integration/TLSClientSocketSupportedProtocolsTest.cpp index 0f15a33d0..8ca1c3efa 100644 --- a/extensions/standard-processors/tests/integration/TLSClientSocketSupportedProtocolsTest.cpp +++ b/extensions/standard-processors/tests/integration/TLSClientSocketSupportedProtocolsTest.cpp @@ -30,25 +30,24 @@ #include "SimpleSSLTestServer.h" namespace minifi = org::apache::nifi::minifi; - class SimpleSSLTestServerTLSv1 : public SimpleSSLTestServer { public: SimpleSSLTestServerTLSv1(int port, const std::filesystem::path& key_dir) - : SimpleSSLTestServer(TLSv1_server_method(), port, key_dir) { + : SimpleSSLTestServer(TLS1_VERSION, port, key_dir) { } }; class SimpleSSLTestServerTLSv1_1 : public SimpleSSLTestServer { public: SimpleSSLTestServerTLSv1_1(int port, const std::filesystem::path& key_dir) - : SimpleSSLTestServer(TLSv1_1_server_method(), port, key_dir) { + : SimpleSSLTestServer(TLS1_1_VERSION, port, key_dir) { } }; class SimpleSSLTestServerTLSv1_2 : public SimpleSSLTestServer { public: SimpleSSLTestServerTLSv1_2(int port, const std::filesystem::path& key_dir) - : SimpleSSLTestServer(TLSv1_2_server_method(), port, key_dir) { + : SimpleSSLTestServer(TLS1_2_VERSION, port, key_dir) { } }; diff --git a/extensions/standard-processors/tests/integration/TLSServerSocketSupportedProtocolsTest.cpp b/extensions/standard-processors/tests/integration/TLSServerSocketSupportedProtocolsTest.cpp index ac79bb3e5..bf6333212 100644 --- a/extensions/standard-processors/tests/integration/TLSServerSocketSupportedProtocolsTest.cpp +++ b/extensions/standard-processors/tests/integration/TLSServerSocketSupportedProtocolsTest.cpp @@ -119,10 +119,12 @@ void log_addrinfo(addrinfo* const ai, minifi::core::logging::Logger& logger) { class SimpleSSLTestClient { public: - SimpleSSLTestClient(const SSL_METHOD* method, std::string host, std::string port) : + SimpleSSLTestClient(uint64_t version, std::string host, std::string port) : host_(std::move(host)), port_(std::move(port)) { - ctx_ = SSL_CTX_new(method); + ctx_ = SSL_CTX_new(TLS_client_method()); + SSL_CTX_set_min_proto_version(ctx_, version); + SSL_CTX_set_max_proto_version(ctx_, version); sfd_ = openConnection(host_.c_str(), port_.c_str(), *logger_); if (ctx_ != nullptr) ssl_ = SSL_new(ctx_); @@ -194,21 +196,21 @@ class SimpleSSLTestClient { class SimpleSSLTestClientTLSv1 : public SimpleSSLTestClient { public: SimpleSSLTestClientTLSv1(const std::string& host, const std::string& port) - : SimpleSSLTestClient(TLSv1_client_method(), host, port) { + : SimpleSSLTestClient(TLS1_VERSION, host, port) { } }; class SimpleSSLTestClientTLSv1_1 : public SimpleSSLTestClient { public: SimpleSSLTestClientTLSv1_1(const std::string& host, const std::string& port) - : SimpleSSLTestClient(TLSv1_1_client_method(), host, port) { + : SimpleSSLTestClient(TLS1_1_VERSION, host, port) { } }; class SimpleSSLTestClientTLSv1_2 : public SimpleSSLTestClient { public: SimpleSSLTestClientTLSv1_2(const std::string& host, const std::string& port) - : SimpleSSLTestClient(TLSv1_2_client_method(), host, port) { + : SimpleSSLTestClient(TLS1_2_VERSION, host, port) { } }; diff --git a/extensions/standard-processors/tests/unit/HashContentTest.cpp b/extensions/standard-processors/tests/unit/HashContentTest.cpp index d0a1f6e4d..efd24d93e 100644 --- a/extensions/standard-processors/tests/unit/HashContentTest.cpp +++ b/extensions/standard-processors/tests/unit/HashContentTest.cpp @@ -110,19 +110,19 @@ TEST_CASE("Test usage of ExtractText", "[extracttextTest]") { } std::stringstream ss2; - ss2 << "key:" << MD5_ATTR << " value:" << MD5_CHECKSUM; + ss2 << "key:" << MD5_ATTR << " value:" << MD5_CHECKSUM << "\n"; std::string log_check = ss2.str(); REQUIRE(LogTestController::getInstance().contains(log_check)); ss2.str(""); - ss2 << "key:" << SHA1_ATTR << " value:" << SHA1_CHECKSUM; + ss2 << "key:" << SHA1_ATTR << " value:" << SHA1_CHECKSUM << "\n"; log_check = ss2.str(); REQUIRE(LogTestController::getInstance().contains(log_check)); ss2.str(""); - ss2 << "key:" << SHA256_ATTR << " value:" << SHA256_CHECKSUM; + ss2 << "key:" << SHA256_ATTR << " value:" << SHA256_CHECKSUM << "\n"; log_check = ss2.str(); REQUIRE(LogTestController::getInstance().contains(log_check)); diff --git a/extensions/standard-processors/tests/unit/ListenTcpTests.cpp b/extensions/standard-processors/tests/unit/ListenTcpTests.cpp index 32b0c6558..a2d01dac5 100644 --- a/extensions/standard-processors/tests/unit/ListenTcpTests.cpp +++ b/extensions/standard-processors/tests/unit/ListenTcpTests.cpp @@ -287,7 +287,7 @@ TEST_CASE("Test ListenTCP SSL/TLS compatibility", "[ListenTCP][NetworkListenerPr SECTION("tlsv13 should be enabled") { client_method = asio::ssl::context::method::tlsv13_client; - expected_to_work = true; + expected_to_work = false; } if (!isSslMethodAvailable(client_method)) diff --git a/fedora.sh b/fedora.sh index 881659888..61048156d 100644 --- a/fedora.sh +++ b/fedora.sh @@ -84,6 +84,8 @@ build_deps(){ INSTALLED+=("libssh2-devel") elif [ "$FOUND_VALUE" = "boost" ]; then INSTALLED+=("boost-devel") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/libminifi/include/controllers/SSLContextService.h b/libminifi/include/controllers/SSLContextService.h index 300db0266..0ea92fed0 100644 --- a/libminifi/include/controllers/SSLContextService.h +++ b/libminifi/include/controllers/SSLContextService.h @@ -158,6 +158,13 @@ class SSLContextService : public core::controller::ControllerService { } #ifdef OPENSSL_SUPPORT + void setMinTlsVersion(long min_version) { // NOLINT(runtime/int) long due to SSL lib API + minimum_tls_version_ = min_version; + } + + void setMaxTlsVersion(long max_version) { // NOLINT(runtime/int) long due to SSL lib API + maximum_tls_version_ = max_version; + } bool configure_ssl_context(SSL_CTX *ctx); #endif @@ -247,6 +254,8 @@ class SSLContextService : public core::controller::ControllerService { bool useClientCertificate(PCCERT_CONTEXT certificate, ClientCertCallback cb) const; bool useServerCertificate(PCCERT_CONTEXT certificate, ServerCertCallback cb) const; #endif // WIN32 + long minimum_tls_version_ = -1; // NOLINT(runtime/int) long due to SSL lib API + long maximum_tls_version_ = -1; // NOLINT(runtime/int) long due to SSL lib API #endif // OPENSSL_SUPPORT void verifyCertificateExpiration(); diff --git a/libminifi/include/utils/tls/ExtendedKeyUsage.h b/libminifi/include/utils/tls/ExtendedKeyUsage.h index c34b01efa..089433ab0 100644 --- a/libminifi/include/utils/tls/ExtendedKeyUsage.h +++ b/libminifi/include/utils/tls/ExtendedKeyUsage.h @@ -27,12 +27,7 @@ struct stack_st_ASN1_OBJECT; typedef stack_st_ASN1_OBJECT EXTENDED_KEY_USAGE; -namespace org { -namespace apache { -namespace nifi { -namespace minifi { -namespace utils { -namespace tls { +namespace org::apache::nifi::minifi::utils::tls { struct EXTENDED_KEY_USAGE_deleter { void operator()(EXTENDED_KEY_USAGE* key_usage) const; @@ -55,11 +50,6 @@ class ExtendedKeyUsage { std::shared_ptr<core::logging::Logger> logger_; }; -} // namespace tls -} // namespace utils -} // namespace minifi -} // namespace nifi -} // namespace apache -} // namespace org +} // namespace org::apache::nifi::minifi::utils::tls #endif // OPENSSL_SUPPORT diff --git a/libminifi/src/controllers/SSLContextService.cpp b/libminifi/src/controllers/SSLContextService.cpp index 635e95144..a14a004f1 100644 --- a/libminifi/src/controllers/SSLContextService.cpp +++ b/libminifi/src/controllers/SSLContextService.cpp @@ -21,6 +21,7 @@ #include <openssl/err.h> #include <openssl/ssl.h> #include <openssl/x509v3.h> +#include <openssl/bio.h> #ifdef WIN32 #pragma comment(lib, "crypt32.lib") #pragma comment(lib, "Ws2_32.lib") @@ -112,6 +113,35 @@ const core::Property SSLContextService::ClientCertKeyUsage( ->build()); #endif // WIN32 +namespace { +bool is_valid_and_readable_path(const std::filesystem::path& path_to_be_tested) { + std::ifstream file_to_be_tested(path_to_be_tested); + return file_to_be_tested.good(); +} + +#ifdef WIN32 +std::string getCertName(const utils::tls::X509_unique_ptr& cert) { + const size_t BUFFER_SIZE = 256; + char name_buffer[BUFFER_SIZE]; + + BIO* bio = BIO_new(BIO_s_mem()); + if (!bio) { + return {}; + } + const auto guard = gsl::finally([&bio]() { + BIO_free(bio); + }); + + X509_NAME_print_ex(bio, X509_get_subject_name(cert.get()), 0, XN_FLAG_ONELINE); + + int length = BIO_read(bio, name_buffer, BUFFER_SIZE - 1); + name_buffer[length] = '\0'; + + return name_buffer; +} +#endif +} // namespace + void SSLContextService::initialize() { std::lock_guard<std::mutex> lock(initialization_mutex_); if (initialized_) { @@ -165,6 +195,19 @@ bool SSLContextService::configure_ssl_context(SSL_CTX *ctx) { } } + // Security level set to 0 for backwards compatibility to support TLS versions below v1.2 + SSL_CTX_set_security_level(ctx, 0); + + if (minimum_tls_version_ != -1) { + SSL_CTX_set_min_proto_version(ctx, minimum_tls_version_); + } + + if (maximum_tls_version_ != -1) { + SSL_CTX_set_max_proto_version(ctx, maximum_tls_version_); + } else { + SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); + } + return true; } @@ -245,13 +288,14 @@ bool SSLContextService::findClientCertificate(ClientCertCallback cb) const { #ifdef WIN32 bool SSLContextService::addClientCertificateFromSystemStoreToSSLContext(SSL_CTX* ctx) const { return findClientCertificate([&] (auto cert, auto priv_key) -> bool { + auto cert_name = getCertName(cert); if (SSL_CTX_use_certificate(ctx, cert.get()) != 1) { - logger_->log_error("Failed to set certificate from %s, %s", cert->name, getLatestOpenSSLErrorString); + logger_->log_error("Failed to set certificate from %s, %s", cert_name, getLatestOpenSSLErrorString); return false; } if (SSL_CTX_use_PrivateKey(ctx, priv_key.get()) != 1) { - logger_->log_error("Failed to use private key %s, %s", cert->name, getLatestOpenSSLErrorString()); + logger_->log_error("Failed to use private key %s, %s", cert_name, getLatestOpenSSLErrorString()); return false; } return true; @@ -272,36 +316,36 @@ bool SSLContextService::useClientCertificate(PCCERT_CONTEXT certificate, ClientC return false; } + std::string x509_name = getCertName(x509_cert); utils::tls::EVP_PKEY_unique_ptr private_key = utils::tls::extractPrivateKey(certificate); if (!private_key) { - logger_->log_debug("Skipping client certificate %s because it has no exportable private key", x509_cert->name); + logger_->log_debug("Skipping client certificate %s because it has no exportable private key", x509_name); return false; } if (!client_cert_cn_.empty()) { - utils::tls::DistinguishedName dn = utils::tls::DistinguishedName::fromSlashSeparated(x509_cert->name); + utils::tls::DistinguishedName dn = utils::tls::DistinguishedName::fromSlashSeparated(x509_name); std::optional<std::string> cn = dn.getCN(); if (!cn || *cn != client_cert_cn_) { - logger_->log_debug("Skipping client certificate %s because it doesn't match CN=%s", x509_cert->name, client_cert_cn_); + logger_->log_debug("Skipping client certificate %s because it doesn't match CN=%s", x509_name, client_cert_cn_); return false; } } utils::tls::EXTENDED_KEY_USAGE_unique_ptr key_usage{static_cast<EXTENDED_KEY_USAGE*>(X509_get_ext_d2i(x509_cert.get(), NID_ext_key_usage, nullptr, nullptr))}; if (!key_usage) { - logger_->log_error("Skipping client certificate %s because it has no extended key usage", x509_cert->name); + logger_->log_error("Skipping client certificate %s because it has no extended key usage", x509_name); return false; } if (!(client_cert_key_usage_.isSubsetOf(utils::tls::ExtendedKeyUsage{*key_usage}))) { logger_->log_debug("Skipping client certificate %s because its extended key usage set does not contain all usages specified in %s", - x509_cert->name, Configuration::nifi_security_windows_client_cert_key_usage); + x509_name, Configuration::nifi_security_windows_client_cert_key_usage); return false; } - std::string cert_name = x509_cert->name; if (cb(std::move(x509_cert), std::move(private_key))) { - logger_->log_debug("Found client certificate %s", cert_name); + logger_->log_debug("Found client certificate %s", x509_name); return true; } @@ -319,19 +363,20 @@ bool SSLContextService::addServerCertificatesFromSystemStoreToSSLContext(SSL_CTX findServerCertificate([&] (auto cert) -> bool { // return false to indicate that we wish to iterate over all subsequent certificates as well + auto cert_name = getCertName(cert); int success = X509_STORE_add_cert(ssl_store, cert.get()); if (success == 1) { - logger_->log_debug("Added server certificate %s from the system store to the SSL store", cert->name); + logger_->log_debug("Added server certificate %s from the system store to the SSL store", cert_name); return false; } auto err = ERR_peek_last_error(); if (ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) { - logger_->log_debug("Ignoring duplicate server certificate %s", cert->name); + logger_->log_debug("Ignoring duplicate server certificate %s", cert_name); return false; } - logger_->log_error("Failed to add server certificate %s to the SSL store; error: %s", cert->name, getLatestOpenSSLErrorString()); + logger_->log_error("Failed to add server certificate %s to the SSL store; error: %s", cert_name, getLatestOpenSSLErrorString()); return false; }); @@ -387,7 +432,7 @@ std::unique_ptr<SSLContext> SSLContextService::createSSLContext() { OpenSSL_add_all_algorithms(); SSL_load_error_strings(); - method = TLSv1_2_client_method(); + method = TLS_client_method(); SSL_CTX *ctx = SSL_CTX_new(method); if (ctx == nullptr) { @@ -425,13 +470,6 @@ const std::filesystem::path &SSLContextService::getCACertificate() const { return ca_certificate_; } -namespace { -bool is_valid_and_readable_path(const std::filesystem::path& path_to_be_tested) { - std::ifstream file_to_be_tested(path_to_be_tested); - return file_to_be_tested.good(); -} -} // namespace - void SSLContextService::onEnable() { std::filesystem::path default_dir; @@ -603,16 +641,20 @@ void SSLContextService::verifyCertificateExpiration() { } #ifdef WIN32 + + if (use_system_cert_store_ && IsNullOrEmpty(certificate_)) { findClientCertificate([&] (auto cert, auto /*priv_key*/) -> bool { - verify(cert->name, cert); + auto cert_name = getCertName(cert); + verify(cert_name, cert); return false; // keep on iterating, check all }); } if (use_system_cert_store_ && IsNullOrEmpty(ca_certificate_)) { findServerCertificate([&] (auto cert) -> bool { - verify(cert->name, cert); + auto cert_name = getCertName(cert); + verify(cert_name, cert); return false; // keep on iterating, check all }); } diff --git a/libminifi/src/core/state/Value.cpp b/libminifi/src/core/state/Value.cpp index f34478fd1..988b51772 100644 --- a/libminifi/src/core/state/Value.cpp +++ b/libminifi/src/core/state/Value.cpp @@ -17,7 +17,7 @@ */ #include "core/state/Value.h" -#include <openssl/sha.h> +#include <openssl/evp.h> #include <utility> #include <string> #include "rapidjson/prettywriter.h" @@ -32,25 +32,28 @@ const std::type_index Value::BOOL_TYPE = std::type_index(typeid(bool)); const std::type_index Value::DOUBLE_TYPE = std::type_index(typeid(double)); const std::type_index Value::STRING_TYPE = std::type_index(typeid(std::string)); -void hashNode(const SerializedResponseNode& node, SHA512_CTX& ctx) { - SHA512_Update(&ctx, node.name.c_str(), node.name.length()); +void hashNode(const SerializedResponseNode& node, EVP_MD_CTX& ctx) { + EVP_DigestUpdate(&ctx, node.name.c_str(), node.name.length()); const auto valueStr = node.value.to_string(); - SHA512_Update(&ctx, valueStr.c_str(), valueStr.length()); - SHA512_Update(&ctx, &node.array, sizeof(node.array)); - SHA512_Update(&ctx, &node.collapsible, sizeof(node.collapsible)); + EVP_DigestUpdate(&ctx, valueStr.c_str(), valueStr.length()); + EVP_DigestUpdate(&ctx, &node.array, sizeof(node.array)); + EVP_DigestUpdate(&ctx, &node.collapsible, sizeof(node.collapsible)); for (const auto& child : node.children) { hashNode(child, ctx); } } std::string hashResponseNodes(const std::vector<SerializedResponseNode>& nodes) { - SHA512_CTX ctx; - SHA512_Init(&ctx); + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + const auto guard = gsl::finally([&ctx]() { + EVP_MD_CTX_free(ctx); + }); + EVP_DigestInit_ex(ctx, EVP_sha512(), nullptr); for (const auto& node : nodes) { - hashNode(node, ctx); + hashNode(node, *ctx); } - std::array<std::byte, SHA512_DIGEST_LENGTH> digest{}; - SHA512_Final(reinterpret_cast<unsigned char*>(digest.data()), &ctx); + std::array<std::byte, EVP_MAX_MD_SIZE> digest{}; + EVP_DigestFinal_ex(ctx, reinterpret_cast<unsigned char*>(digest.data()), nullptr); return utils::StringUtils::to_hex(digest, true /*uppercase*/); } diff --git a/libminifi/src/io/tls/TLSSocket.cpp b/libminifi/src/io/tls/TLSSocket.cpp index 957f866b3..9ac1cab5f 100644 --- a/libminifi/src/io/tls/TLSSocket.cpp +++ b/libminifi/src/io/tls/TLSSocket.cpp @@ -65,7 +65,7 @@ int16_t TLSContext::initialize(bool server_method) { org::apache::nifi::minifi::utils::StringUtils::toBool(clientAuthStr).value_or(true)); const SSL_METHOD *method; - method = server_method ? TLSv1_2_server_method() : TLSv1_2_client_method(); + method = server_method ? TLS_server_method() : TLS_client_method(); auto local_context = std::unique_ptr<SSL_CTX, decltype(&deleteContext)>(SSL_CTX_new(method), deleteContext); if (local_context == nullptr) { logger_->log_error("Could not create SSL context, error: %s.", std::strerror(errno)); diff --git a/libminifi/src/utils/net/TcpServer.cpp b/libminifi/src/utils/net/TcpServer.cpp index fcd02d1e4..b1fa06b20 100644 --- a/libminifi/src/utils/net/TcpServer.cpp +++ b/libminifi/src/utils/net/TcpServer.cpp @@ -57,7 +57,7 @@ asio::awaitable<void> TcpServer::insecureSession(asio::ip::tcp::socket socket) { namespace { asio::ssl::context setupSslContext(SslServerOptions& ssl_data) { - asio::ssl::context ssl_context(asio::ssl::context::tls_server); + asio::ssl::context ssl_context(asio::ssl::context::tlsv12_server); ssl_context.set_options(asio::ssl::context::default_workarounds | asio::ssl::context::single_dh_use | asio::ssl::context::no_tlsv1 | asio::ssl::context::no_tlsv1_1); ssl_context.set_password_callback([key_pw = ssl_data.cert_data.key_pw](std::size_t&, asio::ssl::context_base::password_purpose&) { return key_pw; }); ssl_context.use_certificate_file(ssl_data.cert_data.cert_loc.string(), asio::ssl::context::pem); diff --git a/libminifi/src/utils/tls/CertificateUtils.cpp b/libminifi/src/utils/tls/CertificateUtils.cpp index c8251b1fe..a8dcb50a5 100644 --- a/libminifi/src/utils/tls/CertificateUtils.cpp +++ b/libminifi/src/utils/tls/CertificateUtils.cpp @@ -22,6 +22,8 @@ #include <openssl/err.h> #ifdef WIN32 +#include <winsock2.h> + #pragma comment(lib, "ncrypt.lib") #pragma comment(lib, "Ws2_32.lib") #endif // WIN32 @@ -172,7 +174,7 @@ std::optional<std::chrono::system_clock::time_point> getCertificateExpiration(co return {}; } std::tm end{}; - int ret = ASN1_time_parse(reinterpret_cast<const char*>(asn1_end->data), asn1_end->length, &end, 0); + int ret = ASN1_TIME_to_tm(asn1_end, &end); if (ret == -1) { return {}; } diff --git a/libminifi/src/utils/tls/ExtendedKeyUsage.cpp b/libminifi/src/utils/tls/ExtendedKeyUsage.cpp index 41d7cc9d1..07b273f29 100644 --- a/libminifi/src/utils/tls/ExtendedKeyUsage.cpp +++ b/libminifi/src/utils/tls/ExtendedKeyUsage.cpp @@ -26,12 +26,7 @@ #include "core/logging/LoggerConfiguration.h" #include "utils/StringUtils.h" -namespace org { -namespace apache { -namespace nifi { -namespace minifi { -namespace utils { -namespace tls { +namespace org::apache::nifi::minifi::utils::tls { namespace { @@ -60,8 +55,11 @@ ExtendedKeyUsage::ExtendedKeyUsage(const EXTENDED_KEY_USAGE& key_usage_asn1) : E const int num_oids = sk_ASN1_OBJECT_num(&key_usage_asn1); for (int i = 0; i < num_oids; ++i) { const ASN1_OBJECT* const oid = sk_ASN1_OBJECT_value(&key_usage_asn1, i); - assert(oid && oid->length > 0); - const unsigned char last_byte_of_oid = oid->data[oid->length - 1]; + assert(oid); + auto length = OBJ_length(oid); + assert(length > 0); + auto data = OBJ_get0_data(oid); + const unsigned char last_byte_of_oid = data[length - 1]; if (last_byte_of_oid < bits_.size()) { bits_.set(last_byte_of_oid); } @@ -95,11 +93,6 @@ bool operator!=(const ExtendedKeyUsage& left, const ExtendedKeyUsage& right) { return !(left == right); } -} // namespace tls -} // namespace utils -} // namespace minifi -} // namespace nifi -} // namespace apache -} // namespace org +} // namespace org::apache::nifi::minifi::utils::tls #endif // OPENSSL_SUPPORT diff --git a/libminifi/test/SimpleSSLTestServer.h b/libminifi/test/SimpleSSLTestServer.h index b6cecf59a..78a2b0ab7 100644 --- a/libminifi/test/SimpleSSLTestServer.h +++ b/libminifi/test/SimpleSSLTestServer.h @@ -50,11 +50,13 @@ class SimpleSSLTestServer { }; public: - SimpleSSLTestServer(const SSL_METHOD* method, int port, const std::filesystem::path& key_dir) + SimpleSSLTestServer(uint64_t version, int port, const std::filesystem::path& key_dir) : port_(port), had_connection_(false) { static SocketInitializer socket_initializer{}; minifi::io::OpenSSLInitializer::getInstance(); - ctx_ = SSL_CTX_new(method); + ctx_ = SSL_CTX_new(TLS_server_method()); + SSL_CTX_set_min_proto_version(ctx_, version); + SSL_CTX_set_max_proto_version(ctx_, version); configureContext(key_dir); socket_descriptor_ = createSocket(port_); } diff --git a/libminifi/test/unit/tls/TLSStreamTests.cpp b/libminifi/test/unit/tls/TLSStreamTests.cpp index ff51894a4..8b30b88c4 100644 --- a/libminifi/test/unit/tls/TLSStreamTests.cpp +++ b/libminifi/test/unit/tls/TLSStreamTests.cpp @@ -54,7 +54,7 @@ int main(int argc, char** argv) { LogTestController::getInstance().setTrace<minifi::io::TLSServerSocket>(); LogTestController::getInstance().setTrace<minifi::io::TLSContext>(); - auto server = std::make_unique<SimpleSSLTestServer>(TLSv1_2_server_method(), 0, key_dir); + auto server = std::make_unique<SimpleSSLTestServer>(SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_3, 0, key_dir); int port = server->getPort(); server->waitForConnection(); diff --git a/rheldistro.sh b/rheldistro.sh index 8d83d123c..fd0df52c1 100644 --- a/rheldistro.sh +++ b/rheldistro.sh @@ -119,6 +119,8 @@ build_deps(){ INSTALLED+=("xz-devel") elif [ "$FOUND_VALUE" = "libssh2" ]; then INSTALLED+=("libssh2-devel") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/suse.sh b/suse.sh index 064c560a5..71a0a0414 100644 --- a/suse.sh +++ b/suse.sh @@ -105,6 +105,8 @@ build_deps(){ INSTALLED+=("xz-devel") elif [ "$FOUND_VALUE" = "libssh2" ]; then INSTALLED+=("libssh2-devel") + elif [ "$FOUND_VALUE" = "opensslbuild" ]; then + INSTALLED+=("perl") fi fi done diff --git a/thirdparty/aws-sdk-cpp/openssl3-fix.patch b/thirdparty/aws-sdk-cpp/openssl3-fix.patch new file mode 100644 index 000000000..1845fcd99 --- /dev/null +++ b/thirdparty/aws-sdk-cpp/openssl3-fix.patch @@ -0,0 +1,54 @@ +diff --git a/crt/aws-crt-cpp/crt/s2n/CMakeLists.txt b/crt/aws-crt-cpp/crt/s2n/CMakeLists.txt +index f5ee8379..eb3b2591 100644 +--- a/crt/aws-crt-cpp/crt/s2n/CMakeLists.txt ++++ b/crt/aws-crt-cpp/crt/s2n/CMakeLists.txt +@@ -402,17 +402,17 @@ if (LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH) + target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH) + endif() + +-# Determine if RC4 is available in libcrypto +-try_compile( +- LIBCRYPTO_SUPPORTS_EVP_RC4 +- ${CMAKE_BINARY_DIR} +- SOURCES "${CMAKE_CURRENT_LIST_DIR}/tests/features/evp_rc4.c" +- LINK_LIBRARIES ${LINK_LIB} ${OS_LIBS} +-) +- +-if (LIBCRYPTO_SUPPORTS_EVP_RC4) +- target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4) +-endif() ++# # Determine if RC4 is available in libcrypto ++# try_compile( ++# LIBCRYPTO_SUPPORTS_EVP_RC4 ++# ${CMAKE_BINARY_DIR} ++# SOURCES "${CMAKE_CURRENT_LIST_DIR}/tests/features/evp_rc4.c" ++# LINK_LIBRARIES ${LINK_LIB} ${OS_LIBS} ++# ) ++ ++# if (LIBCRYPTO_SUPPORTS_EVP_RC4) ++# target_compile_options(${PROJECT_NAME} PUBLIC -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4) ++# endif() + + # Determine if EVP_MD_CTX_set_pkey_ctx is available in libcrypto + try_compile( +diff --git a/crt/aws-crt-cpp/crt/s2n/s2n.mk b/crt/aws-crt-cpp/crt/s2n/s2n.mk +index 3b0e1500..acf87e15 100644 +--- a/crt/aws-crt-cpp/crt/s2n/s2n.mk ++++ b/crt/aws-crt-cpp/crt/s2n/s2n.mk +@@ -217,11 +217,11 @@ ifeq ($(TRY_EVP_MD5_SHA1_HASH), 0) + DEFAULT_CFLAGS += -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH + endif + +-# Determine if EVP_md5_sha1 is available +-TRY_EVP_RC4 := $(call try_compile,$(S2N_ROOT)/tests/features/evp_rc4.c) +-ifeq ($(TRY_EVP_RC4), 0) +- DEFAULT_CFLAGS += -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4 +-endif ++# # Determine if EVP_md5_sha1 is available ++# TRY_EVP_RC4 := $(call try_compile,$(S2N_ROOT)/tests/features/evp_rc4.c) ++# ifeq ($(TRY_EVP_RC4), 0) ++# DEFAULT_CFLAGS += -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4 ++# endif + + # Determine if EVP_MD_CTX_set_pkey_ctx is available + TRY_EVP_MD_CTX_SET_PKEY_CTX := $(call try_compile,$(S2N_ROOT)/tests/features/evp_md_ctx_set_pkey_ctx.c) diff --git a/thirdparty/civetweb/openssl3.patch b/thirdparty/civetweb/openssl3.patch new file mode 100644 index 000000000..23f896bf5 --- /dev/null +++ b/thirdparty/civetweb/openssl3.patch @@ -0,0 +1,14 @@ +diff --git a/src/main.c b/src/main.c +index 66510d0f..8fa52bfb 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -22,6 +22,9 @@ + + #if defined(_WIN32) + ++#pragma comment(lib, "crypt32.lib") ++#pragma comment(lib, "Ws2_32.lib") ++ + #if !defined(_CRT_SECURE_NO_WARNINGS) + #define _CRT_SECURE_NO_WARNINGS /* Disable deprecation warning in VS2005 */ + #endif diff --git a/thirdparty/libwebsockets/openssl3.patch b/thirdparty/libwebsockets/openssl3.patch new file mode 100644 index 000000000..48f5cea55 --- /dev/null +++ b/thirdparty/libwebsockets/openssl3.patch @@ -0,0 +1,118 @@ +diff --git a/lib/tls/CMakeLists.txt b/lib/tls/CMakeLists.txt +index fb9a75fe..84f30d57 100644 +--- a/lib/tls/CMakeLists.txt ++++ b/lib/tls/CMakeLists.txt +@@ -318,58 +318,54 @@ if (NOT VARIA) + set(VARIA "") + endif() + +-CHECK_FUNCTION_EXISTS(${VARIA}SSL_CTX_set1_param LWS_HAVE_SSL_CTX_set1_param PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}SSL_set_info_callback LWS_HAVE_SSL_SET_INFO_CALLBACK PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}X509_VERIFY_PARAM_set1_host LWS_HAVE_X509_VERIFY_PARAM_set1_host PARENT_SCOPE) +-CHECK_SYMBOL_EXISTS(${VARIA}X509_VERIFY_PARAM_set1_host LWS_HAVE_X509_VERIFY_PARAM_set1_host_sym PARENT_SCOPE) ++set(LWS_HAVE_SSL_CTX_set1_param 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_SET_INFO_CALLBACK 1 CACHE BOOL x) ++set(LWS_HAVE_X509_VERIFY_PARAM_set1_host 1 CACHE BOOL x) ++set(LWS_HAVE_X509_VERIFY_PARAM_set1_host_sym 1 CACHE BOOL x) + if (LWS_HAVE_X509_VERIFY_PARAM_set1_host_sym) + set(LWS_HAVE_X509_VERIFY_PARAM_set1_host 1 PARENT_SCOPE) + endif() + +-CHECK_FUNCTION_EXISTS(${VARIA}RSA_set0_key LWS_HAVE_RSA_SET0_KEY PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}X509_get_key_usage LWS_HAVE_X509_get_key_usage PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}SSL_CTX_EVP_PKEY_new_raw_private_key LWS_HAVE_SSL_CTX_EVP_PKEY_new_raw_private_key PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}SSL_CTX_get0_certificate LWS_HAVE_SSL_CTX_get0_certificate PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}SSL_get0_alpn_selected LWS_HAVE_SSL_get0_alpn_selected PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}SSL_set_alpn_protos LWS_HAVE_SSL_set_alpn_protos PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_cfb8 LWS_HAVE_EVP_aes_128_cfb8 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_cfb128 LWS_HAVE_EVP_aes_128_cfb128 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb8 LWS_HAVE_EVP_aes_192_cfb8 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_192_cfb128 LWS_HAVE_EVP_aes_192_cfb128 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb8 LWS_HAVE_EVP_aes_256_cfb8 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_256_cfb128 LWS_HAVE_EVP_aes_256_cfb128 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ofb LWS_HAVE_EVP_aes_128_ofb PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ecb LWS_HAVE_EVP_aes_128_ecb PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_ctr LWS_HAVE_EVP_aes_128_ctr PARENT_SCOPE) +- +- +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_xts LWS_HAVE_EVP_aes_128_xts PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}RSA_verify_pss_mgf1 LWS_HAVE_RSA_verify_pss_mgf1 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}HMAC_CTX_new LWS_HAVE_HMAC_CTX_new PARENT_SCOPE) +-CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_set_ciphersuites LWS_HAVE_SSL_CTX_set_ciphersuites PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_PKEY_new_raw_private_key LWS_HAVE_EVP_PKEY_new_raw_private_key PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}SSL_SESSION_set_time LWS_HAVE_SSL_SESSION_set_time PARENT_SCOPE) +-CHECK_SYMBOL_EXISTS(${VARIA}SSL_SESSION_up_ref LWS_HAVE_SSL_SESSION_up_ref PARENT_SCOPE) ++set(LWS_HAVE_RSA_SET0_KEY 1 CACHE BOOL x) ++set(LWS_HAVE_X509_get_key_usage 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_CTX_EVP_PKEY_new_raw_private_key 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_CTX_get0_certificate 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_get0_alpn_selected 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_set_alpn_protos 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_128_cfb8 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_128_cfb128 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_192_cfb8 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_192_cfb128 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_256_cfb8 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_256_cfb128 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_128_xts 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_128_ofb 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_128_ecb 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_128_ctr 1 CACHE BOOL x) ++ ++ ++set(LWS_HAVE_EVP_aes_128_xts 1 CACHE BOOL x) ++set(LWS_HAVE_RSA_verify_pss_mgf1 1 CACHE BOOL x) ++set(LWS_HAVE_HMAC_CTX_new 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_CTX_set_ciphersuites 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_PKEY_new_raw_private_key 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_SESSION_set_time 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_SESSION_up_ref 1 CACHE BOOL x) + + + # deprecated in openssl v3 +-CHECK_FUNCTION_EXISTS(${VARIA}EC_KEY_new_by_curve_name LWS_HAVE_EC_KEY_new_by_curve_name PARENT_SCOPE) ++set(LWS_HAVE_EC_KEY_new_by_curve_name 0 CACHE BOOL x) + + if (LWS_WITH_SSL AND NOT LWS_WITH_MBEDTLS) +- # we don't want to confuse what's in or out of the wrapper with +- # what's in an openssl also installed on the build host +-CHECK_C_SOURCE_COMPILES("#include <openssl/ssl.h>\nint main(void) { STACK_OF(X509) *c = NULL; SSL_CTX *ctx = NULL; return (int)SSL_CTX_get_extra_chain_certs_only(ctx, &c); }\n" LWS_HAVE_SSL_EXTRA_CHAIN_CERTS) +-CHECK_C_SOURCE_COMPILES("#include <openssl/ssl.h>\nint main(void) { EVP_MD_CTX *md_ctx = NULL; EVP_MD_CTX_free(md_ctx); return 0; }\n" LWS_HAVE_EVP_MD_CTX_free) +-CHECK_C_SOURCE_COMPILES("#include <openssl/ssl.h>\nint main(void) { OPENSSL_STACK *x = NULL; return !x; } \n" LWS_HAVE_OPENSSL_STACK) +-set(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS ${LWS_HAVE_SSL_EXTRA_CHAIN_CERTS} PARENT_SCOPE) +-set(LWS_HAVE_EVP_MD_CTX_free ${LWS_HAVE_EVP_MD_CTX_free} PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}ECDSA_SIG_set0 LWS_HAVE_ECDSA_SIG_set0 PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}BN_bn2binpad LWS_HAVE_BN_bn2binpad PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EVP_aes_128_wrap LWS_HAVE_EVP_aes_128_wrap PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}EC_POINT_get_affine_coordinates LWS_HAVE_EC_POINT_get_affine_coordinates PARENT_SCOPE) +-CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_load_verify_file LWS_HAVE_SSL_CTX_load_verify_file PARENT_SCOPE) +-CHECK_SYMBOL_EXISTS(${VARIA}SSL_CTX_load_verify_dir LWS_HAVE_SSL_CTX_load_verify_dir PARENT_SCOPE) ++set(LWS_HAVE_OPENSSL_STACK 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_MD_CTX_free 1 CACHE BOOL x) ++set(LWS_HAVE_ECDSA_SIG_set0 1 CACHE BOOL x) ++set(LWS_HAVE_BN_bn2binpad 1 CACHE BOOL x) ++set(LWS_HAVE_EVP_aes_128_wrap 1 CACHE BOOL x) ++set(LWS_HAVE_EC_POINT_get_affine_coordinates 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_CTX_load_verify_file 1 CACHE BOOL x) ++set(LWS_HAVE_SSL_CTX_load_verify_dir 1 CACHE BOOL x) + endif() + + if (LWS_WITH_MBEDTLS) +@@ -412,8 +408,8 @@ if (LWS_WITH_MBEDTLS) + CHECK_FUNCTION_EXISTS(mbedtls_internal_aes_encrypt LWS_HAVE_mbedtls_internal_aes_encrypt PARENT_SCOPE) # not on xenial 2.2 + endif() + else() +-CHECK_FUNCTION_EXISTS(${VARIA}TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD PARENT_SCOPE) +-CHECK_FUNCTION_EXISTS(${VARIA}TLSv1_2_client_method LWS_HAVE_TLSV1_2_CLIENT_METHOD PARENT_SCOPE) ++set(LWS_HAVE_TLS_CLIENT_METHOD 1 CACHE BOOL x) ++set(LWS_HAVE_TLSV1_2_CLIENT_METHOD 1 CACHE BOOL x) + endif() + + # Generate self-signed SSL certs for the test-server. +@@ -572,3 +568,4 @@ set(TEST_SERVER_SSL_KEY "${TEST_SERVER_SSL_KEY}" PARENT_SCOPE) + set(TEST_SERVER_SSL_CERT "${TEST_SERVER_SSL_CERT}" PARENT_SCOPE) + set(TEST_SERVER_DATA ${TEST_SERVER_DATA} PARENT_SCOPE) + ++ diff --git a/thirdparty/openssl/Tidy-up-aarch64-feature-detection-code-in-armcap.c.patch b/thirdparty/openssl/Tidy-up-aarch64-feature-detection-code-in-armcap.c.patch new file mode 100644 index 000000000..55a5301de --- /dev/null +++ b/thirdparty/openssl/Tidy-up-aarch64-feature-detection-code-in-armcap.c.patch @@ -0,0 +1,560 @@ +From ea5f76e8dd33f65bf87bcdd39b9d6d5418bcb1f9 Mon Sep 17 00:00:00 2001 +From: Tom Cosgrove <[email protected]> +Date: Sun, 12 Feb 2023 20:26:23 +0000 +Subject: [PATCH] Tidy up aarch64 feature detection code in armcap.c + +Make the SIGILL-based code easier to read, and don't use it on Apple Silicon. + +Also fix "error: 'HWCAP(2)_*' macro redefined" warnings on FreeBSD. + +Fixes #20188 + +Change-Id: I5618bbe9444cc40cb5705c6ccbdc331c16bab794 + +Reviewed-by: Tomas Mraz <[email protected]> +Reviewed-by: Paul Dale <[email protected]> +(Merged from https://github.com/openssl/openssl/pull/20305) +--- + crypto/armcap.c | 402 +++++++++++++++++++++++++----------------------- + 1 file changed, 209 insertions(+), 193 deletions(-) + +diff --git a/crypto/armcap.c b/crypto/armcap.c +index 71296786c3..38f6c961a4 100644 +--- a/crypto/armcap.c ++++ b/crypto/armcap.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2011-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -10,17 +10,18 @@ + #include <stdio.h> + #include <stdlib.h> + #include <string.h> +-#include <setjmp.h> +-#include <signal.h> + #include <openssl/crypto.h> + #ifdef __APPLE__ + #include <sys/sysctl.h> ++#else ++#include <setjmp.h> ++#include <signal.h> + #endif + #include "internal/cryptlib.h" +-#ifndef _WIN32 +-#include <unistd.h> +-#else ++#ifdef _WIN32 + #include <windows.h> ++#else ++#include <unistd.h> + #endif + #include "arm_arch.h" + +@@ -46,7 +47,7 @@ uint32_t OPENSSL_rdtsc(void) + { + return 0; + } +-#elif __ARM_MAX_ARCH__<7 ++#elif __ARM_MAX_ARCH__ < 7 + void OPENSSL_cpuid_setup(void) + { + } +@@ -55,73 +56,11 @@ uint32_t OPENSSL_rdtsc(void) + { + return 0; + } +-#else +-static sigset_t all_masked; +- +-static sigjmp_buf ill_jmp; +-static void ill_handler(int sig) +-{ +- siglongjmp(ill_jmp, sig); +-} +- +-/* +- * Following subroutines could have been inlined, but it's not all +- * ARM compilers support inline assembler... +- */ +-void _armv7_neon_probe(void); +-void _armv8_aes_probe(void); +-void _armv8_sha1_probe(void); +-void _armv8_sha256_probe(void); +-void _armv8_pmull_probe(void); +-# ifdef __aarch64__ +-void _armv8_sm3_probe(void); +-void _armv8_sm4_probe(void); +-void _armv8_eor3_probe(void); +-void _armv8_sha512_probe(void); +-unsigned int _armv8_cpuid_probe(void); +-void _armv8_sve_probe(void); +-void _armv8_sve2_probe(void); +-void _armv8_rng_probe(void); +- +-size_t OPENSSL_rndr_asm(unsigned char *buf, size_t len); +-size_t OPENSSL_rndrrs_asm(unsigned char *buf, size_t len); +- +-size_t OPENSSL_rndr_bytes(unsigned char *buf, size_t len); +-size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len); +- +-static size_t OPENSSL_rndr_wrapper(size_t (*func)(unsigned char *, size_t), unsigned char *buf, size_t len) +-{ +- size_t buffer_size = 0; +- int i; +- +- for (i = 0; i < 8; i++) { +- buffer_size = func(buf, len); +- if (buffer_size == len) +- break; +- usleep(5000); /* 5000 microseconds (5 milliseconds) */ +- } +- return buffer_size; +-} ++#else /* !_WIN32 && __ARM_MAX_ARCH__ >= 7 */ + +-size_t OPENSSL_rndr_bytes(unsigned char *buf, size_t len) +-{ +- return OPENSSL_rndr_wrapper(OPENSSL_rndr_asm, buf, len); +-} ++ /* 3 ways of handling things here: __APPLE__, getauxval() or SIGILL detect */ + +-size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len) +-{ +- return OPENSSL_rndr_wrapper(OPENSSL_rndrrs_asm, buf, len); +-} +-# endif +-uint32_t _armv7_tick(void); +- +-uint32_t OPENSSL_rdtsc(void) +-{ +- if (OPENSSL_armcap_P & ARMV7_TICK) +- return _armv7_tick(); +- else +- return 0; +-} ++ /* First determine if getauxval() is available (OSSL_IMPLEMENT_GETAUXVAL) */ + + # if defined(__GNUC__) && __GNUC__>=2 + void OPENSSL_cpuid_setup(void) __attribute__ ((constructor)); +@@ -161,10 +100,10 @@ static unsigned long getauxval(unsigned long key) + * Android: according to https://developer.android.com/ndk/guides/cpu-features, + * getauxval is supported starting with API level 18 + */ +-# if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18 +-# include <sys/auxv.h> +-# define OSSL_IMPLEMENT_GETAUXVAL +-# endif ++# if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18 ++# include <sys/auxv.h> ++# define OSSL_IMPLEMENT_GETAUXVAL ++# endif + + /* + * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas +@@ -177,40 +116,144 @@ static unsigned long getauxval(unsigned long key) + # define AT_HWCAP2 26 + # endif + # if defined(__arm__) || defined (__arm) +-# define HWCAP AT_HWCAP +-# define HWCAP_NEON (1 << 12) +- +-# define HWCAP_CE AT_HWCAP2 +-# define HWCAP_CE_AES (1 << 0) +-# define HWCAP_CE_PMULL (1 << 1) +-# define HWCAP_CE_SHA1 (1 << 2) +-# define HWCAP_CE_SHA256 (1 << 3) ++# define OSSL_HWCAP AT_HWCAP ++# define OSSL_HWCAP_NEON (1 << 12) ++ ++# define OSSL_HWCAP_CE AT_HWCAP2 ++# define OSSL_HWCAP_CE_AES (1 << 0) ++# define OSSL_HWCAP_CE_PMULL (1 << 1) ++# define OSSL_HWCAP_CE_SHA1 (1 << 2) ++# define OSSL_HWCAP_CE_SHA256 (1 << 3) + # elif defined(__aarch64__) +-# define HWCAP AT_HWCAP +-# define HWCAP_NEON (1 << 1) +- +-# define HWCAP_CE HWCAP +-# define HWCAP_CE_AES (1 << 3) +-# define HWCAP_CE_PMULL (1 << 4) +-# define HWCAP_CE_SHA1 (1 << 5) +-# define HWCAP_CE_SHA256 (1 << 6) +-# define HWCAP_CPUID (1 << 11) +-# define HWCAP_SHA3 (1 << 17) +-# define HWCAP_CE_SM3 (1 << 18) +-# define HWCAP_CE_SM4 (1 << 19) +-# define HWCAP_CE_SHA512 (1 << 21) +-# define HWCAP_SVE (1 << 22) +- /* AT_HWCAP2 */ +-# define HWCAP2 26 +-# define HWCAP2_SVE2 (1 << 1) +-# define HWCAP2_RNG (1 << 16) ++# define OSSL_HWCAP AT_HWCAP ++# define OSSL_HWCAP_NEON (1 << 1) ++ ++# define OSSL_HWCAP_CE AT_HWCAP ++# define OSSL_HWCAP_CE_AES (1 << 3) ++# define OSSL_HWCAP_CE_PMULL (1 << 4) ++# define OSSL_HWCAP_CE_SHA1 (1 << 5) ++# define OSSL_HWCAP_CE_SHA256 (1 << 6) ++# define OSSL_HWCAP_CPUID (1 << 11) ++# define OSSL_HWCAP_SHA3 (1 << 17) ++# define OSSL_HWCAP_CE_SM3 (1 << 18) ++# define OSSL_HWCAP_CE_SM4 (1 << 19) ++# define OSSL_HWCAP_CE_SHA512 (1 << 21) ++# define OSSL_HWCAP_SVE (1 << 22) ++ /* AT_HWCAP2 */ ++# define OSSL_HWCAP2 26 ++# define OSSL_HWCAP2_SVE2 (1 << 1) ++# define OSSL_HWCAP2_RNG (1 << 16) ++# endif ++ ++uint32_t _armv7_tick(void); ++ ++uint32_t OPENSSL_rdtsc(void) ++{ ++ if (OPENSSL_armcap_P & ARMV7_TICK) ++ return _armv7_tick(); ++ else ++ return 0; ++} ++ ++# ifdef __aarch64__ ++size_t OPENSSL_rndr_asm(unsigned char *buf, size_t len); ++size_t OPENSSL_rndrrs_asm(unsigned char *buf, size_t len); ++ ++size_t OPENSSL_rndr_bytes(unsigned char *buf, size_t len); ++size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len); ++ ++static size_t OPENSSL_rndr_wrapper(size_t (*func)(unsigned char *, size_t), unsigned char *buf, size_t len) ++{ ++ size_t buffer_size = 0; ++ int i; ++ ++ for (i = 0; i < 8; i++) { ++ buffer_size = func(buf, len); ++ if (buffer_size == len) ++ break; ++ usleep(5000); /* 5000 microseconds (5 milliseconds) */ ++ } ++ return buffer_size; ++} ++ ++size_t OPENSSL_rndr_bytes(unsigned char *buf, size_t len) ++{ ++ return OPENSSL_rndr_wrapper(OPENSSL_rndr_asm, buf, len); ++} ++ ++size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len) ++{ ++ return OPENSSL_rndr_wrapper(OPENSSL_rndrrs_asm, buf, len); ++} ++# endif ++ ++# if !defined(__APPLE__) && !defined(OSSL_IMPLEMENT_GETAUXVAL) ++static sigset_t all_masked; ++ ++static sigjmp_buf ill_jmp; ++static void ill_handler(int sig) ++{ ++ siglongjmp(ill_jmp, sig); ++} ++ ++/* ++ * Following subroutines could have been inlined, but not all ++ * ARM compilers support inline assembler, and we'd then have to ++ * worry about the compiler optimising out the detection code... ++ */ ++void _armv7_neon_probe(void); ++void _armv8_aes_probe(void); ++void _armv8_sha1_probe(void); ++void _armv8_sha256_probe(void); ++void _armv8_pmull_probe(void); ++# ifdef __aarch64__ ++void _armv8_sm3_probe(void); ++void _armv8_sm4_probe(void); ++void _armv8_sha512_probe(void); ++void _armv8_eor3_probe(void); ++void _armv8_sve_probe(void); ++void _armv8_sve2_probe(void); ++void _armv8_rng_probe(void); ++# endif ++# endif /* !__APPLE__ && !OSSL_IMPLEMENT_GETAUXVAL */ ++ ++/* We only call _armv8_cpuid_probe() if (OPENSSL_armcap_P & ARMV8_CPUID) != 0 */ ++unsigned int _armv8_cpuid_probe(void); ++ ++# if defined(__APPLE__) ++/* ++ * Checks the specified integer sysctl, returning `value` if it's 1, otherwise returning 0. ++ */ ++static unsigned int sysctl_query(const char *name, unsigned int value) ++{ ++ unsigned int sys_value = 0; ++ size_t len = sizeof(sys_value); ++ ++ return (sysctlbyname(name, &sys_value, &len, NULL, 0) == 0 && sys_value == 1) ? value : 0; ++} ++# elif !defined(OSSL_IMPLEMENT_GETAUXVAL) ++/* ++ * Calls a provided probe function, which may SIGILL. If it doesn't, return `value`, otherwise return 0. ++ */ ++static unsigned int arm_probe_for(void (*probe)(void), volatile unsigned int value) ++{ ++ if (sigsetjmp(ill_jmp, 1) == 0) { ++ probe(); ++ return value; ++ } else { ++ /* The probe function gave us SIGILL */ ++ return 0; ++ } ++} + # endif + + void OPENSSL_cpuid_setup(void) + { + const char *e; ++# if !defined(__APPLE__) && !defined(OSSL_IMPLEMENT_GETAUXVAL) + struct sigaction ill_oact, ill_act; + sigset_t oset; ++# endif + static int trigger = 0; + + if (trigger) +@@ -225,7 +268,7 @@ void OPENSSL_cpuid_setup(void) + } + + # if defined(__APPLE__) +-# if !defined(__aarch64__) ++# if !defined(__aarch64__) + /* + * Capability probing by catching SIGILL appears to be problematic + * on iOS. But since Apple universe is "monocultural", it's actually +@@ -235,77 +278,82 @@ void OPENSSL_cpuid_setup(void) + OPENSSL_armcap_P = ARMV7_NEON; + return; + } +- /* +- * One could do same even for __aarch64__ iOS builds. It's not done +- * exclusively for reasons of keeping code unified across platforms. +- * Unified code works because it never triggers SIGILL on Apple +- * devices... +- */ +-# else ++# else + { +- unsigned int feature; +- size_t len = sizeof(feature); +- char uarch[64]; +- +- if (sysctlbyname("hw.optional.armv8_2_sha512", &feature, &len, NULL, 0) == 0 && feature == 1) +- OPENSSL_armcap_P |= ARMV8_SHA512; +- feature = 0; +- if (sysctlbyname("hw.optional.armv8_2_sha3", &feature, &len, NULL, 0) == 0 && feature == 1) { +- OPENSSL_armcap_P |= ARMV8_SHA3; +- len = sizeof(uarch); ++ /* ++ * From ++ * https://github.com/llvm/llvm-project/blob/412237dcd07e5a2afbb1767858262a5f037149a3/llvm/lib/Target/AArch64/AArch64.td#L719 ++ * all of these have been available on 64-bit Apple Silicon from the ++ * beginning (the A7). ++ */ ++ OPENSSL_armcap_P |= ARMV7_NEON | ARMV8_PMULL | ARMV8_AES | ARMV8_SHA1 | ARMV8_SHA256; ++ ++ /* More recent extensions are indicated by sysctls */ ++ OPENSSL_armcap_P |= sysctl_query("hw.optional.armv8_2_sha512", ARMV8_SHA512); ++ OPENSSL_armcap_P |= sysctl_query("hw.optional.armv8_2_sha3", ARMV8_SHA3); ++ ++ if (OPENSSL_armcap_P & ARMV8_SHA3) { ++ char uarch[64]; ++ ++ size_t len = sizeof(uarch); + if ((sysctlbyname("machdep.cpu.brand_string", uarch, &len, NULL, 0) == 0) && +- (strncmp(uarch, "Apple M1", 8) == 0)) ++ ((strncmp(uarch, "Apple M1", 8) == 0) || ++ (strncmp(uarch, "Apple M2", 8) == 0))) { + OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3; ++ } + } + } +-# endif +-# endif ++# endif /* __aarch64__ */ ++ ++# elif defined(OSSL_IMPLEMENT_GETAUXVAL) + +-# ifdef OSSL_IMPLEMENT_GETAUXVAL +- if (getauxval(HWCAP) & HWCAP_NEON) { +- unsigned long hwcap = getauxval(HWCAP_CE); ++ if (getauxval(OSSL_HWCAP) & OSSL_HWCAP_NEON) { ++ unsigned long hwcap = getauxval(OSSL_HWCAP_CE); + + OPENSSL_armcap_P |= ARMV7_NEON; + +- if (hwcap & HWCAP_CE_AES) ++ if (hwcap & OSSL_HWCAP_CE_AES) + OPENSSL_armcap_P |= ARMV8_AES; + +- if (hwcap & HWCAP_CE_PMULL) ++ if (hwcap & OSSL_HWCAP_CE_PMULL) + OPENSSL_armcap_P |= ARMV8_PMULL; + +- if (hwcap & HWCAP_CE_SHA1) ++ if (hwcap & OSSL_HWCAP_CE_SHA1) + OPENSSL_armcap_P |= ARMV8_SHA1; + +- if (hwcap & HWCAP_CE_SHA256) ++ if (hwcap & OSSL_HWCAP_CE_SHA256) + OPENSSL_armcap_P |= ARMV8_SHA256; + + # ifdef __aarch64__ +- if (hwcap & HWCAP_CE_SM4) ++ if (hwcap & OSSL_HWCAP_CE_SM4) + OPENSSL_armcap_P |= ARMV8_SM4; + +- if (hwcap & HWCAP_CE_SHA512) ++ if (hwcap & OSSL_HWCAP_CE_SHA512) + OPENSSL_armcap_P |= ARMV8_SHA512; + +- if (hwcap & HWCAP_CPUID) ++ if (hwcap & OSSL_HWCAP_CPUID) + OPENSSL_armcap_P |= ARMV8_CPUID; + +- if (hwcap & HWCAP_CE_SM3) ++ if (hwcap & OSSL_HWCAP_CE_SM3) + OPENSSL_armcap_P |= ARMV8_SM3; +- if (hwcap & HWCAP_SHA3) ++ if (hwcap & OSSL_HWCAP_SHA3) + OPENSSL_armcap_P |= ARMV8_SHA3; + # endif + } + # ifdef __aarch64__ +- if (getauxval(HWCAP) & HWCAP_SVE) ++ if (getauxval(OSSL_HWCAP) & OSSL_HWCAP_SVE) + OPENSSL_armcap_P |= ARMV8_SVE; + +- if (getauxval(HWCAP2) & HWCAP2_SVE2) ++ if (getauxval(OSSL_HWCAP2) & OSSL_HWCAP2_SVE2) + OPENSSL_armcap_P |= ARMV8_SVE2; + +- if (getauxval(HWCAP2) & HWCAP2_RNG) ++ if (getauxval(OSSL_HWCAP2) & OSSL_HWCAP2_RNG) + OPENSSL_armcap_P |= ARMV8_RNG; + # endif +-# endif ++ ++# else /* !__APPLE__ && !OSSL_IMPLEMENT_GETAUXVAL */ ++ ++ /* If all else fails, do brute force SIGILL-based feature detection */ + + sigfillset(&all_masked); + sigdelset(&all_masked, SIGILL); +@@ -321,74 +369,42 @@ void OPENSSL_cpuid_setup(void) + sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset); + sigaction(SIGILL, &ill_act, &ill_oact); + +- /* If we used getauxval, we already have all the values */ +-# ifndef OSSL_IMPLEMENT_GETAUXVAL +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv7_neon_probe(); +- OPENSSL_armcap_P |= ARMV7_NEON; +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_pmull_probe(); +- OPENSSL_armcap_P |= ARMV8_PMULL | ARMV8_AES; +- } else if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_aes_probe(); +- OPENSSL_armcap_P |= ARMV8_AES; +- } +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_sha1_probe(); +- OPENSSL_armcap_P |= ARMV8_SHA1; +- } +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_sha256_probe(); +- OPENSSL_armcap_P |= ARMV8_SHA256; +- } +-# if defined(__aarch64__) && !defined(__APPLE__) +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_sm4_probe(); +- OPENSSL_armcap_P |= ARMV8_SM4; +- } ++ OPENSSL_armcap_P |= arm_probe_for(_armv7_neon_probe, ARMV7_NEON); + +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_sha512_probe(); +- OPENSSL_armcap_P |= ARMV8_SHA512; +- } ++ if (OPENSSL_armcap_P & ARMV7_NEON) { + +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_sm3_probe(); +- OPENSSL_armcap_P |= ARMV8_SM3; ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_pmull_probe, ARMV8_PMULL | ARMV8_AES); ++ if (!(OPENSSL_armcap_P & ARMV8_AES)) { ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_aes_probe, ARMV8_AES); + } +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_eor3_probe(); +- OPENSSL_armcap_P |= ARMV8_SHA3; +- } +-# endif +- } +-# ifdef __aarch64__ +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_sve_probe(); +- OPENSSL_armcap_P |= ARMV8_SVE; +- } + +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_sve2_probe(); +- OPENSSL_armcap_P |= ARMV8_SVE2; +- } ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_sha1_probe, ARMV8_SHA1); ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_sha256_probe, ARMV8_SHA256); + +- if (sigsetjmp(ill_jmp, 1) == 0) { +- _armv8_rng_probe(); +- OPENSSL_armcap_P |= ARMV8_RNG; ++# if defined(__aarch64__) ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_sm3_probe, ARMV8_SM3); ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_sm4_probe, ARMV8_SM4); ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_sha512_probe, ARMV8_SHA512); ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_eor3_probe, ARMV8_SHA3); ++# endif + } ++# ifdef __aarch64__ ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_sve_probe, ARMV8_SVE); ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_sve2_probe, ARMV8_SVE2); ++ OPENSSL_armcap_P |= arm_probe_for(_armv8_rng_probe, ARMV8_RNG); + # endif +-# endif + + /* + * Probing for ARMV7_TICK is known to produce unreliable results, +- * so we will only use the feature when the user explicitly enables +- * it with OPENSSL_armcap. ++ * so we only use the feature when the user explicitly enables it ++ * with OPENSSL_armcap. + */ + + sigaction(SIGILL, &ill_oact, NULL); + sigprocmask(SIG_SETMASK, &oset, NULL); + ++# endif /* __APPLE__, OSSL_IMPLEMENT_GETAUXVAL */ ++ + # ifdef __aarch64__ + if (OPENSSL_armcap_P & ARMV8_CPUID) + OPENSSL_arm_midr = _armv8_cpuid_probe(); +@@ -404,4 +420,4 @@ void OPENSSL_cpuid_setup(void) + OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3; + # endif + } +-#endif ++#endif /* _WIN32, __ARM_MAX_ARCH__ >= 7 */ +-- +2.39.2 (Apple Git-143) +
