bin/symstore.sh
| 4
configure.ac
| 3
download.lst
| 4
external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
| 222 ----------
external/openssl/ExternalPackage_openssl.mk
| 8
external/openssl/README
| 2
external/openssl/UnpackedTarball_openssl.mk
| 4
external/openssl/configurable-z-option.patch.0
| 6
external/openssl/openssl-no-_umul128-on-aarch64.patch.1
| 58 --
external/openssl/openssl-no-ipc-cmd.patch.0
| 83 +++
external/openssl/openssl-no-multilib.patch.0
| 24 -
external/openssl/system-cannot-find-path-for-move.patch.0
| 11
external/python3/python-3.7.6-msvc-ssl.patch.1
| 6
readlicense_oo/license/license.xml
| 73 ---
14 files changed, 128 insertions(+), 380 deletions(-)
New commits:
commit 929ee378ce7536f3acd82b3669c09db8e96b7875
Author: Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Sun Aug 6 01:57:31 2023 +0900
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:36:42 2023 +0200
openssl: upgrade to release 3.0.10
Change-Id: Iee5716bdd111e2f30cb38d48a86104da52872dd5
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155382
Tested-by: Jenkins
Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp>
(cherry picked from commit 72f28e12b15823197e42265af1f8dda21224c90a)
diff --git a/download.lst b/download.lst
index 58d5b64e265e..d269f5cfd3c3 100644
--- a/download.lst
+++ b/download.lst
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-OPENSSL_SHA256SUM :=
eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90
-OPENSSL_TARBALL := openssl-3.0.9.tar.gz
+OPENSSL_SHA256SUM :=
1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
+OPENSSL_TARBALL := openssl-3.0.10.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
commit 78dee1875be7cd7f13a4d8727c152fd4241c403c
Author: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
AuthorDate: Sat Mar 11 21:22:55 2023 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:35:15 2023 +0200
cross-compiling on windows needs openssl to build internal python
→ add back OPENSSL as a permissable sub-build target and explicitly
enable openssl when cross-compiling for windows_aarch64
partially reverts 4132bd5477c25a505f7bfbee1e7dcf6602c927d3
Change-Id: Ic162a2f0c6db377eadedb149fb428f0f015539f9
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148688
Tested-by: Jenkins
Reviewed-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
(cherry picked from commit 5f20f4ff21f597e55d899f5ea4dfe1c1fa5824bc)
diff --git a/configure.ac b/configure.ac
index b222b378e3b1..0c94e04acaca 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5629,6 +5629,9 @@ if test "$cross_compiling" = "yes"; then
if test "$_os" = "Emscripten"; then
sub_conf_opts="$sub_conf_opts --without-system-libxml
--without-system-fontconfig --without-system-freetype --without-system-zlib"
fi
+ # windows uses full-internal python and that in turn relies on openssl, so
also enable openssl
+ # when cross-compiling for aarch64, overriding the defaults below
+ test "${PLATFORMID}" = "windows_aarch64" && sub_conf_opts="$sub_conf_opts
--enable-openssl --with-tls=openssl"
# Don't bother having configure look for stuff not needed for the build
platform anyway
# WARNING: any option with an argument containing spaces must be handled
separately (see --with-theme)
commit bc527b17dddfe8eb204c1702bf28bfc7c1c564ba
Author: Andras Timar <andras.ti...@collabora.com>
AuthorDate: Sun Feb 26 23:04:54 2023 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:34:57 2023 +0200
OpenSSL 3 is covered by Apache License v2
Change-Id: I20b30ce01b08787f560cd00cd87db9cec1699240
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147746
Tested-by: Jenkins
Reviewed-by: Andras Timar <andras.ti...@collabora.com>
(cherry picked from commit 62d3da841b402f7cc9421d87f3f1db714b278d40)
diff --git a/readlicense_oo/license/license.xml
b/readlicense_oo/license/license.xml
index d1dec6ad962f..5fdcdad12d0a 100644
--- a/readlicense_oo/license/license.xml
+++ b/readlicense_oo/license/license.xml
@@ -1525,78 +1525,7 @@
<h2>OpenSSL</h2>
<p>The following software may be included in this product: OpenSSL.
Use of any of this software is governed by
the terms of the license below:</p>
- <p>The OpenSSL toolkit stays under a dual license, i.e. both the
conditions of the OpenSSL License and the
- original SSLeay license apply to the toolkit.</p>
- <p>See below for the actual license texts. Actually both licenses are
BSD-style Open Source licenses. In case
- of any license issues related to OpenSSL please contact
openssl-c...@openssl.org.</p>
- <h3>OpenSSL License</h3>
- <p>Copyright (c) 1998-2007 The OpenSSL Project. All rights
reserved.</p>
- <p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that
- the following conditions are met:</p>
- <ol>
- <li>Redistribution of source code must retain the above copyright
notice, this list of conditions and the
- following disclaimer.</li>
- <li>Redistribution in binary form must reproduce the above
copyright notice, this list of conditions and
- the following disclaimer in the documentation and/or other
materials provided with the distribution. </li>
- <li>All advertising materials mentioning features or use of this
software must display the following
- acknowledgment: "This product includes software developed by the
OpenSSL Project for use in the OpenSSL
- Toolkit. (<a
href="http://www.openssl.org/";>http://www.openssl.org/</a>)" </li>
- <li>The names "OpenSSL Toolkit" and "OpenSSL Project" must not be
used to endorse or promote products
- derived from this software without prior written permission. For
written permission, please contact
- openssl-c...@openssl.org. </li>
- <li>Products derived from this software may not be called
"OpenSSL" nor may "OpenSSL" appear in their names
- without prior written permission of the OpenSSL Project. </li>
- <li>Redistribution of any form whatsoever must retain the
following acknowledgment: "This product includes
- software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (<a href=
- "http://www.openssl.org/";>http://www.openssl.org/</a>)" </li>
- </ol>
- <p>THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.</p>
- <p>This product includes cryptographic software written by Eric Young
(e...@cryptsoft.com). This product
- includes software written by Tim Hudson (t...@cryptsoft.com).</p>
- <h3>Original SSLeay License</h3>
- <p>Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com) All rights
reserved.</p>
- <p>This package is an SSL implementation written by Eric Young (<a
href=
- "mailto:e...@cryptsoft.com";>e...@cryptsoft.com</a>).<br />
- The implementation was written so as to conform with Netscapes SSL.</p>
- <p>This library is free for commercial and non-commercial use as long
as the following conditions are aheared
- to. The following conditions apply to all code found in this
distribution, be it the RC4, RSA, lhash, DES,
- etc., code; not just the SSL code. The SSL documentation included with
this distribution is covered by the same
- copyright terms except that the holder is Tim Hudson
(t...@cryptsoft.com).</p>
- <p>Copyright remains Eric Young's, and as such any Copyright notices
in the code are not to be removed. If this
- package is used in a product, Eric Young should be given attribution
as the author of the parts of the library
- used. This can be in the form of a textual message at program startup
or in documentation (online or textual)
- provided with the package.</p>
- <p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that
- the following conditions are met:</p>
- <ol>
- <li>Redistribution of source code must retain the copyright
notice, this list of conditions and the
- following disclaimer.</li>
- <li>Redistribution in binary form must reproduce the above
copyright notice, this list of conditions and
- the following disclaimer in the documentation and/or other
materials provided with the distribution. </li>
- <li>All advertising materials mentioning features or use of this
software must display the following
- acknowledgment: "This product includes cryptographic software
written by Eric Young (e...@cryptsoft.com)"
- The word 'cryptographic' can be left out if the routines from the
library being used are not cryptographic
- related :-). </li>
- <li>If you include any Windows specific code (or a derivative
thereof) from the apps directory (application
- code) you must include an acknowledgment: "This product includes
software written by Tim Hudson
- (t...@cryptsoft.com)" </li>
- </ol>
- <p>THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN
- NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
- <p>The license and distribution terms for any publicly available
version or derivative of this code cannot be
- changed. i.e. this code cannot simply be copied and put under another
distribution license [including the GNU
- Public License.]</p>
+ <p><a href="#a__Apache_License_version_2_0">Jump to Apache License
Version 2.0</a></p>
</div>
<div class="PDFIUM">
<h2>PDFium</h2>
commit 0f207267ca5597997d37b94aef652a0f0078bf68
Author: Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Sun Feb 12 19:36:25 2023 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:33:09 2023 +0200
openssl: upgrade to release 3.0.9
Fixes CVE-2023-1255, CVE-2023-2650 and 3 more CVEs that
probably don't affect LibreOffice.
Change-Id: Ic615b008298471267121a0f4deb227ddb3a0409e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152851
Tested-by: Jenkins
Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp>
(cherry picked from commit 2137d04d1ddb80691c29de0df99fc2ba58820ce0)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152970
Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
(cherry picked from commit 69ea3ca8e97cb5990170e9b41e095a44313c2de7)
diff --git a/download.lst b/download.lst
index dcbda698e3f6..58d5b64e265e 100644
--- a/download.lst
+++ b/download.lst
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-OPENSSL_SHA256SUM :=
6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
-OPENSSL_TARBALL := openssl-3.0.8.tar.gz
+OPENSSL_SHA256SUM :=
eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90
+OPENSSL_TARBALL := openssl-3.0.9.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
diff --git a/external/openssl/README b/external/openssl/README
index 399bdd56fded..eda5e7eb17ec 100644
--- a/external/openssl/README
+++ b/external/openssl/README
@@ -1,6 +1,6 @@
Open Source toolkit implementing SSL and TLS.
-From [http://www.openssl.org/].
+From [https://www.openssl.org/].
SSL = Secure Sockets Layer (SSL v2/v3) protocol.
TLS = Transport Layer Security (TLS v1) protocol.
commit 49071cc5eb55880d61998954baa6c207f3e5a3c7
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Wed Feb 8 12:36:16 2023 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:28:00 2023 +0200
openssl: upgrade to release 3.0.8
Fixes CVE-2023-0401 CVE-2023-0286 CVE-2023-0217 CVE-2023-0216
CVE-2023-0215 CVE-2022-4450 CVE-2022-4304 CVE-2022-4203 CVE-2022-3996
Remove the patch that fixed CVE-2022-3996.
Change-Id: I8587d780ea7dc07637278643dc1c49b577e3ae56
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146657
Tested-by: Michael Stahl <michael.st...@allotropia.de>
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 80dd2ce29413809ca337618e313795bd9610cf80)
diff --git a/download.lst b/download.lst
index ff5a8f062b5c..dcbda698e3f6 100644
--- a/download.lst
+++ b/download.lst
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-export OPENSSL_SHA256SUM :=
83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e
-export OPENSSL_TARBALL := openssl-3.0.7.tar.gz
+OPENSSL_SHA256SUM :=
6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
+OPENSSL_TARBALL := openssl-3.0.8.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
diff --git a/external/openssl/0001-x509-fix-double-locking-problem.patch.1
b/external/openssl/0001-x509-fix-double-locking-problem.patch.1
deleted file mode 100644
index ec289215e1a5..000000000000
--- a/external/openssl/0001-x509-fix-double-locking-problem.patch.1
+++ /dev/null
@@ -1,39 +0,0 @@
-From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
-From: Pauli <pa...@openssl.org>
-Date: Fri, 11 Nov 2022 09:40:19 +1100
-Subject: [PATCH] x509: fix double locking problem
-
-This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
-redundant flag setting.
-
-Fixes #19643
-
-Fixes LOW CVE-2022-3996
-
-Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com>
-Reviewed-by: Tomas Mraz <to...@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19652)
-
-(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
----
- crypto/x509/pcy_map.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
-index 05406c6493..60dfd1e320 100644
---- a/crypto/x509/pcy_map.c
-+++ b/crypto/x509/pcy_map.c
-@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS
*maps)
-
- ret = 1;
- bad_mapping:
-- if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
-- x->ex_flags |= EXFLAG_INVALID_POLICY;
-- CRYPTO_THREAD_unlock(x->lock);
-- }
- sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
- return ret;
-
---
-2.39.0
-
diff --git a/external/openssl/UnpackedTarball_openssl.mk
b/external/openssl/UnpackedTarball_openssl.mk
index 7ee91bb43425..2a8f3bb3f905 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -12,7 +12,6 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl))
$(eval $(call
gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL),,openssl))
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
- external/openssl/0001-x509-fix-double-locking-problem.patch.1 \
external/openssl/openssl-no-multilib.patch.0 \
external/openssl/configurable-z-option.patch.0 \
external/openssl/openssl-no-ipc-cmd.patch.0 \
diff --git a/external/openssl/system-cannot-find-path-for-move.patch.0
b/external/openssl/system-cannot-find-path-for-move.patch.0
index 7d08dd636730..421d6b8df2be 100644
--- a/external/openssl/system-cannot-find-path-for-move.patch.0
+++ b/external/openssl/system-cannot-find-path-for-move.patch.0
@@ -1,16 +1,5 @@
--- Configurations/windows-makefile.tmpl 2022-09-09 15:18:35.849924899
+0100
+++ Configurations/windows-makefile.tmpl 2022-09-09 15:20:28.895825331
+0100
-@@ -777,8 +777,8 @@
- $target: "$gen0" $deps
- cmd /C "set "ASM=\$(AS)" & $generator \$@.S"
- \$(CPP) $incs $cppflags $defs \$@.S > \$@.i
-- move /Y \$@.i \$@
-- del /Q \$@.S
-+ mv -f \$@.i \$@
-+ rm -f \$@.S
- EOF
- }
- # Otherwise....
@@ -790,7 +790,7 @@
return <<"EOF";
$target: "$gen0" $deps
commit 9c958481a83dce47f8a97806e1cd8504d0527945
Author: Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Sat Dec 24 16:34:15 2022 +0900
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:26:37 2023 +0200
openssl3: add patch for CVE-2022-3996
Severity: Low
backport
<https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7>.
OpenSSL 1.1.1 series are not affected by this vulnerability.
Security Advisary: https://www.openssl.org/news/secadv/20221213.txt
Change-Id: I42caba9c51291445fa96fc6f2280c681d6d6e582
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/144791
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit f41966222f05ab327550dc7a5cf9ad40052124b3)
diff --git a/external/openssl/0001-x509-fix-double-locking-problem.patch.1
b/external/openssl/0001-x509-fix-double-locking-problem.patch.1
new file mode 100644
index 000000000000..ec289215e1a5
--- /dev/null
+++ b/external/openssl/0001-x509-fix-double-locking-problem.patch.1
@@ -0,0 +1,39 @@
+From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
+From: Pauli <pa...@openssl.org>
+Date: Fri, 11 Nov 2022 09:40:19 +1100
+Subject: [PATCH] x509: fix double locking problem
+
+This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
+redundant flag setting.
+
+Fixes #19643
+
+Fixes LOW CVE-2022-3996
+
+Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com>
+Reviewed-by: Tomas Mraz <to...@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19652)
+
+(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
+---
+ crypto/x509/pcy_map.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
+index 05406c6493..60dfd1e320 100644
+--- a/crypto/x509/pcy_map.c
++++ b/crypto/x509/pcy_map.c
+@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS
*maps)
+
+ ret = 1;
+ bad_mapping:
+- if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
+- x->ex_flags |= EXFLAG_INVALID_POLICY;
+- CRYPTO_THREAD_unlock(x->lock);
+- }
+ sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
+ return ret;
+
+--
+2.39.0
+
diff --git a/external/openssl/UnpackedTarball_openssl.mk
b/external/openssl/UnpackedTarball_openssl.mk
index 2a8f3bb3f905..7ee91bb43425 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -12,6 +12,7 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl))
$(eval $(call
gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL),,openssl))
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
+ external/openssl/0001-x509-fix-double-locking-problem.patch.1 \
external/openssl/openssl-no-multilib.patch.0 \
external/openssl/configurable-z-option.patch.0 \
external/openssl/openssl-no-ipc-cmd.patch.0 \
commit 4ffbbd623f87723ceb97c90d10b722409e5d11f0
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Tue Nov 8 13:05:39 2022 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:25:41 2023 +0200
openssl: patch out another call to IPC::Cmd
... which is used when cross-compiling.
Change-Id: I08f5ccd5d9418a81c9b1273667133065552325dc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/143387
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit 7ea19dd9086c9afe1a044716ca7f9643442a846c)
diff --git a/external/openssl/openssl-no-ipc-cmd.patch.0
b/external/openssl/openssl-no-ipc-cmd.patch.0
index 75ed669eabc9..7f75b8ce64fe 100644
--- a/external/openssl/openssl-no-ipc-cmd.patch.0
+++ b/external/openssl/openssl-no-ipc-cmd.patch.0
@@ -63,3 +63,21 @@
if ( $SYSTEM eq "SunOS" ) {
# check for Oracle Developer Studio, expected output is "cc:
blah-blah C x.x blah-blah"
+--- util/perl/OpenSSL/config.pm.orig 2022-11-08 12:54:59.751298823 +0100
++++ util/perl/OpenSSL/config.pm 2022-11-08 12:55:16.436287053 +0100
+@@ -52,13 +52,13 @@
+ my @cc_version =
+ (
+ clang => sub {
+- return undef unless IPC::Cmd::can_run("$CROSS_COMPILE$CC");
++ return undef; # unless IPC::Cmd::can_run("$CROSS_COMPILE$CC");
+ my $v = `$CROSS_COMPILE$CC -v 2>&1`;
+ $v =~ m/(?:(?:clang|LLVM) version|.*based on
LLVM)\s+([0-9]+\.[0-9]+)/;
+ return $1;
+ },
+ gnu => sub {
+- return undef unless IPC::Cmd::can_run("$CROSS_COMPILE$CC");
++ return undef; # unless IPC::Cmd::can_run("$CROSS_COMPILE$CC");
+ my $nul = File::Spec->devnull();
+ my $v = `$CROSS_COMPILE$CC -dumpversion 2> $nul`;
+ # Strip off whatever prefix egcs prepends the number with.
commit 72246c020dc4ab65e70bd66bd2fd86ab7d93597e
Author: Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Thu Nov 3 13:34:28 2022 +0900
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:24:29 2023 +0200
external/openssl: fix and remove some patches
* openssl-no-multilib.patch.0: fix patch coverage
* opensslios.patch: remove this patch as it is not used.
Change-Id: I4651fc4107992bdaaefc2af3d0ff04c7bf26fa87
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/142190
Reviewed-by: Caolán McNamara <caol...@redhat.com>
Tested-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit dbd5667793f2b333e7e00e720bb09d917a3468db)
diff --git a/external/openssl/openssl-no-multilib.patch.0
b/external/openssl/openssl-no-multilib.patch.0
index 83137fe5b712..da9adf35785a 100644
--- a/external/openssl/openssl-no-multilib.patch.0
+++ b/external/openssl/openssl-no-multilib.patch.0
@@ -1,6 +1,6 @@
--- Configure.orig 2020-04-21 14:22:39.000000000 +0200
+++ Configure 2020-07-07 17:25:19.256297500 +0200
-@@ -28,7 +28,7 @@
+@@ -27,7 +27,7 @@
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
@@ -9,7 +9,7 @@
my $banner = <<"EOF";
-@@ -87,6 +87,7 @@
+@@ -86,6 +86,7 @@
# If disabled, it also disables shared and dynamic-engine.
# no-asm do not use assembler
# no-egd do not compile support for the entropy-gathering daemon APIs
@@ -17,7 +17,7 @@
# [no-]zlib [don't] compile support for zlib compression.
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
-@@ -459,6 +460,7 @@
+@@ -458,6 +459,7 @@
"module",
"msan",
"multiblock",
@@ -25,7 +25,7 @@
"nextprotoneg",
"ocb",
"ocsp",
-@@ -1917,6 +1919,10 @@
+@@ -1907,6 +1909,10 @@
my @build_dirs = ( [ ] ); # current directory
commit fead5b36b56f55d267871a4483faff76ee254860
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Wed Nov 2 16:08:31 2022 +0000
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:21:21 2023 +0200
upgrade to openssl 3.0.7
Change-Id: I92eb4f6ce4c7eb38651ed94b9704ce10804e5224
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/142180
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit fc29f11d6e1737b26eb89efababc89cf700e0f05)
diff --git a/download.lst b/download.lst
index 705ca4e376d2..ff5a8f062b5c 100644
--- a/download.lst
+++ b/download.lst
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-export OPENSSL_SHA256SUM :=
aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a
-export OPENSSL_TARBALL := openssl-3.0.5.tar.gz
+export OPENSSL_SHA256SUM :=
83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e
+export OPENSSL_TARBALL := openssl-3.0.7.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
diff --git a/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
b/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
deleted file mode 100644
index 45ce5a9038e5..000000000000
--- a/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
+++ /dev/null
@@ -1,54 +0,0 @@
-From c04b8819161de007cee831dd9e58dde52268da18 Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levi...@openssl.org>
-Date: Mon, 25 Jul 2022 08:07:33 +0200
-Subject: [PATCH] Configurations/10-main.conf: In the VC-common target, unquote
- $(CC)
-
-Some of the VC-common attributes have values that use `$(CC)`, wrapped with
-quotes. However, `Configurations/windows-makefile.tmpl` already quotes the
-`CC` value, like this:
-
- CC="{- $config{CC} -}"
-
-The interaction between that makefile variable and the attributes using
-`$(CC)` wrapped with quotes is a command line with the quotes doubled. For
-example, the value of `$(CPP)` becomes `""cl""`.
-
-Strangely enough, this appears to be tolerated, at least on some versions of
-Windows. However, this has been reported not to be the case.
-
-This is fixed by removing the quotes in `Configurations/10-main.conf`,
-making `Configurations/windows-makefile.tmpl` responsible for proper
-quoting.
-
-Fixes #18823
-
-Reviewed-by: Hugo Landau <hlan...@openssl.org>
-Reviewed-by: Matt Caswell <m...@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/18861)
----
- Configurations/10-main.conf | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index c824f4ed4a0..73ace78bc41 100644
---- a/Configurations/10-main.conf
-+++ b/Configurations/10-main.conf
-@@ -1309,7 +1309,7 @@ my %targets = (
- inherit_from => [ "BASE_Windows" ],
- template => 1,
- CC => "cl",
-- CPP => '"$(CC)" /EP /C',
-+ CPP => '$(CC) /EP /C',
- CFLAGS => "/W3 /wd4090 /nologo",
- coutflag => "/Fo",
- LD => "link",
-@@ -1318,7 +1318,7 @@ my %targets = (
- ldpostoutflag => "",
- ld_resp_delim => "\n",
- bin_lflags => "setargv.obj",
-- makedepcmd => '"$(CC)" /Zs /showIncludes',
-+ makedepcmd => '$(CC) /Zs /showIncludes',
- makedep_scheme => 'VC',
- AR => "lib",
- ARFLAGS => "/nologo",
diff --git a/external/openssl/UnpackedTarball_openssl.mk
b/external/openssl/UnpackedTarball_openssl.mk
index 18ed71850627..2a8f3bb3f905 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -15,7 +15,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\
external/openssl/openssl-no-multilib.patch.0 \
external/openssl/configurable-z-option.patch.0 \
external/openssl/openssl-no-ipc-cmd.patch.0 \
- external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1 \
external/openssl/system-cannot-find-path-for-move.patch.0 \
))
diff --git a/external/openssl/openssl-no-ipc-cmd.patch.0
b/external/openssl/openssl-no-ipc-cmd.patch.0
index f844831a34ae..75ed669eabc9 100644
--- a/external/openssl/openssl-no-ipc-cmd.patch.0
+++ b/external/openssl/openssl-no-ipc-cmd.patch.0
@@ -1,15 +1,15 @@
--- util/perl/OpenSSL/config.pm 2022-09-08 11:45:57.408532119 +0100
+++ util/perl/OpenSSL/config.pm 2022-09-08 11:47:46.877590711 +0100
-@@ -15,7 +15,7 @@
- use warnings;
+@@ -16,7 +16,7 @@
use Getopt::Std;
use File::Basename;
+ use File::Spec;
-use IPC::Cmd;
+# use IPC::Cmd;
use POSIX;
+ use Config;
use Carp;
-
-@@ -193,7 +193,8 @@
+@@ -205,7 +205,8 @@
# Look for ISC/SCO with its unique uname program
sub is_sco_uname {
@@ -19,7 +19,7 @@
open UNAME, "uname -X 2>/dev/null|" or return '';
my $line = "";
-@@ -291,13 +292,13 @@
+@@ -303,13 +304,13 @@
$CCVENDOR = ''; # Dunno, don't care (unless found later)
# Find a compiler if we don't already have one
@@ -40,7 +40,7 @@
if ( $CC ) {
# Find the compiler vendor and version number for certain compilers
-@@ -352,14 +353,14 @@
+@@ -364,14 +365,14 @@
}
}
commit 94c5ee02d286e680716feb101c084afc887d4fbd
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Sep 8 11:08:36 2022 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:19:54 2023 +0200
upgrade to openssl-3.0.5
patch out using IPC::Cmd instead of requiring adding it
to build-time dependencies
for mysterious:
The system cannot find the path specified.
NMAKE : fatal error U1077:
'""C:\PROGRA~2\MIB055~1\2019\COMMUN~1\VC\Tools\MSVC\1429~1.301\bin\Hostx64\x86\cl.exe'
: return code '0x1'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual
Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\Hostx64\x86\nmake.exe"' :
return code '0x2'
Stop.
include fix from https://github.com/openssl/openssl/issues/18823
and for
move /Y crypto/aes/aes-586.asm.i crypto/aes/aes-586.asm
The system cannot find the path specified.
NMAKE : fatal error U1077: 'move' : return code '0x1'
add own patch to use mv and rm for move and del
Change-Id: I071750e20efd0931ea1c5c3b49e7a5173c7283f8
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139641
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
(cherry picked from commit a539db002bc9ee6692d14cde2aaa166bd213eb51)
diff --git a/bin/symstore.sh b/bin/symstore.sh
index 2734f1b22a58..332c9d817f56 100755
--- a/bin/symstore.sh
+++ b/bin/symstore.sh
@@ -16,8 +16,8 @@ EXCLUDE_LIST="python.exe"
#
# Same format as for EXCLUDE_LIST above
MOREPDBS_OKLIST="libcurl.dll
-libcrypto-1_1.dll
-libssl-1_1.dll
+libcrypto-3.dll
+libssl-3.dll
freebl3.dll
libeay32.dll
nspr4.dll
diff --git a/download.lst b/download.lst
index 3419a960db37..705ca4e376d2 100644
--- a/download.lst
+++ b/download.lst
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-OPENSSL_SHA256SUM :=
8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b
-OPENSSL_TARBALL := openssl-1.1.1t.tar.gz
+export OPENSSL_SHA256SUM :=
aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a
+export OPENSSL_TARBALL := openssl-3.0.5.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
diff --git a/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
b/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
new file mode 100644
index 000000000000..45ce5a9038e5
--- /dev/null
+++ b/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
@@ -0,0 +1,54 @@
+From c04b8819161de007cee831dd9e58dde52268da18 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levi...@openssl.org>
+Date: Mon, 25 Jul 2022 08:07:33 +0200
+Subject: [PATCH] Configurations/10-main.conf: In the VC-common target, unquote
+ $(CC)
+
+Some of the VC-common attributes have values that use `$(CC)`, wrapped with
+quotes. However, `Configurations/windows-makefile.tmpl` already quotes the
+`CC` value, like this:
+
+ CC="{- $config{CC} -}"
+
+The interaction between that makefile variable and the attributes using
+`$(CC)` wrapped with quotes is a command line with the quotes doubled. For
+example, the value of `$(CPP)` becomes `""cl""`.
+
+Strangely enough, this appears to be tolerated, at least on some versions of
+Windows. However, this has been reported not to be the case.
+
+This is fixed by removing the quotes in `Configurations/10-main.conf`,
+making `Configurations/windows-makefile.tmpl` responsible for proper
+quoting.
+
+Fixes #18823
+
+Reviewed-by: Hugo Landau <hlan...@openssl.org>
+Reviewed-by: Matt Caswell <m...@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/18861)
+---
+ Configurations/10-main.conf | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
+index c824f4ed4a0..73ace78bc41 100644
+--- a/Configurations/10-main.conf
++++ b/Configurations/10-main.conf
+@@ -1309,7 +1309,7 @@ my %targets = (
+ inherit_from => [ "BASE_Windows" ],
+ template => 1,
+ CC => "cl",
+- CPP => '"$(CC)" /EP /C',
++ CPP => '$(CC) /EP /C',
+ CFLAGS => "/W3 /wd4090 /nologo",
+ coutflag => "/Fo",
+ LD => "link",
+@@ -1318,7 +1318,7 @@ my %targets = (
+ ldpostoutflag => "",
+ ld_resp_delim => "\n",
+ bin_lflags => "setargv.obj",
+- makedepcmd => '"$(CC)" /Zs /showIncludes',
++ makedepcmd => '$(CC) /Zs /showIncludes',
+ makedep_scheme => 'VC',
+ AR => "lib",
+ ARFLAGS => "/nologo",
diff --git
a/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
b/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
deleted file mode 100644
index f87f8f588840..000000000000
---
a/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
+++ /dev/null
@@ -1,222 +0,0 @@
-From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001
-From: Pauli <pa...@openssl.org>
-Date: Wed, 8 Mar 2023 15:28:20 +1100
-Subject: [PATCH] x509: excessive resource use verifying policy constraints
-
-A security vulnerability has been identified in all supported versions
-of OpenSSL related to the verification of X.509 certificate chains
-that include policy constraints. Attackers may be able to exploit this
-vulnerability by creating a malicious certificate chain that triggers
-exponential use of computational resources, leading to a denial-of-service
-(DoS) attack on affected systems.
-
-Fixes CVE-2023-0464
-
-Reviewed-by: Tomas Mraz <to...@openssl.org>
-Reviewed-by: Shane Lontis <shane.lon...@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/20569)
----
- crypto/x509v3/pcy_local.h | 8 +++++++-
- crypto/x509v3/pcy_node.c | 12 +++++++++---
- crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++----------
- 3 files changed, 43 insertions(+), 14 deletions(-)
-
-diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
-index 5daf78de45..344aa06765 100644
---- a/crypto/x509v3/pcy_local.h
-+++ b/crypto/x509v3/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
-
- struct X509_POLICY_TREE_st {
-+ /* The number of nodes in the tree */
-+ size_t node_count;
-+ /* The maximum number of nodes in the tree */
-+ size_t node_maximum;
-+
- /* This is the tree 'level' data */
- X509_POLICY_LEVEL *levels;
- int nlevel;
-@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE)
*sk,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
-- X509_POLICY_TREE *tree);
-+ X509_POLICY_TREE *tree,
-+ int extra_data);
- void policy_node_free(X509_POLICY_NODE *node);
- int policy_node_match(const X509_POLICY_LEVEL *lvl,
- const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
-index e2d7b15322..d574fb9d66 100644
---- a/crypto/x509v3/pcy_node.c
-+++ b/crypto/x509v3/pcy_node.c
-@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL
*level,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
-- X509_POLICY_TREE *tree)
-+ X509_POLICY_TREE *tree,
-+ int extra_data)
- {
- X509_POLICY_NODE *node;
-
-+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
-+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
-+ return NULL;
-+
- node = OPENSSL_zalloc(sizeof(*node));
- if (node == NULL) {
- X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
-@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- }
- node->data = data;
- node->parent = parent;
-- if (level) {
-+ if (level != NULL) {
- if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
- if (level->anyPolicy)
- goto node_error;
-@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- }
- }
-
-- if (tree) {
-+ if (extra_data) {
- if (tree->extra_data == NULL)
- tree->extra_data = sk_X509_POLICY_DATA_new_null();
- if (tree->extra_data == NULL){
-@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- }
- }
-
-+ tree->node_count++;
- if (parent)
- parent->nchild++;
-
-diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
-index 6e8322cbc5..6c7fd35405 100644
---- a/crypto/x509v3/pcy_tree.c
-+++ b/crypto/x509v3/pcy_tree.c
-@@ -13,6 +13,18 @@
-
- #include "pcy_local.h"
-
-+/*
-+ * If the maximum number of nodes in the policy tree isn't defined, set it to
-+ * a generous default of 1000 nodes.
-+ *
-+ * Defining this to be zero means unlimited policy tree growth which opens the
-+ * door on CVE-2023-0464.
-+ */
-+
-+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
-+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
-+#endif
-+
- /*
- * Enable this to print out the complete policy tree at various point during
- * evaluation.
-@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree,
STACK_OF(X509) *certs,
- return X509_PCY_TREE_INTERNAL;
- }
-
-+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
-+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
-+
- /*
- * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
- *
-@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree,
STACK_OF(X509) *certs,
- level = tree->levels;
- if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) ==
NULL)
- goto bad_tree;
-- if (level_add_node(level, data, NULL, tree) == NULL) {
-+ if (level_add_node(level, data, NULL, tree, 1) == NULL) {
- policy_data_free(data);
- goto bad_tree;
- }
-@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree,
STACK_OF(X509) *certs,
- * Return value: 1 on success, 0 otherwise
- */
- static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-- X509_POLICY_DATA *data)
-+ X509_POLICY_DATA *data,
-+ X509_POLICY_TREE *tree)
- {
- X509_POLICY_LEVEL *last = curr - 1;
- int i, matched = 0;
-@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL
*curr,
- X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
-
- if (policy_node_match(last, node, data->valid_policy)) {
-- if (level_add_node(curr, data, node, NULL) == NULL)
-+ if (level_add_node(curr, data, node, tree, 0) == NULL)
- return 0;
- matched = 1;
- }
- }
- if (!matched && last->anyPolicy) {
-- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
-+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
- return 0;
- }
- return 1;
-@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL
*curr,
- * Return value: 1 on success, 0 otherwise.
- */
- static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-- const X509_POLICY_CACHE *cache)
-+ const X509_POLICY_CACHE *cache,
-+ X509_POLICY_TREE *tree)
- {
- int i;
-
-@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
- X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
-
- /* Look for matching nodes in previous level */
-- if (!tree_link_matching_nodes(curr, data))
-+ if (!tree_link_matching_nodes(curr, data, tree))
- return 0;
- }
- return 1;
-@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
- /* Curr may not have anyPolicy */
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-- if (level_add_node(curr, data, node, tree) == NULL) {
-+ if (level_add_node(curr, data, node, tree, 1) == NULL) {
- policy_data_free(data);
- return 0;
- }
-@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
- }
- /* Finally add link to anyPolicy */
- if (last->anyPolicy &&
-- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
-+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) ==
NULL)
- return 0;
- return 1;
- }
-@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
- extra->qualifier_set = anyPolicy->data->qualifier_set;
- extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
- | POLICY_DATA_FLAG_EXTRA_NODE;
-- node = level_add_node(NULL, extra, anyPolicy->parent, tree);
-+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
- }
- if (!tree->user_policies) {
- tree->user_policies = sk_X509_POLICY_NODE_new_null();
-@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
-
- for (i = 1; i < tree->nlevel; i++, curr++) {
- cache = policy_cache_set(curr->cert);
-- if (!tree_link_nodes(curr, cache))
-+ if (!tree_link_nodes(curr, cache, tree))
- return X509_PCY_TREE_INTERNAL;
-
- if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
---
-2.34.1
-
diff --git a/external/openssl/ExternalPackage_openssl.mk
b/external/openssl/ExternalPackage_openssl.mk
index d0c0dbaab975..7d02dfc6ed1c 100644
--- a/external/openssl/ExternalPackage_openssl.mk
+++ b/external/openssl/ExternalPackage_openssl.mk
@@ -13,14 +13,14 @@ $(eval $(call
gb_ExternalPackage_use_external_project,openssl,openssl))
ifeq ($(COM),MSC)
$(eval $(call gb_ExternalPackage_add_files,openssl,$(LIBO_LIB_FOLDER),\
- libcrypto-1_1.dll \
- libssl-1_1.dll \
+ libcrypto-3.dll \
+ libssl-3.dll \
))
ifneq ($(DISABLE_PYTHON),TRUE)
ifneq ($(SYSTEM_PYTHON),TRUE)
$(eval $(call
gb_ExternalPackage_add_files,openssl,$(LIBO_LIB_FOLDER)/python-core-$(PYTHON_VERSION)/lib,
\
- libcrypto-1_1.dll \
- libssl-1_1.dll \
+ libcrypto-3.dll \
+ libssl-3.dll \
))
endif
endif
diff --git a/external/openssl/UnpackedTarball_openssl.mk
b/external/openssl/UnpackedTarball_openssl.mk
index 650ca154d80e..18ed71850627 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -12,10 +12,11 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl))
$(eval $(call
gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL),,openssl))
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
-
external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
\
external/openssl/openssl-no-multilib.patch.0 \
external/openssl/configurable-z-option.patch.0 \
- external/openssl/openssl-no-_umul128-on-aarch64.patch.1 \
+ external/openssl/openssl-no-ipc-cmd.patch.0 \
+ external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1 \
+ external/openssl/system-cannot-find-path-for-move.patch.0 \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/openssl/configurable-z-option.patch.0
b/external/openssl/configurable-z-option.patch.0
index 3dcf49dc81a6..9a4426edd5d2 100644
--- a/external/openssl/configurable-z-option.patch.0
+++ b/external/openssl/configurable-z-option.patch.0
@@ -18,7 +18,7 @@
asflags => "/Cp /coff /c /Cx",
asoutflag => "/Fo",
perlasm_scheme => "win32" };
-@@ -1231,10 +1231,10 @@
+@@ -1323,10 +1323,10 @@
"UNICODE", "_UNICODE",
"_CRT_SECURE_NO_DEPRECATE",
"_WINSOCK_DEPRECATED_NO_WARNINGS"),
@@ -29,6 +29,6 @@
- bin_cflags => "/Zi /Fdapp.pdb",
+ dso_cflags => "\$(DEBUG_FLAGS_VALUE)",
+ bin_cflags => "\$(DEBUG_FLAGS_VALUE)",
+ # def_flag made to empty string so a .def file gets generated
+ shared_defflag => '',
shared_ldflag => "/dll",
- shared_target => "win-shared", # meaningless except it gives
Configure a hint
- thread_scheme => "winthreads",
diff --git a/external/openssl/openssl-no-_umul128-on-aarch64.patch.1
b/external/openssl/openssl-no-_umul128-on-aarch64.patch.1
deleted file mode 100644
index c7ca53bc574c..000000000000
--- a/external/openssl/openssl-no-_umul128-on-aarch64.patch.1
+++ /dev/null
@@ -1,58 +0,0 @@
-From 98f9a401c3964c7ff0e6ca048685e28a2a6401d4 Mon Sep 17 00:00:00 2001
-From: Hubert Kario <hka...@redhat.com>
-Date: Wed, 8 Feb 2023 14:13:24 +0100
-Subject: [PATCH] rsa: add msvc intrinsic for non x64 platforms
-
-_umul128() is x86_64 (x64) only, while __umulh() works everywhere, but
-doesn't generate optimal code on x64
-
-Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com>
-Reviewed-by: Paul Dale <pa...@openssl.org>
-Reviewed-by: Tomas Mraz <to...@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20244)
-
-(cherry picked from commit 075652f224479dad2e64b92e791b296177af8705)
----
- crypto/bn/rsa_sup_mul.c | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c
-index 0e0d02e1946e..3b57161b4589 100644
---- a/crypto/bn/rsa_sup_mul.c
-+++ b/crypto/bn/rsa_sup_mul.c
-@@ -110,12 +110,34 @@ static ossl_inline void _mul_limb(limb_t *hi, limb_t
*lo, limb_t a, limb_t b)
- *lo = (limb_t)t;
- }
- #elif (BN_BYTES == 8) && (defined _MSC_VER)
--/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
-+# if defined(_M_X64)
-+/*
-+ * on x86_64 (x64) we can use the _umul128 intrinsic to get one `mul`
-+ * instruction to get both high and low 64 bits of the multiplication.
-+ * https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-140
-+ */
-+#include <intrin.h>
- #pragma intrinsic(_umul128)
- static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
- {
- *lo = _umul128(a, b, hi);
- }
-+# elif defined(_M_ARM64) || defined (_M_IA64)
-+/*
-+ * We can't use the __umulh() on x86_64 as then msvc generates two `mul`
-+ * instructions; so use this more portable intrinsic on platforms that
-+ * don't support _umul128 (like aarch64 (ARM64) or ia64)
-+ * https://learn.microsoft.com/en-us/cpp/intrinsics/umulh?view=msvc-140
-+ */
-+#include <intrin.h>
-+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
-+{
-+ *lo = a * b;
-+ *hi = __umulh(a, b);
-+}
-+# else
-+# error Only x64, ARM64 and IA64 supported.
-+# endif /* defined(_M_X64) */
- #else
- /*
- * if the compiler doesn't have either a 128bit data type nor a "return
diff --git a/external/openssl/openssl-no-ipc-cmd.patch.0
b/external/openssl/openssl-no-ipc-cmd.patch.0
new file mode 100644
index 000000000000..f844831a34ae
--- /dev/null
+++ b/external/openssl/openssl-no-ipc-cmd.patch.0
@@ -0,0 +1,65 @@
+--- util/perl/OpenSSL/config.pm 2022-09-08 11:45:57.408532119 +0100
++++ util/perl/OpenSSL/config.pm 2022-09-08 11:47:46.877590711 +0100
+@@ -15,7 +15,7 @@
+ use warnings;
+ use Getopt::Std;
+ use File::Basename;
+-use IPC::Cmd;
++# use IPC::Cmd;
+ use POSIX;
+ use Carp;
+
+@@ -193,7 +193,8 @@
+
+ # Look for ISC/SCO with its unique uname program
+ sub is_sco_uname {
+- return undef unless IPC::Cmd::can_run('uname');
++ return undef;
++# return undef unless IPC::Cmd::can_run('uname');
+
+ open UNAME, "uname -X 2>/dev/null|" or return '';
+ my $line = "";
+@@ -291,13 +292,13 @@
+ $CCVENDOR = ''; # Dunno, don't care (unless found later)
+
+ # Find a compiler if we don't already have one
+- if ( ! $cc ) {
+- foreach (@c_compilers) {
+- next unless IPC::Cmd::can_run("$CROSS_COMPILE$_");
+- $CC = $_;
+- last;
+- }
+- }
++# if ( ! $cc ) {
++# foreach (@c_compilers) {
++# next unless IPC::Cmd::can_run("$CROSS_COMPILE$_");
++# $CC = $_;
++# last;
++# }
++# }
+
+ if ( $CC ) {
+ # Find the compiler vendor and version number for certain compilers
+@@ -352,14 +353,14 @@
+ }
+ }
+
+- if ( ${SYSTEM} eq 'AIX' ) {
+- # favor vendor cc over gcc
+- if (IPC::Cmd::can_run('cc')) {
+- $CC = 'cc';
+- $CCVENDOR = ''; # Determine later
+- $CCVER = 0;
+- }
+- }
++# if ( ${SYSTEM} eq 'AIX' ) {
++# # favor vendor cc over gcc
++# if (IPC::Cmd::can_run('cc')) {
++# $CC = 'cc';
++# $CCVENDOR = ''; # Determine later
++# $CCVER = 0;
++# }
++# }
+
+ if ( $SYSTEM eq "SunOS" ) {
+ # check for Oracle Developer Studio, expected output is "cc:
blah-blah C x.x blah-blah"
diff --git a/external/openssl/openssl-no-multilib.patch.0
b/external/openssl/openssl-no-multilib.patch.0
index 07c45318ac25..83137fe5b712 100644
--- a/external/openssl/openssl-no-multilib.patch.0
+++ b/external/openssl/openssl-no-multilib.patch.0
@@ -1,15 +1,15 @@
--- Configure.orig 2020-04-21 14:22:39.000000000 +0200
+++ Configure 2020-07-07 17:25:19.256297500 +0200
-@@ -24,7 +24,7 @@
+@@ -28,7 +28,7 @@
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx]
[-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR]
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE]
os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx]
[-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [no-multilib] [sctp] [386]
[--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE]
os/compiler[:flags]\n";
- # Options:
- #
-@@ -59,6 +59,7 @@
+ my $banner = <<"EOF";
+
+@@ -87,6 +87,7 @@
# If disabled, it also disables shared and dynamic-engine.
# no-asm do not use assembler
# no-egd do not compile support for the entropy-gathering daemon APIs
@@ -17,22 +17,22 @@
# [no-]zlib [don't] compile support for zlib compression.
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
-@@ -383,6 +384,7 @@
- "mdc2",
+@@ -459,6 +460,7 @@
+ "module",
"msan",
"multiblock",
+ "multilib",
"nextprotoneg",
- "pinshared",
"ocb",
-@@ -1754,6 +1756,10 @@
- if (-f catfile($srcdir, "test", $_, "build.info"));
- }
+ "ocsp",
+@@ -1917,6 +1919,10 @@
+
+ my @build_dirs = ( [ ] ); # current directory
+ if ($disabled{"multilib"}) {
+ $target{"multilib"} = "";
+ }
-+
++
$config{build_infos} = [ ];
- my %ordinals = ();
+ # We want to detect configdata.pm in the source tree, so we
diff --git a/external/openssl/system-cannot-find-path-for-move.patch.0
b/external/openssl/system-cannot-find-path-for-move.patch.0
new file mode 100644
index 000000000000..7d08dd636730
--- /dev/null
+++ b/external/openssl/system-cannot-find-path-for-move.patch.0
@@ -0,0 +1,22 @@
+--- Configurations/windows-makefile.tmpl 2022-09-09 15:18:35.849924899
+0100
++++ Configurations/windows-makefile.tmpl 2022-09-09 15:20:28.895825331
+0100
+@@ -777,8 +777,8 @@
+ $target: "$gen0" $deps
+ cmd /C "set "ASM=\$(AS)" & $generator \$@.S"
+ \$(CPP) $incs $cppflags $defs \$@.S > \$@.i
+- move /Y \$@.i \$@
+- del /Q \$@.S
++ mv -f \$@.i \$@
++ rm -f \$@.S
+ EOF
+ }
+ # Otherwise....
+@@ -790,7 +790,7 @@
+ return <<"EOF";
+ $target: "$gen0" $deps
+ \$(CPP) $incs $cppflags $defs "$gen0" > \$@.i
+- move /Y \$@.i \$@
++ mv -f \$@.i \$@
+ EOF
+ } elsif ($gen0 =~ m|^.*\.in$|) {
+ #
diff --git a/external/python3/python-3.7.6-msvc-ssl.patch.1
b/external/python3/python-3.7.6-msvc-ssl.patch.1
index 17cc440f2204..50b1c65645df 100644
--- a/external/python3/python-3.7.6-msvc-ssl.patch.1
+++ b/external/python3/python-3.7.6-msvc-ssl.patch.1
@@ -14,12 +14,14 @@ No use for applink.c OPENSSL_Applink, everything is
compiled with the same MSVC
<ResourceCompile Include="..\PC\python_nt.rc" />
--- python3/PCbuild/openssl.props.orig 2019-12-23 16:20:34.588135900 +0100
+++ python3/PCbuild/openssl.props 2019-12-23 16:20:51.074001300 +0100
-@@ -6,8 +6,6 @@
+@@ -10,9 +10,7 @@
+ </Link>
</ItemDefinitionGroup>
<PropertyGroup>
- <_DLLSuffix>-1_1</_DLLSuffix>
+- <_DLLSuffix>-1_1</_DLLSuffix>
- <_DLLSuffix Condition="$(Platform) ==
'ARM'">$(_DLLSuffix)-arm</_DLLSuffix>
- <_DLLSuffix Condition="$(Platform) ==
'ARM64'">$(_DLLSuffix)-arm64</_DLLSuffix>
++ <_DLLSuffix>-3</_DLLSuffix>
</PropertyGroup>
<ItemGroup>
<_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" />
commit 8a7c6657293187bbd093066617bea0f033beeab9
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Mon Sep 25 12:03:35 2023 +0200
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Mon Sep 25 12:04:44 2023 +0200
Revert "external/openssl: fix and remove some patches"
This reverts commit 983f68e3f5e8bb5c1ac2618fc49f4b01b3de5c0c.
[ Except the deletion of ios patch ]
Change-Id: Ic3cc29cfba172b2d170399c44c483befd896c242
diff --git a/external/openssl/configurable-z-option.patch.0
b/external/openssl/configurable-z-option.patch.0
index 99d46f75410d..3dcf49dc81a6 100644
--- a/external/openssl/configurable-z-option.patch.0
+++ b/external/openssl/configurable-z-option.patch.0
@@ -18,7 +18,7 @@
asflags => "/Cp /coff /c /Cx",
asoutflag => "/Fo",
perlasm_scheme => "win32" };
-@@ -1252,10 +1252,10 @@
+@@ -1231,10 +1231,10 @@
"UNICODE", "_UNICODE",
"_CRT_SECURE_NO_DEPRECATE",
"_WINSOCK_DEPRECATED_NO_WARNINGS"),
diff --git a/external/openssl/openssl-no-multilib.patch.0
b/external/openssl/openssl-no-multilib.patch.0
index 3d0083ed4793..07c45318ac25 100644
--- a/external/openssl/openssl-no-multilib.patch.0
+++ b/external/openssl/openssl-no-multilib.patch.0
@@ -17,7 +17,7 @@
# [no-]zlib [don't] compile support for zlib compression.
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
-@@ -393,6 +394,7 @@
+@@ -383,6 +384,7 @@
"mdc2",
"msan",
"multiblock",
@@ -25,7 +25,7 @@
"nextprotoneg",
"pinshared",
"ocb",
-@@ -1770,6 +1772,10 @@
+@@ -1754,6 +1756,10 @@
if (-f catfile($srcdir, "test", $_, "build.info"));
}
