bin/symstore.sh | 4 configure.ac | 3 download.lst | 4 external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1 | 222 ---------- external/openssl/ExternalPackage_openssl.mk | 8 external/openssl/README | 2 external/openssl/UnpackedTarball_openssl.mk | 4 external/openssl/configurable-z-option.patch.0 | 6 external/openssl/openssl-no-_umul128-on-aarch64.patch.1 | 58 -- external/openssl/openssl-no-ipc-cmd.patch.0 | 83 +++ external/openssl/openssl-no-multilib.patch.0 | 24 - external/openssl/system-cannot-find-path-for-move.patch.0 | 11 external/python3/python-3.7.6-msvc-ssl.patch.1 | 6 readlicense_oo/license/license.xml | 73 --- 14 files changed, 128 insertions(+), 380 deletions(-)
New commits: commit 929ee378ce7536f3acd82b3669c09db8e96b7875 Author: Taichi Haradaguchi <20001...@ymail.ne.jp> AuthorDate: Sun Aug 6 01:57:31 2023 +0900 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:36:42 2023 +0200 openssl: upgrade to release 3.0.10 Change-Id: Iee5716bdd111e2f30cb38d48a86104da52872dd5 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155382 Tested-by: Jenkins Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp> (cherry picked from commit 72f28e12b15823197e42265af1f8dda21224c90a)
diff --git a/download.lst b/download.lst
index 58d5b64e265e..d269f5cfd3c3 100644
--- a/download.lst
+++ b/download.lst
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-OPENSSL_SHA256SUM := eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90
-OPENSSL_TARBALL := openssl-3.0.9.tar.gz
+OPENSSL_SHA256SUM := 1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
+OPENSSL_TARBALL := openssl-3.0.10.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
commit 78dee1875be7cd7f13a4d8727c152fd4241c403c Author: Christian Lohmaier <lohmaier+libreoff...@googlemail.com> AuthorDate: Sat Mar 11 21:22:55 2023 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:35:15 2023 +0200 cross-compiling on windows needs openssl to build internal python → add back OPENSSL as a permissable sub-build target and explicitly enable openssl when cross-compiling for windows_aarch64 partially reverts 4132bd5477c25a505f7bfbee1e7dcf6602c927d3 Change-Id: Ic162a2f0c6db377eadedb149fb428f0f015539f9 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148688 Tested-by: Jenkins Reviewed-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com> (cherry picked from commit 5f20f4ff21f597e55d899f5ea4dfe1c1fa5824bc)
diff --git a/configure.ac b/configure.ac
index b222b378e3b1..0c94e04acaca 100644
--- a/configure.ac
+++ b/configure.ac @@ -5629,6 +5629,9 @@ if test "$cross_compiling" = "yes"; then if test "$_os" = "Emscripten"; then sub_conf_opts="$sub_conf_opts --without-system-libxml --without-system-fontconfig --without-system-freetype --without-system-zlib" fi + # windows uses full-internal python and that in turn relies on openssl, so also enable openssl + # when cross-compiling for aarch64, overriding the defaults below + test "${PLATFORMID}" = "windows_aarch64" && sub_conf_opts="$sub_conf_opts --enable-openssl --with-tls=openssl" # Don't bother having configure look for stuff not needed for the build platform anyway # WARNING: any option with an argument containing spaces must be handled separately (see --with-theme) commit bc527b17dddfe8eb204c1702bf28bfc7c1c564ba Author: Andras Timar <andras.ti...@collabora.com> AuthorDate: Sun Feb 26 23:04:54 2023 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:34:57 2023 +0200 OpenSSL 3 is covered by Apache License v2 Change-Id: I20b30ce01b08787f560cd00cd87db9cec1699240 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147746 Tested-by: Jenkins Reviewed-by: Andras Timar <andras.ti...@collabora.com> (cherry picked from commit 62d3da841b402f7cc9421d87f3f1db714b278d40) diff --git a/readlicense_oo/license/license.xml b/readlicense_oo/license/license.xml index d1dec6ad962f..5fdcdad12d0a 100644 --- a/readlicense_oo/license/license.xml +++ b/readlicense_oo/license/license.xml 
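Review bot: The comment on the added `windows_aarch64` line says it is "overriding the defaults below", but that holds only if `$sub_conf_opts` is expanded after the default options on the sub-configure command line, which is outside this hunk; confirm the ordering, because configure keeps the last `--enable-*`/`--with-*` value it sees. The guard is also written as `test … && …` while the context just above uses `if test "$_os" = "Emscripten"; then … fi`; matching that form, `if test "${PLATFORMID}" = "windows_aarch64"; then sub_conf_opts="$sub_conf_opts --enable-openssl --with-tls=openssl"; fi`, keeps the block consistent. The enclosing `if test "$cross_compiling" = "yes"` block starts and ends outside the hunk.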
@@ -1525,78 +1525,7 @@ <h2>OpenSSL</h2> <p>The following software may be included in this product: OpenSSL. Use of any of this software is governed by the terms of the license below:</p> - <p>The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the - original SSLeay license apply to the toolkit.</p> - <p>See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case - of any license issues related to OpenSSL please contact openssl-c...@openssl.org.</p> - <h3>OpenSSL License</h3> - <p>Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.</p> - <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that - the following conditions are met:</p> - <ol> - <li>Redistribution of source code must retain the above copyright notice, this list of conditions and the - following disclaimer.</li> - <li>Redistribution in binary form must reproduce the above copyright notice, this list of conditions and - the following disclaimer in the documentation and/or other materials provided with the distribution. </li> - <li>All advertising materials mentioning features or use of this software must display the following - acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL - Toolkit. (<a href="http://www.openssl.org/">http://www.openssl.org/</a>)" </li> - <li>The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products - derived from this software without prior written permission. For written permission, please contact - openssl-c...@openssl.org. </li> - <li>Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names - without prior written permission of the OpenSSL Project. 
</li> - <li>Redistribution of any form whatsoever must retain the following acknowledgment: "This product includes - software developed by the OpenSSL Project for use in the OpenSSL Toolkit (<a href= - "http://www.openssl.org/">http://www.openssl.org/</a>)" </li> - </ol> - <p>THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, - INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p> - <p>This product includes cryptographic software written by Eric Young (e...@cryptsoft.com). This product - includes software written by Tim Hudson (t...@cryptsoft.com).</p> - <h3>Original SSLeay License</h3> - <p>Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com) All rights reserved.</p> - <p>This package is an SSL implementation written by Eric Young (<a href= - "mailto:e...@cryptsoft.com">e...@cryptsoft.com</a>).<br /> - The implementation was written so as to conform with Netscapes SSL.</p> - <p>This library is free for commercial and non-commercial use as long as the following conditions are aheared - to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, - etc., code; not just the SSL code. 
The SSL documentation included with this distribution is covered by the same - copyright terms except that the holder is Tim Hudson (t...@cryptsoft.com).</p> - <p>Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this - package is used in a product, Eric Young should be given attribution as the author of the parts of the library - used. This can be in the form of a textual message at program startup or in documentation (online or textual) - provided with the package.</p> - <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that - the following conditions are met:</p> - <ol> - <li>Redistribution of source code must retain the copyright notice, this list of conditions and the - following disclaimer.</li> - <li>Redistribution in binary form must reproduce the above copyright notice, this list of conditions and - the following disclaimer in the documentation and/or other materials provided with the distribution. </li> - <li>All advertising materials mentioning features or use of this software must display the following - acknowledgment: "This product includes cryptographic software written by Eric Young (e...@cryptsoft.com)" - The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic - related :-). </li> - <li>If you include any Windows specific code (or a derivative thereof) from the apps directory (application - code) you must include an acknowledgment: "This product includes software written by Tim Hudson - (t...@cryptsoft.com)" </li> - </ol> - <p>THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN - NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF - USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p> - <p>The license and distribution terms for any publicly available version or derivative of this code cannot be - changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU - Public License.]</p> + <p><a href="#a__Apache_License_version_2_0">Jump to Apache License Version 2.0</a></p> </div> <div class="PDFIUM"> <h2>PDFium</h2> commit 0f207267ca5597997d37b94aef652a0f0078bf68 Author: Taichi Haradaguchi <20001...@ymail.ne.jp> AuthorDate: Sun Feb 12 19:36:25 2023 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:33:09 2023 +0200 openssl: upgrade to release 3.0.9 Fixes CVE-2023-1255, CVE-2023-2650 and 3 more CVEs that probably don't affect LibreOffice. Change-Id: Ic615b008298471267121a0f4deb227ddb3a0409e Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152851 Tested-by: Jenkins Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp> (cherry picked from commit 2137d04d1ddb80691c29de0df99fc2ba58820ce0) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152970 Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit 69ea3ca8e97cb5990170e9b41e095a44313c2de7) diff --git a/download.lst b/download.lst index dcbda698e3f6..58d5b64e265e 100644 --- a/download.lst +++ b/download.lst 
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz # three static lines # so that git cherry-pick # will not run into conflicts -OPENSSL_SHA256SUM := 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e -OPENSSL_TARBALL := openssl-3.0.8.tar.gz +OPENSSL_SHA256SUM := eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90 +OPENSSL_TARBALL := openssl-3.0.9.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/openssl/README b/external/openssl/README index 399bdd56fded..eda5e7eb17ec 100644 --- a/external/openssl/README +++ b/external/openssl/README @@ -1,6 +1,6 @@ Open Source toolkit implementing SSL and TLS. -From [http://www.openssl.org/]. +From [https://www.openssl.org/]. SSL = Secure Sockets Layer (SSL v2/v3) protocol. TLS = Transport Layer Security (TLS v1) protocol. commit 49071cc5eb55880d61998954baa6c207f3e5a3c7 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Wed Feb 8 12:36:16 2023 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:28:00 2023 +0200 openssl: upgrade to release 3.0.8 Fixes CVE-2023-0401 CVE-2023-0286 CVE-2023-0217 CVE-2023-0216 CVE-2023-0215 CVE-2022-4450 CVE-2022-4304 CVE-2022-4203 CVE-2022-3996 Remove the patch that fixed CVE-2022-3996. Change-Id: I8587d780ea7dc07637278643dc1c49b577e3ae56 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/146657 Tested-by: Michael Stahl <michael.st...@allotropia.de> Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 80dd2ce29413809ca337618e313795bd9610cf80) diff --git a/download.lst b/download.lst index ff5a8f062b5c..dcbda698e3f6 100644 --- a/download.lst +++ b/download.lst 
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz # three static lines # so that git cherry-pick # will not run into conflicts -export OPENSSL_SHA256SUM := 83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e -export OPENSSL_TARBALL := openssl-3.0.7.tar.gz +OPENSSL_SHA256SUM := 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e +OPENSSL_TARBALL := openssl-3.0.8.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/openssl/0001-x509-fix-double-locking-problem.patch.1 b/external/openssl/0001-x509-fix-double-locking-problem.patch.1 deleted file mode 100644 index ec289215e1a5..000000000000 --- a/external/openssl/0001-x509-fix-double-locking-problem.patch.1 +++ /dev/null @@ -1,39 +0,0 @@ -From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001 -From: Pauli <pa...@openssl.org> -Date: Fri, 11 Nov 2022 09:40:19 +1100 -Subject: [PATCH] x509: fix double locking problem - -This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the -redundant flag setting. - -Fixes #19643 - -Fixes LOW CVE-2022-3996 - -Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> -Reviewed-by: Tomas Mraz <to...@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/19652) - -(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5) ---- - crypto/x509/pcy_map.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c -index 05406c6493..60dfd1e320 100644 ---- a/crypto/x509/pcy_map.c -+++ b/crypto/x509/pcy_map.c -@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) - - ret = 1; - bad_mapping: -- if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { -- x->ex_flags |= EXFLAG_INVALID_POLICY; -- CRYPTO_THREAD_unlock(x->lock); -- } - sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); - return ret; - --- -2.39.0 - 
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index 7ee91bb43425..2a8f3bb3f905 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk @@ -12,7 +12,6 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl)) $(eval $(call gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL),,openssl)) $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ - external/openssl/0001-x509-fix-double-locking-problem.patch.1 \ external/openssl/openssl-no-multilib.patch.0 \ external/openssl/configurable-z-option.patch.0 \ external/openssl/openssl-no-ipc-cmd.patch.0 \ diff --git a/external/openssl/system-cannot-find-path-for-move.patch.0 b/external/openssl/system-cannot-find-path-for-move.patch.0 index 7d08dd636730..421d6b8df2be 100644 --- a/external/openssl/system-cannot-find-path-for-move.patch.0 +++ b/external/openssl/system-cannot-find-path-for-move.patch.0 @@ -1,16 +1,5 @@ --- Configurations/windows-makefile.tmpl 2022-09-09 15:18:35.849924899 +0100 +++ Configurations/windows-makefile.tmpl 2022-09-09 15:20:28.895825331 +0100 -@@ -777,8 +777,8 @@ - $target: "$gen0" $deps - cmd /C "set "ASM=\$(AS)" & $generator \$@.S" - \$(CPP) $incs $cppflags $defs \$@.S > \$@.i -- move /Y \$@.i \$@ -- del /Q \$@.S -+ mv -f \$@.i \$@ -+ rm -f \$@.S - EOF - } - # Otherwise.... 
@@ -790,7 +790,7 @@ return <<"EOF"; $target: "$gen0" $deps commit 9c958481a83dce47f8a97806e1cd8504d0527945 Author: Taichi Haradaguchi <20001...@ymail.ne.jp> AuthorDate: Sat Dec 24 16:34:15 2022 +0900 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:26:37 2023 +0200 openssl3: add patch for CVE-2022-3996 Severity: Low backport <https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7>. OpenSSL 1.1.1 series are not affected by this vulnerability. Security Advisary: https://www.openssl.org/news/secadv/20221213.txt Change-Id: I42caba9c51291445fa96fc6f2280c681d6d6e582 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/144791 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit f41966222f05ab327550dc7a5cf9ad40052124b3) diff --git a/external/openssl/0001-x509-fix-double-locking-problem.patch.1 b/external/openssl/0001-x509-fix-double-locking-problem.patch.1 new file mode 100644 index 000000000000..ec289215e1a5 --- /dev/null +++ b/external/openssl/0001-x509-fix-double-locking-problem.patch.1 
@@ -0,0 +1,39 @@ +From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001 +From: Pauli <pa...@openssl.org> +Date: Fri, 11 Nov 2022 09:40:19 +1100 +Subject: [PATCH] x509: fix double locking problem + +This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the +redundant flag setting. + +Fixes #19643 + +Fixes LOW CVE-2022-3996 + +Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> +Reviewed-by: Tomas Mraz <to...@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/19652) + +(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5) +--- + crypto/x509/pcy_map.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c +index 05406c6493..60dfd1e320 100644 +--- a/crypto/x509/pcy_map.c ++++ b/crypto/x509/pcy_map.c +@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) + + ret = 1; + bad_mapping: +- if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { +- x->ex_flags |= EXFLAG_INVALID_POLICY; +- CRYPTO_THREAD_unlock(x->lock); +- } + sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); + return ret; + +-- +2.39.0 + diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index 2a8f3bb3f905..7ee91bb43425 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk 
@@ -12,6 +12,7 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl)) $(eval $(call gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL),,openssl)) $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ + external/openssl/0001-x509-fix-double-locking-problem.patch.1 \ external/openssl/openssl-no-multilib.patch.0 \ external/openssl/configurable-z-option.patch.0 \ external/openssl/openssl-no-ipc-cmd.patch.0 \ commit 4ffbbd623f87723ceb97c90d10b722409e5d11f0 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Tue Nov 8 13:05:39 2022 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:25:41 2023 +0200 openssl: patch out another call to IPC::Cmd ... which is used when cross-compiling. Change-Id: I08f5ccd5d9418a81c9b1273667133065552325dc Reviewed-on: https://gerrit.libreoffice.org/c/core/+/143387 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> (cherry picked from commit 7ea19dd9086c9afe1a044716ca7f9643442a846c) diff --git a/external/openssl/openssl-no-ipc-cmd.patch.0 b/external/openssl/openssl-no-ipc-cmd.patch.0 index 75ed669eabc9..7f75b8ce64fe 100644 --- a/external/openssl/openssl-no-ipc-cmd.patch.0 +++ b/external/openssl/openssl-no-ipc-cmd.patch.0 
@@ -63,3 +63,21 @@ if ( $SYSTEM eq "SunOS" ) { # check for Oracle Developer Studio, expected output is "cc: blah-blah C x.x blah-blah" +--- util/perl/OpenSSL/config.pm.orig 2022-11-08 12:54:59.751298823 +0100 ++++ util/perl/OpenSSL/config.pm 2022-11-08 12:55:16.436287053 +0100 +@@ -52,13 +52,13 @@ + my @cc_version = + ( + clang => sub { +- return undef unless IPC::Cmd::can_run("$CROSS_COMPILE$CC"); ++ return undef; # unless IPC::Cmd::can_run("$CROSS_COMPILE$CC"); + my $v = `$CROSS_COMPILE$CC -v 2>&1`; + $v =~ m/(?:(?:clang|LLVM) version|.*based on LLVM)\s+([0-9]+\.[0-9]+)/; + return $1; + }, + gnu => sub { +- return undef unless IPC::Cmd::can_run("$CROSS_COMPILE$CC"); ++ return undef; # unless IPC::Cmd::can_run("$CROSS_COMPILE$CC"); + my $nul = File::Spec->devnull(); + my $v = `$CROSS_COMPILE$CC -dumpversion 2> $nul`; + # Strip off whatever prefix egcs prepends the number with. commit 72246c020dc4ab65e70bd66bd2fd86ab7d93597e Author: Taichi Haradaguchi <20001...@ymail.ne.jp> AuthorDate: Thu Nov 3 13:34:28 2022 +0900 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:24:29 2023 +0200 external/openssl: fix and remove some patches * openssl-no-multilib.patch.0: fix patch coverage * opensslios.patch: remove this patch as it is not used. Change-Id: I4651fc4107992bdaaefc2af3d0ff04c7bf26fa87 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/142190 Reviewed-by: Caolán McNamara <caol...@redhat.com> Tested-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit dbd5667793f2b333e7e00e720bb09d917a3468db) diff --git a/external/openssl/openssl-no-multilib.patch.0 b/external/openssl/openssl-no-multilib.patch.0 index 83137fe5b712..da9adf35785a 100644 --- a/external/openssl/openssl-no-multilib.patch.0 +++ b/external/openssl/openssl-no-multilib.patch.0 
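Review bot: In the added `util/perl/OpenSSL/config.pm` section both the `clang` and the `gnu` entry of `@cc_version` now begin with an unconditional `return undef;`, so the backtick probe and the regex below each are unreachable and compiler version detection is switched off rather than made independent of IPC::Cmd. The trailing `# unless IPC::Cmd::can_run("$CROSS_COMPILE$CC");` makes the line read as if the guard were still conditional. If disabling the probe is intended, say so in the patch, for example `return undef; # LibreOffice: IPC::Cmd is not a build dependency, version probe disabled`, and check in the rest of config.pm (outside this hunk) that no target or flag selection depends on that version. Both subs continue past the lines shown here.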
@@ -1,6 +1,6 @@ --- Configure.orig 2020-04-21 14:22:39.000000000 +0200 +++ Configure 2020-07-07 17:25:19.256297500 +0200 -@@ -28,7 +28,7 @@ +@@ -27,7 +27,7 @@ my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; @@ -9,7 +9,7 @@ my $banner = <<"EOF"; -@@ -87,6 +87,7 @@ +@@ -86,6 +86,7 @@ # If disabled, it also disables shared and dynamic-engine. # no-asm do not use assembler # no-egd do not compile support for the entropy-gathering daemon APIs @@ -17,7 +17,7 @@ # [no-]zlib [don't] compile support for zlib compression. # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared # library and will be loaded in run-time by the OpenSSL library. -@@ -459,6 +460,7 @@ +@@ -458,6 +459,7 @@ "module", "msan", "multiblock", @@ -25,7 +25,7 @@ "nextprotoneg", "ocb", "ocsp", -@@ -1917,6 +1919,10 @@ +@@ -1907,6 +1909,10 @@ my @build_dirs = ( [ ] ); # current directory commit fead5b36b56f55d267871a4483faff76ee254860 Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Wed Nov 2 16:08:31 2022 +0000 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:21:21 2023 +0200 upgrade to openssl 3.0.7 Change-Id: I92eb4f6ce4c7eb38651ed94b9704ce10804e5224 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/142180 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit fc29f11d6e1737b26eb89efababc89cf700e0f05) diff --git a/download.lst b/download.lst index 705ca4e376d2..ff5a8f062b5c 100644 --- a/download.lst +++ b/download.lst 
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-export OPENSSL_SHA256SUM := aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a
-export OPENSSL_TARBALL := openssl-3.0.5.tar.gz
+export OPENSSL_SHA256SUM := 83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e
+export OPENSSL_TARBALL := openssl-3.0.7.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1 b/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
deleted file mode 100644
index 45ce5a9038e5..000000000000
--- a/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
+++ /dev/null
@@ -1,54 +0,0 @@ -From c04b8819161de007cee831dd9e58dde52268da18 Mon Sep 17 00:00:00 2001 -From: Richard Levitte <levi...@openssl.org> -Date: Mon, 25 Jul 2022 08:07:33 +0200 -Subject: [PATCH] Configurations/10-main.conf: In the VC-common target, unquote - $(CC) - -Some of the VC-common attributes have values that use `$(CC)`, wrapped with -quotes. However, `Configurations/windows-makefile.tmpl` already quotes the -`CC` value, like this: - - CC="{- $config{CC} -}" - -The interaction between that makefile variable and the attributes using -`$(CC)` wrapped with quotes is a command line with the quotes doubled. For -example, the value of `$(CPP)` becomes `""cl""`. - -Strangely enough, this appears to be tolerated, at least on some versions of -Windows. However, this has been reported not to be the case. - -This is fixed by removing the quotes in `Configurations/10-main.conf`, -making `Configurations/windows-makefile.tmpl` responsible for proper -quoting. - -Fixes #18823 - -Reviewed-by: Hugo Landau <hlan...@openssl.org> -Reviewed-by: Matt Caswell <m...@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/18861) ---- - Configurations/10-main.conf | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index c824f4ed4a0..73ace78bc41 100644 ---- a/Configurations/10-main.conf -+++ b/Configurations/10-main.conf -@@ -1309,7 +1309,7 @@ my %targets = ( - inherit_from => [ "BASE_Windows" ], - template => 1, - CC => "cl", -- CPP => '"$(CC)" /EP /C', -+ CPP => '$(CC) /EP /C', - CFLAGS => "/W3 /wd4090 /nologo", - coutflag => "/Fo", - LD => "link", -@@ -1318,7 +1318,7 @@ my %targets = ( - ldpostoutflag => "", - ld_resp_delim => "\n", - bin_lflags => "setargv.obj", -- makedepcmd => '"$(CC)" /Zs /showIncludes', -+ makedepcmd => '$(CC) /Zs /showIncludes', - makedep_scheme => 'VC', - AR => "lib", - ARFLAGS => "/nologo", 
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index 18ed71850627..2a8f3bb3f905 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk @@ -15,7 +15,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ external/openssl/openssl-no-multilib.patch.0 \ external/openssl/configurable-z-option.patch.0 \ external/openssl/openssl-no-ipc-cmd.patch.0 \ - external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1 \ external/openssl/system-cannot-find-path-for-move.patch.0 \ )) diff --git a/external/openssl/openssl-no-ipc-cmd.patch.0 b/external/openssl/openssl-no-ipc-cmd.patch.0 index f844831a34ae..75ed669eabc9 100644 --- a/external/openssl/openssl-no-ipc-cmd.patch.0 +++ b/external/openssl/openssl-no-ipc-cmd.patch.0 @@ -1,15 +1,15 @@ --- util/perl/OpenSSL/config.pm 2022-09-08 11:45:57.408532119 +0100 +++ util/perl/OpenSSL/config.pm 2022-09-08 11:47:46.877590711 +0100 -@@ -15,7 +15,7 @@ - use warnings; +@@ -16,7 +16,7 @@ use Getopt::Std; use File::Basename; + use File::Spec; -use IPC::Cmd; +# use IPC::Cmd; use POSIX; + use Config; use Carp; - -@@ -193,7 +193,8 @@ +@@ -205,7 +205,8 @@ # Look for ISC/SCO with its unique uname program sub is_sco_uname { @@ -19,7 +19,7 @@ open UNAME, "uname -X 2>/dev/null|" or return ''; my $line = ""; -@@ -291,13 +292,13 @@ +@@ -303,13 +304,13 @@ $CCVENDOR = ''; # Dunno, don't care (unless found later) # Find a compiler if we don't already have one 
@@ -40,7 +40,7 @@ if ( $CC ) { # Find the compiler vendor and version number for certain compilers -@@ -352,14 +353,14 @@ +@@ -364,14 +365,14 @@ } } commit 94c5ee02d286e680716feb101c084afc887d4fbd Author: Caolán McNamara <caol...@redhat.com> AuthorDate: Thu Sep 8 11:08:36 2022 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:19:54 2023 +0200 upgrade to openssl-3.0.5 patch out using IPC::Cmd instead of requiring adding it to build-time dependencies for mysterious: The system cannot find the path specified. NMAKE : fatal error U1077: '""C:\PROGRA~2\MIB055~1\2019\COMMUN~1\VC\Tools\MSVC\1429~1.301\bin\Hostx64\x86\cl.exe' : return code '0x1' Stop. NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\Hostx64\x86\nmake.exe"' : return code '0x2' Stop. include fix from https://github.com/openssl/openssl/issues/18823 and for move /Y crypto/aes/aes-586.asm.i crypto/aes/aes-586.asm The system cannot find the path specified. NMAKE : fatal error U1077: 'move' : return code '0x1' add own patch to use mv and rm for move and del Change-Id: I071750e20efd0931ea1c5c3b49e7a5173c7283f8 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/139641 Tested-by: Jenkins Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit a539db002bc9ee6692d14cde2aaa166bd213eb51) diff --git a/bin/symstore.sh b/bin/symstore.sh index 2734f1b22a58..332c9d817f56 100755 --- a/bin/symstore.sh +++ b/bin/symstore.sh @@ -16,8 +16,8 @@ EXCLUDE_LIST="python.exe" # # Same format as for EXCLUDE_LIST above MOREPDBS_OKLIST="libcurl.dll -libcrypto-1_1.dll -libssl-1_1.dll +libcrypto-3.dll +libssl-3.dll freebl3.dll libeay32.dll nspr4.dll diff --git a/download.lst b/download.lst index 3419a960db37..705ca4e376d2 100644 --- a/download.lst +++ b/download.lst 
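Review bot: The two renamed entries in `MOREPDBS_OKLIST` cover only the unsuffixed names `libcrypto-3.dll` and `libssl-3.dll`, whereas stock OpenSSL 3 gives its 64-bit Windows libraries an architecture suffix (`libcrypto-3-x64.dll`, `libssl-3-x64.dll`). If this list is matched against the file names of a 64-bit build, those PDBs would be left out of the symbol store; how the list is consumed is outside this hunk, and the suffix may be suppressed by the build's openssl-no-multilib.patch.0, so confirm against the DLL names the build actually ships. The context line `libeay32.dll` is the pre-1.1 OpenSSL library name and looks stale too. A comment above the entries such as `# OpenSSL 3; check for an -x64/-arm64 suffix on 64-bit builds` would keep the next bump from missing this.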
@@ -439,8 +439,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-OPENSSL_SHA256SUM := 8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b
-OPENSSL_TARBALL := openssl-1.1.1t.tar.gz
+export OPENSSL_SHA256SUM := aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a
+export OPENSSL_TARBALL := openssl-3.0.5.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1 b/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
new file mode 100644
index 000000000000..45ce5a9038e5
--- /dev/null
+++ b/external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1
@@ -0,0 +1,54 @@
+From c04b8819161de007cee831dd9e58dde52268da18 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levi...@openssl.org>
+Date: Mon, 25 Jul 2022 08:07:33 +0200
+Subject: [PATCH] Configurations/10-main.conf: In the VC-common target, unquote
+ $(CC)
+
+Some of the VC-common attributes have values that use `$(CC)`, wrapped with
+quotes. However, `Configurations/windows-makefile.tmpl` already quotes the
+`CC` value, like this:
+
+ CC="{- $config{CC} -}"
+
+The interaction between that makefile variable and the attributes using
+`$(CC)` wrapped with quotes is a command line with the quotes doubled. For
+example, the value of `$(CPP)` becomes `""cl""`.
+
+Strangely enough, this appears to be tolerated, at least on some versions of
+Windows. However, this has been reported not to be the case.
+
+This is fixed by removing the quotes in `Configurations/10-main.conf`,
+making `Configurations/windows-makefile.tmpl` responsible for proper
+quoting.
+
+Fixes #18823
+
+Reviewed-by: Hugo Landau <hlan...@openssl.org>
+Reviewed-by: Matt Caswell <m...@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/18861)
+---
+ Configurations/10-main.conf | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
+index c824f4ed4a0..73ace78bc41 100644
+--- a/Configurations/10-main.conf
++++ b/Configurations/10-main.conf
+@@ -1309,7 +1309,7 @@ my %targets = (
+ inherit_from => [ "BASE_Windows" ],
+ template => 1,
+ CC => "cl",
+- CPP => '"$(CC)" /EP /C',
++ CPP => '$(CC) /EP /C',
+ CFLAGS => "/W3 /wd4090 /nologo",
+ coutflag => "/Fo",
+ LD => "link",
+@@ -1318,7 +1318,7 @@ my %targets = (
+ ldpostoutflag => "",
+ ld_resp_delim => "\n",
+ bin_lflags => "setargv.obj",
+- makedepcmd => '"$(CC)" /Zs /showIncludes',
++ makedepcmd => '$(CC) /Zs /showIncludes',
+ makedep_scheme => 'VC',
+ AR => "lib",
+ ARFLAGS => "/nologo",
diff --git a/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1 b/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
deleted file mode 100644
index f87f8f588840..000000000000
--- a/external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1
+++ /dev/null
@@ -1,222 +0,0 @@ -From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001 -From: Pauli <pa...@openssl.org> -Date: Wed, 8 Mar 2023 15:28:20 +1100 -Subject: [PATCH] x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz <to...@openssl.org> -Reviewed-by: Shane Lontis <shane.lon...@oracle.com> -(Merged from https://github.com/openssl/openssl/pull/20569) ---- - crypto/x509v3/pcy_local.h | 8 +++++++- - crypto/x509v3/pcy_node.c | 12 +++++++++--- - crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++---------- - 3 files changed, 43 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h -index 5daf78de45..344aa06765 100644 ---- a/crypto/x509v3/pcy_local.h -+++ b/crypto/x509v3/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void policy_node_free(X509_POLICY_NODE *node); - int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509v3/pcy_node.c 
b/crypto/x509v3/pcy_node.c -index e2d7b15322..d574fb9d66 100644 ---- a/crypto/x509v3/pcy_node.c -+++ b/crypto/x509v3/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c -index 6e8322cbc5..6c7fd35405 100644 ---- a/crypto/x509v3/pcy_tree.c -+++ b/crypto/x509v3/pcy_tree.c -@@ -13,6 +13,18 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. 
-+ */ -+ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - /* - * Enable this to print out the complete policy tree at various point during - * evaluation. -@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. - * -@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - level = tree->levels; - if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (level_add_node(level, data, NULL, tree) == NULL) { -+ if (level_add_node(level, data, NULL, tree, 1) == NULL) { - policy_data_free(data); - goto bad_tree; - } -@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (policy_node_match(last, node, data->valid_policy)) { -- if (level_add_node(curr, data, node, NULL) == NULL) -+ if (level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. 
- */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (level_add_node(curr, data, node, tree) == NULL) { -+ if (level_add_node(curr, data, node, tree, 1) == NULL) { - policy_data_free(data); - return 0; - } -@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - } - /* Finally add link to anyPolicy */ - if (last->anyPolicy && -- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL) -+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->qualifier_set = anyPolicy->data->qualifier_set; - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; -- node = level_add_node(NULL, extra, anyPolicy->parent, tree); -+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) --- -2.34.1 - 
diff --git a/external/openssl/ExternalPackage_openssl.mk b/external/openssl/ExternalPackage_openssl.mk index d0c0dbaab975..7d02dfc6ed1c 100644 --- a/external/openssl/ExternalPackage_openssl.mk +++ b/external/openssl/ExternalPackage_openssl.mk @@ -13,14 +13,14 @@ $(eval $(call gb_ExternalPackage_use_external_project,openssl,openssl)) ifeq ($(COM),MSC) $(eval $(call gb_ExternalPackage_add_files,openssl,$(LIBO_LIB_FOLDER),\ - libcrypto-1_1.dll \ - libssl-1_1.dll \ + libcrypto-3.dll \ + libssl-3.dll \ )) ifneq ($(DISABLE_PYTHON),TRUE) ifneq ($(SYSTEM_PYTHON),TRUE) $(eval $(call gb_ExternalPackage_add_files,openssl,$(LIBO_LIB_FOLDER)/python-core-$(PYTHON_VERSION)/lib, \ - libcrypto-1_1.dll \ - libssl-1_1.dll \ + libcrypto-3.dll \ + libssl-3.dll \ )) endif endif diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk index 650ca154d80e..18ed71850627 100644 --- a/external/openssl/UnpackedTarball_openssl.mk +++ b/external/openssl/UnpackedTarball_openssl.mk @@ -12,10 +12,11 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl)) $(eval $(call gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL),,openssl)) $(eval $(call gb_UnpackedTarball_add_patches,openssl,\ - external/openssl/0001-x509-excessive-resource-use-verifying-policy-constra.patch.1 \ external/openssl/openssl-no-multilib.patch.0 \ external/openssl/configurable-z-option.patch.0 \ - external/openssl/openssl-no-_umul128-on-aarch64.patch.1 \ + external/openssl/openssl-no-ipc-cmd.patch.0 \ + external/openssl/0001-Inthe-VC-common-target-unquote-CC.patch.1 \ + external/openssl/system-cannot-find-path-for-move.patch.0 \ )) # vim: set noet sw=4 ts=4: diff --git a/external/openssl/configurable-z-option.patch.0 b/external/openssl/configurable-z-option.patch.0 index 3dcf49dc81a6..9a4426edd5d2 100644 --- a/external/openssl/configurable-z-option.patch.0 +++ b/external/openssl/configurable-z-option.patch.0 
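Review bot: In `UnpackedTarball_openssl.mk`, removing `0001-x509-excessive-resource-use-verifying-policy-constra.patch.1` from `gb_UnpackedTarball_add_patches` drops the CVE-2023-0464 policy-tree node limit with nothing replacing it at this commit. The deleted patch is dated 8 Mar 2023, while this upgrade to 3.0.5 was authored in Sep 2022, so the 3.0.5 tarball cannot already include that fix; the series only reaches 3.0.10 in a later commit. Either land the two commits together or record the gap next to the patch list, e.g. `# CVE-2023-0464 patch dropped (targets crypto/x509v3/, presumably no longer applies); fix expected from the follow-up OPENSSL_TARBALL bump`. It is also worth confirming against the upstream advisory that the final tarball version contains the fix before any build is cut from this intermediate state.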
@@ -18,7 +18,7 @@ asflags => "/Cp /coff /c /Cx", asoutflag => "/Fo", perlasm_scheme => "win32" }; -@@ -1231,10 +1231,10 @@ +@@ -1323,10 +1323,10 @@ "UNICODE", "_UNICODE", "_CRT_SECURE_NO_DEPRECATE", "_WINSOCK_DEPRECATED_NO_WARNINGS"), @@ -29,6 +29,6 @@ - bin_cflags => "/Zi /Fdapp.pdb", + dso_cflags => "\$(DEBUG_FLAGS_VALUE)", + bin_cflags => "\$(DEBUG_FLAGS_VALUE)", + # def_flag made to empty string so a .def file gets generated + shared_defflag => '', shared_ldflag => "/dll", - shared_target => "win-shared", # meaningless except it gives Configure a hint - thread_scheme => "winthreads", diff --git a/external/openssl/openssl-no-_umul128-on-aarch64.patch.1 b/external/openssl/openssl-no-_umul128-on-aarch64.patch.1 deleted file mode 100644 index c7ca53bc574c..000000000000 --- a/external/openssl/openssl-no-_umul128-on-aarch64.patch.1 +++ /dev/null 
@@ -1,58 +0,0 @@ -From 98f9a401c3964c7ff0e6ca048685e28a2a6401d4 Mon Sep 17 00:00:00 2001 -From: Hubert Kario <hka...@redhat.com> -Date: Wed, 8 Feb 2023 14:13:24 +0100 -Subject: [PATCH] rsa: add msvc intrinsic for non x64 platforms - -_umul128() is x86_64 (x64) only, while __umulh() works everywhere, but -doesn't generate optimal code on x64 - -Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com> -Reviewed-by: Paul Dale <pa...@openssl.org> -Reviewed-by: Tomas Mraz <to...@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/20244) - -(cherry picked from commit 075652f224479dad2e64b92e791b296177af8705) ---- - crypto/bn/rsa_sup_mul.c | 24 +++++++++++++++++++++++- - 1 file changed, 23 insertions(+), 1 deletion(-) - -diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c -index 0e0d02e1946e..3b57161b4589 100644 ---- a/crypto/bn/rsa_sup_mul.c -+++ b/crypto/bn/rsa_sup_mul.c -@@ -110,12 +110,34 @@ static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) - *lo = (limb_t)t; - } - #elif (BN_BYTES == 8) && (defined _MSC_VER) --/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -+# if defined(_M_X64) -+/* -+ * on x86_64 (x64) we can use the _umul128 intrinsic to get one `mul` -+ * instruction to get both high and low 64 bits of the multiplication. 
-+ * https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-140 -+ */ -+#include <intrin.h> - #pragma intrinsic(_umul128) - static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) - { - *lo = _umul128(a, b, hi); - } -+# elif defined(_M_ARM64) || defined (_M_IA64) -+/* -+ * We can't use the __umulh() on x86_64 as then msvc generates two `mul` -+ * instructions; so use this more portable intrinsic on platforms that -+ * don't support _umul128 (like aarch64 (ARM64) or ia64) -+ * https://learn.microsoft.com/en-us/cpp/intrinsics/umulh?view=msvc-140 -+ */ -+#include <intrin.h> -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ *lo = a * b; -+ *hi = __umulh(a, b); -+} -+# else -+# error Only x64, ARM64 and IA64 supported. -+# endif /* defined(_M_X64) */ - #else - /* - * if the compiler doesn't have either a 128bit data type nor a "return diff --git a/external/openssl/openssl-no-ipc-cmd.patch.0 b/external/openssl/openssl-no-ipc-cmd.patch.0 new file mode 100644 index 000000000000..f844831a34ae --- /dev/null +++ b/external/openssl/openssl-no-ipc-cmd.patch.0 
@@ -0,0 +1,65 @@ +--- util/perl/OpenSSL/config.pm 2022-09-08 11:45:57.408532119 +0100 ++++ util/perl/OpenSSL/config.pm 2022-09-08 11:47:46.877590711 +0100 +@@ -15,7 +15,7 @@ + use warnings; + use Getopt::Std; + use File::Basename; +-use IPC::Cmd; ++# use IPC::Cmd; + use POSIX; + use Carp; + +@@ -193,7 +193,8 @@ + + # Look for ISC/SCO with its unique uname program + sub is_sco_uname { +- return undef unless IPC::Cmd::can_run('uname'); ++ return undef; ++# return undef unless IPC::Cmd::can_run('uname'); + + open UNAME, "uname -X 2>/dev/null|" or return ''; + my $line = ""; +@@ -291,13 +292,13 @@ + $CCVENDOR = ''; # Dunno, don't care (unless found later) + + # Find a compiler if we don't already have one +- if ( ! $cc ) { +- foreach (@c_compilers) { +- next unless IPC::Cmd::can_run("$CROSS_COMPILE$_"); +- $CC = $_; +- last; +- } +- } ++# if ( ! $cc ) { ++# foreach (@c_compilers) { ++# next unless IPC::Cmd::can_run("$CROSS_COMPILE$_"); ++# $CC = $_; ++# last; ++# } ++# } + + if ( $CC ) { + # Find the compiler vendor and version number for certain compilers +@@ -352,14 +353,14 @@ + } + } + +- if ( ${SYSTEM} eq 'AIX' ) { +- # favor vendor cc over gcc +- if (IPC::Cmd::can_run('cc')) { +- $CC = 'cc'; +- $CCVENDOR = ''; # Determine later +- $CCVER = 0; +- } +- } ++# if ( ${SYSTEM} eq 'AIX' ) { ++# # favor vendor cc over gcc ++# if (IPC::Cmd::can_run('cc')) { ++# $CC = 'cc'; ++# $CCVENDOR = ''; # Determine later ++# $CCVER = 0; ++# } ++# } + + if ( $SYSTEM eq "SunOS" ) { + # check for Oracle Developer Studio, expected output is "cc: blah-blah C x.x blah-blah" diff --git a/external/openssl/openssl-no-multilib.patch.0 b/external/openssl/openssl-no-multilib.patch.0 index 07c45318ac25..83137fe5b712 100644 --- a/external/openssl/openssl-no-multilib.patch.0 +++ b/external/openssl/openssl-no-multilib.patch.0 
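Review bot: The compiler search in `util/perl/OpenSSL/config.pm` is commented out rather than replaced, so after this patch `$CC` appears to be set only when the caller supplies it, and `is_sco_uname` returns `undef` unconditionally with the `uname -X` code left unreachable below it. The patch file carries no header explaining this, and the disabled lines kept as comments make every later offset refresh harder to check. I would add a short preamble above the `---` line, along the lines of `IPC::Cmd is not a guaranteed build-time dependency; compiler autodetection is disabled, the build must pass CC explicitly`, and delete the disabled lines instead of commenting them. Whether the openssl build always passes a compiler to Configure is not visible in this hunk and should be checked.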
@@ -1,15 +1,15 @@ --- Configure.orig 2020-04-21 14:22:39.000000000 +0200 +++ Configure 2020-07-07 17:25:19.256297500 +0200 -@@ -24,7 +24,7 @@ +@@ -28,7 +28,7 @@ my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; -my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; +my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [no-multilib] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; - # Options: - # -@@ -59,6 +59,7 @@ + my $banner = <<"EOF"; + +@@ -87,6 +87,7 @@ # If disabled, it also disables shared and dynamic-engine. # no-asm do not use assembler # no-egd do not compile support for the entropy-gathering daemon APIs @@ -17,22 +17,22 @@ # [no-]zlib [don't] compile support for zlib compression. # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared # library and will be loaded in run-time by the OpenSSL library. -@@ -383,6 +384,7 @@ - "mdc2", +@@ -459,6 +460,7 @@ + "module", "msan", "multiblock", + "multilib", "nextprotoneg", - "pinshared", "ocb", -@@ -1754,6 +1756,10 @@ - if (-f catfile($srcdir, "test", $_, "build.info")); - } + "ocsp", +@@ -1917,6 +1919,10 @@ + + my @build_dirs = ( [ ] ); # current directory + if ($disabled{"multilib"}) { + $target{"multilib"} = ""; + } -+ ++ $config{build_infos} = [ ]; - my %ordinals = (); + # We want to detect configdata.pm in the source tree, so we diff --git a/external/openssl/system-cannot-find-path-for-move.patch.0 b/external/openssl/system-cannot-find-path-for-move.patch.0 new file mode 100644 index 000000000000..7d08dd636730 
--- /dev/null +++ b/external/openssl/system-cannot-find-path-for-move.patch.0 @@ -0,0 +1,22 @@ +--- Configurations/windows-makefile.tmpl 2022-09-09 15:18:35.849924899 +0100 ++++ Configurations/windows-makefile.tmpl 2022-09-09 15:20:28.895825331 +0100 +@@ -777,8 +777,8 @@ + $target: "$gen0" $deps + cmd /C "set "ASM=\$(AS)" & $generator \$@.S" + \$(CPP) $incs $cppflags $defs \$@.S > \$@.i +- move /Y \$@.i \$@ +- del /Q \$@.S ++ mv -f \$@.i \$@ ++ rm -f \$@.S + EOF + } + # Otherwise.... +@@ -790,7 +790,7 @@ + return <<"EOF"; + $target: "$gen0" $deps + \$(CPP) $incs $cppflags $defs "$gen0" > \$@.i +- move /Y \$@.i \$@ ++ mv -f \$@.i \$@ + EOF + } elsif ($gen0 =~ m|^.*\.in$|) { + # diff --git a/external/python3/python-3.7.6-msvc-ssl.patch.1 b/external/python3/python-3.7.6-msvc-ssl.patch.1 index 17cc440f2204..50b1c65645df 100644 --- a/external/python3/python-3.7.6-msvc-ssl.patch.1 +++ b/external/python3/python-3.7.6-msvc-ssl.patch.1 
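Review bot: The generated nmake rules in `Configurations/windows-makefile.tmpl` now run `mv -f` and `rm -f`, which are looked up on PATH at build time, and nothing in the patch states which environment is expected to provide them. That makes the preprocessed-assembler step depend on whichever `mv` and `rm` come first on the builder's PATH, an undocumented build-time dependency for a crypto library. A preamble above the `---` line would make it explicit, for example `nmake is run from a POSIX shell here; move/del fail with "The system cannot find the path specified", so mv/rm from that shell environment are required`. The `\$@` operands stay unquoted as before, so output paths containing spaces would still break these recipes.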
@@ -14,12 +14,14 @@ No use for applink.c OPENSSL_Applink, everything is compiled with the same MSVC <ResourceCompile Include="..\PC\python_nt.rc" /> --- python3/PCbuild/openssl.props.orig 2019-12-23 16:20:34.588135900 +0100 +++ python3/PCbuild/openssl.props 2019-12-23 16:20:51.074001300 +0100 -@@ -6,8 +6,6 @@ +@@ -10,9 +10,7 @@ + </Link> </ItemDefinitionGroup> <PropertyGroup> - <_DLLSuffix>-1_1</_DLLSuffix> +- <_DLLSuffix>-1_1</_DLLSuffix> - <_DLLSuffix Condition="$(Platform) == 'ARM'">$(_DLLSuffix)-arm</_DLLSuffix> - <_DLLSuffix Condition="$(Platform) == 'ARM64'">$(_DLLSuffix)-arm64</_DLLSuffix> ++ <_DLLSuffix>-3</_DLLSuffix> </PropertyGroup> <ItemGroup> <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" /> commit 8a7c6657293187bbd093066617bea0f033beeab9 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Mon Sep 25 12:03:35 2023 +0200 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Mon Sep 25 12:04:44 2023 +0200 Revert "external/openssl: fix and remove some patches" This reverts commit 983f68e3f5e8bb5c1ac2618fc49f4b01b3de5c0c. [ Except the deletion of ios patch ] Change-Id: Ic3cc29cfba172b2d170399c44c483befd896c242 diff --git a/external/openssl/configurable-z-option.patch.0 b/external/openssl/configurable-z-option.patch.0 index 99d46f75410d..3dcf49dc81a6 100644 --- a/external/openssl/configurable-z-option.patch.0 +++ b/external/openssl/configurable-z-option.patch.0 @@ -18,7 +18,7 @@ asflags => "/Cp /coff /c /Cx", asoutflag => "/Fo", perlasm_scheme => "win32" }; -@@ -1252,10 +1252,10 @@ +@@ -1231,10 +1231,10 @@ "UNICODE", "_UNICODE", "_CRT_SECURE_NO_DEPRECATE", "_WINSOCK_DEPRECATED_NO_WARNINGS"), diff --git a/external/openssl/openssl-no-multilib.patch.0 b/external/openssl/openssl-no-multilib.patch.0 index 3d0083ed4793..07c45318ac25 100644 --- a/external/openssl/openssl-no-multilib.patch.0 +++ b/external/openssl/openssl-no-multilib.patch.0 
@@ -17,7 +17,7 @@ # [no-]zlib [don't] compile support for zlib compression. # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared # library and will be loaded in run-time by the OpenSSL library. -@@ -393,6 +394,7 @@ +@@ -383,6 +384,7 @@ "mdc2", "msan", "multiblock", @@ -25,7 +25,7 @@ "nextprotoneg", "pinshared", "ocb", -@@ -1770,6 +1772,10 @@ +@@ -1754,6 +1756,10 @@ if (-f catfile($srcdir, "test", $_, "build.info")); }