update openssl to 3.4.0 (#567)

chouquette · web-flow · commit d4a12d8a009e · 2025-01-30T09:08:55.000+01:00
* update openssl to 3.4.0

* enforce the default install path for openssl config

* attempt to fix path to config dir

* fix openssldir arg

* provide a context name

* use the 3.3 naming for OPENSSL_CTX

* attempt to workaround hardcoded path for windows

* fix prefix being split at whitespace

* fix copy

* assume we're going to use openssl 3.4

* use the correct but undocumented define for OSSLCTX

* fix preprocessor concatenation

* update patch

* update patch

* update patch, again

* update the patch, again again
diff --git a/config/patches/openssl3/0001-fix-preprocessor-concatenation.patch b/config/patches/openssl3/0001-fix-preprocessor-concatenation.patch
@@ -0,0 +1,116 @@
+From d5dacfca529711ba95662dc7411493ac6f1d99c7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hugo=20Beauz=C3=A9e-Luyssen?= <hugo@beauzee.fr>
+Date: Mon, 27 Jan 2025 08:36:07 +0100
+Subject: [PATCH] crypto: fix preprocessor concatenation
+
+String litteral don't need the '##' operator, which causes build
+failures:
+crypto/defaults.c:kepi:23: error: pasting ""SOFTWARE\\WOW6432Node\\OpenSSL"" and ""-"" does not give a valid preprocessing token
+---
+ crypto/cversion.c |  2 +-
+ crypto/defaults.c | 38 ++++++++++++++++++++------------------
+ 2 files changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/crypto/cversion.c b/crypto/cversion.c
+index 87154645b0..ae439c668b 100644
+--- a/crypto/cversion.c
++++ b/crypto/cversion.c
+@@ -72,7 +72,7 @@ DEFINE_RUN_ONCE_STATIC(version_strings_setup)
+ }
+ 
+ # define TOSTR(x) #x
+-# define OSSL_WINCTX_STRING "OSSL_WINCTX: \"" ## TOSTR(OSSL_WINCTX) ## "\""
++# define OSSL_WINCTX_STRING "OSSL_WINCTX: \"" TOSTR(OSSL_WINCTX) "\""
+ 
+ #endif
+ 
+diff --git a/crypto/defaults.c b/crypto/defaults.c
+index 908539cf31..3272087228 100644
+--- a/crypto/defaults.c
++++ b/crypto/defaults.c
+@@ -19,7 +19,7 @@
+ # define MAKESTR(x) TOSTR(x)
+ # define NOQUOTE(x) x
+ # if defined(OSSL_WINCTX)
+-# define REGISTRY_KEY "SOFTWARE\\WOW6432Node\\OpenSSL" ##"-"## MAKESTR(OPENSSL_VERSION_MAJOR) ##"."## MAKESTR(OPENSSL_VERSION_MINOR) ##"-"## MAKESTR(OSSL_WINCTX)
++#  define REGISTRY_KEY "SOFTWARE\\WOW6432Node\\OpenSSL" "-" MAKESTR(OPENSSL_VERSION_MAJOR) "." MAKESTR(OPENSSL_VERSION_MINOR) "-" MAKESTR(OSSL_WINCTX)
+ # endif
+ 
+ /**
+@@ -60,44 +60,46 @@ static char *modulesdirptr = NULL;
+  *
+  * @return A pointer to a char array containing the registry directories.
+  */
+-static char *get_windows_regdirs(char *dst, LPCTSTR valuename)
++static char *get_windows_regdirs(char *dst, DWORD dstsizebytes, LPCWSTR valuename)
+ {
+     char *retval = NULL;
+ # ifdef REGISTRY_KEY
+-    DWORD keysize;
++    DWORD keysizebytes;
+     DWORD ktype;
+     HKEY hkey;
+     LSTATUS ret;
+     DWORD index = 0;
+-    LPCTCH tempstr = NULL;
+-   
++    LPCWSTR tempstr = NULL;
++
+     ret = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
+                        TEXT(REGISTRY_KEY), KEY_WOW64_32KEY,
+                        KEY_QUERY_VALUE, &hkey);
+     if (ret != ERROR_SUCCESS)
+         goto out;
+ 
+-    ret = RegQueryValueEx(hkey, valuename, NULL, &ktype, NULL,
+-                          &keysize);
++    // Always use wide call so we can avoid extra encoding conversions on the output
++    ret = RegQueryValueExW(hkey, valuename, NULL, &ktype, NULL,
++                          &keysizebytes);
+     if (ret != ERROR_SUCCESS)
+         goto out;
+-    if (ktype != REG_EXPAND_SZ)
++    if (ktype != REG_EXPAND_SZ && ktype != REG_SZ)
+         goto out;
+-    if (keysize > MAX_PATH)
++    if (keysizebytes > MAX_PATH*sizeof(WCHAR))
+         goto out;
+ 
+-    keysize++;
+-    tempstr = OPENSSL_zalloc(keysize * sizeof(TCHAR));
++    // RegQueryValueExW does not guarantee the buffer is null terminated,
++    // so we make space for one in the allocation
++    tempstr = OPENSSL_zalloc(keysizebytes+sizeof(WCHAR));
+ 
+     if (tempstr == NULL)
+         goto out;
+ 
+-    if (RegQueryValueEx(hkey, valuename,
+-                        NULL, &ktype, tempstr, &keysize) != ERROR_SUCCESS)
++    if (RegQueryValueExW(hkey, valuename,
++                        NULL, &ktype, (LPBYTE)tempstr, &keysizebytes) != ERROR_SUCCESS)
+         goto out;
+ 
+-    if (!WideCharToMultiByte(CP_UTF8, 0, tempstr, -1, dst, keysize,
+-                             NULL, NULL)) 
++    if (!WideCharToMultiByte(CP_UTF8, 0, tempstr, -1, dst, dstsizebytes,
++                             NULL, NULL))
+         goto out;
+ 
+     retval = dst;
+@@ -117,9 +119,9 @@ static CRYPTO_ONCE defaults_setup_init = CRYPTO_ONCE_STATIC_INIT;
+  */
+ DEFINE_RUN_ONCE_STATIC(do_defaults_setup)
+ {
+-    get_windows_regdirs(openssldir, TEXT("OPENSSLDIR"));
+-    get_windows_regdirs(enginesdir, TEXT("ENGINESDIR"));
+-    get_windows_regdirs(modulesdir, TEXT("MODULESDIR"));
++    get_windows_regdirs(openssldir, sizeof(openssldir), L"OPENSSLDIR");
++    get_windows_regdirs(enginesdir, sizeof(enginesdir), L"ENGINESDIR");
++    get_windows_regdirs(modulesdir, sizeof(modulesdir), L"MODULESDIR");
+ 
+     /*
+      * Set our pointers only if the directories are fetched properly
+-- 
+2.34.1
+
diff --git a/config/software/openssl3.rb b/config/software/openssl3.rb
@@ -10,7 +10,7 @@
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
+# See the License for the specific language governing permissions andopenssl
 # limitations under the License.
 #
 
@@ -23,7 +23,7 @@
 dependency "zlib"
 dependency "cacerts"
 
-default_version "3.3.2"
+default_version "3.4.0"
 
 source url: "https://www.openssl.org/source/openssl-#{version}.tar.gz", extract: :lax_tar
 
@@ -37,10 +37,12 @@
 version("3.3.0") { source sha256: "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02" }
 version("3.3.1") { source sha256: "777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e" }
 version("3.3.2") { source sha256: "2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281" }
+version("3.4.0") { source sha256: "e15dda82fe2fe8139dc2ac21a36d4ca01d5313c75f99f46c4e8a27709b7294bf" }
 
 relative_path "openssl-#{version}"
 
 build do
+  patch source: "0001-fix-preprocessor-concatenation.patch"
 
   env = with_standard_compiler_flags(with_embedded_path)
   if windows?
@@ -79,6 +81,11 @@
 
   if windows?
     configure_args << "zlib-dynamic"
+    if ENV['AGENT_FLAVOR'] == "fips"
+      configure_args << '--openssldir="C:/Program Files/Datadog/Datadog Agent/embedded3/ssl"'
+      # Provide a context name for our configuration through the registry
+      configure_args << "-DOSSL_WINCTX=datadog-fips-agent"
+    end
   else
     configure_args << "zlib"
   end
