Upgrade openssl 1.1.1m and fix crash with new openssl version (#453)

Fixes #452, IB-7265

Signed-off-by: Raul Metsma <[email protected]>

Author: metsma

.github/workflows/build.yml

@@ -165,7 +165,7 @@ jobs:
           "zlib:x64-windows-v${{ matrix.toolset }}"
           "boost-test:x86-windows-v${{ matrix.toolset }}"
           "boost-test:x64-windows-v${{ matrix.toolset }}"
-        vcpkgGitCommitId: 30465138ef7facf1d4c1aa8a06dd62ceb71cc2eb
+        vcpkgGitCommitId: 291b84e651bc21d90088394139097f9a5396cc00
     - name: Install dependencies
       run: choco install doxygen.install swig -y > $null
     - name: Build xsd

build-library.sh

@@ -8,11 +8,11 @@ if [ "$#" -eq 0 ]; then
   echo "  target: osx ios iossimulator androidarm androidarm64 androidx86 androidx86_64"
   echo "To control iOS, macOS builds set environment variables:"
   echo " minimum deployment target"
-  echo " - MACOSX_DEPLOYMENT_TARGET=10.11"
-  echo " - IPHONEOS_DEPLOYMENT_TARGET=9.0"
+  echo " - MACOSX_DEPLOYMENT_TARGET=10.14"
+  echo " - IPHONEOS_DEPLOYMENT_TARGET=12.0"
   echo " archs to build on macOS/iOS"
   echo " - ARCHS=\"x86_64 arm64\" (macOS)"
-  echo " - ARCHS=\"armv7 arm64\" (iOS)"
+  echo " - ARCHS=\"arm64\" (iOS)"
   echo " - ARCHS=\"x86_64\" (iPhoneSimulator)"
   exit
 fi
@@ -59,11 +59,11 @@ case "$@" in
   *)
     echo "Building for iOS"
     TARGET=iphoneos
-    : ${ARCHS:="armv7 arm64"}
+    : ${ARCHS:="arm64"}
     ;;
   esac
   TARGET_PATH=/Library/libdigidocpp.${TARGET}
-  : ${IPHONEOS_DEPLOYMENT_TARGET:="9.0"}
+  : ${IPHONEOS_DEPLOYMENT_TARGET:="12.0"}
   export IPHONEOS_DEPLOYMENT_TARGET
   CMAKEARGS="
     -DCMAKE_C_COMPILER_WORKS=yes \
@@ -83,7 +83,7 @@ case "$@" in
   TARGET=macOS
   TARGET_PATH=/Library/libdigidocpp
   : ${ARCHS:="x86_64 arm64"}
-  : ${MACOSX_DEPLOYMENT_TARGET:="10.13"}
+  : ${MACOSX_DEPLOYMENT_TARGET:="10.14"}
   export MACOSX_DEPLOYMENT_TARGET
 esac
 

prepare_osx_build_environment.sh

@@ -5,7 +5,7 @@ XERCES_DIR=xerces-c-3.2.3
 XALAN_DIR=xalan_c-1.12
 XMLSEC_DIR=xml-security-c-2.0.4
 XSD=xsd-4.0.0-i686-macosx
-OPENSSL_DIR=openssl-1.1.1l
+OPENSSL_DIR=openssl-1.1.1m
 LIBXML2_DIR=libxml2-2.9.10
 ANDROID_NDK=android-ndk-r21e
 FREETYPE_DIR=freetype-2.10.1
@@ -77,7 +77,7 @@ case "$@" in
   CONFIGURE="--host=arm-apple-darwin --enable-static --disable-shared --disable-dependency-tracking"
   SYSROOT=$(xcrun -sdk iphonesimulator --show-sdk-path)
   : ${ARCHS:="x86_64"}
-  : ${IPHONEOS_DEPLOYMENT_TARGET:="9.0"}
+  : ${IPHONEOS_DEPLOYMENT_TARGET:="12.0"}
   export IPHONEOS_DEPLOYMENT_TARGET
   export CFLAGS="-arch ${ARCHS// / -arch } -isysroot ${SYSROOT}"
   export CXXFLAGS="${CFLAGS} -std=gnu++11 -Wno-null-conversion"
@@ -87,8 +87,8 @@ case "$@" in
   TARGET_PATH=/Library/libdigidocpp.iphoneos
   CONFIGURE="--host=arm-apple-darwin --enable-static --disable-shared --disable-dependency-tracking"
   SYSROOT=$(xcrun -sdk iphoneos --show-sdk-path)
-  : ${ARCHS:="armv7 arm64"}
-  : ${IPHONEOS_DEPLOYMENT_TARGET:="9.0"}
+  : ${ARCHS:="arm64"}
+  : ${IPHONEOS_DEPLOYMENT_TARGET:="12.0"}
   export IPHONEOS_DEPLOYMENT_TARGET
   export CFLAGS="-arch ${ARCHS// / -arch } -isysroot ${SYSROOT}"
   export CXXFLAGS="${CFLAGS} -std=gnu++11 -Wno-null-conversion"
@@ -99,7 +99,7 @@ case "$@" in
   CONFIGURE="--disable-static --enable-shared --disable-dependency-tracking"
   SYSROOT=$(xcrun -sdk macosx --show-sdk-path)
   : ${ARCHS:="x86_64 arm64"}
-  : ${MACOSX_DEPLOYMENT_TARGET:="10.13"}
+  : ${MACOSX_DEPLOYMENT_TARGET:="10.14"}
   export MACOSX_DEPLOYMENT_TARGET
   export CFLAGS="-arch ${ARCHS// / -arch } "
   export CXXFLAGS="${CFLAGS} -std=gnu++11 -Wno-null-conversion"
@@ -433,10 +433,10 @@ case "$@" in
     echo "  tasks: xerces, xalan, openssl, xmlsec, xsd, all, help"
     echo "To control iOS, macOS builds set environment variables:"
     echo " minimum deployment target"
-    echo " - MACOSX_DEPLOYMENT_TARGET=10.11"
-    echo " - IPHONEOS_DEPLOYMENT_TARGET=9.0"
+    echo " - MACOSX_DEPLOYMENT_TARGET=10.14"
+    echo " - IPHONEOS_DEPLOYMENT_TARGET=12.0"
     echo " archs to build on iOS"
-    echo " - ARCHS=\"armv7 arm64\" (iOS)"
+    echo " - ARCHS=\"arm64\" (iOS)"
     echo " - ARCHS=\"x86_64\" (iPhoneSimulator)"
     ;;
 esac

src/crypto/TS.cpp

@@ -48,6 +48,7 @@ static void TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f)
 
 static void TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *hexstr, long len)
 {
+    OPENSSL_free(ctx->imprint);
     ctx->imprint = hexstr;
     ctx->imprint_len = unsigned(len);
 }
@@ -257,11 +258,10 @@ void TS::verify(const Digest &digest)
     {
         SCOPE(TS_VERIFY_CTX, ctx, TS_VERIFY_CTX_new());
         TS_VERIFY_CTX_set_flags(ctx.get(), TS_VFY_IMPRINT|TS_VFY_VERSION|TS_VFY_SIGNATURE);
-        TS_VERIFY_CTX_set_imprint(ctx.get(), data.data(), long(data.size()));
+        TS_VERIFY_CTX_set_imprint(ctx.get(),
+            (unsigned char*)OPENSSL_memdup(data.data(), data.size()), long(data.size()));
         TS_VERIFY_CTX_set_store(ctx.get(), store.release());
-        int err = TS_RESP_verify_token(ctx.get(), d.get());
-        TS_VERIFY_CTX_set_imprint(ctx.get(), nullptr, 0); //Avoid CRYPTO_free
-        if(err != 1)
+        if(TS_RESP_verify_token(ctx.get(), d.get()) != 1)
         {
             unsigned long err = ERR_get_error();
             if(ERR_GET_LIB(err) == ERR_LIB_TS && ERR_GET_REASON(err) == TS_R_CERTIFICATE_VERIFY_ERROR)