upgrade bundled POCO C++ Libraries to 1.11.3

GiyeonBang · Jun 14, 2022 · 5c15444 · 5c15444
1 parent ef24ba0
commit 5c15444
Show file tree

Hide file tree

Showing 82 changed files with 16,521 additions and 4,481 deletions.
diff --git a/platform/Crypto/include/Poco/Crypto/Cipher.h b/platform/Crypto/include/Poco/Crypto/Cipher.h
@@ -93,7 +93,6 @@ class Crypto_API Cipher: public Poco::RefCountedObject
 		ENC_BINHEX       = 0x02, /// BinHex-encoded output
 		ENC_BASE64_NO_LF = 0x81, /// Base64-encoded output, no linefeeds
 		ENC_BINHEX_NO_LF = 0x82  /// BinHex-encoded output, no linefeeds
-
 	};
 
 	virtual ~Cipher();

diff --git a/platform/Crypto/include/Poco/Crypto/Crypto.h b/platform/Crypto/include/Poco/Crypto/Crypto.h
@@ -24,6 +24,15 @@
 #define POCO_EXTERNAL_OPENSSL_SLPRO 2
 
 
+//
+// Temporarily suppress deprecation warnings coming
+// from OpenSSL 3.0, until we have updated our code.
+//
+#if !defined(POCO_DONT_SUPPRESS_OPENSSL_DEPRECATED)
+#define OPENSSL_SUPPRESS_DEPRECATED
+#endif
+
+
 #include "Poco/Foundation.h"
 #include <openssl/opensslv.h>
 
@@ -39,6 +48,11 @@
 #endif
 
 
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#error "OpenSSL version too old. At least OpenSSL 1.0.0 is required."
+#endif
+
+
 enum RSAPaddingMode
 	/// The padding mode used for RSA public key encryption.
 {

diff --git a/platform/Crypto/include/Poco/Crypto/OpenSSLInitializer.h b/platform/Crypto/include/Poco/Crypto/OpenSSLInitializer.h
@@ -22,7 +22,9 @@
 #include "Poco/Mutex.h"
 #include "Poco/AtomicCounter.h"
 #include <openssl/crypto.h>
-
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/provider.h>
+#endif
 #if defined(OPENSSL_FIPS) && OPENSSL_VERSION_NUMBER < 0x010001000L
 #include <openssl/fips.h>
 #endif
@@ -50,38 +52,48 @@ class Crypto_API OpenSSLInitializer
 public:
 	OpenSSLInitializer();
 		/// Automatically initialize OpenSSL on startup.
-		
+
 	~OpenSSLInitializer();
 		/// Automatically shut down OpenSSL on exit.
-	
+
 	static void initialize();
 		/// Initializes the OpenSSL machinery.
 
 	static void uninitialize();
 		/// Shuts down the OpenSSL machinery.
 
 	static bool isFIPSEnabled();
-		// Returns true if FIPS mode is enabled, false otherwise.
+		/// Returns true if FIPS mode is enabled, false otherwise.
 
 	static void enableFIPSMode(bool enabled);
-		// Enable or disable FIPS mode. If FIPS is not available, this method doesn't do anything.
+		/// Enable or disable FIPS mode. If FIPS is not available, this method doesn't do anything.
 
 protected:
 	enum
 	{
 		SEEDSIZE = 256
 	};
-
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	// OpenSSL multithreading support
 	static void lock(int mode, int n, const char* file, int line);
 	static unsigned long id();
 	static struct CRYPTO_dynlock_value* dynlockCreate(const char* file, int line);
 	static void dynlock(int mode, struct CRYPTO_dynlock_value* lock, const char* file, int line);
 	static void dynlockDestroy(struct CRYPTO_dynlock_value* lock, const char* file, int line);
+#endif
 
 private:
-	static Poco::FastMutex* _mutexes;
 	static Poco::AtomicCounter _rc;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	static Poco::FastMutex* _mutexes;
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	static OSSL_PROVIDER* _defaultProvider;
+	static OSSL_PROVIDER* _legacyProvider;
+#endif
 };
 
 

diff --git a/platform/Crypto/src/CipherImpl.cpp b/platform/Crypto/src/CipherImpl.cpp
@@ -98,20 +98,22 @@ namespace
 	{
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 		_pContext = EVP_CIPHER_CTX_new();
-		EVP_CipherInit(
+		if (!_pContext) throwError();
+		int rc = EVP_CipherInit(
 			_pContext,
 			_pCipher,
 			&_key[0],
 			_iv.empty() ? 0 : &_iv[0],
 			(dir == DIR_ENCRYPT) ? 1 : 0);
 #else
-		EVP_CipherInit(
+		int rc = EVP_CipherInit(
 			&_context,
 			_pCipher,
 			&_key[0],
 			_iv.empty() ? 0 : &_iv[0],
 			(dir == DIR_ENCRYPT) ? 1 : 0);
 #endif
+		if (rc == 0) throwError();
 
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
 		if (_iv.size() != EVP_CIPHER_iv_length(_pCipher) && EVP_CIPHER_mode(_pCipher) == EVP_CIPH_GCM_MODE)

diff --git a/platform/Crypto/src/CipherKeyImpl.cpp b/platform/Crypto/src/CipherKeyImpl.cpp
@@ -21,6 +21,25 @@
 #include <openssl/evp.h>
 
 
+namespace
+{
+	void throwError()
+	{
+		unsigned long err;
+		std::string msg;
+
+		while ((err = ERR_get_error()))
+		{
+			if (!msg.empty())
+				msg.append("; ");
+			msg.append(ERR_error_string(err, 0));
+		}
+
+		throw Poco::IOException(msg);
+	}
+}
+
+
 namespace Poco {
 namespace Crypto {
 
@@ -186,6 +205,8 @@ void CipherKeyImpl::generateKey(
 		keyBytes,
 		ivBytes);
 
+	if (!keySize) throwError();
+
 	// Copy the buffers to our member byte vectors.
 	_key.assign(keyBytes, keyBytes + keySize);
 

diff --git a/platform/Crypto/src/ECKeyImpl.cpp b/platform/Crypto/src/ECKeyImpl.cpp
@@ -21,9 +21,7 @@
 #include "Poco/StreamCopier.h"
 #include <sstream>
 #include <openssl/evp.h>
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
 #include <openssl/bn.h>
-#endif
 
 
 namespace Poco {
@@ -78,8 +76,8 @@ ECKeyImpl::ECKeyImpl(int curve):
 }
 
 
-ECKeyImpl::ECKeyImpl(const std::string& publicKeyFile, 
-	const std::string& privateKeyFile, 
+ECKeyImpl::ECKeyImpl(const std::string& publicKeyFile,
+	const std::string& privateKeyFile,
 	const std::string& privateKeyPassphrase): KeyPairImpl("ec", KT_EC_IMPL), _pEC(0)
 {
 	if (EVPPKey::loadKey(&_pEC, PEM_read_PrivateKey, EVP_PKEY_get1_EC_KEY, privateKeyFile, privateKeyPassphrase))

diff --git a/platform/Crypto/src/OpenSSLInitializer.cpp b/platform/Crypto/src/OpenSSLInitializer.cpp
@@ -13,15 +13,16 @@
 
 
 #include "Poco/Crypto/OpenSSLInitializer.h"
+#include "Poco/Crypto/CryptoException.h"
 #include "Poco/RandomStream.h"
 #include "Poco/Thread.h"
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
-#if OPENSSL_VERSION_NUMBER >= 0x0907000L
 #include <openssl/conf.h>
-#endif
+
+
 #if defined(POCO_OS_FAMILY_WINDOWS)
 	#define POCO_STR_HELPER(x) #x
 	#define POCO_STR(x) POCO_STR_HELPER(x)
@@ -58,9 +59,17 @@ namespace Poco {
 namespace Crypto {
 
 
-Poco::FastMutex* OpenSSLInitializer::_mutexes(0);
 Poco::AtomicCounter OpenSSLInitializer::_rc;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+Poco::FastMutex* OpenSSLInitializer::_mutexes(0);
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+OSSL_PROVIDER* OpenSSLInitializer::_defaultProvider(0);
+OSSL_PROVIDER* OpenSSLInitializer::_legacyProvider(0);
+#endif
+
 
 OpenSSLInitializer::OpenSSLInitializer()
 {
@@ -87,18 +96,15 @@ void OpenSSLInitializer::initialize()
 	{
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 		CONF_modules_load(NULL, NULL, 0);
-#elif OPENSSL_VERSION_NUMBER >= 0x0907000L
+#else
 		OPENSSL_config(NULL);
 #endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		SSL_library_init();
 		SSL_load_error_strings();
 		OpenSSL_add_all_algorithms();
-
-		char seed[SEEDSIZE];
-		RandomInputStream rnd;
-		rnd.read(seed, sizeof(seed));
-		RAND_seed(seed, SEEDSIZE);
-
+
 		int nMutexes = CRYPTO_num_locks();
 		_mutexes = new Poco::FastMutex[nMutexes];
 		CRYPTO_set_locking_callback(&OpenSSLInitializer::lock);
@@ -107,14 +113,33 @@ void OpenSSLInitializer::initialize()
 // https://sourceforge.net/p/poco/bugs/110/
 //
 // From http://www.openssl.org/docs/crypto/threads.html :
-// "If the application does not register such a callback using CRYPTO_THREADID_set_callback(), 
-//  then a default implementation is used - on Windows and BeOS this uses the system's 
+// "If the application does not register such a callback using CRYPTO_THREADID_set_callback(),
+//  then a default implementation is used - on Windows and BeOS this uses the system's
 //  default thread identifying APIs"
 		CRYPTO_set_id_callback(&OpenSSLInitializer::id);
 #endif
 		CRYPTO_set_dynlock_create_callback(&OpenSSLInitializer::dynlockCreate);
 		CRYPTO_set_dynlock_lock_callback(&OpenSSLInitializer::dynlock);
 		CRYPTO_set_dynlock_destroy_callback(&OpenSSLInitializer::dynlockDestroy);
+
+		char seed[SEEDSIZE];
+		RandomInputStream rnd;
+		rnd.read(seed, sizeof(seed));
+		RAND_seed(seed, SEEDSIZE);
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		if (!_defaultProvider)
+		{
+			_defaultProvider = OSSL_PROVIDER_load(NULL, "default");
+			if (!_defaultProvider) throw CryptoException("Failed to load OpenSSL default provider");
+		}
+		if (!_legacyProvider)
+		{
+			_legacyProvider = OSSL_PROVIDER_load(NULL, "legacy");
+			if (!_legacyProvider) throw CryptoException("Failed to load OpenSSL legacy provider");
+		}
+#endif
 	}
 }
 
@@ -123,19 +148,22 @@ void OpenSSLInitializer::uninitialize()
 {
 	if (--_rc == 0)
 	{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 		EVP_cleanup();
 		ERR_free_strings();
 		CRYPTO_set_locking_callback(0);
 #ifndef POCO_OS_FAMILY_WINDOWS
 		CRYPTO_set_id_callback(0);
 #endif
 		delete [] _mutexes;
-
-		CONF_modules_free();
+#endif
 	}
 }
 
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+
 void OpenSSLInitializer::lock(int mode, int n, const char* file, int line)
 {
 	if (mode & CRYPTO_LOCK)
@@ -177,6 +205,9 @@ void OpenSSLInitializer::dynlockDestroy(struct CRYPTO_dynlock_value* lock, const
 }
 
 
+#endif // OPENSSL_VERSION_NUMBER < 0x10100000L
+
+
 void initializeCrypto()
 {
 	OpenSSLInitializer::initialize();

diff --git a/platform/Crypto/src/PKCS12Container.cpp b/platform/Crypto/src/PKCS12Container.cpp
@@ -171,7 +171,15 @@ void PKCS12Container::load(PKCS12* pPKCS12, const std::string& password)
 				int certCount = sk_X509_num(pCA);
 				for (int i = 0; i < certCount; ++i)
 				{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
 					X509* pX509 = sk_X509_value(pCA, i);
+#else
+					// Cert order is reversed on OpenSSL < 3.
+ 					// https://github.com/openssl/openssl/issues/16421
+ 					// https://github.com/openssl/openssl/pull/12641
+ 					// https://github.com/jeroen/openssl/commit/f5eb85eb0fd432406a24abda6511c449eaee6162
+					X509* pX509 = sk_X509_value(pCA, certCount - i - 1);
+#endif
 					if (pX509)
 					{
 						_caCertList.push_back(X509Certificate(pX509, true));