Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading.
The NonStop platform uses a proprietary mechanism for specifying DLL
locations.
CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes #14666
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14669)
Andrey Matyukov [Wed, 24 Mar 2021 07:05:29 +0000 (10:05 +0300)]
Increase minimum clang version requirement for rsaz-avx512.pl
The reason is that clang-6 does not enable proper -march flags by
default for assembly modules (rsaz-avx512.pl requires avx512ifma, avx512dq,
avx512vl, avx512f). This is not true for newer clang versions - clang-7 and
further work ok.
For older clang versions users who want to get optimization from this
file, we have a note in the OPENSSL_ia32cap.pod with the workaround that
proposes having a wrapper that forces using external assembler.
Fixes #14668: clang-6.0.0 build broken
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14671)
Nan Xiao [Sat, 27 Mar 2021 10:23:59 +0000 (18:23 +0800)]
Fix typos in bio.pod
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14706)
Pauli [Mon, 29 Mar 2021 01:19:33 +0000 (11:19 +1000)]
ssl: fix problem where MAC IDs were globally cached.
Instead, they should be cached per SSL_CTX.
This also addresses a threading issue where multiple attempts to write the
same location occur. The last one winning. Under 1.1.1, this wasn't an issue
but under 3.0 with library contexts, the results can and will be different.
Fixes #13456
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14715)
Richard Levitte [Mon, 29 Mar 2021 10:36:34 +0000 (12:36 +0200)]
Android config targets: don't include the SO version in the shlib file name
Reports say that the Android platform(s) don't have the SO version
number in the shared library file name. Reportedly, Android package
managers do complain that our shared libraries do include the SO
version number. That's easy enough to fix.
Fixes #14711
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14727)
Richard Levitte [Mon, 29 Mar 2021 10:23:40 +0000 (12:23 +0200)]
Unix build file template: symlink "simple" to "full" shlib selectively
On Unix-like platforms where the shared library comes in a form with
and a form without SO version number, the one without is symbolically
linked to the one with.
However, we have Unix-like platforms where we don't deal with SO
version numbers, and where the "simple" shlib thereby ends up being
symbolically linked to itself. A simple check of the two shlib file
names is enough to ensure that we only do the symbolic link when
actually necessary.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14726)
Add $(PERL) to util/wrap.pl execution to avoid env incompatibilities
Using /usr/bin/env on the NonStop ia64 and x86 platforms
causes a translation of - to -i as part of the implicit interpretation
by env of its arguments prior to handing off the arguments to perl.
This causes the FIPS module configuration to be written to a file
named -i instead of going to stdout.
CLA: Trivial
Fixes: #14612 Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14613)
Nan Xiao [Sat, 27 Mar 2021 09:56:35 +0000 (17:56 +0800)]
Fix typo in bio.h.in
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14705)
Sahana Prasad [Mon, 22 Mar 2021 10:04:45 +0000 (11:04 +0100)]
Allocates and initializes pubkey in X509_PUBKEY_dup()
Fixes #14617
Signed-off-by: Sahana Prasad <sahana@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)
Shane Lontis [Fri, 26 Mar 2021 03:47:39 +0000 (13:47 +1000)]
Fix Build issue on Oracle Linux x64
'typedef struct ecx_key_st ECX_KEY' was defined multiple times.
It is defined inside include/crypto/types.h which is included from include/crypto/ecx.h.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14693)
Tomas Mraz [Thu, 25 Mar 2021 13:57:16 +0000 (14:57 +0100)]
Make the SM2 group the default group for the SM2 algorithm
Fixes #14481
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14684)
Matt Caswell [Thu, 18 Mar 2021 16:52:10 +0000 (16:52 +0000)]
Ensure buffer/length pairs are always in sync
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.
On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.
This issue was introduced by c589c34e61 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).
Signed-off-by: Peter Kästle <peter.kaestle@nokia.com> Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
CVE-2021-3449
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 15:25:42 +0000 (15:25 +0000)]
Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
Andrey Matyukov [Tue, 23 Mar 2021 17:47:28 +0000 (20:47 +0300)]
Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered.
Fixes #14660: Windows linking error
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14665)
Juergen Christ [Mon, 22 Mar 2021 09:04:26 +0000 (10:04 +0100)]
Fix compilation under -Werror
With strict warnings and warnings as error, openssl currently does not compile
due to a missing include.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14640)
Matt Caswell [Mon, 22 Mar 2021 11:26:04 +0000 (11:26 +0000)]
Be more selective about copying libcrypto symbols into legacy.so
Some private libcrypto symbols are also included in legacy.so.
Unfortunately this included some files with "RUN_ONCE" functions and
global data. This doesn't get properly cleaned up when OpenSSL exits.
Therefore we are more selective about the symbols we include in legacy.so.
Fixes #13560
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14646)
Disable fips-securitychecks if no-fips is configured.
Fixes: #14629 Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14634)
Andrey Matyukov [Tue, 8 Dec 2020 19:53:39 +0000 (22:53 +0300)]
Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU frequency scaling issues.
The performance speedup for RSA2k signature on ICL is ~2x.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13750)
Shane Lontis [Thu, 18 Mar 2021 05:00:23 +0000 (15:00 +1000)]
Fix DER reading from stdin for BIO_f_readbuffer
Fixes #14559
The intitial implementation of the gets() function tried using the next bio's gets() function.
For a file BIO this returned incorrect data for binary data containing 0x00.
Just buffering all data during gets() did not work however since some
applications open and close the bio multiple times when dealing with pem
files containing multiple entries.. This does not work
when reading from stdin unless the data if buffered one byte at a time.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14599)
Richard Levitte [Sat, 20 Mar 2021 08:09:40 +0000 (09:09 +0100)]
ASN1: Reset the content dump flag after dumping
When encountering a badly coded item, the DER printer (ASN1_print_dump())
sets a flag to ensure that an additional hex dump of the offending content
is printed as part of the output. Unfortunately, this flag is never reset,
which means that all following items are printed with the extra hex dump,
whether they are faulty or not.
Resetting the flag after hex dumping ensures that only the faulty contents
are printed with the additional hex dump.
Fixes #14626
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14627)
projects / thirdparty / openssl.git / log
