From b20add0971b5106aee1b369d27727df28405b388 Mon Sep 17 00:00:00 2001 From: LiSijia Date: Tue, 14 Mar 2023 16:45:26 +0800 Subject: [PATCH 1/4] add CVE-2023-23841 --- cve/openssl/2021/CVE-2021-23841/.gitignore | 174 ++ .../2021/CVE-2021-23841/CVE-2021-23841.c | 231 ++ cve/openssl/2021/CVE-2021-23841/README.md | 83 + cve/openssl/2021/CVE-2021-23841/main.conf | 1894 +++++++++++++++++ cve/openssl/2021/yaml/CVE-2021-23841.yaml | 39 + openkylin_list.yaml | 1 + 6 files changed, 2422 insertions(+) create mode 100644 cve/openssl/2021/CVE-2021-23841/.gitignore create mode 100644 cve/openssl/2021/CVE-2021-23841/CVE-2021-23841.c create mode 100644 cve/openssl/2021/CVE-2021-23841/README.md create mode 100644 cve/openssl/2021/CVE-2021-23841/main.conf create mode 100644 cve/openssl/2021/yaml/CVE-2021-23841.yaml diff --git a/cve/openssl/2021/CVE-2021-23841/.gitignore b/cve/openssl/2021/CVE-2021-23841/.gitignore new file mode 100644 index 00000000..7324bda1 --- /dev/null +++ b/cve/openssl/2021/CVE-2021-23841/.gitignore @@ -0,0 +1,174 @@ +# Ignore editor artefacts +/.dir-locals.el + +# Top level excludes +/Makefile.orig +/MINFO +/TABLE +/*.a +/*.pc +/rehash.time +/inc.* +/makefile.* +/out.* +/tmp.* +/configdata.pm + +# *all* Makefiles +Makefile +# ... except in demos +!/demos/*/Makefile + +# Links under apps +/apps/CA.pl +/apps/tsget +/apps/tsget.pl +/apps/md4.c + +# Auto generated headers +/crypto/buildinf.h +/apps/progs.h +/crypto/include/internal/*_conf.h +/openssl/include/opensslconf.h +/util/domd + +# Executables +/apps/openssl +/test/sha256t +/test/sha512t +/test/gost2814789t +/test/ssltest_old +/test/*test +/test/fips_aesavs +/test/fips_desmovs +/test/fips_dhvs +/test/fips_drbgvs +/test/fips_dssvs +/test/fips_ecdhvs +/test/fips_ecdsavs +/test/fips_rngvs +/test/fips_test_suite +/test/ssltest_old +/test/x509aux +/test/v3ext + +# Certain files that get created by tests on the fly +/test/test-runs +/test/buildtest_* + +# Fuzz stuff. +# Anything without an extension is an executable on Unix, so we keep files +# with extensions. And we keep the corpora subddir versioned as well. +# Anything more generic with extensions that should be ignored will be taken +# care of by general ignores for those extensions (*.o, *.obj, *.exe, ...) +/fuzz/* +!/fuzz/README* +!/fuzz/corpora +!/fuzz/*.* + +# Misc auto generated files +/include/openssl/opensslconf.h +/tools/c_rehash +/tools/c_rehash.pl +/util/shlib_wrap.sh +/tags +/TAGS +/crypto.map +/ssl.map + +# Windows (legacy) +/tmp32 +/tmp32.dbg +/tmp32dll +/tmp32dll.dbg +/out32 +/out32.dbg +/out32dll +/out32dll.dbg +/inc32 +/MINFO +/ms/.rnd +/ms/bcb.mak +/ms/libeay32.def +/ms/nt.mak +/ms/ntdll.mak +/ms/ssleay32.def +/ms/version32.rc + +# Files created on other branches that are not held in git, and are not +# needed on this branch +/include/openssl/asn1_mac.h +/include/openssl/des_old.h +/include/openssl/fips.h +/include/openssl/fips_rand.h +/include/openssl/krb5_asn.h +/include/openssl/kssl.h +/include/openssl/pq_compat.h +/include/openssl/ssl23.h +/include/openssl/tmdiff.h +/include/openssl/ui_compat.h +/test/fips_aesavs.c +/test/fips_desmovs.c +/test/fips_dsatest.c +/test/fips_dssvs.c +/test/fips_hmactest.c +/test/fips_randtest.c +/test/fips_rngvs.c +/test/fips_rsagtest.c +/test/fips_rsastest.c +/test/fips_rsavtest.c +/test/fips_shatest.c +/test/fips_test_suite.c +/test/shatest.c + +##### Generic patterns +# Auto generated assembly language source files +*.s +!/crypto/*/asm/*.s +/crypto/arm*.S +/crypto/*/*.S +*.asm +!/crypto/*/asm/*.asm + +# Object files +*.o +*.obj + +# editor artefacts +*.swp +.#* +\#*# +*~ + +# Certificate symbolic links +*.0 + +# All kinds of executables +*.so +*.so.* +*.dylib +*.dylib.* +*.dll +*.dll.* +*.exe +*.pyc +*.exp +*.lib +*.pdb +*.ilk +*.def +*.rc +*.res + +# Misc generated stuff +Makefile.save +/crypto/**/lib +/engines/**/lib +/ssl/**/lib +*.bak +cscope.* +*.d +pod2htmd.tmp + +# Windows manifest files +*.manifest diff --git a/cve/openssl/2021/CVE-2021-23841/CVE-2021-23841.c b/cve/openssl/2021/CVE-2021-23841/CVE-2021-23841.c new file mode 100644 index 00000000..2c20d6d7 --- /dev/null +++ b/cve/openssl/2021/CVE-2021-23841/CVE-2021-23841.c @@ -0,0 +1,231 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include +#include +#include + +#include +#include +#include +#include + +#include "../e_os.h" + +static const char *progname; + +static void test_usage(void) +{ + fprintf(stderr, "usage: %s certfile\n", progname); +} + +static void print_errors(void) +{ + unsigned long err; + char buffer[1024]; + const char *file; + const char *data; + int line; + int flags; + + while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) { + ERR_error_string_n(err, buffer, sizeof(buffer)); + if (flags & ERR_TXT_STRING) + fprintf(stderr, "Error: %s:%s:%d:%s\n", buffer, file, line, data); + else + fprintf(stderr, "Error: %s:%s:%d\n", buffer, file, line); + } +} + +static int test_certs(BIO *fp) +{ + int count; + char *name = 0; + char *header = 0; + unsigned char *data = 0; + long len; + typedef X509 *(*d2i_X509_t)(X509 **, const unsigned char **, long); + typedef int (*i2d_X509_t)(X509 *, unsigned char **); + int err = 0; + + for (count = 0; + !err && PEM_read_bio(fp, &name, &header, &data, &len); + ++count) { + int trusted = strcmp(name, PEM_STRING_X509_TRUSTED) == 0; + d2i_X509_t d2i = trusted ? d2i_X509_AUX : d2i_X509; + i2d_X509_t i2d = trusted ? i2d_X509_AUX : i2d_X509; + X509 *cert = NULL; + const unsigned char *p = data; + unsigned char *buf = NULL; + unsigned char *bufp; + long enclen; + + if (!trusted + && strcmp(name, PEM_STRING_X509) != 0 + && strcmp(name, PEM_STRING_X509_OLD) != 0) { + fprintf(stderr, "unexpected PEM object: %s\n", name); + err = 1; + goto next; + } + cert = d2i(NULL, &p, len); + + if (cert == NULL || (p - data) != len) { + fprintf(stderr, "error parsing input %s\n", name); + err = 1; + goto next; + } + + /* Test traditional 2-pass encoding into caller allocated buffer */ + enclen = i2d(cert, NULL); + if (len != enclen) { + fprintf(stderr, "encoded length %ld of %s != input length %ld\n", + enclen, name, len); + err = 1; + goto next; + } + if ((buf = bufp = OPENSSL_malloc(len)) == NULL) { + perror("malloc"); + err = 1; + goto next; + } + enclen = i2d(cert, &bufp); + if (len != enclen) { + fprintf(stderr, "encoded length %ld of %s != input length %ld\n", + enclen, name, len); + err = 1; + goto next; + } + enclen = (long) (bufp - buf); + if (enclen != len) { + fprintf(stderr, "unexpected buffer position after encoding %s\n", + name); + err = 1; + goto next; + } + if (memcmp(buf, data, len) != 0) { + fprintf(stderr, "encoded content of %s does not match input\n", + name); + err = 1; + goto next; + } + OPENSSL_free(buf); + buf = NULL; + + /* Test 1-pass encoding into library allocated buffer */ + enclen = i2d(cert, &buf); + if (len != enclen) { + fprintf(stderr, "encoded length %ld of %s != input length %ld\n", + enclen, name, len); + err = 1; + goto next; + } + if (memcmp(buf, data, len) != 0) { + fprintf(stderr, "encoded content of %s does not match input\n", + name); + err = 1; + goto next; + } + + if (trusted) { + /* Encode just the cert and compare with initial encoding */ + OPENSSL_free(buf); + buf = NULL; + + /* Test 1-pass encoding into library allocated buffer */ + enclen = i2d(cert, &buf); + if (enclen > len) { + fprintf(stderr, "encoded length %ld of %s > input length %ld\n", + enclen, name, len); + err = 1; + goto next; + } + if (memcmp(buf, data, enclen) != 0) { + fprintf(stderr, "encoded cert content does not match input\n"); + err = 1; + goto next; + } + } + + /* + * If any of these were null, PEM_read() would have failed. + */ + next: + X509_free(cert); + OPENSSL_free(buf); + OPENSSL_free(name); + OPENSSL_free(header); + OPENSSL_free(data); + } + + if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { + /* Reached end of PEM file */ + if (count > 0) { + ERR_clear_error(); + return 1; + } + } + + /* Some other PEM read error */ + print_errors(); + return 0; +} + +int main(int argc, char *argv[]) +{ + BIO *bio_err; + const char *p; + int ret = 1; + + progname = argv[0]; + if (argc < 2) { + test_usage(); + EXIT(ret); + } + + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); + + p = getenv("OPENSSL_DEBUG_MEMORY"); + if (p != NULL && strcmp(p, "on") == 0) + CRYPTO_set_mem_debug(1); + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + + argc--; + argv++; + + while (argc >= 1) { + BIO *f = BIO_new_file(*argv, "r"); + int ok; + + if (f == NULL) { + fprintf(stderr, "%s: Error opening cert file: '%s': %s\n", + progname, *argv, strerror(errno)); + EXIT(ret); + } + ret = !(ok = test_certs(f)); + BIO_free(f); + + if (!ok) { + printf("%s ERROR\n", *argv); + ret = 1; + break; + } + printf("%s OK\n", *argv); + + argc--; + argv++; + } + +#ifndef OPENSSL_NO_CRYPTO_MDEBUG + if (CRYPTO_mem_leaks(bio_err) <= 0) + ret = 1; +#endif + BIO_free(bio_err); + EXIT(ret); +} diff --git a/cve/openssl/2021/CVE-2021-23841/README.md b/cve/openssl/2021/CVE-2021-23841/README.md new file mode 100644 index 00000000..c87f979f --- /dev/null +++ b/cve/openssl/2021/CVE-2021-23841/README.md @@ -0,0 +1,83 @@ +# CVE-2021-23841 + -------- +The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). + +## DESCRIPTION + -------- +The OpenSSL Project is a collaborative effort to develop a robust, + commercial-grade, fully featured, and Open Source toolkit implementing the + Transport Layer Security (TLS) protocols (including SSLv3) as well as a + full-strength general purpose cryptographic library. + + OpenSSL is descended from the SSLeay library developed by Eric A. Young + and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the + OpenSSL license plus the SSLeay license), which means that you are free to + get and use it for commercial and non-commercial purposes as long as you + fulfill the conditions of both licenses. + +## OVERVIEW + -------- + The OpenSSL toolkit includes: + + libssl (with platform specific naming): + Provides the client and server-side implementations for SSLv3 and TLS. + + libcrypto (with platform specific naming): + Provides general cryptographic and X.509 support needed by SSL/TLS but + not logically part of it. + + openssl: + A command line tool that can be used for: + Creation of key parameters + Creation of X.509 certificates, CSRs and CRLs + Calculation of message digests + Encryption and decryption + SSL/TLS client and server tests + Handling of S/MIME signed or encrypted mail + And more... +## INSTALLATION + ------------ + + See the appropriate file: + INSTALL Linux, Unix, Windows, OpenVMS, ... + NOTES.* INSTALL addendums for different platforms + + ## SUPPORT + ------- + + See the OpenSSL website www.openssl.org for details on how to obtain + commercial technical support. Free community support is available through the + openssl-users email list (see + https://www.openssl.org/community/mailinglists.html for further details). + + If you have any problems with OpenSSL then please take the following steps + first: + + - Download the latest version from the repository + to see if the problem has already been addressed + - Configure with no-asm + - Remove compiler optimisation flags + + If you wish to report a bug then please include the following information + and create an issue on GitHub: + + - OpenSSL version: output of 'openssl version -a' + - Any "Configure" options that you selected during compilation of the + library if applicable (see INSTALL) + - OS Name, Version, Hardware platform + - Compiler Details (name, version) + - Application Details (name, version) + - Problem Description (steps that will reproduce the problem, if known) + - Stack Traceback (if the application dumps core) + + Just because something doesn't work the way you expect does not mean it + is necessarily a bug in OpenSSL. Use the openssl-users email list for this type + of query. + + ## LEGALITIES + ---------- + + A number of nations restrict the use or export of cryptography. If you + are potentially subject to such restrictions you should seek competent + professional legal advice before attempting to develop or distribute + cryptographic code. \ No newline at end of file diff --git a/cve/openssl/2021/CVE-2021-23841/main.conf b/cve/openssl/2021/CVE-2021-23841/main.conf new file mode 100644 index 00000000..39b89e7e --- /dev/null +++ b/cve/openssl/2021/CVE-2021-23841/main.conf @@ -0,0 +1,1894 @@ +## -*- mode: perl; -*- +## Standard openssl configuration targets. + +# Helper functions for the Windows configs +my $vc_win64a_info = {}; +sub vc_win64a_info { + unless (%$vc_win64a_info) { + if (`nasm -v 2>NUL` =~ /NASM version ([0-9]+\.[0-9]+)/ && $1 >= 2.0) { + $vc_win64a_info = { as => "nasm", + asflags => "-f win64 -DNEAR -Ox -g", + asoutflag => "-o" }; + } elsif ($disabled{asm}) { + $vc_win64a_info = { as => "ml64", + asflags => "/c /Cp /Cx /Zi", + asoutflag => "/Fo" }; + } else { + $die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); + $vc_win64a_info = { as => "{unknown}", + asflags => "", + asoutflag => "" }; + } + } + return $vc_win64a_info; +} + +my $vc_win32_info = {}; +sub vc_win32_info { + unless (%$vc_win32_info) { + my $ver=`nasm -v 2>NUL`; + my $vew=`nasmw -v 2>NUL`; + if ($ver ne "" || $vew ne "") { + $vc_win32_info = { as => $ver ge $vew ? "nasm" : "nasmw", + asflags => "-f win32", + asoutflag => "-o", + perlasm_scheme => "win32n" }; + } elsif ($disabled{asm}) { + $vc_win32_info = { as => "ml", + asflags => "/nologo /Cp /coff /c /Cx /Zi", + asoutflag => "/Fo", + perlasm_scheme => "win32" }; + } else { + $die->("NASM not found - please read INSTALL and NOTES.WIN for further details\n"); + $vc_win32_info = { as => "{unknown}", + asflags => "", + asoutflag => "", + perlasm_scheme => "win32" }; + } + } + return $vc_win32_info; +} + +my $vc_wince_info = {}; +sub vc_wince_info { + unless (%$vc_wince_info) { + # sanity check + $die->('%OSVERSION% is not defined') if (!defined($ENV{'OSVERSION'})); + $die->('%PLATFORM% is not defined') if (!defined($ENV{'PLATFORM'})); + $die->('%TARGETCPU% is not defined') if (!defined($ENV{'TARGETCPU'})); + + # + # Idea behind this is to mimic flags set by eVC++ IDE... + # + my $wcevers = $ENV{'OSVERSION'}; # WCENNN + my $wcevernum; + my $wceverdotnum; + if ($wcevers =~ /^WCE([1-9])([0-9]{2})$/) { + $wcevernum = "$1$2"; + $wceverdotnum = "$1.$2"; + } else { + $die->('%OSVERSION% value is insane'); + $wcevernum = "{unknown}"; + $wceverdotnum = "{unknown}"; + } + my $wcecdefs = "-D_WIN32_WCE=$wcevernum -DUNDER_CE=$wcevernum"; # -D_WIN32_WCE=NNN + my $wcelflag = "/subsystem:windowsce,$wceverdotnum"; # ...,N.NN + + my $wceplatf = $ENV{'PLATFORM'}; + + $wceplatf =~ tr/a-z0-9 /A-Z0-9_/; + $wcecdefs .= " -DWCE_PLATFORM_$wceplatf"; + + my $wcetgt = $ENV{'TARGETCPU'}; # just shorter name... + SWITCH: for($wcetgt) { + /^X86/ && do { $wcecdefs.=" -Dx86 -D_X86_ -D_i386_ -Di_386_"; + $wcelflag.=" /machine:X86"; last; }; + /^ARMV4[IT]/ && do { $wcecdefs.=" -DARM -D_ARM_ -D$wcetgt"; + $wcecdefs.=" -DTHUMB -D_THUMB_" if($wcetgt=~/T$/); + $wcecdefs.=" -QRarch4T -QRinterwork-return"; + $wcelflag.=" /machine:THUMB"; last; }; + /^ARM/ && do { $wcecdefs.=" -DARM -D_ARM_ -D$wcetgt"; + $wcelflag.=" /machine:ARM"; last; }; + /^MIPSIV/ && do { $wcecdefs.=" -DMIPS -D_MIPS_ -DR4000 -D$wcetgt"; + $wcecdefs.=" -D_MIPS64 -QMmips4 -QMn32"; + $wcelflag.=" /machine:MIPSFPU"; last; }; + /^MIPS16/ && do { $wcecdefs.=" -DMIPS -D_MIPS_ -DR4000 -D$wcetgt"; + $wcecdefs.=" -DMIPSII -QMmips16"; + $wcelflag.=" /machine:MIPS16"; last; }; + /^MIPSII/ && do { $wcecdefs.=" -DMIPS -D_MIPS_ -DR4000 -D$wcetgt"; + $wcecdefs.=" -QMmips2"; + $wcelflag.=" /machine:MIPS"; last; }; + /^R4[0-9]{3}/ && do { $wcecdefs.=" -DMIPS -D_MIPS_ -DR4000"; + $wcelflag.=" /machine:MIPS"; last; }; + /^SH[0-9]/ && do { $wcecdefs.=" -D$wcetgt -D_${wcetgt}_ -DSHx"; + $wcecdefs.=" -Qsh4" if ($wcetgt =~ /^SH4/); + $wcelflag.=" /machine:$wcetgt"; last; }; + { $wcecdefs.=" -D$wcetgt -D_${wcetgt}_"; + $wcelflag.=" /machine:$wcetgt"; last; }; + } + + $vc_wince_info = { cflags => $wcecdefs, + lflags => $wcelflag }; + } + return $vc_wince_info; +} + +# Helper functions for the VMS configs +my $vms_info = {}; +sub vms_info { + unless (%$vms_info) { + my $pointer_size = shift; + my $pointer_size_str = $pointer_size == 0 ? "" : "$pointer_size"; + + $vms_info->{disable_warns} = [ ]; + $vms_info->{pointer_size} = $pointer_size_str; + if ($pointer_size == 64) { + `PIPE CC /NOCROSS_REFERENCE /NOLIST /NOOBJECT /WARNINGS = DISABLE = ( MAYLOSEDATA3, EMPTYFILE ) NL: 2> NL:`; + if ($? == 0) { + push @{$vms_info->{disable_warns}}, "MAYLOSEDATA3"; + } + } + + unless ($disabled{zlib}) { + my $default_zlib = 'GNV$LIBZSHR' . $pointer_size_str; + if (defined($disabled{"zlib-dynamic"})) { + $vms_info->{zlib} = $withargs{zlib_lib} || "$default_zlib/SHARE"; + } else { + $vms_info->{def_zlib} = $withargs{zlib_lib} || $default_zlib; + # In case the --with-zlib-lib value contains something like + # /SHARE or /LIB or so at the end, remove it. + $vms_info->{def_zlib} =~ s|/.*$||g; + } + } + } + return $vms_info; +} + +%targets = ( + +#### Basic configs that should work on any 32-bit box + "gcc" => { + cc => "gcc", + cflags => picker(debug => "-O0 -g", + release => "-O3"), + thread_scheme => "(unknown)", + bn_ops => "BN_LLONG", + }, + "cc" => { + cc => "cc", + cflags => "-O", + thread_scheme => "(unknown)", + }, + +#### VOS Configurations + "vos-gcc" => { + inherit_from => [ "BASE_unix" ], + cc => "gcc", + cflags => picker(default => "-Wall -DOPENSSL_SYS_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN", + debug => "-O0 -g", + release => "-O3"), + thread_scheme => "(unknown)", + sys_id => "VOS", + lflags => "-Wl,-map", + bn_ops => "BN_LLONG", + shared_extension => ".so", + }, + +#### Solaris configurations + "solaris-common" => { + inherit_from => [ "BASE_unix" ], + template => 1, + cflags => "-DFILIO_H", + ex_libs => add("-lsocket -lnsl -ldl"), + dso_scheme => "dlfcn", + thread_scheme => "pthreads", + shared_target => "solaris-shared", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, +#### Solaris x86 with GNU C setups + "solaris-x86-gcc" => { + # NB. GNU C has to be configured to use GNU assembler, and not + # /usr/ccs/bin/as. Failure to comply will result in compile + # failures [at least] in 32-bit build. + # [Above statement is in direct contradition with one below. + # Latter is kept, because it's formally inappropriate to + # modify compile flags in letter release.] + # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have + # to do it here because whenever GNU C instantiates an assembler + # template it surrounds it with #APP #NO_APP comment pair which + # (at least Solaris 7_x86) /usr/ccs/bin/as fails to assemble + # with "Illegal mnemonic" error message. + inherit_from => [ "solaris-common", asm("x86_elf_asm") ], + cc => "gcc", + cflags => add_before(picker(default => "-Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM", + debug => "-O0 -g", + release => "-O3 -fomit-frame-pointer"), + threads("-pthread")), + bn_ops => "BN_LLONG", + shared_cflag => "-fPIC", + shared_ldflag => "-shared -static-libgcc", + }, + "solaris64-x86_64-gcc" => { + # -shared -static-libgcc might appear controversial, but modules + # taken from static libgcc do not have relocations and linking + # them into our shared objects doesn't have any negative side + # effects. On the contrary, doing so makes it possible to use + # gcc shared build with Sun C. Given that gcc generates faster + # code [thanks to inline assembler], I would actually recommend + # to consider using gcc shared build even with vendor compiler:-) + # + inherit_from => [ "solaris-common", asm("x86_64_asm") ], + cc => "gcc", + cflags => add_before(picker(default => "-m64 -Wall -DL_ENDIAN", + debug => "-O0 -g", + release => "-O3"), + threads("-pthread")), + bn_ops => "SIXTY_FOUR_BIT_LONG", + perlasm_scheme => "elf", + shared_cflag => "-fPIC", + shared_ldflag => "-m64 -shared -static-libgcc", + multilib => "/64", + }, + +#### Solaris x86 with Sun C setups + # There used to be solaris-x86-cc target, but it was removed, + # primarily because vendor assembler can't assemble our modules + # with -KPIC flag. As result it, assembly support, was not even + # available as option. But its lack means lack of side-channel + # resistant code, which is incompatible with security by todays + # standards. Fortunately gcc is readily available prepackaged + # option, which we can firmly point at... + # + # On related note, solaris64-x86_64-cc target won't compile code + # paths utilizing AVX and post-Haswell instruction extensions. + # Consider switching to solaris64-x86_64-gcc even here... + # + "solaris64-x86_64-cc" => { + inherit_from => [ "solaris-common", asm("x86_64_asm") ], + cc => "cc", + cflags => add_before(picker(default => "-xarch=generic64 -xstrconst -Xa -DL_ENDIAN", + debug => "-g", + release => "-xO5 -xdepend -xbuiltin"), + threads("-D_REENTRANT")), + thread_scheme => "pthreads", + lflags => add("-xarch=generic64",threads("-mt")), + ex_libs => add(threads("-lpthread")), + bn_ops => "SIXTY_FOUR_BIT_LONG", + perlasm_scheme => "elf", + shared_cflag => "-KPIC", + shared_ldflag => "-xarch=generic64 -G -dy -z text", + multilib => "/64", + }, + +#### SPARC Solaris with GNU C setups + "solaris-sparcv7-gcc" => { + inherit_from => [ "solaris-common" ], + cc => "gcc", + cflags => add_before(picker(default => "-Wall -DB_ENDIAN -DBN_DIV2W", + debug => "-O0 -g", + release => "-O3"), + threads("-pthread")), + bn_ops => "BN_LLONG RC4_CHAR", + shared_cflag => "-fPIC", + shared_ldflag => "-shared", + }, + "solaris-sparcv8-gcc" => { + inherit_from => [ "solaris-sparcv7-gcc", asm("sparcv8_asm") ], + cflags => add_before("-mcpu=v8"), + }, + "solaris-sparcv9-gcc" => { + # -m32 should be safe to add as long as driver recognizes + # -mcpu=ultrasparc + inherit_from => [ "solaris-sparcv7-gcc", asm("sparcv9_asm") ], + cflags => add_before("-m32 -mcpu=ultrasparc"), + }, + "solaris64-sparcv9-gcc" => { + inherit_from => [ "solaris-sparcv9-gcc" ], + cflags => sub { my $f=join(" ",@_); $f =~ s/\-m32/-m64/; $f; }, + bn_ops => "BN_LLONG RC4_CHAR", + shared_ldflag => "-m64 -shared", + multilib => "/64", + }, + +#### SPARC Solaris with Sun C setups +# SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2. +# SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8 +# SC5.0 note: Compiler common patch 107357-01 or later is required! + "solaris-sparcv7-cc" => { + inherit_from => [ "solaris-common" ], + cc => "cc", + cflags => add_before(picker(default => "-xstrconst -Xa -DB_ENDIAN -DBN_DIV2W", + debug => "-g", + release => "-xO5 -xdepend"), + threads("-D_REENTRANT")), + lflags => add(threads("-mt")), + ex_libs => add(threads("-lpthread")), + bn_ops => "BN_LLONG RC4_CHAR", + shared_cflag => "-KPIC", + shared_ldflag => "-G -dy -z text", + }, +#### + "solaris-sparcv8-cc" => { + inherit_from => [ "solaris-sparcv7-cc", asm("sparcv8_asm") ], + cflags => add_before("-xarch=v8"), + }, + "solaris-sparcv9-cc" => { + inherit_from => [ "solaris-sparcv7-cc", asm("sparcv9_asm") ], + cflags => add_before("-xarch=v8plus"), + }, + "solaris64-sparcv9-cc" => { + inherit_from => [ "solaris-sparcv7-cc", asm("sparcv9_asm") ], + cflags => add_before("-xarch=v9"), + lflags => add_before("-xarch=v9"), + bn_ops => "BN_LLONG RC4_CHAR", + shared_ldflag => "-xarch=v9 -G -dy -z text", + multilib => "/64", + }, + +#### IRIX 6.x configs +# Only N32 and N64 ABIs are supported. + "irix-mips3-gcc" => { + inherit_from => [ "BASE_unix", asm("mips64_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-mabi=n32 -DB_ENDIAN -DBN_DIV3W", + debug => "-g -O0", + release => "-O3"), + threads("-D_SGI_MP_SOURCE")), + ex_libs => add(threads("-lpthread")), + bn_ops => "RC4_CHAR SIXTY_FOUR_BIT", + thread_scheme => "pthreads", + perlasm_scheme => "n32", + dso_scheme => "dlfcn", + shared_target => "irix-shared", + shared_ldflag => "-mabi=n32", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "32", + }, + "irix-mips3-cc" => { + inherit_from => [ "BASE_unix", asm("mips64_asm") ], + cc => "cc", + cflags => combine(picker(default => "-n32 -mips3 -use_readonly_const -G0 -rdata_shared -DB_ENDIAN -DBN_DIV3W", + debug => "-g -O0", + release => "-O2"), + threads("-D_SGI_MP_SOURCE")), + ex_libs => add(threads("-lpthread")), + bn_ops => "RC4_CHAR SIXTY_FOUR_BIT", + thread_scheme => "pthreads", + perlasm_scheme => "n32", + dso_scheme => "dlfcn", + shared_target => "irix-shared", + shared_ldflag => "-n32", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "32", + }, + # N64 ABI builds. + "irix64-mips4-gcc" => { + inherit_from => [ "BASE_unix", asm("mips64_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-mabi=64 -mips4 -DB_ENDIAN -DBN_DIV3W", + debug => "-g -O0", + release => "-O3"), + threads("-D_SGI_MP_SOURCE")), + ex_libs => add(threads("-lpthread")), + bn_ops => "RC4_CHAR SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthreads", + perlasm_scheme => "64", + dso_scheme => "dlfcn", + shared_target => "irix-shared", + shared_ldflag => "-mabi=64", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "64", + }, + "irix64-mips4-cc" => { + inherit_from => [ "BASE_unix", asm("mips64_asm") ], + cc => "cc", + cflags => combine(picker(default => "-64 -mips4 -use_readonly_const -G0 -rdata_shared -DB_ENDIAN -DBN_DIV3W", + debug => "-g -O0", + release => "-O2"), + threads("-D_SGI_MP_SOURCE")), + ex_libs => add(threads("-lpthread")), + bn_ops => "RC4_CHAR SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthreads", + perlasm_scheme => "64", + dso_scheme => "dlfcn", + shared_target => "irix-shared", + shared_ldflag => "-64", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "64", + }, + +#### Unified HP-UX ANSI C configs. +# Special notes: +# - Originally we were optimizing at +O4 level. It should be noted +# that the only difference between +O3 and +O4 is global inter- +# procedural analysis. As it has to be performed during the link +# stage the compiler leaves behind certain pseudo-code in lib*.a +# which might be release or even patch level specific. Generating +# the machine code for and analyzing the *whole* program appears +# to be *extremely* memory demanding while the performance gain is +# actually questionable. The situation is intensified by the default +# HP-UX data set size limit (infamous 'maxdsiz' tunable) of 64MB +# which is way too low for +O4. In other words, doesn't +O3 make +# more sense? +# - Keep in mind that the HP compiler by default generates code +# suitable for execution on the host you're currently compiling at. +# If the toolkit is meant to be used on various PA-RISC processors +# consider './Configure hpux-parisc-[g]cc +DAportable'. +# - -DMD32_XARRAY triggers workaround for compiler bug we ran into in +# 32-bit message digests. (For the moment of this writing) HP C +# doesn't seem to "digest" too many local variables (they make "him" +# chew forever:-). For more details look-up MD32_XARRAY comment in +# crypto/sha/sha_lcl.h. +# - originally there were 32-bit hpux-parisc2-* targets. They were +# scrapped, because a) they were not interchangeable with other 32-bit +# targets; b) performance-critical 32-bit assembly modules implement +# even PA-RISC 2.0-specific code paths, which are chosen at run-time, +# thus adequate performance is provided even with PA-RISC 1.1 build. +# + "hpux-parisc-gcc" => { + inherit_from => [ "BASE_unix" ], + cc => "gcc", + cflags => combine(picker(default => "-DB_ENDIAN -DBN_DIV2W", + debug => "-O0 -g", + release => "-O3"), + threads("-pthread")), + ex_libs => add("-Wl,+s -ldld"), + bn_ops => "BN_LLONG", + thread_scheme => "pthreads", + dso_scheme => "dl", + shared_target => "hpux-shared", + shared_cflag => "-fPIC", + shared_ldflag => "-shared", + shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + "hpux-parisc1_1-gcc" => { + inherit_from => [ "hpux-parisc-gcc", asm("parisc11_asm") ], + multilib => "/pa1.1", + }, + "hpux64-parisc2-gcc" => { + inherit_from => [ "BASE_unix", asm("parisc20_64_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-DB_ENDIAN", + debug => "-O0 -g", + release => "-O3"), + threads("-D_REENTRANT")), + ex_libs => add("-ldl"), + bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "hpux-shared", + shared_cflag => "-fpic", + shared_ldflag => "-shared", + shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "/pa20_64", + }, + + # More attempts at unified 10.X and 11.X targets for HP C compiler. + # + # Chris Ruemmler + # Kevin Steves + "hpux-parisc-cc" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => combine(picker(default => "+Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY", + debug => "+O0 +d -g", + release => "+O3"), + threads("-D_REENTRANT")), + ex_libs => add("-Wl,+s -ldld",threads("-lpthread")), + bn_ops => "RC4_CHAR", + thread_scheme => "pthreads", + dso_scheme => "dl", + shared_target => "hpux-shared", + shared_cflag => "+Z", + shared_ldflag => "-b", + shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + "hpux-parisc1_1-cc" => { + inherit_from => [ "hpux-parisc-cc", asm("parisc11_asm") ], + cflags => add_before("+DA1.1"), + multilib => "/pa1.1", + }, + "hpux64-parisc2-cc" => { + inherit_from => [ "BASE_unix", asm("parisc20_64_asm") ], + cc => "cc", + cflags => combine(picker(default => "+DD64 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY", + debug => "+O0 +d -g", + release => "+O3"), + threads("-D_REENTRANT")), + ex_libs => add("-ldl",threads("-lpthread")), + bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "hpux-shared", + shared_cflag => "+Z", + shared_ldflag => "+DD64 -b", + shared_extension => ".sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "/pa20_64", + }, + + # HP/UX IA-64 targets + "hpux-ia64-cc" => { + inherit_from => [ "BASE_unix", asm("ia64_asm") ], + cc => "cc", + cflags => combine(picker(default => "-Ae +DD32 +Olit=all -z -DB_ENDIAN", + debug => "+O0 +d -g", + release => "+O2"), + threads("-D_REENTRANT")), + ex_libs => add("-ldl",threads("-lpthread")), + bn_ops => "SIXTY_FOUR_BIT", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "hpux-shared", + shared_cflag => "+Z", + shared_ldflag => "+DD32 -b", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "/hpux32", + }, + # Frank Geurts has patiently assisted + # with debugging of the following config. + "hpux64-ia64-cc" => { + inherit_from => [ "BASE_unix", asm("ia64_asm") ], + cc => "cc", + cflags => combine(picker(default => "-Ae +DD64 +Olit=all -z -DB_ENDIAN", + debug => "+O0 +d -g", + release => "+O3"), + threads("-D_REENTRANT")), + ex_libs => add("-ldl", threads("-lpthread")), + bn_ops => "SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "hpux-shared", + shared_cflag => "+Z", + shared_ldflag => "+DD64 -b", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "/hpux64", + }, + # GCC builds... + "hpux-ia64-gcc" => { + inherit_from => [ "BASE_unix", asm("ia64_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-DB_ENDIAN", + debug => "-O0 -g", + release => "-O3"), + threads("-pthread")), + ex_libs => add("-ldl"), + bn_ops => "SIXTY_FOUR_BIT", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "hpux-shared", + shared_cflag => "-fpic", + shared_ldflag => "-shared", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "/hpux32", + }, + "hpux64-ia64-gcc" => { + inherit_from => [ "BASE_unix", asm("ia64_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-mlp64 -DB_ENDIAN", + debug => "-O0 -g", + release => "-O3"), + threads("-pthread")), + ex_libs => add("-ldl"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "hpux-shared", + shared_cflag => "-fpic", + shared_ldflag => "-mlp64 -shared", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + multilib => "/hpux64", + }, + +#### HP MPE/iX http://jazz.external.hp.com/src/openssl/ + "MPE/iX-gcc" => { + inherit_from => [ "BASE_unix" ], + cc => "gcc", + cflags => "-D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB", + sys_id => "MPE", + ex_libs => add("-L/SYSLOG/PUB -lsyslog -lsocket -lcurses"), + thread_scheme => "(unknown)", + bn_ops => "BN_LLONG", + }, + +#### DEC Alpha Tru64 targets. Tru64 is marketing name for OSF/1 version 4 +#### and forward. In reality 'uname -s' still returns "OSF1". Originally +#### there were even osf1-* configs targeting prior versions provided, +#### but not anymore... + "tru64-alpha-gcc" => { + inherit_from => [ "BASE_unix", asm("alpha_asm") ], + cc => "gcc", + cflags => combine("-std=c9x -D_XOPEN_SOURCE=500 -D_OSF_SOURCE -O3", + threads("-pthread")), + ex_libs => "-lrt", # for mlock(2) + bn_ops => "SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "alpha-osf1-shared", + shared_extension => ".so", + }, + "tru64-alpha-cc" => { + inherit_from => [ "BASE_unix", asm("alpha_asm") ], + cc => "cc", + cflags => combine("-std1 -D_XOPEN_SOURCE=500 -D_OSF_SOURCE -tune host -fast -readonly_strings", + threads("-pthread")), + ex_libs => "-lrt", # for mlock(2) + bn_ops => "SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "alpha-osf1-shared", + shared_ldflag => "-msym", + shared_extension => ".so", + }, + +#### +#### Variety of LINUX:-) +#### +# *-generic* is endian-neutral target, but ./config is free to +# throw in -D[BL]_ENDIAN, whichever appropriate... + "linux-generic32" => { + inherit_from => [ "BASE_unix" ], + cc => "gcc", + cflags => combine(picker(default => "-Wall", + debug => "-O0 -g", + release => "-O3"), + threads("-pthread")), + ex_libs => add("-ldl"), + bn_ops => "BN_LLONG RC4_CHAR", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "linux-shared", + shared_cflag => "-fPIC -DOPENSSL_USE_NODELETE", + shared_ldflag => "-Wl,-znodelete", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + "linux-generic64" => { + inherit_from => [ "linux-generic32" ], + bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", + }, + + "linux-ppc" => { + inherit_from => [ "linux-generic32", asm("ppc32_asm") ], + perlasm_scheme => "linux32", + }, + "linux-ppc64" => { + inherit_from => [ "linux-generic64", asm("ppc64_asm") ], + cflags => add("-m64 -DB_ENDIAN"), + perlasm_scheme => "linux64", + shared_ldflag => add("-m64"), + multilib => "64", + }, + "linux-ppc64le" => { + inherit_from => [ "linux-generic64", asm("ppc64_asm") ], + cflags => add("-m64 -DL_ENDIAN"), + perlasm_scheme => "linux64le", + shared_ldflag => add("-m64"), + }, + + "linux-armv4" => { + ################################################################ + # Note that -march is not among compiler options in linux-armv4 + # target description. Not specifying one is intentional to give + # you choice to: + # + # a) rely on your compiler default by not specifying one; + # b) specify your target platform explicitly for optimal + # performance, e.g. -march=armv6 or -march=armv7-a; + # c) build "universal" binary that targets *range* of platforms + # by specifying minimum and maximum supported architecture; + # + # As for c) option. It actually makes no sense to specify + # maximum to be less than ARMv7, because it's the least + # requirement for run-time switch between platform-specific + # code paths. And without run-time switch performance would be + # equivalent to one for minimum. Secondly, there are some + # natural limitations that you'd have to accept and respect. + # Most notably you can *not* build "universal" binary for + # big-endian platform. This is because ARMv7 processor always + # picks instructions in little-endian order. Another similar + # limitation is that -mthumb can't "cross" -march=armv6t2 + # boundary, because that's where it became Thumb-2. Well, this + # limitation is a bit artificial, because it's not really + # impossible, but it's deemed too tricky to support. And of + # course you have to be sure that your binutils are actually + # up to the task of handling maximum target platform. With all + # this in mind here is an example of how to configure + # "universal" build: + # + # ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 + # + inherit_from => [ "linux-generic32", asm("armv4_asm") ], + perlasm_scheme => "linux32", + }, + "linux-aarch64" => { + inherit_from => [ "linux-generic64", asm("aarch64_asm") ], + perlasm_scheme => "linux64", + }, + "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 + inherit_from => [ "linux-generic32", asm("aarch64_asm") ], + cflags => add("-mabi=ilp32"), + bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", + perlasm_scheme => "linux64", + shared_ldflag => add("-mabi=ilp32"), + }, + + "linux-mips32" => { + # Configure script adds minimally required -march for assembly + # support, if no -march was specified at command line. + inherit_from => [ "linux-generic32", asm("mips32_asm") ], + cflags => add("-mabi=32 -DBN_DIV3W"), + perlasm_scheme => "o32", + shared_ldflag => add("-mabi=32"), + }, + # mips32 and mips64 below refer to contemporary MIPS Architecture + # specifications, MIPS32 and MIPS64, rather than to kernel bitness. + "linux-mips64" => { + inherit_from => [ "linux-generic32", asm("mips64_asm") ], + cflags => add("-mabi=n32 -DBN_DIV3W"), + bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", + perlasm_scheme => "n32", + shared_ldflag => add("-mabi=n32"), + multilib => "32", + }, + "linux64-mips64" => { + inherit_from => [ "linux-generic64", asm("mips64_asm") ], + cflags => add("-mabi=64 -DBN_DIV3W"), + perlasm_scheme => "64", + shared_ldflag => add("-mabi=64"), + multilib => "64", + }, + + #### IA-32 targets... + #### These two targets are a bit aged and are to be used on older Linux + #### machines where gcc doesn't understand -m32 and -m64 + "linux-elf" => { + inherit_from => [ "linux-generic32", asm("x86_elf_asm") ], + cflags => add(picker(default => "-DL_ENDIAN", + release => "-fomit-frame-pointer")), + bn_ops => "BN_LLONG", + }, + "linux-aout" => { + inherit_from => [ "BASE_unix", asm("x86_asm") ], + cc => "gcc", + cflags => add(picker(default => "-DL_ENDIAN -Wall", + debug => "-O0 -g", + release => "-O3 -fomit-frame-pointer")), + bn_ops => "BN_LLONG", + thread_scheme => "(unknown)", + perlasm_scheme => "a.out", + }, + + #### X86 / X86_64 targets + "linux-x86" => { + inherit_from => [ "linux-generic32", asm("x86_asm") ], + cflags => add(picker(default => "-m32 -DL_ENDIAN", + release => "-fomit-frame-pointer")), + bn_ops => "BN_LLONG", + perlasm_scheme => "elf", + shared_ldflag => add("-m32"), + }, + "linux-x86-clang" => { + inherit_from => [ "linux-x86" ], + cc => "clang", + cxx => "clang++", + cflags => add("-Wextra -Qunused-arguments"), + }, + "linux-x86_64" => { + inherit_from => [ "linux-generic64", asm("x86_64_asm") ], + cflags => add("-m64 -DL_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + perlasm_scheme => "elf", + shared_ldflag => add("-m64"), + multilib => "64", + }, + "linux-x86_64-clang" => { + inherit_from => [ "linux-x86_64" ], + cc => "clang", + cflags => add("-Wextra -Qunused-arguments"), + }, + "linux-x32" => { + inherit_from => [ "linux-generic32", asm("x86_64_asm") ], + cflags => add("-mx32 -DL_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT", + perlasm_scheme => "elf32", + shared_ldflag => add("-mx32"), + multilib => "x32", + }, + + "linux-ia64" => { + inherit_from => [ "linux-generic64", asm("ia64_asm") ], + bn_ops => "SIXTY_FOUR_BIT_LONG", + }, + + "linux64-s390x" => { + inherit_from => [ "linux-generic64", asm("s390x_asm") ], + cflags => add("-m64 -DB_ENDIAN"), + perlasm_scheme => "64", + shared_ldflag => add("-m64"), + multilib => "64", + }, + "linux32-s390x" => { + #### So called "highgprs" target for z/Architecture CPUs + # "Highgprs" is kernel feature first implemented in Linux + # 2.6.32, see /proc/cpuinfo. The idea is to preserve most + # significant bits of general purpose registers not only + # upon 32-bit process context switch, but even on + # asynchronous signal delivery to such process. This makes + # it possible to deploy 64-bit instructions even in legacy + # application context and achieve better [or should we say + # adequate] performance. The build is binary compatible with + # linux-generic32, and the idea is to be able to install the + # resulting libcrypto.so alongside generic one, e.g. as + # /lib/highgprs/libcrypto.so.x.y, for ldconfig and run-time + # linker to autodiscover. Unfortunately it doesn't work just + # yet, because of couple of bugs in glibc + # sysdeps/s390/dl-procinfo.c affecting ldconfig and ld.so.1... + # + inherit_from => [ "linux-generic32", asm("s390x_asm") ], + cflags => add("-m31 -Wa,-mzarch -DB_ENDIAN"), + bn_asm_src => sub { my $r=join(" ",@_); $r=~s|asm/s390x\.S|bn_asm.c|; $r; }, + perlasm_scheme => "31", + shared_ldflag => add("-m31"), + multilib => "/highgprs", + }, + + #### SPARC Linux setups + # Ray Miller has + # patiently assisted with debugging of following two configs. + "linux-sparcv8" => { + inherit_from => [ "linux-generic32", asm("sparcv8_asm") ], + cflags => add("-mcpu=v8 -DB_ENDIAN -DBN_DIV2W"), + }, + "linux-sparcv9" => { + # it's a real mess with -mcpu=ultrasparc option under Linux, + # but -Wa,-Av8plus should do the trick no matter what. + inherit_from => [ "linux-generic32", asm("sparcv9_asm") ], + cflags => add("-m32 -mcpu=ultrasparc -Wa,-Av8plus -DB_ENDIAN -DBN_DIV2W"), + shared_ldflag => add("-m32"), + }, + "linux64-sparcv9" => { + # GCC 3.1 is a requirement + inherit_from => [ "linux-generic64", asm("sparcv9_asm") ], + cflags => add("-m64 -mcpu=ultrasparc -DB_ENDIAN"), + bn_ops => "BN_LLONG RC4_CHAR", + shared_ldflag => add("-m64"), + multilib => "64", + }, + + "linux-alpha-gcc" => { + inherit_from => [ "linux-generic64", asm("alpha_asm") ], + cflags => add("-DL_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + }, + "linux-c64xplus" => { + inherit_from => [ "BASE_unix" ], + # TI_CGT_C6000_7.3.x is a requirement + cc => "cl6x", + cflags => combine("--linux -ea=.s -eo=.o -mv6400+ -o2 -ox -ms -pden -DOPENSSL_SMALL_FOOTPRINT", + threads("-D_REENTRANT")), + bn_ops => "BN_LLONG", + cpuid_asm_src => "c64xpluscpuid.s", + bn_asm_src => "asm/bn-c64xplus.asm c64xplus-gf2m.s", + aes_asm_src => "aes-c64xplus.s aes_cbc.c aes-ctr.fake", + sha1_asm_src => "sha1-c64xplus.s sha256-c64xplus.s sha512-c64xplus.s", + rc4_asm_src => "rc4-c64xplus.s", + modes_asm_src => "ghash-c64xplus.s", + chacha_asm_src => "chacha-c64xplus.s", + poly1305_asm_src => "poly1305-c64xplus.s", + thread_scheme => "pthreads", + perlasm_scheme => "void", + dso_scheme => "dlfcn", + shared_target => "linux-shared", + shared_cflag => "--pic", + shared_ldflag => add("-z --sysv --shared"), + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + ranlib => "true", + }, + +#### Android: linux-* but without pointers to headers and libs. + # + # It takes pair of prior-set environment variables to make it work: + # + # CROSS_SYSROOT=/some/where/android-ndk-/platforms/android-/arch- + # CROSS_COMPILE= + # + # As well as PATH adjusted to cover ${CROSS_COMPILE}gcc and company. + # For example to compile for ICS and ARM with NDK 10d, you'd: + # + # ANDROID_NDK=/some/where/android-ndk-10d + # CROSS_SYSROOT=$ANDROID_NDK/platforms/android-14/arch-arm + # CROSS_COMPILE=arm-linux-adroideabi- + # PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.8/prebuild/linux-x86_64/bin + # + "android" => { + inherit_from => [ "linux-generic32" ], + # Special note about unconditional -fPIC and -pie. The underlying + # reason is that Lollipop refuses to run non-PIE. But what about + # older systems and NDKs? -fPIC was never problem, so the only + # concern is -pie. Older toolchains, e.g. r4, appear to handle it + # and binaries turn mostly functional. "Mostly" means that oldest + # Androids, such as Froyo, fail to handle executable, but newer + # systems are perfectly capable of executing binaries targeting + # Froyo. Keep in mind that in the nutshell Android builds are + # about JNI, i.e. shared libraries, not applications. + cflags => add(picker(default => "-mandroid -fPIC --sysroot=\$(CROSS_SYSROOT) -Wa,--noexecstack")), + bin_cflags => "-pie", + }, + "android-x86" => { + inherit_from => [ "android", asm("x86_asm") ], + cflags => add(picker(release => "-fomit-frame-pointer")), + bn_ops => "BN_LLONG", + perlasm_scheme => "android", + }, + ################################################################ + # Contemporary Android applications can provide multiple JNI + # providers in .apk, targeting multiple architectures. Among + # them there is "place" for two ARM flavours: generic eabi and + # armv7-a/hard-float. However, it should be noted that OpenSSL's + # ability to engage NEON is not constrained by ABI choice, nor + # is your ability to call OpenSSL from your application code + # compiled with floating-point ABI other than default 'soft'. + # [Latter thanks to __attribute__((pcs("aapcs"))) declaration.] + # This means that choice of ARM libraries you provide in .apk + # is driven by application needs. For example if application + # itself benefits from NEON or is floating-point intensive, then + # it might be appropriate to provide both libraries. Otherwise + # just generic eabi would do. But in latter case it would be + # appropriate to + # + # ./Configure android-armeabi -D__ARM_MAX_ARCH__=8 + # + # in order to build "universal" binary and allow OpenSSL take + # advantage of NEON when it's available. + # + "android-armeabi" => { + inherit_from => [ "android", asm("armv4_asm") ], + }, + "android-mips" => { + inherit_from => [ "android", asm("mips32_asm") ], + perlasm_scheme => "o32", + }, + + "android64" => { + inherit_from => [ "linux-generic64" ], + cflags => add(picker(default => "-mandroid -fPIC --sysroot=\$(CROSS_SYSROOT) -Wa,--noexecstack")), + bin_cflags => "-pie", + }, + "android64-aarch64" => { + inherit_from => [ "android64", asm("aarch64_asm") ], + perlasm_scheme => "linux64", + }, + +#### *BSD + "BSD-generic32" => { + # As for thread cflag. Idea is to maintain "collective" set of + # flags, which would cover all BSD flavors. -pthread applies + # to them all, but is treated differently. OpenBSD expands is + # as -D_POSIX_THREAD -lc_r, which is sufficient. FreeBSD 4.x + # expands it as -lc_r, which has to be accompanied by explicit + # -D_THREAD_SAFE and sometimes -D_REENTRANT. FreeBSD 5.x + # expands it as -lc_r, which seems to be sufficient? + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => combine(picker(default => "-Wall", + debug => "-O0 -g", + release => "-O3"), + threads("-pthread -D_THREAD_SAFE -D_REENTRANT")), + bn_ops => "BN_LLONG", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "bsd-gcc-shared", + shared_cflag => "-fPIC", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + "BSD-generic64" => { + inherit_from => [ "BSD-generic32" ], + bn_ops => "SIXTY_FOUR_BIT_LONG", + }, + + "BSD-x86" => { + inherit_from => [ "BSD-generic32", asm("x86_asm") ], + cflags => add(picker(default => "-DL_ENDIAN", + release => "-fomit-frame-pointer")), + bn_ops => "BN_LLONG", + shared_target => "bsd-shared", + perlasm_scheme => "a.out", + }, + "BSD-x86-elf" => { + inherit_from => [ "BSD-x86" ], + perlasm_scheme => "elf", + }, + + "BSD-sparcv8" => { + inherit_from => [ "BSD-generic32", asm("sparcv8_asm") ], + cflags => add("-mcpu=v8 -DB_ENDIAN"), + }, + "BSD-sparc64" => { + # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it + # simply *happens* to work around a compiler bug in gcc 3.3.3, + # triggered by RIPEMD160 code. + inherit_from => [ "BSD-generic64", asm("sparcv9_asm") ], + cflags => add("-DB_ENDIAN -DMD32_REG_T=int"), + bn_ops => "BN_LLONG", + }, + + "BSD-ia64" => { + inherit_from => [ "BSD-generic64", asm("ia64_asm") ], + cflags => add_before("-DL_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + }, + + "BSD-x86_64" => { + inherit_from => [ "BSD-generic64", asm("x86_64_asm") ], + cflags => add_before("-DL_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + perlasm_scheme => "elf", + }, + + "bsdi-elf-gcc" => { + inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], + cc => "gcc", + cflags => "-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -Wall", + ex_libs => add("-ldl"), + bn_ops => "BN_LLONG", + thread_scheme => "(unknown)", + dso_scheme => "dlfcn", + shared_target => "bsd-gcc-shared", + shared_cflag => "-fPIC", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + + "nextstep" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => "-O -Wall", + unistd => "", + bn_ops => "BN_LLONG", + thread_scheme => "(unknown)", + }, + "nextstep3.3" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => "-O3 -Wall", + unistd => "", + bn_ops => "BN_LLONG", + thread_scheme => "(unknown)", + }, + +# QNX + "qnx4" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => "-DL_ENDIAN -DTERMIO", + thread_scheme => "(unknown)", + }, + "QNX6" => { + inherit_from => [ "BASE_unix" ], + cc => "gcc", + ex_libs => add("-lsocket"), + dso_scheme => "dlfcn", + shared_target => "bsd-gcc-shared", + shared_cflag => "-fPIC", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + "QNX6-i386" => { + inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], + cc => "gcc", + cflags => "-DL_ENDIAN -O2 -Wall", + ex_libs => add("-lsocket"), + dso_scheme => "dlfcn", + shared_target => "bsd-gcc-shared", + shared_cflag => "-fPIC", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + +#### SCO/Caldera targets. +# +# Originally we had like unixware-*, unixware-*-pentium, unixware-*-p6, etc. +# Now we only have blended unixware-* as it's the only one used by ./config. +# If you want to optimize for particular microarchitecture, bypass ./config +# and './Configure unixware-7 -Kpentium_pro' or whatever appropriate. +# Note that not all targets include assembler support. Mostly because of +# lack of motivation to support out-of-date platforms with out-of-date +# compiler drivers and assemblers. Tim Rice has +# patiently assisted to debug most of it. +# +# UnixWare 2.0x fails destest with -O. + "unixware-2.0" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => combine("-DFILIO_H -DNO_STRINGS_H", + threads("-Kthread")), + ex_libs => add("-lsocket -lnsl -lresolv -lx"), + thread_scheme => "uithreads", + }, + "unixware-2.1" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => combine("-O -DFILIO_H", + threads("-Kthread")), + ex_libs => add("-lsocket -lnsl -lresolv -lx"), + thread_scheme => "uithreads", + }, + "unixware-7" => { + inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], + cc => "cc", + cflags => combine("-O -DFILIO_H -Kalloca", + threads("-Kthread")), + ex_libs => add("-lsocket -lnsl"), + thread_scheme => "uithreads", + bn_ops => "BN_LLONG", + perlasm_scheme => "elf-1", + dso_scheme => "dlfcn", + shared_target => "svr5-shared", + shared_cflag => "-Kpic", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + "unixware-7-gcc" => { + inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], + cc => "gcc", + cflags => combine("-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -Wall", + threads("-D_REENTRANT")), + ex_libs => add("-lsocket -lnsl"), + bn_ops => "BN_LLONG", + thread_scheme => "pthreads", + perlasm_scheme => "elf-1", + dso_scheme => "dlfcn", + shared_target => "gnu-shared", + shared_cflag => "-fPIC", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, +# SCO 5 - Ben Laurie says the -O breaks the SCO cc. + "sco5-cc" => { + inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], + cc => "cc", + cflags => "-belf", + ex_libs => add("-lsocket -lnsl"), + thread_scheme => "(unknown)", + perlasm_scheme => "elf-1", + dso_scheme => "dlfcn", + shared_target => "svr3-shared", + shared_cflag => "-Kpic", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + "sco5-gcc" => { + inherit_from => [ "BASE_unix", asm("x86_elf_asm") ], + cc => "gcc", + cflags => "-O3 -fomit-frame-pointer", + ex_libs => add("-lsocket -lnsl"), + bn_ops => "BN_LLONG", + thread_scheme => "(unknown)", + perlasm_scheme => "elf-1", + dso_scheme => "dlfcn", + shared_target => "svr3-shared", + shared_cflag => "-fPIC", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + +#### IBM's AIX. + # Below targets assume AIX >=5. Caveat lector. If you are accustomed + # to control compilation "bitness" by setting $OBJECT_MODE environment + # variable, then you should know that in OpenSSL case it's considered + # only in ./config. Once configured, build procedure remains "deaf" to + # current value of $OBJECT_MODE. + "aix-gcc" => { + inherit_from => [ "BASE_unix", asm("ppc32_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-DB_ENDIAN", + debug => "-O0 -g", + release => "-O"), + threads("-pthread")), + sys_id => "AIX", + bn_ops => "BN_LLONG RC4_CHAR", + thread_scheme => "pthreads", + perlasm_scheme => "aix32", + dso_scheme => "dlfcn", + shared_target => "aix-shared", + shared_ldflag => "-shared -static-libgcc -Wl,-G", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + arflags => "-X32", + }, + "aix64-gcc" => { + inherit_from => [ "BASE_unix", asm("ppc64_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-maix64 -DB_ENDIAN", + debug => "-O0 -g", + release => "-O"), + threads("-pthread")), + sys_id => "AIX", + bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", + thread_scheme => "pthreads", + perlasm_scheme => "aix64", + dso_scheme => "dlfcn", + shared_target => "aix-shared", + shared_ldflag => "-maix64 -shared -static-libgcc -Wl,-G", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + arflags => "-X64", + }, + "aix-cc" => { + inherit_from => [ "BASE_unix", asm("ppc32_asm") ], + cc => "cc", + cflags => combine(picker(default => "-q32 -DB_ENDIAN -qmaxmem=16384 -qro -qroconst", + debug => "-O0 -g", + release => "-O"), + threads("-qthreaded -D_THREAD_SAFE")), + sys_id => "AIX", + bn_ops => "BN_LLONG RC4_CHAR", + thread_scheme => "pthreads", + ex_libs => threads("-lpthreads"), + perlasm_scheme => "aix32", + dso_scheme => "dlfcn", + shared_target => "aix-shared", + shared_ldflag => "-q32 -G", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + arflags => "-X 32", + }, + "aix64-cc" => { + inherit_from => [ "BASE_unix", asm("ppc64_asm") ], + cc => "cc", + cflags => combine(picker(default => "-q64 -DB_ENDIAN -qmaxmem=16384 -qro -qroconst", + debug => "-O0 -g", + release => "-O"), + threads("-qthreaded -D_THREAD_SAFE")), + sys_id => "AIX", + bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", + thread_scheme => "pthreads", + ex_libs => threads("-lpthreads"), + perlasm_scheme => "aix64", + dso_scheme => "dlfcn", + shared_target => "aix-shared", + shared_ldflag => "-q64 -G", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + arflags => "-X 64", + }, + +# SIEMENS BS2000/OSD: an EBCDIC-based mainframe + "BS2000-OSD" => { + inherit_from => [ "BASE_unix" ], + cc => "c89", + cflags => "-O -XLLML -XLLMK -XL -DB_ENDIAN -DCHARSET_EBCDIC", + ex_libs => add("-lsocket -lnsl"), + bn_ops => "THIRTY_TWO_BIT RC4_CHAR", + thread_scheme => "(unknown)", + }, + +# OS/390 Unix an EBCDIC-based Unix system on IBM mainframe +# You need to compile using the c89.sh wrapper in the tools directory, because the +# IBM compiler does not like the -L switch after any object modules. +# + "OS390-Unix" => { + inherit_from => [ "BASE_unix" ], + cc => "c89.sh", + cflags => "-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H -D_ALL_SOURCE", + bn_ops => "THIRTY_TWO_BIT RC4_CHAR", + thread_scheme => "(unknown)", + }, + +#### Visual C targets +# +# Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64 +# +# Note about -wd4090, disable warning C4090. This warning returns false +# positives in some situations. Disabling it altogether masks both +# legitimate and false cases, but as we compile on multiple platforms, +# we rely on other compilers to catch legitimate cases. +# +# Also note that we force threads no matter what. Configuring "no-threads" +# is ignored. + "VC-common" => { + inherit_from => [ "BASE_Windows" ], + template => 1, + cc => "cl", + cflags => "-W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE", + defines => add(sub { my @defs = (); + unless ($disabled{"zlib-dynamic"}) { + my $zlib = + $withargs{zlib_lib} // "ZLIB1"; + push @defs, + quotify("perl", + 'LIBZ="' . $zlib . '"'); + } + return [ @defs ]; + }), + coutflag => "/Fo", + lib_cflags => add("/Zi /Fdossl_static"), + dso_cflags => "/Zi /Fddso", + bin_cflags => "/Zi /Fdapp", + lflags => add("/debug"), + shared_ldflag => "/dll", + shared_target => "win-shared", # meaningless except it gives Configure a hint + thread_scheme => "winthreads", + dso_scheme => "win32", + apps_aux_src => add("win32_init.c"), + }, + "VC-noCE-common" => { + inherit_from => [ "VC-common" ], + template => 1, + cflags => add(picker(default => "-DUNICODE -D_UNICODE", + debug => + sub { + ($disabled{shared} ? "" : "/MDd") + ." /Od -DDEBUG -D_DEBUG"; + }, + release => + sub { + ($disabled{shared} ? "" : "/MD") + ." /O2"; + })), + lib_cflags => add(sub { $disabled{shared} ? "/MT /Zl" : () }), + # Following might/should appears controversial, i.e. defining + # /MDd without evaluating $disabled{shared}. It works in + # non-shared build because static library is compiled with /Zl + # and bares no reference to specific RTL. And it works in + # shared build because multiple /MDd options are not prohibited. + # But why /MDd in static build? Well, basically this is just a + # reference point, which allows to catch eventual errors that + # would prevent those who want to wrap OpenSSL into own .DLL. + # Why not /MD in release build then? Well, some are likely to + # prefer [non-debug] openssl.exe to be free from Micorosoft RTL + # redistributable. + bin_cflags => add(picker(debug => "/MDd", + release => sub { $disabled{shared} ? "/MT" : () }, + )), + bin_lflags => add("/subsystem:console /opt:ref"), + ex_libs => add(sub { + my @ex_libs = (); + push @ex_libs, 'ws2_32.lib' unless $disabled{sock}; + push @ex_libs, 'gdi32.lib advapi32.lib crypt32.lib user32.lib'; + return join(" ", @ex_libs); + }), + }, + "VC-WIN64-common" => { + inherit_from => [ "VC-noCE-common" ], + template => 1, + ex_libs => add(sub { + my @ex_libs = (); + push @ex_libs, 'bufferoverflowu.lib' if (`cl 2>&1` =~ /14\.00\.4[0-9]{4}\./); + return join(" ", @_, @ex_libs); + }), + bn_ops => "SIXTY_FOUR_BIT EXPORT_VAR_AS_FN", + build_scheme => add("VC-W64", { separator => undef }), + }, + "VC-WIN64I" => { + inherit_from => [ "VC-WIN64-common", asm("ia64_asm"), + sub { $disabled{shared} ? () : "ia64_uplink" } ], + as => "ias", + asflags => "-d debug", + asoutflag => "-o", + sys_id => "WIN64I", + bn_asm_src => sub { return undef unless @_; + my $r=join(" ",@_); $r=~s|bn-ia64.s|bn_asm.c|; $r; }, + perlasm_scheme => "ias", + multilib => "-ia64", + }, + "VC-WIN64A" => { + inherit_from => [ "VC-WIN64-common", asm("x86_64_asm"), + sub { $disabled{shared} ? () : "x86_64_uplink" } ], + as => sub { vc_win64a_info()->{as} }, + asflags => sub { vc_win64a_info()->{asflags} }, + asoutflag => sub { vc_win64a_info()->{asoutflag} }, + sys_id => "WIN64A", + bn_asm_src => sub { return undef unless @_; + my $r=join(" ",@_); $r=~s|asm/x86_64-gcc|bn_asm|; $r; }, + perlasm_scheme => "auto", + multilib => "-x64", + }, + "VC-WIN32" => { + # x86 Win32 target defaults to ANSI API, if you want UNICODE, + # configure with 'perl Configure VC-WIN32 -DUNICODE -D_UNICODE' + inherit_from => [ "VC-noCE-common", asm("x86_asm"), + sub { $disabled{shared} ? () : "uplink_common" } ], + as => sub { vc_win32_info()->{as} }, + asflags => sub { vc_win32_info()->{asflags} }, + asoutflag => sub { vc_win32_info()->{asoutflag} }, + ex_libs => add(sub { + my @ex_libs = (); + # WIN32 UNICODE build gets linked with unicows.lib for + # backward compatibility with Win9x. + push @ex_libs, 'unicows.lib' + if (grep { $_ eq "UNICODE" } @user_defines); + return join(" ", @ex_libs, @_); + }), + sys_id => "WIN32", + bn_ops => "BN_LLONG EXPORT_VAR_AS_FN", + perlasm_scheme => sub { vc_win32_info()->{perlasm_scheme} }, + build_scheme => add("VC-W32", { separator => undef }), + }, + "VC-CE" => { + inherit_from => [ "VC-common" ], + as => "ml", + asflags => "/nologo /Cp /coff /c /Cx /Zi", + asoutflag => "/Fo", + cc => "cl", + cflags => + picker(default => + combine('/W3 /WX /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYS_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT', + sub { vc_wince_info()->{cflags}; }, + sub { defined($ENV{'WCECOMPAT'}) + ? '-I$(WCECOMPAT)/include' : (); }, + sub { defined($ENV{'PORTSDK_LIBPATH'}) + ? '-I$(PORTSDK_LIBPATH)/../../include' : (); }, + sub { `cl 2>&1` =~ /Version ([0-9]+)\./ && $1>=14 + ? ($disabled{shared} ? " /MT" : " /MD") + : " /MC"; }), + debug => "/Od -DDEBUG -D_DEBUG", + release => "/O1i"), + lflags => combine("/nologo /opt:ref", + sub { vc_wince_info()->{lflags}; }, + sub { defined($ENV{PORTSDK_LIBPATH}) + ? "/entry:mainCRTstartup" : (); }), + sys_id => "WINCE", + bn_ops => "BN_LLONG EXPORT_VAR_AS_FN", + ex_libs => add(sub { + my @ex_libs = (); + push @ex_libs, 'ws2.lib' unless $disabled{sock}; + push @ex_libs, 'crypt32.lib'; + if (defined($ENV{WCECOMPAT})) { + my $x = '$(WCECOMPAT)/lib'; + if (-f "$x/$ENV{TARGETCPU}/wcecompatex.lib") { + $x .= '/$(TARGETCPU)/wcecompatex.lib'; + } else { + $x .= '/wcecompatex.lib'; + } + push @ex_libs, $x; + } + push @ex_libs, '$(PORTSDK_LIBPATH)/portlib.lib' + if (defined($ENV{'PORTSDK_LIBPATH'})); + push @ex_libs, ' /nodefaultlib coredll.lib corelibc.lib' + if ($ENV{'TARGETCPU'} eq "X86"); + return @ex_libs; + }), + build_scheme => add("VC-WCE", { separator => undef }), + }, + +#### MinGW + "mingw" => { + inherit_from => [ "BASE_unix", asm("x86_asm"), + sub { $disabled{shared} ? () : "x86_uplink" } ], + cc => "gcc", + cflags => combine(picker(default => "-DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE -m32 -Wall", + debug => "-g -O0", + release => "-O3 -fomit-frame-pointer"), + threads("-D_MT")), + sys_id => "MINGW32", + ex_libs => add("-lws2_32 -lgdi32 -lcrypt32"), + bn_ops => "BN_LLONG EXPORT_VAR_AS_FN", + thread_scheme => "winthreads", + perlasm_scheme => "coff", + dso_scheme => "win32", + shared_target => "mingw-shared", + shared_cflag => add("-D_WINDLL"), + shared_ldflag => "-static-libgcc", + shared_rcflag => "--target=pe-i386", + shared_extension => ".dll", + multilib => "", + apps_aux_src => add("win32_init.c"), + }, + "mingw64" => { + # As for OPENSSL_USE_APPLINK. Applink makes it possible to use + # .dll compiled with one compiler with application compiled with + # another compiler. It's possible to engage Applink support in + # mingw64 build, but it's not done, because till mingw64 + # supports structured exception handling, one can't seriously + # consider its binaries for using with non-mingw64 run-time + # environment. And as mingw64 is always consistent with itself, + # Applink is never engaged and can as well be omitted. + inherit_from => [ "BASE_unix", asm("x86_64_asm") ], + cc => "gcc", + cflags => combine(picker(default => "-DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE -m64 -Wall", + debug => "-g -O0", + release => "-O3"), + threads("-D_MT")), + sys_id => "MINGW64", + ex_libs => add("-lws2_32 -lgdi32 -lcrypt32"), + bn_ops => "SIXTY_FOUR_BIT EXPORT_VAR_AS_FN", + thread_scheme => "winthreads", + perlasm_scheme => "mingw64", + dso_scheme => "win32", + shared_target => "mingw-shared", + shared_cflag => add("-D_WINDLL"), + shared_ldflag => "-static-libgcc", + shared_rcflag => "--target=pe-x86-64", + shared_extension => ".dll", + multilib => "64", + apps_aux_src => add("win32_init.c"), + }, + +#### UEFI + "UEFI" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => "-DL_ENDIAN -O", + sys_id => "UEFI", + }, + +#### UWIN + "UWIN" => { + inherit_from => [ "BASE_unix" ], + cc => "cc", + cflags => "-DTERMIOS -DL_ENDIAN -O -Wall", + sys_id => "UWIN", + bn_ops => "BN_LLONG", + dso_scheme => "win32", + }, + +#### Cygwin + "Cygwin-x86" => { + inherit_from => [ "BASE_unix", asm("x86_asm") ], + cc => "gcc", + cflags => picker(default => "-DTERMIOS -DL_ENDIAN -Wall", + debug => "-g -O0", + release => "-O3 -fomit-frame-pointer"), + sys_id => "CYGWIN", + bn_ops => "BN_LLONG", + thread_scheme => "pthread", + perlasm_scheme => "coff", + dso_scheme => "dlfcn", + shared_target => "cygwin-shared", + shared_cflag => "-D_WINDLL", + shared_ldflag => "-shared", + shared_extension => ".dll", + }, + "Cygwin-x86_64" => { + inherit_from => [ "BASE_unix", asm("x86_64_asm") ], + cc => "gcc", + cflags => picker(default => "-DTERMIOS -DL_ENDIAN -Wall", + debug => "-g -O0", + release => "-O3"), + sys_id => "CYGWIN", + bn_ops => "SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthread", + perlasm_scheme => "mingw64", + dso_scheme => "dlfcn", + shared_target => "cygwin-shared", + shared_cflag => "-D_WINDLL", + shared_ldflag => "-shared", + shared_extension => ".dll", + }, + # Backward compatibility for those using this target + "Cygwin" => { + inherit_from => [ "Cygwin-x86" ] + }, + # In case someone constructs the Cygwin target name themself + "Cygwin-i386" => { + inherit_from => [ "Cygwin-x86" ] + }, + "Cygwin-i486" => { + inherit_from => [ "Cygwin-x86" ] + }, + "Cygwin-i586" => { + inherit_from => [ "Cygwin-x86" ] + }, + "Cygwin-i686" => { + inherit_from => [ "Cygwin-x86" ] + }, + +##### MacOS X (a.k.a. Darwin) setup + "darwin-common" => { + inherit_from => [ "BASE_unix" ], + template => 1, + cc => "cc", + cflags => combine(picker(default => "", + debug => "-g -O0", + release => "-O3"), + threads("-D_REENTRANT")), + sys_id => "MACOSX", + plib_lflags => "-Wl,-search_paths_first", + bn_ops => "BN_LLONG RC4_CHAR", + thread_scheme => "pthreads", + perlasm_scheme => "osx32", + dso_scheme => "dlfcn", + ranlib => "ranlib -c", + shared_target => "darwin-shared", + shared_cflag => "-fPIC", + shared_ldflag => "-dynamiclib", + shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", + }, + # Option "freeze" such as -std=gnu9x can't negatively interfere + # with future defaults for below two targets, because MacOS X + # for PPC has no future, it was discontinued by vendor in 2009. + "darwin-ppc-cc" => { + inherit_from => [ "darwin-common", asm("ppc32_asm") ], + cflags => add("-arch ppc -std=gnu9x -DB_ENDIAN -Wa,-force_cpusubtype_ALL"), + perlasm_scheme => "osx32", + shared_ldflag => "-arch ppc -dynamiclib", + }, + "darwin64-ppc-cc" => { + inherit_from => [ "darwin-common", asm("ppc64_asm") ], + cflags => add("-arch ppc64 -std=gnu9x -DB_ENDIAN"), + bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", + perlasm_scheme => "osx64", + shared_ldflag => "-arch ppc64 -dynamiclib", + }, + "darwin-i386-cc" => { + inherit_from => [ "darwin-common", asm("x86_asm") ], + cflags => add(picker(default => "-arch i386 -DL_ENDIAN", + release => "-fomit-frame-pointer")), + bn_ops => "BN_LLONG RC4_INT", + perlasm_scheme => "macosx", + shared_ldflag => "-arch i386 -dynamiclib", + }, + "darwin64-x86_64-cc" => { + inherit_from => [ "darwin-common", asm("x86_64_asm") ], + cflags => add("-arch x86_64 -DL_ENDIAN -Wall"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + perlasm_scheme => "macosx", + shared_ldflag => "-arch x86_64 -dynamiclib", + }, + +#### iPhoneOS/iOS +# +# It takes three prior-set environment variables to make it work: +# +# CROSS_COMPILE=/where/toolchain/is/usr/bin/ [note ending slash] +# CROSS_TOP=/where/SDKs/are +# CROSS_SDK=iPhoneOSx.y.sdk +# +# Exact paths vary with Xcode releases, but for couple of last ones +# they would look like this: +# +# CROSS_COMPILE=`xcode-select --print-path`/Toolchains/XcodeDefault.xctoolchain/usr/bin/ +# CROSS_TOP=`xcode-select --print-path`/Platforms/iPhoneOS.platform/Developer +# CROSS_SDK=iPhoneOS.sdk +# + "iphoneos-cross" => { + inherit_from => [ "darwin-common" ], + cflags => add("-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"), + sys_id => "iOS", + }, + "ios-cross" => { + inherit_from => [ "darwin-common", asm("armv4_asm") ], + # It should be possible to go below iOS 6 and even add -arch armv6, + # thus targeting iPhone pre-3GS, but it's assumed to be irrelevant + # at this point. + cflags => add("-arch armv7 -mios-version-min=6.0.0 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"), + sys_id => "iOS", + perlasm_scheme => "ios32", + }, + "ios64-cross" => { + inherit_from => [ "darwin-common", asm("aarch64_asm") ], + cflags => add("-arch arm64 -mios-version-min=7.0.0 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common"), + sys_id => "iOS", + bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", + perlasm_scheme => "ios64", + }, + +##### GNU Hurd + "hurd-x86" => { + inherit_from => [ "BASE_unix" ], + inherit_from => [ asm("x86_elf_asm") ], + cc => "gcc", + cflags => combine("-DL_ENDIAN -O3 -fomit-frame-pointer -Wall", + threads("-pthread")), + ex_libs => add("-ldl"), + bn_ops => "BN_LLONG", + thread_scheme => "pthreads", + dso_scheme => "dlfcn", + shared_target => "linux-shared", + shared_cflag => "-fPIC", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + }, + +##### VxWorks for various targets + "vxworks-ppc60x" => { + inherit_from => [ "BASE_unix" ], + cc => "ccppc", + cflags => "-D_REENTRANT -mrtp -mhard-float -mstrict-align -fno-implicit-fp -DPPC32_fp60x -O2 -fstrength-reduce -fno-builtin -fno-strict-aliasing -Wall -DCPU=PPC32 -DTOOL_FAMILY=gnu -DTOOL=gnu -I\$(WIND_BASE)/target/usr/h -I\$(WIND_BASE)/target/usr/h/wrn/coreip", + sys_id => "VXWORKS", + ex_libs => add("-Wl,--defsym,__wrs_rtp_base=0xe0000000 -L \$(WIND_BASE)/target/usr/lib/ppc/PPC32/common"), + }, + "vxworks-ppcgen" => { + inherit_from => [ "BASE_unix" ], + cc => "ccppc", + cflags => "-D_REENTRANT -mrtp -msoft-float -mstrict-align -O1 -fno-builtin -fno-strict-aliasing -Wall -DCPU=PPC32 -DTOOL_FAMILY=gnu -DTOOL=gnu -I\$(WIND_BASE)/target/usr/h -I\$(WIND_BASE)/target/usr/h/wrn/coreip", + sys_id => "VXWORKS", + ex_libs => add("-Wl,--defsym,__wrs_rtp_base=0xe0000000 -L \$(WIND_BASE)/target/usr/lib/ppc/PPC32/sfcommon"), + }, + "vxworks-ppc405" => { + inherit_from => [ "BASE_unix" ], + cc => "ccppc", + cflags => "-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h", + sys_id => "VXWORKS", + lflags => "-r", + }, + "vxworks-ppc750" => { + inherit_from => [ "BASE_unix" ], + cc => "ccppc", + cflags => "-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG)", + sys_id => "VXWORKS", + lflags => "-r", + }, + "vxworks-ppc750-debug" => { + inherit_from => [ "BASE_unix" ], + cc => "ccppc", + cflags => "-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DPEDANTIC -DDEBUG -g", + sys_id => "VXWORKS", + lflags => "-r", + }, + "vxworks-ppc860" => { + inherit_from => [ "BASE_unix" ], + cc => "ccppc", + cflags => "-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h", + sys_id => "VXWORKS", + lflags => "-r", + }, + "vxworks-simlinux" => { + inherit_from => [ "BASE_unix" ], + cc => "ccpentium", + cflags => "-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -D_VSB_CONFIG_FILE=\"\$(WIND_BASE)/target/lib/h/config/vsbConfig.h\" -DL_ENDIAN -DCPU=SIMLINUX -DTOOL_FAMILY=gnu -DTOOL=gnu -fno-builtin -fno-defer-pop -DNO_STRINGS_H -I\$(WIND_BASE)/target/h -I\$(WIND_BASE)/target/h/wrn/coreip -DOPENSSL_NO_HW_PADLOCK", + sys_id => "VXWORKS", + lflags => "-r", + ranlib => "ranlibpentium", + }, + "vxworks-mips" => { + inherit_from => [ "BASE_unix", asm("mips32_asm") ], + cc => "ccmips", + cflags => combine("-mrtp -mips2 -O -G 0 -B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -D_VSB_CONFIG_FILE=\"\$(WIND_BASE)/target/lib/h/config/vsbConfig.h\" -DCPU=MIPS32 -msoft-float -mno-branch-likely -DTOOL_FAMILY=gnu -DTOOL=gnu -fno-builtin -fno-defer-pop -DNO_STRINGS_H -I\$(WIND_BASE)/target/usr/h -I\$(WIND_BASE)/target/h/wrn/coreip", + threads("-D_REENTRANT")), + sys_id => "VXWORKS", + ex_libs => add("-Wl,--defsym,__wrs_rtp_base=0xe0000000 -L \$(WIND_BASE)/target/usr/lib/mips/MIPSI32/sfcommon"), + thread_scheme => "pthreads", + perlasm_scheme => "o32", + ranlib => "ranlibmips", + }, + +#### uClinux + "uClinux-dist" => { + inherit_from => [ "BASE_unix" ], + cc => "$ENV{'CC'}", + cflags => combine("\$(CFLAGS)", + threads("-D_REENTRANT")), + plib_lflags => "\$(LDFLAGS)", + ex_libs => add("\$(LDLIBS)"), + bn_ops => "BN_LLONG", + thread_scheme => "pthreads", + dso_scheme => "$ENV{'LIBSSL_dlfcn'}", + shared_target => "linux-shared", + shared_cflag => "-fPIC", + shared_ldflag => "-shared", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + ranlib => "$ENV{'RANLIB'}", + }, + "uClinux-dist64" => { + inherit_from => [ "BASE_unix" ], + cc => "$ENV{'CC'}", + cflags => combine("\$(CFLAGS)", + threads("-D_REENTRANT")), + plib_lflags => "\$(LDFLAGS)", + ex_libs => add("\$(LDLIBS)"), + bn_ops => "SIXTY_FOUR_BIT_LONG", + thread_scheme => "pthreads", + dso_scheme => "$ENV{'LIBSSL_dlfcn'}", + shared_target => "linux-shared", + shared_cflag => "-fPIC", + shared_ldflag => "-shared", + shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + ranlib => "$ENV{'RANLIB'}", + }, + + ##### VMS + "vms-generic" => { + inherit_from => [ "BASE_VMS" ], + template => 1, + cc => "CC/DECC", + cflags => picker(default => "/STANDARD=(ISOC94,RELAXED)/NOLIST/PREFIX=ALL", + debug => "/NOOPTIMIZE/DEBUG", + release => "/OPTIMIZE/NODEBUG"), + defines => add("OPENSSL_USE_NODELETE"), + lflags => picker(default => "/MAP", + debug => "/DEBUG/TRACEBACK", + release => "/NODEBUG/NOTRACEBACK"), + lib_cflags => add("/NAMES=(AS_IS,SHORTENED)/EXTERN_MODEL=STRICT_REFDEF"), + dso_cflags => add("/NAMES=(AS_IS,SHORTENED)"), + shared_target => "vms-shared", + dso_scheme => "vms", + thread_scheme => "pthreads", + + apps_aux_src => "vms_decc_init.c vms_term_sock.c", + }, + + "vms-alpha" => { + inherit_from => [ "vms-generic" ], + cflags => add(sub { my @warnings = + @{vms_info(0)->{disable_warns}}; + @warnings + ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); }), + defines => + add(sub { + return vms_info(0)->{def_zlib} + ? "LIBZ=\"\"\"".vms_info(0)->{def_zlib}."\"\"\"" : (); + }), + ex_libs => add(sub { return vms_info(0)->{zlib} || (); }), + pointer_size => sub { return vms_info(0)->{pointer_size} }, + #as => "???", + #debug_aflags => "/NOOPTIMIZE/DEBUG", + #release_aflags => "/OPTIMIZE/NODEBUG", + bn_opts => "SIXTY_FOUR_BIT RC4_INT", + }, + "vms-alpha-p32" => { + inherit_from => [ "vms-generic" ], + cflags => + add("/POINTER_SIZE=32", + sub { my @warnings = + @{vms_info(32)->{disable_warns}}; + @warnings + ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); + } ), + defines => + add(sub { + return vms_info(32)->{def_zlib} + ? "LIBZ=\"\"\"".vms_info(32)->{def_zlib}."\"\"\"" : (); + }), + ex_libs => add(sub { return vms_info(32)->{zlib} || (); }), + pointer_size => sub { return vms_info(32)->{pointer_size} }, + }, + "vms-alpha-p64" => { + inherit_from => [ "vms-generic" ], + cflags => + add("/POINTER_SIZE=64=ARGV", + sub { my @warnings = + @{vms_info(64)->{disable_warns}}; + @warnings + ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); + } ), + defines => + add(sub { + return vms_info(64)->{def_zlib} + ? "LIBZ=\"\"\"".vms_info(64)->{def_zlib}."\"\"\"" : (); + }), + ex_libs => add(sub { return vms_info(64)->{zlib} || (); }), + pointer_size => sub { return vms_info(64)->{pointer_size} }, + }, + "vms-ia64" => { + inherit_from => [ "vms-generic" ], + cflags => add(sub { my @warnings = + @{vms_info(0)->{disable_warns}}; + @warnings + ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); }), + defines => + add(sub { + return vms_info(0)->{def_zlib} + ? "LIBZ=\"\"\"".vms_info(0)->{def_zlib}."\"\"\"" : (); + }), + ex_libs => add(sub { return vms_info(0)->{zlib} || (); }), + pointer_size => sub { return vms_info(0)->{pointer_size} }, + #as => "I4S", + #debug_aflags => "/NOOPTIMIZE/DEBUG", + #release_aflags => "/OPTIMIZE/NODEBUG", + bn_opts => "SIXTY_FOUR_BIT RC4_INT", + }, + "vms-ia64-p32" => { + inherit_from => [ "vms-generic" ], + cflags => + add("/POINTER_SIZE=32", + sub { my @warnings = + @{vms_info(32)->{disable_warns}}; + @warnings + ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); + } ), + defines => + add(sub { + return vms_info(32)->{def_zlib} + ? "LIBZ=\"\"\"".vms_info(32)->{def_zlib}."\"\"\"" : (); + }), + ex_libs => add(sub { return vms_info(32)->{zlib} || (); }), + pointer_size => sub { return vms_info(32)->{pointer_size} }, + }, + "vms-ia64-p64" => { + inherit_from => [ "vms-generic" ], + cflags => + add("/POINTER_SIZE=64=ARGV", + sub { my @warnings = + @{vms_info(64)->{disable_warns}}; + @warnings + ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); + } ), + defines => + add(sub { + return vms_info(64)->{def_zlib} + ? "LIBZ=\"\"\"".vms_info(64)->{def_zlib}."\"\"\"" : (); + }), + ex_libs => add(sub { return vms_info(64)->{zlib} || (); }), + pointer_size => sub { return vms_info(64)->{pointer_size} }, + }, + +); diff --git a/cve/openssl/2021/yaml/CVE-2021-23841.yaml b/cve/openssl/2021/yaml/CVE-2021-23841.yaml new file mode 100644 index 00000000..0880d3f0 --- /dev/null +++ b/cve/openssl/2021/yaml/CVE-2021-23841.yaml @@ -0,0 +1,39 @@ +id: CVE-2021-23841 +source: + https://github.com/Trinadh465/external_boringssl_openssl_1.1.0g_CVE-2021-23841/blob/master/test/x509aux.c +info: + name: OpenSSL是用于传输层安全性(TLS)和安全套接字层(SSL)协议的功能强大的,商业级且功能齐全的工具包。它也是一个通用密码库。 + severity: medium + description: OpenSSL公共API函数 X509_issuer_and_serial_hash()尝试根据X509证书中包含的颁发者和序列号数据创建唯一的哈希值。但是,它无法正确处理解析颁发者字段时可能发生的任何错误(如果颁发者字段是恶意构造的,则可能会发生这种情况)。这随后可能导致空指针deref和崩溃,从而导致潜在的拒绝服务攻击。OpenSSL本身永远不会直接调用函数X509_issuer_and_serial_hash(),因此应用程序只有在直接使用此函数并在可能从不受信任的来源获得的证书上使用它时才容易受到攻击。OpenSSL版本1.1.1i及更低版本受此问题影响。这些版本的用户应升级到OpenSSL 1.1.1j。OpenSSL版本1.0.2x及更低版本受此问题影响。但是,OpenSSL 1.0.2不再受支持,不再接收公共更新。OpenSSL 1.0.2 的高级支持客户应升级到 1.0.2y。其他用户应升级到1.1.1j。在OpenSSL 1.1.1j 中修复(受影响的 1.1.1-1.1.1i)。在OpenSSL 1.0.2y中修复。 + scope-of-influence: + OpenSSL 1.0.2到1.0.2y版本 + reference: + - http://seclists.org/fulldisclosure/2021/May/67 + - http://seclists.org/fulldisclosure/2021/May/68 + - http://seclists.org/fulldisclosure/2021/May/70 + - https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf + - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf + - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807 + - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846 + - https://security.gentoo.org/glsa/202103-03 + - https://security.netapp.com/advisory/ntap-20210219-0009/ + - https://security.netapp.com/advisory/ntap-20210513-0002/ + - https://support.apple.com/kb/HT212528 + - https://support.apple.com/kb/HT212529 + - https://support.apple.com/kb/HT212534 + - https://www.debian.org/security/2021/dsa-4855 + - https://www.openssl.org/news/secadv/20210216.txt + - https://www.oracle.com//security-alerts/cpujul2021.html + - https://www.oracle.com/security-alerts/cpuApr2021.html + - https://www.oracle.com/security-alerts/cpuapr2022.html + - https://www.oracle.com/security-alerts/cpuoct2021.html + - https://www.tenable.com/security/tns-2021-03 + - https://www.tenable.com/security/tns-2021-09 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H + cvss-score: 5.9 + cve-id: CVE-2021-23841 + cwe-id: CWE-476 + cnvd-id: None + kve-id: None + tags: X509, DoS \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 127b8584..359dd255 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -78,6 +78,7 @@ cve: - CVE-2023-25136 - CVE-2021-3449 - CVE-2022-0778 + - CVE-2021-23841 libxml2: - CVE-2020-24977 - CVE-2021-3517 -- Gitee From dbfd28b0bd76fd9ecd9b8a24fa1b27bdfed04d5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?= Date: Tue, 14 Mar 2023 08:56:42 +0000 Subject: [PATCH 2/4] update cve/openssl/2021/yaml/CVE-2021-23841.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李思佳 --- cve/openssl/2021/yaml/CVE-2021-23841.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/openssl/2021/yaml/CVE-2021-23841.yaml b/cve/openssl/2021/yaml/CVE-2021-23841.yaml index 0880d3f0..47a989b1 100644 --- a/cve/openssl/2021/yaml/CVE-2021-23841.yaml +++ b/cve/openssl/2021/yaml/CVE-2021-23841.yaml @@ -25,7 +25,7 @@ info: - https://www.openssl.org/news/secadv/20210216.txt - https://www.oracle.com//security-alerts/cpujul2021.html - https://www.oracle.com/security-alerts/cpuApr2021.html - - https://www.oracle.com/security-alerts/cpuapr2022.html + - https://www.oracle.com/security-alerts/cpuapr2022.html - https://www.oracle.com/security-alerts/cpuoct2021.html - https://www.tenable.com/security/tns-2021-03 - https://www.tenable.com/security/tns-2021-09 -- Gitee From a7fefda32ff8585c37a586c9bb7c868d2976bf0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?= Date: Tue, 14 Mar 2023 09:00:39 +0000 Subject: [PATCH 3/4] update cve/openssl/2021/CVE-2021-23841/README.md. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李思佳 --- cve/openssl/2021/CVE-2021-23841/README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cve/openssl/2021/CVE-2021-23841/README.md b/cve/openssl/2021/CVE-2021-23841/README.md index c87f979f..6b2a36bb 100644 --- a/cve/openssl/2021/CVE-2021-23841/README.md +++ b/cve/openssl/2021/CVE-2021-23841/README.md @@ -53,8 +53,7 @@ The OpenSSL Project is a collaborative effort to develop a robust, If you have any problems with OpenSSL then please take the following steps first: - - Download the latest version from the repository - to see if the problem has already been addressed + - Download the latest version from the repository to see if the problem has already been addressed - Configure with no-asm - Remove compiler optimisation flags @@ -62,8 +61,7 @@ The OpenSSL Project is a collaborative effort to develop a robust, and create an issue on GitHub: - OpenSSL version: output of 'openssl version -a' - - Any "Configure" options that you selected during compilation of the - library if applicable (see INSTALL) + - Any "Configure" options that you selected during compilation of the library if applicable (see INSTALL) - OS Name, Version, Hardware platform - Compiler Details (name, version) - Application Details (name, version) -- Gitee From c61deae1a159c68a6c3784523230a17b292be11d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E6=80=9D=E4=BD=B3?= Date: Tue, 14 Mar 2023 09:02:59 +0000 Subject: [PATCH 4/4] update cve/openssl/2021/yaml/CVE-2021-23841.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李思佳 --- cve/openssl/2021/yaml/CVE-2021-23841.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/openssl/2021/yaml/CVE-2021-23841.yaml b/cve/openssl/2021/yaml/CVE-2021-23841.yaml index 47a989b1..834dda08 100644 --- a/cve/openssl/2021/yaml/CVE-2021-23841.yaml +++ b/cve/openssl/2021/yaml/CVE-2021-23841.yaml @@ -36,4 +36,4 @@ info: cwe-id: CWE-476 cnvd-id: None kve-id: None - tags: X509, DoS \ No newline at end of file + tags: X509, 输入编辑错误漏洞 \ No newline at end of file -- Gitee