As diagnosed by kettenis, running the regress/lib/libssl/interop/openssl
test results in a SIGILL or SIGBUS due to an alignment issue. The reason
for this is that the configure magic fails to pick up -m64 which is
needed for the perlasm to generate the correct flavor of assembly.
None of the approaches for setting variables in the main port Makefile
worked. Since we already patch out -O3 from Configure, I added -m64
there. The resulting binary seems to work well. The interop tests on
sparc64 pass with this patch.
Many thanks to kettenis for figuring this out and to sthen who helped
me save a lot of time with FLAVOR=no_man.
ok sthen
- Fixed NULL pointer deref in the GENERAL_NAME_cmp function, CVE-2020-1971
- In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
when validating a certificate path.
On OpenBSD, setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, ...) only allows
setting to 1 (which is the default anyway). Setting to 0 results in EINVAL.
This doesn't fix everything, there are still some other problems with binds
to v6 addresses with OpenSSL 1.1 on OpenBSD.
Detection succeeds on sparc64 where clang uses gas, but then build fails
because of a mix of -Wa,foobar unused argument warning and -Werror.
Just drop the use of --noexecstack, the stack is always marked
non-executable on OpenBSD.
ok sthen@ (maintainer)
build system to assume gcc/binutils compatible linker. There is autodetection
in detect_gnu_ld() for partially unknown build targets but it's broken
(it tries to run $config{CC} -Wl,-V before it sets up $config{CC}, and even
if that did work, the regex matching output doesn't match LLD's string).
Initial research by naddy@. Mucu further headscratching and deciding on a
not-too-horrible way to work around the problem by me.
Unbreaks i386.
was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a
result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null
pointer exception."
(not moved to 1.1.0 yet, so today's critical fix for CVE-2016-6309
doesn't apply).
*) Prevent padding oracle in AES-NI CBC MAC check
*) Fix EVP_EncodeUpdate overflow
*) Fix EVP_EncryptUpdate overflow
*) Prevent ASN.1 BIO excessive memory allocation
*) EBCDIC overread
*) Modify behavior of ALPN to invoke callback after SNI/servername
callback, such that updates to the SSL_CTX affect ALPN.
*) Remove LOW from the DEFAULT cipher list, removing single DES
from the default.
*) Only remove the SSLv2 methods with the no-ssl2-method option.
When the methods are enabled and ssl2 is disabled the methods return
NULL. (i.e. restore ABI compat with pre-1.0.2g cf. SSLv2_*_method)
