components/openssl/README
changeset 4370 7043c27399f1
parent 2180 bc1340c26305
child 4822 1fb8a14c6702
--- a/components/openssl/README	Wed May 27 17:12:47 2015 -0700
+++ b/components/openssl/README	Thu May 28 09:54:36 2015 -0700
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 
@@ -57,95 +57,15 @@
 The non-fips Build.
 ---
 
-The non-fips build is the main build of OpenSSL and includes the regular
+The non-fips build is the 'default' build of OpenSSL and includes the regular
 binaries, libraries, man pages, and header files.
 
-Patches
----
-
-08-6193522.patch
-Give CA.pl better defaults. See 6193522 for more information.
-
-11-6546806.patch
-Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for
-more information.
-
-14-manpage_openssl.patch
-Force openssl to install man pages into man[1357]openssl instead of man[1357].
-
-15-pkcs11_engine-0.9.8a.patch
-Patch which adds the pkcs11 engine. See also the engine/pkcs11
-sub-directory. 
-
-18-compiler_opts.patch
-Adds five Solaris specific configurations (both 32bit and 64bit for both sparc
-and x86, plus 64bit sparc for wanboot) to Configure which are then explicitly
-used by the Makefiles. Wanboot configuration is special in that it doesn't link
-with libc and uses -xF=%all to put functions in separate sections, so that
-unused code can be discarded.
-
-Care should be taken if modifying this patch as changes to compile-time options
-can change the ABI. One example of this is the use of RC4_INT vs RC4_CHAR.
-
-20-remove_rpath.patch
-Prevent build binaries having an unnecessary runpath (/lib).
-
-23-noexstack.patch
-Build with non-executable stacks and non-executable data (x86).
-
-27-6978791.patch
-Modifies Makefile.shared so that libssl is built with -znodelete.
-
-28-enginesdir.patch
-Adds a new "enginesdir" option to the Configure script which allows a user to
-specify the engines directory.
-
-30_wanboot.patch:
-Wanboot specific patches.
-- modified Makefiles not to build in engines apps test tools
-- not using vfprintf for error print in crypto/cryptlib.c
-- not using ERR_load_DSO_strings() in crypto/err/err_all.c
-- not using EVP_read_pw_string() in crypto/evp/evp_key.c
-    - reading password is implemented in disabled DES library
-- avoid select() in crypto/rand/rand_unix.c
-- direct reading of IP to avoid sscanf() in crypto/x509v3/v3_utl.c
-- using functions from libsock in e_os.h
-- by-passing version of sparc detection in crypto/sparcv9cap.c
-    - results in not using FPU for big numbers multiplication
-    - should be ok - original detection seems broken, FPU gets never used
-- implementation of atoi()
-- avoid using ssl_fill_hello_random() in s3_clnt.c
-
-37_openssl_t4_inline.patch
-SPARC-only patch.
-Add patch to support inline T4 instruction in OpenSSL upstream code until
-OpenSSL 1.0.2 is released.
-
-opensslconf.patch
-Modifies opensslconf.h so that it is suitable for both 32bit and 64bit installs.
-OpenSSL either builds for 32bit or 64bit - it doesn't allow for combined 32bit
-and 64bit builds.
-
-38_remove_illegal_instruction_calls.patch
-SPARC patch. Solaris-only patch.
-For instructions in sparcv9cap.c, remove if not supported on any platforms.
-Otherwise modify them to call getisax() to check for HW capability instead. 
 
 The fips Build
 ---
 
 We are now shipping FIPS-140 certified OpenSSL 1.0.1 with S12 and S11.2.
 The admin may choose to activate 'openssl-fips' implementation using 'pkg mediator'.
-The change will come soon.
-
-
-Patches
----
-
-All the patches from 1.0.1 (non-fips) are used in 1.0.1(fips) as well aside from
-14-manpage_openssl.patch which is not needed since we do not deliver 1.0.1(fips) man
-pages.  Once we make fips version public, we should deliver man page.
-(coming soon)
 
 The wanboot Build
 ----
@@ -312,3 +232,120 @@
 
 Finally, resulting wanboot binary shall be deployed on some install server and
 wanbooting from this server shall be tested.
+
+===============
+Common Patches
+===============
+
+Common patch files are located in the components/openssl/common/patches dir,
+and they are copied to both FIPS and non-FIPS 'patches' dir as soon as the
+Makefile is parsed.  The Common patch filename has prefix '0',
+
+----
+
+008-6193522.patch
+Give CA.pl better defaults. See 6193522 for more information.
+
+011-6546806.patch
+Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for
+more information.
+
+015-pkcs11_engine-0.9.8a.patch
+Patch which adds the pkcs11 engine. See also the engine/pkcs11
+sub-directory. 
+
+018-compiler_opts.patch
+Adds five Solaris specific configurations (both 32bit and 64bit for both sparc
+and x86, plus 64bit sparc for wanboot) to Configure which are then explicitly
+used by the Makefiles. Wanboot configuration is special in that it doesn't link
+with libc and uses -xF=%all to put functions in separate sections, so that
+unused code can be discarded.
+
+Care should be taken if modifying this patch as changes to compile-time options
+can change the ABI. One example of this is the use of RC4_INT vs RC4_CHAR.
+
+020-remove_rpath.patch
+Prevent build binaries having an unnecessary runpath (/lib).
+
+023-noexstack.patch
+Build with non-executable stacks and non-executable data (x86).
+
+027-6978791.patch
+Modifies Makefile.shared so that libssl is built with -znodelete.
+
+028-enginesdir.patch
+Adds a new "enginesdir" option to the Configure script which allows a user to
+specify the engines directory.
+
+029-fork_safe.patch
+Adds the code to setup internal mutexes and callback function.
+See PSARC/2014/077.
+
+032-aes_cbc_len_check.patch
+AES-CBC input length is checked to avoid segmentation fault.
+
+033-cert_chain.patch
+Fixes the certificate chain bug.
+
+036-evp_leak.patch
+Fixes the memory leak bug.
+
+038_remove_illegal_instruction_calls.patch
+SPARC patch. Solaris-only patch.
+For instructions in sparcv9cap.c, remove if not supported on any platforms.
+Otherwise modify them to call getisax() to check for HW capability instead. 
+
+039-internal_tests.patch
+Remove test 'test_ca' because it depends on directories not present in the
+build directory. 
+
+=========================
+Non-FIPS specific Patches
+=========================
+
+Non-FIPS specific patch files are located in the
+components/openssl/openssl-1.0.1/patches dir.
+The Non-FIPS specific patch filename has prefix '1',
+
+----
+101-manpage_openssl.patch
+Force openssl to install man pages into man[1357]openssl instead of man[1357].
+
+102-wanboot.patch:
+Wanboot specific patches.
+- modified Makefiles not to build in engines apps test tools
+- not using vfprintf for error print in crypto/cryptlib.c
+- not using ERR_load_DSO_strings() in crypto/err/err_all.c
+- not using EVP_read_pw_string() in crypto/evp/evp_key.c
+    - reading password is implemented in disabled DES library
+- avoid select() in crypto/rand/rand_unix.c
+- direct reading of IP to avoid sscanf() in crypto/x509v3/v3_utl.c
+- using functions from libsock in e_os.h
+- by-passing version of sparc detection in crypto/sparcv9cap.c
+    - results in not using FPU for big numbers multiplication
+    - should be ok - original detection seems broken, FPU gets never used
+- implementation of atoi()
+- avoid using ssl_fill_hello_random() in s3_clnt.c
+
+103-openssl_t4_inline.patch
+Add patch to support inline T4 instruction in OpenSSL upstream code until
+OpenSSL 1.0.2 is released.
+
+104-suppress_v8plus_abi_warnings.patch
+Suppress warnings about sparcv8+ ABI violation when building T4-specific
+modules as 32-bit.
+
+=========================
+FIPS specific Patches
+=========================
+
+FIPS specific patch files are located in the
+components/openssl/openssl-1.0.1-fips-140/patches dir.
+The FIPS specific patch filename has prefix '2',
+
+---
+201-openssl_fips.patch 
+Change openssl(1) to call the FIPS routines only if the fips mediator is activated.
+
+202-17952966.patch
+FIPS version needs to build with '-lc' explicitly with stuido 12.3 and above.
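Review bot: typo in the 202-17952966.patch entry, "stuido 12.3" should be "studio 12.3". Other points in this hunk: the 103-openssl_t4_inline.patch entry dropped the "SPARC-only patch." line that the old 37_openssl_t4_inline.patch entry carried, so the entry now reads as platform-independent when it is not; 032-aes_cbc_len_check, 033-cert_chain and 036-evp_leak are documented only as "the certificate chain bug" / "the memory leak bug" with no bug ID, unlike the numbered entries around them, so add the bug numbers or one line on what was wrong and how it was fixed; the three section intros end in a comma ("has prefix '0',") where a period is meant; the separators alternate between "----" and "---"; and the 015, 038, 039 and 201 entries carry trailing whitespace.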