# HG changeset patch # User Ronald Jordan # Date 1402398530 25200 # Node ID c059623861df52b8f3b3c803dc8eff05a149fae7 # Parent bb9303d6e615f2bacf8c8b3c9e3f6a9c345765bd 18889686 problem in UTILITY/OPENSSL 18889720 problem in UTILITY/OPENSSL 18889740 problem in UTILITY/OPENSSL 18889837 problem in UTILITY/OPENSSL 18889844 problem in UTILITY/OPENSSL 18889862 problem in UTILITY/OPENSSL 18924227 Upgrade OpenSSL to 1.0.0m 18924454 OpenSSL 1.0.0m upgrade requires removal of patch fix for CVE-2014-0076 18924292 Build failure caused by OpenSSL 1.0.0m upgrade diff -r bb9303d6e615 -r c059623861df components/openssl/openssl-0.9.8-fips-140/Makefile --- a/components/openssl/openssl-0.9.8-fips-140/Makefile Tue May 27 22:38:08 2014 -0700 +++ b/components/openssl/openssl-0.9.8-fips-140/Makefile Tue Jun 10 04:08:50 2014 -0700 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. # PARFAIT_BUILD=no @@ -29,13 +29,13 @@ COMPONENT_NAME = openssl # Note that this is the OpenSSL version that is used to build FIPS-140 certified # libraries. However, we use the FIPS canister version for the IPS package. -COMPONENT_VERSION = 0.9.8y +COMPONENT_VERSION = 0.9.8za IPS_COMPONENT_VERSION = 1.2 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:bbecf13495e612936e3a9860c29c0701413564b7a964bf771a3575eaa867cee3 + sha256:cdcb98d0fbc026ca798b17919334310271d3a593554ffd6a59659b9222fd4e48 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) # Apply the patch on SPARC only. Must put this before including prep.mk as diff -r bb9303d6e615 -r c059623861df components/openssl/openssl-0.9.8-fips-140/patches/38-openssl-0.9.8za-include-limits.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
+++ b/components/openssl/openssl-0.9.8-fips-140/patches/38-openssl-0.9.8za-include-limits.patch Tue Jun 10 04:08:50 2014 -0700 @@ -0,0 +1,13 @@ +Patch developed in-house. This issue has been addressed upstream and this +patch will need to be obsoleted upon the next OpenSSL 0.9.8 release. + +--- openssl-0.9.8za/ssl/s3_pkt.c.orig Thu Jun 5 02:41:31 2014 ++++ openssl-0.9.8za/ssl/s3_pkt.c Thu Jun 5 06:42:42 2014 +@@ -109,6 +109,7 @@ + * + */ + ++#include + #include + #include + #define USE_SOCKETS diff -r bb9303d6e615 -r c059623861df components/openssl/openssl-1.0.0/Makefile --- a/components/openssl/openssl-1.0.0/Makefile Tue May 27 22:38:08 2014 -0700 +++ b/components/openssl/openssl-1.0.0/Makefile Tue Jun 10 04:08:50 2014 -0700 @@ -28,15 +28,15 @@ # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. # For more information about wanboot-openssl testing, please refer to # ../README. -COMPONENT_VERSION = 1.0.0l +COMPONENT_VERSION = 1.0.0m # Version for IPS. It is easier to do it manually than convert the letter to a # number while taking into account that there might be no letter at all. -IPS_COMPONENT_VERSION = 1.0.0.12 +IPS_COMPONENT_VERSION = 1.0.0.13 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:2a072e67d9e3ae900548c43d7936305ba576025bd083d1e91ff14d68ded1fdec + sha256:224dbbfaee3ad7337665e24eab516c67446d5081379a40b2f623cf7801e672de COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) # Architecture-specific patches diff -r bb9303d6e615 -r c059623861df components/openssl/openssl-1.0.0/patches/37-cve-2014-0076.patch --- a/components/openssl/openssl-1.0.0/patches/37-cve-2014-0076.patch Tue May 27 22:38:08 2014 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
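Review bot: The header of the new 38-openssl-0.9.8za-include-limits.patch (the `@@ -0,0 +1,13 @@` hunk on this line, before the openssl-1.0.0 Makefile section) says only that "this issue has been addressed upstream". It names neither the failure being fixed nor the upstream commit, so the next upgrade cannot confirm that this local change to the TLS record layer (ssl/s3_pkt.c) is safe to drop. The 37-cve-2014-0076.patch header removed later in this changeset links its upstream commit and names the release that obsoletes it; I would do the same here, for example `Fixes the s3_pkt.c build failure seen with 0.9.8za (presumably bug 18924292); upstream fix: <upstream commit URL>`. The added `#include` has lost its header name in this rendering; going by the patch file name it is presumably `<limits.h>`, which is worth confirming in the committed file. The same applies to 38-openssl-1.0.0m-include-limits.patch at the end of the changeset.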
@@ -1,148 +0,0 @@ -Patch comes from upstream: - http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29 -It will be obsoleted when openssl-1.0.0m is available. - ---- openssl-1.0.0l/crypto/bn/bn.h.orig Mon Jan 6 07:00:59 2014 -+++ openssl-1.0.0l/crypto/bn/bn.h Fri Apr 18 13:03:57 2014 -@@ -538,6 +538,8 @@ - BIGNUM *BN_mod_sqrt(BIGNUM *ret, - const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx); - -+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); -+ - /* Deprecated versions */ - #ifndef OPENSSL_NO_DEPRECATED - BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe, -@@ -759,11 +761,20 @@ - - #define bn_fix_top(a) bn_check_top(a) - -+#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) -+#define bn_wcheck_size(bn, words) \ -+ do { \ -+ const BIGNUM *_bnum2 = (bn); \ -+ assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ -+ } while(0) -+ - #else /* !BN_DEBUG */ - - #define bn_pollute(a) - #define bn_check_top(a) - #define bn_fix_top(a) bn_correct_top(a) -+#define bn_check_size(bn, bits) -+#define bn_wcheck_size(bn, words) - - #endif - ---- openssl-1.0.0l/crypto/bn/bn_lib.c.orig Mon Jan 6 07:00:59 2014 -+++ openssl-1.0.0l/crypto/bn/bn_lib.c Fri Apr 18 13:03:08 2014 -@@ -843,3 +843,55 @@ - } - return bn_cmp_words(a,b,cl); - } -+ -+/* -+ * Constant-time conditional swap of a and b. -+ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. -+ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, -+ * and that no more than nwords are used by either a or b. 
-+ * a and b cannot be the same number -+ */ -+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) -+ { -+ BN_ULONG t; -+ int i; -+ -+ bn_wcheck_size(a, nwords); -+ bn_wcheck_size(b, nwords); -+ -+ assert(a != b); -+ assert((condition & (condition - 1)) == 0); -+ assert(sizeof(BN_ULONG) >= sizeof(int)); -+ -+ condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1; -+ -+ t = (a->top^b->top) & condition; -+ a->top ^= t; -+ b->top ^= t; -+ -+#define BN_CONSTTIME_SWAP(ind) \ -+ do { \ -+ t = (a->d[ind] ^ b->d[ind]) & condition; \ -+ a->d[ind] ^= t; \ -+ b->d[ind] ^= t; \ -+ } while (0) -+ -+ -+ switch (nwords) { -+ default: -+ for (i = 10; i < nwords; i++) -+ BN_CONSTTIME_SWAP(i); -+ /* Fallthrough */ -+ case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */ -+ case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */ -+ case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */ -+ case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */ -+ case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */ -+ case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */ -+ case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */ -+ case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */ -+ case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */ -+ case 1: BN_CONSTTIME_SWAP(0); -+ } -+#undef BN_CONSTTIME_SWAP -+} ---- openssl-1.0.0l/crypto/ec/ec2_mult.c.orig Mon Jan 6 07:00:59 2014 -+++ openssl-1.0.0l/crypto/ec/ec2_mult.c Fri Apr 18 13:00:28 2014 -@@ -206,11 +206,15 @@ - return ret; - } - -+ - /* Computes scalar*point and stores the result in r. - * point can not equal r. -- * Uses algorithm 2P of -+ * Uses a modified algorithm 2P of - * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over - * GF(2^m) without precomputation" (CHES '99, LNCS 1717). -+ * -+ * To protect against side-channel attack the function uses constant time swap, -+ * avoiding conditional branches. 
- */ - static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - const EC_POINT *point, BN_CTX *ctx) -@@ -244,6 +248,11 @@ - x2 = &r->X; - z2 = &r->Y; - -+ bn_wexpand(x1, group->field.top); -+ bn_wexpand(z1, group->field.top); -+ bn_wexpand(x2, group->field.top); -+ bn_wexpand(z2, group->field.top); -+ - if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ - if (!BN_one(z1)) goto err; /* z1 = 1 */ - if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ -@@ -268,16 +277,12 @@ - word = scalar->d[i]; - while (mask) - { -- if (word & mask) -- { -- if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; -- if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; -- } -- else -- { -- if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; -- if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; -- } -+ BN_consttime_swap(word & mask, x1, x2, group->field.top); -+ BN_consttime_swap(word & mask, z1, z2, group->field.top); -+ if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; -+ if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; -+ BN_consttime_swap(word & mask, x1, x2, group->field.top); -+ BN_consttime_swap(word & mask, z1, z2, group->field.top); - mask >>= 1; - } - mask = BN_TBIT; diff -r bb9303d6e615 -r c059623861df components/openssl/openssl-1.0.0/patches/38-openssl-1.0.0m-include-limits.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssl/openssl-1.0.0/patches/38-openssl-1.0.0m-include-limits.patch Tue Jun 10 04:08:50 2014 -0700 @@ -0,0 +1,13 @@ +Patch developed in-house. This issue has been addressed upstream and this +patch will need to be obsoleted upon the next OpenSSL 1.0.0 release. + +--- openssl-1.0.0m/ssl/s3_pkt.c.orig Thu Jun 5 02:41:31 2014 ++++ openssl-1.0.0m/ssl/s3_pkt.c Thu Jun 5 06:42:42 2014 +@@ -109,6 +109,7 @@ + * + */ + ++#include + #include + #include + #define USE_SOCKETS