# HG changeset patch # User Misaki Miyashita # Date 1389817307 28800 # Node ID 2fc479afcf70df770df539ba5fdeb4d10aa147e7 # Parent 849c16a5333c13eff7ec116f1250502122610d1a 18024740 problem in UTILITY/OPENSSL diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1-fips-140/Makefile --- a/components/openssl/openssl-1.0.1-fips-140/Makefile Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Wed Jan 15 12:21:47 2014 -0800 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. # export PARFAIT_BUILD=no @@ -29,14 +29,14 @@ COMPONENT_NAME = openssl-fips-140 # Note that this is the OpenSSL version that is used to build FIPS-140 certified # libraries. However, we use the FIPS canister version for the IPS package. -COMPONENT_VERSION = 1.0.1e -IPS_COMPONENT_VERSION = 2.0.5 +COMPONENT_VERSION = 1.0.1f +IPS_COMPONENT_VERSION = 2.0.6 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC_NAME = openssl COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 + sha256:6cc2a80b17d64de6b7bac985745fdaba971d54ffd7d38d3556f998d7c0c9cb5a COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= utility/openssl diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m --- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Wed Jan 15 12:21:47 2014 -0800 
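Review bot: The new `COMPONENT_ARCHIVE_HASH` in the second hunk of this Makefile is the only integrity control visible here for the 1.0.1f tarball, because `COMPONENT_PROJECT_URL` is plain `http://www.openssl.org/` and `COMPONENT_ARCHIVE_URL` is built from it, so the download itself is unauthenticated. Nothing in the commit records where the sha256 came from; if it was computed from a copy fetched over that same URL, it pins whatever was received, not necessarily what upstream released. I would add a comment above the hash such as `# sha256 verified against upstream's PGP-signed release tarball` once that check has been done, and consider moving the project URL to https. The same applies to the identical hash change in components/openssl/openssl-1.0.1/Makefile.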
@@ -27,7 +27,8 @@ set name=pkg.human-version value=$(COMPONENT_VERSION) set name=pkg.summary value="FIPS 140-2 Capable OpenSSL libraries" set name=com.oracle.info.description value="the FIPS 140-2 Capable OpenSSL libraries" -set name=com.oracle.info.tpno value=13019 +# TPNO number for the new component is not yet available (bug #18071490) +# set name=com.oracle.info.tpno value= set name=info.classification \ value="org.opensolaris.category.2008:System/Security" set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch --- a/components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch Wed Jan 15 12:21:47 2014 -0800 @@ -1,6 +1,6 @@ --- openssl-0.9.8m/apps/openssl.c Thu Oct 15 19:28:02 2009 +++ openssl-0.9.8m/apps/openssl.c Fri Feb 26 16:12:30 2010 -@@ -133,6 +133,9 @@ +@@ -134,6 +134,9 @@ #include #endif @@ -10,7 +10,7 @@ /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the * base prototypes (we cast each variable inside the function to the required * type of "FUNCTION*"). This removes the necessity for macro-generated wrapper -@@ -152,9 +155,10 @@ +@@ -153,9 +156,10 @@ #endif @@ -22,7 +22,7 @@ const char *errstr = NULL; int rw; -@@ -165,7 +169,7 @@ +@@ -166,7 +170,7 @@ goto err; } @@ -31,7 +31,7 @@ { errstr = "type out of bounds"; goto err; -@@ -310,6 +314,14 @@ +@@ -311,6 +315,14 @@ if (getenv("OPENSSL_DEBUG_LOCKING") != NULL) #endif { @@ -46,7 +46,7 @@ CRYPTO_set_locking_callback(lock_dbg_cb); } -@@ -313,18 +325,28 @@ +@@ -314,18 +326,28 @@ CRYPTO_set_locking_callback(lock_dbg_cb); } diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1-fips-140/patches/31_dtls_version.patch 
--- a/components/openssl/openssl-1.0.1-fips-140/patches/31_dtls_version.patch Wed Jan 15 11:48:34 2014 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ ---- openssl-1.0.1e/ssl/s3_cbc.c 2013-02-14 08:06:58.000000000 -0800 -+++ openssl-1.0.1e/ssl/s3_cbc.c.orig 2013-02-14 03:04:08.440194448 -0700 -@@ -148,7 +148,7 @@ - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - /* Check if version requires explicit IV */ -- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) -+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) - { - /* These lengths are all public so we can test them in - * non-constant time. diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch --- a/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch Wed Jan 15 12:21:47 2014 -0800 @@ -166,7 +166,7 @@ } static int check_revocation(X509_STORE_CTX *ctx) -@@ -1591,6 +1630,8 @@ static int internal_verify(X509_STORE_CTX *ctx) +@@ -1602,6 +1641,8 @@ static int internal_verify(X509_STORE_CTX *ctx) xs=xi; else { diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch --- a/components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch Wed Jan 15 12:21:47 2014 -0800 @@ -3,7 +3,7 @@ $ diff -ru ssl/t1_enc.c ssl/t1_enc.c --- t1_enc.c.orig Tue Dec 10 15:36:05 2013 +++ t1_enc.c Wed Dec 11 09:29:02 2013 -@@ -980,7 +980,10 @@ +@@ -986,7 +986,10 @@ } else { diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1/Makefile --- a/components/openssl/openssl-1.0.1/Makefile Wed Jan 15 11:48:34 2014 +0100 
+++ b/components/openssl/openssl-1.0.1/Makefile Wed Jan 15 12:21:47 2014 -0800 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. # include ../../../make-rules/shared-macros.mk @@ -28,15 +28,15 @@ # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. # For more information about wanboot-openssl testing, please refer to # ../README. -COMPONENT_VERSION = 1.0.1e +COMPONENT_VERSION = 1.0.1f # Version for IPS. It is easier to do it manually than convert the letter to a # number while taking into account that there might be no letter at all. -IPS_COMPONENT_VERSION = 1.0.1.5 +IPS_COMPONENT_VERSION = 1.0.1.6 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 + sha256:6cc2a80b17d64de6b7bac985745fdaba971d54ffd7d38d3556f998d7c0c9cb5a COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= utility/openssl diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1/openssl-1.0.1.p5m --- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Wed Jan 15 12:21:47 2014 -0800 
@@ -29,7 +29,8 @@ value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library." set name=pkg.summary value="OpenSSL - a Toolkit for Secure Sockets Layer (SSL v2/v3) and Transport Layer (TLS v1) protocols and general purpose cryptographic library" set name=com.oracle.info.description value="OpenSSL" -set name=com.oracle.info.tpno value=13003 +# TPNO number for the new component is not yet available (bug #18071490) +# set name=com.oracle.info.tpno value= set name=info.classification \ value="org.opensolaris.category.2008:System/Security" set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1/patches/31_dtls_version.patch --- a/components/openssl/openssl-1.0.1/patches/31_dtls_version.patch Wed Jan 15 11:48:34 2014 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,11 +0,0 @@ ---- openssl-1.0.1e/ssl/s3_cbc.c 2013-02-14 08:06:58.000000000 -0800 -+++ openssl-1.0.1e/ssl/s3_cbc.c.orig 2013-02-14 03:04:08.440194448 -0700 -@@ -148,7 +148,7 @@ - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - /* Check if version requires explicit IV */ -- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) -+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) - { - /* These lengths are all public so we can test them in - * non-constant time. diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1/patches/33_cert_chain.patch --- a/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch Wed Jan 15 12:21:47 2014 -0800 
@@ -166,7 +166,7 @@ } static int check_revocation(X509_STORE_CTX *ctx) -@@ -1591,6 +1630,8 @@ static int internal_verify(X509_STORE_CTX *ctx) +@@ -1602,6 +1641,8 @@ static int internal_verify(X509_STORE_CTX *ctx) xs=xi; else { diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch --- a/components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch Wed Jan 15 12:21:47 2014 -0800 @@ -3,7 +3,7 @@ $ diff -ru ssl/t1_enc.c ssl/t1_enc.c --- t1_enc.c.orig Tue Dec 10 15:36:05 2013 +++ t1_enc.c Wed Dec 11 09:29:02 2013 -@@ -980,7 +980,10 @@ +@@ -986,7 +986,10 @@ } else { diff -r 849c16a5333c -r 2fc479afcf70 components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch --- a/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Wed Jan 15 11:48:34 2014 +0100 +++ b/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Wed Jan 15 12:21:47 2014 -0800 @@ -519,7 +519,7 @@ diff -ru openssl-1.0.1e/crypto/sha/Makefile openssl-1.0.1e/crypto/sha/Makefile --- openssl-1.0.1e/crypto/sha/Makefile 2011-05-24 17:02:24.000000000 -0700 +++ openssl-1.0.1e/crypto/sha/Makefile 2011-07-27 10:48:17.817470000 -0700 -@@ -66,9 +66,9 @@ +@@ -68,9 +68,9 @@ sha1-x86_64.s: asm/sha1-x86_64.pl; $(PERL) asm/sha1-x86_64.pl $(PERLASM_SCHEME) > $@ sha256-x86_64.s:asm/sha512-x86_64.pl; $(PERL) asm/sha512-x86_64.pl $(PERLASM_SCHEME) $@ sha512-x86_64.s:asm/sha512-x86_64.pl; $(PERL) asm/sha512-x86_64.pl $(PERLASM_SCHEME) $@ @@ -1191,7 +1191,7 @@ #ifdef KSSL_DEBUG { int i; -@@ -132,10 +152,16 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, +@@ -132,10 +154,16 @@ printf("\n"); } #endif /* KSSL_DEBUG */ @@ -1201,7 +1201,7 @@ + return 1; + } + - if (inl>=EVP_MAXCHUNK) + while (inl>=EVP_MAXCHUNK) { DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, 
@@ -2221,16 +2221,16 @@ CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks, (block128_f)vpaes_encrypt); gctx->ctr = NULL; -@@ -846,7 +1220,7 @@ - break; - } +@@ -849,7 +1223,7 @@ #endif + (void)0; /* terminate potentially open 'else' */ + - AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); + AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); #ifdef AES_CTR_ASM gctx->ctr = (ctr128_f)AES_ctr32_encrypt; -@@ -1077,17 +1451,17 @@ +@@ -1080,17 +1454,17 @@ { if (enc) { @@ -2245,14 +2245,14 @@ xctx->xts.block1 = (block128_f)vpaes_decrypt; } - vpaes_set_encrypt_key(key + ctx->key_len/2, + vpaes_set_encrypt_key(key + ctx->key_len/2, - ctx->key_len * 4, &xctx->ks2); + ctx->key_len * 4, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f)vpaes_encrypt; + xctx->xts.block2 = (block128_f)vpaes_encrypt; - xctx->xts.key1 = &xctx->ks1; -@@ -1096,17 +1470,17 @@ - #endif + xctx->xts.key1 = &xctx->ks1; +@@ -1102,17 +1476,17 @@ + if (enc) { - AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); @@ -2272,7 +2272,7 @@ xctx->xts.block2 = (block128_f)AES_encrypt; xctx->xts.key1 = &xctx->ks1; -@@ -1217,7 +1591,7 @@ +@@ -1223,7 +1597,7 @@ #ifdef VPAES_CAPABLE if (VPAES_CAPABLE) { @@ -2281,7 +2281,7 @@ CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f)vpaes_encrypt); cctx->str = NULL; -@@ -1225,7 +1599,7 @@ +@@ -1231,7 +1605,7 @@ break; } #endif @@ -2290,7 +2290,7 @@ CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f)AES_encrypt); cctx->str = NULL; -@@ -1313,5 +1687,4 @@ +@@ -1319,5 +1693,4 @@ BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)