# HG changeset patch
# User Misaki Miyashita
# Date 1420860061 28800
# Node ID 3e00113c37438f4f6478ae3d9665dac199bb0fd1
# Parent 90ca63e65ecdae95b7afb1ecd34c86f4a5a12c23
20325338 Upgrade OpenSSL version to 1.0.1k
20325565 problem in LIBRARY/OPENSSL
20325572 problem in LIBRARY/OPENSSL
20325582 problem in LIBRARY/OPENSSL
20325589 problem in LIBRARY/OPENSSL
20325594 problem in LIBRARY/OPENSSL
20325597 problem in LIBRARY/OPENSSL
20325600 problem in LIBRARY/OPENSSL
20325603 problem in LIBRARY/OPENSSL
diff -r 90ca63e65ecd -r 3e00113c3743 components/openssl/openssl-1.0.1-fips-140/Makefile
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile Fri Jan 09 17:04:21 2015 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Fri Jan 09 19:21:01 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 export PARFAIT_BUILD=no
@@ -32,18 +32,18 @@
 COMPONENT_NAME = openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION = 1.0.1j
+COMPONENT_VERSION = 1.0.1k
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL= http://www.openssl.org/
 COMPONENT_SRC_NAME = openssl
 COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH= \
- sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
+ sha256:8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c
 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB= library/openssl
-TPNO= 19492
+TPNO= 21111
 # OpenSSL FIPS directory
 OPENSSL_FIPS_DIR = $(COMPONENT_DIR)/../openssl-fips
diff -r 90ca63e65ecd -r 3e00113c3743 components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch
--- a/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch Fri Jan 09 17:04:21 2015 -0800 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch Fri Jan 09 19:21:01 2015 -0800 @@ -57,32 +57,32 @@ return ret; } -@@ -502,6 +515,7 @@ +@@ -501,6 +501,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { - unsigned int i, b; + int i,n; + int err = 1; - unsigned char pad, padding_good; + unsigned int b; *outl=0; -@@ -509,10 +522,14 @@ +@@ -508,10 +509,14 @@ { - int ret = M_do_cipher(ctx, out, NULL, 0); - if (ret < 0) + i = M_do_cipher(ctx, out, NULL, 0); + if (i < 0) - return 0; + { + err = 0; + goto cleanup; + } else - *outl = ret; + *outl = i; - return 1; + err = 1; + goto cleanup; } - b=(unsigned int)(ctx->cipher->block_size); -@@ -521,10 +538,12 @@ + b=ctx->cipher->block_size; +@@ -520,10 +525,12 @@ if(ctx->buf_len) { EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); @@ -97,7 +97,7 @@ } if (b > 1) { -@@ -531,7 +550,8 @@ +@@ -530,7 +537,8 @@ if (ctx->buf_len || !ctx->final_used) { EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH); 
@@ -106,28 +106,38 @@ + goto cleanup; } OPENSSL_assert(b <= sizeof ctx->final); - pad=ctx->final[b-1]; -@@ -555,13 +577,22 @@ - out[i] = ctx->final[i] & padding_good; - /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */ - *outl = padding_good & ((unsigned char)(b - pad)); -- return padding_good & 1; -+ err = padding_good & 1; -+ goto cleanup; + +@@ -542,7 +550,8 @@ + if (n == 0 || n > (int)b) + { + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); +- return(0); ++ err = 0; ++ goto cleanup; + } + for (i=0; ifinal[--b] != n) + { + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); +- return(0); ++ err = 0; ++ goto cleanup; + } + } + n=ctx->cipher->block_size-n; +@@ -559,7 +569,13 @@ } else - { - *outl = 0; -- return 1; -+ err = 1; - } -+ + *outl=0; +- return(1); ++ err = 1; +cleanup: + if (ctx->cipher->cleanup) + { + ctx->cipher->cleanup(ctx); + } -+ + return err; } diff -r 90ca63e65ecd -r 3e00113c3743 components/openssl/openssl-1.0.1/Makefile --- a/components/openssl/openssl-1.0.1/Makefile Fri Jan 09 17:04:21 2015 -0800 +++ b/components/openssl/openssl-1.0.1/Makefile Fri Jan 09 19:21:01 2015 -0800 @@ -18,7 +18,7 @@ # # CDDL HEADER END # -# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. # include ../../../make-rules/shared-macros.mk 
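Review bot: The return value of `ctx->cipher->cleanup(ctx)` is discarded at the new `cleanup:` label in EVP_DecryptFinal_ex (the `@@ -106,28 +106,38 @@` hunk of components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch), and the callback now runs on every exit path while `ctx->cipher` stays set. If a caller afterwards runs the normal context cleanup or re-initialises the same context, the cipher's cleanup callback would presumably run again or its state be touched after teardown, so every cleanup implementation reachable here has to tolerate repeated calls; that cannot be confirmed from this hunk. I would add a comment above the label, `/* cipher->cleanup() may be invoked again by the context cleanup; implementations must be idempotent */`, and, if a failed cleanup should be reported, use `if (ctx->cipher->cleanup && !ctx->cipher->cleanup(ctx)) err = 0;`. The same hunk is applied to components/openssl/openssl-1.0.1/patches/36_evp_leak.patch, and the function body starts outside the hunk.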
@@ -28,19 +28,19 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too.
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION = 1.0.1j
+COMPONENT_VERSION = 1.0.1k
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.10
+IPS_COMPONENT_VERSION = 1.0.1.11
 COMPONENT_PROJECT_URL= http://www.openssl.org/
 COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH= \
- sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
+ sha256:8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c
 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB= library/openssl
-TPNO= 19492
+TPNO= 21111
 include $(WS_TOP)/make-rules/prep.mk
 include $(WS_TOP)/make-rules/configure.mk
diff -r 90ca63e65ecd -r 3e00113c3743 components/openssl/openssl-1.0.1/patches/36_evp_leak.patch
--- a/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch Fri Jan 09 17:04:21 2015 -0800
+++ b/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch Fri Jan 09 19:21:01 2015 -0800
@@ -57,32 +57,32 @@ return ret; } -@@ -502,6 +515,7 @@ +@@ -501,6 +501,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { - unsigned int i, b; + int i,n; + int err = 1; - unsigned char pad, padding_good; + unsigned int b; *outl=0; -@@ -509,10 +522,14 @@ +@@ -508,10 +509,14 @@ { - int ret = M_do_cipher(ctx, out, NULL, 0); - if (ret < 0) + i = M_do_cipher(ctx, out, NULL, 0); + if (i < 0) - return 0; + { + err = 0; + goto cleanup; + } else - *outl = ret; + *outl = i; - return 1; + err = 1; + goto cleanup; } - b=(unsigned int)(ctx->cipher->block_size); -@@ -521,10 +538,12 @@ + b=ctx->cipher->block_size; +@@ -520,10 +525,12 @@ if(ctx->buf_len) { EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); @@ -97,7 +97,7 @@ } if (b > 1) { -@@ -531,7 +550,8 @@ +@@ -530,7 +537,8 @@ if (ctx->buf_len || !ctx->final_used) { EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH); @@ -106,28 +106,38 @@ + goto cleanup; } OPENSSL_assert(b <= sizeof ctx->final); - pad=ctx->final[b-1]; -@@ -555,13 +577,22 @@ - out[i] = ctx->final[i] & padding_good; - /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */ - *outl = padding_good & ((unsigned char)(b - pad)); -- return padding_good & 1; -+ err = padding_good & 1; -+ goto cleanup; + +@@ -542,7 +550,8 @@ + if (n == 0 || n > (int)b) + { + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); +- return(0); ++ err = 0; ++ goto cleanup; + } + for (i=0; ifinal[--b] != n) + { + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); +- return(0); ++ err = 0; ++ goto cleanup; + } + } + n=ctx->cipher->block_size-n; +@@ -559,7 +569,13 @@ } else - { - *outl = 0; -- return 1; -+ err = 1; - } -+ + *outl=0; +- return(1); ++ err = 1; +cleanup: + if (ctx->cipher->cleanup) + { + ctx->cipher->cleanup(ctx); + } -+ + return err; }