# HG changeset patch # User Misaki Miyashita # Date 1449614201 28800 # Node ID 4e8b3c0ea78cf2b4667065e930d8431ff321a412 # Parent 970e0f411b42055d4eff884b837668e9ecbad74e 22307393 Upgrade OpenSSL version to 1.0.2e 22307570 problem in LIBRARY/OPENSSL 22307591 problem in LIBRARY/OPENSSL 22307596 problem in LIBRARY/OPENSSL 22307601 problem in LIBRARY/OPENSSL 22317607 problem in LIBRARY/OPENSSL diff -r 970e0f411b42 -r 4e8b3c0ea78c components/openssl/common/patches/038-remove_illegal_instruction_calls.patch --- a/components/openssl/common/patches/038-remove_illegal_instruction_calls.patch Mon Nov 09 17:42:03 2015 -0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,204 +0,0 @@ -# -# This patch was developed in house. -# This is Solaris-specific: not suitable for upstream. -# ---- openssl-1.0.1g/crypto/sparcv9cap.c.~1~ Thu May 1 13:07:00 2014 -+++ openssl-1.0.1g/crypto/sparcv9cap.c Thu May 1 13:11:33 2014 -@@ -2,10 +2,10 @@ - #include - #include - #include --#include - #include - #include - #include -+#include - - #include "sparc_arch.h" - -@@ -69,13 +69,8 @@ - } - - unsigned long _sparcv9_rdtick(void); --void _sparcv9_vis1_probe(void); - unsigned long _sparcv9_vis1_instrument(void); --void _sparcv9_vis2_probe(void); --void _sparcv9_fmadd_probe(void); - unsigned long _sparcv9_rdcfr(void); --void _sparcv9_vis3_probe(void); --unsigned long _sparcv9_random(void); - size_t _sparcv9_vis1_instrument_bus(unsigned int *, size_t); - size_t _sparcv9_vis1_instrument_bus2(unsigned int *, size_t, size_t); - -@@ -231,18 +227,11 @@ - - #else - --static sigjmp_buf common_jmp; --static void common_handler(int sig) --{ -- siglongjmp(common_jmp, sig); --} -- - void OPENSSL_cpuid_setup(void) - { - char *e; -- struct sigaction common_act, ill_oact, bus_oact; -- sigset_t all_masked, oset; - static int trigger = 0; -+ uint_t ui = 0; - - if (trigger) - return; -@@ -255,47 +255,23 @@ - return; - } - -+ (void) getisax(&ui, 1); -+ - /* Initial value, fits UltraSPARC-I&II... 
*/ -- OPENSSL_sparcv9cap_P[0] = SPARCV9_PREFER_FPU | SPARCV9_TICK_PRIVILEGED; -+ OPENSSL_sparcv9cap_P[0] = SPARCV9_BLK; - -- sigfillset(&all_masked); -- sigdelset(&all_masked, SIGILL); -- sigdelset(&all_masked, SIGTRAP); --# ifdef SIGEMT -- sigdelset(&all_masked, SIGEMT); --# endif -- sigdelset(&all_masked, SIGFPE); -- sigdelset(&all_masked, SIGBUS); -- sigdelset(&all_masked, SIGSEGV); -- sigprocmask(SIG_SETMASK, &all_masked, &oset); -- -- memset(&common_act, 0, sizeof(common_act)); -- common_act.sa_handler = common_handler; -- common_act.sa_mask = all_masked; -- -- sigaction(SIGILL, &common_act, &ill_oact); -- sigaction(SIGBUS, &common_act, &bus_oact); /* T1 fails 16-bit ldda [on -- * Linux] */ -- -- if (sigsetjmp(common_jmp, 1) == 0) { -- _sparcv9_rdtick(); -- OPENSSL_sparcv9cap_P[0] &= ~SPARCV9_TICK_PRIVILEGED; -- } -- -- if (sigsetjmp(common_jmp, 1) == 0) { -- _sparcv9_vis1_probe(); -- OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS1 | SPARCV9_BLK; -- /* detect UltraSPARC-Tx, see sparccpud.S for details... */ -- if (_sparcv9_vis1_instrument() >= 12) -- OPENSSL_sparcv9cap_P[0] &= ~(SPARCV9_VIS1 | SPARCV9_PREFER_FPU); -- else { -- _sparcv9_vis2_probe(); -- OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS2; -+ if (ui & AV_SPARC_VIS) { -+ /* detect UltraSPARC-Tx, see sparccpuid.S for details... */ -+ if (_sparcv9_vis1_instrument() < 7) -+ OPENSSL_sparcv9cap_P[0] |= SPARCV9_TICK_PRIVILEGED; -+ if (_sparcv9_vis1_instrument() < 12) { -+ OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS1|SPARCV9_PREFER_FPU; -+ if (ui & AV_SPARC_VIS2) -+ OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS2; - } - } - -- if (sigsetjmp(common_jmp, 1) == 0) { -- _sparcv9_fmadd_probe(); -+ if (ui & AV_SPARC_FMAF) { - OPENSSL_sparcv9cap_P[0] |= SPARCV9_FMADD; - } - -@@ -303,36 +279,23 @@ - * VIS3 flag is tested independently from VIS1, unlike VIS2 that is, - * because VIS3 defines even integer instructions. 
- */ -- if (sigsetjmp(common_jmp, 1) == 0) { -- _sparcv9_vis3_probe(); -- OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS3; -+ if (ui & AV_SPARC_VIS3) { -+ OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS3; - } --# if 0 /* was planned at some point but never -- * implemented in hardware */ -- if (sigsetjmp(common_jmp, 1) == 0) { -- (void)_sparcv9_random(); -- OPENSSL_sparcv9cap_P[0] |= SPARCV9_RANDOM; -- } --# endif - -- /* -- * In wait for better solution _sparcv9_rdcfr is masked by -- * VIS3 flag, because it goes to uninterruptable endless -- * loop on UltraSPARC II running Solaris. Things might be -- * different on Linux... -- */ -- if ((OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) && -- sigsetjmp(common_jmp, 1) == 0) { -+#define AV_T4_MECHS (AV_SPARC_AES | AV_SPARC_DES | AV_SPARC_KASUMI | \ -+ AV_SPARC_CAMELLIA | AV_SPARC_MD5 | AV_SPARC_SHA1 | \ -+ AV_SPARC_SHA256 | AV_SPARC_SHA512 | AV_SPARC_MPMUL | \ -+ AV_SPARC_CRC32C) -+ -+ if ((OPENSSL_sparcv9cap_P[0]&SPARCV9_VIS3) && (ui & AV_T4_MECHS)) { - OPENSSL_sparcv9cap_P[1] = (unsigned int)_sparcv9_rdcfr(); - } - -- sigaction(SIGBUS, &bus_oact, NULL); -- sigaction(SIGILL, &ill_oact, NULL); -+ if (sizeof(size_t) == 8) { -+ OPENSSL_sparcv9cap_P[0] |= SPARCV9_64BIT_STACK; -+ } - -- sigprocmask(SIG_SETMASK, &oset, NULL); -- -- if (sizeof(size_t) == 8) -- OPENSSL_sparcv9cap_P[0] |= SPARCV9_64BIT_STACK; - # ifdef __linux - else { - int ret = syscall(340); ---- openssl-1.0.1g/crypto/sparccpuid.S.~1~ Thu May 1 13:07:00 2014 -+++ openssl-1.0.1g/crypto/sparccpuid.S Thu May 1 13:11:33 2014 -@@ -232,16 +232,6 @@ - .type _sparcv9_rdtick,#function - .size _sparcv9_rdtick,.-_sparcv9_rdtick - --.global _sparcv9_vis1_probe --.align 8 --_sparcv9_vis1_probe: -- add %sp,BIAS+2,%o1 -- .word 0xc19a5a40 !ldda [%o1]ASI_FP16_P,%f0 -- retl -- .word 0x81b00d80 !fxor %f0,%f0,%f0 --.type _sparcv9_vis1_probe,#function --.size _sparcv9_vis1_probe,.-_sparcv9_vis1_probe -- - ! Probe and instrument VIS1 instruction. Output is number of cycles it - ! 
takes to execute rdtick and pair of VIS1 instructions. US-Tx VIS unit - ! is slow (documented to be 6 cycles on T2) and the core is in-order -@@ -303,24 +293,6 @@ - .type _sparcv9_vis1_instrument,#function - .size _sparcv9_vis1_instrument,.-_sparcv9_vis1_instrument - --.global _sparcv9_vis2_probe --.align 8 --_sparcv9_vis2_probe: -- retl -- .word 0x81b00980 !bshuffle %f0,%f0,%f0 --.type _sparcv9_vis2_probe,#function --.size _sparcv9_vis2_probe,.-_sparcv9_vis2_probe -- --.global _sparcv9_fmadd_probe --.align 8 --_sparcv9_fmadd_probe: -- .word 0x81b00d80 !fxor %f0,%f0,%f0 -- .word 0x85b08d82 !fxor %f2,%f2,%f2 -- retl -- .word 0x81b80440 !fmaddd %f0,%f0,%f2,%f0 --.type _sparcv9_fmadd_probe,#function --.size _sparcv9_fmadd_probe,.-_sparcv9_fmadd_probe -- - .global _sparcv9_rdcfr - .align 8 - _sparcv9_rdcfr: diff -r 970e0f411b42 -r 4e8b3c0ea78c components/openssl/common/patches/039-internal_tests.patch --- a/components/openssl/common/patches/039-internal_tests.patch Mon Nov 09 17:42:03 2015 -0800 +++ b/components/openssl/common/patches/039-internal_tests.patch Tue Dec 08 14:36:41 2015 -0800 @@ -13,5 +13,5 @@ - test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \ + test_ss test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \ test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \ - test_constant_time test_verify_extra + test_constant_time test_verify_extra test_clienthello diff -r 970e0f411b42 -r 4e8b3c0ea78c components/openssl/common/patches/042-default_fips_keygen.patch --- a/components/openssl/common/patches/042-default_fips_keygen.patch Mon Nov 09 17:42:03 2015 -0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,27 +0,0 @@ -# -# This patch came from the upstream to use x9.31 keygen by default in -# the FIPS mode. This will be available in the next release. -# ---- openssl-1.0.1p/crypto/rsa/rsa_gen.c.orig Tue Aug 11 10:47:51 2015 -+++ openssl-1.0.1p/crypto/rsa/rsa_gen.c Tue Aug 11 10:56:07 2015 -@@ -69,6 +69,8 @@ - #include - #ifdef OPENSSL_FIPS - # include -+extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, -+ BN_GENCB *cb); - #endif - - static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -@@ -93,8 +95,9 @@ - if (rsa->meth->rsa_keygen) - return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); - #ifdef OPENSSL_FIPS -- if (FIPS_mode()) -- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb); -+ if (FIPS_mode()) { -+ return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb); -+ } - #endif - return rsa_builtin_keygen(rsa, bits, e_value, cb); - } diff -r 970e0f411b42 -r 4e8b3c0ea78c components/openssl/openssl-default/Makefile --- a/components/openssl/openssl-default/Makefile Mon Nov 09 17:42:03 2015 -0800 +++ b/components/openssl/openssl-default/Makefile Tue Dec 08 14:36:41 2015 -0800 
@@ -28,19 +28,19 @@ # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. # For more information about wanboot-openssl testing, please refer to # ../README. -COMPONENT_VERSION = 1.0.2d +COMPONENT_VERSION = 1.0.2e # Version for IPS. It is easier to do it manually than convert the letter to a # number while taking into account that there might be no letter at all. -IPS_COMPONENT_VERSION = 1.0.2.4 +IPS_COMPONENT_VERSION = 1.0.2.5 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 + sha256:e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= library/openssl -TPNO= 24194 +TPNO= 25900 # Clone the patch files to the patches-all dir. # COPY_COMMON_FILES is there so that rsync is called as soon as diff -r 970e0f411b42 -r 4e8b3c0ea78c components/openssl/openssl-default/patches/102-wanboot.patch --- a/components/openssl/openssl-default/patches/102-wanboot.patch Mon Nov 09 17:42:03 2015 -0800 +++ b/components/openssl/openssl-default/patches/102-wanboot.patch Tue Dec 08 14:36:41 2015 -0800 @@ -119,7 +119,7 @@ void CRYPTO_set_locking_callback(void (*func) (int mode, int type, @@ -1104,6 +1120,12 @@ - MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP); + MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR); } #else +/* @@ -658,15 +658,15 @@ } +#endif /*!_BOOT*/ - int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, - int n) + int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, + unsigned char *limit) 
@@ -2486,11 +2492,13 @@ return 0; } +#ifndef _BOOT custom_ext_init(&s->cert->srv_ext); - if (ssl_scan_clienthello_custom_tlsext(s, ptmp, d + n, &al) <= 0) { + if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) { ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; } diff -r 970e0f411b42 -r 4e8b3c0ea78c components/openssl/openssl-fips-140/Makefile --- a/components/openssl/openssl-fips-140/Makefile Mon Nov 09 17:42:03 2015 -0800 +++ b/components/openssl/openssl-fips-140/Makefile Tue Dec 08 14:36:41 2015 -0800 @@ -31,18 +31,18 @@ COMPONENT_NAME = openssl-fips-140 # Note that this is the OpenSSL version that is used to build FIPS-140 certified # libraries. However, we use the FIPS canister version for the IPS package. -COMPONENT_VERSION = 1.0.2d +COMPONENT_VERSION = 1.0.2e IPS_COMPONENT_VERSION = 2.0.6 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC_NAME = openssl COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 + sha256:e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= library/openssl -TPNO= 24194 +TPNO= 25900 # Clone the patch files to the patches-all dir. # COPY_COMMON_FILES is there so that rsync is called as soon as
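Review bot: the deletion of components/openssl/common/patches/038-remove_illegal_instruction_calls.patch has no rationale in the commit message. The patch header marks it as developed in house and "Solaris-specific: not suitable for upstream", so the version bump alone does not explain dropping it, and nothing in the visible part of this changeset replaces it. The upstream code it rewrote in OPENSSL_cpuid_setup() detects CPU features by executing probe instructions under sigsetjmp() with temporary SIGILL/SIGBUS handlers, where the patch used getisax(). If returning to that behaviour is intended, say so in the commit message; otherwise rebase the patch onto 1.0.2e instead of removing it.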
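Review bot: removing components/openssl/common/patches/042-default_fips_keygen.patch rests only on that patch's own header comment ("This will be available in the next release"); the commit message does not record that 1.0.2e actually carries the change. Please confirm that crypto/rsa/rsa_gen.c in 1.0.2e calls FIPS_rsa_x931_generate_key_ex() under FIPS_mode() and note it in the commit message, because the code this patch replaced calls FIPS_rsa_generate_key_ex() there instead.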
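Review bot: in components/openssl/openssl-default/Makefile, COMPONENT_ARCHIVE_URL is still built from COMPONENT_PROJECT_URL= http://www.openssl.org/, so the 1.0.2e tarball is fetched over plain HTTP and the new sha256 value in COMPONENT_ARCHIVE_HASH is the only integrity check on it. Please state in the commit message how the new hash was obtained and verified, and consider moving the project URL to https in the same change.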
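Review bot: the commit message does not say that wanboot was retested, although the comment in openssl-default/Makefile asks for it on every upgrade ("DON'T FORGET TO TEST WANBOOT too") and components/openssl/openssl-default/patches/102-wanboot.patch had to be refreshed here. The refreshed context changes the ssl_parse_clienthello_tlsext() parameters from (d, n) to limit, and the ssl_scan_clienthello_custom_tlsext() call after the added #ifndef _BOOT now passes limit instead of d + n, so the boot-time build touches the changed parsing code. Please record the wanboot test result with the change.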
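Review bot: components/openssl/openssl-fips-140/Makefile repeats by hand the same COMPONENT_VERSION, COMPONENT_ARCHIVE_HASH and TPNO edits made in openssl-default/Makefile. The two files agree in this changeset, but three copied values in two places can drift on a later upgrade, and a stale hash or version in the FIPS build would be easy to miss. Consider defining the values once in a shared include that both Makefiles read.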