# HG changeset patch # User Misaki Miyashita # Date 1394240565 28800 # Node ID 84e093c079e256ebbe22b97309aa13acb15af2c8 # Parent 2c57b522c401a54e617f35523a1af15518149bc2 PSARC/2014/077 OpenSSL Thread and Fork Safety 17822462 svc:/network/sendmail-client:default (sendmail SMTP client queue runner) core 18071490 OpenSSL: Update the package file with new TPNO number for OpenSSL 1.0.1f diff -r 2c57b522c401 -r 84e093c079e2 components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m --- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Fri Mar 07 14:59:54 2014 -0800 +++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Fri Mar 07 17:02:45 2014 -0800 @@ -34,8 +34,7 @@ set name=pkg.human-version value=$(COMPONENT_VERSION) set name=com.oracle.info.description \ value="the FIPS 140-2 Capable OpenSSL libraries" -# TPNO number for the new component is not yet available (bug #18071490) -# set name=com.oracle.info.tpno value= +set name=com.oracle.info.tpno value=16634 set name=info.classification value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) diff -r 2c57b522c401 -r 84e093c079e2 components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch --- a/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch Fri Mar 07 14:59:54 2014 -0800 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch Fri Mar 07 17:02:45 2014 -0800 @@ -1,3 +1,6 @@ +# +# Solaris-specific; not suitable for upstream +# diff -ruN openssl-0.9.8k/Configure openssl-0.9.8k/Configure --- openssl-0.9.8k/Configure 2009-02-16 09:44:22.000000000 +0100 +++ openssl-0.9.8k/Configure 2009-06-25 16:19:22.897811727 +0200 
@@ -17,7 +20,7 @@ +#### Solaris configs, used for OpenSSL as delivered by OpenSolaris +"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-x86_64-cc-sunw","cc:-xO3 -m64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140/64:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR DES_PTR DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"solaris-sparcv8-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -lsoftcrypto -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"solaris-sparcv8-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -lsoftcrypto -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -lsoftcrypto -R /lib/openssl/fips-140/64:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect 
-zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs::/64", + #### IRIX 5.x configs diff -r 2c57b522c401 -r 84e093c079e2 components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch Fri Mar 07 17:02:45 2014 -0800 
@@ -0,0 +1,161 @@ +# +# This file adds the code to setup internal mutexes and callback function. +# PSARC/2014/077 +# This change was implemented in-house. The issue was brought up to +# the upstream engineers, but there was no commitment. +# +--- openssl-1.0.1f/crypto/cryptlib.c.~1~ Fri Feb 7 10:41:36 2014 ++++ openssl-1.0.1f/crypto/cryptlib.c Thu Feb 6 16:03:58 2014 +@@ -116,6 +116,7 @@ + + #include "cryptlib.h" + #include ++#include + + #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) + static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */ +@@ -181,6 +182,7 @@ + numbers. */ + static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL; + ++static pthread_mutex_t *solaris_openssl_locks; + + static void (MS_FAR *locking_callback)(int mode,int type, + const char *file,int line)=0; +@@ -406,6 +409,79 @@ + return(add_lock_callback); + } + ++/* ++ * This is the locking callback function which all applications will be ++ * using when CRYPTO_lock() is called. ++ */ ++static void solaris_locking_callback(int mode, int type, const char *file, ++ int line) ++ { ++ if (mode & CRYPTO_LOCK) ++ { ++ pthread_mutex_lock(&solaris_openssl_locks[type]); ++ } ++ else ++ { ++ pthread_mutex_unlock(&solaris_openssl_locks[type]); ++ } ++ } ++ ++ ++/* ++ * This function is called when a child process is forked to setup its own ++ * global locking callback function ptr and mutexes. ++ */ ++static void solaris_fork_child(void) ++ { ++ /* ++ * clear locking_callback to indicate that locks should ++ * be reinitialized. ++ */ ++ locking_callback = NULL; ++ solaris_locking_setup(); ++ } ++ ++/* ++ * This function allocates and initializes the global mutex array, and ++ * sets the locking callback. ++ */ ++void solaris_locking_setup() ++ { ++ int i; ++ int num_locks; ++ ++ /* locking callback is already setup. 
Nothing to do */ ++ if (locking_callback != NULL) ++ { ++ return; ++ } ++ ++ /* ++ * Set atfork handler so that child can setup its own mutexes and ++ * locking callbacks when it is forked ++ */ ++ (void) pthread_atfork(NULL, NULL, solaris_fork_child); ++ ++ /* allocate locks needed by OpenSSL */ ++ num_locks = CRYPTO_num_locks(); ++ solaris_openssl_locks = ++ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks); ++ if (solaris_openssl_locks == NULL) ++ { ++ fprintf(stderr, ++ "solaris_locking_setup: memory allocation failure.\n"); ++ abort(); ++ } ++ ++ /* initialize openssl mutexes */ ++ for (i = 0; i < num_locks; i++) ++ { ++ pthread_mutex_init(&solaris_openssl_locks[i], NULL); ++ } ++ locking_callback = solaris_locking_callback; ++ ++ } ++ + void CRYPTO_set_locking_callback(void (*func)(int mode,int type, + const char *file,int line)) + { +@@ -413,7 +478,11 @@ + * are started. + */ + OPENSSL_init(); +- locking_callback=func; ++ ++ /* ++ * we now setup our own locking callback and mutexes, and disallow ++ * setting of another locking callback. 
++ */ + } + + void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,int type, +--- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014 ++++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014 +@@ -104,6 +104,8 @@ + void *OPENSSL_stderr(void); + extern int OPENSSL_NONPIC_relocated; + ++void solaris_locking_setup(); ++ + #ifdef __cplusplus + } + #endif +--- openssl-1.0.1f/crypto/sparccpuid.S.~1~ Fri Feb 7 10:41:37 2014 ++++ openssl-1.0.1f/crypto/sparccpuid.S Thu Feb 6 16:04:14 2014 +@@ -398,5 +398,7 @@ + .size OPENSSL_cleanse,.-OPENSSL_cleanse + + .section ".init",#alloc,#execinstr ++ call solaris_locking_setup ++ nop + call OPENSSL_cpuid_setup + nop +--- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~ Wed Feb 12 13:20:09 2014 ++++ openssl-1.0.1f/crypto/x86_64cpuid.pl Wed Feb 12 13:21:20 2014 +@@ -20,7 +20,10 @@ + print<<___; + .extern OPENSSL_cpuid_setup + .hidden OPENSSL_cpuid_setup ++.extern solaris_locking_setup ++.hidden solaris_locking_setup + .section .init ++ call solaris_locking_setup + call OPENSSL_cpuid_setup + + .hidden OPENSSL_ia32cap_P +--- openssl-1.0.1f/crypto/x86cpuid.pl.~1~ Wed Feb 12 13:38:03 2014 ++++ openssl-1.0.1f/crypto/x86cpuid.pl Wed Feb 12 13:38:31 2014 +@@ -353,6 +353,7 @@ + &ret (); + &function_end_B("OPENSSL_ia32_rdrand"); + ++&initseg("solaris_locking_setup"); + &initseg("OPENSSL_cpuid_setup"); + + &asm_finish(); diff -r 2c57b522c401 -r 84e093c079e2 components/openssl/openssl-1.0.1/openssl-1.0.1.p5m --- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Fri Mar 07 14:59:54 2014 -0800 +++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Fri Mar 07 17:02:45 2014 -0800 
@@ -30,8 +30,7 @@ value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library." set name=pkg.human-version value=$(COMPONENT_VERSION) set name=com.oracle.info.description value=OpenSSL -# TPNO number for the new component is not yet available (bug #18071490) -# set name=com.oracle.info.tpno value= +set name=com.oracle.info.tpno value=16634 set name=info.classification value=org.opensolaris.category.2008:System/Security set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) diff -r 2c57b522c401 -r 84e093c079e2 components/openssl/openssl-1.0.1/patches/29_fork_safe.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch Fri Mar 07 17:02:45 2014 -0800 
@@ -0,0 +1,161 @@ +# +# This file adds the code to setup internal mutexes and callback function. +# PSARC/2014/077 +# This change was implemented in-house. The issue was brought up to +# the upstream engineers, but there was no commitment. +# +--- openssl-1.0.1f/crypto/cryptlib.c.~1~ Fri Feb 7 10:41:36 2014 ++++ openssl-1.0.1f/crypto/cryptlib.c Thu Feb 6 16:03:58 2014 +@@ -116,6 +116,7 @@ + + #include "cryptlib.h" + #include ++#include + + #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) + static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */ +@@ -181,6 +182,7 @@ + numbers. */ + static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL; + ++static pthread_mutex_t *solaris_openssl_locks; + + static void (MS_FAR *locking_callback)(int mode,int type, + const char *file,int line)=0; +@@ -406,6 +409,79 @@ + return(add_lock_callback); + } + ++/* ++ * This is the locking callback function which all applications will be ++ * using when CRYPTO_lock() is called. ++ */ ++static void solaris_locking_callback(int mode, int type, const char *file, ++ int line) ++ { ++ if (mode & CRYPTO_LOCK) ++ { ++ pthread_mutex_lock(&solaris_openssl_locks[type]); ++ } ++ else ++ { ++ pthread_mutex_unlock(&solaris_openssl_locks[type]); ++ } ++ } ++ ++ ++/* ++ * This function is called when a child process is forked to setup its own ++ * global locking callback function ptr and mutexes. ++ */ ++static void solaris_fork_child(void) ++ { ++ /* ++ * clear locking_callback to indicate that locks should ++ * be reinitialized. ++ */ ++ locking_callback = NULL; ++ solaris_locking_setup(); ++ } ++ ++/* ++ * This function allocates and initializes the global mutex array, and ++ * sets the locking callback. ++ */ ++void solaris_locking_setup() ++ { ++ int i; ++ int num_locks; ++ ++ /* locking callback is already setup. 
Nothing to do */ ++ if (locking_callback != NULL) ++ { ++ return; ++ } ++ ++ /* ++ * Set atfork handler so that child can setup its own mutexes and ++ * locking callbacks when it is forked ++ */ ++ (void) pthread_atfork(NULL, NULL, solaris_fork_child); ++ ++ /* allocate locks needed by OpenSSL */ ++ num_locks = CRYPTO_num_locks(); ++ solaris_openssl_locks = ++ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks); ++ if (solaris_openssl_locks == NULL) ++ { ++ fprintf(stderr, ++ "solaris_locking_setup: memory allocation failure.\n"); ++ abort(); ++ } ++ ++ /* initialize openssl mutexes */ ++ for (i = 0; i < num_locks; i++) ++ { ++ pthread_mutex_init(&solaris_openssl_locks[i], NULL); ++ } ++ locking_callback = solaris_locking_callback; ++ ++ } ++ + void CRYPTO_set_locking_callback(void (*func)(int mode,int type, + const char *file,int line)) + { +@@ -413,7 +478,11 @@ + * are started. + */ + OPENSSL_init(); +- locking_callback=func; ++ ++ /* ++ * we now setup our own locking callback and mutexes, and disallow ++ * setting of another locking callback. 
++ */ + } + + void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,int type, +--- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014 ++++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014 +@@ -104,6 +104,8 @@ + void *OPENSSL_stderr(void); + extern int OPENSSL_NONPIC_relocated; + ++void solaris_locking_setup(); ++ + #ifdef __cplusplus + } + #endif +--- openssl-1.0.1f/crypto/sparccpuid.S.~1~ Fri Feb 7 10:41:37 2014 ++++ openssl-1.0.1f/crypto/sparccpuid.S Thu Feb 6 16:04:14 2014 +@@ -398,5 +398,7 @@ + .size OPENSSL_cleanse,.-OPENSSL_cleanse + + .section ".init",#alloc,#execinstr ++ call solaris_locking_setup ++ nop + call OPENSSL_cpuid_setup + nop +--- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~ Wed Feb 12 13:20:09 2014 ++++ openssl-1.0.1f/crypto/x86_64cpuid.pl Wed Feb 12 13:21:20 2014 +@@ -20,7 +20,10 @@ + print<<___; + .extern OPENSSL_cpuid_setup + .hidden OPENSSL_cpuid_setup ++.extern solaris_locking_setup ++.hidden solaris_locking_setup + .section .init ++ call solaris_locking_setup + call OPENSSL_cpuid_setup + + .hidden OPENSSL_ia32cap_P +--- openssl-1.0.1f/crypto/x86cpuid.pl.~1~ Wed Feb 12 13:38:03 2014 ++++ openssl-1.0.1f/crypto/x86cpuid.pl Wed Feb 12 13:38:31 2014 +@@ -353,6 +353,7 @@ + &ret (); + &function_end_B("OPENSSL_ia32_rdrand"); + ++&initseg("solaris_locking_setup"); + &initseg("OPENSSL_cpuid_setup"); + + &asm_finish(); diff -r 2c57b522c401 -r 84e093c079e2 components/openssl/openssl-1.0.1/patches/30_wanboot.patch --- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Fri Mar 07 14:59:54 2014 -0800 +++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Fri Mar 07 17:02:45 2014 -0800 @@ -1,3 +1,7 @@ +# +# This patch file makes the changes neccessary to build wanboot-openssl.o +# binary. This is Solaris-specific: not suitable for upstream. +# --- openssl-1.0.0g/Makefile.org 2010-01-27 08:06:58.000000000 -0800 +++ openssl-1.0.0g-1/Makefile.org 2012-03-26 03:04:08.440194448 -0700 @@ -138,7 +138,13 @@ 
@@ -32,7 +36,45 @@ --- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700 +++ openssl-1.0.0e_patched/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800 -@@ -900,6 +900,10 @@ +@@ -415,6 +415,7 @@ + static void solaris_locking_callback(int mode, int type, const char *file, + int line) + { ++#ifndef _BOOT + if (mode & CRYPTO_LOCK) + { + pthread_mutex_lock(&solaris_openssl_locks[type]); +@@ -423,6 +424,7 @@ + { + pthread_mutex_unlock(&solaris_openssl_locks[type]); + } ++#endif + } + + +@@ -456,6 +458,12 @@ + } + + /* ++ * pthread_* can't be used in wanboot. ++ * wanboot needs not be thread-safe and mutexes and locking callback ++ * function will not be setup for wanboot. ++ */ ++#ifndef _BOOT ++ /* + * Set atfork handler so that child can setup its own mutexes and + * locking callbacks when it is forked + */ +@@ -478,7 +486,7 @@ + pthread_mutex_init(&solaris_openssl_locks[i], NULL); + } + locking_callback = solaris_locking_callback; +- ++#endif + } + + void CRYPTO_set_locking_callback(void (*func)(int mode,int type, +@@ -979,6 +979,10 @@ MessageBox (NULL,buf,_T("OpenSSL: FATAL"),MB_OK|MB_ICONSTOP); } #else @@ -43,7 +85,7 @@ void OPENSSL_showfatal (const char *fmta,...) { va_list ap; -@@ -907,14 +911,21 @@ +@@ -986,14 +990,21 @@ vfprintf (stderr,fmta,ap); va_end (ap); } @@ -325,12 +367,14 @@ */ --- openssl-1.0.0e/crypto/sparccpuid.S 2010-09-05 12:48:01.000000000 -0700 +++ openssl-1.0.0e_patched/crypto/sparccpuid.S 2012-02-13 07:42:58.259478325 -0800 -@@ -397,6 +397,11 @@ +@@ -397,8 +397,13 @@ .type OPENSSL_cleanse,#function .size OPENSSL_cleanse,.-OPENSSL_cleanse +#ifndef _BOOT .section ".init",#alloc,#execinstr + call solaris_locking_setup + nop call OPENSSL_cpuid_setup nop +#else diff -r 2c57b522c401 -r 84e093c079e2 components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch --- a/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Fri Mar 07 14:59:54 2014 -0800 
+++ b/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Fri Mar 07 17:02:45 2014 -0800 @@ -1,5 +1,6 @@ # # This file adds inline T4 instruction support to OpenSSL upstream code. +# The change was brought in from OpenSSL 1.0.2. # Index: Configure =================================================================== @@ -204,7 +205,7 @@ +.size _sparcv9_vis1_instrument_bus2,.-_sparcv9_vis1_instrument_bus2 + .section ".init",#alloc,#execinstr - call OPENSSL_cpuid_setup + call solaris_locking_setup nop Index: crypto/sparcv9cap.c ===================================================================
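Review bot: In components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch, the "solaris-sparcv8-cc-sunw" entry changes from ${sparcv8_asm} to ${sparcv9_asm}, and neither the commit message nor the new "Solaris-specific; not suitable for upstream" header explains it. The target keeps its sparcv8 name and still builds with -m32, so please state in the patch header why the v9 assembler set is wanted for this target, or move the change into its own changeset so it is not hidden under the thread and fork safety work.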
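Review bot: In 29_fork_safe.patch, cryptlib.c hunk @@ -406,6 +409,79 @@, the child handler re-registers itself on every fork. solaris_fork_child() clears locking_callback and calls solaris_locking_setup(), which calls pthread_atfork(NULL, NULL, solaris_fork_child) again. Handlers registered with pthread_atfork are inherited by the child, so the count grows with each generation: a grandchild runs the handler twice, allocates the lock array twice and registers two more copies. Register the handler once on the first-time path and give the child a path that only reallocates and reinitializes the mutexes. In the same hunk the return values of pthread_atfork() and pthread_mutex_init() are ignored, and the child overwrites solaris_openssl_locks without releasing the inherited array; if that leak is deliberate because the inherited mutexes may be in a locked state, the comment should say so. This applies to both copies of the patch (openssl-1.0.1 and openssl-1.0.1-fips-140).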
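Review bot: In 29_fork_safe.patch, cryptlib.c hunk @@ -413,7 +478,11 @@, CRYPTO_set_locking_callback() now discards func silently and the only record of that is an in-source comment. The function returns void, so an application that installs its own callback, or passes NULL to clear it at shutdown, cannot tell that the call was ignored. Document the new behaviour somewhere consumers will read it, with a pointer to PSARC/2014/077, and mark the parameter as intentionally unused so the empty body does not look like an accident to the next maintainer.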
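Review bot: In 29_fork_safe.patch, the .init additions in sparccpuid.S, x86_64cpuid.pl and x86cpuid.pl run solaris_locking_setup at library load, and its allocation-failure path is fprintf(stderr, ...) followed by abort(). A process that only loads libcrypto can therefore be terminated before it has made a single OpenSSL call. Consider leaving locking_callback unset on failure and reporting the error on first use, or at least document in the header comment that load-time abort is the intended behaviour. Separately, the new prototype in cryptlib.h and the definition in cryptlib.c are written as solaris_locking_setup(); please spell the empty parameter list as (void) to match the (void) already used for solaris_fork_child.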
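Review bot: In components/openssl/openssl-1.0.1/patches/30_wanboot.patch, the new #ifndef _BOOT in solaris_locking_setup() starts after the declarations and the early return and ends just before the closing brace, so a _BOOT build is left with int i and int num_locks declared but unused, and with solaris_fork_child() still compiled although nothing registers it. The added comment says "pthread_* can't be used in wanboot", yet the hunks shown here guard only the calls; the static pthread_mutex_t *solaris_openssl_locks declaration and the new include from 29_fork_safe.patch are not visibly guarded. Please wrap the declarations, the static pointer, the include and solaris_fork_child() in the same guard, or confirm that the pthread types are available to the wanboot build. Two wording fixes in the added comments: "neccessary" should be "necessary", and "wanboot needs not be thread-safe" should read "wanboot need not be thread-safe".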
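Review bot: In components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch, hunk @@ -204,7 +205,7 @@, the .init context line changes from call OPENSSL_cpuid_setup to call solaris_locking_setup, which means this patch now applies only after 29_fork_safe.patch has modified sparccpuid.S. The header gains "The change was brought in from OpenSSL 1.0.2." but says nothing about that ordering requirement. Add a line naming the dependency, so that reordering or dropping 29_fork_safe.patch later does not surface as an unexplained rejected hunk.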