# HG changeset patch # User Misaki Miyashita # Date 1432769567 25200 # Node ID 8e8f535e48a57c006f36794fd6305c84912f06c0 # Parent 643c4e910399f75e8d5ac38dc52fb933152880ef PSARC/2015/043 Further OpenSSL Thread and Fork Safety 19579036 proftpd child process segfaults after failed login attempt 21149030 SegFault when a cleanup callback is called before the cipher initialization diff -r 643c4e910399 -r 8e8f535e48a5 components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch --- a/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch Wed May 27 12:25:12 2015 -0700 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch Wed May 27 16:32:47 2015 -0700 @@ -1,6 +1,7 @@ # # This file adds the code to setup internal mutexes and callback function. # PSARC/2014/077 +# PSARC/2015/043 # This change was implemented in-house. The issue was brought up to # the upstream engineers, but there was no commitment. # @@ -23,7 +24,43 @@ static void (MS_FAR *locking_callback) (int mode, int type, const char *file, int line) = 0; static int (MS_FAR *add_lock_callback) (int *pointer, int amount, -@@ -402,6 +405,79 @@ +@@ -373,7 +376,10 @@ + void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func) + (const char *file, int line)) + { +- dynlock_create_callback = func; ++ /* ++ * we now setup our own dynamic locking callback, and disallow ++ * setting of another locking callback. ++ */ + } + + void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode, +@@ -382,7 +388,10 @@ + const char *file, + int line)) + { +- dynlock_lock_callback = func; ++ /* ++ * we now setup our own dynamic locking callback, and disallow ++ * setting of another locking callback. ++ */ + } + + void CRYPTO_set_dynlock_destroy_callback(void (*func) +@@ -389,7 +398,10 @@ + (struct CRYPTO_dynlock_value *l, + const char *file, int line)) + { +- dynlock_destroy_callback = func; ++ /* ++ * we now setup our own dynamic locking callback, and disallow ++ * setting of another locking callback. ++ */ + } + + void (*CRYPTO_get_locking_callback(void)) (int mode, int type, +@@ -402,6 +414,129@@ return (add_lock_callback); } @@ -33,16 +70,58 @@ + */ +static void solaris_locking_callback(int mode, int type, const char *file, + int line) -+ { -+ if (mode & CRYPTO_LOCK) -+ { -+ pthread_mutex_lock(&solaris_openssl_locks[type]); -+ } -+ else -+ { -+ pthread_mutex_unlock(&solaris_openssl_locks[type]); -+ } -+ } ++{ ++ if (mode & CRYPTO_LOCK) { ++ pthread_mutex_lock(&solaris_openssl_locks[type]); ++ } else { ++ pthread_mutex_unlock(&solaris_openssl_locks[type]); ++ } ++} ++ ++ ++/* ++ * Implement Solaris's own dynamic locking routines. ++ */ ++static struct CRYPTO_dynlock_value * ++solaris_dynlock_create(const char *file, int line) ++{ ++ int ret; ++ pthread_mutex_t *dynlock; ++ ++ dynlock = OPENSSL_malloc(sizeof(pthread_mutex_t)); ++ if (dynlock == NULL) { ++ return (NULL); ++ } ++ ++ ret = pthread_mutex_init(dynlock, NULL); ++ OPENSSL_assert(ret); ++ ++ return ((struct CRYPTO_dynlock_value *)dynlock); ++} ++ ++static void ++solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock, ++ const char *file, int line) ++{ ++ int ret; ++ ++ if (mode & CRYPTO_LOCK) { ++ ret = pthread_mutex_lock((pthread_mutex_t *)dynlock); ++ } else { ++ ret = pthread_mutex_unlock((pthread_mutex_t *)dynlock); ++ } ++ ++ OPENSSL_assert(ret == 0); ++} ++ ++static void ++solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock, ++ const char *file, int line) ++{ ++ int ret; ++ ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock); ++ OPENSSL_assert(ret); ++} + + +/* @@ -50,53 +129,61 @@ + * global locking callback function ptr and mutexes. + */ +static void solaris_fork_child(void) -+ { -+ /* -+ * clear locking_callback to indicate that locks should -+ * be reinitialized. -+ */ -+ locking_callback = NULL; -+ solaris_locking_setup(); -+ } ++{ ++ /* ++ * clear locking_callback to indicate that locks should ++ * be reinitialized. ++ */ ++ locking_callback = NULL; ++ solaris_locking_setup(); ++} + +/* + * This function allocates and initializes the global mutex array, and + * sets the locking callback. + */ +void solaris_locking_setup() -+ { -+ int i; -+ int num_locks; ++{ ++ int i; ++ int num_locks; + -+ /* locking callback is already setup. Nothing to do */ -+ if (locking_callback != NULL) -+ { -+ return; -+ } ++ /* setup the dynlock callback if not already */ ++ if (dynlock_create_callback == NULL) { ++ dynlock_create_callback = solaris_dynlock_create; ++ } ++ if (dynlock_lock_callback == NULL) { ++ dynlock_lock_callback = solaris_dynlock_lock; ++ } ++ if (dynlock_destroy_callback == NULL) { ++ dynlock_destroy_callback = solaris_dynlock_destroy; ++ } + -+ /* -+ * Set atfork handler so that child can setup its own mutexes and -+ * locking callbacks when it is forked -+ */ -+ (void) pthread_atfork(NULL, NULL, solaris_fork_child); ++ /* locking callback is already setup. Nothing to do */ ++ if (locking_callback != NULL) { ++ return; ++ } + -+ /* allocate locks needed by OpenSSL */ -+ num_locks = CRYPTO_num_locks(); -+ solaris_openssl_locks = -+ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks); -+ if (solaris_openssl_locks == NULL) -+ { -+ fprintf(stderr, -+ "solaris_locking_setup: memory allocation failure.\n"); -+ abort(); -+ } ++ /* ++ * Set atfork handler so that child can setup its own mutexes and ++ * locking callbacks when it is forked ++ */ ++ (void) pthread_atfork(NULL, NULL, solaris_fork_child); + -+ /* initialize openssl mutexes */ -+ for (i = 0; i < num_locks; i++) -+ { -+ pthread_mutex_init(&solaris_openssl_locks[i], NULL); -+ } -+ locking_callback = solaris_locking_callback; ++ /* allocate locks needed by OpenSSL */ ++ num_locks = CRYPTO_num_locks(); ++ solaris_openssl_locks = ++ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks); ++ if (solaris_openssl_locks == NULL) { ++ fprintf(stderr, ++ "solaris_locking_setup: memory allocation failure.\n"); ++ abort(); ++ } ++ ++ /* initialize openssl mutexes */ ++ for (i = 0; i < num_locks; i++) { ++ pthread_mutex_init(&solaris_openssl_locks[i], NULL); ++ } ++ locking_callback = solaris_locking_callback; + +} + @@ -109,13 +196,39 @@ OPENSSL_init(); - locking_callback = func; + -+ /* -+ * we now setup our own locking callback and mutexes, and disallow -+ * setting of another locking callback. -+ */ ++ /* ++ * we now setup our own locking callback and mutexes, and disallow ++ * setting of another locking callback. ++ */ } void CRYPTO_set_add_lock_callback(int (*func) (int *num, int mount, int type, +@@ -471,9 +551,10 @@ + + int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *)) + { +- if (threadid_callback) +- return 0; +- threadid_callback = func; ++ /* ++ * Use the backup method (the address of 'errno') to identify the ++ * thread and disallow setting the threadid callback. ++ */ + return 1; + } + +@@ -531,7 +611,10 @@ + + void CRYPTO_set_id_callback(unsigned long (*func) (void)) + { +- id_callback = func; ++ /* ++ * Use the backup method to identify the thread/process. ++ * Setting the id callback is disallowed. ++ */ + } + + unsigned long CRYPTO_thread_id(void) --- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014 +++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014 @@ -104,6 +104,8 @@ diff -r 643c4e910399 -r 8e8f535e48a5 components/openssl/openssl-1.0.1-fips-140/patches/41_uninitialized_ctx.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssl/openssl-1.0.1-fips-140/patches/41_uninitialized_ctx.patch Wed May 27 16:32:47 2015 -0700 @@ -0,0 +1,14 @@ +# +# This was developed in house. Upstreadm notified (PR#277). +# +diff -ru openssl-1.0.1m/crypto/evp/evp_enc.c openssl-1.0.1m/crypto/evp/evp_enc.c.new +--- openssl-1.0.1m/crypto/evp/evp_enc.c Thu May 7 09:46:32 2015 ++++ openssl-1.0.1m/crypto/evp/evp_enc.c.new Thu May 7 09:46:23 2015 +@@ -179,6 +179,7 @@ + EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE); + return 0; + } ++ (void) memset(ctx->cipher_data, 0, ctx->cipher->ctx_size); + } else { + ctx->cipher_data = NULL; + } diff -r 643c4e910399 -r 8e8f535e48a5 components/openssl/openssl-1.0.1/patches/29_fork_safe.patch --- a/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch Wed May 27 12:25:12 2015 -0700 +++ b/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch Wed May 27 16:32:47 2015 -0700 @@ -1,6 +1,7 @@ # # This file adds the code to setup internal mutexes and callback function. # PSARC/2014/077 +# PSARC/2015/043 # This change was implemented in-house. The issue was brought up to # the upstream engineers, but there was no commitment. # @@ -23,7 +24,43 @@ static void (MS_FAR *locking_callback) (int mode, int type, const char *file, int line) = 0; static int (MS_FAR *add_lock_callback) (int *pointer, int amount, -@@ -402,6 +405,79 @@ +@@ -373,7 +376,10 @@ + void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func) + (const char *file, int line)) + { +- dynlock_create_callback = func; ++ /* ++ * we now setup our own dynamic locking callback, and disallow ++ * setting of another locking callback. ++ */ + } + + void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode, +@@ -382,7 +388,10 @@ + const char *file, + int line)) + { +- dynlock_lock_callback = func; ++ /* ++ * we now setup our own dynamic locking callback, and disallow ++ * setting of another locking callback. ++ */ + } + + void CRYPTO_set_dynlock_destroy_callback(void (*func) +@@ -389,7 +398,10 @@ + (struct CRYPTO_dynlock_value *l, + const char *file, int line)) + { +- dynlock_destroy_callback = func; ++ /* ++ * we now setup our own dynamic locking callback, and disallow ++ * setting of another locking callback. ++ */ + } + + void (*CRYPTO_get_locking_callback(void)) (int mode, int type, +@@ -402,6 +414,129@@ return (add_lock_callback); } @@ -33,16 +70,58 @@ + */ +static void solaris_locking_callback(int mode, int type, const char *file, + int line) -+ { -+ if (mode & CRYPTO_LOCK) -+ { -+ pthread_mutex_lock(&solaris_openssl_locks[type]); -+ } -+ else -+ { -+ pthread_mutex_unlock(&solaris_openssl_locks[type]); -+ } -+ } ++{ ++ if (mode & CRYPTO_LOCK) { ++ pthread_mutex_lock(&solaris_openssl_locks[type]); ++ } else { ++ pthread_mutex_unlock(&solaris_openssl_locks[type]); ++ } ++} ++ ++ ++/* ++ * Implement Solaris's own dynamic locking routines. ++ */ ++static struct CRYPTO_dynlock_value * ++solaris_dynlock_create(const char *file, int line) ++{ ++ int ret; ++ pthread_mutex_t *dynlock; ++ ++ dynlock = OPENSSL_malloc(sizeof(pthread_mutex_t)); ++ if (dynlock == NULL) { ++ return (NULL); ++ } ++ ++ ret = pthread_mutex_init(dynlock, NULL); ++ OPENSSL_assert(ret); ++ ++ return ((struct CRYPTO_dynlock_value *)dynlock); ++} ++ ++static void ++solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock, ++ const char *file, int line) ++{ ++ int ret; ++ ++ if (mode & CRYPTO_LOCK) { ++ ret = pthread_mutex_lock((pthread_mutex_t *)dynlock); ++ } else { ++ ret = pthread_mutex_unlock((pthread_mutex_t *)dynlock); ++ } ++ ++ OPENSSL_assert(ret == 0); ++} ++ ++static void ++solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock, ++ const char *file, int line) ++{ ++ int ret; ++ ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock); ++ OPENSSL_assert(ret); ++} + + +/* @@ -50,53 +129,61 @@ + * global locking callback function ptr and mutexes. + */ +static void solaris_fork_child(void) -+ { -+ /* -+ * clear locking_callback to indicate that locks should -+ * be reinitialized. -+ */ -+ locking_callback = NULL; -+ solaris_locking_setup(); -+ } ++{ ++ /* ++ * clear locking_callback to indicate that locks should ++ * be reinitialized. ++ */ ++ locking_callback = NULL; ++ solaris_locking_setup(); ++} + +/* + * This function allocates and initializes the global mutex array, and + * sets the locking callback. + */ +void solaris_locking_setup() -+ { -+ int i; -+ int num_locks; ++{ ++ int i; ++ int num_locks; + -+ /* locking callback is already setup. Nothing to do */ -+ if (locking_callback != NULL) -+ { -+ return; -+ } ++ /* setup the dynlock callback if not already */ ++ if (dynlock_create_callback == NULL) { ++ dynlock_create_callback = solaris_dynlock_create; ++ } ++ if (dynlock_lock_callback == NULL) { ++ dynlock_lock_callback = solaris_dynlock_lock; ++ } ++ if (dynlock_destroy_callback == NULL) { ++ dynlock_destroy_callback = solaris_dynlock_destroy; ++ } + -+ /* -+ * Set atfork handler so that child can setup its own mutexes and -+ * locking callbacks when it is forked -+ */ -+ (void) pthread_atfork(NULL, NULL, solaris_fork_child); ++ /* locking callback is already setup. Nothing to do */ ++ if (locking_callback != NULL) { ++ return; ++ } + -+ /* allocate locks needed by OpenSSL */ -+ num_locks = CRYPTO_num_locks(); -+ solaris_openssl_locks = -+ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks); -+ if (solaris_openssl_locks == NULL) -+ { -+ fprintf(stderr, -+ "solaris_locking_setup: memory allocation failure.\n"); -+ abort(); -+ } ++ /* ++ * Set atfork handler so that child can setup its own mutexes and ++ * locking callbacks when it is forked ++ */ ++ (void) pthread_atfork(NULL, NULL, solaris_fork_child); + -+ /* initialize openssl mutexes */ -+ for (i = 0; i < num_locks; i++) -+ { -+ pthread_mutex_init(&solaris_openssl_locks[i], NULL); -+ } -+ locking_callback = solaris_locking_callback; ++ /* allocate locks needed by OpenSSL */ ++ num_locks = CRYPTO_num_locks(); ++ solaris_openssl_locks = ++ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks); ++ if (solaris_openssl_locks == NULL) { ++ fprintf(stderr, ++ "solaris_locking_setup: memory allocation failure.\n"); ++ abort(); ++ } ++ ++ /* initialize openssl mutexes */ ++ for (i = 0; i < num_locks; i++) { ++ pthread_mutex_init(&solaris_openssl_locks[i], NULL); ++ } ++ locking_callback = solaris_locking_callback; + +} + @@ -109,13 +196,39 @@ OPENSSL_init(); - locking_callback = func; + -+ /* -+ * we now setup our own locking callback and mutexes, and disallow -+ * setting of another locking callback. -+ */ ++ /* ++ * we now setup our own locking callback and mutexes, and disallow ++ * setting of another locking callback. ++ */ } void CRYPTO_set_add_lock_callback(int (*func) (int *num, int mount, int type, +@@ -471,9 +551,10 @@ + + int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *)) + { +- if (threadid_callback) +- return 0; +- threadid_callback = func; ++ /* ++ * Use the backup method (the address of 'errno') to identify the ++ * thread and disallow setting the threadid callback. ++ */ + return 1; + } + +@@ -531,7 +611,10 @@ + + void CRYPTO_set_id_callback(unsigned long (*func) (void)) + { +- id_callback = func; ++ /* ++ * Use the backup method to identify the thread/process. ++ * Setting the id callback is disallowed. ++ */ + } + + unsigned long CRYPTO_thread_id(void) --- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014 +++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014 @@ -104,6 +104,8 @@ diff -r 643c4e910399 -r 8e8f535e48a5 components/openssl/openssl-1.0.1/patches/30_wanboot.patch --- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Wed May 27 12:25:12 2015 -0700 +++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Wed May 27 16:32:47 2015 -0700 @@ -2,8 +2,8 @@ # This patch file makes the changes neccessary to build wanboot-openssl.o # binary. This is Solaris-specific: not suitable for upstream. # ---- openssl-1.0.0g/Makefile.org 2010-01-27 08:06:58.000000000 -0800 -+++ openssl-1.0.0g-1/Makefile.org 2012-03-26 03:04:08.440194448 -0700 +--- openssl-1.0.0g/Makefile.org 2010-01-27 08:06:58.000000000 -0800 ++++ openssl-1.0.0g-1/Makefile.org 2012-03-26 03:04:08.440194448 -0700 @@ -138,7 +138,13 @@ BASEADDR= @@ -18,8 +18,8 @@ ENGDIRS= ccgost SHLIBDIRS= crypto ssl ---- openssl-1.0.0g/Makefile 2012-01-18 05:42:28.000000000 -0800 -+++ openssl-1.0.0g-1/Makefile 2012-03-26 03:03:59.170540344 -0700 +--- openssl-1.0.0g/Makefile 2012-01-18 05:42:28.000000000 -0800 ++++ openssl-1.0.0g-1/Makefile 2012-03-26 03:03:59.170540344 -0700 @@ -137,7 +137,13 @@ BASEADDR=0xFB00000 @@ -34,47 +34,91 @@ ENGDIRS= ccgost SHLIBDIRS= crypto ssl ---- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800 -@@ -412,6 +412,7 @@ +--- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800 +@@ -421,11 +421,13 @@ static void solaris_locking_callback(int mode, int type, const char *file, int line) - { -+#ifndef _BOOT - if (mode & CRYPTO_LOCK) - { - pthread_mutex_lock(&solaris_openssl_locks[type]); -@@ -420,6 +421,7 @@ - { - pthread_mutex_unlock(&solaris_openssl_locks[type]); - } + { ++#ifndef _BOOT + if (mode & CRYPTO_LOCK) { + pthread_mutex_lock(&solaris_openssl_locks[type]); + } else { + pthread_mutex_unlock(&solaris_openssl_locks[type]); + } +#endif - } + } -@@ -453,6 +455,12 @@ - } +@@ -435,6 +437,7 @@ + static struct CRYPTO_dynlock_value * + solaris_dynlock_create(const char *file, int line) + { ++#ifndef _BOOT + int ret; + pthread_mutex_t *dynlock; + +@@ -447,6 +450,9 @@ + OPENSSL_assert(ret); + + return ((struct CRYPTO_dynlock_value *)dynlock); ++#else ++ return (NULL); ++#endif + } + + static void +@@ -453,6 +459,7 @@ + solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock, + const char *file, int line) + { ++#ifndef _BOOT + int ret; + + if (mode & CRYPTO_LOCK) { +@@ -462,6 +469,7 @@ + } + + OPENSSL_assert(ret == 0); ++#endif + } + + static void +@@ -468,9 +476,11 @@ + solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock, + const char *file, int line) + { ++#ifndef _BOOT + int ret; + ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock); + OPENSSL_assert(ret); ++#endif + } + + +@@ -514,6 +524,12 @@ + } - /* -+ * pthread_* can't be used in wanboot. -+ * wanboot needs not be thread-safe and mutexes and locking callback -+ * function will not be setup for wanboot. -+ */ -+#ifndef _BOOT -+ /* - * Set atfork handler so that child can setup its own mutexes and - * locking callbacks when it is forked - */ -@@ -475,7 +483,7 @@ - pthread_mutex_init(&solaris_openssl_locks[i], NULL); - } - locking_callback = solaris_locking_callback; + /* ++ * pthread_* can't be used in wanboot. ++ * wanboot needs not be thread-safe and mutexes and locking callback ++ * function will not be setup for wanboot. ++ */ ++#ifndef _BOOT ++ /* + * Set atfork handler so that child can setup its own mutexes and + * locking callbacks when it is forked + */ +@@ -534,7 +550,7 @@ + pthread_mutex_init(&solaris_openssl_locks[i], NULL); + } + locking_callback = solaris_locking_callback; - +#endif } void CRYPTO_set_locking_callback(void (*func) (int mode, int type, -@@ -1021,6 +1029,12 @@ +@@ -1084,6 +1100,12 @@ MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP); } #else @@ -83,36 +127,36 @@ + * OPENSSL_showfatal() is not used anywhere else then here we can safely use + * the code from 0.9.7d version. + */ -+#ifndef _BOOT ++#ifndef _BOOT void OPENSSL_showfatal(const char *fmta, ...) { va_list ap; -@@ -1029,6 +1043,7 @@ +@@ -1092,6 +1114,7 @@ vfprintf(stderr, fmta, ap); va_end(ap); } -+#endif /* _BOOT */ ++#endif /* _BOOT */ int OPENSSL_isservice(void) { -@@ -1038,9 +1053,15 @@ +@@ -1101,9 +1124,15 @@ void OpenSSLDie(const char *file, int line, const char *assertion) { -+#ifndef _BOOT ++#ifndef _BOOT OPENSSL_showfatal ("%s(%d): OpenSSL internal error, assertion failed: %s\n", file, line, assertion); +#else -+ fprintf(stderr, -+ "%s(%d): OpenSSL internal error, assertion failed: %s\n", -+ file,line,assertion); -+#endif ++ fprintf(stderr, ++ "%s(%d): OpenSSL internal error, assertion failed: %s\n", ++ file,line,assertion); ++#endif #if !defined(_WIN32) || defined(__CYGWIN__) abort(); #else ---- openssl-1.0.0e/crypto/err/err_all.c 2009-08-09 07:58:05.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/err/err_all.c 2011-12-13 05:22:01.205351400 -0800 +--- openssl-1.0.0e/crypto/err/err_all.c 2009-08-09 07:58:05.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/err/err_all.c 2011-12-13 05:22:01.205351400 -0800 @@ -148,7 +148,9 @@ ERR_load_X509V3_strings(); ERR_load_PKCS12_strings(); @@ -123,14 +167,14 @@ ERR_load_TS_strings(); # ifndef OPENSSL_NO_ENGINE ERR_load_ENGINE_strings(); ---- openssl-1.0.0e/crypto/evp/evp_key.c 2010-03-27 12:27:50.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/evp/evp_key.c 2011-12-13 05:19:32.956908600 -0800 +--- openssl-1.0.0e/crypto/evp/evp_key.c 2010-03-27 12:27:50.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/evp/evp_key.c 2011-12-13 05:19:32.956908600 -0800 @@ -83,7 +83,7 @@ else return (prompt_string); } - -+#ifndef _BOOT ++#ifndef _BOOT /* * For historical reasons, the standard function for reading passwords is in * the DES library -- if someone ever wants to disable DES, this function @@ -138,17 +182,17 @@ OPENSSL_cleanse(buff, BUFSIZ); return ret; } -+#endif /* !_BOOT */ ++#endif /* !_BOOT */ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, const unsigned char *salt, const unsigned char *data, ---- openssl-1.0.0e/crypto/rand/rand_unix.c 2009-04-06 07:31:36.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c 2011-12-19 07:28:39.988944800 -0800 +--- openssl-1.0.0e/crypto/rand/rand_unix.c 2009-04-06 07:31:36.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c 2011-12-19 07:28:39.988944800 -0800 @@ -122,7 +122,11 @@ # include # include # include -+#ifdef _BOOT ++#ifdef _BOOT +# include +#else # include @@ -216,7 +260,7 @@ } # endif -+#ifndef _BOOT ++#ifndef _BOOT /* put in some default random data, we need more than just this */ l = curr_pid; RAND_add(&l, sizeof(l), 0.0); @@ -224,21 +268,21 @@ l = time(NULL); RAND_add(&l, sizeof(l), 0.0); -+#endif /* !_BOOT */ ++#endif /* !_BOOT */ # if defined(OPENSSL_SYS_BEOS) { ---- openssl-1.0.0e/crypto/rand/randfile.c 2011-03-19 02:44:37.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/rand/randfile.c 2011-12-13 05:26:51.884824200 -0800 +--- openssl-1.0.0e/crypto/rand/randfile.c 2011-03-19 02:44:37.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/rand/randfile.c 2011-12-13 05:26:51.884824200 -0800 @@ -57,9 +57,11 @@ */ /* We need to define this to get macros like S_IFBLK and S_IFCHR */ -+#ifndef _BOOT ++#ifndef _BOOT #if !defined(OPENSSL_SYS_VXWORKS) # define _XOPEN_SOURCE 500 #endif -+#endif /* _BOOT */ ++#endif /* _BOOT */ #include #include @@ -246,7 +290,7 @@ return (ret); } -+#ifndef _BOOT ++#ifndef _BOOT int RAND_write_file(const char *file) { unsigned char buf[BUFSIZE]; @@ -256,13 +300,13 @@ } + +#endif /* _BOOT */ ---- openssl-1.0.0e/crypto/x509v3/v3_utl.c 2009-07-27 14:08:53.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c 2011-12-13 05:10:08.844191400 -0800 +--- openssl-1.0.0e/crypto/x509v3/v3_utl.c 2009-07-27 14:08:53.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c 2011-12-13 05:10:08.844191400 -0800 @@ -715,9 +715,50 @@ } } -+#if defined(_BOOT) ++#if defined(_BOOT) +/* This function was copied from bio/b_sock.c */ +static int get_ip(const char *str, unsigned char ip[4]) +{ @@ -302,10 +346,10 @@ { int a0, a1, a2, a3; + -+#if defined(_BOOT) -+ if (get_ip(in, v4) != 1) -+ return 0; -+#else /* _BOOT */ ++#if defined(_BOOT) ++ if (get_ip(in, v4) != 1) ++ return 0; ++#else /* _BOOT */ if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) return 0; if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) @@ -313,17 +357,17 @@ v4[1] = a1; v4[2] = a2; v4[3] = a3; -+#endif /* _BOOT */ ++#endif /* _BOOT */ return 1; } ---- openssl-1.0.0e/e_os.h 2011-12-19 04:17:51.631087400 -0800 -+++ openssl-1.0.0e_patched/e_os.h 2011-12-19 04:15:15.776668900 -0800 +--- openssl-1.0.0e/e_os.h 2011-12-19 04:17:51.631087400 -0800 ++++ openssl-1.0.0e_patched/e_os.h 2011-12-19 04:15:15.776668900 -0800 @@ -213,10 +213,19 @@ # define get_last_socket_error() errno # define clear_socket_error() errno=0 # define ioctlsocket(a,b,c) ioctl(a,b,c) -+#ifdef _BOOT ++#ifdef _BOOT +#include +extern int socket_read(int, void *, size_t, int); +extern int socket_close(int); @@ -339,8 +383,8 @@ # ifdef WIN16 /* never the case */ # define MS_CALLBACK _far _loadds ---- openssl-1.0.0e/crypto/sparcv9cap.c 2010-09-05 12:48:01.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/sparcv9cap.c 2011-12-23 05:24:02.011607700 -0800 +--- openssl-1.0.0e/crypto/sparcv9cap.c 2010-09-05 12:48:01.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/sparcv9cap.c 2011-12-23 05:24:02.011607700 -0800 @@ -12,7 +12,11 @@ #define SPARCV9_VIS2 (1<<3) /* reserved */ #define SPARCV9_FMADD (1<<4) /* reserved for SPARC64 V */ @@ -382,8 +426,8 @@ /* * This code path is disabled, because of incompatibility of libdevinfo.so.1 * and libmalloc.so.1 (see below for details) ---- openssl-1.0.0e/crypto/sparccpuid.S 2010-09-05 12:48:01.000000000 -0700 -+++ openssl-1.0.0e_patched/crypto/sparccpuid.S 2012-02-13 07:42:58.259478325 -0800 +--- openssl-1.0.0e/crypto/sparccpuid.S 2010-09-05 12:48:01.000000000 -0700 ++++ openssl-1.0.0e_patched/crypto/sparccpuid.S 2012-02-13 07:42:58.259478325 -0800 @@ -397,8 +397,13 @@ .type OPENSSL_cleanse,#function .size OPENSSL_cleanse,.-OPENSSL_cleanse @@ -392,8 +436,8 @@ .section ".init",#alloc,#execinstr call solaris_locking_setup nop - call OPENSSL_cpuid_setup - nop + call OPENSSL_cpuid_setup + nop +#else + nop + nop @@ -418,7 +462,7 @@ p = s->s3->client_random; -+#ifndef _BOOT ++#ifndef _BOOT if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) +#else + if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0) @@ -432,7 +476,7 @@ * Apparently we're using a version-flexible SSL_METHOD (not at its * highest protocol version). */ -+#ifndef _BOOT ++#ifndef _BOOT if (s->ctx->method->version == SSLv23_method()->version) { +#else + if (s->ctx->method->version == TLS1_2_VERSION) { diff -r 643c4e910399 -r 8e8f535e48a5 components/openssl/openssl-1.0.1/patches/41_uninitialized_ctx.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssl/openssl-1.0.1/patches/41_uninitialized_ctx.patch Wed May 27 16:32:47 2015 -0700 @@ -0,0 +1,14 @@ +# +# This was developed in house. Upstreadm notified (PR#277). +# +diff -ru openssl-1.0.1m/crypto/evp/evp_enc.c openssl-1.0.1m/crypto/evp/evp_enc.c.new +--- openssl-1.0.1m/crypto/evp/evp_enc.c Thu May 7 09:46:32 2015 ++++ openssl-1.0.1m/crypto/evp/evp_enc.c.new Thu May 7 09:46:23 2015 +@@ -179,6 +179,7 @@ + EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE); + return 0; + } ++ (void) memset(ctx->cipher_data, 0, ctx->cipher->ctx_size); + } else { + ctx->cipher_data = NULL; + }