# HG changeset patch
# User Ron Jordan
# Date 1436838896 25200
# Node ID 9b43e26833bfb96ba0dba21604841d4bd1d6e2a9
# Parent de7e078c69d8a6cd2b3e5fe73c7549218c022798
21416447 Upgrade OpenSSL version to 1.0.1p
21416479 problem in LIBRARY/OPENSSL
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1-fips-140/Makefile
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Mon Jul 13 18:54:56 2015 -0700
@@ -29,14 +29,14 @@
 COMPONENT_NAME = openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION = 1.0.1o
+COMPONENT_VERSION = 1.0.1p
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL= http://www.openssl.org/
 COMPONENT_SRC_NAME = openssl
 COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH= \
- sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+ sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB= library/openssl
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Mon Jul 13 18:54:56 2015 -0700
@@ -34,7 +34,7 @@
 set name=pkg.human-version value=$(COMPONENT_VERSION)
 set name=com.oracle.info.description \
 value="the FIPS 140-2 Capable OpenSSL libraries"
-set name=com.oracle.info.tpno value=23126
+set name=com.oracle.info.tpno value=23452
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch
--- a/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch Mon Jul 13 18:54:56 2015 -0700
@@ -15,7 +15,7 @@
 my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
 @@ -257,6 +264,12 @@
 #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
- "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+ "sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
 +#### Solaris configs, used for OpenSSL as delivered by OpenSolaris
 +"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -25,4 +25,4 @@
 +
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
- "irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${mips32_asm}:o32:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "irix-gcc","gcc:-O3 -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${mips32_asm}:o32:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch
--- a/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch Mon Jul 13 18:54:56 2015 -0700
@@ -61,10 +61,10 @@
 +
 int X509_verify_cert(X509_STORE_CTX *ctx)
 {
- X509 *x, *xtmp, *chain_ss = NULL;
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
 @@ -304,8 +331,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
-
- /* we now have our chain, lets check it... */
+ }
+ } while (retry);
 - /* Is last certificate looked up self signed? */
 - if (!ctx->check_issued(ctx, x, x)) {
@@ -185,8 +185,8 @@
 --- openssl/crypto/x509/x509_vfy.h 26 Sep 2012 13:50:42 -0000 1.67.2.3.4.1
 +++ openssl/crypto/x509/x509_vfy.h 14 Dec 2012 14:30:46 -0000 1.67.2.3.4.2
 @@ -406,6 +406,9 @@
- /* Check selfsigned CA signature */
- # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+ */
+ # define X509_V_FLAG_NO_ALT_CHAINS 0x100000
 +/* Allow partial chains if at least one certificate is in trusted store */
 +# define X509_V_FLAG_PARTIAL_CHAIN 0x80000
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1/Makefile
--- a/components/openssl/openssl-1.0.1/Makefile Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1/Makefile Mon Jul 13 18:54:56 2015 -0700
@@ -28,15 +28,15 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too.
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION = 1.0.1o
+COMPONENT_VERSION = 1.0.1p
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.15
+IPS_COMPONENT_VERSION = 1.0.1.16
 COMPONENT_PROJECT_URL= http://www.openssl.org/
 COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH= \
- sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+ sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB= library/openssl
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1/openssl-1.0.1.p5m
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Mon Jul 13 18:54:56 2015 -0700
@@ -30,7 +30,7 @@
 value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
 set name=pkg.human-version value=$(COMPONENT_VERSION)
 set name=com.oracle.info.description value=OpenSSL
-set name=com.oracle.info.tpno value=23126
+set name=com.oracle.info.tpno value=23452
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1/patches/18-compiler_opts.patch
--- a/components/openssl/openssl-1.0.1/patches/18-compiler_opts.patch Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/18-compiler_opts.patch Mon Jul 13 18:54:56 2015 -0700
@@ -6,7 +6,7 @@
 +++ /tmp/Configure Thu Feb 10 20:01:51 2011
 @@ -257,6 +257,19 @@
 #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
- "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+ "sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
 +#### Solaris configs, used for OpenSSL as delivered by S11.
 +"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff -r de7e078c69d8 -r 9b43e26833bf components/openssl/openssl-1.0.1/patches/33_cert_chain.patch
--- a/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch Tue Jun 30 10:45:07 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch Mon Jul 13 18:54:56 2015 -0700
@@ -61,10 +61,10 @@
 +
 int X509_verify_cert(X509_STORE_CTX *ctx)
 {
- X509 *x, *xtmp, *chain_ss = NULL;
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
 @@ -304,8 +331,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
-
- /* we now have our chain, lets check it... */
+ }
+ } while (retry);
 - /* Is last certificate looked up self signed? */
 - if (!ctx->check_issued(ctx, x, x)) {
@@ -185,8 +185,8 @@
 --- openssl/crypto/x509/x509_vfy.h 26 Sep 2012 13:50:42 -0000 1.67.2.3.4.1
 +++ openssl/crypto/x509/x509_vfy.h 14 Dec 2012 14:30:46 -0000 1.67.2.3.4.2
 @@ -406,6 +406,9 @@
- /* Check selfsigned CA signature */
- # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+ */
+ # define X509_V_FLAG_NO_ALT_CHAINS 0x100000
 +/* Allow partial chains if at least one certificate is in trusted store */
 +# define X509_V_FLAG_PARTIAL_CHAIN 0x80000
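Review bot: The refresh of 33_cert_chain.patch only moves context in X509_verify_cert (the new `xtmp2` declaration and the `} while (retry);` loop tail), so it shows that the local partial-chain backport still applies to 1.0.1p, not that it still behaves correctly inside the reworked chain-building loop. The inner patch appears to drop the upstream `if (!ctx->check_issued(ctx, x, x))` self-signed test on the last certificate, so a chain ending in an untrusted certificate must still fail when `X509_V_FLAG_PARTIAL_CHAIN` is clear; I would want a verification regression run recorded with this change. The patch header could also gain a line such as `# Rebased onto 1.0.1p; partial chains remain opt-in via X509_V_FLAG_PARTIAL_CHAIN`. The value `0x80000` does not collide with the `X509_V_FLAG_NO_ALT_CHAINS 0x100000` now in the context. The identical refresh under openssl-1.0.1-fips-140/patches needs the same check, and the inner hunks of both copies continue outside what is shown here.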