# HG changeset patch # User Misaki Miyashita # Date 1456958389 28800 # Node ID d20398d814114f498fabbd2abb26ef2edc381e58 # Parent 4e57ec0a98403655979cc57c3300e08d067a392c 22829366 Upgrade OpenSSL version to 1.0.2g 22829389 problem in LIBRARY/OPENSSL 22829403 problem in LIBRARY/OPENSSL 22829414 problem in LIBRARY/OPENSSL 22829419 problem in LIBRARY/OPENSSL 22829425 problem in LIBRARY/OPENSSL diff -r 4e57ec0a9840 -r d20398d81411 components/openssl/common/patches/041_rm_sslv2_v3.patch --- a/components/openssl/common/patches/041_rm_sslv2_v3.patch Wed Mar 02 07:32:20 2016 -0800 +++ b/components/openssl/common/patches/041_rm_sslv2_v3.patch Wed Mar 02 14:39:49 2016 -0800 
@@ -155,70 +155,48 @@ flagged with SSLv3. No new ciphers were added by TLSv1.1. =item Kx= ---- openssl-1.0.1/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015 -+++ openssl-1.0.1/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015 -@@ -25,19 +25,12 @@ - - =item SSLv2_method(void), SSLv2_server_method(void), SSLv2_client_method(void) +--- openssl-1.x/doc/ssl/SSL_CTX_new.pod Tue Jan 20 04:33:36 2015 ++++ openssl-1.x/doc/ssl/SSL_CTX_new.pod.new Tue May 26 11:37:24 2015 +@@ -8,7 +8,6 @@ + TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, + TLSv1_method, TLSv1_server_method, TLSv1_client_method, + SSLv3_method, SSLv3_server_method, SSLv3_client_method, +-SSLv2_method, SSLv2_server_method, SSLv2_client_method, + DTLS_method, DTLS_server_method, DTLS_client_method, + DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method, + DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method - +@@ -70,7 +69,7 @@ + These are the general-purpose I SSL/TLS methods. + The actual protocol version used will be negotiated to the highest version + mutually supported by the client and the server. +-The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. ++The supported protocols are TLSv1, TLSv1.1 and TLSv1.2. + Most applications should use these method, and avoid the version specific + methods described below. --A TLS/SSL connection established with these methods will only understand --the SSLv2 protocol. A client will send out SSLv2 client hello messages --and will also indicate that it only understand SSLv2. A server will only --understand SSLv2 client hello messages. -+These functions are deprecated. - - =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) +@@ -116,20 +115,11 @@ + =item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method() A TLS/SSL connection established with these methods will only understand the --SSLv3 protocol. 
A client will send out SSLv3 client hello messages --and will indicate that it only understands SSLv3. A server will only understand --SSLv3 client hello messages. This especially means, that it will --not understand SSLv2 client hello messages which are widely used for --compatibility reasons, see SSLv23_*_method(). +-SSLv3 protocol. A client will send out SSLv3 client hello messages and will +-indicate that it only understands SSLv3. A server will only understand SSLv3 +-client hello messages. The SSLv3 protocol is deprecated and should not be +-used. +SSLv3 protocol. However, SSLv3 is not supported by this relese of OpenSSL. - =item TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void) - -@@ -51,34 +44,24 @@ - - =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) - --A TLS/SSL connection established with these methods may understand the SSLv2, --SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. -+A TLS/SSL connection established with these methods may understand the -+TLSv1, TLSv1.1 and TLSv1.2 protocols. - --If the cipher list does not contain any SSLv2 ciphersuites (the default --cipher list does not) or extensions are required (for example server name) -+If extensions are required (for example server name) - a client will send out TLSv1 client hello messages including extensions and - will indicate that it also understands TLSv1.1, TLSv1.2 and permits a - fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 - protocols. This is the best choice when compatibility is a concern. + =item SSLv2_method(), SSLv2_server_method(), SSLv2_client_method() --If any SSLv2 ciphersuites are included in the cipher list and no extensions --are required then SSLv2 compatible client hellos will be used by clients and --SSLv2 will be accepted by servers. This is B recommended due to the --insecurity of SSLv2 and the limited nature of the SSLv2 client hello --prohibiting the use of extensions. 
-- - =back +-A TLS/SSL connection established with these methods will only understand the +-SSLv2 protocol. A client will send out SSLv2 client hello messages and will +-also indicate that it only understand SSLv2. A server will only understand +-SSLv2 client hello messages. The SSLv2 protocol offers little to no security +-and should not be used. +-As of OpenSSL 1.0.2g, EXPORT ciphers and 56-bit DES are no longer available +-with SSLv2. ++These functions are deprecated. --The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, --SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 -+The list of protocols available can later be limited using the -+SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 - options of the SSL_CTX_set_options() or SSL_set_options() functions. - Using these options it is possible to choose e.g. SSLv23_server_method() and - be able to negotiate with all possible clients, but to only allow newer - protocols like TLSv1, TLSv1.1 or TLS v1.2. + =item DTLS_method(), DTLS_server_method(), DTLS_client_method() --Applications which never want to support SSLv2 (even is the cipher string --is configured to use SSLv2 ciphersuites) can set SSL_OP_NO_SSLv2. -- - SSL_CTX_new() initializes the list of ciphers, the session cache setting, - the callbacks, the keys and certificates and the options to its default - values. --- openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod Thu Mar 19 06:37:10 2015 +++ openssl-1.0.1/doc/ssl/SSL_CTX_set_cipher_list.pod.new Tue May 26 11:38:09 2015 @@ -54,10 +54,6 @@ 
@@ -406,26 +384,26 @@ I. -@@ -132,15 +131,15 @@ +@@ -201,15 +200,15 @@ + =item const SSL_METHOD *B(void); + + Constructor for the SSLv2 SSL_METHOD structure for clients, servers +-or both. ++or both. (deprecated) =item const SSL_METHOD *B(void); --Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. -+Constructor for the SSLv2 SSL_METHOD structure for a dedicated client. (deprecated) +-Constructor for the SSLv2 SSL_METHOD structure for clients. ++Constructor for the SSLv2 SSL_METHOD structure for clients. (deprecated) =item const SSL_METHOD *B(void); --Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. -+Constructor for the SSLv2 SSL_METHOD structure for a dedicated server. (deprecated) - - =item const SSL_METHOD *B(void); +-Constructor for the SSLv2 SSL_METHOD structure for servers. ++Constructor for the SSLv2 SSL_METHOD structure for servers. (deprecated) --Constructor for the SSLv2 SSL_METHOD structure for combined client and server. -+Constructor for the SSLv2 SSL_METHOD structure for combined client and server. (deprecated) + =back - =item const SSL_METHOD *B(void); - -@@ -189,12 +188,12 @@ +@@ -234,12 +233,12 @@ =item const char *B(SSL_CIPHER *cipher); Return the internal name of I as a string. These are the various @@ -442,16 +420,7 @@ --- openssl-1.0.1/doc/apps/ciphers.pod Thu Mar 19 06:37:10 2015 +++ openssl-1.0.1/doc/apps/ciphers.pod.new Tue May 26 12:07:35 2015 -@@ -9,8 +9,6 @@ - B B - [B<-v>] - [B<-V>] --[B<-ssl2>] --[B<-ssl3>] - [B<-tls1>] - [B] - -@@ -26,26 +24,14 @@ +@@ -26,26 +24,18 @@ =item B<-v> 
@@ -470,41 +439,31 @@ Like B<-v>, but include cipher suite codes in output (hex format). --=item B<-ssl3> -- --only include SSL v3 ciphers. -- +-=item B<-ssl3>, B<-tls1> ++=item B<-tls1> + +-This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. ++This lists ciphers compatible with any of TLSv1, TLSv1.1 or TLSv1.2. + -=item B<-ssl2> - --only include SSL v2 ciphers. +-Only include SSLv2 ciphers. - - =item B<-tls1> - - only include TLS v1 ciphers. -@@ -246,9 +232,9 @@ - ciphers suites using FORTEZZA key exchange, authentication, encryption or all - FORTEZZA algorithms. Not implemented. + =item B<-h>, B<-?> --=item B, B, B, B -+=item B, B - --TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note: -+TLS v1.2 or TLS v1.0 cipher suites respectively. Note: - there are no ciphersuites specific to TLS v1.1. - - =item B, B, B -@@ -579,16 +565,6 @@ + Print a brief usage message. +@@ -588,16 +580,6 @@ TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA -=head2 Deprecated SSL v2.0 cipher suites. - - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 -- SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 -- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 -- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 +- SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. +- SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5 +- SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 -- SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 +- SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 - =head1 NOTES 
@@ -526,21 +485,18 @@ [B<-no_tls1>] [B<-no_tls1_1>] [B<-no_tls1_2>] -@@ -201,11 +199,11 @@ +@@ -201,9 +199,9 @@ given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> --these options disable the use of certain SSL or TLS protocols. By default -+these options disable the use of certain TLS protocols. By default - the initial handshake uses a method which should be compatible with all --servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -+servers. +-These options require or disable the use of the specified SSL or TLS protocols. ++These options require or disable the use of the specified TLS protocols. + By default the initial handshake uses a I method which will + negotiate the highest mutually supported protocol version. - Unfortunately there are still ancient and broken servers in use which - cannot handle this technique and will fail to connect. Some servers only @@ -227,10 +225,6 @@ supported cipher in the list sent by the client. See the B command for more information. 
@@ -593,19 +549,17 @@ [B<-no_dhe>] [B<-bugs>] [B<-hack>] -@@ -217,11 +217,11 @@ +@@ -217,9 +217,9 @@ given as a hexadecimal number without leading 0x, for example -psk 1a2b3c4d. --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> +=item B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all --servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -+servers. - - =item B<-bugs> +-These options require or disable the use of the specified SSL or TLS protocols. ++These options require or disable the use of the specified TLS protocols. + By default the initial handshake uses a I method which will + negotiate the highest mutually supported protocol version. --- openssl-1.0.1/doc/apps/s_time.pod Thu Jan 15 06:43:49 2015 +++ openssl-1.0.1/doc/apps/s_time.pod.new Tue May 26 12:20:09 2015 diff -r 4e57ec0a9840 -r d20398d81411 components/openssl/openssl-default/Makefile --- a/components/openssl/openssl-default/Makefile Wed Mar 02 07:32:20 2016 -0800 +++ b/components/openssl/openssl-default/Makefile Wed Mar 02 14:39:49 2016 -0800 
@@ -28,19 +28,19 @@ # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. # For more information about wanboot-openssl testing, please refer to # ../README. -COMPONENT_VERSION = 1.0.2f +COMPONENT_VERSION = 1.0.2g # Version for IPS. It is easier to do it manually than convert the letter to a # number while taking into account that there might be no letter at all. -IPS_COMPONENT_VERSION = 1.0.2.6 +IPS_COMPONENT_VERSION = 1.0.2.7 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c + sha256:b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= library/openssl -TPNO= 26527 +TPNO= 27085 # Clone the patch files to the patches-all dir. # COPY_COMMON_FILES is there so that rsync is called as soon as diff -r 4e57ec0a9840 -r d20398d81411 components/openssl/openssl-fips-140/Makefile --- a/components/openssl/openssl-fips-140/Makefile Wed Mar 02 07:32:20 2016 -0800 +++ b/components/openssl/openssl-fips-140/Makefile Wed Mar 02 14:39:49 2016 -0800 
@@ -29,20 +29,22 @@ endif COMPONENT_NAME = openssl-fips-140 -# Note that this is the OpenSSL version that is used to build FIPS-140 certified -# libraries. However, we use the FIPS canister version for the IPS package. -COMPONENT_VERSION = 1.0.2f +# Note: COMPONENT_VERSION is the core OpenSSL version, and IPS_COMPONENT_VERSION +# is the FIPS module version. The COMPONENT_VERSION changes with the core +# OpenSSL version, but the IPS_COMPONENT_VERSION is purposely only to change if +# the FIPS module version changes. +COMPONENT_VERSION = 1.0.2g IPS_COMPONENT_VERSION = 2.0.6 COMPONENT_PROJECT_URL= http://www.openssl.org/ COMPONENT_SRC_NAME = openssl COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION) COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz COMPONENT_ARCHIVE_HASH= \ - sha256:932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c + sha256:b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= library/openssl -TPNO= 26527 +TPNO= 27085 # Clone the patch files to the patches-all dir. # COPY_COMMON_FILES is there so that rsync is called as soon as
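
Review bot: in the SSL_CTX_new.pod part of 041_rm_sslv2_v3.patch (hunk @@ -116,20 +115,11 @@), the added line "SSLv3 protocol. However, SSLv3 is not supported by this relese of OpenSSL." misspells "release". The same hunk replaces the SSLv2 method description with only "These functions are deprecated.", and the @@ -201,15 +200,15 @@ hunk tags the SSLv2 constructors "(deprecated)"; that wording does not tell a caller whether the functions still work in this build. Since the patch is named rm_sslv2_v3, use the same "not supported by this release" wording for SSLv2 that the SSLv3 entry uses.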
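
Review bot: the refreshed ciphers.pod part of 041_rm_sslv2_v3.patch drops the @@ -9,8 +9,6 @@ hunk that removed [B<-ssl2>] and [B<-ssl3>] from the SYNOPSIS, and the hunk that trimmed the SSL v3.0 / SSL v2.0 cipher-string keywords, while the @@ -26,26 +24,18 @@ hunk still removes the -ssl3 and -ssl2 option descriptions. Please check the 1.0.2g ciphers.pod: if its SYNOPSIS or keyword list still mentions those options, the man page will advertise flags it no longer describes, and the dropped hunks should be rebased onto the new line offsets rather than removed. The same question applies to SSL_CTX_new.pod, where the earlier edit to the SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 paragraph is no longer in the patch.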
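
Review bot: in components/openssl/openssl-default/Makefile the new COMPONENT_ARCHIVE_HASH is the only integrity check on the 1.0.2g tarball, because COMPONENT_ARCHIVE_URL is built from COMPONENT_PROJECT_URL= http://www.openssl.org/ and the archive is therefore fetched over plain HTTP. Please record how the new sha256 value was obtained (for example, computed from a tarball whose upstream signature was verified) and consider switching COMPONENT_PROJECT_URL to https. Separately, the commit message lists five bug IDs only as "problem in LIBRARY/OPENSSL"; one line naming the upstream fixes this upgrade picks up would help anyone auditing why 1.0.2f was replaced.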
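
Review bot: the rewritten comment in components/openssl/openssl-fips-140/Makefile says "the IPS_COMPONENT_VERSION is purposely only to change if the FIPS module version changes", which is hard to parse; suggest "IPS_COMPONENT_VERSION is intentionally changed only when the FIPS module version changes". This file also repeats the COMPONENT_VERSION, COMPONENT_ARCHIVE_HASH and TPNO values set in openssl-default/Makefile, so the two can drift apart on a later upgrade; a shared include, or at least a comment pointing at the sibling Makefile, would make a missed update easier to catch.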