7141635 Deliver wanboot-openssl.o for wanboot
authorTomas Kuthan <tomas.kuthan@oracle.com>
Thu, 22 Mar 2012 14:20:01 -0700
changeset 745 09fd85317532
parent 744 6df1d115f82e
child 746 67d8050c297a
7141635 Deliver wanboot-openssl.o for wanboot 6869649 wanboot may not require "get_ip" anymore 7145496 OpenSSL's Configure calls /usr/bin/make for "make links" which fails
components/openssl/README
components/openssl/openssl-1.0.0-wanboot/Makefile
components/openssl/openssl-1.0.0-wanboot/README
components/openssl/openssl-1.0.0-wanboot/files/stubs.c
components/openssl/openssl-1.0.0-wanboot/mapfile
components/openssl/openssl-1.0.0-wanboot/patches/18-compiler_opts.patch
components/openssl/openssl-1.0.0-wanboot/patches/30_wanboot.patch
components/openssl/openssl-1.0.0/Makefile
components/openssl/openssl-1.0.0/Makefile.version
components/openssl/openssl-1.0.0/openssl-1.0.0.p5m
--- a/components/openssl/README	Thu Mar 22 13:55:41 2012 -0700
+++ b/components/openssl/README	Thu Mar 22 14:20:01 2012 -0700
@@ -18,17 +18,20 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 #
 
 Build Layout
 ---
 
-OpenSSL build is run three times. Once for 1.0.0 non-fips, once for 0.9.8
+OpenSSL build is run four times. Once for regular dynamic 1.0.0 non-fips, once 
+for static 1.0.0 bits to link with standalone wanboot binary, once for 0.9.8
 fips-140, and once for 0.9.8 FIPS-140 canister (in the openssl-fips component)
-needed to build 0.9.8 FIPS-140 certified libraries. All builds are done for 32
-and 64 bits. So, in total, OpenSSL is built six times.
+needed to build 0.9.8 FIPS-140 certified libraries. All builds apart from 
+static libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL
+is built seven times.
 
+For more details on OpenSSL for wanboot see openssl-1.0.0-wanboot/README.
 See also comments in all three Makefiles for more information.
 
 The non-fips Build.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/Makefile	Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,250 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+
+
+#
+# This component is not to be installed. It is used from openssl-1.0.0
+# to build static stand-alone OpenSSL binaries to link with wanboot.
+#
+
+include ../../../make-rules/shared-macros.mk
+
+# COMPONENT_NAME, COMPONENT_VERSION, IPS_COMPONENT_VERSION and some other
+# related macros definitions were moved to ../openssl-1.0.0/Makefile.version
+# in order to keep OpenSSL versions in ../openssl-1.0.0 and 
+# ../openssl-1.0.0-wanboot in sync
+include ../openssl-1.0.0/Makefile.version
+
+include $(WS_TOP)/make-rules/prep.mk
+include $(WS_TOP)/make-rules/configure.mk
+include $(WS_TOP)/make-rules/ips.mk
+include $(WS_TOP)/make-rules/lint-libraries.mk
+
+PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
+
+# OpenSSL does not use autoconf but its own configure system.
+CONFIGURE_SCRIPT = $(SOURCE_DIR)/Configure
+
+# This is to force OpenSSL's Configure script to use gmake for "make links". 
+# Otherwise it fails with:
+#     mksh: Fatal error in reader: Unmatched `(' on line
+CONFIGURE_ENV += MAKE="$(GMAKE)"
+
+CONFIGURE_OPTIONS =  -DNO_WINDOWS_BRAINDEATH
+CONFIGURE_OPTIONS += -DNO_CHMOD -D_BOOT -DOPENSSL_NO_DTLS1
+CONFIGURE_OPTIONS += no-cast
+CONFIGURE_OPTIONS += no-dso
+CONFIGURE_OPTIONS += no-ec
+CONFIGURE_OPTIONS += no-ecdh
+CONFIGURE_OPTIONS += no-ecdsa
+CONFIGURE_OPTIONS += no-mdc2
+CONFIGURE_OPTIONS += no-rc3
+CONFIGURE_OPTIONS += no-rc4
+CONFIGURE_OPTIONS += no-rc5
+CONFIGURE_OPTIONS += no-ripemd
+CONFIGURE_OPTIONS += no-idea
+CONFIGURE_OPTIONS += no-hw
+CONFIGURE_OPTIONS += no-threads
+CONFIGURE_OPTIONS += no-shared
+CONFIGURE_OPTIONS += no-seed
+# We use both no-whirlpool and no-whrlpool since there is an inconsistency in
+# the OpenSSL code and one needs both to build OpenSSL successfully with
+# Whirlpool implementation removed.
+CONFIGURE_OPTIONS += no-whirlpool
+CONFIGURE_OPTIONS += no-whrlpool
+
+# For wanboot, we only need 64-bit sparc binaries
+CONFIGURE_OPTIONS +=	solaris64-sparcv9-cc-sunw
+
+# OpenSSL has its own configure system which must be run from the fully
+# populated source code directory. However, the Userland configuration phase is
+# run from the build directory. So, we must get the full source code into the
+# build directory.
+COMPONENT_PRE_CONFIGURE_ACTION = \
+    ( $(CLONEY) $(SOURCE_DIR) $(BUILD_DIR)/$(MACH$(BITS)); )
+
+# File stubs.c stubs out several functions, that are not available for wanboot.
+# We do not provide it in a form of a patch to ease future maintenance.
+COMPONENT_PRE_BUILD_ACTION = \
+    ( $(CP) -fp files/stubs.c       $(@D)/crypto/; )
+
+# Object files for wanboot-openssl.o have to be listed explicitly.
+WANBOOT_OBJS =  \
+    crypto/aes/aes-sparcv9.o crypto/aes/aes_cbc.o crypto/aes/aes_cfb.o \
+    crypto/aes/aes_core.o crypto/aes/aes_ecb.o crypto/aes/aes_ofb.o \
+    crypto/aes/aes_wrap.o crypto/asn1/a_bitstr.o crypto/asn1/a_bool.o \
+    crypto/asn1/a_bytes.o crypto/asn1/a_d2i_fp.o crypto/asn1/a_digest.o \
+    crypto/asn1/a_dup.o crypto/asn1/a_enum.o crypto/asn1/a_gentm.o \
+    crypto/asn1/a_i2d_fp.o crypto/asn1/a_int.o crypto/asn1/a_mbstr.o \
+    crypto/asn1/a_object.o crypto/asn1/a_octet.o crypto/asn1/a_print.o \
+    crypto/asn1/a_set.o crypto/asn1/a_sign.o crypto/asn1/a_strex.o \
+    crypto/asn1/a_strnid.o crypto/asn1/a_time.o crypto/asn1/a_type.o \
+    crypto/asn1/a_utctm.o crypto/asn1/a_utf8.o crypto/asn1/a_verify.o \
+    crypto/asn1/ameth_lib.o crypto/asn1/asn1_err.o crypto/asn1/asn1_gen.o \
+    crypto/asn1/asn1_lib.o crypto/asn1/asn1_par.o crypto/asn1/asn_mime.o \
+    crypto/asn1/asn_pack.o crypto/asn1/bio_asn1.o crypto/asn1/bio_ndef.o \
+    crypto/asn1/d2i_pr.o crypto/asn1/evp_asn1.o crypto/asn1/f_int.o \
+    crypto/asn1/f_string.o crypto/asn1/i2d_pr.o crypto/asn1/nsseq.o \
+    crypto/asn1/p5_pbe.o crypto/asn1/p5_pbev2.o crypto/asn1/p8_pkey.o \
+    crypto/asn1/t_pkey.o crypto/asn1/t_x509.o crypto/asn1/t_x509a.o \
+    crypto/asn1/tasn_dec.o crypto/asn1/tasn_enc.o crypto/asn1/tasn_fre.o \
+    crypto/asn1/tasn_new.o crypto/asn1/tasn_prn.o crypto/asn1/tasn_typ.o \
+    crypto/asn1/tasn_utl.o crypto/asn1/x_algor.o crypto/asn1/x_attrib.o \
+    crypto/asn1/x_bignum.o crypto/asn1/x_crl.o crypto/asn1/x_exten.o \
+    crypto/asn1/x_info.o crypto/asn1/x_long.o crypto/asn1/x_name.o \
+    crypto/asn1/x_pkey.o crypto/asn1/x_pubkey.o crypto/asn1/x_req.o \
+    crypto/asn1/x_sig.o crypto/asn1/x_spki.o crypto/asn1/x_val.o \
+    crypto/asn1/x_x509.o crypto/asn1/x_x509a.o crypto/bf/bf_cfb64.o \
+    crypto/bf/bf_ecb.o crypto/bf/bf_enc.o crypto/bf/bf_ofb64.o \
+    crypto/bf/bf_skey.o crypto/bio/b_dump.o crypto/bio/b_print.o \
+    crypto/bio/bf_buff.o crypto/bio/bio_err.o crypto/bio/bio_lib.o \
+    crypto/bio/bss_file.o crypto/bio/bss_mem.o crypto/bio/bss_null.o \
+    crypto/bio/bss_sock.o crypto/bn/bn-sparcv9.o crypto/bn/bn_add.o \
+    crypto/bn/bn_blind.o crypto/bn/bn_ctx.o crypto/bn/bn_div.o \
+    crypto/bn/bn_err.o crypto/bn/bn_exp.o crypto/bn/bn_exp2.o \
+    crypto/bn/bn_gcd.o crypto/bn/bn_lib.o crypto/bn/bn_mod.o \
+    crypto/bn/bn_mont.o crypto/bn/bn_mul.o crypto/bn/bn_prime.o \
+    crypto/bn/bn_print.o crypto/bn/bn_rand.o crypto/bn/bn_recp.o \
+    crypto/bn/bn_shift.o crypto/bn/bn_sqr.o crypto/bn/bn_word.o \
+    crypto/bn/sparcv9-mont.o crypto/bn/sparcv9a-mont.o \
+    crypto/buffer/buf_err.o crypto/buffer/buffer.o crypto/camellia/camellia.o \
+    crypto/camellia/cmll_cbc.o crypto/camellia/cmll_cfb.o \
+    crypto/camellia/cmll_ecb.o crypto/camellia/cmll_misc.o \
+    crypto/camellia/cmll_ofb.o crypto/cms/cms_asn1.o crypto/cms/cms_att.o \
+    crypto/cms/cms_dd.o crypto/cms/cms_enc.o crypto/cms/cms_env.o \
+    crypto/cms/cms_err.o crypto/cms/cms_io.o crypto/cms/cms_lib.o \
+    crypto/cms/cms_sd.o crypto/comp/c_zlib.o crypto/comp/comp_err.o \
+    crypto/comp/comp_lib.o crypto/conf/conf_api.o crypto/conf/conf_def.o \
+    crypto/conf/conf_err.o crypto/conf/conf_lib.o crypto/conf/conf_mod.o \
+    crypto/cpt_err.o crypto/cryptlib.o crypto/des/cfb64ede.o \
+    crypto/des/cfb64enc.o crypto/des/cfb_enc.o crypto/des/des_enc-sparc.o \
+    crypto/des/ecb3_enc.o crypto/des/ecb_enc.o crypto/des/ofb64ede.o \
+    crypto/des/ofb64enc.o crypto/des/set_key.o crypto/des/xcbc_enc.o \
+    crypto/dh/dh_ameth.o crypto/dh/dh_asn1.o crypto/dh/dh_check.o \
+    crypto/dh/dh_err.o crypto/dh/dh_gen.o crypto/dh/dh_key.o \
+    crypto/dh/dh_lib.o crypto/dh/dh_pmeth.o crypto/dsa/dsa_ameth.o \
+    crypto/dsa/dsa_asn1.o crypto/dsa/dsa_err.o crypto/dsa/dsa_gen.o \
+    crypto/dsa/dsa_key.o crypto/dsa/dsa_lib.o crypto/dsa/dsa_ossl.o \
+    crypto/dsa/dsa_pmeth.o crypto/dsa/dsa_sign.o crypto/dsa/dsa_vrf.o \
+    crypto/dso/dso_lib.o crypto/dso/dso_null.o crypto/dso/dso_openssl.o \
+    crypto/engine/eng_ctrl.o crypto/engine/eng_err.o crypto/engine/eng_init.o \
+    crypto/engine/eng_lib.o crypto/engine/eng_list.o crypto/engine/eng_pkey.o \
+    crypto/engine/eng_table.o crypto/engine/tb_asnmth.o \
+    crypto/engine/tb_cipher.o crypto/engine/tb_dh.o crypto/engine/tb_digest.o \
+    crypto/engine/tb_dsa.o crypto/engine/tb_pkmeth.o crypto/engine/tb_rand.o \
+    crypto/engine/tb_rsa.o crypto/err/err.o crypto/err/err_all.o \
+    crypto/err/err_prn.o crypto/evp/bio_b64.o crypto/evp/bio_enc.o \
+    crypto/evp/bio_md.o crypto/evp/c_all.o crypto/evp/c_allc.o \
+    crypto/evp/c_alld.o crypto/evp/digest.o crypto/evp/e_aes.o \
+    crypto/evp/e_bf.o crypto/evp/e_camellia.o crypto/evp/e_des.o \
+    crypto/evp/e_des3.o crypto/evp/e_null.o crypto/evp/e_rc2.o \
+    crypto/evp/e_xcbc_d.o crypto/evp/encode.o crypto/evp/evp_enc.o \
+    crypto/evp/evp_err.o crypto/evp/evp_key.o crypto/evp/evp_lib.o \
+    crypto/evp/evp_pbe.o crypto/evp/evp_pkey.o crypto/evp/m_dss.o \
+    crypto/evp/m_dss1.o crypto/evp/m_md4.o crypto/evp/m_md5.o \
+    crypto/evp/m_sha.o crypto/evp/m_sha1.o crypto/evp/m_sigver.o \
+    crypto/evp/names.o crypto/evp/p5_crpt.o crypto/evp/p5_crpt2.o \
+    crypto/evp/p_lib.o crypto/evp/p_sign.o crypto/evp/p_verify.o \
+    crypto/evp/pmeth_fn.o crypto/evp/pmeth_gn.o crypto/evp/pmeth_lib.o \
+    crypto/ex_data.o crypto/hmac/hm_ameth.o crypto/hmac/hm_pmeth.o \
+    crypto/hmac/hmac.o crypto/lhash/lhash.o crypto/md4/md4_dgst.o \
+    crypto/md5/md5_dgst.o crypto/mem.o crypto/mem_dbg.o crypto/modes/cbc128.o \
+    crypto/modes/cfb128.o crypto/modes/ofb128.o crypto/o_dir.o \
+    crypto/o_time.o crypto/objects/o_names.o crypto/objects/obj_dat.o \
+    crypto/objects/obj_err.o crypto/objects/obj_lib.o \
+    crypto/objects/obj_xref.o crypto/ocsp/ocsp_asn.o crypto/ocsp/ocsp_err.o \
+    crypto/pem/pem_all.o crypto/pem/pem_err.o crypto/pem/pem_info.o \
+    crypto/pem/pem_lib.o crypto/pem/pem_oth.o crypto/pem/pem_pk8.o \
+    crypto/pem/pem_pkey.o crypto/pem/pem_x509.o crypto/pem/pem_xaux.o \
+    crypto/pkcs12/p12_add.o crypto/pkcs12/p12_asn.o crypto/pkcs12/p12_attr.o \
+    crypto/pkcs12/p12_crpt.o crypto/pkcs12/p12_decr.o crypto/pkcs12/p12_key.o \
+    crypto/pkcs12/p12_mutl.o crypto/pkcs12/p12_p8d.o crypto/pkcs12/p12_p8e.o \
+    crypto/pkcs12/p12_utl.o crypto/pkcs12/pk12err.o crypto/pkcs7/pk7_asn1.o \
+    crypto/pkcs7/pk7_attr.o crypto/pkcs7/pk7_doit.o crypto/pkcs7/pk7_lib.o \
+    crypto/pkcs7/pkcs7err.o crypto/rand/md_rand.o crypto/rand/rand_err.o \
+    crypto/rand/rand_lib.o crypto/rand/rand_unix.o crypto/rand/randfile.o \
+    crypto/rc2/rc2_cbc.o crypto/rc2/rc2_ecb.o crypto/rc2/rc2_skey.o \
+    crypto/rc2/rc2cfb64.o crypto/rc2/rc2ofb64.o crypto/rsa/rsa_ameth.o \
+    crypto/rsa/rsa_asn1.o crypto/rsa/rsa_eay.o crypto/rsa/rsa_err.o \
+    crypto/rsa/rsa_gen.o crypto/rsa/rsa_lib.o crypto/rsa/rsa_none.o \
+    crypto/rsa/rsa_oaep.o crypto/rsa/rsa_pk1.o crypto/rsa/rsa_pmeth.o \
+    crypto/rsa/rsa_pss.o crypto/rsa/rsa_sign.o crypto/rsa/rsa_ssl.o \
+    crypto/rsa/rsa_x931.o crypto/sha/sha1-sparcv9.o crypto/sha/sha1dgst.o \
+    crypto/sha/sha256-sparcv9.o crypto/sha/sha256.o \
+    crypto/sha/sha512-sparcv9.o crypto/sha/sha512.o crypto/sha/sha_dgst.o \
+    crypto/sparccpuid.o crypto/sparcv9cap.o crypto/stack/stack.o \
+    crypto/stubs.o crypto/ts/ts_err.o crypto/ui/ui_err.o crypto/x509/by_dir.o \
+    crypto/x509/by_file.o crypto/x509/x509_att.o crypto/x509/x509_cmp.o \
+    crypto/x509/x509_d2.o crypto/x509/x509_def.o crypto/x509/x509_err.o \
+    crypto/x509/x509_ext.o crypto/x509/x509_lu.o crypto/x509/x509_obj.o \
+    crypto/x509/x509_req.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o \
+    crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o \
+    crypto/x509/x509name.o crypto/x509/x509rset.o crypto/x509/x509type.o \
+    crypto/x509/x_all.o crypto/x509v3/pcy_cache.o crypto/x509v3/pcy_data.o \
+    crypto/x509v3/pcy_lib.o crypto/x509v3/pcy_map.o crypto/x509v3/pcy_node.o \
+    crypto/x509v3/pcy_tree.o crypto/x509v3/v3_akey.o crypto/x509v3/v3_akeya.o \
+    crypto/x509v3/v3_alt.o crypto/x509v3/v3_bcons.o crypto/x509v3/v3_bitst.o \
+    crypto/x509v3/v3_conf.o crypto/x509v3/v3_cpols.o crypto/x509v3/v3_crld.o \
+    crypto/x509v3/v3_enum.o crypto/x509v3/v3_extku.o crypto/x509v3/v3_genn.o \
+    crypto/x509v3/v3_ia5.o crypto/x509v3/v3_info.o crypto/x509v3/v3_int.o \
+    crypto/x509v3/v3_lib.o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_ocsp.o \
+    crypto/x509v3/v3_pci.o crypto/x509v3/v3_pcia.o crypto/x509v3/v3_pcons.o \
+    crypto/x509v3/v3_pku.o crypto/x509v3/v3_pmaps.o crypto/x509v3/v3_prn.o \
+    crypto/x509v3/v3_purp.o crypto/x509v3/v3_skey.o crypto/x509v3/v3_sxnet.o \
+    crypto/x509v3/v3_utl.o crypto/x509v3/v3err.o ssl/s3_both.o ssl/s3_clnt.o \
+    ssl/s3_enc.o ssl/s3_lib.o ssl/s3_pkt.o ssl/ssl_algs.o ssl/ssl_asn1.o \
+    ssl/ssl_cert.o ssl/ssl_ciph.o ssl/ssl_err.o ssl/ssl_err2.o ssl/ssl_lib.o \
+    ssl/ssl_rsa.o ssl/ssl_sess.o ssl/t1_enc.o ssl/t1_lib.o ssl/t1_reneg.o
+
+# Linking of openssl bits for wanboot.
+# Interface for wanboot is specified in mapfile. Object files are compiled 
+# to have functions in separate sections, unused sections get discarded.
+CREATE_BIG_OBJECT_FILE = ( \
+    cd $(BUILD_DIR)/$(MACH64); \
+    $(LD) -o wanboot-openssl.o -r -M../../mapfile -Breduce \
+        -zdiscard-unused=sections,files -zguidance \
+        $(WANBOOT_OBJS); \
+    )
+
+COMPONENT_POST_BUILD_ACTION = \
+    ($(CREATE_BIG_OBJECT_FILE); )
+
+
+# For wanboot, we only need 64-bit sparc binaries
+build_sparc:		$(BUILD_64)
+
+build_i386:
+	@echo "Not available"
+
+build:			build_$(MACH)
+
+install:
+	@echo "This component is not to be installed individually."
+
+publish:
+	@echo "This component is not to be published individually."
+
+test:		$(NO_TESTS)
+
+BUILD_PKG_DEPENDENCIES =	$(BUILD_TOOLS)
+
+include $(WS_TOP)/make-rules/depend.mk
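Review bot: In `CREATE_BIG_OBJECT_FILE` the `cd $(BUILD_DIR)/$(MACH64);` step is joined to the `$(LD)` call with `;`, so a missing build directory does not stop the recipe. The link then runs from the component directory, where `-M../../mapfile` and the relative `$(WANBOOT_OBJS)` paths no longer resolve as intended, and the failure is reported by ld rather than at its real cause. Chaining with `&&` fixes this: `cd $(BUILD_DIR)/$(MACH64) && \` followed by the unchanged `$(LD)` lines. Separately, this file passes `-D_BOOT` and the wanboot patch in this commit tests `#ifndef _BOOT`, but the new README documents the guard as `-DBOOT`; the README entry should read `-D_BOOT`.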
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/README	Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,241 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+#
+
+
+Disclaimer
+----
+
+The purpose of this directory is solely to build and deliver static OpenSSL
+binaries for wanboot. These binaries have some highly specific patches applied.
+Do not attempt to use these for any other purpose.
+
+
+Building
+----
+
+Building in this directory is triggered by running 'gmake build' in
+../openssl-1.0.0. Calling 'gmake build' locally is possible for debugging
+purposes.  There are no 'install' and 'publish' targets.  Only 64-bit sparc
+version is built, nothing is done for x86.
+
+The outcome of build is file wanboot-openssl.o containing all the openssl bits
+required for wanboot. As part of 'make install' in ../openssl-1.0.0 this file 
+is copied in to its proto area. From there, wanboot-openssl.o is published and
+delivered as a part of pkg:/library/security/openssl package.
+
+
+Patches
+----
+
+18-compiler_opts.patch:
+Taken from $USERLAND/components/openssl/openssl-1.0.0/patches/
+- modified not to link with libc (-lc);
+- '-xF=%all' added to comp. flags to create separate section for each function
+
+30_wanboot.patch:
+Wanboot specific patches.
+- modified Makefiles not to build in engines apps test tools
+- not using vfprintf for error print in crypto/cryptlib.c
+- not using ERR_load_DSO_strings() in crypto/err/err_all.c
+- not using EVP_read_pw_string() in crypto/evp/evp_key.c
+    - reading password is implemented in disabled DES library
+- avoid select() in crypto/rand/rand_unix.c
+- not defining _XOPEN_SOURCE in crypto/rand/randfile.c
+- direct reading of IP to avoid sscanf() in crypto/x509v3/v3_utl.c
+- using functions from libsock in e_os.h
+- by-passing version of sparc detection in crypto/sparcv9cap.c
+    - results in not using FPU for big numbers multiplication
+    - should be ok - original detection seems broken, FPU gets never used
+- stubs for EVP_read_pw_string_min(), OPENSSL_issetugid(), 
+    opendir(), readdir(), closedir() 
+- implementation of atoi()
+
+
+Configure options
+----
+
+Most of the Configure options where carried over from the original code when
+migrating openssl for wanboot from ON to Userland. For the most part, these
+options exclude unused ciphers.
+
+New options added:
+-DNO_CHMOD		chmod not available in stand-alone environment
+-DBOOT			guard for wanboot specific patches
+-DOPENSSL_NO_DTLS1	to avoid dtls1_min_mtu() - DTLS not used anyway
+
+
+List of object files for wanboot-openssl.o
+----
+
+At this moment, object files for wanboot-openssl.o need to be listed explicitly.
+This is cumbersome and relatively tedious with respect to upgrading to higher
+version of openssl.
+
+In future, it would be nice, if this could be performed automatically by the
+linker. The required interface for wanboot is already defined in a mapfile and
+linker option '-zdiscard-unused=sections,files' is already used to discard
+unused code. 
+But sadly, at this moment when the linker is given all the object files, it
+fails to recognize some unreferenced sections as unused. As a result, numerous
+object files are not discarded, although they should be. These files are not
+patched to work in standalone environment, which causes wanboot linking failure
+due to undefined references.
+
+In order to determine which openssl object files are required for wanboot,
+first build static standalone openssl bits in Userland. As a site effect,
+static libraries libssl.a and libcrypto.a are created.
+
+    $ cd $USERLAND/components/openssl/openssl-1.0.0-wanboot ; gmake build
+
+Next, collect some information from linking wanboot static libraries in ON.
+This can be done by the following hack.
+
+    $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4
+    $ touch wanboot.o
+    $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \
+        -L$USERLAND/components/openssl/openssl-1.0.0-wanboot/build/sparcv9 " \
+        WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all
+
+The following sort of information ends up in ld.dbg (note that the debugging
+output from the link-editor is not considered a 'stable interface' and may
+change in the future):
+
+    debug:
+    debug: file=/builds/tkuthan/ul-s11u1/components/openssl/openssl-1.0.0-wanboot/build/sparcv9/libcrypto.a(sparcv9cap.o)  [ ET_REL ]
+    debug:
+    debug: symbol table processing; file=/builds/tkuthan/ul-s11u1/components/openssl/openssl-1.0.0-wanboot/build/sparcv9/libcrypto.a(sparcv9cap.o)  [ ET_REL ]
+    debug: symbol[1]=sparcv9cap.c
+    ...
+
+Now run the following script in Userland:
+
+    #!/bin/bash
+ 
+    # set to workspace paths:
+    USERLAND=/builds/tkuthan/ul-s11u1
+    ON=/builds/tkuthan/on11u1-wanboot-rti
+ 
+    BUILD=$USERLAND/components/openssl/openssl-1.0.0-wanboot/build/sparcv9
+    LD_DBG=$ON/usr/src/psm/stand/boot/sparcv9/sun4/ld.dbg
+ 
+    for i in `find $BUILD/crypto $BUILD/ssl -name '*.o'`
+    do
+            f=`basename $i`
+            if grep -q "^debug: file.*\<$f\>" $LD_DBG
+            then
+                    echo $i | sed "s#$BUILD/##"
+            fi
+    done
+
+to get the list of required object files.
+
+Additionally, you can format the list for including to Makefile by:
+    $ sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/    /' -e 's/$/\\/'
+
+
+Linking with wanboot
+----
+
+When linking with wanboot please pay attention to following pitfalls.
+
+Correct openssl header files need to be included. This is done in
+$ON/usr/src/stand/lib/wanboot/Makefile
+Make sure CPPFLAGS point to the right directories.
+
+EXTREME CAUTION needs to be employed, if WANBOOT GREW IN SIZE because of the
+changes!
+Wanboot is a statically linked standalone binary and it is loaded on a fixed
+address before execution. This address is defined in 
+$ON/usr/src/psm/stand/boot/sparc/common/mapfile:
+
+     27 LOAD_SEGMENT text {
+     28 	FLAGS = READ EXECUTE;
+     29 	VADDR = 0x130000;
+     30 	ASSIGN_SECTION {
+     31 		TYPE = PROGBITS;
+     32 		FLAGS = ALLOC !WRITE;
+     33 	};
+     34 };
+
+This address (VADDR) NEEDS TO BE GREATER THEN 
+    size of .text section + size of .data section + 0x4000
+
+The reason for this is in how wanboot is loaded by OpenBoot Prom:
+1) user initiates boot from network - "boot net"
+2) obp loads wanboot binary at address 0x4000
+3) obp parses ELF header, reads virtual address where to load wanboot to
+4) obp mem-copies .text section to this address
+5) obp copies .data section behind .text
+6) obp starts executing wanboot at entry address
+
+If the given address is too small, obp overwrites part of .data with
+instructions from .text in step 4. resulting in .data being corrupted.
+Initialized variables get bogus values and failure is inevitable.
+This is very hard to troubleshoot.
+
+
+Testing wanboot with new openssl
+----
+
+With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and
+works well with the new bits.
+
+Provided you have a freshly built ON workspace, you can link wanboot with new
+OpenSSL bits by redefining WAN_OPENSSL macro:
+
+    # copy wanboot-openssl.o to ON build machine
+    cp wanboot-openssl.o /var/tmp/
+
+    # prepare to rebuild wanboot
+    cd $ON
+    bldenv developer.sh
+    cd usr/src/psm/stand/boot/sparcv9/sun4
+
+    # hack to force a rebuild
+    touch wanboot.o
+
+    # link new OpenSSL to wanboot
+    WAN_OPENSSL=/var/tmp/wanboot-openssl.o dmake all
+
+Wanboot should build without warning.
+
+If there is something like this in the output:
+
+    Undefined                       first referenced
+     symbol                             in file
+    CRYPTO_ccm128_setiv                 /var/tmp/wanboot-openssl.o
+    SSL_get_srtp_profiles               /var/tmp/wanboot-openssl.o
+    ssl_parse_clienthello_use_srtp_ext  /var/tmp/wanboot-openssl.o
+    CRYPTO_gcm128_setiv                 /var/tmp/wanboot-openssl.o
+    ...
+    cmac_pkey_meth                      /var/tmp/wanboot-openssl.o
+    ld: fatal: symbol referencing errors. No output written to wanboot
+    *** Error code 1
+    dmake: Fatal error: Command failed for target `wanboot'
+
+some additional work has to be done in OpenSSL to either satisfy the function 
+references listed in the linker error message, or to remove the calls to these
+functions.
+
+Finally, resulting wanboot binary shall be deployed on some install server and
+wanbooting from this server shall be tested.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/files/stubs.c	Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,118 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+ */
+
+
+#include <sys/types.h>
+#include <dirent.h>
+#include <errno.h>
+#include <stddef.h>
+
+/*
+ * In OpenSSL 0.9.7 the EVP_read_pw_string now calls into the new "ui"
+ * routines of 0.9.7, which is not compiled in the standalone, so it is
+ * stubbed out here to avoid having to add a bunch of #ifndef's elsewhere.
+ */
+/* ARGSUSED */
+int
+EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt, int
+    verify)
+{
+	return (-1); /* failure */
+}
+
+/*
+ * In standalone issetugid() is always false.
+ */
+int
+OPENSSL_issetugid(void)
+{
+	return (1);
+}
+
+/*
+ * Directory routines -- currently, the only consumer of these interfaces
+ * is $SRC/common/openssl/ssl/ssl_cert.c, and it has fallback code in the
+ * case of failure, so we just fail opendir() and stub out the rest.  At
+ * some point, we may need to provide a real implementation.
+ */
+/* ARGSUSED */
+DIR *
+opendir(const char *dirname)
+{
+	errno = EACCES;
+	return (NULL);
+}
+
+/* ARGSUSED */
+struct dirent *
+readdir(DIR *dirp)
+{
+	return (NULL);
+}
+
+/* ARGSUSED */
+int
+closedir(DIR *dirp)
+{
+	return (0);
+}
+
+/*
+ * Atoi is used on multiple places in libcrypto.
+ * This implementation is taken from stand-alone libsock library:
+ * usr/src/stand/lib/sock/sock_test.c
+ * Alternative solution: just extern it here, wanboot has -lsock anyway.
+ */
+#ifndef	isdigit
+#define	isdigit(c) ((c) >= '0' && (c) <= '9')
+#endif
+
+#ifndef	isspace
+#define	isspace(c) ((c) == ' ' || (c) == '\t' || (c) == '\n' || \
+		    (c) == '\r' || (c) == '\f' || (c) == '\013')
+#endif
+int
+atoi(const char *p)
+{
+	int n;
+	int c = *p++, neg = 0;
+
+	while (isspace(c)) {
+		c = *p++;
+	}
+	if (!isdigit(c)) {
+		switch (c) {
+		case '-':
+			neg++;
+			/* FALLTHROUGH */
+		case '+':
+			c = *p++;
+		}
+	}
+	for (n = 0; isdigit(c); c = *p++) {
+		n *= 10; /* two steps to avoid unnecessary overflow */
+		n += '0' - c; /* accum neg to avoid surprises at MAX */
+	}
+	return (neg ? n : -n);
+}
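Review bot: The comment above `OPENSSL_issetugid()` says issetugid() is always false in standalone, yet the function returns 1, which callers read as true. Returning 1 looks like the conservative choice, since OpenSSL code that consults this function generally skips environment-supplied paths when it is non-zero, so presumably the code is intended and the comment is wrong. Suggested comment: `/* No set-id concept in standalone; report 1 so OpenSSL ignores environment-supplied paths. */`. Separately, `atoi()` does `n *= 10` on a plain `int` with no bound, so a long digit string overflows a signed value, which is undefined behaviour in C. A comment stating that callers pass only short numeric strings, or a range check before the multiply, would make that contract explicit.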
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/mapfile	Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,126 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+#
+
+#
+# This file defines interface requirements of wanboot on OpenSSL.
+#
+
+$mapfile_version 2
+SYMBOL_SCOPE {
+		ERR_clear_error;
+		SSL_CTX_set_default_passwd_cb;
+		SSL_load_error_strings;
+		EVP_PKEY_free;
+		SSL_get_peer_certificate;
+		SSL_CIPHER_get_name;
+		sk_value;
+		RAND_load_file;
+		X509_NAME_oneline;
+		SSL_write;
+		X509_NAME_get_text_by_NID;
+		OPENSSL_uni2asc;
+		SSL_CTX_set_default_passwd_cb_userdata;
+		SSL_CTX_use_PrivateKey_file;
+		OPENSSL_asc2uni;
+		SSL_get_error;
+		ASN1_UTF8STRING_free;
+		ASN1_mbstring_copy;
+		ERR_error_string;
+		PKCS12_unpack_p7data;
+		X509_free;
+		ERR_get_error;
+		ERR_put_error;
+		PKCS12_free;
+		ASN1_UTF8STRING_new;
+		OPENSSL_add_all_algorithms_noconf;
+		OBJ_nid2obj;
+		PKCS12_SAFEBAG_free;
+		ASN1_STRING_free;
+		sk_delete;
+		OBJ_obj2nid;
+		SSL_CTX_set_verify_depth;
+		PKCS8_PRIV_KEY_INFO_free;
+		SSL_set_connect_state;
+		sk_pop_free;
+		BIO_s_file;
+		SSL_set_fd;
+		SSL_CTX_use_PrivateKey;
+		ASN1_STRING_to_UTF8;
+		PKCS12_certbag2x509;
+		PKCS7_free;
+		PKCS12_decrypt_skey;
+		BIO_new;
+		RAND_status;
+		sk_num;
+		SSL_get_verify_result;
+		SSL_free;
+		SSL_read;
+		SSL_new;
+		SSLv3_client_method;
+		X509_check_private_key;
+		SSL_CTX_new;
+		ASN1_TYPE_set;
+		ASN1_TYPE_new;
+		ERR_peek_error;
+		CRYPTO_free;
+		SSL_CTX_load_verify_locations;
+		PKCS12_unpack_authsafes;
+		X509_ATTRIBUTE_new;
+		PKCS12_unpack_p7encdata;
+		sk_push;
+		SSL_connect;
+		SSL_shutdown;
+		SSL_CTX_use_certificate_file;
+		PKCS12_get_attr_gen;
+		X509_verify_cert_error_string;
+		X509_ATTRIBUTE_free;
+		X509_alias_set1;
+		PKCS12_verify_mac;
+		ASN1_TIME_print;
+		SSL_CTX_use_certificate;
+		SSL_get_ciphers;
+		SSL_CTX_ctrl;
+		SSL_CTX_free;
+		X509_keyid_set1;
+		ERR_load_strings;
+		EVP_EncodeBlock;
+		ASN1_TYPE_free;
+		sk_new_null;
+		SSL_get_current_cipher;
+		ASN1_STRING_cmp;
+		ASN1_STRING_set;
+		ERR_get_next_error_library;
+		EVP_PKCS82PKEY;
+		X509_get_issuer_name;
+		CRYPTO_malloc;
+		BIO_ctrl;
+		BIO_free;
+		X509_STORE_add_cert;
+		ASN1_STRING_type_new;
+		SSL_CTX_set_cipher_list;
+		X509_get_subject_name;
+		SSL_library_init;
+		d2i_PKCS12_fp;
+	local:
+		*;
+};
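Review bot: `SSLv3_client_method` is the only protocol method exported in this `SYMBOL_SCOPE`, and `WANBOOT_OBJS` in the new Makefile lists `ssl/s3_clnt.o` but no `ssl/t1_clnt.o` or `ssl/s23_clnt.o`. The wanboot client therefore appears to be fixed to SSLv3, with no TLS client method linked in. If that is a deliberate carry-over from the earlier wanboot code, the header comment should say so, for example `# wanboot negotiates SSLv3 only; exporting a TLS method also requires adding its object file to WANBOOT_OBJS.` Otherwise consider exporting `TLSv1_client_method` and adding `ssl/t1_clnt.o` to the object list, given that `ssl/t1_enc.o` and `ssl/t1_lib.o` are already linked; whether wanboot's callers would need changes is not visible here.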
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/patches/18-compiler_opts.patch	Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,15 @@
+--- openssl-1.0.0f/Configure	Thu Feb 10 20:02:41 2011
++++ /tmp/Configure	Thu Feb 10 20:01:51 2011
[email protected]@ -246,6 +246,12 @@
+ #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
+ "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+ 
++#### Solaris configs, used for OpenSSL as delivered by S11.
++# Option -xF=%all instructs the compiler to place functions and data
++# variables into separate section fragments. This enables the link editor
++# to discard unused sections and files when linking wanboot-openssl.o
++"solaris64-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -xF=%all -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/bin/ar rs::/64",
++
+ #### IRIX 5.x configs
+ # -mips2 flag is added by ./config when appropriate.
+ "irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/patches/30_wanboot.patch	Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,348 @@
+--- openssl-1.0.0e/Makefile	2011-09-06 06:18:01.000000000 -0700
++++ openssl-1.0.0e_patched/Makefile	2011-12-19 08:29:38.100618700 -0800
[email protected]@ -111,7 +111,7 @@
+ ZLIB_INCLUDE=
+ LIBZLIB=
+ 
+-DIRS=   crypto ssl engines apps test tools
++DIRS=   crypto ssl
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+ 
+--- openssl-1.0.0e/Makefile.org	2010-01-27 08:06:58.000000000 -0800
++++ openssl-1.0.0e_patched/Makefile.org	2011-12-19 08:30:01.795240100 -0800
[email protected]@ -109,7 +109,7 @@
+ ZLIB_INCLUDE=
+ LIBZLIB=
+ 
+-DIRS=   crypto ssl engines apps test tools
++DIRS=   crypto ssl
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+ 
+--- openssl-1.0.0e/crypto/cryptlib.c	2011-06-22 08:39:00.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/cryptlib.c	2011-12-12 06:17:45.422476900 -0800
[email protected]@ -871,6 +871,10 @@
+ 	MessageBox (NULL,buf,_T("OpenSSL: FATAL"),MB_OK|MB_ICONSTOP);
+ }
+ #else
++/* Solaris libsa.a used for WAN boot doesn't provide for vfprintf(). Since
++ *  * OPENSSL_showfatal() is not used anywhere else then here we can safely use
++ *   * the code from 0.9.7d version. */
++#ifndef	_BOOT
+ void OPENSSL_showfatal (const char *fmta,...)
+ { va_list ap;
+ 
[email protected]@ -878,14 +882,21 @@
+     vfprintf (stderr,fmta,ap);
+     va_end (ap);
+ }
++#endif	/* _BOOT */
+ int OPENSSL_isservice (void) { return 0; }
+ #endif
+ 
+ void OpenSSLDie(const char *file,int line,const char *assertion)
+ 	{
++#ifndef	_BOOT		
+ 	OPENSSL_showfatal(
+ 		"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+ 		file,line,assertion);
++#else
++	fprintf(stderr,
++		"%s(%d): OpenSSL internal error, assertion failed: %s\n",
++		file,line,assertion);
++#endif	
+ #if !defined(_WIN32) || defined(__CYGWIN__)
+ 	abort();
+ #else
+--- openssl-1.0.0e/crypto/err/err_all.c	2009-08-09 07:58:05.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/err/err_all.c	2011-12-13 05:22:01.205351400 -0800
[email protected]@ -142,7 +142,9 @@
+ 	ERR_load_X509V3_strings();
+ 	ERR_load_PKCS12_strings();
+ 	ERR_load_RAND_strings();
++#ifndef _BOOT
+ 	ERR_load_DSO_strings();
++#endif /* _BOOT */
+ 	ERR_load_TS_strings();
+ #ifndef OPENSSL_NO_ENGINE
+ 	ERR_load_ENGINE_strings();
+--- openssl-1.0.0e/crypto/evp/evp_key.c	2010-03-27 12:27:50.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/evp/evp_key.c	2011-12-13 05:19:32.956908600 -0800
[email protected]@ -84,7 +84,7 @@
+ 	else
+ 		return(prompt_string);
+ 	}
+-
++#ifndef	_BOOT
+ /* For historical reasons, the standard function for reading passwords is
+  * in the DES library -- if someone ever wants to disable DES,
+  * this function will fail */
[email protected]@ -111,6 +111,7 @@
+ 	OPENSSL_cleanse(buff,BUFSIZ);
+ 	return ret;
+ 	}
++#endif	/* !_BOOT */
+ 
+ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, 
+ 	     const unsigned char *salt, const unsigned char *data, int datal,
+--- openssl-1.0.0e/crypto/rand/rand_unix.c	2009-04-06 07:31:36.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c	2011-12-19 07:28:39.988944800 -0800
[email protected]@ -122,7 +122,11 @@
+ #include <sys/time.h>
+ #include <sys/times.h>
+ #include <sys/stat.h>
++#ifdef	_BOOT
++#include <sys/fcntl.h>
++#else
+ #include <fcntl.h>
++#endif
+ #include <unistd.h>
+ #include <time.h>
+ #if defined(OPENSSL_SYS_LINUX) /* should actually be available virtually everywhere */
[email protected]@ -253,6 +257,11 @@
+ 	const char **egdsocket = NULL;
+ #endif
+ 
++#ifdef _BOOT
++/* open() is provided by standalone libsa not visible from here */
++extern int open(const char *, int);
++#endif
++
+ #ifdef DEVRANDOM
+ 	memset(randomstats,0,sizeof(randomstats));
+ 	/* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
[email protected]@ -295,9 +304,13 @@
+ 				{
+ 				int try_read = 0;
+ 
+-#if defined(OPENSSL_SYS_BEOS_R5)
++#if defined(OPENSSL_SYS_BEOS_R5) || defined(_BOOT)
+ 				/* select() is broken in BeOS R5, so we simply
+ 				 *  try to read something and snooze if we couldn't */
++				/* 
++				 * select() is not available when linking stand-alone
++				 * library for wanboot 
++				 */
+ 				try_read = 1;
+ 
+ #elif defined(OPENSSL_SYS_LINUX)
[email protected]@ -355,6 +368,7 @@
+ 				else
+ 					r = -1;
+ 				
++#ifndef	_BOOT				
+ 				/* Some Unixen will update t in select(), some
+ 				   won't.  For those who won't, or if we
+ 				   didn't use select() in the first place,
[email protected]@ -366,13 +380,17 @@
+ 				}
+ 			while ((r > 0 ||
+ 			       (errno == EINTR || errno == EAGAIN)) && usec != 0 && n < ENTROPY_NEEDED);
++#else	/* _BOOT */
++				}
++			while (r > 0 && n < ENTROPY_NEEDED);
++#endif	/* _BOOT */			
+ 
+ 			close(fd);
+ 			}
+ 		}
+ #endif /* defined(DEVRANDOM) */
+ 
+-#ifdef DEVRANDOM_EGD
++#if defined(DEVRANDOM_EGD) && !defined(_BOOT)
+ 	/* Use an EGD socket to read entropy from an EGD or PRNGD entropy
+ 	 * collecting daemon. */
+ 
[email protected]@ -395,6 +413,7 @@
+ 		}
+ #endif
+ 
++#ifndef	_BOOT
+ 	/* put in some default random data, we need more than just this */
+ 	l=curr_pid;
+ 	RAND_add(&l,sizeof(l),0.0);
[email protected]@ -403,6 +422,7 @@
+ 
+ 	l=time(NULL);
+ 	RAND_add(&l,sizeof(l),0.0);
++#endif /* !_BOOT */	
+ 
+ #if defined(OPENSSL_SYS_BEOS)
+ 	{
+
+--- openssl-1.0.0e/crypto/rand/randfile.c	2011-03-19 02:44:37.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/randfile.c	2011-12-13 05:26:51.884824200 -0800
[email protected]@ -57,7 +57,9 @@
+  */
+ 
+ /* We need to define this to get macros like S_IFBLK and S_IFCHR */
++#ifndef	_BOOT
+ #define _XOPEN_SOURCE 500
++#endif	/* _BOOT */
+ 
+ #include <errno.h>
+ #include <stdio.h>
+--- openssl-1.0.0e/crypto/x509v3/v3_utl.c	2009-07-27 14:08:53.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c	2011-12-13 05:10:08.844191400 -0800
[email protected]@ -659,9 +659,52 @@
+ 		}
+ 	}
+ 
++#if	defined(_BOOT)
++/* This function was copied from bio/b_sock.c */
++static int get_ip(const char *str, unsigned char ip[4])
++	{
++	unsigned int tmp[4];
++	int num=0,c,ok=0;
++
++	tmp[0]=tmp[1]=tmp[2]=tmp[3]=0;
++
++	for (;;)
++		{
++		c= *(str++);
++		if ((c >= '0') && (c <= '9'))
++			{
++			ok=1;
++			tmp[num]=tmp[num]*10+c-'0';
++			if (tmp[num] > 255) return(0);
++			}
++		else if (c == '.')
++			{
++			if (!ok) return(-1);
++			if (num == 3) return(0);
++			num++;
++			ok=0;
++			}
++		else if (c == '\0' && (num == 3) && ok)
++			break;
++		else
++			return(0);
++		}
++	ip[0]=tmp[0];
++	ip[1]=tmp[1];
++	ip[2]=tmp[2];
++	ip[3]=tmp[3];
++	return(1);
++	}
++#endif /* _BOOT */
++
+ static int ipv4_from_asc(unsigned char *v4, const char *in)
+ 	{
+ 	int a0, a1, a2, a3;
++
++#if	defined(_BOOT)
++	if (get_ip(in, v4) != 1)
++		return 0;
++#else	/* _BOOT */
+ 	if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+ 		return 0;
+ 	if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
[email protected]@ -671,6 +716,7 @@
+ 	v4[1] = a1;
+ 	v4[2] = a2;
+ 	v4[3] = a3;
++#endif	/* _BOOT */
+ 	return 1;
+ 	}
+ 
+--- openssl-1.0.0e/doc/crypto/hmac.pod	2009-09-30 16:40:52.000000000 -0700
++++ openssl-1.0.0e_patched/doc/crypto/hmac.pod	2011-12-12 05:39:53.818071600 -0800
[email protected]@ -2,7 +2,7 @@
+ 
+ =head1 NAME
+ 
+-HMAC, HMAC_Init, HMAC_Update, HMAC_Final, HMAC_cleanup - HMAC message
++HMAC, HMAC_CTX_init, HMAC_Init, HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_cleanup, HMAC_cleanup - HMAC message
+ authentication code
+ 
+ =head1 SYNOPSIS
+--- openssl-1.0.0e/e_os.h	2011-12-19 04:17:51.631087400 -0800
++++ openssl-1.0.0e_patched/e_os.h	2011-12-19 04:15:15.776668900 -0800
[email protected]@ -207,10 +207,19 @@
+ #define get_last_socket_error()	errno
+ #define clear_socket_error()	errno=0
+ #define ioctlsocket(a,b,c)	ioctl(a,b,c)
++#ifdef	_BOOT
++#include <netinet/in.h>
++extern int socket_read(int, void *, size_t, int);
++extern int socket_close(int);
++#define	closesocket(s)		socket_close(s)
++#define	readsocket(s,b,n)	socket_read((s),(b),(n), 200)
++#define	writesocket(s,b,n)	send((s),(b),(n), 0)
++#else  /* !_BOOT */
+ #define closesocket(s)		close(s)
+ #define readsocket(s,b,n)	read((s),(b),(n))
+ #define writesocket(s,b,n)	write((s),(b),(n))
+ #endif
++#endif
+ 
+ #ifdef WIN16 /* never the case */
+ #  define MS_CALLBACK	_far _loadds
+--- openssl-1.0.0e/crypto/sparcv9cap.c	2010-09-05 12:48:01.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/sparcv9cap.c	2011-12-23 05:24:02.011607700 -0800
[email protected]@ -12,7 +12,7 @@
+ #define SPARCV9_VIS2		(1<<3)	/* reserved */
+ #define SPARCV9_FMADD		(1<<4)	/* reserved for SPARC64 V */
+ 
+-static int OPENSSL_sparcv9cap_P=SPARCV9_TICK_PRIVILEGED;
++static int OPENSSL_sparcv9cap_P = SPARCV9_VIS1;
+ 
+ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np,const BN_ULONG *n0, int num)
+ 	{
[email protected]@ -32,6 +32,7 @@
+ void		_sparcv9_vis2_probe(void);
+ void		_sparcv9_fmadd_probe(void);
+ 
++#ifndef _BOOT
+ unsigned long OPENSSL_rdtsc(void)
+ 	{
+ 	if (OPENSSL_sparcv9cap_P&SPARCV9_TICK_PRIVILEGED)
[email protected]@ -43,8 +44,19 @@
+ 	else
+ 		return _sparcv9_rdtick();
+ 	}
++#endif
++
++#if defined(_BOOT)
++/*
++ * Hardcoding sparc capabilities for wanboot.
++ * Older CPUs are EOLed anyway.
++ */
++void OPENSSL_cpuid_setup(void)
++	{
++	OPENSSL_sparcv9cap_P = SPARCV9_VIS1;
++	}
+ 
+-#if 0 && defined(__sun) && defined(__SVR4)
++#elif 0 && defined(__sun) && defined(__SVR4)
+ /* This code path is disabled, because of incompatibility of
+  * libdevinfo.so.1 and libmalloc.so.1 (see below for details)
+  */
+--- openssl-1.0.0e/crypto/sparccpuid.S	2010-09-05 12:48:01.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/sparccpuid.S	2012-02-13 07:42:58.259478325 -0800
[email protected]@ -397,6 +397,11 @@
+ .type	OPENSSL_cleanse,#function
+ .size	OPENSSL_cleanse,.-OPENSSL_cleanse
+ 
++#ifndef _BOOT
+ .section	".init",#alloc,#execinstr
+	call	OPENSSL_cpuid_setup
+	nop
++#else
++	nop
++	nop
++#endif
+--- openssl-1.0.0e/crypto/Makefile	2010-07-26 15:09:59.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/Makefile	2011-12-22 08:26:22.041955800 -0800
[email protected]@ -34,8 +34,8 @@
+ 
+ LIB= $(TOP)/libcrypto.a
+ SHARED_LIB= libcrypto$(SHLIB_EXT)
+-LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c
+-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o $(CPUID_OBJ)
++LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c stubs.c
++LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o stubs.o $(CPUID_OBJ)
+ 
+ SRC= $(LIBSRC)
+ 
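Review bot: In the crypto/rand/rand_unix.c part of this patch, the `_BOOT` branch closes the read loop with `while (r > 0 && n < ENTROPY_NEEDED);`, so one read that returns 0 or fails ends seeding with fewer than ENTROPY_NEEDED bytes, where the non-boot branch retries on EINTR/EAGAIN. The same patch compiles out the EGD source under `_BOOT`, so the random device is the only seeding path visible here for wanboot. The code that consumes `n` lies outside the hunk, so whether a short seed is detected cannot be confirmed from this page. I would add a comment at the `#else /* _BOOT */` branch, for example `/* standalone: no select()/retry, a short read ends seeding early; caller must check RAND_status() */`, and confirm that wanboot makes that check before any key generation or TLS handshake.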
--- a/components/openssl/openssl-1.0.0/Makefile	Thu Mar 22 13:55:41 2012 -0700
+++ b/components/openssl/openssl-1.0.0/Makefile	Thu Mar 22 14:20:01 2012 -0700
@@ -22,18 +22,11 @@
 #
 include ../../../make-rules/shared-macros.mk
 
-COMPONENT_NAME =	openssl
-# When new version of OpenSSL comes in, you must update both COMPONENT_VERSION
-# and IPS_COMPONENT_VERSION.
-COMPONENT_VERSION =	1.0.0g
-# Version for IPS. It is easier to do it manually than convert the letter to a
-# number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.0.7
-COMPONENT_PROJECT_URL=	http://www.openssl.org/
-COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
-COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH=	sha1:2b517baada2338663c27314cb922f9755e73e07f
-COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
+# COMPONENT_NAME, COMPONENT_VERSION, IPS_COMPONENT_VERSION and some other
+# related macros definitions were moved to ../openssl-1.0.0/Makefile.version
+# in order to keep OpenSSL versions in ../openssl-1.0.0 and
+# ../openssl-1.0.0-wanboot in sync
+include Makefile.version
 
 # Architecture-specific patches
 EXTRA_PATCHES.i386 = $(PATCH_DIR)/openssl-1.0.0d-aesni-v4.i386-patch
@@ -50,6 +43,11 @@
 # OpenSSL does not use autoconf but its own configure system.
 CONFIGURE_SCRIPT = $(SOURCE_DIR)/Configure
 
+# This is to force OpenSSL's Configure script to use gmake for 'make links'. 
+# Otherwise it fails with:
+#     mksh: Fatal error in reader: Unmatched `(' on line
+CONFIGURE_ENV += MAKE="$(GMAKE)"
+
 # Used in the configure options below.
 PKCS11_LIB32 = /usr/lib/libpkcs11.so.1
 PKCS11_LIB64 = /usr/lib/64/libpkcs11.so.1
@@ -120,6 +118,35 @@
     ( [ $(BITS) -eq 32 ] && $(GPATCH) -p1 $(@D)/crypto/opensslconf.h \
       patches-post-config/opensslconf.patch; cd $(@D); $(MAKE) depend; )
 
+# This conditional part triggers actions in ../openssl-1.0.0-wanboot directory
+# in order to create static openssl bits for linking with wanboot.
+# Specifically
+#     - propagate clean and clobber targets to wanboot dir
+#     - build wanboot bits and copy in wanboot-openssl.o to proto area
+#     - cache (link) openssl tarball from wanboot dir
+ifeq ($(MACH), sparc)
+WANBOOT_DIR	= $(COMPONENT_DIR)/../openssl-1.0.0-wanboot
+WANBOOT_TO	= $(PROTO_DIR)/lib/openssl/wanboot/$(MACH64)
+clobber clean::
+	(cd $(WANBOOT_DIR) ; $(GMAKE) [email protected])
+
+# In order not to download the tarball twice (once here and once in 
+# ../openssl-1.0.0-wanboot), there is a hacky caching applied.
+# After having build in ../openssl-1.0.0-wanboot an attempt is made to create
+# a soft-link in this directory pointing to the tarball. 
+$(WANBOOT_DIR)/build/$(MACH64)/.built:
+	(cd $(WANBOOT_DIR) ; $(GMAKE) build;)
+	-$(LN) -s $(WANBOOT_DIR)/$(COMPONENT_ARCHIVE) $(COMPONENT_DIR)/ 
+
+build: $(WANBOOT_DIR)/build/$(MACH64)/.built
+install: $(WANBOOT_DIR)/build/$(MACH64)/.built
+
+$(INSTALL_64): COMPONENT_POST_INSTALL_ACTION = \
+    ( $(MKDIR) -p $(WANBOOT_TO); \
+      $(CP) $(WANBOOT_DIR)/build/$(MACH64)/wanboot-openssl.o $(WANBOOT_TO); )
+endif
+
+
 # We do not ship our engines as patches since it would be more difficult to
 # update the files which have been under continuous development. We rather copy
 # the files to the right directories.
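Review bot: Both recursive recipes in the sparc block join `cd` and `$(GMAKE)` with `;`, so if `$(WANBOOT_DIR)` is missing the sub-make still runs, in whatever directory the recipe started in. For the `clobber clean::` rule that would presumably re-enter the same rule in this component. Chain with `&&` instead, `(cd $(WANBOOT_DIR) && $(GMAKE) build)`, and do the same in the clean/clobber recipe. The `-$(LN) -s` line ignores every failure, not only "link already exists"; a short comment naming the failure that is expected would make that intent clear.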
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0/Makefile.version	Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,45 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+
+
+#
+# This file contains version-related macro definitions. It is included
+# by both ./Makefile and ../openssl-1.0.0-wanboot/Makefile in order to
+# keep them in sync.
+#
+
+COMPONENT_NAME =	openssl
+# When new version of OpenSSL comes in, you must update both COMPONENT_VERSION
+# and IPS_COMPONENT_VERSION.
+# When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
+# For more information about wanboot-openssl testing, please refer to
+# ../openssl-1.0.0-wanboot/README.
+COMPONENT_VERSION =	1.0.0g
+# Version for IPS. It is easier to do it manually than convert the letter to a
+# number while taking into account that there might be no letter at all.
+IPS_COMPONENT_VERSION = 1.0.0.7
+COMPONENT_PROJECT_URL=	http://www.openssl.org/
+COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
+COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH=	sha1:2b517baada2338663c27314cb922f9755e73e07f
+COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
+
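Review bot: `COMPONENT_ARCHIVE_HASH` pins the tarball with a SHA-1 digest while `COMPONENT_PROJECT_URL` is plain `http://`, so that digest is the only integrity check on the download, and with this file it now covers both the regular and the wanboot build. If the fetch rules in make-rules accept a stronger digest, prefer `COMPONENT_ARCHIVE_HASH= sha256:<sha256-of-the-verified-tarball>` (placeholder, to be computed from a copy checked against the upstream signature). A one-line comment above the hash saying how the value was verified would also help the next person who bumps `COMPONENT_VERSION`.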
--- a/components/openssl/openssl-1.0.0/openssl-1.0.0.p5m	Thu Mar 22 13:55:41 2012 -0700
+++ b/components/openssl/openssl-1.0.0/openssl-1.0.0.p5m	Thu Mar 22 14:20:01 2012 -0700
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -171,6 +171,15 @@
 file path=usr/include/openssl/x509.h
 file path=usr/include/openssl/x509_vfy.h
 file path=usr/include/openssl/x509v3.h
+# Wanboot static standalone openssl binaries
+dir path=/lib
+dir path=/lib/openssl
+dir path=/lib/openssl/wanboot
+dir path=/lib/openssl/wanboot/$(MACH64)
+file path=/lib/openssl/wanboot/$(MACH64)/wanboot-openssl.o \
+    variant.arch=sparc \
+    pkg.depend.bypass-generate=.* \
+    pkg.linted.userland.action001=true
 # Manual pages.
 dir path=usr/share
 dir path=usr/share/man
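Review bot: Only the `file` action carries `variant.arch=sparc`; the four new `dir` actions have no variant, so they would also be delivered on non-sparc builds, leaving an empty `lib/openssl/wanboot/$(MACH64)` tree there. Consider adding `variant.arch=sparc` to the wanboot-specific `dir` lines (at least `/lib/openssl/wanboot` and below). The new paths also start with `/` while the surrounding actions use relative paths such as `usr/include/openssl/x509.h`; using `lib/openssl/...` would keep the manifest consistent.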