7141635 Deliver wanboot-openssl.o for wanboot
6869649 wanboot may not require "get_ip" anymore
7145496 OpenSSL's Configure calls /usr/bin/make for "make links" which fails
--- a/components/openssl/README Thu Mar 22 13:55:41 2012 -0700
+++ b/components/openssl/README Thu Mar 22 14:20:01 2012 -0700
@@ -18,17 +18,20 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
#
Build Layout
---
-OpenSSL build is run three times. Once for 1.0.0 non-fips, once for 0.9.8
+OpenSSL build is run four times. Once for regular dynamic 1.0.0 non-fips, once
+for static 1.0.0 bits to link with standalone wanboot binary, once for 0.9.8
fips-140, and once for 0.9.8 FIPS-140 canister (in the openssl-fips component)
-needed to build 0.9.8 FIPS-140 certified libraries. All builds are done for 32
-and 64 bits. So, in total, OpenSSL is built six times.
+needed to build 0.9.8 FIPS-140 certified libraries. All builds apart from
+static libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL
+is built seven times.
+For more details on OpenSSL for wanboot see openssl-1.0.0-wanboot/README.
See also comments in all three Makefiles for more information.
The non-fips Build.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/Makefile Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,250 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+
+
+#
+# This component is not to be installed. It is used from openssl-1.0.0
+# to build static stand-alone OpenSSL binaries to link with wanboot.
+#
+
+include ../../../make-rules/shared-macros.mk
+
+# COMPONENT_NAME, COMPONENT_VERSION, IPS_COMPONENT_VERSION and some other
+# related macros definitions were moved to ../openssl-1.0.0/Makefile.version
+# in order to keep OpenSSL versions in ../openssl-1.0.0 and
+# ../openssl-1.0.0-wanboot in sync
+include ../openssl-1.0.0/Makefile.version
+
+include $(WS_TOP)/make-rules/prep.mk
+include $(WS_TOP)/make-rules/configure.mk
+include $(WS_TOP)/make-rules/ips.mk
+include $(WS_TOP)/make-rules/lint-libraries.mk
+
+PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
+
+# OpenSSL does not use autoconf but its own configure system.
+CONFIGURE_SCRIPT = $(SOURCE_DIR)/Configure
+
+# This is to force OpenSSL's Configure script to use gmake for "make links".
+# Otherwise it fails with:
+# mksh: Fatal error in reader: Unmatched `(' on line
+CONFIGURE_ENV += MAKE="$(GMAKE)"
+
+CONFIGURE_OPTIONS = -DNO_WINDOWS_BRAINDEATH
+CONFIGURE_OPTIONS += -DNO_CHMOD -D_BOOT -DOPENSSL_NO_DTLS1
+CONFIGURE_OPTIONS += no-cast
+CONFIGURE_OPTIONS += no-dso
+CONFIGURE_OPTIONS += no-ec
+CONFIGURE_OPTIONS += no-ecdh
+CONFIGURE_OPTIONS += no-ecdsa
+CONFIGURE_OPTIONS += no-mdc2
+CONFIGURE_OPTIONS += no-rc3
+CONFIGURE_OPTIONS += no-rc4
+CONFIGURE_OPTIONS += no-rc5
+CONFIGURE_OPTIONS += no-ripemd
+CONFIGURE_OPTIONS += no-idea
+CONFIGURE_OPTIONS += no-hw
+CONFIGURE_OPTIONS += no-threads
+CONFIGURE_OPTIONS += no-shared
+CONFIGURE_OPTIONS += no-seed
+# We use both no-whirlpool and no-whrlpool since there is an inconsistency in
+# the OpenSSL code and one needs both to build OpenSSL successfully with
+# Whirlpool implementation removed.
+CONFIGURE_OPTIONS += no-whirlpool
+CONFIGURE_OPTIONS += no-whrlpool
+
+# For wanboot, we only need 64-bit sparc binaries
+CONFIGURE_OPTIONS += solaris64-sparcv9-cc-sunw
+
+# OpenSSL has its own configure system which must be run from the fully
+# populated source code directory. However, the Userland configuration phase is
+# run from the build directory. So, we must get the full source code into the
+# build directory.
+COMPONENT_PRE_CONFIGURE_ACTION = \
+ ( $(CLONEY) $(SOURCE_DIR) $(BUILD_DIR)/$(MACH$(BITS)); )
+
+# File stubs.c stubs out several functions, that are not available for wanboot.
+# We do not provide it in a form of a patch to ease future maintenance.
+COMPONENT_PRE_BUILD_ACTION = \
+ ( $(CP) -fp files/stubs.c $(@D)/crypto/; )
+
+# Object files for wanboot-openssl.o have to be listed explicitly.
+WANBOOT_OBJS = \
+ crypto/aes/aes-sparcv9.o crypto/aes/aes_cbc.o crypto/aes/aes_cfb.o \
+ crypto/aes/aes_core.o crypto/aes/aes_ecb.o crypto/aes/aes_ofb.o \
+ crypto/aes/aes_wrap.o crypto/asn1/a_bitstr.o crypto/asn1/a_bool.o \
+ crypto/asn1/a_bytes.o crypto/asn1/a_d2i_fp.o crypto/asn1/a_digest.o \
+ crypto/asn1/a_dup.o crypto/asn1/a_enum.o crypto/asn1/a_gentm.o \
+ crypto/asn1/a_i2d_fp.o crypto/asn1/a_int.o crypto/asn1/a_mbstr.o \
+ crypto/asn1/a_object.o crypto/asn1/a_octet.o crypto/asn1/a_print.o \
+ crypto/asn1/a_set.o crypto/asn1/a_sign.o crypto/asn1/a_strex.o \
+ crypto/asn1/a_strnid.o crypto/asn1/a_time.o crypto/asn1/a_type.o \
+ crypto/asn1/a_utctm.o crypto/asn1/a_utf8.o crypto/asn1/a_verify.o \
+ crypto/asn1/ameth_lib.o crypto/asn1/asn1_err.o crypto/asn1/asn1_gen.o \
+ crypto/asn1/asn1_lib.o crypto/asn1/asn1_par.o crypto/asn1/asn_mime.o \
+ crypto/asn1/asn_pack.o crypto/asn1/bio_asn1.o crypto/asn1/bio_ndef.o \
+ crypto/asn1/d2i_pr.o crypto/asn1/evp_asn1.o crypto/asn1/f_int.o \
+ crypto/asn1/f_string.o crypto/asn1/i2d_pr.o crypto/asn1/nsseq.o \
+ crypto/asn1/p5_pbe.o crypto/asn1/p5_pbev2.o crypto/asn1/p8_pkey.o \
+ crypto/asn1/t_pkey.o crypto/asn1/t_x509.o crypto/asn1/t_x509a.o \
+ crypto/asn1/tasn_dec.o crypto/asn1/tasn_enc.o crypto/asn1/tasn_fre.o \
+ crypto/asn1/tasn_new.o crypto/asn1/tasn_prn.o crypto/asn1/tasn_typ.o \
+ crypto/asn1/tasn_utl.o crypto/asn1/x_algor.o crypto/asn1/x_attrib.o \
+ crypto/asn1/x_bignum.o crypto/asn1/x_crl.o crypto/asn1/x_exten.o \
+ crypto/asn1/x_info.o crypto/asn1/x_long.o crypto/asn1/x_name.o \
+ crypto/asn1/x_pkey.o crypto/asn1/x_pubkey.o crypto/asn1/x_req.o \
+ crypto/asn1/x_sig.o crypto/asn1/x_spki.o crypto/asn1/x_val.o \
+ crypto/asn1/x_x509.o crypto/asn1/x_x509a.o crypto/bf/bf_cfb64.o \
+ crypto/bf/bf_ecb.o crypto/bf/bf_enc.o crypto/bf/bf_ofb64.o \
+ crypto/bf/bf_skey.o crypto/bio/b_dump.o crypto/bio/b_print.o \
+ crypto/bio/bf_buff.o crypto/bio/bio_err.o crypto/bio/bio_lib.o \
+ crypto/bio/bss_file.o crypto/bio/bss_mem.o crypto/bio/bss_null.o \
+ crypto/bio/bss_sock.o crypto/bn/bn-sparcv9.o crypto/bn/bn_add.o \
+ crypto/bn/bn_blind.o crypto/bn/bn_ctx.o crypto/bn/bn_div.o \
+ crypto/bn/bn_err.o crypto/bn/bn_exp.o crypto/bn/bn_exp2.o \
+ crypto/bn/bn_gcd.o crypto/bn/bn_lib.o crypto/bn/bn_mod.o \
+ crypto/bn/bn_mont.o crypto/bn/bn_mul.o crypto/bn/bn_prime.o \
+ crypto/bn/bn_print.o crypto/bn/bn_rand.o crypto/bn/bn_recp.o \
+ crypto/bn/bn_shift.o crypto/bn/bn_sqr.o crypto/bn/bn_word.o \
+ crypto/bn/sparcv9-mont.o crypto/bn/sparcv9a-mont.o \
+ crypto/buffer/buf_err.o crypto/buffer/buffer.o crypto/camellia/camellia.o \
+ crypto/camellia/cmll_cbc.o crypto/camellia/cmll_cfb.o \
+ crypto/camellia/cmll_ecb.o crypto/camellia/cmll_misc.o \
+ crypto/camellia/cmll_ofb.o crypto/cms/cms_asn1.o crypto/cms/cms_att.o \
+ crypto/cms/cms_dd.o crypto/cms/cms_enc.o crypto/cms/cms_env.o \
+ crypto/cms/cms_err.o crypto/cms/cms_io.o crypto/cms/cms_lib.o \
+ crypto/cms/cms_sd.o crypto/comp/c_zlib.o crypto/comp/comp_err.o \
+ crypto/comp/comp_lib.o crypto/conf/conf_api.o crypto/conf/conf_def.o \
+ crypto/conf/conf_err.o crypto/conf/conf_lib.o crypto/conf/conf_mod.o \
+ crypto/cpt_err.o crypto/cryptlib.o crypto/des/cfb64ede.o \
+ crypto/des/cfb64enc.o crypto/des/cfb_enc.o crypto/des/des_enc-sparc.o \
+ crypto/des/ecb3_enc.o crypto/des/ecb_enc.o crypto/des/ofb64ede.o \
+ crypto/des/ofb64enc.o crypto/des/set_key.o crypto/des/xcbc_enc.o \
+ crypto/dh/dh_ameth.o crypto/dh/dh_asn1.o crypto/dh/dh_check.o \
+ crypto/dh/dh_err.o crypto/dh/dh_gen.o crypto/dh/dh_key.o \
+ crypto/dh/dh_lib.o crypto/dh/dh_pmeth.o crypto/dsa/dsa_ameth.o \
+ crypto/dsa/dsa_asn1.o crypto/dsa/dsa_err.o crypto/dsa/dsa_gen.o \
+ crypto/dsa/dsa_key.o crypto/dsa/dsa_lib.o crypto/dsa/dsa_ossl.o \
+ crypto/dsa/dsa_pmeth.o crypto/dsa/dsa_sign.o crypto/dsa/dsa_vrf.o \
+ crypto/dso/dso_lib.o crypto/dso/dso_null.o crypto/dso/dso_openssl.o \
+ crypto/engine/eng_ctrl.o crypto/engine/eng_err.o crypto/engine/eng_init.o \
+ crypto/engine/eng_lib.o crypto/engine/eng_list.o crypto/engine/eng_pkey.o \
+ crypto/engine/eng_table.o crypto/engine/tb_asnmth.o \
+ crypto/engine/tb_cipher.o crypto/engine/tb_dh.o crypto/engine/tb_digest.o \
+ crypto/engine/tb_dsa.o crypto/engine/tb_pkmeth.o crypto/engine/tb_rand.o \
+ crypto/engine/tb_rsa.o crypto/err/err.o crypto/err/err_all.o \
+ crypto/err/err_prn.o crypto/evp/bio_b64.o crypto/evp/bio_enc.o \
+ crypto/evp/bio_md.o crypto/evp/c_all.o crypto/evp/c_allc.o \
+ crypto/evp/c_alld.o crypto/evp/digest.o crypto/evp/e_aes.o \
+ crypto/evp/e_bf.o crypto/evp/e_camellia.o crypto/evp/e_des.o \
+ crypto/evp/e_des3.o crypto/evp/e_null.o crypto/evp/e_rc2.o \
+ crypto/evp/e_xcbc_d.o crypto/evp/encode.o crypto/evp/evp_enc.o \
+ crypto/evp/evp_err.o crypto/evp/evp_key.o crypto/evp/evp_lib.o \
+ crypto/evp/evp_pbe.o crypto/evp/evp_pkey.o crypto/evp/m_dss.o \
+ crypto/evp/m_dss1.o crypto/evp/m_md4.o crypto/evp/m_md5.o \
+ crypto/evp/m_sha.o crypto/evp/m_sha1.o crypto/evp/m_sigver.o \
+ crypto/evp/names.o crypto/evp/p5_crpt.o crypto/evp/p5_crpt2.o \
+ crypto/evp/p_lib.o crypto/evp/p_sign.o crypto/evp/p_verify.o \
+ crypto/evp/pmeth_fn.o crypto/evp/pmeth_gn.o crypto/evp/pmeth_lib.o \
+ crypto/ex_data.o crypto/hmac/hm_ameth.o crypto/hmac/hm_pmeth.o \
+ crypto/hmac/hmac.o crypto/lhash/lhash.o crypto/md4/md4_dgst.o \
+ crypto/md5/md5_dgst.o crypto/mem.o crypto/mem_dbg.o crypto/modes/cbc128.o \
+ crypto/modes/cfb128.o crypto/modes/ofb128.o crypto/o_dir.o \
+ crypto/o_time.o crypto/objects/o_names.o crypto/objects/obj_dat.o \
+ crypto/objects/obj_err.o crypto/objects/obj_lib.o \
+ crypto/objects/obj_xref.o crypto/ocsp/ocsp_asn.o crypto/ocsp/ocsp_err.o \
+ crypto/pem/pem_all.o crypto/pem/pem_err.o crypto/pem/pem_info.o \
+ crypto/pem/pem_lib.o crypto/pem/pem_oth.o crypto/pem/pem_pk8.o \
+ crypto/pem/pem_pkey.o crypto/pem/pem_x509.o crypto/pem/pem_xaux.o \
+ crypto/pkcs12/p12_add.o crypto/pkcs12/p12_asn.o crypto/pkcs12/p12_attr.o \
+ crypto/pkcs12/p12_crpt.o crypto/pkcs12/p12_decr.o crypto/pkcs12/p12_key.o \
+ crypto/pkcs12/p12_mutl.o crypto/pkcs12/p12_p8d.o crypto/pkcs12/p12_p8e.o \
+ crypto/pkcs12/p12_utl.o crypto/pkcs12/pk12err.o crypto/pkcs7/pk7_asn1.o \
+ crypto/pkcs7/pk7_attr.o crypto/pkcs7/pk7_doit.o crypto/pkcs7/pk7_lib.o \
+ crypto/pkcs7/pkcs7err.o crypto/rand/md_rand.o crypto/rand/rand_err.o \
+ crypto/rand/rand_lib.o crypto/rand/rand_unix.o crypto/rand/randfile.o \
+ crypto/rc2/rc2_cbc.o crypto/rc2/rc2_ecb.o crypto/rc2/rc2_skey.o \
+ crypto/rc2/rc2cfb64.o crypto/rc2/rc2ofb64.o crypto/rsa/rsa_ameth.o \
+ crypto/rsa/rsa_asn1.o crypto/rsa/rsa_eay.o crypto/rsa/rsa_err.o \
+ crypto/rsa/rsa_gen.o crypto/rsa/rsa_lib.o crypto/rsa/rsa_none.o \
+ crypto/rsa/rsa_oaep.o crypto/rsa/rsa_pk1.o crypto/rsa/rsa_pmeth.o \
+ crypto/rsa/rsa_pss.o crypto/rsa/rsa_sign.o crypto/rsa/rsa_ssl.o \
+ crypto/rsa/rsa_x931.o crypto/sha/sha1-sparcv9.o crypto/sha/sha1dgst.o \
+ crypto/sha/sha256-sparcv9.o crypto/sha/sha256.o \
+ crypto/sha/sha512-sparcv9.o crypto/sha/sha512.o crypto/sha/sha_dgst.o \
+ crypto/sparccpuid.o crypto/sparcv9cap.o crypto/stack/stack.o \
+ crypto/stubs.o crypto/ts/ts_err.o crypto/ui/ui_err.o crypto/x509/by_dir.o \
+ crypto/x509/by_file.o crypto/x509/x509_att.o crypto/x509/x509_cmp.o \
+ crypto/x509/x509_d2.o crypto/x509/x509_def.o crypto/x509/x509_err.o \
+ crypto/x509/x509_ext.o crypto/x509/x509_lu.o crypto/x509/x509_obj.o \
+ crypto/x509/x509_req.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o \
+ crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o \
+ crypto/x509/x509name.o crypto/x509/x509rset.o crypto/x509/x509type.o \
+ crypto/x509/x_all.o crypto/x509v3/pcy_cache.o crypto/x509v3/pcy_data.o \
+ crypto/x509v3/pcy_lib.o crypto/x509v3/pcy_map.o crypto/x509v3/pcy_node.o \
+ crypto/x509v3/pcy_tree.o crypto/x509v3/v3_akey.o crypto/x509v3/v3_akeya.o \
+ crypto/x509v3/v3_alt.o crypto/x509v3/v3_bcons.o crypto/x509v3/v3_bitst.o \
+ crypto/x509v3/v3_conf.o crypto/x509v3/v3_cpols.o crypto/x509v3/v3_crld.o \
+ crypto/x509v3/v3_enum.o crypto/x509v3/v3_extku.o crypto/x509v3/v3_genn.o \
+ crypto/x509v3/v3_ia5.o crypto/x509v3/v3_info.o crypto/x509v3/v3_int.o \
+ crypto/x509v3/v3_lib.o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_ocsp.o \
+ crypto/x509v3/v3_pci.o crypto/x509v3/v3_pcia.o crypto/x509v3/v3_pcons.o \
+ crypto/x509v3/v3_pku.o crypto/x509v3/v3_pmaps.o crypto/x509v3/v3_prn.o \
+ crypto/x509v3/v3_purp.o crypto/x509v3/v3_skey.o crypto/x509v3/v3_sxnet.o \
+ crypto/x509v3/v3_utl.o crypto/x509v3/v3err.o ssl/s3_both.o ssl/s3_clnt.o \
+ ssl/s3_enc.o ssl/s3_lib.o ssl/s3_pkt.o ssl/ssl_algs.o ssl/ssl_asn1.o \
+ ssl/ssl_cert.o ssl/ssl_ciph.o ssl/ssl_err.o ssl/ssl_err2.o ssl/ssl_lib.o \
+ ssl/ssl_rsa.o ssl/ssl_sess.o ssl/t1_enc.o ssl/t1_lib.o ssl/t1_reneg.o
+
+# Linking of openssl bits for wanboot.
+# Interface for wanboot is specified in mapfile. Object files are compiled
+# to have functions in separate sections, unused sections get discarded.
+CREATE_BIG_OBJECT_FILE = ( \
+ cd $(BUILD_DIR)/$(MACH64); \
+ $(LD) -o wanboot-openssl.o -r -M../../mapfile -Breduce \
+ -zdiscard-unused=sections,files -zguidance \
+ $(WANBOOT_OBJS); \
+ )
+
+COMPONENT_POST_BUILD_ACTION = \
+ ($(CREATE_BIG_OBJECT_FILE); )
+
+
+# For wanboot, we only need 64-bit sparc binaries
+build_sparc: $(BUILD_64)
+
+build_i386:
+ @echo "Not available"
+
+build: build_$(MACH)
+
+install:
+ @echo "This component is not to be installed individually."
+
+publish:
+ @echo "This component is not to be published individually."
+
+test: $(NO_TESTS)
+
+BUILD_PKG_DEPENDENCIES = $(BUILD_TOOLS)
+
+include $(WS_TOP)/make-rules/depend.mk
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/README Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,241 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+#
+
+
+Disclaimer
+----
+
+The purpose of this directory is solely to build and deliver static OpenSSL
+binaries for wanboot. These binaries have some highly specific patches applied.
+Do not attempt to use these for any other purpose.
+
+
+Building
+----
+
+Building in this directory is triggered by running 'gmake build' in
+../openssl-1.0.0. Calling 'gmake build' locally is possible for debugging
+purposes. There are no 'install' and 'publish' targets. Only 64-bit sparc
+version is built, nothing is done for x86.
+
+The outcome of build is file wanboot-openssl.o containing all the openssl bits
+required for wanboot. As part of 'make install' in ../openssl-1.0.0 this file
+is copied in to its proto area. From there, wanboot-openssl.o is published and
+delivered as a part of pkg:/library/security/openssl package.
+
+
+Patches
+----
+
+18-compiler_opts.patch:
+Taken from $USERLAND/components/openssl/openssl-1.0.0/patches/
+- modified not to link with libc (-lc);
+- '-xF=%all' added to comp. flags to create separate section for each function
+
+30_wanboot.patch:
+Wanboot specific patches.
+- modified Makefiles not to build in engines apps test tools
+- not using vfprintf for error print in crypto/cryptlib.c
+- not using ERR_load_DSO_strings() in crypto/err/err_all.c
+- not using EVP_read_pw_string() in crypto/evp/evp_key.c
+ - reading password is implemented in disabled DES library
+- avoid select() in crypto/rand/rand_unix.c
+- not defining _XOPEN_SOURCE in crypto/rand/randfile.c
+- direct reading of IP to avoid sscanf() in crypto/x509v3/v3_utl.c
+- using functions from libsock in e_os.h
+- by-passing version of sparc detection in crypto/sparcv9cap.c
+ - results in not using FPU for big numbers multiplication
+ - should be ok - original detection seems broken, FPU gets never used
+- stubs for EVP_read_pw_string_min(), OPENSSL_issetugid(),
+ opendir(), readdir(), closedir()
+- implementation of atoi()
+
+
+Configure options
+----
+
+Most of the Configure options where carried over from the original code when
+migrating openssl for wanboot from ON to Userland. For the most part, these
+options exclude unused ciphers.
+
+New options added:
+-DNO_CHMOD chmod not available in stand-alone environment
+-DBOOT guard for wanboot specific patches
+-DOPENSSL_NO_DTLS1 to avoid dtls1_min_mtu() - DTLS not used anyway
+
+
+List of object files for wanboot-openssl.o
+----
+
+At this moment, object files for wanboot-openssl.o need to be listed explicitly.
+This is cumbersome and relatively tedious with respect to upgrading to higher
+version of openssl.
+
+In future, it would be nice, if this could be performed automatically by the
+linker. The required interface for wanboot is already defined in a mapfile and
+linker option '-zdiscard-unused=sections,files' is already used to discard
+unused code.
+But sadly, at this moment when the linker is given all the object files, it
+fails to recognize some unreferenced sections as unused. As a result, numerous
+object files are not discarded, although they should be. These files are not
+patched to work in standalone environment, which causes wanboot linking failure
+due to undefined references.
+
+In order to determine which openssl object files are required for wanboot,
+first build static standalone openssl bits in Userland. As a site effect,
+static libraries libssl.a and libcrypto.a are created.
+
+ $ cd $USERLAND/components/openssl/openssl-1.0.0-wanboot ; gmake build
+
+Next, collect some information from linking wanboot static libraries in ON.
+This can be done by the following hack.
+
+ $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4
+ $ touch wanboot.o
+ $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \
+ -L$USERLAND/components/openssl/openssl-1.0.0-wanboot/build/sparcv9 " \
+ WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all
+
+The following sort of information ends up in ld.dbg (note that the debugging
+output from the link-editor is not considered a 'stable interface' and may
+change in the future):
+
+ debug:
+ debug: file=/builds/tkuthan/ul-s11u1/components/openssl/openssl-1.0.0-wanboot/build/sparcv9/libcrypto.a(sparcv9cap.o) [ ET_REL ]
+ debug:
+ debug: symbol table processing; file=/builds/tkuthan/ul-s11u1/components/openssl/openssl-1.0.0-wanboot/build/sparcv9/libcrypto.a(sparcv9cap.o) [ ET_REL ]
+ debug: symbol[1]=sparcv9cap.c
+ ...
+
+Now run the following script in Userland:
+
+ #!/bin/bash
+
+ # set to workspace paths:
+ USERLAND=/builds/tkuthan/ul-s11u1
+ ON=/builds/tkuthan/on11u1-wanboot-rti
+
+ BUILD=$USERLAND/components/openssl/openssl-1.0.0-wanboot/build/sparcv9
+ LD_DBG=$ON/usr/src/psm/stand/boot/sparcv9/sun4/ld.dbg
+
+ for i in `find $BUILD/crypto $BUILD/ssl -name '*.o'`
+ do
+ f=`basename $i`
+ if grep -q "^debug: file.*\<$f\>" $LD_DBG
+ then
+ echo $i | sed "s#$BUILD/##"
+ fi
+ done
+
+to get the list of required object files.
+
+Additionally, you can format the list for including to Makefile by:
+ $ sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'
+
+
+Linking with wanboot
+----
+
+When linking with wanboot please pay attention to following pitfalls.
+
+Correct openssl header files need to be included. This is done in
+$ON/usr/src/stand/lib/wanboot/Makefile
+Make sure CPPFLAGS point to the right directories.
+
+EXTREME CAUTION needs to be employed, if WANBOOT GREW IN SIZE because of the
+changes!
+Wanboot is a statically linked standalone binary and it is loaded on a fixed
+address before execution. This address is defined in
+$ON/usr/src/psm/stand/boot/sparc/common/mapfile:
+
+ 27 LOAD_SEGMENT text {
+ 28 FLAGS = READ EXECUTE;
+ 29 VADDR = 0x130000;
+ 30 ASSIGN_SECTION {
+ 31 TYPE = PROGBITS;
+ 32 FLAGS = ALLOC !WRITE;
+ 33 };
+ 34 };
+
+This address (VADDR) NEEDS TO BE GREATER THEN
+ size of .text section + size of .data section + 0x4000
+
+The reason for this is in how wanboot is loaded by OpenBoot Prom:
+1) user initiates boot from network - "boot net"
+2) obp loads wanboot binary at address 0x4000
+3) obp parses ELF header, reads virtual address where to load wanboot to
+4) obp mem-copies .text section to this address
+5) obp copies .data section behind .text
+6) obp starts executing wanboot at entry address
+
+If the given address is too small, obp overwrites part of .data with
+instructions from .text in step 4. resulting in .data being corrupted.
+Initialized variables get bogus values and failure is inevitable.
+This is very hard to troubleshoot.
+
+
+Testing wanboot with new openssl
+----
+
+With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and
+works well with the new bits.
+
+Provided you have a freshly built ON workspace, you can link wanboot with new
+OpenSSL bits by redefining WAN_OPENSSL macro:
+
+ # copy wanboot-openssl.o to ON build machine
+ cp wanboot-openssl.o /var/tmp/
+
+ # prepare to rebuild wanboot
+ cd $ON
+ bldenv developer.sh
+ cd usr/src/psm/stand/boot/sparcv9/sun4
+
+ # hack to force a rebuild
+ touch wanboot.o
+
+ # link new OpenSSL to wanboot
+ WAN_OPENSSL=/var/tmp/wanboot-openssl.o dmake all
+
+Wanboot should build without warning.
+
+If there is something like this in the output:
+
+ Undefined first referenced
+ symbol in file
+ CRYPTO_ccm128_setiv /var/tmp/wanboot-openssl.o
+ SSL_get_srtp_profiles /var/tmp/wanboot-openssl.o
+ ssl_parse_clienthello_use_srtp_ext /var/tmp/wanboot-openssl.o
+ CRYPTO_gcm128_setiv /var/tmp/wanboot-openssl.o
+ ...
+ cmac_pkey_meth /var/tmp/wanboot-openssl.o
+ ld: fatal: symbol referencing errors. No output written to wanboot
+ *** Error code 1
+ dmake: Fatal error: Command failed for target `wanboot'
+
+some additional work has to be done in OpenSSL to either satisfy the function
+references listed in the linker error message, or to remove the calls to these
+functions.
+
+Finally, resulting wanboot binary shall be deployed on some install server and
+wanbooting from this server shall be tested.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/files/stubs.c Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,118 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+ */
+
+
+#include <sys/types.h>
+#include <dirent.h>
+#include <errno.h>
+#include <stddef.h>
+
+/*
+ * In OpenSSL 0.9.7 the EVP_read_pw_string now calls into the new "ui"
+ * routines of 0.9.7, which is not compiled in the standalone, so it is
+ * stubbed out here to avoid having to add a bunch of #ifndef's elsewhere.
+ */
+/* ARGSUSED */
+int
+EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt, int
+ verify)
+{
+ return (-1); /* failure */
+}
+
+/*
+ * In standalone issetugid() is always false.
+ */
+int
+OPENSSL_issetugid(void)
+{
+ return (1);
+}
+
+/*
+ * Directory routines -- currently, the only consumer of these interfaces
+ * is $SRC/common/openssl/ssl/ssl_cert.c, and it has fallback code in the
+ * case of failure, so we just fail opendir() and stub out the rest. At
+ * some point, we may need to provide a real implementation.
+ */
+/* ARGSUSED */
+DIR *
+opendir(const char *dirname)
+{
+ errno = EACCES;
+ return (NULL);
+}
+
+/* ARGSUSED */
+struct dirent *
+readdir(DIR *dirp)
+{
+ return (NULL);
+}
+
+/* ARGSUSED */
+int
+closedir(DIR *dirp)
+{
+ return (0);
+}
+
+/*
+ * Atoi is used on multiple places in libcrypto.
+ * This implementation is taken from stand-alone libsock library:
+ * usr/src/stand/lib/sock/sock_test.c
+ * Alternative solution: just extern it here, wanboot has -lsock anyway.
+ */
+#ifndef isdigit
+#define isdigit(c) ((c) >= '0' && (c) <= '9')
+#endif
+
+#ifndef isspace
+#define isspace(c) ((c) == ' ' || (c) == '\t' || (c) == '\n' || \
+ (c) == '\r' || (c) == '\f' || (c) == '\013')
+#endif
+int
+atoi(const char *p)
+{
+ int n;
+ int c = *p++, neg = 0;
+
+ while (isspace(c)) {
+ c = *p++;
+ }
+ if (!isdigit(c)) {
+ switch (c) {
+ case '-':
+ neg++;
+ /* FALLTHROUGH */
+ case '+':
+ c = *p++;
+ }
+ }
+ for (n = 0; isdigit(c); c = *p++) {
+ n *= 10; /* two steps to avoid unnecessary overflow */
+ n += '0' - c; /* accum neg to avoid surprises at MAX */
+ }
+ return (neg ? n : -n);
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/mapfile Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,126 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+#
+
+#
+# This file defines interface requirements of wanboot on OpenSSL.
+#
+
+$mapfile_version 2
+SYMBOL_SCOPE {
+ ERR_clear_error;
+ SSL_CTX_set_default_passwd_cb;
+ SSL_load_error_strings;
+ EVP_PKEY_free;
+ SSL_get_peer_certificate;
+ SSL_CIPHER_get_name;
+ sk_value;
+ RAND_load_file;
+ X509_NAME_oneline;
+ SSL_write;
+ X509_NAME_get_text_by_NID;
+ OPENSSL_uni2asc;
+ SSL_CTX_set_default_passwd_cb_userdata;
+ SSL_CTX_use_PrivateKey_file;
+ OPENSSL_asc2uni;
+ SSL_get_error;
+ ASN1_UTF8STRING_free;
+ ASN1_mbstring_copy;
+ ERR_error_string;
+ PKCS12_unpack_p7data;
+ X509_free;
+ ERR_get_error;
+ ERR_put_error;
+ PKCS12_free;
+ ASN1_UTF8STRING_new;
+ OPENSSL_add_all_algorithms_noconf;
+ OBJ_nid2obj;
+ PKCS12_SAFEBAG_free;
+ ASN1_STRING_free;
+ sk_delete;
+ OBJ_obj2nid;
+ SSL_CTX_set_verify_depth;
+ PKCS8_PRIV_KEY_INFO_free;
+ SSL_set_connect_state;
+ sk_pop_free;
+ BIO_s_file;
+ SSL_set_fd;
+ SSL_CTX_use_PrivateKey;
+ ASN1_STRING_to_UTF8;
+ PKCS12_certbag2x509;
+ PKCS7_free;
+ PKCS12_decrypt_skey;
+ BIO_new;
+ RAND_status;
+ sk_num;
+ SSL_get_verify_result;
+ SSL_free;
+ SSL_read;
+ SSL_new;
+ SSLv3_client_method;
+ X509_check_private_key;
+ SSL_CTX_new;
+ ASN1_TYPE_set;
+ ASN1_TYPE_new;
+ ERR_peek_error;
+ CRYPTO_free;
+ SSL_CTX_load_verify_locations;
+ PKCS12_unpack_authsafes;
+ X509_ATTRIBUTE_new;
+ PKCS12_unpack_p7encdata;
+ sk_push;
+ SSL_connect;
+ SSL_shutdown;
+ SSL_CTX_use_certificate_file;
+ PKCS12_get_attr_gen;
+ X509_verify_cert_error_string;
+ X509_ATTRIBUTE_free;
+ X509_alias_set1;
+ PKCS12_verify_mac;
+ ASN1_TIME_print;
+ SSL_CTX_use_certificate;
+ SSL_get_ciphers;
+ SSL_CTX_ctrl;
+ SSL_CTX_free;
+ X509_keyid_set1;
+ ERR_load_strings;
+ EVP_EncodeBlock;
+ ASN1_TYPE_free;
+ sk_new_null;
+ SSL_get_current_cipher;
+ ASN1_STRING_cmp;
+ ASN1_STRING_set;
+ ERR_get_next_error_library;
+ EVP_PKCS82PKEY;
+ X509_get_issuer_name;
+ CRYPTO_malloc;
+ BIO_ctrl;
+ BIO_free;
+ X509_STORE_add_cert;
+ ASN1_STRING_type_new;
+ SSL_CTX_set_cipher_list;
+ X509_get_subject_name;
+ SSL_library_init;
+ d2i_PKCS12_fp;
+ local:
+ *;
+};
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/patches/18-compiler_opts.patch Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,15 @@
+--- openssl-1.0.0f/Configure Thu Feb 10 20:02:41 2011
++++ /tmp/Configure Thu Feb 10 20:01:51 2011
+@@ -246,6 +246,12 @@
+ #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
+ "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+
++#### Solaris configs, used for OpenSSL as delivered by S11.
++# Option -xF=%all instructs the compiler to place functions and data
++# variables into separate section fragments. This enables the link editor
++# to discard unused sections and files when linking wanboot-openssl.o
++"solaris64-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -xF=%all -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/bin/ar rs::/64",
++
+ #### IRIX 5.x configs
+ # -mips2 flag is added by ./config when appropriate.
+ "irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0-wanboot/patches/30_wanboot.patch Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,348 @@
+--- openssl-1.0.0e/Makefile 2011-09-06 06:18:01.000000000 -0700
++++ openssl-1.0.0e_patched/Makefile 2011-12-19 08:29:38.100618700 -0800
+@@ -111,7 +111,7 @@
+ ZLIB_INCLUDE=
+ LIBZLIB=
+
+-DIRS= crypto ssl engines apps test tools
++DIRS= crypto ssl
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+
+--- openssl-1.0.0e/Makefile.org 2010-01-27 08:06:58.000000000 -0800
++++ openssl-1.0.0e_patched/Makefile.org 2011-12-19 08:30:01.795240100 -0800
+@@ -109,7 +109,7 @@
+ ZLIB_INCLUDE=
+ LIBZLIB=
+
+-DIRS= crypto ssl engines apps test tools
++DIRS= crypto ssl
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+
+--- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800
+@@ -871,6 +871,10 @@
+ MessageBox (NULL,buf,_T("OpenSSL: FATAL"),MB_OK|MB_ICONSTOP);
+ }
+ #else
++/* Solaris libsa.a used for WAN boot doesn't provide for vfprintf(). Since
++ * * OPENSSL_showfatal() is not used anywhere else then here we can safely use
++ * * the code from 0.9.7d version. */
++#ifndef _BOOT
+ void OPENSSL_showfatal (const char *fmta,...)
+ { va_list ap;
+
+@@ -878,14 +882,21 @@
+ vfprintf (stderr,fmta,ap);
+ va_end (ap);
+ }
++#endif /* _BOOT */
+ int OPENSSL_isservice (void) { return 0; }
+ #endif
+
+ void OpenSSLDie(const char *file,int line,const char *assertion)
+ {
++#ifndef _BOOT
+ OPENSSL_showfatal(
+ "%s(%d): OpenSSL internal error, assertion failed: %s\n",
+ file,line,assertion);
++#else
++ fprintf(stderr,
++ "%s(%d): OpenSSL internal error, assertion failed: %s\n",
++ file,line,assertion);
++#endif
+ #if !defined(_WIN32) || defined(__CYGWIN__)
+ abort();
+ #else
+--- openssl-1.0.0e/crypto/err/err_all.c 2009-08-09 07:58:05.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/err/err_all.c 2011-12-13 05:22:01.205351400 -0800
+@@ -142,7 +142,9 @@
+ ERR_load_X509V3_strings();
+ ERR_load_PKCS12_strings();
+ ERR_load_RAND_strings();
++#ifndef _BOOT
+ ERR_load_DSO_strings();
++#endif /* _BOOT */
+ ERR_load_TS_strings();
+ #ifndef OPENSSL_NO_ENGINE
+ ERR_load_ENGINE_strings();
+--- openssl-1.0.0e/crypto/evp/evp_key.c 2010-03-27 12:27:50.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/evp/evp_key.c 2011-12-13 05:19:32.956908600 -0800
+@@ -84,7 +84,7 @@
+ else
+ return(prompt_string);
+ }
+-
++#ifndef _BOOT
+ /* For historical reasons, the standard function for reading passwords is
+ * in the DES library -- if someone ever wants to disable DES,
+ * this function will fail */
+@@ -111,6 +111,7 @@
+ OPENSSL_cleanse(buff,BUFSIZ);
+ return ret;
+ }
++#endif /* !_BOOT */
+
+ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
+ const unsigned char *salt, const unsigned char *data, int datal,
+--- openssl-1.0.0e/crypto/rand/rand_unix.c 2009-04-06 07:31:36.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c 2011-12-19 07:28:39.988944800 -0800
+@@ -122,7 +122,11 @@
+ #include <sys/time.h>
+ #include <sys/times.h>
+ #include <sys/stat.h>
++#ifdef _BOOT
++#include <sys/fcntl.h>
++#else
+ #include <fcntl.h>
++#endif
+ #include <unistd.h>
+ #include <time.h>
+ #if defined(OPENSSL_SYS_LINUX) /* should actually be available virtually everywhere */
+@@ -253,6 +257,11 @@
+ const char **egdsocket = NULL;
+ #endif
+
++#ifdef _BOOT
++/* open() is provided by standalone libsa not visible from here */
++extern int open(const char *, int);
++#endif
++
+ #ifdef DEVRANDOM
+ memset(randomstats,0,sizeof(randomstats));
+ /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+@@ -295,9 +304,13 @@
+ {
+ int try_read = 0;
+
+-#if defined(OPENSSL_SYS_BEOS_R5)
++#if defined(OPENSSL_SYS_BEOS_R5) || defined(_BOOT)
+ /* select() is broken in BeOS R5, so we simply
+ * try to read something and snooze if we couldn't */
++ /*
++ * select() is not available when linking stand-alone
++ * library for wanboot
++ */
+ try_read = 1;
+
+ #elif defined(OPENSSL_SYS_LINUX)
+@@ -355,6 +368,7 @@
+ else
+ r = -1;
+
++#ifndef _BOOT
+ /* Some Unixen will update t in select(), some
+ won't. For those who won't, or if we
+ didn't use select() in the first place,
+@@ -366,13 +380,17 @@
+ }
+ while ((r > 0 ||
+ (errno == EINTR || errno == EAGAIN)) && usec != 0 && n < ENTROPY_NEEDED);
++#else /* _BOOT */
++ }
++ while (r > 0 && n < ENTROPY_NEEDED);
++#endif /* _BOOT */
+
+ close(fd);
+ }
+ }
+ #endif /* defined(DEVRANDOM) */
+
+-#ifdef DEVRANDOM_EGD
++#if defined(DEVRANDOM_EGD) && !defined(_BOOT)
+ /* Use an EGD socket to read entropy from an EGD or PRNGD entropy
+ * collecting daemon. */
+
+@@ -395,6 +413,7 @@
+ }
+ #endif
+
++#ifndef _BOOT
+ /* put in some default random data, we need more than just this */
+ l=curr_pid;
+ RAND_add(&l,sizeof(l),0.0);
+@@ -403,6 +422,7 @@
+
+ l=time(NULL);
+ RAND_add(&l,sizeof(l),0.0);
++#endif /* !_BOOT */
+
+ #if defined(OPENSSL_SYS_BEOS)
+ {
+
+--- openssl-1.0.0e/crypto/rand/randfile.c 2011-03-19 02:44:37.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/randfile.c 2011-12-13 05:26:51.884824200 -0800
+@@ -57,7 +57,9 @@
+ */
+
+ /* We need to define this to get macros like S_IFBLK and S_IFCHR */
++#ifndef _BOOT
+ #define _XOPEN_SOURCE 500
++#endif /* _BOOT */
+
+ #include <errno.h>
+ #include <stdio.h>
+--- openssl-1.0.0e/crypto/x509v3/v3_utl.c 2009-07-27 14:08:53.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c 2011-12-13 05:10:08.844191400 -0800
+@@ -659,9 +659,52 @@
+ }
+ }
+
++#if defined(_BOOT)
++/* This function was copied from bio/b_sock.c */
++static int get_ip(const char *str, unsigned char ip[4])
++ {
++ unsigned int tmp[4];
++ int num=0,c,ok=0;
++
++ tmp[0]=tmp[1]=tmp[2]=tmp[3]=0;
++
++ for (;;)
++ {
++ c= *(str++);
++ if ((c >= '0') && (c <= '9'))
++ {
++ ok=1;
++ tmp[num]=tmp[num]*10+c-'0';
++ if (tmp[num] > 255) return(0);
++ }
++ else if (c == '.')
++ {
++ if (!ok) return(-1);
++ if (num == 3) return(0);
++ num++;
++ ok=0;
++ }
++ else if (c == '\0' && (num == 3) && ok)
++ break;
++ else
++ return(0);
++ }
++ ip[0]=tmp[0];
++ ip[1]=tmp[1];
++ ip[2]=tmp[2];
++ ip[3]=tmp[3];
++ return(1);
++ }
++#endif /* _BOOT */
++
+ static int ipv4_from_asc(unsigned char *v4, const char *in)
+ {
+ int a0, a1, a2, a3;
++
++#if defined(_BOOT)
++ if (get_ip(in, v4) != 1)
++ return 0;
++#else /* _BOOT */
+ if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+ return 0;
+ if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
+@@ -671,6 +716,7 @@
+ v4[1] = a1;
+ v4[2] = a2;
+ v4[3] = a3;
++#endif /* _BOOT */
+ return 1;
+ }
+
+--- openssl-1.0.0e/doc/crypto/hmac.pod 2009-09-30 16:40:52.000000000 -0700
++++ openssl-1.0.0e_patched/doc/crypto/hmac.pod 2011-12-12 05:39:53.818071600 -0800
+@@ -2,7 +2,7 @@
+
+ =head1 NAME
+
+-HMAC, HMAC_Init, HMAC_Update, HMAC_Final, HMAC_cleanup - HMAC message
++HMAC, HMAC_CTX_init, HMAC_Init, HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_cleanup, HMAC_cleanup - HMAC message
+ authentication code
+
+ =head1 SYNOPSIS
+--- openssl-1.0.0e/e_os.h 2011-12-19 04:17:51.631087400 -0800
++++ openssl-1.0.0e_patched/e_os.h 2011-12-19 04:15:15.776668900 -0800
+@@ -207,10 +207,19 @@
+ #define get_last_socket_error() errno
+ #define clear_socket_error() errno=0
+ #define ioctlsocket(a,b,c) ioctl(a,b,c)
++#ifdef _BOOT
++#include <netinet/in.h>
++extern int socket_read(int, void *, size_t, int);
++extern int socket_close(int);
++#define closesocket(s) socket_close(s)
++#define readsocket(s,b,n) socket_read((s),(b),(n), 200)
++#define writesocket(s,b,n) send((s),(b),(n), 0)
++#else /* !_BOOT */
+ #define closesocket(s) close(s)
+ #define readsocket(s,b,n) read((s),(b),(n))
+ #define writesocket(s,b,n) write((s),(b),(n))
+ #endif
++#endif
+
+ #ifdef WIN16 /* never the case */
+ # define MS_CALLBACK _far _loadds
+--- openssl-1.0.0e/crypto/sparcv9cap.c 2010-09-05 12:48:01.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/sparcv9cap.c 2011-12-23 05:24:02.011607700 -0800
+@@ -12,7 +12,7 @@
+ #define SPARCV9_VIS2 (1<<3) /* reserved */
+ #define SPARCV9_FMADD (1<<4) /* reserved for SPARC64 V */
+
+-static int OPENSSL_sparcv9cap_P=SPARCV9_TICK_PRIVILEGED;
++static int OPENSSL_sparcv9cap_P = SPARCV9_VIS1;
+
+ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np,const BN_ULONG *n0, int num)
+ {
+@@ -32,6 +32,7 @@
+ void _sparcv9_vis2_probe(void);
+ void _sparcv9_fmadd_probe(void);
+
++#ifndef _BOOT
+ unsigned long OPENSSL_rdtsc(void)
+ {
+ if (OPENSSL_sparcv9cap_P&SPARCV9_TICK_PRIVILEGED)
+@@ -43,8 +44,19 @@
+ else
+ return _sparcv9_rdtick();
+ }
++#endif
++
++#if defined(_BOOT)
++/*
++ * Hardcoding sparc capabilities for wanboot.
++ * Older CPUs are EOLed anyway.
++ */
++void OPENSSL_cpuid_setup(void)
++ {
++ OPENSSL_sparcv9cap_P = SPARCV9_VIS1;
++ }
+
+-#if 0 && defined(__sun) && defined(__SVR4)
++#elif 0 && defined(__sun) && defined(__SVR4)
+ /* This code path is disabled, because of incompatibility of
+ * libdevinfo.so.1 and libmalloc.so.1 (see below for details)
+ */
+--- openssl-1.0.0e/crypto/sparccpuid.S 2010-09-05 12:48:01.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/sparccpuid.S 2012-02-13 07:42:58.259478325 -0800
+@@ -397,6 +397,11 @@
+ .type OPENSSL_cleanse,#function
+ .size OPENSSL_cleanse,.-OPENSSL_cleanse
+
++#ifndef _BOOT
+ .section ".init",#alloc,#execinstr
+ call OPENSSL_cpuid_setup
+ nop
++#else
++ nop
++ nop
++#endif
+--- openssl-1.0.0e/crypto/Makefile 2010-07-26 15:09:59.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/Makefile 2011-12-22 08:26:22.041955800 -0800
+@@ -34,8 +34,8 @@
+
+ LIB= $(TOP)/libcrypto.a
+ SHARED_LIB= libcrypto$(SHLIB_EXT)
+-LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c
+-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o $(CPUID_OBJ)
++LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c stubs.c
++LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o stubs.o $(CPUID_OBJ)
+
+ SRC= $(LIBSRC)
+
--- a/components/openssl/openssl-1.0.0/Makefile Thu Mar 22 13:55:41 2012 -0700
+++ b/components/openssl/openssl-1.0.0/Makefile Thu Mar 22 14:20:01 2012 -0700
@@ -22,18 +22,11 @@
#
include ../../../make-rules/shared-macros.mk
-COMPONENT_NAME = openssl
-# When new version of OpenSSL comes in, you must update both COMPONENT_VERSION
-# and IPS_COMPONENT_VERSION.
-COMPONENT_VERSION = 1.0.0g
-# Version for IPS. It is easier to do it manually than convert the letter to a
-# number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.0.7
-COMPONENT_PROJECT_URL= http://www.openssl.org/
-COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
-COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
-COMPONENT_ARCHIVE_HASH= sha1:2b517baada2338663c27314cb922f9755e73e07f
-COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
+# COMPONENT_NAME, COMPONENT_VERSION, IPS_COMPONENT_VERSION and some other
+# related macros definitions were moved to ../openssl-1.0.0/Makefile.version
+# in order to keep OpenSSL versions in ../openssl-1.0.0 and
+# ../openssl-1.0.0-wanboot in sync
+include Makefile.version
# Architecture-specific patches
EXTRA_PATCHES.i386 = $(PATCH_DIR)/openssl-1.0.0d-aesni-v4.i386-patch
@@ -50,6 +43,11 @@
# OpenSSL does not use autoconf but its own configure system.
CONFIGURE_SCRIPT = $(SOURCE_DIR)/Configure
+# This is to force OpenSSL's Configure script to use gmake for 'make links'.
+# Otherwise it fails with:
+# mksh: Fatal error in reader: Unmatched `(' on line
+CONFIGURE_ENV += MAKE="$(GMAKE)"
+
# Used in the configure options below.
PKCS11_LIB32 = /usr/lib/libpkcs11.so.1
PKCS11_LIB64 = /usr/lib/64/libpkcs11.so.1
@@ -120,6 +118,35 @@
( [ $(BITS) -eq 32 ] && $(GPATCH) -p1 $(@D)/crypto/opensslconf.h \
patches-post-config/opensslconf.patch; cd $(@D); $(MAKE) depend; )
+# This conditional part triggers actions in ../openssl-1.0.0-wanboot directory
+# in order to create static openssl bits for linking with wanboot.
+# Specifically
+# - propagate clean and clobber targets to wanboot dir
+# - build wanboot bits and copy in wanboot-openssl.o to proto area
+# - cache (link) openssl tarball from wanboot dir
+ifeq ($(MACH), sparc)
+WANBOOT_DIR = $(COMPONENT_DIR)/../openssl-1.0.0-wanboot
+WANBOOT_TO = $(PROTO_DIR)/lib/openssl/wanboot/$(MACH64)
+clobber clean::
+ (cd $(WANBOOT_DIR) ; $(GMAKE) $@)
+
+# In order not to download the tarball twice (once here and once in
+# ../openssl-1.0.0-wanboot), there is a hacky caching applied.
+# After having build in ../openssl-1.0.0-wanboot an attempt is made to create
+# a soft-link in this directory pointing to the tarball.
+$(WANBOOT_DIR)/build/$(MACH64)/.built:
+ (cd $(WANBOOT_DIR) ; $(GMAKE) build;)
+ -$(LN) -s $(WANBOOT_DIR)/$(COMPONENT_ARCHIVE) $(COMPONENT_DIR)/
+
+build: $(WANBOOT_DIR)/build/$(MACH64)/.built
+install: $(WANBOOT_DIR)/build/$(MACH64)/.built
+
+$(INSTALL_64): COMPONENT_POST_INSTALL_ACTION = \
+ ( $(MKDIR) -p $(WANBOOT_TO); \
+ $(CP) $(WANBOOT_DIR)/build/$(MACH64)/wanboot-openssl.o $(WANBOOT_TO); )
+endif
+
+
# We do not ship our engines as patches since it would be more difficult to
# update the files which have been under continuous development. We rather copy
# the files to the right directories.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.0/Makefile.version Thu Mar 22 14:20:01 2012 -0700
@@ -0,0 +1,45 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+
+
+#
+# This file contains version-related macro definitions. It is included
+# by both ./Makefile and ../openssl-1.0.0-wanboot/Makefile in order to
+# keep them in sync.
+#
+
+COMPONENT_NAME = openssl
+# When new version of OpenSSL comes in, you must update both COMPONENT_VERSION
+# and IPS_COMPONENT_VERSION.
+# When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too.
+# For more information about wanboot-openssl testing, please refer to
+# ../openssl-1.0.0-wanboot/README.
+COMPONENT_VERSION = 1.0.0g
+# Version for IPS. It is easier to do it manually than convert the letter to a
+# number while taking into account that there might be no letter at all.
+IPS_COMPONENT_VERSION = 1.0.0.7
+COMPONENT_PROJECT_URL= http://www.openssl.org/
+COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
+COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH= sha1:2b517baada2338663c27314cb922f9755e73e07f
+COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
+
--- a/components/openssl/openssl-1.0.0/openssl-1.0.0.p5m Thu Mar 22 13:55:41 2012 -0700
+++ b/components/openssl/openssl-1.0.0/openssl-1.0.0.p5m Thu Mar 22 14:20:01 2012 -0700
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -171,6 +171,15 @@
file path=usr/include/openssl/x509.h
file path=usr/include/openssl/x509_vfy.h
file path=usr/include/openssl/x509v3.h
+# Wanboot static standalone openssl binaries
+dir path=/lib
+dir path=/lib/openssl
+dir path=/lib/openssl/wanboot
+dir path=/lib/openssl/wanboot/$(MACH64)
+file path=/lib/openssl/wanboot/$(MACH64)/wanboot-openssl.o \
+ variant.arch=sparc \
+ pkg.depend.bypass-generate=.* \
+ pkg.linted.userland.action001=true
# Manual pages.
dir path=usr/share
dir path=usr/share/man