25172715 OpenSSL libraries should have RUNPATH for libcrypto pairing s11u3-sru
authorJan Parcel <jan.parcel@oracle.com>
Fri, 21 Apr 2017 13:46:39 -0700
branchs11u3-sru
changeset 7926 26093f5b918b
parent 7925 9029178fe4cd
child 7927 9a07678a4c7f
25172715 OpenSSL libraries should have RUNPATH for libcrypto pairing 25668366 finish ecc: move openssl.5 to Userland and ship dependent components 24684497 openssl(5) corrections when Elliptic Curve Cryptography is enabled 25816900 openssl.5 in Userland 11.3 needs to be openssl.7 for packaging reasons
components/openssl/TESTING
components/openssl/common/patches/018-compiler_opts.patch
components/openssl/openssl-default/Makefile
components/openssl/openssl-default/files/openssl.5
components/openssl/openssl-default/openssl-default.p5m
components/openssl/openssl-fips-140/Makefile
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/TESTING	Fri Apr 21 13:46:39 2017 -0700
@@ -0,0 +1,18 @@
+Oracle Internal pre-integration test suite:
+
+Use the openssl test suite in the Solaris Test Collection (STC),
+found in the stcnv gate's usr/closed subdirectory.  The stc gates
+are in the same location as the ON gates, stcnv for 11.3, stc12 for 11.4.
+
+Packages are built and available for install from the gate (not the clone),
+as detailed in the README's for each suite.
+
+It is important to read and use the README in openssl test suite directory.
+
+Also, refer to the wanboot testing information in the README in this directory.
+
+Other testing may be required by reviewers based upon the nature of the changes
+being made.
+
+
+
--- a/components/openssl/common/patches/018-compiler_opts.patch	Wed Mar 15 10:30:53 2017 -0700
+++ b/components/openssl/common/patches/018-compiler_opts.patch	Fri Apr 21 13:46:39 2017 -0700
@@ -12,20 +12,24 @@
  my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o:::::::::::::void";
  my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o::void";
  my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
[email protected]@ -277,6 +278,21 @@
[email protected]@ -277,6 +278,25 @@
  #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
  "sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
  
 +#### Solaris configs, used for OpenSSL as delivered by S11.
-+"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/default:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +#
-+"solaris64-x86_64-cc-sunw","cc:-xO3 -m64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -lc:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR DES_PTR DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"solaris64-x86_64-cc-sunw","cc:-xO3 -m64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/default/64:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR DES_PTR DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++#
++"solaris-sparcv9-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -R /lib/openssl/default:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +#
-+"solaris-sparcv9-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"solaris64-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -R /lib/openssl/default/64:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/bin/ar rs::/64",
++"solaris-fips-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +#
-+"solaris64-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/bin/ar rs::/64",
-+"solaris-fips-sparcv9-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${fips_sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"solaris64-fips-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${fips_sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/bin/ar rs::/64",
++"solaris64-fips-x86_64-cc-sunw","cc:-xO3 -m64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140/64:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR DES_PTR DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++#
++"solaris-fips-sparcv9-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${fips_sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"solaris64-fips-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -R /lib/openssl/fips-140/64:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${fips_sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/bin/ar rs::/64",
 +# Option -xF=%all instructs the compiler to place functions and data
 +# variables into separate section fragments. This enables the link editor
 +# to discard unused sections and files when linking wanboot-openssl.o
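Review bot: The new `-R /lib/openssl/...` entries sit in the extra-libraries field of each target (after `-lsocket -lnsl -lc`), so they appear to reach every object linked through that field, libcrypto included, and nothing in the table says so. A short comment above the entries would help the next maintainer, for example `# -R gives libssl and the engines a RUNPATH to the matching libcrypto; the component Makefiles strip it from libcrypto itself`. The four directories are hard-coded here and have to stay in step with the install paths in the package manifests, which belongs in the same comment. Absolute paths rather than `$ORIGIN` look deliberate for libraries that privileged processes may load; if that is the reason, state it so a later cleanup does not swap them.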
--- a/components/openssl/openssl-default/Makefile	Wed Mar 15 10:30:53 2017 -0700
+++ b/components/openssl/openssl-default/Makefile	Fri Apr 21 13:46:39 2017 -0700
@@ -378,6 +378,15 @@
 COMPONENT_PRE_INSTALL_ACTION = ( $(MKDIR) $(MANDIR_SECTIONS); \
     $(MKDIR) $(PROTO_DIR)/usr/lib/$(MACH64); )
 
+# Remove unnecessary RUNPATH/RPATH for libcrypto.so.1.0.0
+COMPONENT_POST_INSTALL_ACTION.32 = \
+    $(ELFEDIT) -e "dyn:delete RUNPATH" -e "dyn:delete RPATH" \
+	$(BUILD_DIR_32)/libcrypto.so.1.0.0;
+COMPONENT_POST_INSTALL_ACTION.64 = \
+    $(ELFEDIT) -e "dyn:delete RUNPATH" -e "dyn:delete RPATH" \
+	$(BUILD_DIR_64)/libcrypto.so.1.0.0;
+COMPONENT_POST_INSTALL_ACTION += $(COMPONENT_POST_INSTALL_ACTION.$(BITS))
+
 # The install_docs target will install man pages into $(PROTO_DIR)/$(MANDIR). We
 # also add /usr/perl5/bin to PATH so that OpenSSL install code can locate the
 # system pod2man. If not set, OpenSSL make would use an internal implementation
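Review bot: The post-install action runs `$(ELFEDIT)` on `$(BUILD_DIR_32)/libcrypto.so.1.0.0` and `$(BUILD_DIR_64)/libcrypto.so.1.0.0`, the build-directory copies, after the install step has already run. The stripped file is therefore the shipped one only if the package manifest takes libcrypto from the build directory rather than the proto area, which is not visible in this hunk and should be confirmed. Nothing verifies the result either: a follow-up check that fails the build when `elfdump -d` still lists a RUNPATH or RPATH entry for libcrypto would catch a silent regression. The comment could also say why the entry is unnecessary, e.g. `# libcrypto is the pairing target and must not carry the RUNPATH that -R adds to every object`. The same points apply to the identical block added to components/openssl/openssl-fips-140/Makefile.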
@@ -423,3 +432,4 @@
 REQUIRED_PACKAGES += developer/build/makedepend
 REQUIRED_PACKAGES += network/rsync
 REQUIRED_PACKAGES += system/library
+REQUIRED_PACKAGES += system/linker
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-default/files/openssl.5	Fri Apr 21 13:46:39 2017 -0700
@@ -0,0 +1,217 @@
+'\" te
+.\" Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights          reserved.
+.TH openssl 7 "3 Mar 2017" "SunOS 5.11" "Standards, Environments, and Macros"
+.SH NAME
+openssl \- OpenSSL cryptographic and Secure Sockets Layer toolkit
+.SH DESCRIPTION
+.sp
+.LP
+OpenSSL is a cryptography toolkit that implements the Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS v1) network protocols.
+.sp
+.LP
+The following features are omitted  from  the  binaries  for issues  including but not limited to patents, trademark, and US export restrictions: IDEA, MDC2, RC3,  RC5, 4758_CCA Engine, AEP Engine, Atalla Engine, CAPI Engine, CHIL Engine, CSWIFT Engine, GMP Engine, GOST Engine, NURON  Engine, PadLock Engine, Sureware Engine, and UBSEC Engine.
+.SS "The Dynamic Engine Support"
+.sp
+.LP
+The dynamic engine support has been enabled, which enables an external engine, in the form of a shared library, to be dynamically bound and used by an OpenSSL-based application.
+.sp
+.LP
+Run the following command to see if the dynamic engine is supported:
+.sp
+.in +2
+.nf
+$openssl engine dynamic
+(dynamic) Dynamic engine loading support
+.fi
+.in -2
+.sp
+
+.SS "The PKCS#11 Engine"
+.sp
+.LP
+The PKCS#11 engine has been included with the ENGINE name \fBpkcs11\fR. The engine was developed within Oracle and is not integrated in the OpenSSL project.
+.sp
+.LP
+The PKCS#11 is a dynamic engine, and is configured to use the Oracle Solaris Cryptographic Framework. See \fBcryptoadm\fR(1M) for configuration information.
+.sp
+.LP
+The PKCS#11 engine can support the following set of mechanisms: \fBCKM_AES_CBC\fR, \fBCKM_AES_ECB\fR, \fBCKM_BLOWFISH_CBC\fR, \fBCKM_DES_CBC\fR, \fBCKM_DES_ECB\fR, \fBCKM_DES3_CBC\fR, \fBCKM_DES3_ECB\fR, \fBCKM_DSA\fR, \fBCKM_MD5\fR, \fBCKM_RC4\fR, \fBCKM_RSA_PKCS\fR, \fBCKM_RSA_X_509\fR, \fBCKM_SHA_1\fR, \fBCKM_SHA224\fR, \fBCKM_SHA256\fR, \fBCKM_SHA384\fR, \fBCKM_SHA512\fR, \fBCKM_SHA224_HMAC\fR, \fBCKM_SHA224_HMAC_GENERAL\fR, and \fBCKM_SHA224_KEY_DERIVATION\fR.
+.sp
+.LP
+The set of mechanisms available depends on installed Crypto Framework providers. To see what mechanisms can be offloaded to the Cryptographic Framework through the PKCS#11 engine on a given machine, run the following command:
+.sp
+.in +2
+.nf
+$ /usr/sfw/bin/openssl engine dynamic -pre
+SO_PATH:/lib/openssl/engines/64/libpk11.so -pre LOAD -t -c
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+In order to verify the use of the PKCS#11 engine and the use of hardware acceleration with the OpenSSL application, you must specify the EVP option. EVP stands for "EnVeloPE" API, which is the API applications such as Apache use to access OpenSSL cryptography. Use the EVP option to get the most accurate "openssl speed" results.
+.sp
+.in +2
+.nf
+$ \fB/usr/bin/openssl speed -evp aes-128-cbc -engine pkcs11\fR
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Due to the requirements of the PKCS#11 standard regarding \fBfork\fR(2) behavior, some applications that use the OpenSSL EVP interfaces and \fBfork()\fR function with active \fBcrypto\fR contexts might experience unexpected behavior.
+.SS "Using FIPS Mode"
+.sp
+.LP
+FIPS-140 capable OpenSSL is available in Oracle Solaris.
+.sp
+.LP
+The IPS package mediator feature is used to activate the non-FIPS-140 version or the FIPS-140 version of OpenSSL.
+.sp
+.LP
+By default, the non-FIPS-140 version (\fBdefault\fR implementation) is activated. Use the \fBpkg set-mediator\fR command to switch to the FIPS-140 version of OpenSSL. Before switching to the \fBfips-140\fR implementation, ensure that the \fBfips-140\fR implementation exists in the list shown by the \fBpkg mediator -a openssl\fR command. Otherwise, the system might become unusable.
+.sp
+.in +2
+.nf
+# \fBpkg set-mediator -I fips-140 openssl\fR
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+To switch back to the default non-FIPS-140 version, use the following command:
+.sp
+.in +2
+.nf
+# \fBpkg set-mediator -I default openssl\fR
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+It is recommended to perform the mediator implementation change in an alternate BE.
+.sp
+.LP
+For more information, see \fIManaging Encryption and Certificates in Oracle Solaris 11.3\fR.
+.sp
+.LP
+When the FIPS-140 version of OpenSSL is activated, an application can run in FIPS-140 mode or non-FIPS-140 mode. An application must explicitly call \fBFIPS_mode_set()\fR in order to activate FIPS-140 mode.
+.SS "Building an OpenSSL Application"
+.sp
+.LP
+To build an OpenSSL application, use the following \fBcc\fR command line options:
+.sp
+.in +2
+.nf
+cc [ \fIflag\fR... ] \fIfile\fR... -lcrypto -lssl [ \fIlibrary\fR... ]
+.fi
+.in -2
+
+.SS "Accessing RSA Keys in PKCS#11 Keystores"
+.sp
+.LP
+OpenSSL can access RSA keys in PKCS#11 keystores using the following functions of the ENGINE API: 
+.sp
+.in +2
+.nf
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e,
+ const char *key_id, UI_METHOD *ui_method,
+ void *callback_data)
+
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e,
+ const char *key_id, UI_METHOD *ui_method,
+ void *callback_data)
+.fi
+.in -2
+
+.sp
+.LP
+\fBkey_id\fR, formerly for filenames only, can be now also set to a \fBPKCS#11 URI\fR. The \fBEVP_PKEY\fR structure is newly allocated and caller is responsible to free the structure later. To avoid clashes with existing filenames, \fBfile://\fR prefix for filenames is now also accepted but only when the PKCS#11 engine is in use. The PKCS#11 URI specification follows:
+.sp
+.in +2
+.nf
+pkcs11:[token=<label>][:manuf=<label>][;serial=<label>]
+   [;model=<label>][;object=<label>]
+   [;objecttype=(public|private|cert)]
+   [;passphrasedialog=(builtin|exec:<file>)]
+.fi
+.in -2
+
+.sp
+.LP
+The ordering of keywords is not significant. The PKCS#11 engine uses the keystore for the slot chosen for public key operations, which is \fBmetaslot\fR on a standard configured machine. Currently, the PKCS#11 engine ignores the \fBobjecttype\fR keyword. The only mandatory keyword is \fBobject\fR which is the key object label. For information on how to use a different, possibly hardware, keystore with \fBmetaslot\fR, see \fBlibpkcs11\fR(3LIB).
+.sp
+.LP
+The token PIN is provided by way of the \fBpassphrasedialog\fR keyword and is either read from the terminal (\fBbuiltin\fR) or from the output of an external command (\fBexec:<file>\fR). The PIN is used to log into the token and by default is deleted from the memory then. The keyword \fBpin\fR is intentionally not provided due to inherent security problems of possible use of a password in the process arguments.
+.sp
+.LP
+Due to fork safety issues the application must re-login if the child continues to use the PKCS#11 engine. It is done inside of the engine automatically if fork is detected and in that case, \fBexec:<file>\fR option of the \fBpassphrasedialog\fR keyword can be used. Alternatively, an environment variable \fBOPENSSL_PKCS11_PIN_CACHING_POLICY\fR can be used to allow the PIN to be cached in memory and reused in the child. It can be set to \fBnone\fR which is the default, \fBmemory\fR to store the PIN in memory, and \fBmlocked-memory\fR to keep the PIN in a locked page using \fBmlock\fR(3C). \fBPRIV_PROC_LOCK_MEMORY\fR privilege is required in that case.
+.sp
+.LP
+Sensitive parts of private keys are never read from the token to the process memory no matter whether the key is tagged with sensitive flag or not. The PKCS#11 engine uses the public components as a search key to get a PKCS#11 object handle to the private key.
+.sp
+.LP
+To use the RSA keys by reference, high level API functions such as \fBRSA_public_decrypt()\fR, \fBEVP_PKEY_set1_RSA()\fR, or \fBEVP_SignInit()\fR must be used. Low level functions might go around the engine and fail to make use of the feature.
+.SS "OpenSSL Thread and Fork Safety"
+.sp
+.LP
+OpenSSL provides an interface \fBCRYPTO_set_locking_callback()\fR for any consumers to set its own locking callback function. However, setting of the callback function by a library can lead to segmentation fault, if the library is unloaded while other parts of the stack are still using OpenSSL.
+.sp
+.LP
+In order to prevent this issue, OpenSSL on Solaris sets up the mutexes and the locking callback function internally within OpenSSL. An application or library might still call \fBCRYPTO_set_locking_callback()\fR, but setting of their own callback function will be ignored.
+.SS "Additional Documentation"
+.sp
+.LP
+Extensive additional documentation for OpenSSL modules is available in the \fB/usr/share/man/man1openssl\fR, \fB/usr/share/man/man3openssl\fR, \fB/usr/share/man/man5openssl\fR, and \fB/usr/share/man/man7openssl\fR directories.
+.sp
+.LP
+To view the license terms, attribution, and copyright for OpenSSL, run \fBpkg info --license library/security/openssl\fR.
+.SH EXAMPLES
+.LP
+\fBExample 1 \fRGenerating and Printing a Public Key
+.sp
+.LP
+The following example generates and prints a public key stored in an already initialized PKCS#11 keystore. Notice the use of \fB-engine pkcs11\fR and \fB-inform e\fR.
+
+.sp
+.in +2
+.nf
+$ pktool gencert keystore=pkcs11 label=mykey \e
+   subject="CN=test" keytype=rsa keylen=1024 serial=01
+$ openssl rsa -in "pkcs11:object=mykey;passphrasedialog=builtin"\e
+   -pubout -text -engine pkcs11 -inform e
+.fi
+.in -2
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for a description of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i) 
+lw(2.75i) |lw(2.75i) 
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+AvailabilityT{
+library/security/openssl, library/security/openssl
+T}
+_
+Interface StabilityCommitted
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBcrle\fR(1), \fBcryptoadm\fR(1M), \fBlibpkcs11\fR(3LIB), \fBattributes\fR(5), \fBprivileges\fR(5)
+.sp
+.LP
+\fB/usr/share/man/man1openssl/openssl.1openssl\fR, \fB/usr/share/man/man1openssl/CRYPTO_num_locks.3openssl\fR, \fB/usr/share/man/man3openssl/engine.3\fR, \fB/usr/share/man/man3openssl/evp.3\fR
--- a/components/openssl/openssl-default/openssl-default.p5m	Wed Mar 15 10:30:53 2017 -0700
+++ b/components/openssl/openssl-default/openssl-default.p5m	Fri Apr 21 13:46:39 2017 -0700
@@ -2219,6 +2219,12 @@
 file path=usr/share/man/man3openssl/x509.3openssl
 file path=usr/share/man/man5openssl/config.5openssl
 file path=usr/share/man/man5openssl/x509v3_config.5openssl
+# openssl.7 is pre-Solarified, so bypass the mangler.
+# Because it needs to be installed in the CBE, it cannot be
+# openssl.5, changing to openssl.7 to match the future
+# and avoid CBE conflict with the old openssl.5
+file files/openssl.5 path=usr/share/man/man7/openssl.7 \
+    mangler.bypass=true
 file path=usr/share/man/man7openssl/des_modes.7openssl
 legacy pkg=SUNWopensslr desc="OpenSSL Libraries (Root)" \
     name="OpenSSL Libraries (Root)"
--- a/components/openssl/openssl-fips-140/Makefile	Wed Mar 15 10:30:53 2017 -0700
+++ b/components/openssl/openssl-fips-140/Makefile	Fri Apr 21 13:46:39 2017 -0700
@@ -120,9 +120,9 @@
 
 # We define our own compiler and linker option sets for Solaris. See Configure
 # for more information.
-CONFIGURE_OPTIONS32_i386 =	solaris-x86-cc-sunw
+CONFIGURE_OPTIONS32_i386 =      solaris-fips-x86-cc-sunw
 CONFIGURE_OPTIONS32_sparc =	solaris-fips-sparcv9-cc-sunw
-CONFIGURE_OPTIONS64_i386 =	solaris64-x86_64-cc-sunw
+CONFIGURE_OPTIONS64_i386 =      solaris64-fips-x86_64-cc-sunw
 CONFIGURE_OPTIONS64_sparc =	solaris64-fips-sparcv9-cc-sunw
 
 # Some additional options needed for our engines.
@@ -180,6 +180,15 @@
 # libraries.
 COMPONENT_PRE_INSTALL_ACTION = ( $(MKDIR) $(PROTO_DIR)/usr/lib/$(MACH64); )
 
+# Remove unnecessary RUNPATH/RPATH for libcrypto.so.1.0.0
+COMPONENT_POST_INSTALL_ACTION.32 = \
+    $(ELFEDIT) -e "dyn:delete RUNPATH" -e "dyn:delete RPATH" \
+        $(BUILD_DIR_32)/libcrypto.so.1.0.0;
+COMPONENT_POST_INSTALL_ACTION.64 = \
+    $(ELFEDIT) -e "dyn:delete RUNPATH" -e "dyn:delete RPATH" \
+        $(BUILD_DIR_64)/libcrypto.so.1.0.0;
+COMPONENT_POST_INSTALL_ACTION += $(COMPONENT_POST_INSTALL_ACTION.$(BITS))
+
 $(SOURCE_DIR)/.prep: $(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \
 		     $(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed
 
@@ -214,3 +223,4 @@
 REQUIRED_PACKAGES += developer/build/makedepend
 REQUIRED_PACKAGES += network/rsync
 REQUIRED_PACKAGES += system/library
+REQUIRED_PACKAGES += system/linker