19823263 Upgrade OpenSSL to 1.0.1j s11-update
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Thu, 16 Oct 2014 16:50:39 -0700
branchs11-update
changeset 3396 2865c45ffb48
parent 3395 f071896dc0e3
child 3399 ac7c3a176aeb
19823263 Upgrade OpenSSL to 1.0.1j 19823177 problem in LIBRARY/OPENSSL 19823193 problem in LIBRARY/OPENSSL 19823202 problem in LIBRARY/OPENSSL 19823212 problem in LIBRARY/OPENSSL
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m
components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch
components/openssl/openssl-1.0.1/Makefile
components/openssl/openssl-1.0.1/openssl-1.0.1.p5m
components/openssl/openssl-1.0.1/patches/30_wanboot.patch
components/openssl/openssl-1.0.1/patches/36_evp_leak.patch
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Thu Oct 16 15:24:49 2014 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Thu Oct 16 16:50:39 2014 -0700
@@ -29,14 +29,14 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.1i
+COMPONENT_VERSION =	1.0.1j
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7
+    sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m	Thu Oct 16 15:24:49 2014 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m	Thu Oct 16 16:50:39 2014 -0700
@@ -34,7 +34,7 @@
 set name=pkg.human-version value=$(COMPONENT_VERSION)
 set name=com.oracle.info.description \
     value="the FIPS 140-2 Capable OpenSSL libraries"
-set name=com.oracle.info.tpno value=18553
+set name=com.oracle.info.tpno value=19492
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
--- a/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch	Thu Oct 16 15:24:49 2014 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch	Thu Oct 16 16:50:39 2014 -0700
@@ -2,7 +2,7 @@
 
 --- openssl-1.0.1f/crypto/evp/evp_enc.c.orig	Mon Feb 11 07:26:04 2013
 +++ openssl-1.0.1f/crypto/evp/evp_enc.c	Mon Feb  3 16:40:48 2014
[email protected]@ -393,10 +393,14 @@
[email protected]@ -394,10 +394,14 @@
  		{
  		ret = M_do_cipher(ctx, out, NULL, 0);
  		if (ret < 0)
@@ -19,7 +19,7 @@
  		}
  
  	b=ctx->cipher->block_size;
[email protected]@ -404,7 +408,8 @@
[email protected]@ -405,7 +409,8 @@
  	if (b == 1)
  		{
  		*outl=0;
@@ -29,7 +29,7 @@
  		}
  	bl=ctx->buf_len;
  	if (ctx->flags & EVP_CIPH_NO_PADDING)
[email protected]@ -412,10 +417,12 @@
[email protected]@ -413,10 +418,12 @@
  		if(bl)
  			{
  			EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
@@ -44,7 +44,7 @@
  		}
  
  	n=b-bl;
[email protected]@ -427,6 +434,12 @@
[email protected]@ -428,6 +435,12 @@
  	if(ret)
  		*outl=b;
  
@@ -57,82 +57,70 @@
  	return ret;
  	}
  
[email protected]@ -500,7 +513,7 @@
- 
[email protected]@ -502,6 +515,7 @@
  int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
  	{
--	int i,n;
-+	int i,n,ret = 1;
- 	unsigned int b;
+ 	unsigned int i, b;
++	int err = 1;
+         unsigned char pad, padding_good;
  	*outl=0;
  
[email protected]@ -508,10 +521,14 @@
[email protected]@ -509,10 +522,14 @@
  		{
- 		i = M_do_cipher(ctx, out, NULL, 0);
- 		if (i < 0)
+ 		int ret = M_do_cipher(ctx, out, NULL, 0);
+ 		if (ret < 0)
 -			return 0;
 +			{
-+			ret = 0;
++			err = 0;
 +			goto cleanup;
 +			}
  		else
- 			*outl = i;
+ 			*outl = ret;
 -		return 1;
-+		ret = 1;
++		err = 1;
 +		goto cleanup;
  		}
  
- 	b=ctx->cipher->block_size;
[email protected]@ -520,10 +537,12 @@
+ 	b=(unsigned int)(ctx->cipher->block_size);
[email protected]@ -521,10 +538,12 @@
  		if(ctx->buf_len)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
 -			return 0;
-+			ret = 0;
++			err = 0;
 +			goto cleanup;
  			}
  		*outl = 0;
 -		return 1;
-+		ret = 1;
++		err = 1;
 +		goto cleanup;
  		}
  	if (b > 1)
  		{
[email protected]@ -530,7 +549,8 @@
[email protected]@ -531,7 +550,8 @@
  		if (ctx->buf_len || !ctx->final_used)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
 -			return(0);
-+			ret = 0;
++			err = 0;
 +			goto cleanup;
  			}
  		OPENSSL_assert(b <= sizeof ctx->final);
- 		n=ctx->final[b-1];
[email protected]@ -537,7 +557,8 @@
- 		if (n == 0 || n > (int)b)
- 			{
- 			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
--			return(0);
-+			ret = 0;
-+			goto cleanup;
- 			}
- 		for (i=0; i<n; i++)
- 			{
[email protected]@ -544,7 +565,8 @@
- 			if (ctx->final[--b] != n)
- 				{
- 				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
--				return(0);
-+				ret = 0;
-+				goto cleanup;
- 				}
- 			}
- 		n=ctx->cipher->block_size-n;
[email protected]@ -554,7 +576,14 @@
+ 		pad=ctx->final[b-1];
[email protected]@ -555,13 +577,22 @@
+ 			out[i] = ctx->final[i] & padding_good;
+ 		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
+ 		*outl = padding_good & ((unsigned char)(b - pad));
+-		return padding_good & 1;
++		err = padding_good & 1;
++		goto cleanup;
  		}
  	else
- 		*outl=0;
--	return(1);
+ 		{
+ 		*outl = 0;
+-		return 1;
++		err = 1;
+ 		}
 +
 +cleanup:
 +	if (ctx->cipher->cleanup)
@@ -140,7 +128,7 @@
 +		ctx->cipher->cleanup(ctx);
 +		}
 +
-+	return ret;
++	return err;
  	}
  
  void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
--- a/components/openssl/openssl-1.0.1/Makefile	Thu Oct 16 15:24:49 2014 -0700
+++ b/components/openssl/openssl-1.0.1/Makefile	Thu Oct 16 16:50:39 2014 -0700
@@ -28,15 +28,15 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.1i
+COMPONENT_VERSION =	1.0.1j
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.9
+IPS_COMPONENT_VERSION = 1.0.1.10
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7
+    sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
 
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m	Thu Oct 16 15:24:49 2014 -0700
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m	Thu Oct 16 16:50:39 2014 -0700
@@ -30,7 +30,7 @@
     value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
 set name=pkg.human-version value=$(COMPONENT_VERSION)
 set name=com.oracle.info.description value=OpenSSL
-set name=com.oracle.info.tpno value=18553
+set name=com.oracle.info.tpno value=19492
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
@@ -703,7 +703,7 @@
 link path=usr/share/man/man3openssl/CMS_SignerInfo_get0_signer_id.3openssl \
     target=CMS_get0_SignerInfos.3openssl
 link path=usr/share/man/man3openssl/CMS_SignerInfo_sign.3openssl \
-    target=CMS_sign_add1_signer.3openssl
+    target=CMS_add1_signer.3openssl
 file path=usr/share/man/man3openssl/CMS_add0_cert.3openssl
 link path=usr/share/man/man3openssl/CMS_add0_crl.3openssl \
     target=CMS_add0_cert.3openssl
@@ -714,6 +714,7 @@
 link path=usr/share/man/man3openssl/CMS_add1_cert.3openssl \
     target=CMS_add0_cert.3openssl
 file path=usr/share/man/man3openssl/CMS_add1_recipient_cert.3openssl
+file path=usr/share/man/man3openssl/CMS_add1_signer.3openssl
 file path=usr/share/man/man3openssl/CMS_compress.3openssl
 file path=usr/share/man/man3openssl/CMS_decrypt.3openssl
 file path=usr/share/man/man3openssl/CMS_encrypt.3openssl
@@ -733,7 +734,6 @@
 link path=usr/share/man/man3openssl/CMS_set1_signer_certs.3openssl \
     target=CMS_get0_SignerInfos.3openssl
 file path=usr/share/man/man3openssl/CMS_sign.3openssl
-file path=usr/share/man/man3openssl/CMS_sign_add1_signer.3openssl
 file path=usr/share/man/man3openssl/CMS_sign_receipt.3openssl
 file path=usr/share/man/man3openssl/CMS_uncompress.3openssl
 file path=usr/share/man/man3openssl/CMS_verify.3openssl
--- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch	Thu Oct 16 15:24:49 2014 -0700
+++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch	Thu Oct 16 16:50:39 2014 -0700
@@ -241,7 +241,7 @@
  	return(ret);
  	}
  
-+#ifndef        _BOOT
++#ifndef	_BOOT
  int RAND_write_file(const char *file)
  	{
  	unsigned char buf[BUFSIZE];
@@ -425,3 +425,17 @@
  
  		/* Do the message type and length last */
  		d=p= &(buf[4]);
+--- openssl-1.0.1f/ssl/s3_lib.c       Wed Oct 15 11:18:30 2014
++++ openssl-1.0.1f/ssl/s3_lib.c.new    Wed Oct 15 11:20:07 2014
[email protected]@ -3364,7 +3364,11 @@
+ 			return 1;
+ 		/* Apparently we're using a version-flexible SSL_METHOD
+ 		 * (not at its highest protocol version). */
++#ifndef	_BOOT
+ 		if (s->ctx->method->version == SSLv23_method()->version)
++#else
++		if (s->ctx->method->version == TLS1_2_VERSION)
++#endif
+ 			{
+ #if TLS_MAX_VERSION != TLS1_2_VERSION
+ #  error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
--- a/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch	Thu Oct 16 15:24:49 2014 -0700
+++ b/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch	Thu Oct 16 16:50:39 2014 -0700
@@ -2,7 +2,7 @@
 
 --- openssl-1.0.1f/crypto/evp/evp_enc.c.orig	Mon Feb 11 07:26:04 2013
 +++ openssl-1.0.1f/crypto/evp/evp_enc.c	Mon Feb  3 16:40:48 2014
[email protected]@ -393,10 +393,14 @@
[email protected]@ -394,10 +394,14 @@
  		{
  		ret = M_do_cipher(ctx, out, NULL, 0);
  		if (ret < 0)
@@ -19,7 +19,7 @@
  		}
  
  	b=ctx->cipher->block_size;
[email protected]@ -404,7 +408,8 @@
[email protected]@ -405,7 +409,8 @@
  	if (b == 1)
  		{
  		*outl=0;
@@ -29,7 +29,7 @@
  		}
  	bl=ctx->buf_len;
  	if (ctx->flags & EVP_CIPH_NO_PADDING)
[email protected]@ -412,10 +417,12 @@
[email protected]@ -413,10 +418,12 @@
  		if(bl)
  			{
  			EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
@@ -44,7 +44,7 @@
  		}
  
  	n=b-bl;
[email protected]@ -427,6 +434,12 @@
[email protected]@ -428,6 +435,12 @@
  	if(ret)
  		*outl=b;
  
@@ -57,82 +57,70 @@
  	return ret;
  	}
  
[email protected]@ -500,7 +513,7 @@
- 
[email protected]@ -502,6 +515,7 @@
  int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
  	{
--	int i,n;
-+	int i,n,ret = 1;
- 	unsigned int b;
+ 	unsigned int i, b;
++	int err = 1;
+         unsigned char pad, padding_good;
  	*outl=0;
  
[email protected]@ -508,10 +521,14 @@
[email protected]@ -509,10 +522,14 @@
  		{
- 		i = M_do_cipher(ctx, out, NULL, 0);
- 		if (i < 0)
+ 		int ret = M_do_cipher(ctx, out, NULL, 0);
+ 		if (ret < 0)
 -			return 0;
 +			{
-+			ret = 0;
++			err = 0;
 +			goto cleanup;
 +			}
  		else
- 			*outl = i;
+ 			*outl = ret;
 -		return 1;
-+		ret = 1;
++		err = 1;
 +		goto cleanup;
  		}
  
- 	b=ctx->cipher->block_size;
[email protected]@ -520,10 +537,12 @@
+ 	b=(unsigned int)(ctx->cipher->block_size);
[email protected]@ -521,10 +538,12 @@
  		if(ctx->buf_len)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
 -			return 0;
-+			ret = 0;
++			err = 0;
 +			goto cleanup;
  			}
  		*outl = 0;
 -		return 1;
-+		ret = 1;
++		err = 1;
 +		goto cleanup;
  		}
  	if (b > 1)
  		{
[email protected]@ -530,7 +549,8 @@
[email protected]@ -531,7 +550,8 @@
  		if (ctx->buf_len || !ctx->final_used)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
 -			return(0);
-+			ret = 0;
++			err = 0;
 +			goto cleanup;
  			}
  		OPENSSL_assert(b <= sizeof ctx->final);
- 		n=ctx->final[b-1];
[email protected]@ -537,7 +557,8 @@
- 		if (n == 0 || n > (int)b)
- 			{
- 			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
--			return(0);
-+			ret = 0;
-+			goto cleanup;
- 			}
- 		for (i=0; i<n; i++)
- 			{
[email protected]@ -544,7 +565,8 @@
- 			if (ctx->final[--b] != n)
- 				{
- 				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
--				return(0);
-+				ret = 0;
-+				goto cleanup;
- 				}
- 			}
- 		n=ctx->cipher->block_size-n;
[email protected]@ -554,7 +576,14 @@
+ 		pad=ctx->final[b-1];
[email protected]@ -555,13 +577,22 @@
+ 			out[i] = ctx->final[i] & padding_good;
+ 		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
+ 		*outl = padding_good & ((unsigned char)(b - pad));
+-		return padding_good & 1;
++		err = padding_good & 1;
++		goto cleanup;
  		}
  	else
- 		*outl=0;
--	return(1);
+ 		{
+ 		*outl = 0;
+-		return 1;
++		err = 1;
+ 		}
 +
 +cleanup:
 +	if (ctx->cipher->cleanup)
@@ -140,7 +128,7 @@
 +		ctx->cipher->cleanup(ctx);
 +		}
 +
-+	return ret;
++	return err;
  	}
  
  void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)