--- a/components/openssl/openssl-1.0.1-fips-140/Makefile Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Wed Jan 15 12:21:47 2014 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
#
export PARFAIT_BUILD=no
@@ -29,14 +29,14 @@
COMPONENT_NAME = openssl-fips-140
# Note that this is the OpenSSL version that is used to build FIPS-140 certified
# libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION = 1.0.1e
-IPS_COMPONENT_VERSION = 2.0.5
+COMPONENT_VERSION = 1.0.1f
+IPS_COMPONENT_VERSION = 2.0.6
COMPONENT_PROJECT_URL= http://www.openssl.org/
COMPONENT_SRC_NAME = openssl
COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
+ sha256:6cc2a80b17d64de6b7bac985745fdaba971d54ffd7d38d3556f998d7c0c9cb5a
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= utility/openssl
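Review bot: `IPS_COMPONENT_VERSION` moves from 2.0.5 to 2.0.6 here, but the comment above `COMPONENT_VERSION` says the IPS version tracks the FIPS canister version, and nothing in this hunk changes a canister source or digest. If the canister is built from a separate component that is still at 2.0.5, the package would advertise a module version that differs from what is linked in. That matters wherever an installed package is checked against a FIPS 140-2 validation record. Either confirm the canister moved to 2.0.6 in the same change set, or extend the comment, for example `# IPS_COMPONENT_VERSION must equal the version of the FIPS canister linked into these libraries`.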
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Wed Jan 15 12:21:47 2014 -0800
@@ -27,7 +27,8 @@
set name=pkg.human-version value=$(COMPONENT_VERSION)
set name=pkg.summary value="FIPS 140-2 Capable OpenSSL libraries"
set name=com.oracle.info.description value="the FIPS 140-2 Capable OpenSSL libraries"
-set name=com.oracle.info.tpno value=13019
+# TPNO number for the new component is not yet available (bug #18071490)
+# set name=com.oracle.info.tpno value=
set name=info.classification \
value="org.opensolaris.category.2008:System/Security"
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
--- a/components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch Wed Jan 15 12:21:47 2014 -0800
@@ -1,6 +1,6 @@
--- openssl-0.9.8m/apps/openssl.c Thu Oct 15 19:28:02 2009
+++ openssl-0.9.8m/apps/openssl.c Fri Feb 26 16:12:30 2010
-@@ -133,6 +133,9 @@
+@@ -134,6 +134,9 @@
#include <openssl/fips.h>
#endif
@@ -10,7 +10,7 @@
/* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
* base prototypes (we cast each variable inside the function to the required
* type of "FUNCTION*"). This removes the necessity for macro-generated wrapper
-@@ -152,9 +155,10 @@
+@@ -153,9 +156,10 @@
#endif
@@ -22,7 +22,7 @@
const char *errstr = NULL;
int rw;
-@@ -165,7 +169,7 @@
+@@ -166,7 +170,7 @@
goto err;
}
@@ -31,7 +31,7 @@
{
errstr = "type out of bounds";
goto err;
-@@ -310,6 +314,14 @@
+@@ -311,6 +315,14 @@
if (getenv("OPENSSL_DEBUG_LOCKING") != NULL)
#endif
{
@@ -46,7 +46,7 @@
CRYPTO_set_locking_callback(lock_dbg_cb);
}
-@@ -313,18 +325,28 @@
+@@ -314,18 +326,28 @@
CRYPTO_set_locking_callback(lock_dbg_cb);
}
--- a/components/openssl/openssl-1.0.1-fips-140/patches/31_dtls_version.patch Wed Jan 15 11:48:34 2014 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- openssl-1.0.1e/ssl/s3_cbc.c 2013-02-14 08:06:58.000000000 -0800
-+++ openssl-1.0.1e/ssl/s3_cbc.c.orig 2013-02-14 03:04:08.440194448 -0700
-@@ -148,7 +148,7 @@
- unsigned padding_length, good, to_check, i;
- const unsigned overhead = 1 /* padding length byte */ + mac_size;
- /* Check if version requires explicit IV */
-- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- {
- /* These lengths are all public so we can test them in
- * non-constant time.
--- a/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch Wed Jan 15 12:21:47 2014 -0800
@@ -166,7 +166,7 @@
}
static int check_revocation(X509_STORE_CTX *ctx)
-@@ -1591,6 +1630,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
+@@ -1602,6 +1641,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
xs=xi;
else
{
--- a/components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch Wed Jan 15 12:21:47 2014 -0800
@@ -3,7 +3,7 @@
$ diff -ru ssl/t1_enc.c ssl/t1_enc.c
--- t1_enc.c.orig Tue Dec 10 15:36:05 2013
+++ t1_enc.c Wed Dec 11 09:29:02 2013
-@@ -980,7 +980,10 @@
+@@ -986,7 +986,10 @@
}
else
{
--- a/components/openssl/openssl-1.0.1/Makefile Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/Makefile Wed Jan 15 12:21:47 2014 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
#
include ../../../make-rules/shared-macros.mk
@@ -28,15 +28,15 @@
# When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too.
# For more information about wanboot-openssl testing, please refer to
# ../README.
-COMPONENT_VERSION = 1.0.1e
+COMPONENT_VERSION = 1.0.1f
# Version for IPS. It is easier to do it manually than convert the letter to a
# number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.5
+IPS_COMPONENT_VERSION = 1.0.1.6
COMPONENT_PROJECT_URL= http://www.openssl.org/
COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
+ sha256:6cc2a80b17d64de6b7bac985745fdaba971d54ffd7d38d3556f998d7c0c9cb5a
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= utility/openssl
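Review bot: The new `COMPONENT_ARCHIVE_HASH` is the only integrity control on this tarball, because `COMPONENT_ARCHIVE_URL` is derived from the plain-`http://` `COMPONENT_PROJECT_URL`, and the hunk does not record where the digest came from. The pin protects later builds only if the value was checked against upstream's signed release, rather than computed from a copy fetched over the same unauthenticated link. A one-line comment above the hash would capture that, e.g. `# sha256 checked against the upstream detached PGP signature for this release`. components/openssl/openssl-1.0.1-fips-140/Makefile pins the same digest under the same URL and needs the same comment.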
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Wed Jan 15 12:21:47 2014 -0800
@@ -29,7 +29,8 @@
value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
set name=pkg.summary value="OpenSSL - a Toolkit for Secure Sockets Layer (SSL v2/v3) and Transport Layer (TLS v1) protocols and general purpose cryptographic library"
set name=com.oracle.info.description value="OpenSSL"
-set name=com.oracle.info.tpno value=13003
+# TPNO number for the new component is not yet available (bug #18071490)
+# set name=com.oracle.info.tpno value=
set name=info.classification \
value="org.opensolaris.category.2008:System/Security"
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
--- a/components/openssl/openssl-1.0.1/patches/31_dtls_version.patch Wed Jan 15 11:48:34 2014 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- openssl-1.0.1e/ssl/s3_cbc.c 2013-02-14 08:06:58.000000000 -0800
-+++ openssl-1.0.1e/ssl/s3_cbc.c.orig 2013-02-14 03:04:08.440194448 -0700
-@@ -148,7 +148,7 @@
- unsigned padding_length, good, to_check, i;
- const unsigned overhead = 1 /* padding length byte */ + mac_size;
- /* Check if version requires explicit IV */
-- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- {
- /* These lengths are all public so we can test them in
- * non-constant time.
--- a/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch Wed Jan 15 12:21:47 2014 -0800
@@ -166,7 +166,7 @@
}
static int check_revocation(X509_STORE_CTX *ctx)
-@@ -1591,6 +1630,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
+@@ -1602,6 +1641,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
xs=xi;
else
{
--- a/components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch Wed Jan 15 12:21:47 2014 -0800
@@ -3,7 +3,7 @@
$ diff -ru ssl/t1_enc.c ssl/t1_enc.c
--- t1_enc.c.orig Tue Dec 10 15:36:05 2013
+++ t1_enc.c Wed Dec 11 09:29:02 2013
-@@ -980,7 +980,10 @@
+@@ -986,7 +986,10 @@
}
else
{
--- a/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Wed Jan 15 12:21:47 2014 -0800
@@ -519,7 +519,7 @@
diff -ru openssl-1.0.1e/crypto/sha/Makefile openssl-1.0.1e/crypto/sha/Makefile
--- openssl-1.0.1e/crypto/sha/Makefile 2011-05-24 17:02:24.000000000 -0700
+++ openssl-1.0.1e/crypto/sha/Makefile 2011-07-27 10:48:17.817470000 -0700
-@@ -66,9 +66,9 @@
+@@ -68,9 +68,9 @@
sha1-x86_64.s: asm/sha1-x86_64.pl; $(PERL) asm/sha1-x86_64.pl $(PERLASM_SCHEME) > $@
sha256-x86_64.s:asm/sha512-x86_64.pl; $(PERL) asm/sha512-x86_64.pl $(PERLASM_SCHEME) $@
sha512-x86_64.s:asm/sha512-x86_64.pl; $(PERL) asm/sha512-x86_64.pl $(PERLASM_SCHEME) $@
@@ -1191,7 +1191,7 @@
#ifdef KSSL_DEBUG
{
int i;
-@@ -132,10 +152,16 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+@@ -132,10 +154,16 @@
printf("\n");
}
#endif /* KSSL_DEBUG */
@@ -1201,7 +1201,7 @@
+ return 1;
+ }
+
- if (inl>=EVP_MAXCHUNK)
+ while (inl>=EVP_MAXCHUNK)
{
DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
- &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -2221,16 +2221,16 @@
CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
(block128_f)vpaes_encrypt);
gctx->ctr = NULL;
-@@ -846,7 +1220,7 @@
- break;
- }
+@@ -849,7 +1223,7 @@
#endif
+ (void)0; /* terminate potentially open 'else' */
+
- AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
+ AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
#ifdef AES_CTR_ASM
gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
-@@ -1077,17 +1451,17 @@
+@@ -1080,17 +1454,17 @@
{
if (enc)
{
@@ -2245,14 +2245,14 @@
xctx->xts.block1 = (block128_f)vpaes_decrypt;
}
- vpaes_set_encrypt_key(key + ctx->key_len/2,
+ vpaes_set_encrypt_key(key + ctx->key_len/2,
- ctx->key_len * 4, &xctx->ks2);
+ ctx->key_len * 4, &xctx->ks2.ks);
- xctx->xts.block2 = (block128_f)vpaes_encrypt;
+ xctx->xts.block2 = (block128_f)vpaes_encrypt;
- xctx->xts.key1 = &xctx->ks1;
-@@ -1096,17 +1470,17 @@
- #endif
+ xctx->xts.key1 = &xctx->ks1;
+@@ -1102,17 +1476,17 @@
+
if (enc)
{
- AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
@@ -2272,7 +2272,7 @@
xctx->xts.block2 = (block128_f)AES_encrypt;
xctx->xts.key1 = &xctx->ks1;
-@@ -1217,7 +1591,7 @@
+@@ -1223,7 +1597,7 @@
#ifdef VPAES_CAPABLE
if (VPAES_CAPABLE)
{
@@ -2281,7 +2281,7 @@
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
&cctx->ks, (block128_f)vpaes_encrypt);
cctx->str = NULL;
-@@ -1225,7 +1599,7 @@
+@@ -1231,7 +1605,7 @@
break;
}
#endif
@@ -2290,7 +2290,7 @@
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
&cctx->ks, (block128_f)AES_encrypt);
cctx->str = NULL;
-@@ -1313,5 +1687,4 @@
+@@ -1319,5 +1693,4 @@
BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)