18024740 problem in UTILITY/OPENSSL
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Wed, 15 Jan 2014 12:21:47 -0800
changeset 1641 2fc479afcf70
parent 1640 849c16a5333c
child 1642 f01331e7331a
18024740 problem in UTILITY/OPENSSL
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m
components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch
components/openssl/openssl-1.0.1-fips-140/patches/31_dtls_version.patch
components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch
components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch
components/openssl/openssl-1.0.1/Makefile
components/openssl/openssl-1.0.1/openssl-1.0.1.p5m
components/openssl/openssl-1.0.1/patches/31_dtls_version.patch
components/openssl/openssl-1.0.1/patches/33_cert_chain.patch
components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch
components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Wed Jan 15 12:21:47 2014 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
 #
 export PARFAIT_BUILD=no
 
@@ -29,14 +29,14 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.1e
-IPS_COMPONENT_VERSION = 2.0.5
+COMPONENT_VERSION =	1.0.1f
+IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
+    sha256:6cc2a80b17d64de6b7bac985745fdaba971d54ffd7d38d3556f998d7c0c9cb5a
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/openssl
 
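Review bot: The new `COMPONENT_ARCHIVE_HASH` value is the only integrity control visible in this hunk for a tarball fetched from the plain-`http://` `COMPONENT_PROJECT_URL`, and nothing records how the digest was obtained. I would add a comment above it such as `# sha256 checked against the upstream PGP-signed release before pinning`, or have the build verify the detached signature, so the pin is more than a hash of whatever was downloaded. The same applies to the identical hash change in components/openssl/openssl-1.0.1/Makefile. Separately, the comment above says the IPS package uses the FIPS canister version, yet `IPS_COMPONENT_VERSION` moves from 2.0.5 to 2.0.6 together with the 1.0.1e to 1.0.1f bump; if the canister itself did not change, a one-line comment explaining the 2.0.6 numbering would help.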
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m	Wed Jan 15 12:21:47 2014 -0800
@@ -27,7 +27,8 @@
 set name=pkg.human-version value=$(COMPONENT_VERSION)
 set name=pkg.summary value="FIPS 140-2 Capable OpenSSL libraries"
 set name=com.oracle.info.description value="the FIPS 140-2 Capable OpenSSL libraries"
-set name=com.oracle.info.tpno value=13019
+# TPNO number for the new component is not yet available (bug #18071490)
+# set name=com.oracle.info.tpno value=
 set name=info.classification \
     value="org.opensolaris.category.2008:System/Security"
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
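Review bot: With the `com.oracle.info.tpno` line commented out, the manifest no longer sets that attribute, and the placeholder `# set name=com.oracle.info.tpno value=` has an empty value that is easy to overlook later. I would make the follow-up explicit in the comment, for example `# TODO(bug 18071490): restore com.oracle.info.tpno once the number for the new component is assigned`. The same two lines are added in components/openssl/openssl-1.0.1/openssl-1.0.1.p5m.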
--- a/components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/26-openssl_fips.patch	Wed Jan 15 12:21:47 2014 -0800
@@ -1,6 +1,6 @@
 --- openssl-0.9.8m/apps/openssl.c	Thu Oct 15 19:28:02 2009
 +++ openssl-0.9.8m/apps/openssl.c	Fri Feb 26 16:12:30 2010
[email protected]@ -133,6 +133,9 @@
[email protected]@ -134,6 +134,9 @@
  #include <openssl/fips.h>
  #endif
  
@@ -10,7 +10,7 @@
  /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
   * base prototypes (we cast each variable inside the function to the required
   * type of "FUNCTION*"). This removes the necessity for macro-generated wrapper
[email protected]@ -152,9 +155,10 @@
[email protected]@ -153,9 +156,10 @@
  #endif
  
  
@@ -22,7 +22,7 @@
  	const char *errstr = NULL;
  	int rw;
  	
[email protected]@ -165,7 +169,7 @@
[email protected]@ -166,7 +170,7 @@
  		goto err;
  		}
  
@@ -31,7 +31,7 @@
  		{
  		errstr = "type out of bounds";
  		goto err;
[email protected]@ -310,6 +314,14 @@
[email protected]@ -311,6 +315,14 @@
  	if (getenv("OPENSSL_DEBUG_LOCKING") != NULL)
  #endif
  		{
@@ -46,7 +46,7 @@
  		CRYPTO_set_locking_callback(lock_dbg_cb);
  		}
  
[email protected]@ -313,18 +325,28 @@
[email protected]@ -314,18 +326,28 @@
  		CRYPTO_set_locking_callback(lock_dbg_cb);
  		}
  
--- a/components/openssl/openssl-1.0.1-fips-140/patches/31_dtls_version.patch	Wed Jan 15 11:48:34 2014 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- openssl-1.0.1e/ssl/s3_cbc.c	2013-02-14 08:06:58.000000000 -0800
-+++ openssl-1.0.1e/ssl/s3_cbc.c.orig 2013-02-14 03:04:08.440194448 -0700
[email protected]@ -148,7 +148,7 @@
- 	unsigned padding_length, good, to_check, i;
- 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
- 	/* Check if version requires explicit IV */
--	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- 		{
- 		/* These lengths are all public so we can test them in
- 		 * non-constant time.
--- a/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch	Wed Jan 15 12:21:47 2014 -0800
@@ -166,7 +166,7 @@
  }
  
  static int check_revocation(X509_STORE_CTX *ctx)
[email protected]@ -1591,6 +1630,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
[email protected]@ -1602,6 +1641,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
  		xs=xi;
  	else
  		{
--- a/components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/34_tls_segfault.patch	Wed Jan 15 12:21:47 2014 -0800
@@ -3,7 +3,7 @@
 $ diff -ru ssl/t1_enc.c ssl/t1_enc.c
 --- t1_enc.c.orig       Tue Dec 10 15:36:05 2013
 +++ t1_enc.c    Wed Dec 11 09:29:02 2013
[email protected]@ -980,7 +980,10 @@
[email protected]@ -986,7 +986,10 @@
  		}
  		else
  		{
--- a/components/openssl/openssl-1.0.1/Makefile	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/Makefile	Wed Jan 15 12:21:47 2014 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../../make-rules/shared-macros.mk
 
@@ -28,15 +28,15 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.1e
+COMPONENT_VERSION =	1.0.1f
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.5
+IPS_COMPONENT_VERSION = 1.0.1.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
+    sha256:6cc2a80b17d64de6b7bac985745fdaba971d54ffd7d38d3556f998d7c0c9cb5a
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/openssl
 
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m	Wed Jan 15 12:21:47 2014 -0800
@@ -29,7 +29,8 @@
     value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
 set name=pkg.summary value="OpenSSL - a Toolkit for Secure Sockets Layer (SSL v2/v3) and Transport Layer (TLS v1) protocols and general purpose cryptographic library"
 set name=com.oracle.info.description value="OpenSSL"
-set name=com.oracle.info.tpno value=13003
+# TPNO number for the new component is not yet available (bug #18071490)
+# set name=com.oracle.info.tpno value=
 set name=info.classification \
     value="org.opensolaris.category.2008:System/Security"
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
--- a/components/openssl/openssl-1.0.1/patches/31_dtls_version.patch	Wed Jan 15 11:48:34 2014 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- openssl-1.0.1e/ssl/s3_cbc.c	2013-02-14 08:06:58.000000000 -0800
-+++ openssl-1.0.1e/ssl/s3_cbc.c.orig 2013-02-14 03:04:08.440194448 -0700
[email protected]@ -148,7 +148,7 @@
- 	unsigned padding_length, good, to_check, i;
- 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
- 	/* Check if version requires explicit IV */
--	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- 		{
- 		/* These lengths are all public so we can test them in
- 		 * non-constant time.
--- a/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch	Wed Jan 15 12:21:47 2014 -0800
@@ -166,7 +166,7 @@
  }
  
  static int check_revocation(X509_STORE_CTX *ctx)
[email protected]@ -1591,6 +1630,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
[email protected]@ -1602,6 +1641,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
  		xs=xi;
  	else
  		{
--- a/components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/patches/34_tls_segfault.patch	Wed Jan 15 12:21:47 2014 -0800
@@ -3,7 +3,7 @@
 $ diff -ru ssl/t1_enc.c ssl/t1_enc.c
 --- t1_enc.c.orig       Tue Dec 10 15:36:05 2013
 +++ t1_enc.c    Wed Dec 11 09:29:02 2013
[email protected]@ -980,7 +980,10 @@
[email protected]@ -986,7 +986,10 @@
  		}
  		else
  		{
--- a/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch	Wed Jan 15 11:48:34 2014 +0100
+++ b/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch	Wed Jan 15 12:21:47 2014 -0800
@@ -519,7 +519,7 @@
 diff -ru openssl-1.0.1e/crypto/sha/Makefile openssl-1.0.1e/crypto/sha/Makefile
 --- openssl-1.0.1e/crypto/sha/Makefile    2011-05-24 17:02:24.000000000 -0700
 +++ openssl-1.0.1e/crypto/sha/Makefile    2011-07-27 10:48:17.817470000 -0700
[email protected]@ -66,9 +66,9 @@
[email protected]@ -68,9 +68,9 @@
  sha1-x86_64.s:	asm/sha1-x86_64.pl;	$(PERL) asm/sha1-x86_64.pl $(PERLASM_SCHEME) > [email protected]
  sha256-x86_64.s:asm/sha512-x86_64.pl;	$(PERL) asm/sha512-x86_64.pl $(PERLASM_SCHEME) [email protected]
  sha512-x86_64.s:asm/sha512-x86_64.pl;	$(PERL) asm/sha512-x86_64.pl $(PERLASM_SCHEME) [email protected]
@@ -1191,7 +1191,7 @@
  #ifdef KSSL_DEBUG
  	{
          int i;
[email protected]@ -132,10 +152,16 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
[email protected]@ -132,10 +154,16 @@
  	printf("\n");
  	}
  #endif    /* KSSL_DEBUG */
@@ -1201,7 +1201,7 @@
 +		return 1;
 +		}
 +
- 	if (inl>=EVP_MAXCHUNK)
+ 	while (inl>=EVP_MAXCHUNK)
  		{
  		DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
 -			     &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -2221,16 +2221,16 @@
  			CRYPTO_gcm128_init(&gctx->gcm,&gctx->ks,
  					(block128_f)vpaes_encrypt);
  			gctx->ctr = NULL;
[email protected]@ -846,7 +1220,7 @@
- 			break;
- 			}
[email protected]@ -849,7 +1223,7 @@
  #endif
+ 		(void)0;	/* terminate potentially open 'else' */
+ 
 -		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
 +		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
  		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
  #ifdef AES_CTR_ASM
  		gctx->ctr = (ctr128_f)AES_ctr32_encrypt;
[email protected]@ -1077,17 +1451,17 @@
[email protected]@ -1080,17 +1454,17 @@
  		    {
  		    if (enc)
  			{
@@ -2245,14 +2245,14 @@
  			xctx->xts.block1 = (block128_f)vpaes_decrypt;
  			}
  
- 		vpaes_set_encrypt_key(key + ctx->key_len/2,
+ 		    vpaes_set_encrypt_key(key + ctx->key_len/2,
 -						ctx->key_len * 4, &xctx->ks2);
 +						ctx->key_len * 4, &xctx->ks2.ks);
- 		xctx->xts.block2 = (block128_f)vpaes_encrypt;
+ 		    xctx->xts.block2 = (block128_f)vpaes_encrypt;
  
- 		xctx->xts.key1 = &xctx->ks1;
[email protected]@ -1096,17 +1470,17 @@
- #endif
+ 		    xctx->xts.key1 = &xctx->ks1;
[email protected]@ -1102,17 +1476,17 @@
+ 
  		if (enc)
  			{
 -			AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
@@ -2272,7 +2272,7 @@
  		xctx->xts.block2 = (block128_f)AES_encrypt;
  
  		xctx->xts.key1 = &xctx->ks1;
[email protected]@ -1217,7 +1591,7 @@
[email protected]@ -1223,7 +1597,7 @@
  #ifdef VPAES_CAPABLE
  		if (VPAES_CAPABLE)
  			{
@@ -2281,7 +2281,7 @@
  			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  					&cctx->ks, (block128_f)vpaes_encrypt);
  			cctx->str = NULL;
[email protected]@ -1225,7 +1599,7 @@
[email protected]@ -1231,7 +1605,7 @@
  			break;
  			}
  #endif
@@ -2290,7 +2290,7 @@
  		CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
  					&cctx->ks, (block128_f)AES_encrypt);
  		cctx->str = NULL;
[email protected]@ -1313,5 +1687,4 @@
[email protected]@ -1319,5 +1693,4 @@
  BLOCK_CIPHER_custom(NID_aes,192,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)
  BLOCK_CIPHER_custom(NID_aes,256,1,12,ccm,CCM,EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)