19314980 Update the OpenSSL FIPS-140 module version to 2.0.6 s11-update
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Fri, 15 Aug 2014 10:45:58 -0700
branchs11-update
changeset 3267 442b27130f7a
parent 3266 e00ca9ce4b5f
child 3269 56b0e19454ba
19314980 Update the OpenSSL FIPS-140 module version to 2.0.6
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-fips/Makefile
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Fri Aug 15 08:10:02 2014 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Fri Aug 15 10:45:58 2014 -0700
@@ -40,7 +40,7 @@
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/openssl
 
-# OpenSSL FIPS 2.0.5 directory
+# OpenSSL FIPS directory
 OPENSSL_FIPS_DIR = $(COMPONENT_DIR)/../openssl-fips
 
 # Note that the SPARC patch above does not fit this pattern. That is intentional
@@ -150,14 +150,14 @@
 # update the files which have been under continuous development. We rather copy
 # the files to the right directories and let OpenSSL makefiles build it.
 # We also copy some FIPS specific header files needed to build FIPS version
-# of OpenSSL from FIPS module (openssl-fips-ecp-2.0.5).
+# of OpenSSL from FIPS module.
 COMPONENT_PRE_BUILD_ACTION = \
     ( $(LN) -fs $(COMPONENT_DIR)/engines/pkcs11/*     $(@D)/engines; \
       $(MKDIR) $(@D)/bin; \
-      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/fips.h $(@D)/include/openssl; \
-      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/fipssyms.h $(@D)/include/openssl; \
-      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/rand/fips_rand.h $(@D)/include/openssl; \
-      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/fipsld $(@D)/bin/; \
+      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fips.h $(@D)/include/openssl; \
+      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fipssyms.h $(@D)/include/openssl; \
+      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/rand/fips_rand.h $(@D)/include/openssl; \
+      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fipsld $(@D)/bin/; \
       $(LN) -fs $(OPENSSL_FIPS_DIR)/build/$(MACH$(BITS))/fips/fips_standalone_sha1 $(@D)/bin/; \
       $(LN) -fs $(COMPONENT_DIR)/build/$(MACH$(BITS))/fips_premain_dso $(@D)/bin/;)
 
--- a/components/openssl/openssl-fips/Makefile	Fri Aug 15 08:10:02 2014 -0700
+++ b/components/openssl/openssl-fips/Makefile	Fri Aug 15 10:45:58 2014 -0700
@@ -29,11 +29,11 @@
 include ../../../make-rules/shared-macros.mk
 
 COMPONENT_NAME =	openssl-fips
-COMPONENT_VERSION =	2.0.5
+COMPONENT_VERSION =	2.0.6
 COMPONENT_SRC =		$(COMPONENT_NAME)-ecp-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:f1abdd0ca1a9467a3eba15564fc2b3447114d1d63020c33cd3210f2a43a5ff4d
+    sha256:861b431c625c27daf440041fd67c0866ebb84b44cc672cf1ea8f23e883518897
 COMPONENT_ARCHIVE_URL =	http://www.openssl.org/source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/openssl
 
@@ -64,8 +64,12 @@
 FIPS_PATH_32 = $(COMPONENT_DIR)/32:$(COMPONENT_DIR)/gcc:$(PATH)
 FIPS_PATH_64 = $(COMPONENT_DIR)/gcc:$(PATH)
 
+# HMAC-SHA-1 digest of the OpenSSL FIPS tar file is used for the
+# integrity test requirement for the FIPS-140 validation.
+# Note: COMPONENT_ARCHIVE_HASH is a SHA256 digest used by the Userland
+# Consolidation to check the file integrity.
 OPENSSL_FIPS_HMAC_KEY = etaonrishdlcupfm
-OPENSSL_FIPS_HMAC = 148e4e127ffef1df80c0ed61bae35b07ec7b7b36
+OPENSSL_FIPS_HMAC = 852f43cd9ae1bd2eba60e4f9f1f266d3c16c0319
 
 # There is a broken link in the tarball which causes cp(1) to fail which would
 # fail the whole configure process. It's safer to get rid of the link than