18161027 OpenSSL 1.0.1f: ON nightly fails with missing symbol in wanboot-openssl.o
--- a/components/openssl/README Thu Jan 30 13:44:37 2014 -0800
+++ b/components/openssl/README Thu Jan 30 14:31:44 2014 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
#
@@ -37,7 +37,7 @@
OpenSSL Version
---
-For non-FIPS build, we currently deliver OpenSSL 1.0.1e with some updates
+For non-FIPS build, we currently deliver OpenSSL 1.0.1 with some updates
from OpenSSL 1.0.2 to make T4 instructions embedded in the OpenSSL
upstream code. As of April 2013, 1.0.2 is not yet released, and therefore,
we have decided to patch the code.
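Review bot: The new line "we currently deliver OpenSSL 1.0.1 with some updates" drops the patch letter, while the commit title refers to 1.0.1f. State the exact release here, or point to where the delivered version is defined, so a reader can tell which upstream security fixes are included. The unchanged sentence "As of April 2013, 1.0.2 is not yet released" is also dated and could be refreshed in the same change.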
@@ -52,10 +52,6 @@
components/openssl/openssl-1.0.1/inline-t4/sparcv9-gf2m.pl
components/openssl/openssl-1.0.1/inline-t4/vis3-mont.pl
components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch
-TPNO for OpenSSL 1.0.1e is 13003.
-
-For FIPS build, we currently deliver OpenSSL 0.9.8y with OpenSSL FIPS module 2.1.
-TPNO for OpenSSL 0.9.8y is 13019.
The non-fips Build.
@@ -118,9 +114,7 @@
- results in not using FPU for big numbers multiplication
- should be ok - original detection seems broken, FPU gets never used
- implementation of atoi()
-
-31_dtls_version.patch
-Fix DTLS_BAD_VER bug reported after OpenSSL 1.0.1e is released.
+- avoid using ssl_fill_hello_random() in s3_clnt.c
openssl-t4-inline.sparc-patch
SPARC-only patch.
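Review bot: The added bullet "- avoid using ssl_fill_hello_random() in s3_clnt.c" does not say what replaces the call or when. The 30_wanboot.patch change swaps in RAND_pseudo_bytes() only under _BOOT, so the README entry should say so and give the reason (the missing symbol in the wanboot link). The 31_dtls_version.patch entry is removed without a note on whether the DTLS_BAD_VER fix is now carried by the new upstream release; one line confirming that would help anyone auditing the patch set.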
@@ -135,9 +129,10 @@
The fips Build
---
-FIPS-140 certified libraries for Solaris private use. Since OpenSSL 1.0.1 is
-now FIPS-140 certified, we can ship only 1.0.1 with S12 and S11.2 and make
-it a public interface. (To be done next)
+We are now shipping FIPS-140 certified OpenSSL 1.0.1 with S12 and S11.2.
+The admin may choose to activate 'openssl-fips' implementation using 'pkg mediator'.
+The change will come soon.
+
Patches
---
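Review bot: "The change will come soon." in the new fips paragraph is undated and will go stale, and it leaves unclear whether the 'pkg mediator' switch to 'openssl-fips' already works in this delivery. Either describe only what ships with this change, or reference the bug that tracks the remaining work so the README can be corrected when it lands.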
@@ -145,6 +140,7 @@
All the patches from 1.0.1 (non-fips) are used in 1.0.1(fips) as well aside from
14-manpage_openssl.patch which is not needed since we do not deliver 1.0.1(fips) man
pages. Once we make fips version public, we should deliver man page.
+(coming soon)
The wanboot Build
----
@@ -176,7 +172,7 @@
first build static standalone openssl bits in Userland. As a site effect,
static libraries libssl.a and libcrypto.a are created in build/sparcv9-wanboot.
- $ cd $USERLAND/components/openssl/openssl-1.0.0 ; gmake build
+ $ cd $USERLAND/components/openssl/openssl-1.0.1 ; gmake build
Next, collect some information from linking wanboot static libraries in ON.
This can be done by the following hack.
@@ -184,16 +180,16 @@
$ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4
$ touch wanboot.o
$ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \
- -L$USERLAND/components/openssl/openssl-1.0.0/build/sparcv9-wanboot " \
+ -L$USERLAND/components/openssl/openssl-1.0.1/build/sparcv9-wanboot " \
WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all
The following sort of information ends up in ld.dbg (note that the debugging
output from the link-editor is not considered a 'stable interface' and may
change in the future):
- debug: file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.0/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ]
+ debug: file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.1/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ]
debug:
- debug: symbol table processing; file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.0/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ]
+ debug: symbol table processing; file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.1/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ]
debug: symbol[1]=sparcv9cap.c
....
@@ -205,7 +201,7 @@
USERLAND=/builds/tkuthan/ul-wanboot-rebuilt
ON=/builds/tkuthan/on11u1-wanboot-rti
- BUILD=$USERLAND/components/openssl/openssl-1.0.0/build/sparcv9-wanboot
+ BUILD=$USERLAND/components/openssl/openssl-1.0.1/build/sparcv9-wanboot
LD_DBG=$ON/usr/src/psm/stand/boot/sparcv9/sun4/ld.dbg
for i in `find $BUILD/crypto $BUILD/ssl -name '*.o'`
--- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Thu Jan 30 13:44:37 2014 -0800
+++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Thu Jan 30 14:31:44 2014 -0800
@@ -351,3 +351,19 @@
SRC= $(LIBSRC)
+--- openssl-1.0.1f/ssl/s3_clnt.c Thu Jan 30 02:53:33 2014
++++ openssl-1.0.1f/ssl/s3_clnt.c.new Thu Jan 30 02:57:51 2014
+@@ -681,8 +681,13 @@
+
+ p=s->s3->client_random;
+
++#ifndef _BOOT
+ if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
+ goto err;
++#else
++ if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
++ goto err;
++#endif
+
+ /* Do the message type and length last */
+ d=p= &(buf[4]);
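Review bot: In the #else (_BOOT) branch the entire client_random is filled by RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE), whose output OpenSSL documents as not necessarily unpredictable. The "<= 0" test does treat the 0 return (output not cryptographically strong) as an error, so that check should stay as written. Please add a comment in the patched source explaining why ssl_fill_hello_random() cannot be used under _BOOT, and consider RAND_bytes() if it is available in the standalone build. It is also worth confirming that no other caller of ssl_fill_hello_random() is compiled into the wanboot objects, since this hunk only guards the one in s3_clnt.c.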