22307393 Upgrade OpenSSL version to 1.0.2e
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Tue, 08 Dec 2015 14:36:41 -0800
changeset 5171 4e8b3c0ea78c
parent 5170 970e0f411b42
child 5172 2ac937ed383b
22307393 Upgrade OpenSSL version to 1.0.2e 22307570 problem in LIBRARY/OPENSSL 22307591 problem in LIBRARY/OPENSSL 22307596 problem in LIBRARY/OPENSSL 22307601 problem in LIBRARY/OPENSSL 22317607 problem in LIBRARY/OPENSSL
components/openssl/common/patches/038-remove_illegal_instruction_calls.patch
components/openssl/common/patches/039-internal_tests.patch
components/openssl/common/patches/042-default_fips_keygen.patch
components/openssl/openssl-default/Makefile
components/openssl/openssl-default/patches/102-wanboot.patch
components/openssl/openssl-fips-140/Makefile
--- a/components/openssl/common/patches/038-remove_illegal_instruction_calls.patch	Mon Nov 09 17:42:03 2015 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,204 +0,0 @@
-#
-# This patch was developed in house.
-# This is Solaris-specific: not suitable for upstream.
-#
---- openssl-1.0.1g/crypto/sparcv9cap.c.~1~	Thu May  1 13:07:00 2014
-+++ openssl-1.0.1g/crypto/sparcv9cap.c	Thu May  1 13:11:33 2014
-@@ -2,10 +2,10 @@
- #include <stdlib.h>
- #include <string.h>
- #include <setjmp.h>
--#include <signal.h>
- #include <sys/time.h>
- #include <unistd.h>
- #include <openssl/bn.h>
-+#include <sys/auxv.h>
- 
- #include "sparc_arch.h"
- 
-@@ -69,13 +69,8 @@
- }
-
- unsigned long _sparcv9_rdtick(void);
--void _sparcv9_vis1_probe(void);
- unsigned long _sparcv9_vis1_instrument(void);
--void _sparcv9_vis2_probe(void);
--void _sparcv9_fmadd_probe(void);
- unsigned long _sparcv9_rdcfr(void);
--void _sparcv9_vis3_probe(void);
--unsigned long _sparcv9_random(void);
- size_t _sparcv9_vis1_instrument_bus(unsigned int *, size_t);
- size_t _sparcv9_vis1_instrument_bus2(unsigned int *, size_t, size_t);
- 
-@@ -231,18 +227,11 @@
-
- #else
-
--static sigjmp_buf common_jmp;
--static void common_handler(int sig)
--{
--    siglongjmp(common_jmp, sig);
--}
--
- void OPENSSL_cpuid_setup(void)
- {
-     char *e;
--    struct sigaction common_act, ill_oact, bus_oact;
--    sigset_t all_masked, oset;
-     static int trigger = 0;
-+    uint_t ui = 0;
-
-     if (trigger)
-         return;
-@@ -255,47 +255,23 @@
-         return;
-     }
- 
-+    (void) getisax(&ui, 1);
-+
-     /* Initial value, fits UltraSPARC-I&II... */
--    OPENSSL_sparcv9cap_P[0] = SPARCV9_PREFER_FPU | SPARCV9_TICK_PRIVILEGED;
-+    OPENSSL_sparcv9cap_P[0] = SPARCV9_BLK;
- 
--    sigfillset(&all_masked);
--    sigdelset(&all_masked, SIGILL);
--    sigdelset(&all_masked, SIGTRAP);
--# ifdef SIGEMT
--    sigdelset(&all_masked, SIGEMT);
--# endif
--    sigdelset(&all_masked, SIGFPE);
--    sigdelset(&all_masked, SIGBUS);
--    sigdelset(&all_masked, SIGSEGV);
--    sigprocmask(SIG_SETMASK, &all_masked, &oset);
--
--    memset(&common_act, 0, sizeof(common_act));
--    common_act.sa_handler = common_handler;
--    common_act.sa_mask = all_masked;
--
--    sigaction(SIGILL, &common_act, &ill_oact);
--    sigaction(SIGBUS, &common_act, &bus_oact); /* T1 fails 16-bit ldda [on
--                                                * Linux] */
--
--    if (sigsetjmp(common_jmp, 1) == 0) {
--        _sparcv9_rdtick();
--        OPENSSL_sparcv9cap_P[0] &= ~SPARCV9_TICK_PRIVILEGED;
--    }
--
--    if (sigsetjmp(common_jmp, 1) == 0) {
--        _sparcv9_vis1_probe();
--        OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS1 | SPARCV9_BLK;
--        /* detect UltraSPARC-Tx, see sparccpud.S for details... */
--        if (_sparcv9_vis1_instrument() >= 12)
--            OPENSSL_sparcv9cap_P[0] &= ~(SPARCV9_VIS1 | SPARCV9_PREFER_FPU);
--        else {
--            _sparcv9_vis2_probe();
--            OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS2;
-+    if (ui & AV_SPARC_VIS) {
-+        /* detect UltraSPARC-Tx, see sparccpuid.S for details... */
-+        if (_sparcv9_vis1_instrument() < 7)
-+            OPENSSL_sparcv9cap_P[0] |= SPARCV9_TICK_PRIVILEGED;
-+        if (_sparcv9_vis1_instrument() < 12) {
-+            OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS1|SPARCV9_PREFER_FPU;
-+            if (ui & AV_SPARC_VIS2)
-+                OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS2;
-         }
-     }
- 
--    if (sigsetjmp(common_jmp, 1) == 0) {
--        _sparcv9_fmadd_probe();
-+    if (ui & AV_SPARC_FMAF) {
-         OPENSSL_sparcv9cap_P[0] |= SPARCV9_FMADD;
-     }
- 
-@@ -303,36 +279,23 @@
-      * VIS3 flag is tested independently from VIS1, unlike VIS2 that is,
-      * because VIS3 defines even integer instructions.
-      */
--    if (sigsetjmp(common_jmp, 1) == 0) {
--        _sparcv9_vis3_probe();
--        OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS3;
-+    if (ui & AV_SPARC_VIS3) {
-+            OPENSSL_sparcv9cap_P[0] |= SPARCV9_VIS3;
-     }
--# if 0                          /* was planned at some point but never
--                                 * implemented in hardware */
--    if (sigsetjmp(common_jmp, 1) == 0) {
--        (void)_sparcv9_random();
--        OPENSSL_sparcv9cap_P[0] |= SPARCV9_RANDOM;
--    }
--# endif
- 
--    /*
--     * In wait for better solution _sparcv9_rdcfr is masked by
--     * VIS3 flag, because it goes to uninterruptable endless
--     * loop on UltraSPARC II running Solaris. Things might be
--     * different on Linux...
--     */
--    if ((OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) &&
--        sigsetjmp(common_jmp, 1) == 0) {
-+#define AV_T4_MECHS     (AV_SPARC_AES | AV_SPARC_DES | AV_SPARC_KASUMI | \
-+                         AV_SPARC_CAMELLIA | AV_SPARC_MD5 | AV_SPARC_SHA1 | \
-+                         AV_SPARC_SHA256 | AV_SPARC_SHA512 | AV_SPARC_MPMUL | \
-+                         AV_SPARC_CRC32C)
-+
-+    if ((OPENSSL_sparcv9cap_P[0]&SPARCV9_VIS3) && (ui & AV_T4_MECHS)) {
-         OPENSSL_sparcv9cap_P[1] = (unsigned int)_sparcv9_rdcfr();
-     }
- 
--    sigaction(SIGBUS, &bus_oact, NULL);
--    sigaction(SIGILL, &ill_oact, NULL);
-+    if (sizeof(size_t) == 8) {
-+        OPENSSL_sparcv9cap_P[0] |= SPARCV9_64BIT_STACK;
-+    }
- 
--    sigprocmask(SIG_SETMASK, &oset, NULL);
--
--    if (sizeof(size_t) == 8)
--        OPENSSL_sparcv9cap_P[0] |= SPARCV9_64BIT_STACK;
- # ifdef __linux
-     else {
-         int ret = syscall(340);
---- openssl-1.0.1g/crypto/sparccpuid.S.~1~      Thu May  1 13:07:00 2014
-+++ openssl-1.0.1g/crypto/sparccpuid.S  Thu May  1 13:11:33 2014
-@@ -232,16 +232,6 @@
- .type	_sparcv9_rdtick,#function
- .size	_sparcv9_rdtick,.-_sparcv9_rdtick
- 
--.global	_sparcv9_vis1_probe
--.align	8
--_sparcv9_vis1_probe:
--	add	%sp,BIAS+2,%o1
--	.word	0xc19a5a40	!ldda	[%o1]ASI_FP16_P,%f0
--	retl
--	.word	0x81b00d80	!fxor	%f0,%f0,%f0
--.type	_sparcv9_vis1_probe,#function
--.size	_sparcv9_vis1_probe,.-_sparcv9_vis1_probe
--
- ! Probe and instrument VIS1 instruction. Output is number of cycles it
- ! takes to execute rdtick and pair of VIS1 instructions. US-Tx VIS unit
- ! is slow (documented to be 6 cycles on T2) and the core is in-order
-@@ -303,24 +293,6 @@
- .type	_sparcv9_vis1_instrument,#function
- .size	_sparcv9_vis1_instrument,.-_sparcv9_vis1_instrument
- 
--.global	_sparcv9_vis2_probe
--.align	8
--_sparcv9_vis2_probe:
--	retl
--	.word	0x81b00980	!bshuffle	%f0,%f0,%f0
--.type	_sparcv9_vis2_probe,#function
--.size	_sparcv9_vis2_probe,.-_sparcv9_vis2_probe
--
--.global	_sparcv9_fmadd_probe
--.align	8
--_sparcv9_fmadd_probe:
--	.word	0x81b00d80	!fxor	%f0,%f0,%f0
--	.word	0x85b08d82	!fxor	%f2,%f2,%f2
--	retl
--	.word	0x81b80440	!fmaddd	%f0,%f0,%f2,%f0
--.type	_sparcv9_fmadd_probe,#function
--.size	_sparcv9_fmadd_probe,.-_sparcv9_fmadd_probe
--
- .global	_sparcv9_rdcfr
- .align	8
- _sparcv9_rdcfr:
--- a/components/openssl/common/patches/039-internal_tests.patch	Mon Nov 09 17:42:03 2015 -0800
+++ b/components/openssl/common/patches/039-internal_tests.patch	Tue Dec 08 14:36:41 2015 -0800
@@ -13,5 +13,5 @@
 -	test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
 +	test_ss test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
  	test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \
- 	test_constant_time test_verify_extra
+ 	test_constant_time test_verify_extra test_clienthello
  
--- a/components/openssl/common/patches/042-default_fips_keygen.patch	Mon Nov 09 17:42:03 2015 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,27 +0,0 @@
-#
-# This patch came from the upstream to use x9.31 keygen by default in
-# the FIPS mode. This will be available in the next release.
-#
---- openssl-1.0.1p/crypto/rsa/rsa_gen.c.orig    Tue Aug 11 10:47:51 2015
-+++ openssl-1.0.1p/crypto/rsa/rsa_gen.c Tue Aug 11 10:56:07 2015
-@@ -69,6 +69,8 @@
- #include <openssl/rsa.h>
- #ifdef OPENSSL_FIPS
- # include <openssl/fips.h>
-+extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
-+                                         BN_GENCB *cb);
- #endif
- 
- static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
-@@ -93,8 +95,9 @@
-     if (rsa->meth->rsa_keygen)
-         return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
- #ifdef OPENSSL_FIPS
--    if (FIPS_mode())
--        return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
-+    if (FIPS_mode()) {
-+        return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
-+    }
- #endif
-     return rsa_builtin_keygen(rsa, bits, e_value, cb);
- }
--- a/components/openssl/openssl-default/Makefile	Mon Nov 09 17:42:03 2015 -0800
+++ b/components/openssl/openssl-default/Makefile	Tue Dec 08 14:36:41 2015 -0800
@@ -28,19 +28,19 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.2d
+COMPONENT_VERSION =	1.0.2e
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.2.4
+IPS_COMPONENT_VERSION = 1.0.2.5
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8
+    sha256:e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			24194
+TPNO=			25900
 
 # Clone the patch files to the patches-all dir.
 # COPY_COMMON_FILES is there so that rsync is called as soon as
--- a/components/openssl/openssl-default/patches/102-wanboot.patch	Mon Nov 09 17:42:03 2015 -0800
+++ b/components/openssl/openssl-default/patches/102-wanboot.patch	Tue Dec 08 14:36:41 2015 -0800
@@ -119,7 +119,7 @@
  
  void CRYPTO_set_locking_callback(void (*func) (int mode, int type,
 @@ -1104,6 +1120,12 @@
-         MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP);
+         MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR);
  }
  #else
 +/*
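Review bot: The embedded hunk headers in this patch are unchanged (`@@ -1104,6 +1120,12 @@` here and `@@ -2486,11 +2492,13 @@` in the next hunk) while their context lines were edited to match 1.0.2e, which suggests the patch was touched up by hand rather than regenerated. If the upstream files shifted between 1.0.2d and 1.0.2e, these hunks would apply only by offset. For the `#ifndef _BOOT` guard added before `custom_ext_init` in the next hunk, a misplaced hunk would change which ClientHello extension code is compiled into the wanboot build. Regenerating the patch against the 1.0.2e tree and confirming it applies with no offset or fuzz would settle this, alongside the wanboot test the Makefile comment asks for. The guard's closing `#endif` and the rest of `ssl_parse_clienthello_tlsext` lie outside both hunks.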
@@ -658,15 +658,15 @@
  }
 +#endif /*!_BOOT*/
  
- int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
-                                  int n)
+ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+                                  unsigned char *limit)
 @@ -2486,11 +2492,13 @@
          return 0;
      }
  
 +#ifndef	_BOOT
      custom_ext_init(&s->cert->srv_ext);
-     if (ssl_scan_clienthello_custom_tlsext(s, ptmp, d + n, &al) <= 0) {
+     if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) {
          ssl3_send_alert(s, SSL3_AL_FATAL, al);
          return 0;
      }
--- a/components/openssl/openssl-fips-140/Makefile	Mon Nov 09 17:42:03 2015 -0800
+++ b/components/openssl/openssl-fips-140/Makefile	Tue Dec 08 14:36:41 2015 -0800
@@ -31,18 +31,18 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.2d
+COMPONENT_VERSION =	1.0.2e
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8
+    sha256:e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			24194
+TPNO=			25900
 
 # Clone the patch files to the patches-all dir.
 # COPY_COMMON_FILES is there so that rsync is called as soon as