20325338 Upgrade OpenSSL version to 1.0.1k s11u2-sru6-backport
authorRon Jordan <ron.jordan@oracle.com>
Tue, 13 Jan 2015 07:39:33 -0800
branchs11u2-sru6-backport
changeset 3709 4f62f67d71dd
parent 3708 81bf94d26dc3
child 3710 a503f4ae6aa3
20325338 Upgrade OpenSSL version to 1.0.1k 20325565 problem in LIBRARY/OPENSSL 20325572 problem in LIBRARY/OPENSSL 20325582 problem in LIBRARY/OPENSSL 20325589 problem in LIBRARY/OPENSSL 20325594 problem in LIBRARY/OPENSSL 20325597 problem in LIBRARY/OPENSSL 20325600 problem in LIBRARY/OPENSSL 20325603 problem in LIBRARY/OPENSSL
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m
components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch
components/openssl/openssl-1.0.1/Makefile
components/openssl/openssl-1.0.1/openssl-1.0.1.p5m
components/openssl/openssl-1.0.1/patches/36_evp_leak.patch
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 export PARFAIT_BUILD=no
 
@@ -29,14 +29,14 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.1j
+COMPONENT_VERSION =	1.0.1k
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
+    sha256:8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m	Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m	Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -34,7 +34,7 @@
 set name=pkg.human-version value=$(COMPONENT_VERSION)
 set name=com.oracle.info.description \
     value="the FIPS 140-2 Capable OpenSSL libraries"
-set name=com.oracle.info.tpno value=19492 
+set name=com.oracle.info.tpno value=21111 
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
--- a/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch	Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch	Tue Jan 13 07:39:33 2015 -0800
@@ -57,32 +57,32 @@
  	return ret;
  	}
  
[email protected]@ -502,6 +515,7 @@
[email protected]@ -501,6 +501,7 @@
  int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
  	{
- 	unsigned int i, b;
+ 	int i,n;
 +	int err = 1;
-         unsigned char pad, padding_good;
+ 	unsigned int b;
  	*outl=0;
  
[email protected]@ -509,10 +522,14 @@
[email protected]@ -508,10 +509,14 @@
  		{
- 		int ret = M_do_cipher(ctx, out, NULL, 0);
- 		if (ret < 0)
+ 		i = M_do_cipher(ctx, out, NULL, 0);
+ 		if (i < 0)
 -			return 0;
 +			{
 +			err = 0;
 +			goto cleanup;
 +			}
  		else
- 			*outl = ret;
+ 			*outl = i;
 -		return 1;
 +		err = 1;
 +		goto cleanup;
  		}
  
- 	b=(unsigned int)(ctx->cipher->block_size);
[email protected]@ -521,10 +538,12 @@
+ 	b=ctx->cipher->block_size;
[email protected]@ -520,10 +525,12 @@
  		if(ctx->buf_len)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
@@ -97,7 +97,7 @@
  		}
  	if (b > 1)
  		{
[email protected]@ -531,7 +550,8 @@
[email protected]@ -530,7 +537,8 @@
  		if (ctx->buf_len || !ctx->final_used)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
@@ -106,28 +106,38 @@
 +			goto cleanup;
  			}
  		OPENSSL_assert(b <= sizeof ctx->final);
- 		pad=ctx->final[b-1];
[email protected]@ -555,13 +577,22 @@
- 			out[i] = ctx->final[i] & padding_good;
- 		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
- 		*outl = padding_good & ((unsigned char)(b - pad));
--		return padding_good & 1;
-+		err = padding_good & 1;
-+		goto cleanup;
+ 
[email protected]@ -542,7 +550,8 @@
+ 		if (n == 0 || n > (int)b)
+ 			{
+ 			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+-			return(0);
++			err = 0;
++			goto cleanup;
+ 			}
+ 		for (i=0; i<n; i++)
+ 			{
[email protected]@ -549,7 +558,8 @@
+ 			if (ctx->final[--b] != n)
+ 				{
+ 				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+-				return(0);
++				err = 0;
++				goto cleanup;
+ 				}
+ 			}
+ 		n=ctx->cipher->block_size-n;
[email protected]@ -559,7 +569,13 @@
  		}
  	else
- 		{
- 		*outl = 0;
--		return 1;
-+		err = 1;
- 		}
-+
+ 		*outl=0;
+-	return(1);
++	err = 1;
 +cleanup:
 +	if (ctx->cipher->cleanup)
 +		{
 +		ctx->cipher->cleanup(ctx);
 +		}
-+
 +	return err;
  	}
  
--- a/components/openssl/openssl-1.0.1/Makefile	Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1/Makefile	Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../../make-rules/shared-macros.mk
 
@@ -28,15 +28,15 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.1j
+COMPONENT_VERSION =	1.0.1k
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.10
+IPS_COMPONENT_VERSION = 1.0.1.11
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
+    sha256:8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c
 
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m	Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m	Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 <transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -30,7 +30,7 @@
     value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
 set name=pkg.human-version value=$(COMPONENT_VERSION)
 set name=com.oracle.info.description value=OpenSSL
-set name=com.oracle.info.tpno value=19492 
+set name=com.oracle.info.tpno value=21111 
 set name=info.classification value=org.opensolaris.category.2008:System/Security
 set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
 set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
--- a/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch	Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch	Tue Jan 13 07:39:33 2015 -0800
@@ -57,32 +57,32 @@
  	return ret;
  	}
  
[email protected]@ -502,6 +515,7 @@
[email protected]@ -501,6 +501,7 @@
  int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
  	{
- 	unsigned int i, b;
+ 	int i,n;
 +	int err = 1;
-         unsigned char pad, padding_good;
+ 	unsigned int b;
  	*outl=0;
  
[email protected]@ -509,10 +522,14 @@
[email protected]@ -508,10 +509,14 @@
  		{
- 		int ret = M_do_cipher(ctx, out, NULL, 0);
- 		if (ret < 0)
+ 		i = M_do_cipher(ctx, out, NULL, 0);
+ 		if (i < 0)
 -			return 0;
 +			{
 +			err = 0;
 +			goto cleanup;
 +			}
  		else
- 			*outl = ret;
+ 			*outl = i;
 -		return 1;
 +		err = 1;
 +		goto cleanup;
  		}
  
- 	b=(unsigned int)(ctx->cipher->block_size);
[email protected]@ -521,10 +538,12 @@
+ 	b=ctx->cipher->block_size;
[email protected]@ -520,10 +525,12 @@
  		if(ctx->buf_len)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
@@ -97,7 +97,7 @@
  		}
  	if (b > 1)
  		{
[email protected]@ -531,7 +550,8 @@
[email protected]@ -530,7 +537,8 @@
  		if (ctx->buf_len || !ctx->final_used)
  			{
  			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
@@ -106,28 +106,38 @@
 +			goto cleanup;
  			}
  		OPENSSL_assert(b <= sizeof ctx->final);
- 		pad=ctx->final[b-1];
[email protected]@ -555,13 +577,22 @@
- 			out[i] = ctx->final[i] & padding_good;
- 		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
- 		*outl = padding_good & ((unsigned char)(b - pad));
--		return padding_good & 1;
-+		err = padding_good & 1;
-+		goto cleanup;
+ 
[email protected]@ -542,7 +550,8 @@
+ 		if (n == 0 || n > (int)b)
+ 			{
+ 			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+-			return(0);
++			err = 0;
++			goto cleanup;
+ 			}
+ 		for (i=0; i<n; i++)
+ 			{
[email protected]@ -549,7 +558,8 @@
+ 			if (ctx->final[--b] != n)
+ 				{
+ 				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+-				return(0);
++				err = 0;
++				goto cleanup;
+ 				}
+ 			}
+ 		n=ctx->cipher->block_size-n;
[email protected]@ -559,7 +569,13 @@
  		}
  	else
- 		{
- 		*outl = 0;
--		return 1;
-+		err = 1;
- 		}
-+
+ 		*outl=0;
+-	return(1);
++	err = 1;
 +cleanup:
 +	if (ctx->cipher->cleanup)
 +		{
 +		ctx->cipher->cleanup(ctx);
 +		}
-+
 +	return err;
  	}