20325338 Upgrade OpenSSL version to 1.0.1k
20325565 problem in LIBRARY/OPENSSL
20325572 problem in LIBRARY/OPENSSL
20325582 problem in LIBRARY/OPENSSL
20325589 problem in LIBRARY/OPENSSL
20325594 problem in LIBRARY/OPENSSL
20325597 problem in LIBRARY/OPENSSL
20325600 problem in LIBRARY/OPENSSL
20325603 problem in LIBRARY/OPENSSL
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
#
export PARFAIT_BUILD=no
@@ -29,14 +29,14 @@
COMPONENT_NAME = openssl-fips-140
# Note that this is the OpenSSL version that is used to build FIPS-140 certified
# libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION = 1.0.1j
+COMPONENT_VERSION = 1.0.1k
IPS_COMPONENT_VERSION = 2.0.6
COMPONENT_PROJECT_URL= http://www.openssl.org/
COMPONENT_SRC_NAME = openssl
COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
+ sha256:8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= library/openssl
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -34,7 +34,7 @@
set name=pkg.human-version value=$(COMPONENT_VERSION)
set name=com.oracle.info.description \
value="the FIPS 140-2 Capable OpenSSL libraries"
-set name=com.oracle.info.tpno value=19492
+set name=com.oracle.info.tpno value=21111
set name=info.classification value=org.opensolaris.category.2008:System/Security
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
--- a/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/36_evp_leak.patch Tue Jan 13 07:39:33 2015 -0800
@@ -57,32 +57,32 @@
return ret;
}
-@@ -502,6 +515,7 @@
+@@ -501,6 +501,7 @@
int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
- unsigned int i, b;
+ int i,n;
+ int err = 1;
- unsigned char pad, padding_good;
+ unsigned int b;
*outl=0;
-@@ -509,10 +522,14 @@
+@@ -508,10 +509,14 @@
{
- int ret = M_do_cipher(ctx, out, NULL, 0);
- if (ret < 0)
+ i = M_do_cipher(ctx, out, NULL, 0);
+ if (i < 0)
- return 0;
+ {
+ err = 0;
+ goto cleanup;
+ }
else
- *outl = ret;
+ *outl = i;
- return 1;
+ err = 1;
+ goto cleanup;
}
- b=(unsigned int)(ctx->cipher->block_size);
-@@ -521,10 +538,12 @@
+ b=ctx->cipher->block_size;
+@@ -520,10 +525,12 @@
if(ctx->buf_len)
{
EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
@@ -97,7 +97,7 @@
}
if (b > 1)
{
-@@ -531,7 +550,8 @@
+@@ -530,7 +537,8 @@
if (ctx->buf_len || !ctx->final_used)
{
EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
@@ -106,28 +106,38 @@
+ goto cleanup;
}
OPENSSL_assert(b <= sizeof ctx->final);
- pad=ctx->final[b-1];
-@@ -555,13 +577,22 @@
- out[i] = ctx->final[i] & padding_good;
- /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
- *outl = padding_good & ((unsigned char)(b - pad));
-- return padding_good & 1;
-+ err = padding_good & 1;
-+ goto cleanup;
+
+@@ -542,7 +550,8 @@
+ if (n == 0 || n > (int)b)
+ {
+ EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+- return(0);
++ err = 0;
++ goto cleanup;
+ }
+ for (i=0; i<n; i++)
+ {
+@@ -549,7 +558,8 @@
+ if (ctx->final[--b] != n)
+ {
+ EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+- return(0);
++ err = 0;
++ goto cleanup;
+ }
+ }
+ n=ctx->cipher->block_size-n;
+@@ -559,7 +569,13 @@
}
else
- {
- *outl = 0;
-- return 1;
-+ err = 1;
- }
-+
+ *outl=0;
+- return(1);
++ err = 1;
+cleanup:
+ if (ctx->cipher->cleanup)
+ {
+ ctx->cipher->cleanup(ctx);
+ }
-+
+ return err;
}
--- a/components/openssl/openssl-1.0.1/Makefile Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1/Makefile Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
#
include ../../../make-rules/shared-macros.mk
@@ -28,15 +28,15 @@
# When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too.
# For more information about wanboot-openssl testing, please refer to
# ../README.
-COMPONENT_VERSION = 1.0.1j
+COMPONENT_VERSION = 1.0.1k
# Version for IPS. It is easier to do it manually than convert the letter to a
# number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.10
+IPS_COMPONENT_VERSION = 1.0.1.11
COMPONENT_PROJECT_URL= http://www.openssl.org/
COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3
+ sha256:8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= library/openssl
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Tue Jan 13 07:39:33 2015 -0800
@@ -18,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
@@ -30,7 +30,7 @@
value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
set name=pkg.human-version value=$(COMPONENT_VERSION)
set name=com.oracle.info.description value=OpenSSL
-set name=com.oracle.info.tpno value=19492
+set name=com.oracle.info.tpno value=21111
set name=info.classification value=org.opensolaris.category.2008:System/Security
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
--- a/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch Tue Jan 20 05:42:59 2015 -0800
+++ b/components/openssl/openssl-1.0.1/patches/36_evp_leak.patch Tue Jan 13 07:39:33 2015 -0800
@@ -57,32 +57,32 @@
return ret;
}
-@@ -502,6 +515,7 @@
+@@ -501,6 +501,7 @@
int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
- unsigned int i, b;
+ int i,n;
+ int err = 1;
- unsigned char pad, padding_good;
+ unsigned int b;
*outl=0;
-@@ -509,10 +522,14 @@
+@@ -508,10 +509,14 @@
{
- int ret = M_do_cipher(ctx, out, NULL, 0);
- if (ret < 0)
+ i = M_do_cipher(ctx, out, NULL, 0);
+ if (i < 0)
- return 0;
+ {
+ err = 0;
+ goto cleanup;
+ }
else
- *outl = ret;
+ *outl = i;
- return 1;
+ err = 1;
+ goto cleanup;
}
- b=(unsigned int)(ctx->cipher->block_size);
-@@ -521,10 +538,12 @@
+ b=ctx->cipher->block_size;
+@@ -520,10 +525,12 @@
if(ctx->buf_len)
{
EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
@@ -97,7 +97,7 @@
}
if (b > 1)
{
-@@ -531,7 +550,8 @@
+@@ -530,7 +537,8 @@
if (ctx->buf_len || !ctx->final_used)
{
EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
@@ -106,28 +106,38 @@
+ goto cleanup;
}
OPENSSL_assert(b <= sizeof ctx->final);
- pad=ctx->final[b-1];
-@@ -555,13 +577,22 @@
- out[i] = ctx->final[i] & padding_good;
- /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
- *outl = padding_good & ((unsigned char)(b - pad));
-- return padding_good & 1;
-+ err = padding_good & 1;
-+ goto cleanup;
+
+@@ -542,7 +550,8 @@
+ if (n == 0 || n > (int)b)
+ {
+ EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+- return(0);
++ err = 0;
++ goto cleanup;
+ }
+ for (i=0; i<n; i++)
+ {
+@@ -549,7 +558,8 @@
+ if (ctx->final[--b] != n)
+ {
+ EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+- return(0);
++ err = 0;
++ goto cleanup;
+ }
+ }
+ n=ctx->cipher->block_size-n;
+@@ -559,7 +569,13 @@
}
else
- {
- *outl = 0;
-- return 1;
-+ err = 1;
- }
-+
+ *outl=0;
+- return(1);
++ err = 1;
+cleanup:
+ if (ctx->cipher->cleanup)
+ {
+ ctx->cipher->cleanup(ctx);
+ }
-+
+ return err;
}