PSARC/2015/043 Further OpenSSL Thread and Fork Safety
19579036 proftpd child process segfaults after failed login attempt
21149030 SegFault when a cleanup callback is called before the cipher initialization
--- a/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch Tue Jun 09 22:00:18 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch Wed Jun 10 11:25:02 2015 -0700
@@ -1,11 +1,12 @@
#
# This file adds the code to setup internal mutexes and callback function.
-# PSARC/2014/077
+# PSARC/2014/077
+# PSARC/2015/043
# This change was implemented in-house. The issue was brought up to
# the upstream engineers, but there was no commitment.
#
--- openssl-1.0.1f/crypto/cryptlib.c.~1~ Fri Feb 7 10:41:36 2014
-+++ openssl-1.0.1f/crypto/cryptlib.c Thu Feb 6 16:03:58 2014
++++ openssl-1.0.1f/crypto/cryptlib.c Thu Feb 6 16:03:58 2014
@@ -116,6 +116,7 @@
#include "cryptlib.h"
@@ -21,58 +22,144 @@
+static pthread_mutex_t *solaris_openssl_locks;
+
static void (MS_FAR *locking_callback) (int mode, int type,
- const char *file, int line) = 0;
+ const char *file, int line) = 0;
static int (MS_FAR *add_lock_callback) (int *pointer, int amount,
-@@ -402,6 +405,79 @@
+@@ -373,7 +376,10 @@
+ void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func)
+ (const char *file, int line))
+ {
+- dynlock_create_callback = func;
++ /*
++ * We now setup our own dynamic locking callback, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode,
+@@ -382,7 +388,10 @@
+ const char *file,
+ int line))
+ {
+- dynlock_lock_callback = func;
++ /*
++ * We now setup our own dynamic locking callback, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void CRYPTO_set_dynlock_destroy_callback(void (*func)
+@@ -389,7 +398,10 @@
+ (struct CRYPTO_dynlock_value *l,
+ const char *file, int line))
+ {
+- dynlock_destroy_callback = func;
++ /*
++ * We now setup our own dynamic locking callback, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void (*CRYPTO_get_locking_callback(void)) (int mode, int type,
+@@ -402,6 +414,127 @@
return (add_lock_callback);
}
-
+
+/*
+ * This is the locking callback function which all applications will be
+ * using when CRYPTO_lock() is called.
+ */
+static void solaris_locking_callback(int mode, int type, const char *file,
+ int line)
-+ {
-+ if (mode & CRYPTO_LOCK)
-+ {
++{
++ if (mode & CRYPTO_LOCK) {
+ pthread_mutex_lock(&solaris_openssl_locks[type]);
-+ }
-+ else
-+ {
++ } else {
+ pthread_mutex_unlock(&solaris_openssl_locks[type]);
-+ }
++ }
++}
++
++/*
++ * Implement Solaris's own dynamic locking routines.
++ */
++static struct CRYPTO_dynlock_value *
++solaris_dynlock_create(const char *file, int line)
++{
++ int ret;
++ pthread_mutex_t *dynlock;
++
++ dynlock = OPENSSL_malloc(sizeof(pthread_mutex_t));
++ if (dynlock == NULL) {
++ return (NULL);
+ }
+
++ ret = pthread_mutex_init(dynlock, NULL);
++ OPENSSL_assert(ret);
++
++ return ((struct CRYPTO_dynlock_value *)dynlock);
++}
++
++static void
++solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
++ const char *file, int line)
++{
++ int ret;
++
++ if (mode & CRYPTO_LOCK) {
++ ret = pthread_mutex_lock((pthread_mutex_t *)dynlock);
++ } else {
++ ret = pthread_mutex_unlock((pthread_mutex_t *)dynlock);
++ }
++
++ OPENSSL_assert(ret == 0);
++}
++
++static void
++solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock,
++ const char *file, int line)
++{
++ int ret;
++ ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock);
++ OPENSSL_assert(ret);
++}
+
+/*
+ * This function is called when a child process is forked to setup its own
+ * global locking callback function ptr and mutexes.
+ */
+static void solaris_fork_child(void)
-+ {
-+ /*
-+ * clear locking_callback to indicate that locks should
-+ * be reinitialized.
-+ */
-+ locking_callback = NULL;
-+ solaris_locking_setup();
-+ }
++{
++ /*
++ * clear locking_callback to indicate that locks should
++ * be reinitialized.
++ */
++ locking_callback = NULL;
++ solaris_locking_setup();
++}
+
+/*
+ * This function allocates and initializes the global mutex array, and
+ * sets the locking callback.
+ */
+void solaris_locking_setup()
-+ {
++{
+ int i;
+ int num_locks;
+
++ /* setup the dynlock callback if not already */
++ if (dynlock_create_callback == NULL) {
++ dynlock_create_callback = solaris_dynlock_create;
++ }
++ if (dynlock_lock_callback == NULL) {
++ dynlock_lock_callback = solaris_dynlock_lock;
++ }
++ if (dynlock_destroy_callback == NULL) {
++ dynlock_destroy_callback = solaris_dynlock_destroy;
++ }
++
+ /* locking callback is already setup. Nothing to do */
-+ if (locking_callback != NULL)
-+ {
++ if (locking_callback != NULL) {
+ return;
-+ }
++ }
+
+ /*
+ * Set atfork handler so that child can setup its own mutexes and
@@ -84,26 +171,24 @@
+ num_locks = CRYPTO_num_locks();
+ solaris_openssl_locks =
+ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
-+ if (solaris_openssl_locks == NULL)
-+ {
++ if (solaris_openssl_locks == NULL) {
+ fprintf(stderr,
+ "solaris_locking_setup: memory allocation failure.\n");
+ abort();
-+ }
++ }
+
+ /* initialize openssl mutexes */
-+ for (i = 0; i < num_locks; i++)
-+ {
++ for (i = 0; i < num_locks; i++) {
+ pthread_mutex_init(&solaris_openssl_locks[i], NULL);
-+ }
++ }
+ locking_callback = solaris_locking_callback;
+
+}
+
void CRYPTO_set_locking_callback(void (*func) (int mode, int type,
- const char *file, int line))
+ const char *file, int line))
{
-@@ -410,7 +486,11 @@
+@@ -410,7 +543,11 @@
* started.
*/
OPENSSL_init();
@@ -116,28 +201,55 @@
}
void CRYPTO_set_add_lock_callback(int (*func) (int *num, int mount, int type,
+@@ -471,9 +608,10 @@
+
+ int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *))
+ {
+- if (threadid_callback)
+- return 0;
+- threadid_callback = func;
++ /*
++ * Use the backup method (the address of 'errno') to identify the
++ * thread and disallow setting the threadid callback.
++ */
+ return 1;
+ }
+
+@@ -529,7 +667,10 @@
+
+ void CRYPTO_set_id_callback(unsigned long (*func) (void))
+ {
+- id_callback = func;
++ /*
++ * Use the backup method (the address of 'errno') to identify the
++ * thread and disallow setting the threadid callback.
++ */
+ }
+
+ unsigned long CRYPTO_thread_id(void)
+
--- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014
-+++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014
++++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014
@@ -104,6 +104,8 @@
void *OPENSSL_stderr(void);
extern int OPENSSL_NONPIC_relocated;
-
+
+void solaris_locking_setup();
+
#ifdef __cplusplus
}
#endif
---- openssl-1.0.1f/crypto/sparccpuid.S.~1~ Fri Feb 7 10:41:37 2014
-+++ openssl-1.0.1f/crypto/sparccpuid.S Thu Feb 6 16:04:14 2014
+--- openssl-1.0.1f/crypto/sparccpuid.S.~1~ Fri Feb 7 10:41:37 2014
++++ openssl-1.0.1f/crypto/sparccpuid.S Thu Feb 6 16:04:14 2014
@@ -398,5 +398,7 @@
- .size OPENSSL_cleanse,.-OPENSSL_cleanse
+ .size OPENSSL_cleanse,.-OPENSSL_cleanse
.section ".init",#alloc,#execinstr
+ call solaris_locking_setup
+ nop
- call OPENSSL_cpuid_setup
- nop
---- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~ Wed Feb 12 13:20:09 2014
+ call OPENSSL_cpuid_setup
+ nop
+--- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~ Wed Feb 12 13:20:09 2014
+++ openssl-1.0.1f/crypto/x86_64cpuid.pl Wed Feb 12 13:21:20 2014
@@ -20,7 +20,10 @@
print<<___;
@@ -147,16 +259,16 @@
+.hidden solaris_locking_setup
.section .init
+ call solaris_locking_setup
- call OPENSSL_cpuid_setup
-
+ call OPENSSL_cpuid_setup
+
.hidden OPENSSL_ia32cap_P
---- openssl-1.0.1f/crypto/x86cpuid.pl.~1~ Wed Feb 12 13:38:03 2014
-+++ openssl-1.0.1f/crypto/x86cpuid.pl Wed Feb 12 13:38:31 2014
+--- openssl-1.0.1f/crypto/x86cpuid.pl.~1~ Wed Feb 12 13:38:03 2014
++++ openssl-1.0.1f/crypto/x86cpuid.pl Wed Feb 12 13:38:31 2014
@@ -353,6 +353,7 @@
- &ret ();
+ &ret ();
&function_end_B("OPENSSL_ia32_rdrand");
-
+
+&initseg("solaris_locking_setup");
&initseg("OPENSSL_cpuid_setup");
-
+
&asm_finish();
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/41_uninitialized_ctx.patch Wed Jun 10 11:25:02 2015 -0700
@@ -0,0 +1,13 @@
+#
+# This was developed in house. Upstream notified.
+#
+--- openssl-1.0.1m/crypto/evp/evp_enc.c.orig Tue Jun 2 13:18:15 2015
++++ openssl-1.0.1m/crypto/evp/evp_enc.c Tue Jun 2 13:19:19 2015
+@@ -179,6 +179,7 @@
+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
++ (void) memset(ctx->cipher_data, 0, ctx->cipher->ctx_size);
+ } else {
+ ctx->cipher_data = NULL;
+ }
--- a/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch Tue Jun 09 22:00:18 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch Wed Jun 10 11:25:02 2015 -0700
@@ -1,6 +1,7 @@
#
# This file adds the code to setup internal mutexes and callback function.
# PSARC/2014/077
+# PSARC/2015/043
# This change was implemented in-house. The issue was brought up to
# the upstream engineers, but there was no commitment.
#
@@ -23,7 +24,43 @@
static void (MS_FAR *locking_callback) (int mode, int type,
const char *file, int line) = 0;
static int (MS_FAR *add_lock_callback) (int *pointer, int amount,
-@@ -402,6 +405,79 @@
+@@ -373,7 +376,10 @@
+ void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func)
+ (const char *file, int line))
+ {
+- dynlock_create_callback = func;
++ /*
++ * we now setup our own dynamic locking callback, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode,
+@@ -382,7 +388,10 @@
+ const char *file,
+ int line))
+ {
+- dynlock_lock_callback = func;
++ /*
++ * we now setup our own dynamic locking callback, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void CRYPTO_set_dynlock_destroy_callback(void (*func)
+@@ -389,7 +398,10 @@
+ (struct CRYPTO_dynlock_value *l,
+ const char *file, int line))
+ {
+- dynlock_destroy_callback = func;
++ /*
++ * we now setup our own dynamic locking callback, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void (*CRYPTO_get_locking_callback(void)) (int mode, int type,
+@@ -402,6 +414,129@@
return (add_lock_callback);
}
@@ -33,16 +70,58 @@
+ */
+static void solaris_locking_callback(int mode, int type, const char *file,
+ int line)
-+ {
-+ if (mode & CRYPTO_LOCK)
-+ {
-+ pthread_mutex_lock(&solaris_openssl_locks[type]);
-+ }
-+ else
-+ {
-+ pthread_mutex_unlock(&solaris_openssl_locks[type]);
-+ }
-+ }
++{
++ if (mode & CRYPTO_LOCK) {
++ pthread_mutex_lock(&solaris_openssl_locks[type]);
++ } else {
++ pthread_mutex_unlock(&solaris_openssl_locks[type]);
++ }
++}
++
++
++/*
++ * Implement Solaris's own dynamic locking routines.
++ */
++static struct CRYPTO_dynlock_value *
++solaris_dynlock_create(const char *file, int line)
++{
++ int ret;
++ pthread_mutex_t *dynlock;
++
++ dynlock = OPENSSL_malloc(sizeof(pthread_mutex_t));
++ if (dynlock == NULL) {
++ return (NULL);
++ }
++
++ ret = pthread_mutex_init(dynlock, NULL);
++ OPENSSL_assert(ret);
++
++ return ((struct CRYPTO_dynlock_value *)dynlock);
++}
++
++static void
++solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
++ const char *file, int line)
++{
++ int ret;
++
++ if (mode & CRYPTO_LOCK) {
++ ret = pthread_mutex_lock((pthread_mutex_t *)dynlock);
++ } else {
++ ret = pthread_mutex_unlock((pthread_mutex_t *)dynlock);
++ }
++
++ OPENSSL_assert(ret == 0);
++}
++
++static void
++solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock,
++ const char *file, int line)
++{
++ int ret;
++ ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock);
++ OPENSSL_assert(ret);
++}
+
+
+/*
@@ -50,53 +129,61 @@
+ * global locking callback function ptr and mutexes.
+ */
+static void solaris_fork_child(void)
-+ {
-+ /*
-+ * clear locking_callback to indicate that locks should
-+ * be reinitialized.
-+ */
-+ locking_callback = NULL;
-+ solaris_locking_setup();
-+ }
++{
++ /*
++ * clear locking_callback to indicate that locks should
++ * be reinitialized.
++ */
++ locking_callback = NULL;
++ solaris_locking_setup();
++}
+
+/*
+ * This function allocates and initializes the global mutex array, and
+ * sets the locking callback.
+ */
+void solaris_locking_setup()
-+ {
-+ int i;
-+ int num_locks;
++{
++ int i;
++ int num_locks;
+
-+ /* locking callback is already setup. Nothing to do */
-+ if (locking_callback != NULL)
-+ {
-+ return;
-+ }
++ /* setup the dynlock callback if not already */
++ if (dynlock_create_callback == NULL) {
++ dynlock_create_callback = solaris_dynlock_create;
++ }
++ if (dynlock_lock_callback == NULL) {
++ dynlock_lock_callback = solaris_dynlock_lock;
++ }
++ if (dynlock_destroy_callback == NULL) {
++ dynlock_destroy_callback = solaris_dynlock_destroy;
++ }
+
-+ /*
-+ * Set atfork handler so that child can setup its own mutexes and
-+ * locking callbacks when it is forked
-+ */
-+ (void) pthread_atfork(NULL, NULL, solaris_fork_child);
++ /* locking callback is already setup. Nothing to do */
++ if (locking_callback != NULL) {
++ return;
++ }
+
-+ /* allocate locks needed by OpenSSL */
-+ num_locks = CRYPTO_num_locks();
-+ solaris_openssl_locks =
-+ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
-+ if (solaris_openssl_locks == NULL)
-+ {
-+ fprintf(stderr,
-+ "solaris_locking_setup: memory allocation failure.\n");
-+ abort();
-+ }
++ /*
++ * Set atfork handler so that child can setup its own mutexes and
++ * locking callbacks when it is forked
++ */
++ (void) pthread_atfork(NULL, NULL, solaris_fork_child);
+
-+ /* initialize openssl mutexes */
-+ for (i = 0; i < num_locks; i++)
-+ {
-+ pthread_mutex_init(&solaris_openssl_locks[i], NULL);
-+ }
-+ locking_callback = solaris_locking_callback;
++ /* allocate locks needed by OpenSSL */
++ num_locks = CRYPTO_num_locks();
++ solaris_openssl_locks =
++ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
++ if (solaris_openssl_locks == NULL) {
++ fprintf(stderr,
++ "solaris_locking_setup: memory allocation failure.\n");
++ abort();
++ }
++
++ /* initialize openssl mutexes */
++ for (i = 0; i < num_locks; i++) {
++ pthread_mutex_init(&solaris_openssl_locks[i], NULL);
++ }
++ locking_callback = solaris_locking_callback;
+
+}
+
@@ -109,13 +196,39 @@
OPENSSL_init();
- locking_callback = func;
+
-+ /*
-+ * we now setup our own locking callback and mutexes, and disallow
-+ * setting of another locking callback.
-+ */
++ /*
++ * we now setup our own locking callback and mutexes, and disallow
++ * setting of another locking callback.
++ */
}
void CRYPTO_set_add_lock_callback(int (*func) (int *num, int mount, int type,
+@@ -471,9 +551,10 @@
+
+ int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *))
+ {
+- if (threadid_callback)
+- return 0;
+- threadid_callback = func;
++ /*
++ * Use the backup method (the address of 'errno') to identify the
++ * thread and disallow setting the threadid callback.
++ */
+ return 1;
+ }
+
+@@ -531,7 +611,10 @@
+
+ void CRYPTO_set_id_callback(unsigned long (*func) (void))
+ {
+- id_callback = func;
++ /*
++ * Use the backup method to identify the thread/process.
++ * Setting the id callback is disallowed.
++ */
+ }
+
+ unsigned long CRYPTO_thread_id(void)
--- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014
+++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014
@@ -104,6 +104,8 @@
--- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Tue Jun 09 22:00:18 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Wed Jun 10 11:25:02 2015 -0700
@@ -2,8 +2,8 @@
# This patch file makes the changes neccessary to build wanboot-openssl.o
# binary. This is Solaris-specific: not suitable for upstream.
#
---- openssl-1.0.0g/Makefile.org 2010-01-27 08:06:58.000000000 -0800
-+++ openssl-1.0.0g-1/Makefile.org 2012-03-26 03:04:08.440194448 -0700
+--- openssl-1.0.0g/Makefile.org 2010-01-27 08:06:58.000000000 -0800
++++ openssl-1.0.0g-1/Makefile.org 2012-03-26 03:04:08.440194448 -0700
@@ -138,7 +138,13 @@
BASEADDR=
@@ -18,8 +18,8 @@
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
---- openssl-1.0.0g/Makefile 2012-01-18 05:42:28.000000000 -0800
-+++ openssl-1.0.0g-1/Makefile 2012-03-26 03:03:59.170540344 -0700
+--- openssl-1.0.0g/Makefile 2012-01-18 05:42:28.000000000 -0800
++++ openssl-1.0.0g-1/Makefile 2012-03-26 03:03:59.170540344 -0700
@@ -137,7 +137,13 @@
BASEADDR=0xFB00000
@@ -34,47 +34,91 @@
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
---- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800
-@@ -412,6 +412,7 @@
+--- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800
+@@ -421,11 +421,13 @@
static void solaris_locking_callback(int mode, int type, const char *file,
int line)
- {
-+#ifndef _BOOT
- if (mode & CRYPTO_LOCK)
- {
- pthread_mutex_lock(&solaris_openssl_locks[type]);
-@@ -420,6 +421,7 @@
- {
- pthread_mutex_unlock(&solaris_openssl_locks[type]);
- }
+ {
++#ifndef _BOOT
+ if (mode & CRYPTO_LOCK) {
+ pthread_mutex_lock(&solaris_openssl_locks[type]);
+ } else {
+ pthread_mutex_unlock(&solaris_openssl_locks[type]);
+ }
+#endif
- }
+ }
-@@ -453,6 +455,12 @@
- }
+@@ -435,6 +437,7 @@
+ static struct CRYPTO_dynlock_value *
+ solaris_dynlock_create(const char *file, int line)
+ {
++#ifndef _BOOT
+ int ret;
+ pthread_mutex_t *dynlock;
+
+@@ -447,6 +450,9 @@
+ OPENSSL_assert(ret);
+
+ return ((struct CRYPTO_dynlock_value *)dynlock);
++#else
++ return (NULL);
++#endif
+ }
+
+ static void
+@@ -453,6 +459,7 @@
+ solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock,
+ const char *file, int line)
+ {
++#ifndef _BOOT
+ int ret;
+
+ if (mode & CRYPTO_LOCK) {
+@@ -462,6 +469,7 @@
+ }
+
+ OPENSSL_assert(ret == 0);
++#endif
+ }
+
+ static void
+@@ -468,9 +476,11 @@
+ solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock,
+ const char *file, int line)
+ {
++#ifndef _BOOT
+ int ret;
+ ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock);
+ OPENSSL_assert(ret);
++#endif
+ }
+
+
+@@ -514,6 +524,12 @@
+ }
- /*
-+ * pthread_* can't be used in wanboot.
-+ * wanboot needs not be thread-safe and mutexes and locking callback
-+ * function will not be setup for wanboot.
-+ */
-+#ifndef _BOOT
-+ /*
- * Set atfork handler so that child can setup its own mutexes and
- * locking callbacks when it is forked
- */
-@@ -475,7 +483,7 @@
- pthread_mutex_init(&solaris_openssl_locks[i], NULL);
- }
- locking_callback = solaris_locking_callback;
+ /*
++ * pthread_* can't be used in wanboot.
++ * wanboot needs not be thread-safe and mutexes and locking callback
++ * function will not be setup for wanboot.
++ */
++#ifndef _BOOT
++ /*
+ * Set atfork handler so that child can setup its own mutexes and
+ * locking callbacks when it is forked
+ */
+@@ -534,7 +550,7 @@
+ pthread_mutex_init(&solaris_openssl_locks[i], NULL);
+ }
+ locking_callback = solaris_locking_callback;
-
+#endif
}
void CRYPTO_set_locking_callback(void (*func) (int mode, int type,
-@@ -1021,6 +1029,12 @@
+@@ -1084,6 +1100,12 @@
MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP);
}
#else
@@ -83,36 +127,36 @@
+ * OPENSSL_showfatal() is not used anywhere else then here we can safely use
+ * the code from 0.9.7d version.
+ */
-+#ifndef _BOOT
++#ifndef _BOOT
void OPENSSL_showfatal(const char *fmta, ...)
{
va_list ap;
-@@ -1029,6 +1043,7 @@
+@@ -1092,6 +1114,7 @@
vfprintf(stderr, fmta, ap);
va_end(ap);
}
-+#endif /* _BOOT */
++#endif /* _BOOT */
int OPENSSL_isservice(void)
{
-@@ -1038,9 +1053,15 @@
+@@ -1101,9 +1124,15 @@
void OpenSSLDie(const char *file, int line, const char *assertion)
{
-+#ifndef _BOOT
++#ifndef _BOOT
OPENSSL_showfatal
("%s(%d): OpenSSL internal error, assertion failed: %s\n", file, line,
assertion);
+#else
-+ fprintf(stderr,
-+ "%s(%d): OpenSSL internal error, assertion failed: %s\n",
-+ file,line,assertion);
-+#endif
++ fprintf(stderr,
++ "%s(%d): OpenSSL internal error, assertion failed: %s\n",
++ file,line,assertion);
++#endif
#if !defined(_WIN32) || defined(__CYGWIN__)
abort();
#else
---- openssl-1.0.0e/crypto/err/err_all.c 2009-08-09 07:58:05.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/err/err_all.c 2011-12-13 05:22:01.205351400 -0800
+--- openssl-1.0.0e/crypto/err/err_all.c 2009-08-09 07:58:05.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/err/err_all.c 2011-12-13 05:22:01.205351400 -0800
@@ -148,7 +148,9 @@
ERR_load_X509V3_strings();
ERR_load_PKCS12_strings();
@@ -123,14 +167,14 @@
ERR_load_TS_strings();
# ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings();
---- openssl-1.0.0e/crypto/evp/evp_key.c 2010-03-27 12:27:50.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/evp/evp_key.c 2011-12-13 05:19:32.956908600 -0800
+--- openssl-1.0.0e/crypto/evp/evp_key.c 2010-03-27 12:27:50.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/evp/evp_key.c 2011-12-13 05:19:32.956908600 -0800
@@ -83,7 +83,7 @@
else
return (prompt_string);
}
-
-+#ifndef _BOOT
++#ifndef _BOOT
/*
* For historical reasons, the standard function for reading passwords is in
* the DES library -- if someone ever wants to disable DES, this function
@@ -138,17 +182,17 @@
OPENSSL_cleanse(buff, BUFSIZ);
return ret;
}
-+#endif /* !_BOOT */
++#endif /* !_BOOT */
int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const unsigned char *salt, const unsigned char *data,
---- openssl-1.0.0e/crypto/rand/rand_unix.c 2009-04-06 07:31:36.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c 2011-12-19 07:28:39.988944800 -0800
+--- openssl-1.0.0e/crypto/rand/rand_unix.c 2009-04-06 07:31:36.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c 2011-12-19 07:28:39.988944800 -0800
@@ -122,7 +122,11 @@
# include <sys/time.h>
# include <sys/times.h>
# include <sys/stat.h>
-+#ifdef _BOOT
++#ifdef _BOOT
+# include <sys/fcntl.h>
+#else
# include <fcntl.h>
@@ -216,7 +260,7 @@
}
# endif
-+#ifndef _BOOT
++#ifndef _BOOT
/* put in some default random data, we need more than just this */
l = curr_pid;
RAND_add(&l, sizeof(l), 0.0);
@@ -224,21 +268,21 @@
l = time(NULL);
RAND_add(&l, sizeof(l), 0.0);
-+#endif /* !_BOOT */
++#endif /* !_BOOT */
# if defined(OPENSSL_SYS_BEOS)
{
---- openssl-1.0.0e/crypto/rand/randfile.c 2011-03-19 02:44:37.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/rand/randfile.c 2011-12-13 05:26:51.884824200 -0800
+--- openssl-1.0.0e/crypto/rand/randfile.c 2011-03-19 02:44:37.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/randfile.c 2011-12-13 05:26:51.884824200 -0800
@@ -57,9 +57,11 @@
*/
/* We need to define this to get macros like S_IFBLK and S_IFCHR */
-+#ifndef _BOOT
++#ifndef _BOOT
#if !defined(OPENSSL_SYS_VXWORKS)
# define _XOPEN_SOURCE 500
#endif
-+#endif /* _BOOT */
++#endif /* _BOOT */
#include <errno.h>
#include <stdio.h>
@@ -246,7 +290,7 @@
return (ret);
}
-+#ifndef _BOOT
++#ifndef _BOOT
int RAND_write_file(const char *file)
{
unsigned char buf[BUFSIZE];
@@ -256,13 +300,13 @@
}
+
+#endif /* _BOOT */
---- openssl-1.0.0e/crypto/x509v3/v3_utl.c 2009-07-27 14:08:53.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c 2011-12-13 05:10:08.844191400 -0800
+--- openssl-1.0.0e/crypto/x509v3/v3_utl.c 2009-07-27 14:08:53.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c 2011-12-13 05:10:08.844191400 -0800
@@ -715,9 +715,50 @@
}
}
-+#if defined(_BOOT)
++#if defined(_BOOT)
+/* This function was copied from bio/b_sock.c */
+static int get_ip(const char *str, unsigned char ip[4])
+{
@@ -302,10 +346,10 @@
{
int a0, a1, a2, a3;
+
-+#if defined(_BOOT)
-+ if (get_ip(in, v4) != 1)
-+ return 0;
-+#else /* _BOOT */
++#if defined(_BOOT)
++ if (get_ip(in, v4) != 1)
++ return 0;
++#else /* _BOOT */
if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
return 0;
if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
@@ -313,17 +357,17 @@
v4[1] = a1;
v4[2] = a2;
v4[3] = a3;
-+#endif /* _BOOT */
++#endif /* _BOOT */
return 1;
}
---- openssl-1.0.0e/e_os.h 2011-12-19 04:17:51.631087400 -0800
-+++ openssl-1.0.0e_patched/e_os.h 2011-12-19 04:15:15.776668900 -0800
+--- openssl-1.0.0e/e_os.h 2011-12-19 04:17:51.631087400 -0800
++++ openssl-1.0.0e_patched/e_os.h 2011-12-19 04:15:15.776668900 -0800
@@ -213,10 +213,19 @@
# define get_last_socket_error() errno
# define clear_socket_error() errno=0
# define ioctlsocket(a,b,c) ioctl(a,b,c)
-+#ifdef _BOOT
++#ifdef _BOOT
+#include <netinet/in.h>
+extern int socket_read(int, void *, size_t, int);
+extern int socket_close(int);
@@ -342,7 +386,7 @@
--- openssl-1.0.0e/crypto/sparcv9cap.c 2010-09-05 12:48:01.000000000 -0700
+++ openssl-1.0.0e_patched/crypto/sparcv9cap.c 2011-12-23 05:24:02.011607700 -0800
@@ -12,7 +12,11 @@
- #define SPARCV9_VIS2 (1<<3) /* reserved */
+ #define SPARCV9_VIS2 (1<<3) /* reserved */
#define SPARCV9_FMADD (1<<4) /* reserved for SPARC64 V */
+#ifndef _BOOT
@@ -392,8 +436,8 @@
.section ".init",#alloc,#execinstr
call solaris_locking_setup
nop
- call OPENSSL_cpuid_setup
- nop
+ call OPENSSL_cpuid_setup
+ nop
+#else
+ nop
+ nop
@@ -418,7 +462,7 @@
p = s->s3->client_random;
-+#ifndef _BOOT
++#ifndef _BOOT
if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
+#else
+ if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
@@ -432,7 +476,7 @@
* Apparently we're using a version-flexible SSL_METHOD (not at its
* highest protocol version).
*/
-+#ifndef _BOOT
++#ifndef _BOOT
if (s->ctx->method->version == SSLv23_method()->version) {
+#else
+ if (s->ctx->method->version == TLS1_2_VERSION) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1/patches/41_uninitialized_ctx.patch Wed Jun 10 11:25:02 2015 -0700
@@ -0,0 +1,13 @@
+#
+# This was developed in house. Upstream notified.
+#
+--- openssl-1.0.1m/crypto/evp/evp_enc.c.orig Tue Jun 2 13:18:15 2015
++++ openssl-1.0.1m/crypto/evp/evp_enc.c Tue Jun 2 13:19:19 2015
+@@ -179,6 +179,7 @@
+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
++ (void) memset(ctx->cipher_data, 0, ctx->cipher->ctx_size);
+ } else {
+ ctx->cipher_data = NULL;
+ }