PSARC/2015/043 Further OpenSSL Thread and Fork Safety s11-update
authorjenny.yung@oracle.com <jenny.yung@oracle.com>
Wed, 10 Jun 2015 11:25:02 -0700
branchs11-update
changeset 4461 68eb2fdf9b3a
parent 4458 6e71221d175a
child 4464 2594d55f79e0
PSARC/2015/043 Further OpenSSL Thread and Fork Safety 19579036 proftpd child process segfaults after failed login attempt 21149030 SegFault when a cleanup callback is called before the cipher initialization
components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch
components/openssl/openssl-1.0.1-fips-140/patches/41_uninitialized_ctx.patch
components/openssl/openssl-1.0.1/patches/29_fork_safe.patch
components/openssl/openssl-1.0.1/patches/30_wanboot.patch
components/openssl/openssl-1.0.1/patches/41_uninitialized_ctx.patch
--- a/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch	Tue Jun 09 22:00:18 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch	Wed Jun 10 11:25:02 2015 -0700
@@ -1,11 +1,12 @@
 #
 # This file adds the code to setup internal mutexes and callback function.
-#	PSARC/2014/077
+#       PSARC/2014/077
+#	PSARC/2015/043
 # This change was implemented in-house.  The issue was brought up to
 # the upstream engineers, but there was no commitment.
 #
 --- openssl-1.0.1f/crypto/cryptlib.c.~1~	Fri Feb  7 10:41:36 2014
-+++ openssl-1.0.1f/crypto/cryptlib.c	Thu Feb  6 16:03:58 2014
++++ openssl-1.0.1f/crypto/cryptlib.c    Thu Feb  6 16:03:58 2014
 @@ -116,6 +116,7 @@
  
  #include "cryptlib.h"
@@ -21,58 +22,144 @@
 +static pthread_mutex_t *solaris_openssl_locks;
 +
  static void (MS_FAR *locking_callback) (int mode, int type,
-                                         const char *file, int line) = 0;
+		                         const char *file, int line) = 0;
  static int (MS_FAR *add_lock_callback) (int *pointer, int amount,
[email protected]@ -402,6 +405,79 @@
[email protected]@ -373,7 +376,10 @@
+ void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func)
+		                          (const char *file, int line))
+ {
+-    dynlock_create_callback = func;
++	/*
++	 * We now setup our own dynamic locking callback, and disallow
++	 * setting of another locking callback.
++	 */
+ }
+ 
+ void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode,
[email protected]@ -382,7 +388,10 @@
+		                                     const char *file,
+		                                     int line))
+ {
+-    dynlock_lock_callback = func;
++	/*
++	 * We now setup our own dynamic locking callback, and disallow
++	 * setting of another locking callback.
++	 */
+ }
+ 
+ void CRYPTO_set_dynlock_destroy_callback(void (*func)
[email protected]@ -389,7 +398,10 @@
+		                           (struct CRYPTO_dynlock_value *l,
+		                            const char *file, int line))
+ {
+-    dynlock_destroy_callback = func;
++	/*
++	 * We now setup our own dynamic locking callback, and disallow
++	 * setting of another locking callback.
++	 */
+ }
+ 
+ void (*CRYPTO_get_locking_callback(void)) (int mode, int type,
[email protected]@ -402,6 +414,127 @@
      return (add_lock_callback);
  }
-
+ 
 +/*
 + * This is the locking callback function which all applications will be
 + * using when CRYPTO_lock() is called.
 + */ 
 +static void solaris_locking_callback(int mode, int type, const char *file,
 +    int line)
-+	{
-+	if (mode & CRYPTO_LOCK)
-+		{
++{
++	if (mode & CRYPTO_LOCK) {
 +		pthread_mutex_lock(&solaris_openssl_locks[type]);
-+		}
-+	else
-+		{
++	} else {
 +		pthread_mutex_unlock(&solaris_openssl_locks[type]);
-+		}
++	}
++}
++
++/*
++ * Implement Solaris's own dynamic locking routines.
++ */
++static struct CRYPTO_dynlock_value *
++solaris_dynlock_create(const char *file, int line)
++{
++	int		ret;
++	pthread_mutex_t	*dynlock;
++
++	dynlock = OPENSSL_malloc(sizeof(pthread_mutex_t));
++	if (dynlock == NULL) {
++		return (NULL);
 +	}
 +
++	ret = pthread_mutex_init(dynlock, NULL);
++	OPENSSL_assert(ret);
++
++	return ((struct CRYPTO_dynlock_value *)dynlock);
++}
++
++static void
++solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
++    const char *file, int line)
++{
++	int	ret;
++
++	if (mode & CRYPTO_LOCK) {
++		ret = pthread_mutex_lock((pthread_mutex_t *)dynlock);
++	} else {
++		ret = pthread_mutex_unlock((pthread_mutex_t *)dynlock);
++	}
++
++	OPENSSL_assert(ret == 0);
++}
++
++static void
++solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock,
++    const char *file, int line)
++{
++	int	ret;
++	ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock);
++	OPENSSL_assert(ret);
++}
 +
 +/*
 + * This function is called when a child process is forked to setup its own
 + * global locking callback function ptr and mutexes.
 + */
 +static void solaris_fork_child(void)
-+	{
-+		/*
-+		 * clear locking_callback to indicate that locks should
-+		 * be reinitialized.
-+		 */
-+		locking_callback = NULL;
-+		solaris_locking_setup();
-+	}
++{
++	/*
++	 * clear locking_callback to indicate that locks should
++	 * be reinitialized.
++	 */
++	locking_callback = NULL;
++	solaris_locking_setup();
++}
 +
 +/*
 + * This function allocates and initializes the global mutex array, and
 + * sets the locking callback.
 + */
 +void solaris_locking_setup()
-+	{
++{
 +	int i;
 +	int num_locks;
 +
++	/* setup the dynlock callback if not already */
++	if (dynlock_create_callback == NULL) {
++		dynlock_create_callback = solaris_dynlock_create;
++	}
++	if (dynlock_lock_callback == NULL) {
++		dynlock_lock_callback = solaris_dynlock_lock;
++	}
++	if (dynlock_destroy_callback == NULL) {
++		dynlock_destroy_callback = solaris_dynlock_destroy;
++	}
++
 +	/* locking callback is already setup. Nothing to do */
-+	if (locking_callback != NULL)
-+		{
++	if (locking_callback != NULL) {
 +		return;
-+		}
++	}
 +
 +	/*
 +	 * Set atfork handler so that child can setup its own mutexes and
@@ -84,26 +171,24 @@
 +	num_locks = CRYPTO_num_locks();
 +	solaris_openssl_locks =
 +	    OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
-+	if (solaris_openssl_locks == NULL)
-+		{
++	if (solaris_openssl_locks == NULL) {
 +		fprintf(stderr,
 +			"solaris_locking_setup: memory allocation failure.\n");
 +		abort();
-+		}
++	}
 +
 +	/* initialize openssl mutexes */
-+	for (i = 0; i < num_locks; i++)
-+		{
++	for (i = 0; i < num_locks; i++) {
 +		pthread_mutex_init(&solaris_openssl_locks[i], NULL);
-+		}
++	}
 +	locking_callback = solaris_locking_callback;
 +
 +}
 +
  void CRYPTO_set_locking_callback(void (*func) (int mode, int type,
-                                                const char *file, int line))
+		                                const char *file, int line))
  {
[email protected]@ -410,7 +486,11 @@
[email protected]@ -410,7 +543,11 @@
       * started.
       */
      OPENSSL_init();
@@ -116,28 +201,55 @@
  }
  
  void CRYPTO_set_add_lock_callback(int (*func) (int *num, int mount, int type,
[email protected]@ -471,9 +608,10 @@
+ 
+ int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *))
+ {
+-    if (threadid_callback)
+-        return 0;
+-    threadid_callback = func;
++    /*
++     * Use the backup method (the address of 'errno') to identify the
++     * thread and disallow setting the threadid callback.
++     */
+     return 1;
+ }
+ 
[email protected]@ -529,7 +667,10 @@
+ 
+ void CRYPTO_set_id_callback(unsigned long (*func) (void))
+ {
+-    id_callback = func;
++    /*
++     * Use the backup method (the address of 'errno') to identify the
++     * thread and disallow setting the threadid callback.
++     */
+ }
+ 
+ unsigned long CRYPTO_thread_id(void)
+
 --- openssl-1.0.1f/crypto/cryptlib.h.~1~	Fri Feb  7 10:41:42 2014
-+++ openssl-1.0.1f/crypto/cryptlib.h	Thu Feb  6 16:04:16 2014
++++ openssl-1.0.1f/crypto/cryptlib.h    Thu Feb  6 16:04:16 2014
 @@ -104,6 +104,8 @@
  void *OPENSSL_stderr(void);
  extern int OPENSSL_NONPIC_relocated;
- 
+
 +void solaris_locking_setup();
 +
  #ifdef  __cplusplus
  }
  #endif
---- openssl-1.0.1f/crypto/sparccpuid.S.~1~	Fri Feb  7 10:41:37 2014
-+++ openssl-1.0.1f/crypto/sparccpuid.S	Thu Feb  6 16:04:14 2014
+--- openssl-1.0.1f/crypto/sparccpuid.S.~1~      Fri Feb  7 10:41:37 2014
++++ openssl-1.0.1f/crypto/sparccpuid.S  Thu Feb  6 16:04:14 2014
 @@ -398,5 +398,7 @@
- .size	OPENSSL_cleanse,.-OPENSSL_cleanse
+ .size  OPENSSL_cleanse,.-OPENSSL_cleanse
 
  .section	".init",#alloc,#execinstr
 +	call	solaris_locking_setup
 +	nop
- 	call	OPENSSL_cpuid_setup
- 	nop
---- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~	Wed Feb 12 13:20:09 2014
+	call	OPENSSL_cpuid_setup
+	nop
+--- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~    Wed Feb 12 13:20:09 2014
 +++ openssl-1.0.1f/crypto/x86_64cpuid.pl	Wed Feb 12 13:21:20 2014
 @@ -20,7 +20,10 @@
  print<<___;
@@ -147,16 +259,16 @@
 +.hidden		solaris_locking_setup
  .section	.init
 +	call	solaris_locking_setup
- 	call	OPENSSL_cpuid_setup
- 
+	call	OPENSSL_cpuid_setup
+
  .hidden	OPENSSL_ia32cap_P
---- openssl-1.0.1f/crypto/x86cpuid.pl.~1~	Wed Feb 12 13:38:03 2014
-+++ openssl-1.0.1f/crypto/x86cpuid.pl	Wed Feb 12 13:38:31 2014
+--- openssl-1.0.1f/crypto/x86cpuid.pl.~1~       Wed Feb 12 13:38:03 2014
++++ openssl-1.0.1f/crypto/x86cpuid.pl   Wed Feb 12 13:38:31 2014
 @@ -353,6 +353,7 @@
- 	&ret	();
+	&ret    ();
  &function_end_B("OPENSSL_ia32_rdrand");
- 
+
 +&initseg("solaris_locking_setup");
  &initseg("OPENSSL_cpuid_setup");
- 
+
  &asm_finish();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/41_uninitialized_ctx.patch	Wed Jun 10 11:25:02 2015 -0700
@@ -0,0 +1,13 @@
+#
+# This was developed in house. Upstream notified.
+#
+--- openssl-1.0.1m/crypto/evp/evp_enc.c.orig	Tue Jun  2 13:18:15 2015
++++ openssl-1.0.1m/crypto/evp/evp_enc.c	Tue Jun  2 13:19:19 2015
[email protected]@ -179,6 +179,7 @@
+                 EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
+                 return 0;
+             }
++	    (void) memset(ctx->cipher_data, 0, ctx->cipher->ctx_size);
+         } else {
+             ctx->cipher_data = NULL;
+         }
--- a/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch	Tue Jun 09 22:00:18 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch	Wed Jun 10 11:25:02 2015 -0700
@@ -1,6 +1,7 @@
 #
 # This file adds the code to setup internal mutexes and callback function.
 #	PSARC/2014/077
+#	PSARC/2015/043
 # This change was implemented in-house.  The issue was brought up to
 # the upstream engineers, but there was no commitment.
 #
@@ -23,7 +24,43 @@
  static void (MS_FAR *locking_callback) (int mode, int type,
                                          const char *file, int line) = 0;
  static int (MS_FAR *add_lock_callback) (int *pointer, int amount,
[email protected]@ -402,6 +405,79 @@
[email protected]@ -373,7 +376,10 @@
+ void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func)
+                                          (const char *file, int line))
+ {
+-    dynlock_create_callback = func;
++    /*
++     * we now setup our own dynamic locking callback, and disallow
++     * setting of another locking callback.
++     */
+ }
+
+ void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode,
[email protected]@ -382,7 +388,10 @@
+                                                     const char *file,
+                                                     int line))
+ {
+-    dynlock_lock_callback = func;
++    /*
++     * we now setup our own dynamic locking callback, and disallow
++     * setting of another locking callback.
++     */
+ }
+
+ void CRYPTO_set_dynlock_destroy_callback(void (*func)
[email protected]@ -389,7 +398,10 @@
+                                           (struct CRYPTO_dynlock_value *l,
+                                            const char *file, int line))
+ {
+-    dynlock_destroy_callback = func;
++    /*
++     * we now setup our own dynamic locking callback, and disallow
++     * setting of another locking callback.
++     */
+ }
+
+ void (*CRYPTO_get_locking_callback(void)) (int mode, int type,
[email protected]@ -402,6 +414,[email protected]@
      return (add_lock_callback);
  }
 
@@ -33,16 +70,58 @@
 + */ 
 +static void solaris_locking_callback(int mode, int type, const char *file,
 +    int line)
-+	{
-+	if (mode & CRYPTO_LOCK)
-+		{
-+		pthread_mutex_lock(&solaris_openssl_locks[type]);
-+		}
-+	else
-+		{
-+		pthread_mutex_unlock(&solaris_openssl_locks[type]);
-+		}
-+	}
++{
++    if (mode & CRYPTO_LOCK) {
++        pthread_mutex_lock(&solaris_openssl_locks[type]);
++    } else {
++        pthread_mutex_unlock(&solaris_openssl_locks[type]);
++    }
++}
++
++
++/*
++ * Implement Solaris's own dynamic locking routines.
++ */
++static struct CRYPTO_dynlock_value *
++solaris_dynlock_create(const char *file, int line)
++{
++    int                        ret;
++    pthread_mutex_t    *dynlock;
++
++    dynlock = OPENSSL_malloc(sizeof(pthread_mutex_t));
++    if (dynlock == NULL) {
++        return (NULL);
++    }
++
++    ret = pthread_mutex_init(dynlock, NULL);
++    OPENSSL_assert(ret);
++
++    return ((struct CRYPTO_dynlock_value *)dynlock);
++}
++
++static void
++solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
++    const char *file, int line)
++{
++    int        ret;
++
++    if (mode & CRYPTO_LOCK) {
++        ret = pthread_mutex_lock((pthread_mutex_t *)dynlock);
++    } else {
++        ret = pthread_mutex_unlock((pthread_mutex_t *)dynlock);
++    }
++
++    OPENSSL_assert(ret == 0);
++}
++
++static void
++solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock,
++    const char *file, int line)
++{
++    int ret;
++    ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock);
++    OPENSSL_assert(ret);
++}
 +
 +
 +/*
@@ -50,53 +129,61 @@
 + * global locking callback function ptr and mutexes.
 + */
 +static void solaris_fork_child(void)
-+	{
-+		/*
-+		 * clear locking_callback to indicate that locks should
-+		 * be reinitialized.
-+		 */
-+		locking_callback = NULL;
-+		solaris_locking_setup();
-+	}
++{
++    /*
++     * clear locking_callback to indicate that locks should
++     * be reinitialized.
++     */
++    locking_callback = NULL;
++    solaris_locking_setup();
++}
 +
 +/*
 + * This function allocates and initializes the global mutex array, and
 + * sets the locking callback.
 + */
 +void solaris_locking_setup()
-+	{
-+	int i;
-+	int num_locks;
++{
++    int i;
++    int num_locks;
 +
-+	/* locking callback is already setup. Nothing to do */
-+	if (locking_callback != NULL)
-+		{
-+		return;
-+		}
++    /* setup the dynlock callback if not already */
++    if (dynlock_create_callback == NULL) {
++        dynlock_create_callback = solaris_dynlock_create;
++    }
++    if (dynlock_lock_callback == NULL) {
++        dynlock_lock_callback = solaris_dynlock_lock;
++    }
++    if (dynlock_destroy_callback == NULL) {
++        dynlock_destroy_callback = solaris_dynlock_destroy;
++    }
 +
-+	/*
-+	 * Set atfork handler so that child can setup its own mutexes and
-+	 * locking callbacks when it is forked
-+	 */
-+	(void) pthread_atfork(NULL, NULL, solaris_fork_child);
++    /* locking callback is already setup. Nothing to do */
++    if (locking_callback != NULL) {
++        return;
++    }
 +
-+	/* allocate locks needed by OpenSSL  */
-+	num_locks = CRYPTO_num_locks();
-+	solaris_openssl_locks =
-+	    OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
-+	if (solaris_openssl_locks == NULL)
-+		{
-+		fprintf(stderr,
-+			"solaris_locking_setup: memory allocation failure.\n");
-+		abort();
-+		}
++    /*
++     * Set atfork handler so that child can setup its own mutexes and
++     * locking callbacks when it is forked
++     */
++    (void) pthread_atfork(NULL, NULL, solaris_fork_child);
 +
-+	/* initialize openssl mutexes */
-+	for (i = 0; i < num_locks; i++)
-+		{
-+		pthread_mutex_init(&solaris_openssl_locks[i], NULL);
-+		}
-+	locking_callback = solaris_locking_callback;
++    /* allocate locks needed by OpenSSL  */
++    num_locks = CRYPTO_num_locks();
++    solaris_openssl_locks =
++        OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
++    if (solaris_openssl_locks == NULL) {
++        fprintf(stderr,
++            "solaris_locking_setup: memory allocation failure.\n");
++        abort();
++    }
++
++    /* initialize openssl mutexes */
++    for (i = 0; i < num_locks; i++) {
++        pthread_mutex_init(&solaris_openssl_locks[i], NULL);
++    }
++    locking_callback = solaris_locking_callback;
 +
 +}
 +
@@ -109,13 +196,39 @@
      OPENSSL_init();
 -    locking_callback = func;
 +
-+	/*
-+	 * we now setup our own locking callback and mutexes, and disallow
-+	 * setting of another locking callback.
-+	 */
++    /*
++     * we now setup our own locking callback and mutexes, and disallow
++     * setting of another locking callback.
++     */
  }
  
  void CRYPTO_set_add_lock_callback(int (*func) (int *num, int mount, int type,
[email protected]@ -471,9 +551,10 @@
+ 
+ int CRYPTO_THREADID_set_callback(void (*func) (CRYPTO_THREADID *))
+ {
+-    if (threadid_callback)
+-        return 0;
+-    threadid_callback = func;
++    /*
++     * Use the backup method (the address of 'errno') to identify the
++     * thread and disallow setting the threadid callback.
++     */
+     return 1;
+ }
+ 
[email protected]@ -531,7 +611,10 @@
+ 
+ void CRYPTO_set_id_callback(unsigned long (*func) (void))
+ {
+-    id_callback = func;
++    /*
++     * Use the backup method to identify the thread/process.
++     * Setting the id callback is disallowed.
++     */
+ }
+ 
+ unsigned long CRYPTO_thread_id(void)
 --- openssl-1.0.1f/crypto/cryptlib.h.~1~	Fri Feb  7 10:41:42 2014
 +++ openssl-1.0.1f/crypto/cryptlib.h	Thu Feb  6 16:04:16 2014
 @@ -104,6 +104,8 @@
--- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch	Tue Jun 09 22:00:18 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch	Wed Jun 10 11:25:02 2015 -0700
@@ -2,8 +2,8 @@
 # This patch file makes the changes neccessary to build wanboot-openssl.o
 # binary. This is Solaris-specific: not suitable for upstream.
 #
---- openssl-1.0.0g/Makefile.org	2010-01-27 08:06:58.000000000 -0800
-+++ openssl-1.0.0g-1/Makefile.org	2012-03-26 03:04:08.440194448 -0700
+--- openssl-1.0.0g/Makefile.org    2010-01-27 08:06:58.000000000 -0800
++++ openssl-1.0.0g-1/Makefile.org    2012-03-26 03:04:08.440194448 -0700
 @@ -138,7 +138,13 @@
 
  BASEADDR=
@@ -18,8 +18,8 @@
  ENGDIRS= ccgost
  SHLIBDIRS= crypto ssl
 
---- openssl-1.0.0g/Makefile	2012-01-18 05:42:28.000000000 -0800
-+++ openssl-1.0.0g-1/Makefile	2012-03-26 03:03:59.170540344 -0700
+--- openssl-1.0.0g/Makefile    2012-01-18 05:42:28.000000000 -0800
++++ openssl-1.0.0g-1/Makefile    2012-03-26 03:03:59.170540344 -0700
 @@ -137,7 +137,13 @@
 
  BASEADDR=0xFB00000
@@ -34,47 +34,91 @@
  ENGDIRS= ccgost
  SHLIBDIRS= crypto ssl
 
---- openssl-1.0.0e/crypto/cryptlib.c	2011-06-22 08:39:00.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/cryptlib.c	2011-12-12 06:17:45.422476900 -0800
[email protected]@ -412,6 +412,7 @@
+--- openssl-1.0.0e/crypto/cryptlib.c    2011-06-22 08:39:00.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/cryptlib.c    2011-12-12 06:17:45.422476900 -0800
[email protected]@ -421,11 +421,13 @@
  static void solaris_locking_callback(int mode, int type, const char *file,
      int line)
- 	{
-+#ifndef	_BOOT
- 	if (mode & CRYPTO_LOCK)
- 		{
- 		pthread_mutex_lock(&solaris_openssl_locks[type]);
[email protected]@ -420,6 +421,7 @@
- 		{
- 		pthread_mutex_unlock(&solaris_openssl_locks[type]);
- 		}
+ {
++#ifndef    _BOOT
+     if (mode & CRYPTO_LOCK) {
+         pthread_mutex_lock(&solaris_openssl_locks[type]);
+     } else {
+         pthread_mutex_unlock(&solaris_openssl_locks[type]);
+     }
 +#endif
- 	}
+ }
  
  
[email protected]@ -453,6 +455,12 @@
- 		}
[email protected]@ -435,6 +437,7 @@
+ static struct CRYPTO_dynlock_value *
+ solaris_dynlock_create(const char *file, int line)
+ {
++#ifndef    _BOOT
+     int                        ret;
+     pthread_mutex_t    *dynlock;
+
[email protected]@ -447,6 +450,9 @@
+     OPENSSL_assert(ret);
+
+     return ((struct CRYPTO_dynlock_value *)dynlock);
++#else
++    return (NULL);
++#endif
+ }
+
+ static void
[email protected]@ -453,6 +459,7 @@
+ solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock,
+     const char *file, int line)
+ {
++#ifndef    _BOOT
+     int        ret;
+
+     if (mode & CRYPTO_LOCK) {
[email protected]@ -462,6 +469,7 @@
+     }
+
+     OPENSSL_assert(ret == 0);
++#endif
+ }
+
+ static void
[email protected]@ -468,9 +476,11 @@
+ solaris_dynlock_destroy(struct CRYPTO_dynlock_value *dynlock,
+     const char *file, int line)
+ {
++#ifndef    _BOOT
+     int ret;
+     ret = pthread_mutex_destroy((pthread_mutex_t *)dynlock);
+     OPENSSL_assert(ret);
++#endif
+ }
+
+
[email protected]@ -514,6 +524,12 @@
+     }
  
- 	/*
-+	 * pthread_* can't be used in wanboot.
-+	 * wanboot needs not be thread-safe and mutexes and locking callback
-+	 * function will not be setup for wanboot.
-+	 */
-+#ifndef	_BOOT
-+	/*
- 	 * Set atfork handler so that child can setup its own mutexes and
- 	 * locking callbacks when it is forked
- 	 */
[email protected]@ -475,7 +483,7 @@
- 		pthread_mutex_init(&solaris_openssl_locks[i], NULL);
- 		}
- 	locking_callback = solaris_locking_callback;
+     /*
++     * pthread_* can't be used in wanboot.
++     * wanboot needs not be thread-safe and mutexes and locking callback
++     * function will not be setup for wanboot.
++     */
++#ifndef    _BOOT
++    /*
+      * Set atfork handler so that child can setup its own mutexes and
+      * locking callbacks when it is forked
+      */
[email protected]@ -534,7 +550,7 @@
+         pthread_mutex_init(&solaris_openssl_locks[i], NULL);
+     }
+     locking_callback = solaris_locking_callback;
 -
 +#endif
  }
  
  void CRYPTO_set_locking_callback(void (*func) (int mode, int type,
[email protected]@ -1021,6 +1029,12 @@
[email protected]@ -1084,6 +1100,12 @@
          MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP);
  }
  #else
@@ -83,36 +127,36 @@
 + * OPENSSL_showfatal() is not used anywhere else then here we can safely use
 + * the code from 0.9.7d version.
 + */
-+#ifndef	_BOOT
++#ifndef    _BOOT
  void OPENSSL_showfatal(const char *fmta, ...)
  {
      va_list ap;
[email protected]@ -1029,6 +1043,7 @@
[email protected]@ -1092,6 +1114,7 @@
      vfprintf(stderr, fmta, ap);
      va_end(ap);
  }
-+#endif	/* _BOOT */
++#endif    /* _BOOT */
  
  int OPENSSL_isservice(void)
  {
[email protected]@ -1038,9 +1053,15 @@
[email protected]@ -1101,9 +1124,15 @@
  
  void OpenSSLDie(const char *file, int line, const char *assertion)
  {
-+#ifndef	_BOOT		
++#ifndef    _BOOT        
      OPENSSL_showfatal
          ("%s(%d): OpenSSL internal error, assertion failed: %s\n", file, line,
           assertion);
 +#else
-+	fprintf(stderr,
-+		"%s(%d): OpenSSL internal error, assertion failed: %s\n",
-+		file,line,assertion);
-+#endif	
++    fprintf(stderr,
++        "%s(%d): OpenSSL internal error, assertion failed: %s\n",
++        file,line,assertion);
++#endif    
  #if !defined(_WIN32) || defined(__CYGWIN__)
      abort();
  #else
---- openssl-1.0.0e/crypto/err/err_all.c	2009-08-09 07:58:05.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/err/err_all.c	2011-12-13 05:22:01.205351400 -0800
+--- openssl-1.0.0e/crypto/err/err_all.c    2009-08-09 07:58:05.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/err/err_all.c    2011-12-13 05:22:01.205351400 -0800
 @@ -148,7 +148,9 @@
      ERR_load_X509V3_strings();
      ERR_load_PKCS12_strings();
@@ -123,14 +167,14 @@
      ERR_load_TS_strings();
  # ifndef OPENSSL_NO_ENGINE
      ERR_load_ENGINE_strings();
---- openssl-1.0.0e/crypto/evp/evp_key.c	2010-03-27 12:27:50.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/evp/evp_key.c	2011-12-13 05:19:32.956908600 -0800
+--- openssl-1.0.0e/crypto/evp/evp_key.c    2010-03-27 12:27:50.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/evp/evp_key.c    2011-12-13 05:19:32.956908600 -0800
 @@ -83,7 +83,7 @@
      else
          return (prompt_string);
  }
 -
-+#ifndef	_BOOT
++#ifndef    _BOOT
  /*
   * For historical reasons, the standard function for reading passwords is in
   * the DES library -- if someone ever wants to disable DES, this function
@@ -138,17 +182,17 @@
      OPENSSL_cleanse(buff, BUFSIZ);
      return ret;
  }
-+#endif	/* !_BOOT */
++#endif    /* !_BOOT */
  
  int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
                     const unsigned char *salt, const unsigned char *data,
---- openssl-1.0.0e/crypto/rand/rand_unix.c	2009-04-06 07:31:36.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c	2011-12-19 07:28:39.988944800 -0800
+--- openssl-1.0.0e/crypto/rand/rand_unix.c    2009-04-06 07:31:36.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/rand_unix.c    2011-12-19 07:28:39.988944800 -0800
 @@ -122,7 +122,11 @@
  # include <sys/time.h>
  # include <sys/times.h>
  # include <sys/stat.h>
-+#ifdef	_BOOT
++#ifdef    _BOOT
 +# include <sys/fcntl.h>
 +#else
  # include <fcntl.h>
@@ -216,7 +260,7 @@
      }
  #  endif
  
-+#ifndef	_BOOT
++#ifndef    _BOOT
      /* put in some default random data, we need more than just this */
      l = curr_pid;
      RAND_add(&l, sizeof(l), 0.0);
@@ -224,21 +268,21 @@
  
      l = time(NULL);
      RAND_add(&l, sizeof(l), 0.0);
-+#endif /* !_BOOT */	
++#endif /* !_BOOT */    
  
  #  if defined(OPENSSL_SYS_BEOS)
      {
---- openssl-1.0.0e/crypto/rand/randfile.c	2011-03-19 02:44:37.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/rand/randfile.c	2011-12-13 05:26:51.884824200 -0800
+--- openssl-1.0.0e/crypto/rand/randfile.c    2011-03-19 02:44:37.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/rand/randfile.c    2011-12-13 05:26:51.884824200 -0800
 @@ -57,9 +57,11 @@
   */
  
  /* We need to define this to get macros like S_IFBLK and S_IFCHR */
-+#ifndef	_BOOT
++#ifndef    _BOOT
  #if !defined(OPENSSL_SYS_VXWORKS)
  # define _XOPEN_SOURCE 500
  #endif
-+#endif	/* _BOOT */
++#endif    /* _BOOT */
  
  #include <errno.h>
  #include <stdio.h>
@@ -246,7 +290,7 @@
      return (ret);
  }
  
-+#ifndef	_BOOT
++#ifndef    _BOOT
  int RAND_write_file(const char *file)
  {
      unsigned char buf[BUFSIZE];
@@ -256,13 +300,13 @@
  }
 +
 +#endif /* _BOOT */
---- openssl-1.0.0e/crypto/x509v3/v3_utl.c	2009-07-27 14:08:53.000000000 -0700
-+++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c	2011-12-13 05:10:08.844191400 -0800
+--- openssl-1.0.0e/crypto/x509v3/v3_utl.c    2009-07-27 14:08:53.000000000 -0700
++++ openssl-1.0.0e_patched/crypto/x509v3/v3_utl.c    2011-12-13 05:10:08.844191400 -0800
 @@ -715,9 +715,50 @@
      }
  }
  
-+#if	defined(_BOOT)
++#if    defined(_BOOT)
 +/* This function was copied from bio/b_sock.c */
 +static int get_ip(const char *str, unsigned char ip[4])
 +{
@@ -302,10 +346,10 @@
  {
      int a0, a1, a2, a3;
 +
-+#if	defined(_BOOT)
-+	if (get_ip(in, v4) != 1)
-+		return 0;
-+#else	/* _BOOT */
++#if    defined(_BOOT)
++    if (get_ip(in, v4) != 1)
++        return 0;
++#else    /* _BOOT */
      if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
          return 0;
      if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
@@ -313,17 +357,17 @@
      v4[1] = a1;
      v4[2] = a2;
      v4[3] = a3;
-+#endif	/* _BOOT */
++#endif    /* _BOOT */
      return 1;
  }
 
---- openssl-1.0.0e/e_os.h	2011-12-19 04:17:51.631087400 -0800
-+++ openssl-1.0.0e_patched/e_os.h	2011-12-19 04:15:15.776668900 -0800
+--- openssl-1.0.0e/e_os.h    2011-12-19 04:17:51.631087400 -0800
++++ openssl-1.0.0e_patched/e_os.h    2011-12-19 04:15:15.776668900 -0800
 @@ -213,10 +213,19 @@
  #  define get_last_socket_error() errno
  #  define clear_socket_error()    errno=0
  #  define ioctlsocket(a,b,c)      ioctl(a,b,c)
-+#ifdef	_BOOT
++#ifdef    _BOOT
 +#include <netinet/in.h>
 +extern int socket_read(int, void *, size_t, int);
 +extern int socket_close(int);
@@ -342,7 +386,7 @@
 --- openssl-1.0.0e/crypto/sparcv9cap.c	2010-09-05 12:48:01.000000000 -0700
 +++ openssl-1.0.0e_patched/crypto/sparcv9cap.c	2011-12-23 05:24:02.011607700 -0800
 @@ -12,7 +12,11 @@
- #define SPARCV9_VIS2            (1<<3) /* reserved */
+ #define SPARCV9_VIS2            (1<<3) /* reserved */		
  #define SPARCV9_FMADD           (1<<4) /* reserved for SPARC64 V */
 
 +#ifndef        _BOOT
@@ -392,8 +436,8 @@
  .section	".init",#alloc,#execinstr
  	call	solaris_locking_setup
  	nop
-	call	OPENSSL_cpuid_setup
-	nop
+ 	call	OPENSSL_cpuid_setup
+ 	nop
 +#else
 +	nop
 +	nop
@@ -418,7 +462,7 @@
  
          p = s->s3->client_random;
 
-+#ifndef	_BOOT
++#ifndef    _BOOT
          if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
 +#else
 +        if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
@@ -432,7 +476,7 @@
           * Apparently we're using a version-flexible SSL_METHOD (not at its
           * highest protocol version).
           */
-+#ifndef	_BOOT
++#ifndef    _BOOT
          if (s->ctx->method->version == SSLv23_method()->version) {
 +#else
 +        if (s->ctx->method->version == TLS1_2_VERSION) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1/patches/41_uninitialized_ctx.patch	Wed Jun 10 11:25:02 2015 -0700
@@ -0,0 +1,13 @@
+#
+# This was developed in house. Upstream notified.
+#
+--- openssl-1.0.1m/crypto/evp/evp_enc.c.orig	Tue Jun  2 13:18:15 2015
++++ openssl-1.0.1m/crypto/evp/evp_enc.c	Tue Jun  2 13:19:19 2015
[email protected]@ -179,6 +179,7 @@
+                 EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
+                 return 0;
+             }
++	    (void) memset(ctx->cipher_data, 0, ctx->cipher->ctx_size);
+         } else {
+             ctx->cipher_data = NULL;
+         }