PSARC/2016/417 OpenSSL Elliptic Curve Cryptography
23058111 Enable Elliptic Curve Cryptography in OpenSSL
--- a/components/openssl/openssl-default/Makefile Wed Aug 31 15:55:51 2016 -0700
+++ b/components/openssl/openssl-default/Makefile Thu Sep 01 14:13:59 2016 -0700
@@ -90,9 +90,6 @@
# We use OpenSSL install code for installing only manual pages and we do that
# for 32-bit version only.
CONFIGURE_OPTIONS += --install_prefix=$(PROTO_DIR)
-CONFIGURE_OPTIONS += no-ec
-CONFIGURE_OPTIONS += no-ecdh
-CONFIGURE_OPTIONS += no-ecdsa
CONFIGURE_OPTIONS += no-rc3
CONFIGURE_OPTIONS += no-rc5
CONFIGURE_OPTIONS += no-md2
@@ -111,6 +108,9 @@
CONFIGURE_OPTIONS += no-hw_cswift
CONFIGURE_OPTIONS += no-seed
+# We don't ship GOST engine.
+CONFIGURE_OPTIONS += no-gost
+
# Disable SSLv2 and SSLv3 protocols
CONFIGURE_OPTIONS += no-ssl2 no-ssl2-method
CONFIGURE_OPTIONS += no-ssl3 no-ssl3-method
@@ -154,6 +154,7 @@
$(BUILD_DIR_WANBOOT)/.configured: CONFIGURE_OPTIONS += -DOPENSSL_NO_SRP
$(BUILD_DIR_WANBOOT)/.configured: CONFIGURE_OPTIONS += no-cast
$(BUILD_DIR_WANBOOT)/.configured: CONFIGURE_OPTIONS += no-dso
+$(BUILD_DIR_WANBOOT)/.configured: CONFIGURE_OPTIONS += no-ec
$(BUILD_DIR_WANBOOT)/.configured: CONFIGURE_OPTIONS += no-rc4
$(BUILD_DIR_WANBOOT)/.configured: CONFIGURE_OPTIONS += no-ripemd
$(BUILD_DIR_WANBOOT)/.configured: CONFIGURE_OPTIONS += no-hw
@@ -395,10 +396,10 @@
endif
# Set modified lint flags for our lint library targets.
-$(BUILD_DIR_32)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_32)
-$(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32)
-$(BUILD_DIR_64)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_64)
-$(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64)
+$(BUILD_DIR_32)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_32) -I$(PROTOUSRINCDIR)
+$(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32) -I$(PROTOUSRINCDIR)
+$(BUILD_DIR_64)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_64) -I$(PROTOUSRINCDIR)
+$(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64) -I$(PROTOUSRINCDIR)
# There are also separate STC test suites 'openssl' and 'openssl-engine'
# for regression testing. These internal tests are unit tests only.
--- a/components/openssl/openssl-default/files/openssl.7 Wed Aug 31 15:55:51 2016 -0700
+++ b/components/openssl/openssl-default/files/openssl.7 Thu Sep 01 14:13:59 2016 -0700
@@ -9,7 +9,7 @@
OpenSSL is a cryptography toolkit that implements the Transport Layer Security (TLS v1) network protocols. This version of OpenSSL no longer supports the Secure Sockets Layer (SSLv2/v3) network protocols.
.sp
.LP
-The following features are omitted from the binaries for issues including but not limited to patents, trademark, and US export restrictions: ECC, IDEA, MDC2, RC3, RC5, 4758_CCA Engine, AEP Engine, Atalla Engine, CHIL Engine, CSWIFT Engine, GMP Engine, NURON Engine, PadLock Engine, Sureware Engine, and UBSEC Engine.
+The following features are omitted from the binaries for issues including but not limited to patents, trademark, and US export restrictions: IDEA, MDC2, RC3, RC5, 4758_CCA Engine, AEP Engine, Atalla Engine, CAPI Engine, CHIL Engine, CSWIFT Engine, GMP Engine, GOST Engine, NURON Engine, PadLock Engine, Sureware Engine, and UBSEC Engine.
.SS "The Dynamic Engine Support"
.sp
.LP
--- a/components/openssl/openssl-default/llib-lcrypto Wed Aug 31 15:55:51 2016 -0700
+++ b/components/openssl/openssl-default/llib-lcrypto Thu Sep 01 14:13:59 2016 -0700
@@ -46,6 +46,9 @@
#include <openssl/dso.h>
#include <openssl/e_os2.h>
#include <openssl/ebcdic.h>
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/evp.h>
--- a/components/openssl/openssl-default/openssl-default.p5m Wed Aug 31 15:55:51 2016 -0700
+++ b/components/openssl/openssl-default/openssl-default.p5m Thu Sep 01 14:13:59 2016 -0700
@@ -178,6 +178,9 @@
file path=usr/include/openssl/dtls1.h
file path=usr/include/openssl/e_os2.h
file path=usr/include/openssl/ebcdic.h
+file path=usr/include/openssl/ec.h
+file path=usr/include/openssl/ecdh.h
+file path=usr/include/openssl/ecdsa.h
file path=usr/include/openssl/engine.h
file path=usr/include/openssl/err.h
file path=usr/include/openssl/evp.h
--- a/components/openssl/openssl-fips-140/Makefile Wed Aug 31 15:55:51 2016 -0700
+++ b/components/openssl/openssl-fips-140/Makefile Thu Sep 01 14:13:59 2016 -0700
@@ -90,7 +90,6 @@
# We use OpenSSL install code for installing only manual pages and we do that
# for 32-bit version only.
CONFIGURE_OPTIONS += --install_prefix=$(PROTO_DIR)
-CONFIGURE_OPTIONS += no-ec2m
CONFIGURE_OPTIONS += no-rc3
CONFIGURE_OPTIONS += no-rc5
CONFIGURE_OPTIONS += no-md2
@@ -167,10 +166,10 @@
COMPONENT_PRE_BUILD_ACTION = \
( $(LN) -fs $(COMPONENT_DIR)/../common/engines/pkcs11/* $(@D)/engines; \
$(MKDIR) $(@D)/bin; \
- $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fips.h $(@D)/include/openssl; \
- $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fipssyms.h $(@D)/include/openssl; \
- $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/rand/fips_rand.h $(@D)/include/openssl; \
- $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fipsld $(@D)/bin/; \
+ $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-$(IPS_COMPONENT_VERSION)/fips/fips.h $(@D)/include/openssl; \
+ $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-$(IPS_COMPONENT_VERSION)/fips/fipssyms.h $(@D)/include/openssl; \
+ $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-$(IPS_COMPONENT_VERSION)/fips/rand/fips_rand.h $(@D)/include/openssl; \
+ $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-$(IPS_COMPONENT_VERSION)/fips/fipsld $(@D)/bin/; \
$(LN) -fs $(OPENSSL_FIPS_DIR)/build/$(MACH$(BITS))/fips/fips_standalone_sha1 $(@D)/bin/; \
$(LN) -fs $(COMPONENT_DIR)/build/$(MACH$(BITS))/fips_premain_dso $(@D)/bin/;)
@@ -191,10 +190,10 @@
install: $(INSTALL_32_and_64)
# Set modified lint flags for our lint library targets.
-$(BUILD_DIR_32)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_32)
-$(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32)
-$(BUILD_DIR_64)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_64)
-$(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64)
+$(BUILD_DIR_32)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_32) -I$(PROTOUSRINCDIR)
+$(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32) -I$(PROTOUSRINCDIR)
+$(BUILD_DIR_64)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_64) -I$(PROTOUSRINCDIR)
+$(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64) -I$(PROTOUSRINCDIR)
# There are also separate STC test suites 'openssl' and 'openssl-engine'
# for regression testing. These internal tests are unit tests only.
--- a/components/openssl/openssl-fips-140/llib-lcrypto Wed Aug 31 15:55:51 2016 -0700
+++ b/components/openssl/openssl-fips-140/llib-lcrypto Thu Sep 01 14:13:59 2016 -0700
@@ -20,7 +20,7 @@
*/
/*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
*/
/* LINTLIBRARY */
@@ -42,6 +42,9 @@
#include <openssl/dso.h>
#include <openssl/e_os2.h>
#include <openssl/ebcdic.h>
+#include <openssl/ec.h>
+#include <openssl/ecdh.h>
+#include <openssl/ecdsa.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/evp.h>
--- a/components/openssl/openssl-fips/Makefile Wed Aug 31 15:55:51 2016 -0700
+++ b/components/openssl/openssl-fips/Makefile Thu Sep 01 14:13:59 2016 -0700
@@ -32,7 +32,7 @@
COMPONENT_NAME = openssl-fips
COMPONENT_VERSION = 2.0.12
-COMPONENT_SRC = $(COMPONENT_NAME)-ecp-$(COMPONENT_VERSION)
+COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
sha256:976b264835f7f30bf6545464158613ae5246d9d46913c1ba1534b9ef552dcc3b
@@ -71,7 +71,7 @@
# Note: COMPONENT_ARCHIVE_HASH is a SHA256 digest used by the Userland
# Consolidation to check the file integrity.
OPENSSL_FIPS_HMAC_KEY = etaonrishdlcupfm
-OPENSSL_FIPS_HMAC = 3da3e6d610378ad4b6ee2638a141c17cb3a2aabf
+OPENSSL_FIPS_HMAC = 86ec30179f1bfb2edde4ababf0fb519ba7380b69
# There is a broken link in the tarball which causes cp(1) to fail which would
# fail the whole configure process. It's safer to get rid of the link than
@@ -132,7 +132,7 @@
@echo Basic FIPS-140 mode verification passed.
$(TOUCH) $@
-test: $(NO_TESTS)
+test: $(NO_TESTS)
system-test: $(NO_TESTS)