--- a/components/openssl/README Fri Jun 20 09:46:39 2014 -0700
+++ b/components/openssl/README Fri Jun 20 10:41:46 2014 -0700
@@ -131,6 +131,9 @@
For instructions in sparcv9cap.c, remove if not supported on any platforms.
Otherwise modify them to call getisax() to check for HW capability instead.
+39_parfait_fixes.patch
+Fixes errors found by parfait in openssl.
+
The fips Build
---
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Fri Jun 20 09:46:39 2014 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Fri Jun 20 10:41:46 2014 -0700
@@ -27,6 +27,8 @@
# change of action type. It should be removed once non-FIPS version becomes
# available in the reference repository
set name=pkg.linted.pkglint.dupaction010.1 value=true
+set name=pkg.linted.pkglint.dupaction001.1 value=true
+set name=pkg.linted.pkglint.dupaction010.2 value=true
set name=pkg.fmri \
value=pkg:/library/security/openssl/openssl-fips-140@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
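Review bot: The two added `pkg.linted` lines suppress pkglint checks `dupaction001.1` and `dupaction010.2` without saying why. The comment above them starts outside this hunk, and the visible part only mentions a change of action type and a removal condition. Because these entries silence duplicate-action detection for a security library package, the comment should name which actions collide for each new id and say whether the same removal condition applies. Otherwise the suppressions are likely to stay in place after the non-FIPS version becomes available and could hide a genuine duplicate later.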
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/39_parfait_fixes.patch Fri Jun 20 10:41:46 2014 -0700
@@ -0,0 +1,66 @@
+# This patch was developed in-house
+# Patch submitted to upstream
+--- openssl-1.0.1h/crypto/ocsp/ocsp_ht.c.~1~ Tue Jun 10 12:56:08 2014
++++ openssl-1.0.1h/crypto/ocsp/ocsp_ht.c Tue Jun 10 12:55:30 2014
+@@ -158,8 +158,15 @@
+
+ OCSP_REQ_CTX *rctx;
+ rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
++ if (!rctx)
++ return 0;
+ rctx->state = OHS_ERROR;
+ rctx->mem = BIO_new(BIO_s_mem());
++ if (!rctx->mem)
++ {
++ OCSP_REQ_CTX_free(rctx);
++ return 0;
++ }
+ rctx->io = io;
+ rctx->asn1_len = 0;
+ if (maxline > 0)
+@@ -168,15 +175,24 @@
+ rctx->iobuflen = OCSP_MAX_LINE_LEN;
+ rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
+ if (!rctx->iobuf)
++ {
++ OCSP_REQ_CTX_free(rctx);
+ return 0;
++ }
+ if (!path)
+ path = "/";
+
+ if (BIO_printf(rctx->mem, post_hdr, path) <= 0)
++ {
++ OCSP_REQ_CTX_free(rctx);
+ return 0;
++ }
+
+ if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
++ {
++ OCSP_REQ_CTX_free(rctx);
+ return 0;
++ }
+
+ return rctx;
+ }
+@@ -490,6 +506,9 @@
+
+ ctx = OCSP_sendreq_new(b, path, req, -1);
+
++ if (!ctx)
++ return NULL;
++
+ do
+ {
+ rv = OCSP_sendreq_nbio(&resp, ctx);
+--- openssl-1.0.1h/ssl/d1_both.c.~1~ Tue Jun 3 14:16:25 2014
++++ openssl-1.0.1h/ssl/d1_both.c Tue Jun 3 14:17:26 2014
+@@ -1172,6 +1172,8 @@
+
+ frag = dtls1_hm_fragment_new(s->init_num, 0);
+
++ if (!frag)
++ return 0;
+ memcpy(frag->fragment, s->init_buf->data, s->init_num);
+
+ if ( is_ccs)
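Review bot: In the embedded ocsp_ht.c hunk at -158, the new `if (!rctx->mem)` branch calls `OCSP_REQ_CTX_free(rctx)` when only `state` and `mem` have been assigned, so `rctx->iobuf` is still uninitialized memory from `OPENSSL_malloc`. `OCSP_REQ_CTX_free` is not shown on this page, but the later error paths rely on it to release `iobuf`, in which case this branch would free an uninitialized pointer. Either add `rctx->iobuf = NULL;` right after the `if (!rctx)` check, or use plain `OPENSSL_free(rctx);` in that one branch. The same patch is added unchanged under components/openssl/openssl-1.0.1/patches/, so both copies need the change. The enclosing function starts outside the embedded hunk, so check there that no other field read by the free routine is left unset.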
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1/patches/39_parfait_fixes.patch Fri Jun 20 10:41:46 2014 -0700
@@ -0,0 +1,66 @@
+# This patch was developed in-house
+# Patch submitted to upstream
+--- openssl-1.0.1h/crypto/ocsp/ocsp_ht.c.~1~ Tue Jun 10 12:56:08 2014
++++ openssl-1.0.1h/crypto/ocsp/ocsp_ht.c Tue Jun 10 12:55:30 2014
+@@ -158,8 +158,15 @@
+
+ OCSP_REQ_CTX *rctx;
+ rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
++ if (!rctx)
++ return 0;
+ rctx->state = OHS_ERROR;
+ rctx->mem = BIO_new(BIO_s_mem());
++ if (!rctx->mem)
++ {
++ OCSP_REQ_CTX_free(rctx);
++ return 0;
++ }
+ rctx->io = io;
+ rctx->asn1_len = 0;
+ if (maxline > 0)
+@@ -168,15 +175,24 @@
+ rctx->iobuflen = OCSP_MAX_LINE_LEN;
+ rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
+ if (!rctx->iobuf)
++ {
++ OCSP_REQ_CTX_free(rctx);
+ return 0;
++ }
+ if (!path)
+ path = "/";
+
+ if (BIO_printf(rctx->mem, post_hdr, path) <= 0)
++ {
++ OCSP_REQ_CTX_free(rctx);
+ return 0;
++ }
+
+ if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
++ {
++ OCSP_REQ_CTX_free(rctx);
+ return 0;
++ }
+
+ return rctx;
+ }
+@@ -490,6 +506,9 @@
+
+ ctx = OCSP_sendreq_new(b, path, req, -1);
+
++ if (!ctx)
++ return NULL;
++
+ do
+ {
+ rv = OCSP_sendreq_nbio(&resp, ctx);
+--- openssl-1.0.1h/ssl/d1_both.c.~1~ Thu May 29 13:07:00 2014
++++ openssl-1.0.1h/ssl/d1_both.c Thu May 29 13:07:45 2014
+@@ -1172,6 +1172,8 @@
+
+ frag = dtls1_hm_fragment_new(s->init_num, 0);
+
++ if (!frag)
++ return 0;
+ memcpy(frag->fragment, s->init_buf->data, s->init_num);
+
+ if ( is_ccs)