24703781 Upgrade OpenSSL version to 1.0.2i
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Fri, 23 Sep 2016 12:03:45 -0700
changeset 6964 c3b11711b2b9
parent 6963 78a1c83a7df1
child 6965 beaa97be01e8
24703781 Upgrade OpenSSL version to 1.0.2i 24703800 problem in LIBRARY/OPENSSL 24703856 problem in LIBRARY/OPENSSL 24703866 problem in LIBRARY/OPENSSL 24703911 problem in LIBRARY/OPENSSL 24703934 problem in LIBRARY/OPENSSL 24703939 problem in LIBRARY/OPENSSL
components/openssl/common/patches/039-internal_tests.patch
components/openssl/common/patches/041_rm_sslv2_v3.patch
components/openssl/common/patches/047-CVE-2016-2177.patch
components/openssl/common/patches/048-CVE-2016-2178.patch
components/openssl/common/patches/049-use-srln.patch
components/openssl/common/patches/052-CVE-2016-6302.patch
components/openssl/common/patches/053-large-crl.patch
components/openssl/openssl-default/Makefile
components/openssl/openssl-default/openssl-default.license
components/openssl/openssl-default/patches/102-wanboot.patch
components/openssl/openssl-fips-140/Makefile
components/openssl/openssl-fips-140/openssl-fips-140.license
components/openssl/openssl-fips-140/patches/203-multi-definition.patch
--- a/components/openssl/common/patches/039-internal_tests.patch	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/common/patches/039-internal_tests.patch	Fri Sep 23 12:03:45 2016 -0700
@@ -6,12 +6,12 @@
 #
 --- a/test/Makefile.orig	Thu Apr  2 12:11:12 2015
 +++ b/test/Makefile	Thu Apr  2 12:11:21 2015
[email protected]@ -146,7 +146,7 @@
[email protected]@ -156,7 +156,7 @@
  	test_rand test_bn test_ec test_ecdsa test_ecdh \
  	test_enc test_x509 test_rsa test_crl test_sid \
  	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
 -	test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
 +	test_ss test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
  	test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \
- 	test_constant_time test_verify_extra test_clienthello
- 
+ 	test_constant_time test_verify_extra test_clienthello test_sslv2conftest \
+ 	test_dtls test_bad_dtls
--- a/components/openssl/common/patches/041_rm_sslv2_v3.patch	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/common/patches/041_rm_sslv2_v3.patch	Fri Sep 23 12:03:45 2016 -0700
@@ -1,54 +1,6 @@
 #
 # This was developed in house.  Not applicable to the upstream.
 #
---- openssl-1.0.1/ssl/s2_meth.c      Fri May  8 09:38:33 2015
-+++ openssl-1.0.1/ssl/s2_meth.c.new       Fri May  8 09:51:53 2015
[email protected]@ -74,6 +74,13 @@
-                          ssl2_accept, ssl2_connect, ssl2_get_method)
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_method(void)
-+{
-+       return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
---- openssl-1.0.1/ssl/s2_clnt.c      Fri May  8 09:37:51 2015
-+++ openssl-1.0.1/ssl/s2_clnt.c.new       Fri May  8 09:53:12 2015
[email protected]@ -1087,6 +1087,13 @@
- }
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_client_method(void)
-+{
-+       return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
---- openssl-1.0.1/ssl/s2_srvr.c      Fri May  8 09:38:02 2015
-+++ openssl-1.0.1/ssl/s2_srvr.c.new       Fri May  8 09:53:43 2015
[email protected]@ -1148,6 +1148,13 @@
- }
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_server_method(void)
-+{
-+        return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
 --- openssl-1.0.1/ssl/ssl.h	Tue May 26 11:13:15 2015
 +++ openssl-1.0.1/ssl/ssl.h.new	Tue May 26 11:32:09 2015
 @@ -2345,10 +2345,23 @@
--- a/components/openssl/common/patches/047-CVE-2016-2177.patch	Fri Sep 23 08:18:05 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,237 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
[email protected]@ -989,7 +989,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
--        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
[email protected]@ -1007,7 +1007,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
--    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
[email protected]@ -1063,14 +1063,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (SSL_IS_DTLS(s)) {
-         /* cookie stuff */
--        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
--        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
[email protected]@ -1140,7 +1140,7 @@ int ssl3_get_client_hello(SSL *s)
-         }
-     }
- 
--    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
[email protected]@ -1154,7 +1154,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
--    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
[email protected]@ -1220,7 +1220,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
--    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
[email protected]@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
--    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
[email protected]@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
--    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
--    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
[email protected]@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
--    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
[email protected]@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
--        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
[email protected]@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
--        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
[email protected]@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
--    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
--    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
--    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
[email protected]@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
-     if (s->hit || s->cert->srv_ext.meths_count == 0)
-         return 1;
- 
--    if (data >= limit - 2)
-+    if (limit - data <= 2)
-         return 1;
-     n2s(data, len);
- 
--    if (data > limit - len)
-+    if (limit - data < len)
-         return 1;
- 
--    while (data <= limit - 4) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > limit)
-+        if (limit - data < size)
-             return 1;
-         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
-             return 0;
[email protected]@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
--    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
--    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
--    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
[email protected]@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (SSL_IS_DTLS(s)) {
-         i = *(p++);
--        p += i;
--        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
--    p += i;
--    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
--    p += i;
--    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
--    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
--    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
--        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
--- a/components/openssl/common/patches/048-CVE-2016-2178.patch	Fri Sep 23 08:18:05 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/crypto/dsa/dsa_ossl.c	2016-06-20 08:06:46.793733045 -0700
-+++ b/crypto/dsa/dsa_ossl.c	2016-06-20 08:07:42.133601060 -0700
[email protected]@ -248,9 +248,6 @@
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
-     while (BN_is_zero(&k)) ;
--    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
--        BN_set_flags(&k, BN_FLG_CONSTTIME);
--    }
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
[email protected]@ -282,6 +279,11 @@
-     } else {
-         K = &k;
-     }
-+
-+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+        BN_set_flags(K, BN_FLG_CONSTTIME);
-+    }
-+
-     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                    dsa->method_mont_p);
-     if (!BN_mod(r, r, dsa->q, ctx))
--- a/components/openssl/common/patches/049-use-srln.patch	Fri Sep 23 08:18:05 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,86 +0,0 @@
-# This patch fixes the invalid use of 64-bit instruction (srlx) by 32-bit
-# applications.  This patch is from the following commit in the upstream:
-#    https://github.com/openssl/openssl/commit/f198cc43a0eca4bf1a8e7f60c51af560f4346dc8
---- a/crypto/des/asm/dest4-sparcv9.pl	2016-08-04 14:20:26.610683970 -0700
-+++ b/crypto/des/asm/dest4-sparcv9.pl	2016-08-04 14:22:33.339076315 -0700
[email protected]@ -96,7 +96,7 @@
- des_t4_cbc_encrypt:
- 	cmp		$len, 0
- 	be,pn		$::size_t_cc, .Lcbc_abort
--	nop
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 	ld		[$ivec + 0], %f0	! load ivec
- 	ld		[$ivec + 4], %f1
- 
[email protected]@ -197,7 +197,7 @@
- des_t4_cbc_decrypt:
- 	cmp		$len, 0
- 	be,pn		$::size_t_cc, .Lcbc_abort
--	nop
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 	ld		[$ivec + 0], %f2	! load ivec
- 	ld		[$ivec + 4], %f3
- 
[email protected]@ -305,7 +305,7 @@
- des_t4_ede3_cbc_encrypt:
- 	cmp		$len, 0
- 	be,pn		$::size_t_cc, .Lcbc_abort
--	nop
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 	ld		[$ivec + 0], %f0	! load ivec
- 	ld		[$ivec + 4], %f1
- 
[email protected]@ -457,7 +457,7 @@
- des_t4_ede3_cbc_decrypt:
- 	cmp		$len, 0
- 	be,pn		$::size_t_cc, .Lcbc_abort
--	nop
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 	ld		[$ivec + 0], %f2	! load ivec
- 	ld		[$ivec + 4], %f3
- 
---- a/crypto/modes/asm/ghash-sparcv9.pl	2016-08-04 14:22:59.021798885 -0700
-+++ b/crypto/modes/asm/ghash-sparcv9.pl	2016-08-04 14:24:07.947062045 -0700
[email protected]@ -445,6 +445,8 @@
- .align	32
- gcm_ghash_vis3:
- 	save	%sp,-$frame,%sp
-+	nop
-+	srl	$len,0,$len		! needed on v8+, "nop" on v9
- 
- 	ldx	[$Xip+8],$C2		! load Xi
- 	ldx	[$Xip+0],$C3
---- a/crypto/perlasm/sparcv9_modes.pl	2016-08-04 14:24:29.877624460 -0700
-+++ b/crypto/perlasm/sparcv9_modes.pl	2016-08-04 14:27:18.552931245 -0700
[email protected]@ -37,6 +37,7 @@
- 	save		%sp, -$::frame, %sp
- 	cmp		$len, 0
- 	be,pn		$::size_t_cc, .L${bits}_cbc_enc_abort
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 	sub		$inp, $out, $blk_init	! $inp!=$out
- ___
- $::code.=<<___ if (!$::evp);
[email protected]@ -254,6 +255,7 @@
- 	save		%sp, -$::frame, %sp
- 	cmp		$len, 0
- 	be,pn		$::size_t_cc, .L${bits}_cbc_dec_abort
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 	sub		$inp, $out, $blk_init	! $inp!=$out
- ___
- $::code.=<<___ if (!$::evp);
[email protected]@ -613,6 +615,7 @@
- .align	32
- ${alg}${bits}_t4_ctr32_encrypt:
- 	save		%sp, -$::frame, %sp
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 
- 	prefetch	[$inp], 20
- 	prefetch	[$inp + 63], 20
[email protected]@ -916,6 +919,7 @@
- .align	32
- ${alg}${bits}_t4_xts_${dir}crypt:
- 	save		%sp, -$::frame-16, %sp
-+	srln		$len, 0, $len		! needed on v8+, "nop" on v9
- 
- 	mov		$ivec, %o0
- 	add		%fp, $::bias-16, %o1
--- a/components/openssl/common/patches/052-CVE-2016-6302.patch	Fri Sep 23 08:18:05 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://github.com/openssl/openssl/commit/baaabfd8fdcec04a691695fad9a664bea43202b6
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
[email protected]@ -3401,9 +3401,7 @@
-     HMAC_CTX hctx;
-     EVP_CIPHER_CTX ctx;
-     SSL_CTX *tctx = s->initial_ctx;
--    /* Need at least keyname + iv + some encrypted data */
--    if (eticklen < 48)
--        return 2;
-+
-     /* Initialize session ticket encryption and HMAC contexts */
-     HMAC_CTX_init(&hctx);
-     EVP_CIPHER_CTX_init(&ctx);
[email protected]@ -3437,6 +3435,12 @@
-     if (mlen < 0) {
-         goto err;
-     }
-+    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-+    if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
-+        HMAC_CTX_cleanup(&hctx);
-+        EVP_CIPHER_CTX_cleanup(&ctx);
-+        return 2;
-+    }
-     eticklen -= mlen;
-     /* Check HMAC of encrypted ticket */
-     if (HMAC_Update(&hctx, etick, eticklen) <= 0
--- a/components/openssl/common/patches/053-large-crl.patch	Fri Sep 23 08:18:05 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://github.com/openssl/openssl/commit/a1eef756cc1948e
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/crypto/asn1/x_name.c
-+++ b/crypto/asn1/x_name.c
[email protected]@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
-     int i, j, ret;
-     STACK_OF(X509_NAME_ENTRY) *entries;
-     X509_NAME_ENTRY *entry;
--    if (len > X509_NAME_MAX) {
--        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
--        return 0;
--    }
-+    if (len > X509_NAME_MAX)
-+        len = X509_NAME_MAX;
-     q = p;
- 
-     /* Get internal representation of Name */
--- a/components/openssl/openssl-default/Makefile	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/openssl-default/Makefile	Fri Sep 23 12:03:45 2016 -0700
@@ -30,19 +30,19 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.2h
+COMPONENT_VERSION =	1.0.2i
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.2.8
+IPS_COMPONENT_VERSION = 1.0.2.9
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919
+    sha256:9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			28137
+TPNO=			31795
 
 # Clone the patch files to the patches-all dir.
 # COPY_COMMON_FILES is there so that rsync is called as soon as
@@ -112,7 +112,7 @@
 CONFIGURE_OPTIONS += no-gost
 
 # Disable SSLv2 and SSLv3 protocols
-CONFIGURE_OPTIONS += no-ssl2 no-ssl2-method
+CONFIGURE_OPTIONS += no-ssl2
 CONFIGURE_OPTIONS += no-ssl3 no-ssl3-method
 
 # We use both no-whirlpool and no-whrlpool since there is an inconsistency in
--- a/components/openssl/openssl-default/openssl-default.license	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/openssl-default/openssl-default.license	Fri Sep 23 12:03:45 2016 -0700
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
--- a/components/openssl/openssl-default/patches/102-wanboot.patch	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/openssl-default/patches/102-wanboot.patch	Fri Sep 23 12:03:45 2016 -0700
@@ -298,18 +298,6 @@
      {
 --- openssl-1.0.0e/crypto/rand/randfile.c    2011-03-19 02:44:37.000000000 -0700
 +++ openssl-1.0.0e_patched/crypto/rand/randfile.c    2011-12-13 05:26:51.884824200 -0800
[email protected]@ -57,9 +57,11 @@
-  */
- 
- /* We need to define this to get macros like S_IFBLK and S_IFCHR */
-+#ifndef    _BOOT
- #if !defined(OPENSSL_SYS_VXWORKS)
- # define _XOPEN_SOURCE 500
- #endif
-+#endif    /* _BOOT */
- 
- #include <errno.h>
- #include <stdio.h>
 @@ -191,6 +193,7 @@
      return (ret);
  }
@@ -459,8 +447,8 @@
 
 +#ifndef _BOOT
  .global	_sparcv9_vis1_instrument_bus
+ .weak	_sparcv9_vis1_instrument_bus
  .align	8
- _sparcv9_vis1_instrument_bus:
 @@ -501,3 +502,7 @@
  	nop
  	call	OPENSSL_cpuid_setup
--- a/components/openssl/openssl-fips-140/Makefile	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/openssl-fips-140/Makefile	Fri Sep 23 12:03:45 2016 -0700
@@ -35,18 +35,18 @@
 # is the FIPS module version. The COMPONENT_VERSION changes with the core
 # OpenSSL version, but the IPS_COMPONENT_VERSION is purposely only to change if
 # the FIPS module version changes.
-COMPONENT_VERSION =	1.0.2h
+COMPONENT_VERSION =	1.0.2i
 IPS_COMPONENT_VERSION = 2.0.12
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919
+    sha256:9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			28137
+TPNO=			31795
 
 # Clone the patch files to the patches-all dir.
 # COPY_COMMON_FILES is there so that rsync is called as soon as
@@ -113,7 +113,7 @@
 CONFIGURE_OPTIONS += no-seed
 
 # Disable SSLv2 and SSLv3 protocols
-CONFIGURE_OPTIONS += no-ssl2 no-ssl2-method
+CONFIGURE_OPTIONS += no-ssl2
 CONFIGURE_OPTIONS += no-ssl3 no-ssl3-method
 
 # We define our own compiler and linker option sets for Solaris. See Configure
--- a/components/openssl/openssl-fips-140/openssl-fips-140.license	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/openssl-fips-140/openssl-fips-140.license	Fri Sep 23 12:03:45 2016 -0700
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
--- a/components/openssl/openssl-fips-140/patches/203-multi-definition.patch	Fri Sep 23 08:18:05 2016 -0700
+++ b/components/openssl/openssl-fips-140/patches/203-multi-definition.patch	Fri Sep 23 12:03:45 2016 -0700
@@ -4,15 +4,15 @@
 #
 --- openssl-0.9.8m/crypto/sparccpuid.S       Mon Jun 29 19:28:02 2015
 +++ openssl-0.9.8m/crypto/sparccpuid.S       Mon Jun 29 19:28:02 2015
[email protected]@ -400,6 +400,8 @@
[email protected]@ -428,6 +428,8 @@
  .type	OPENSSL_cleanse,#function
  .size	OPENSSL_cleanse,.-OPENSSL_cleanse
 
 +
 +#if 0
  .global	_sparcv9_vis1_instrument_bus
+ .weak	_sparcv9_vis1_instrument_bus
  .align	8
- _sparcv9_vis1_instrument_bus:
 @@ -496,6 +498,8 @@
  .type	_sparcv9_vis1_instrument_bus2,#function
  .size	_sparcv9_vis1_instrument_bus2,.-_sparcv9_vis1_instrument_bus2