21416447 Upgrade OpenSSL version to 1.0.1p s11-update
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Fri, 10 Jul 2015 14:15:09 -0700
branchs11-update
changeset 4626 d5dbb6652eec
parent 4625 18adb92d4193
child 4627 2101fdb9d9aa
21416447 Upgrade OpenSSL version to 1.0.1p 21416479 problem in LIBRARY/OPENSSL
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch
components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch
components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch
components/openssl/openssl-1.0.1-fips-140/patches/39_test.patch
components/openssl/openssl-1.0.1/Makefile
components/openssl/openssl-1.0.1/patches/18-compiler_opts.patch
components/openssl/openssl-1.0.1/patches/30_wanboot.patch
components/openssl/openssl-1.0.1/patches/33_cert_chain.patch
components/openssl/openssl-1.0.1/patches/39_internal_tests.patch
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Fri Jul 10 14:15:09 2015 -0700
@@ -32,18 +32,18 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.1o
+COMPONENT_VERSION =	1.0.1p
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+    sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			23126	
+TPNO=			23452
 
 # OpenSSL FIPS directory
 OPENSSL_FIPS_DIR = $(COMPONENT_DIR)/../openssl-fips
--- a/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -15,8 +15,8 @@
  my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
 @@ -257,6 +264,12 @@
  #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
- "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
-
+ "sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+ 
 +#### Solaris configs, used for OpenSSL as delivered by OpenSolaris
 +"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 +"solaris64-x86_64-cc-sunw","cc:-xO3 -m64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140/64:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR DES_PTR DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -25,4 +25,4 @@
 +
  #### IRIX 5.x configs
  # -mips2 flag is added by ./config when appropriate.
- "irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${mips32_asm}:o32:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "irix-gcc","gcc:-O3 -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${mips32_asm}:o32:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- a/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -22,11 +22,11 @@
 +static pthread_mutex_t *solaris_openssl_locks;
 +
  static void (MS_FAR *locking_callback) (int mode, int type,
-		                         const char *file, int line) = 0;
+                                         const char *file, int line) = 0;
  static int (MS_FAR *add_lock_callback) (int *pointer, int amount,
 @@ -373,7 +376,10 @@
  void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func)
-		                          (const char *file, int line))
+                                          (const char *file, int line))
  {
 -    dynlock_create_callback = func;
 +	/*
@@ -37,8 +37,8 @@
  
  void CRYPTO_set_dynlock_lock_callback(void (*func) (int mode,
 @@ -382,7 +388,10 @@
-		                                     const char *file,
-		                                     int line))
+                                                     const char *file,
+                                                     int line))
  {
 -    dynlock_lock_callback = func;
 +	/*
@@ -49,8 +49,8 @@
  
  void CRYPTO_set_dynlock_destroy_callback(void (*func)
 @@ -389,7 +398,10 @@
-		                           (struct CRYPTO_dynlock_value *l,
-		                            const char *file, int line))
+                                           (struct CRYPTO_dynlock_value *l,
+                                            const char *file, int line))
  {
 -    dynlock_destroy_callback = func;
 +	/*
@@ -186,7 +186,7 @@
 +}
 +
  void CRYPTO_set_locking_callback(void (*func) (int mode, int type,
-		                                const char *file, int line))
+                                                const char *file, int line))
  {
 @@ -410,7 +543,11 @@
       * started.
@@ -242,8 +242,8 @@
 --- openssl-1.0.1f/crypto/sparccpuid.S.~1~      Fri Feb  7 10:41:37 2014
 +++ openssl-1.0.1f/crypto/sparccpuid.S  Thu Feb  6 16:04:14 2014
 @@ -398,5 +398,7 @@
- .size  OPENSSL_cleanse,.-OPENSSL_cleanse
-
+ .size	OPENSSL_cleanse,.-OPENSSL_cleanse
+ 
  .section	".init",#alloc,#execinstr
 +	call	solaris_locking_setup
 +	nop
@@ -260,15 +260,15 @@
  .section	.init
 +	call	solaris_locking_setup
 	call	OPENSSL_cpuid_setup
-
+ 
  .hidden	OPENSSL_ia32cap_P
 --- openssl-1.0.1f/crypto/x86cpuid.pl.~1~       Wed Feb 12 13:38:03 2014
 +++ openssl-1.0.1f/crypto/x86cpuid.pl   Wed Feb 12 13:38:31 2014
 @@ -353,6 +353,7 @@
-	&ret    ();
+ 	&ret	();
  &function_end_B("OPENSSL_ia32_rdrand");
-
+ 
 +&initseg("solaris_locking_setup");
  &initseg("OPENSSL_cpuid_setup");
-
+ 
  &asm_finish();
--- a/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/33_cert_chain.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -61,10 +61,10 @@
 +
  int X509_verify_cert(X509_STORE_CTX *ctx)
  {
-     X509 *x, *xtmp, *chain_ss = NULL;
+     X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
 @@ -304,8 +331,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
- 
-     /* we now have our chain, lets check it... */
+         }
+     } while (retry);
  
 -    /* Is last certificate looked up self signed? */
 -    if (!ctx->check_issued(ctx, x, x)) {
@@ -184,9 +184,9 @@
 $ cvs diff -u -r1.67.2.3.4.1 -r1.67.2.3.4.2 x509_vfy.h
 --- openssl/crypto/x509/x509_vfy.h    26 Sep 2012 13:50:42 -0000    1.67.2.3.4.1
 +++ openssl/crypto/x509/x509_vfy.h    14 Dec 2012 14:30:46 -0000    1.67.2.3.4.2
[email protected]@ -406,6 +406,9 @@
- /* Check selfsigned CA signature */
- # define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
[email protected]@ -412,6 +412,9 @@
+  */
+ # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
  
 +/* Allow partial chains if at least one certificate is in trusted store */
 +# define X509_V_FLAG_PARTIAL_CHAIN               0x80000
--- a/components/openssl/openssl-1.0.1-fips-140/patches/39_test.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/39_test.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -12,6 +12,6 @@
  	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
 -	test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
 +	test_ss test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
- 	test_jpake test_srp test_cms test_heartbeat test_constant_time
+ 	test_jpake test_srp test_cms test_heartbeat test_constant_time test_verify_extra
  
  test_evp:
--- a/components/openssl/openssl-1.0.1/Makefile	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1/Makefile	Fri Jul 10 14:15:09 2015 -0700
@@ -28,20 +28,20 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.1o
+COMPONENT_VERSION =	1.0.1p
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.15
+IPS_COMPONENT_VERSION = 1.0.1.16
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+    sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
 
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			23126
+TPNO=			23452
 
 include $(WS_MAKE_RULES)/prep.mk
 include $(WS_MAKE_RULES)/configure.mk
--- a/components/openssl/openssl-1.0.1/patches/18-compiler_opts.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1/patches/18-compiler_opts.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -6,7 +6,7 @@
 +++ /tmp/Configure	Thu Feb 10 20:01:51 2011
 @@ -257,6 +257,20 @@
  #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
- "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+ "sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
  
 +#### Solaris configs, used for OpenSSL as delivered by S11.
 +"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -69,12 +69,12 @@
 
  static void
 @@ -453,6 +459,7 @@
- solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock,
+ solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
      const char *file, int line)
  {
 +#ifndef    _BOOT
      int        ret;
-
+ 
      if (mode & CRYPTO_LOCK) {
 @@ -462,6 +469,7 @@
      }
@@ -386,9 +386,9 @@
 --- openssl-1.0.0e/crypto/sparcv9cap.c	2010-09-05 12:48:01.000000000 -0700
 +++ openssl-1.0.0e_patched/crypto/sparcv9cap.c	2011-12-23 05:24:02.011607700 -0800
 @@ -12,7 +12,11 @@
- #define SPARCV9_VIS2            (1<<3) /* reserved */		
+ #define SPARCV9_VIS2            (1<<3) /* reserved */
  #define SPARCV9_FMADD           (1<<4) /* reserved for SPARC64 V */
-
+ 
 +#ifndef        _BOOT
  static int OPENSSL_sparcv9cap_P = SPARCV9_TICK_PRIVILEGED;
 +#else
--- a/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1/patches/33_cert_chain.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -61,10 +61,10 @@
 +
  int X509_verify_cert(X509_STORE_CTX *ctx)
  {
-     X509 *x, *xtmp, *chain_ss = NULL;
+     X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
 @@ -304,8 +331,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
- 
-     /* we now have our chain, lets check it... */
+         }
+     } while (retry);
  
 -    /* Is last certificate looked up self signed? */
 -    if (!ctx->check_issued(ctx, x, x)) {
@@ -184,9 +184,9 @@
 $ cvs diff -u -r1.67.2.3.4.1 -r1.67.2.3.4.2 x509_vfy.h
 --- openssl/crypto/x509/x509_vfy.h    26 Sep 2012 13:50:42 -0000    1.67.2.3.4.1
 +++ openssl/crypto/x509/x509_vfy.h    14 Dec 2012 14:30:46 -0000    1.67.2.3.4.2
[email protected]@ -406,6 +406,9 @@
- /* Check selfsigned CA signature */
- # define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
[email protected]@ -412,6 +412,9 @@
+  */
+ # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
  
 +/* Allow partial chains if at least one certificate is in trusted store */
 +# define X509_V_FLAG_PARTIAL_CHAIN               0x80000
--- a/components/openssl/openssl-1.0.1/patches/39_internal_tests.patch	Fri Jul 10 20:29:35 2015 +0000
+++ b/components/openssl/openssl-1.0.1/patches/39_internal_tests.patch	Fri Jul 10 14:15:09 2015 -0700
@@ -12,6 +12,6 @@
  	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
 -	test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
 +	test_ss test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
- 	test_jpake test_srp test_cms test_heartbeat test_constant_time
+ 	test_jpake test_srp test_cms test_heartbeat test_constant_time test_verify_extra
  
  test_evp: