PSARC/2014/077 OpenSSL Thread and Fork Safety
17822462 svc:/network/sendmail-client:default (sendmail SMTP client queue runner) core
18071490 OpenSSL: Update the package file with new TPNO number for OpenSSL 1.0.1f
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Wed Mar 26 13:50:24 2014 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.p5m Wed Mar 26 14:54:04 2014 -0700
@@ -34,8 +34,7 @@
set name=pkg.human-version value=$(COMPONENT_VERSION)
set name=com.oracle.info.description \
value="the FIPS 140-2 Capable OpenSSL libraries"
-# TPNO number for the new component is not yet available (bug #18071490)
-# set name=com.oracle.info.tpno value=
+set name=com.oracle.info.tpno value=16634
set name=info.classification value=org.opensolaris.category.2008:System/Security
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
--- a/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch Wed Mar 26 13:50:24 2014 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/18-compiler_opts.patch Wed Mar 26 14:54:04 2014 -0700
@@ -1,3 +1,6 @@
+#
+# Solaris-specific; not suitable for upstream
+#
diff -ruN openssl-0.9.8k/Configure openssl-0.9.8k/Configure
--- openssl-0.9.8k/Configure 2009-02-16 09:44:22.000000000 +0100
+++ openssl-0.9.8k/Configure 2009-06-25 16:19:22.897811727 +0200
@@ -17,7 +20,7 @@
+#### Solaris configs, used for OpenSSL as delivered by OpenSolaris
+"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-x86_64-cc-sunw","cc:-xO3 -m64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -lc -R /lib/openssl/fips-140/64:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR DES_PTR DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"solaris-sparcv8-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -lsoftcrypto -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"solaris-sparcv8-cc-sunw","cc:-xtarget=ultra -m32 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -lsoftcrypto -R /lib/openssl/fips-140:BN_LLONG RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-cc-sunw","cc:-xtarget=ultra -m64 -Qoption cg -xregs=no%appl -xO5 -xstrconst -xdepend -xspace -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -lc -lsoftcrypto -R /lib/openssl/fips-140/64:BN_LLONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-m64 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs::/64",
+
#### IRIX 5.x configs
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/29_fork_safe.patch Wed Mar 26 14:54:04 2014 -0700
@@ -0,0 +1,161 @@
+#
+# This file adds the code to setup internal mutexes and callback function.
+# PSARC/2014/077
+# This change was implemented in-house. The issue was brought up to
+# the upstream engineers, but there was no commitment.
+#
+--- openssl-1.0.1f/crypto/cryptlib.c.~1~ Fri Feb 7 10:41:36 2014
++++ openssl-1.0.1f/crypto/cryptlib.c Thu Feb 6 16:03:58 2014
+@@ -116,6 +116,7 @@
+
+ #include "cryptlib.h"
+ #include <openssl/safestack.h>
++#include <pthread.h>
+
+ #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
+ static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
+@@ -181,6 +182,7 @@
+ numbers. */
+ static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL;
+
++static pthread_mutex_t *solaris_openssl_locks;
+
+ static void (MS_FAR *locking_callback)(int mode,int type,
+ const char *file,int line)=0;
+@@ -406,6 +409,79 @@
+ return(add_lock_callback);
+ }
+
++/*
++ * This is the locking callback function which all applications will be
++ * using when CRYPTO_lock() is called.
++ */
++static void solaris_locking_callback(int mode, int type, const char *file,
++ int line)
++ {
++ if (mode & CRYPTO_LOCK)
++ {
++ pthread_mutex_lock(&solaris_openssl_locks[type]);
++ }
++ else
++ {
++ pthread_mutex_unlock(&solaris_openssl_locks[type]);
++ }
++ }
++
++
++/*
++ * This function is called when a child process is forked to setup its own
++ * global locking callback function ptr and mutexes.
++ */
++static void solaris_fork_child(void)
++ {
++ /*
++ * clear locking_callback to indicate that locks should
++ * be reinitialized.
++ */
++ locking_callback = NULL;
++ solaris_locking_setup();
++ }
++
++/*
++ * This function allocates and initializes the global mutex array, and
++ * sets the locking callback.
++ */
++void solaris_locking_setup()
++ {
++ int i;
++ int num_locks;
++
++ /* locking callback is already setup. Nothing to do */
++ if (locking_callback != NULL)
++ {
++ return;
++ }
++
++ /*
++ * Set atfork handler so that child can setup its own mutexes and
++ * locking callbacks when it is forked
++ */
++ (void) pthread_atfork(NULL, NULL, solaris_fork_child);
++
++ /* allocate locks needed by OpenSSL */
++ num_locks = CRYPTO_num_locks();
++ solaris_openssl_locks =
++ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
++ if (solaris_openssl_locks == NULL)
++ {
++ fprintf(stderr,
++ "solaris_locking_setup: memory allocation failure.\n");
++ abort();
++ }
++
++ /* initialize openssl mutexes */
++ for (i = 0; i < num_locks; i++)
++ {
++ pthread_mutex_init(&solaris_openssl_locks[i], NULL);
++ }
++ locking_callback = solaris_locking_callback;
++
++ }
++
+ void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+ const char *file,int line))
+ {
+@@ -413,7 +478,11 @@
+ * are started.
+ */
+ OPENSSL_init();
+- locking_callback=func;
++
++ /*
++ * we now setup our own locking callback and mutexes, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,int type,
+--- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014
++++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014
+@@ -104,6 +104,8 @@
+ void *OPENSSL_stderr(void);
+ extern int OPENSSL_NONPIC_relocated;
+
++void solaris_locking_setup();
++
+ #ifdef __cplusplus
+ }
+ #endif
+--- openssl-1.0.1f/crypto/sparccpuid.S.~1~ Fri Feb 7 10:41:37 2014
++++ openssl-1.0.1f/crypto/sparccpuid.S Thu Feb 6 16:04:14 2014
+@@ -398,5 +398,7 @@
+ .size OPENSSL_cleanse,.-OPENSSL_cleanse
+
+ .section ".init",#alloc,#execinstr
++ call solaris_locking_setup
++ nop
+ call OPENSSL_cpuid_setup
+ nop
+--- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~ Wed Feb 12 13:20:09 2014
++++ openssl-1.0.1f/crypto/x86_64cpuid.pl Wed Feb 12 13:21:20 2014
+@@ -20,7 +20,10 @@
+ print<<___;
+ .extern OPENSSL_cpuid_setup
+ .hidden OPENSSL_cpuid_setup
++.extern solaris_locking_setup
++.hidden solaris_locking_setup
+ .section .init
++ call solaris_locking_setup
+ call OPENSSL_cpuid_setup
+
+ .hidden OPENSSL_ia32cap_P
+--- openssl-1.0.1f/crypto/x86cpuid.pl.~1~ Wed Feb 12 13:38:03 2014
++++ openssl-1.0.1f/crypto/x86cpuid.pl Wed Feb 12 13:38:31 2014
+@@ -353,6 +353,7 @@
+ &ret ();
+ &function_end_B("OPENSSL_ia32_rdrand");
+
++&initseg("solaris_locking_setup");
+ &initseg("OPENSSL_cpuid_setup");
+
+ &asm_finish();
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Wed Mar 26 13:50:24 2014 -0700
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.p5m Wed Mar 26 14:54:04 2014 -0700
@@ -30,8 +30,7 @@
value="OpenSSL is a full-featured toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
set name=pkg.human-version value=$(COMPONENT_VERSION)
set name=com.oracle.info.description value=OpenSSL
-# TPNO number for the new component is not yet available (bug #18071490)
-# set name=com.oracle.info.tpno value=
+set name=com.oracle.info.tpno value=16634
set name=info.classification value=org.opensolaris.category.2008:System/Security
set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssl/openssl-1.0.1/patches/29_fork_safe.patch Wed Mar 26 14:54:04 2014 -0700
@@ -0,0 +1,161 @@
+#
+# This file adds the code to setup internal mutexes and callback function.
+# PSARC/2014/077
+# This change was implemented in-house. The issue was brought up to
+# the upstream engineers, but there was no commitment.
+#
+--- openssl-1.0.1f/crypto/cryptlib.c.~1~ Fri Feb 7 10:41:36 2014
++++ openssl-1.0.1f/crypto/cryptlib.c Thu Feb 6 16:03:58 2014
+@@ -116,6 +116,7 @@
+
+ #include "cryptlib.h"
+ #include <openssl/safestack.h>
++#include <pthread.h>
+
+ #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
+ static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
+@@ -181,6 +182,7 @@
+ numbers. */
+ static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL;
+
++static pthread_mutex_t *solaris_openssl_locks;
+
+ static void (MS_FAR *locking_callback)(int mode,int type,
+ const char *file,int line)=0;
+@@ -406,6 +409,79 @@
+ return(add_lock_callback);
+ }
+
++/*
++ * This is the locking callback function which all applications will be
++ * using when CRYPTO_lock() is called.
++ */
++static void solaris_locking_callback(int mode, int type, const char *file,
++ int line)
++ {
++ if (mode & CRYPTO_LOCK)
++ {
++ pthread_mutex_lock(&solaris_openssl_locks[type]);
++ }
++ else
++ {
++ pthread_mutex_unlock(&solaris_openssl_locks[type]);
++ }
++ }
++
++
++/*
++ * This function is called when a child process is forked to setup its own
++ * global locking callback function ptr and mutexes.
++ */
++static void solaris_fork_child(void)
++ {
++ /*
++ * clear locking_callback to indicate that locks should
++ * be reinitialized.
++ */
++ locking_callback = NULL;
++ solaris_locking_setup();
++ }
++
++/*
++ * This function allocates and initializes the global mutex array, and
++ * sets the locking callback.
++ */
++void solaris_locking_setup()
++ {
++ int i;
++ int num_locks;
++
++ /* locking callback is already setup. Nothing to do */
++ if (locking_callback != NULL)
++ {
++ return;
++ }
++
++ /*
++ * Set atfork handler so that child can setup its own mutexes and
++ * locking callbacks when it is forked
++ */
++ (void) pthread_atfork(NULL, NULL, solaris_fork_child);
++
++ /* allocate locks needed by OpenSSL */
++ num_locks = CRYPTO_num_locks();
++ solaris_openssl_locks =
++ OPENSSL_malloc(sizeof (pthread_mutex_t) * num_locks);
++ if (solaris_openssl_locks == NULL)
++ {
++ fprintf(stderr,
++ "solaris_locking_setup: memory allocation failure.\n");
++ abort();
++ }
++
++ /* initialize openssl mutexes */
++ for (i = 0; i < num_locks; i++)
++ {
++ pthread_mutex_init(&solaris_openssl_locks[i], NULL);
++ }
++ locking_callback = solaris_locking_callback;
++
++ }
++
+ void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+ const char *file,int line))
+ {
+@@ -413,7 +478,11 @@
+ * are started.
+ */
+ OPENSSL_init();
+- locking_callback=func;
++
++ /*
++ * we now setup our own locking callback and mutexes, and disallow
++ * setting of another locking callback.
++ */
+ }
+
+ void CRYPTO_set_add_lock_callback(int (*func)(int *num,int mount,int type,
+--- openssl-1.0.1f/crypto/cryptlib.h.~1~ Fri Feb 7 10:41:42 2014
++++ openssl-1.0.1f/crypto/cryptlib.h Thu Feb 6 16:04:16 2014
+@@ -104,6 +104,8 @@
+ void *OPENSSL_stderr(void);
+ extern int OPENSSL_NONPIC_relocated;
+
++void solaris_locking_setup();
++
+ #ifdef __cplusplus
+ }
+ #endif
+--- openssl-1.0.1f/crypto/sparccpuid.S.~1~ Fri Feb 7 10:41:37 2014
++++ openssl-1.0.1f/crypto/sparccpuid.S Thu Feb 6 16:04:14 2014
+@@ -398,5 +398,7 @@
+ .size OPENSSL_cleanse,.-OPENSSL_cleanse
+
+ .section ".init",#alloc,#execinstr
++ call solaris_locking_setup
++ nop
+ call OPENSSL_cpuid_setup
+ nop
+--- openssl-1.0.1f/crypto/x86_64cpuid.pl.~1~ Wed Feb 12 13:20:09 2014
++++ openssl-1.0.1f/crypto/x86_64cpuid.pl Wed Feb 12 13:21:20 2014
+@@ -20,7 +20,10 @@
+ print<<___;
+ .extern OPENSSL_cpuid_setup
+ .hidden OPENSSL_cpuid_setup
++.extern solaris_locking_setup
++.hidden solaris_locking_setup
+ .section .init
++ call solaris_locking_setup
+ call OPENSSL_cpuid_setup
+
+ .hidden OPENSSL_ia32cap_P
+--- openssl-1.0.1f/crypto/x86cpuid.pl.~1~ Wed Feb 12 13:38:03 2014
++++ openssl-1.0.1f/crypto/x86cpuid.pl Wed Feb 12 13:38:31 2014
+@@ -353,6 +353,7 @@
+ &ret ();
+ &function_end_B("OPENSSL_ia32_rdrand");
+
++&initseg("solaris_locking_setup");
+ &initseg("OPENSSL_cpuid_setup");
+
+ &asm_finish();
--- a/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Wed Mar 26 13:50:24 2014 -0700
+++ b/components/openssl/openssl-1.0.1/patches/30_wanboot.patch Wed Mar 26 14:54:04 2014 -0700
@@ -1,3 +1,7 @@
+#
+# This patch file makes the changes neccessary to build wanboot-openssl.o
+# binary. This is Solaris-specific: not suitable for upstream.
+#
--- openssl-1.0.0g/Makefile.org 2010-01-27 08:06:58.000000000 -0800
+++ openssl-1.0.0g-1/Makefile.org 2012-03-26 03:04:08.440194448 -0700
@@ -138,7 +138,13 @@
@@ -32,7 +36,45 @@
--- openssl-1.0.0e/crypto/cryptlib.c 2011-06-22 08:39:00.000000000 -0700
+++ openssl-1.0.0e_patched/crypto/cryptlib.c 2011-12-12 06:17:45.422476900 -0800
-@@ -900,6 +900,10 @@
+@@ -415,6 +415,7 @@
+ static void solaris_locking_callback(int mode, int type, const char *file,
+ int line)
+ {
++#ifndef _BOOT
+ if (mode & CRYPTO_LOCK)
+ {
+ pthread_mutex_lock(&solaris_openssl_locks[type]);
+@@ -423,6 +424,7 @@
+ {
+ pthread_mutex_unlock(&solaris_openssl_locks[type]);
+ }
++#endif
+ }
+
+
+@@ -456,6 +458,12 @@
+ }
+
+ /*
++ * pthread_* can't be used in wanboot.
++ * wanboot needs not be thread-safe and mutexes and locking callback
++ * function will not be setup for wanboot.
++ */
++#ifndef _BOOT
++ /*
+ * Set atfork handler so that child can setup its own mutexes and
+ * locking callbacks when it is forked
+ */
+@@ -478,7 +486,7 @@
+ pthread_mutex_init(&solaris_openssl_locks[i], NULL);
+ }
+ locking_callback = solaris_locking_callback;
+-
++#endif
+ }
+
+ void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+@@ -979,6 +979,10 @@
MessageBox (NULL,buf,_T("OpenSSL: FATAL"),MB_OK|MB_ICONSTOP);
}
#else
@@ -43,7 +85,7 @@
void OPENSSL_showfatal (const char *fmta,...)
{ va_list ap;
-@@ -907,14 +911,21 @@
+@@ -986,14 +990,21 @@
vfprintf (stderr,fmta,ap);
va_end (ap);
}
@@ -325,12 +367,14 @@
*/
--- openssl-1.0.0e/crypto/sparccpuid.S 2010-09-05 12:48:01.000000000 -0700
+++ openssl-1.0.0e_patched/crypto/sparccpuid.S 2012-02-13 07:42:58.259478325 -0800
-@@ -397,6 +397,11 @@
+@@ -397,8 +397,13 @@
.type OPENSSL_cleanse,#function
.size OPENSSL_cleanse,.-OPENSSL_cleanse
+#ifndef _BOOT
.section ".init",#alloc,#execinstr
+ call solaris_locking_setup
+ nop
call OPENSSL_cpuid_setup
nop
+#else
--- a/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Wed Mar 26 13:50:24 2014 -0700
+++ b/components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch Wed Mar 26 14:54:04 2014 -0700
@@ -1,5 +1,6 @@
#
# This file adds inline T4 instruction support to OpenSSL upstream code.
+# The change was brought in from OpenSSL 1.0.2.
#
Index: Configure
===================================================================
@@ -204,7 +205,7 @@
+.size _sparcv9_vis1_instrument_bus2,.-_sparcv9_vis1_instrument_bus2
+
.section ".init",#alloc,#execinstr
- call OPENSSL_cpuid_setup
+ call solaris_locking_setup
nop
Index: crypto/sparcv9cap.c
===================================================================