21416447 Upgrade OpenSSL version to 1.0.1p
authorMisaki Miyashita <Misaki.Miyashita@Oracle.COM>
Fri, 10 Jul 2015 06:49:44 -0700
changeset 4616 eeaf5255cb21
parent 4613 9c99af0be85c
child 4623 02fd00d17535
21416447 Upgrade OpenSSL version to 1.0.1p 21416479 problem in LIBRARY/OPENSSL
components/openssl/common/patches/018-compiler_opts.patch
components/openssl/common/patches/033-cert_chain.patch
components/openssl/common/patches/039-internal_tests.patch
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-1.0.1/Makefile
components/openssl/openssl-1.0.1/patches/102-wanboot.patch
--- a/components/openssl/common/patches/018-compiler_opts.patch	Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/common/patches/018-compiler_opts.patch	Fri Jul 10 06:49:44 2015 -0700
@@ -14,7 +14,7 @@
  my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
 @@ -257,6 +257,21 @@
  #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
- "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+ "sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
  
 +#### Solaris configs, used for OpenSSL as delivered by S11.
 +"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- a/components/openssl/common/patches/033-cert_chain.patch	Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/common/patches/033-cert_chain.patch	Fri Jul 10 06:49:44 2015 -0700
@@ -61,10 +61,10 @@
 +
  int X509_verify_cert(X509_STORE_CTX *ctx)
  {
-     X509 *x, *xtmp, *chain_ss = NULL;
+     X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
 @@ -304,8 +331,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
- 
-     /* we now have our chain, lets check it... */
+         }
+     } while (retry);
  
 -    /* Is last certificate looked up self signed? */
 -    if (!ctx->check_issued(ctx, x, x)) {
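Review bot: Nothing in this refresh records that the partial-chain backport was re-checked against the alternate-chain retry loop that now precedes it: the inner patch's removal of the `Is last certificate looked up self signed?` test is re-anchored after `} while (retry);`, and a new `xtmp2` local appears in its context. Because the inner patch changes which certificate may terminate a trusted chain inside `X509_verify_cert()`, I would add a line to the patch header such as `Rebased for 1.0.1p; partial-chain acceptance re-verified together with the alternate-chain lookup (see test_verify_extra).` It is also worth confirming that a chain is accepted as partial only when `X509_V_FLAG_PARTIAL_CHAIN` is explicitly set. The body of `X509_verify_cert()` and both inner hunks continue outside what is shown, so the placement relative to the loop is inferred from the context lines only.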
@@ -184,9 +184,9 @@
 $ cvs diff -u -r1.67.2.3.4.1 -r1.67.2.3.4.2 x509_vfy.h
 --- openssl/crypto/x509/x509_vfy.h    26 Sep 2012 13:50:42 -0000    1.67.2.3.4.1
 +++ openssl/crypto/x509/x509_vfy.h    14 Dec 2012 14:30:46 -0000    1.67.2.3.4.2
[email protected]@ -406,6 +406,9 @@
- /* Check selfsigned CA signature */
- # define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
[email protected]@ -412,6 +412,9 @@
+  */
+ # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
  
 +/* Allow partial chains if at least one certificate is in trusted store */
 +# define X509_V_FLAG_PARTIAL_CHAIN               0x80000
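Review bot: The locally added `X509_V_FLAG_PARTIAL_CHAIN` (0x80000) now sits directly after the upstream `X509_V_FLAG_NO_ALT_CHAINS` (0x100000), and nothing states where its value comes from. This is a public header and the bit appears to be introduced by the local patch rather than by this upstream release, so a later upstream flag could silently take the same value on the next rebase. A comment such as `/* Local backport: keep this value in sync with the upstream definition and re-check for collisions on every OpenSSL upgrade */` would guard against that. The two values shown do not overlap, but the rest of the flag list is outside the hunk.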
--- a/components/openssl/common/patches/039-internal_tests.patch	Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/common/patches/039-internal_tests.patch	Fri Jul 10 06:49:44 2015 -0700
@@ -12,6 +12,6 @@
  	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
 -	test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
 +	test_ss test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
- 	test_jpake test_srp test_cms test_heartbeat test_constant_time
+ 	test_jpake test_srp test_cms test_heartbeat test_constant_time test_verify_extra
  
  test_evp:
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Fri Jul 10 06:49:44 2015 -0700
@@ -32,18 +32,18 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.1o
+COMPONENT_VERSION =	1.0.1p
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+    sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			23126
+TPNO=			23452
 
 # Clone the patch files to the patches-all dir.
 # COPY_COMMON_FILES is there so that rsync is called as soon as
--- a/components/openssl/openssl-1.0.1/Makefile	Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/openssl-1.0.1/Makefile	Fri Jul 10 06:49:44 2015 -0700
@@ -28,19 +28,19 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.1o
+COMPONENT_VERSION =	1.0.1p
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.15
+IPS_COMPONENT_VERSION = 1.0.1.16
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+    sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			23126
+TPNO=			23452
 
 # Clone the patch files to the patches-all dir.
 # COPY_COMMON_FILES is there so that rsync is called as soon as
--- a/components/openssl/openssl-1.0.1/patches/102-wanboot.patch	Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/102-wanboot.patch	Fri Jul 10 06:49:44 2015 -0700
@@ -69,12 +69,12 @@
 
  static void
 @@ -453,6 +459,7 @@
- solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock,
+ solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
      const char *file, int line)
  {
 +#ifndef    _BOOT
      int        ret;
-
+ 
      if (mode & CRYPTO_LOCK) {
 @@ -462,6 +469,7 @@
      }