--- a/components/openssl/common/patches/018-compiler_opts.patch Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/common/patches/018-compiler_opts.patch Fri Jul 10 06:49:44 2015 -0700
@@ -14,7 +14,7 @@
my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
@@ -257,6 +257,21 @@
#"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
- "sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+ "sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
+#### Solaris configs, used for OpenSSL as delivered by S11.
+"solaris-x86-cc-sunw","cc:-m32 -xO3 -xspace -Xa::-D_REENTRANT::-lsocket -lnsl -lc:BN_LLONG RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${x86_elf_asm}:dlfcn:solaris-shared:-KPIC:-m32 -G -dy -z text -zdefs -Bdirect -zignore -M/usr/lib/ld/map.pagealign -M/usr/lib/ld/map.noexdata:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- a/components/openssl/common/patches/033-cert_chain.patch Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/common/patches/033-cert_chain.patch Fri Jul 10 06:49:44 2015 -0700
@@ -61,10 +61,10 @@
+
int X509_verify_cert(X509_STORE_CTX *ctx)
{
- X509 *x, *xtmp, *chain_ss = NULL;
+ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
@@ -304,8 +331,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
-
- /* we now have our chain, lets check it... */
+ }
+ } while (retry);
- /* Is last certificate looked up self signed? */
- if (!ctx->check_issued(ctx, x, x)) {
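Review bot: The refreshed lines sit in the chain-building part of X509_verify_cert, around `} while (retry);` and the "Is last certificate looked up self signed?" check, and nothing visible in the commit shows the patch's partial-chain handling being re-tested against the rebased code. The inner patch's +/- column is not fully recoverable here, so it is unclear which of these lines the local patch adds and which are upstream context; the rebase should be confirmed by a verification run, not by reading the context. Once that is done, I would record it in the patch header, for example `# Rebased for 1.0.1p: partial-chain and untrusted-chain cases re-checked with test_verify and test_verify_extra.` X509_verify_cert starts and ends outside this hunk.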
@@ -184,9 +184,9 @@
$ cvs diff -u -r1.67.2.3.4.1 -r1.67.2.3.4.2 x509_vfy.h
--- openssl/crypto/x509/x509_vfy.h 26 Sep 2012 13:50:42 -0000 1.67.2.3.4.1
+++ openssl/crypto/x509/x509_vfy.h 14 Dec 2012 14:30:46 -0000 1.67.2.3.4.2
-@@ -406,6 +406,9 @@
- /* Check selfsigned CA signature */
- # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+@@ -412,6 +412,9 @@
+ */
+ # define X509_V_FLAG_NO_ALT_CHAINS 0x100000
+/* Allow partial chains if at least one certificate is in trusted store */
+# define X509_V_FLAG_PARTIAL_CHAIN 0x80000
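Review bot: The comment above `X509_V_FLAG_PARTIAL_CHAIN` does not spell out the trust consequence of setting the flag. By its own wording, a chain is accepted as soon as one of its certificates is in the trusted store, so a non-root certificate placed there effectively becomes a trust anchor. I would expand it to `/* Allow partial chains if at least one certificate is in trusted store; that certificate is then treated as a trust anchor even when it is not self-signed. */`. The define sits next to `X509_V_FLAG_NO_ALT_CHAINS 0x100000`, so the two bit values should be re-checked for overlap on every rebase of this header.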
--- a/components/openssl/common/patches/039-internal_tests.patch Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/common/patches/039-internal_tests.patch Fri Jul 10 06:49:44 2015 -0700
@@ -12,6 +12,6 @@
test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
- test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
+ test_ss test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
- test_jpake test_srp test_cms test_heartbeat test_constant_time
+ test_jpake test_srp test_cms test_heartbeat test_constant_time test_verify_extra
test_evp:
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile Fri Jul 10 06:49:44 2015 -0700
@@ -32,18 +32,18 @@
COMPONENT_NAME = openssl-fips-140
# Note that this is the OpenSSL version that is used to build FIPS-140 certified
# libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION = 1.0.1o
+COMPONENT_VERSION = 1.0.1p
IPS_COMPONENT_VERSION = 2.0.6
COMPONENT_PROJECT_URL= http://www.openssl.org/
COMPONENT_SRC_NAME = openssl
COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+ sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= library/openssl
-TPNO= 23126
+TPNO= 23452
# Clone the patch files to the patches-all dir.
# COPY_COMMON_FILES is there so that rsync is called as soon as
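Review bot: The new `sha256:` value in COMPONENT_ARCHIVE_HASH is the only integrity control visible for the 1.0.1p tarball, while the download location is still built from `COMPONENT_PROJECT_URL= http://www.openssl.org/`. Over plain HTTP the pin does all the work, so the digest should be checked against upstream's published checksum or release signature, not computed from whatever was fetched. A comment above the hash such as `# sha256 checked against the upstream release signature on <date>` would record that. If the site serves the same path over TLS, `COMPONENT_PROJECT_URL= https://www.openssl.org/` is the one-line change. The same applies to the identical hunk in components/openssl/openssl-1.0.1/Makefile.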
--- a/components/openssl/openssl-1.0.1/Makefile Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/openssl-1.0.1/Makefile Fri Jul 10 06:49:44 2015 -0700
@@ -28,19 +28,19 @@
# When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too.
# For more information about wanboot-openssl testing, please refer to
# ../README.
-COMPONENT_VERSION = 1.0.1o
+COMPONENT_VERSION = 1.0.1p
# Version for IPS. It is easier to do it manually than convert the letter to a
# number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.15
+IPS_COMPONENT_VERSION = 1.0.1.16
COMPONENT_PROJECT_URL= http://www.openssl.org/
COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:16e678c6a05f2502811e075f2c4059ac01c878d091c9c585afc49ebc541f7b13
+ sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= library/openssl
-TPNO= 23126
+TPNO= 23452
# Clone the patch files to the patches-all dir.
# COPY_COMMON_FILES is there so that rsync is called as soon as
--- a/components/openssl/openssl-1.0.1/patches/102-wanboot.patch Thu Jul 09 13:47:36 2015 -0700
+++ b/components/openssl/openssl-1.0.1/patches/102-wanboot.patch Fri Jul 10 06:49:44 2015 -0700
@@ -69,12 +69,12 @@
static void
@@ -453,6 +459,7 @@
- solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_valud *dynlock,
+ solaris_dynlock_lock(int mode, struct CRYPTO_dynlock_value *dynlock,
const char *file, int line)
{
+#ifndef _BOOT
int ret;
-
+
if (mode & CRYPTO_LOCK) {
@@ -462,6 +469,7 @@
}