diff --git a/CHANGES b/CHANGES index 06c4313405..8af7679765 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3579. [maint] Updates to PKCS#11 openssl patches, supporting + versions 0.9.8y, 1.0.0k, 1.0.1e [RT #33463] + 3578. [bug] 'rndc -c file' now fails if 'file' does not exist. [RT #33571] diff --git a/bin/pkcs11/openssl-0.9.8x-patch b/bin/pkcs11/openssl-0.9.8y-patch similarity index 99% rename from bin/pkcs11/openssl-0.9.8x-patch rename to bin/pkcs11/openssl-0.9.8y-patch index d3e4f3ec45..ca3f31655d 100644 --- a/bin/pkcs11/openssl-0.9.8x-patch +++ b/bin/pkcs11/openssl-0.9.8y-patch @@ -1,7 +1,7 @@ Index: openssl/Configure -diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 ---- openssl/Configure:1.8.6.1 Sun Jan 15 15:45:33 2012 -+++ openssl/Configure Mon Jun 13 14:25:15 2011 +diff -u openssl/Configure:1.8.6.1.4.1 openssl/Configure:1.8.2.1 +--- openssl/Configure:1.8.6.1.4.1 Tue May 14 14:41:19 2013 ++++ openssl/Configure Tue May 14 14:56:15 2013 @@ -12,7 +12,7 @@ # see INSTALL for instructions. @@ -24,7 +24,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 # --with-krb5-dir Declare where Kerberos 5 lives. The libraries are expected # to live in the subdirectory lib/ and the header files in # include/. A value is required. -@@ -335,7 +341,7 @@ +@@ -336,7 +342,7 @@ "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IA-32 targets... "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -33,7 +33,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", #### "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -@@ -343,7 +349,7 @@ +@@ -344,7 +350,7 @@ "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -42,7 +42,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 #### SPARC Linux setups # Ray Miller has patiently # assisted with debugging of following two configs. -@@ -590,6 +596,10 @@ +@@ -591,6 +597,10 @@ my $idx_ranlib = $idx++; my $idx_arflags = $idx++; @@ -53,7 +53,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 my $prefix=""; my $libdir=""; my $openssldir=""; -@@ -828,6 +838,14 @@ +@@ -829,6 +839,14 @@ { $flags.=$_." "; } @@ -68,7 +68,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 elsif (/^--prefix=(.*)$/) { $prefix=$1; -@@ -963,6 +981,22 @@ +@@ -964,6 +982,22 @@ exit 0; } @@ -91,7 +91,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 if ($target =~ m/^CygWin32(-.*)$/) { $target = "Cygwin".$1; } -@@ -1078,6 +1112,25 @@ +@@ -1079,6 +1113,25 @@ print "\n"; } @@ -117,7 +117,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys()); -@@ -1129,6 +1182,8 @@ +@@ -1130,6 +1183,8 @@ if ($flags ne "") { $cflags="$flags$cflags"; } else { $no_user_cflags=1; } @@ -126,7 +126,7 @@ diff -u openssl/Configure:1.8.6.1 openssl/Configure:1.8 # Kerberos settings. The flavor must be provided from outside, either through # the script "config" or manually. if (!$no_krb5) -@@ -1492,6 +1547,7 @@ +@@ -1493,6 +1548,7 @@ s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; @@ -150,7 +150,7 @@ diff -u openssl/Makefile.org:1.4.6.1 openssl/Makefile.org:1.4 Index: openssl/README.pkcs11 diff -u /dev/null openssl/README.pkcs11:1.6.4.1 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:50 2013 +++ openssl/README.pkcs11 Mon Jun 13 18:27:39 2011 @@ -0,0 +1,261 @@ +ISC modified @@ -624,7 +624,7 @@ diff -u openssl/crypto/engine/Makefile:1.6.6.1 openssl/crypto/engine/Makefile:1. tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h Index: openssl/crypto/engine/cryptoki.h diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:50 2013 +++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 @@ -0,0 +1,103 @@ +/* @@ -767,9 +767,9 @@ diff -u openssl/crypto/engine/engine.h:1.4.6.1 openssl/crypto/engine/engine.h:1. /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation * "registry" handling. */ Index: openssl/crypto/engine/hw_pk11.c -diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.2 ---- /dev/null Tue Jun 19 16:24:30 2012 -+++ openssl/crypto/engine/hw_pk11.c Thu Jun 16 12:31:35 2011 +diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 +--- /dev/null Thu May 16 07:41:51 2013 ++++ openssl/crypto/engine/hw_pk11.c Thu May 16 07:20:00 2013 @@ -0,0 +1,4057 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. @@ -1630,8 +1630,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.2 + */ +static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION; + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; +/* Needed in hw_pk11_pub.c as well so that's why it is not static. */ +CK_SLOT_ID pubkey_SLOTID = 0; +static CK_SLOT_ID rand_SLOTID = 0; @@ -3707,9 +3707,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.2 + { + {CKA_CLASS, (void*) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void*) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (false)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, + {CKA_VALUE, (void*) NULL, 0}, + }; + @@ -4830,7 +4830,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.2 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11_err.c diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4.10.1 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 21:52:40 2011 @@ -0,0 +1,288 @@ +/* @@ -5123,7 +5123,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4.10.1 +} Index: openssl/crypto/engine/hw_pk11_err.h diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:52:40 2011 @@ -0,0 +1,440 @@ +/* @@ -5568,7 +5568,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1 +#endif /* HW_PK11_ERR_H */ Index: openssl/crypto/engine/hw_pk11_pub.c diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:10 2012 @@ -0,0 +1,3530 @@ +/* @@ -9103,7 +9103,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11ca.h diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2.4.2 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:32 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ @@ -9140,7 +9140,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2.4.2 +#define ENGINE_load_pk11 ENGINE_load_pk11ca Index: openssl/crypto/engine/hw_pk11so.c diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:35 2011 @@ -0,0 +1,1745 @@ +/* @@ -10890,7 +10890,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11so.h diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2.4.2 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:32 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */ @@ -10927,7 +10927,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2.4.2 +#define ENGINE_load_pk11 ENGINE_load_pk11so Index: openssl/crypto/engine/hw_pk11so_pub.c diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:11 2012 @@ -0,0 +1,1622 @@ +/* @@ -12554,11 +12554,11 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/pkcs11.h diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,299 @@ +/* pkcs11.h include file for PKCS #11. */ -+/* $Revision: 1.1.1.1 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -12858,11 +12858,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11f.h diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ -+/* $Revision: 1.1.1.1 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -13775,11 +13775,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11t.h diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 ---- /dev/null Tue Jun 19 16:24:30 2012 +--- /dev/null Thu May 16 07:41:51 2013 +++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008 @@ -0,0 +1,1885 @@ +/* pkcs11t.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -15664,10 +15664,10 @@ diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 + +#endif Index: openssl/util/libeay.num -diff -u openssl/util/libeay.num:1.7.6.1 openssl/util/libeay.num:1.7 ---- openssl/util/libeay.num:1.7.6.1 Sun Jan 15 15:45:40 2012 -+++ openssl/util/libeay.num Mon Jun 13 14:25:25 2011 -@@ -3728,3 +3728,5 @@ +diff -u openssl/util/libeay.num:1.7.6.1.4.1 openssl/util/libeay.num:1.7.2.1 +--- openssl/util/libeay.num:1.7.6.1.4.1 Tue May 14 14:41:22 2013 ++++ openssl/util/libeay.num Tue May 14 14:56:18 2013 +@@ -3729,3 +3729,5 @@ pqueue_size 4114 EXIST::FUNCTION: OPENSSL_uni2asc 4115 EXIST:NETWARE:FUNCTION: OPENSSL_asc2uni 4116 EXIST:NETWARE:FUNCTION: diff --git a/bin/pkcs11/openssl-1.0.0j-patch b/bin/pkcs11/openssl-1.0.0k-patch similarity index 99% rename from bin/pkcs11/openssl-1.0.0j-patch rename to bin/pkcs11/openssl-1.0.0k-patch index da6dd814a1..bfd37bf1e6 100644 --- a/bin/pkcs11/openssl-1.0.0j-patch +++ b/bin/pkcs11/openssl-1.0.0k-patch @@ -1,7 +1,7 @@ Index: openssl/Configure -diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 ---- openssl/Configure:1.9.2.1.2.1 Tue Jun 19 14:46:03 2012 -+++ openssl/Configure Tue Jun 19 14:49:21 2012 +diff -u openssl/Configure:1.9.2.1.2.1.4.1 openssl/Configure:1.11.2.1 +--- openssl/Configure:1.9.2.1.2.1.4.1 Tue May 14 15:37:45 2013 ++++ openssl/Configure Tue May 14 15:49:01 2013 @@ -10,7 +10,7 @@ # see INSTALL for instructions. @@ -24,7 +24,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 # --with-krb5-dir Declare where Kerberos 5 lives. The libraries are expected # to live in the subdirectory lib/ and the header files in # include/. A value is required. -@@ -343,7 +349,7 @@ +@@ -344,7 +350,7 @@ "linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IA-32 targets... "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -33,7 +33,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out", #### "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -@@ -351,7 +357,7 @@ +@@ -352,7 +358,7 @@ "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -42,7 +42,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 "linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", #### SPARC Linux setups # Ray Miller has patiently -@@ -622,6 +628,10 @@ +@@ -623,6 +629,10 @@ my $idx_arflags = $idx++; my $idx_multilib = $idx++; @@ -53,7 +53,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 my $prefix=""; my $libdir=""; my $openssldir=""; -@@ -824,6 +834,14 @@ +@@ -825,6 +835,14 @@ { $flags.=$_." "; } @@ -68,7 +68,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 elsif (/^--prefix=(.*)$/) { $prefix=$1; -@@ -961,6 +979,22 @@ +@@ -962,6 +980,22 @@ exit 0; } @@ -91,7 +91,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 if ($target =~ m/^CygWin32(-.*)$/) { $target = "Cygwin".$1; } -@@ -1038,6 +1072,25 @@ +@@ -1039,6 +1073,25 @@ $exp_cflags .= " -DOPENSSL_EXPERIMENTAL_$ALGO"; } @@ -117,7 +117,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target =~ /^mingw/); -@@ -1125,6 +1178,8 @@ +@@ -1126,6 +1179,8 @@ if ($flags ne "") { $cflags="$flags$cflags"; } else { $no_user_cflags=1; } @@ -126,7 +126,7 @@ diff -u openssl/Configure:1.9.2.1.2.1 openssl/Configure:1.11 # Kerberos settings. The flavor must be provided from outside, either through # the script "config" or manually. if (!$no_krb5) -@@ -1494,6 +1549,7 @@ +@@ -1495,6 +1550,7 @@ s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; @@ -150,7 +150,7 @@ diff -u openssl/Makefile.org:1.5.2.1.2.1 openssl/Makefile.org:1.6 Index: openssl/README.pkcs11 diff -u /dev/null openssl/README.pkcs11:1.7 ---- /dev/null Tue Jun 19 16:23:56 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/README.pkcs11 Mon Jun 13 18:27:17 2011 @@ -0,0 +1,261 @@ +ISC modified @@ -605,7 +605,7 @@ diff -u openssl/crypto/engine/Makefile:1.8.2.1 openssl/crypto/engine/Makefile:1. tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h Index: openssl/crypto/engine/cryptoki.h diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Tue Jun 19 16:23:56 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 @@ -0,0 +1,103 @@ +/* @@ -748,9 +748,9 @@ diff -u openssl/crypto/engine/engine.h:1.5.2.1 openssl/crypto/engine/engine.h:1. void ENGINE_load_gmp(void); #endif Index: openssl/crypto/engine/hw_pk11.c -diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 ---- /dev/null Tue Jun 19 16:23:56 2012 -+++ openssl/crypto/engine/hw_pk11.c Thu Jun 16 12:31:53 2011 +diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 +--- /dev/null Thu May 16 07:42:54 2013 ++++ openssl/crypto/engine/hw_pk11.c Thu May 16 06:53:50 2013 @@ -0,0 +1,4057 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. @@ -1611,8 +1611,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + */ +static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION; + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; +/* Needed in hw_pk11_pub.c as well so that's why it is not static. */ +CK_SLOT_ID pubkey_SLOTID = 0; +static CK_SLOT_ID rand_SLOTID = 0; @@ -3688,9 +3688,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + { + {CKA_CLASS, (void*) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void*) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (false)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, + {CKA_VALUE, (void*) NULL, 0}, + }; + @@ -4811,7 +4811,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11_err.c diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 ---- /dev/null Tue Jun 19 16:23:56 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 00:43:26 2011 @@ -0,0 +1,288 @@ +/* @@ -5104,7 +5104,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 +} Index: openssl/crypto/engine/hw_pk11_err.h diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:51:32 2011 @@ -0,0 +1,440 @@ +/* @@ -5549,7 +5549,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 +#endif /* HW_PK11_ERR_H */ Index: openssl/crypto/engine/hw_pk11_pub.c diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012 @@ -0,0 +1,3530 @@ +/* @@ -9084,7 +9084,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11ca.h diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ @@ -9121,7 +9121,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 +#define ENGINE_load_pk11 ENGINE_load_pk11ca Index: openssl/crypto/engine/hw_pk11so.c diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:53 2011 @@ -0,0 +1,1745 @@ +/* @@ -10871,7 +10871,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11so.h diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */ @@ -10908,7 +10908,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 +#define ENGINE_load_pk11 ENGINE_load_pk11so Index: openssl/crypto/engine/hw_pk11so_pub.c diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:24 2012 @@ -0,0 +1,1622 @@ +/* @@ -12535,11 +12535,11 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/pkcs11.h diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,299 @@ +/* pkcs11.h include file for PKCS #11. */ -+/* $Revision: 1.1.1.1 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -12839,11 +12839,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11f.h diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ -+/* $Revision: 1.1.1.1 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -13756,11 +13756,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11t.h diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 ---- /dev/null Tue Jun 19 16:23:57 2012 +--- /dev/null Thu May 16 07:42:54 2013 +++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008 @@ -0,0 +1,1885 @@ +/* pkcs11t.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -15645,10 +15645,10 @@ diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 + +#endif Index: openssl/util/libeay.num -diff -u openssl/util/libeay.num:1.8.2.1 openssl/util/libeay.num:1.9 ---- openssl/util/libeay.num:1.8.2.1 Sun Jan 15 16:09:52 2012 -+++ openssl/util/libeay.num Sun Jan 15 16:30:10 2012 -@@ -4194,3 +4194,5 @@ +diff -u openssl/util/libeay.num:1.8.2.1.6.1 openssl/util/libeay.num:1.9.2.1 +--- openssl/util/libeay.num:1.8.2.1.6.1 Tue May 14 15:37:52 2013 ++++ openssl/util/libeay.num Tue May 14 15:49:08 2013 +@@ -4195,3 +4195,5 @@ OPENSSL_strncasecmp 4566 EXIST::FUNCTION: OPENSSL_gmtime 4567 EXIST::FUNCTION: OPENSSL_gmtime_adj 4568 EXIST::FUNCTION: diff --git a/bin/pkcs11/openssl-1.0.1c-patch b/bin/pkcs11/openssl-1.0.1e-patch similarity index 98% rename from bin/pkcs11/openssl-1.0.1c-patch rename to bin/pkcs11/openssl-1.0.1e-patch index 2bd3068aa7..635694e542 100644 --- a/bin/pkcs11/openssl-1.0.1c-patch +++ b/bin/pkcs11/openssl-1.0.1e-patch @@ -1,7 +1,7 @@ Index: openssl/Configure -diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 ---- openssl/Configure:1.9.2.1.2.1.2.1 Tue Jun 19 15:29:45 2012 -+++ openssl/Configure Tue Jun 19 16:17:49 2012 +diff -u openssl/Configure:1.9.2.1.2.1.2.1.2.1 openssl/Configure:1.13 +--- openssl/Configure:1.9.2.1.2.1.2.1.2.1 Wed May 15 11:46:59 2013 ++++ openssl/Configure Wed May 15 11:57:36 2013 @@ -10,7 +10,7 @@ # see INSTALL for instructions. @@ -24,7 +24,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 # --with-krb5-dir Declare where Kerberos 5 lives. The libraries are expected # to live in the subdirectory lib/ and the header files in # include/. A value is required. -@@ -350,7 +356,7 @@ +@@ -352,7 +358,7 @@ "linux-armv4", "gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IA-32 targets... "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -33,7 +33,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out", #### "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -@@ -358,7 +364,7 @@ +@@ -360,7 +366,7 @@ "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -42,7 +42,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 "linux64-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", #### So called "highgprs" target for z/Architecture CPUs # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see -@@ -655,6 +661,10 @@ +@@ -657,6 +663,10 @@ my $idx_arflags = $idx++; my $idx_multilib = $idx++; @@ -53,7 +53,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 my $prefix=""; my $libdir=""; my $openssldir=""; -@@ -874,6 +884,14 @@ +@@ -876,6 +886,14 @@ $_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei; $flags.=$_." "; } @@ -68,7 +68,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 elsif (/^--prefix=(.*)$/) { $prefix=$1; -@@ -1041,6 +1059,22 @@ +@@ -1043,6 +1061,22 @@ exit 0; } @@ -91,7 +91,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 if ($target =~ m/^CygWin32(-.*)$/) { $target = "Cygwin".$1; } -@@ -1118,6 +1152,25 @@ +@@ -1120,6 +1154,25 @@ $exp_cflags .= " -DOPENSSL_EXPERIMENTAL_$ALGO"; } @@ -117,7 +117,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target =~ /^mingw/); -@@ -1207,6 +1260,8 @@ +@@ -1209,6 +1262,8 @@ if ($flags ne "") { $cflags="$flags$cflags"; } else { $no_user_cflags=1; } @@ -126,7 +126,7 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 # Kerberos settings. The flavor must be provided from outside, either through # the script "config" or manually. if (!$no_krb5) -@@ -1596,6 +1651,7 @@ +@@ -1598,6 +1653,7 @@ s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; @@ -135,9 +135,9 @@ diff -u openssl/Configure:1.9.2.1.2.1.2.1 openssl/Configure:1.12 s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; Index: openssl/Makefile.org -diff -u openssl/Makefile.org:1.5.2.1.2.1.2.1 openssl/Makefile.org:1.7 ---- openssl/Makefile.org:1.5.2.1.2.1.2.1 Tue Jun 19 15:29:46 2012 -+++ openssl/Makefile.org Tue Jun 19 16:17:49 2012 +diff -u openssl/Makefile.org:1.5.2.1.2.1.2.1.2.1 openssl/Makefile.org:1.8 +--- openssl/Makefile.org:1.5.2.1.2.1.2.1.2.1 Wed May 15 11:46:59 2013 ++++ openssl/Makefile.org Wed May 15 11:57:36 2013 @@ -26,6 +26,9 @@ INSTALL_PREFIX= INSTALLTOP=/usr/local/ssl @@ -150,7 +150,7 @@ diff -u openssl/Makefile.org:1.5.2.1.2.1.2.1 openssl/Makefile.org:1.7 Index: openssl/README.pkcs11 diff -u /dev/null openssl/README.pkcs11:1.7 ---- /dev/null Tue Jun 19 16:21:25 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/README.pkcs11 Mon Jun 13 18:27:17 2011 @@ -0,0 +1,261 @@ +ISC modified @@ -606,7 +606,7 @@ diff -u openssl/crypto/engine/Makefile:1.8.2.1.4.1 openssl/crypto/engine/Makefil tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h Index: openssl/crypto/engine/cryptoki.h diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Tue Jun 19 16:21:25 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 @@ -0,0 +1,103 @@ +/* @@ -749,10 +749,10 @@ diff -u openssl/crypto/engine/engine.h:1.5.2.1.4.1 openssl/crypto/engine/engine. void ENGINE_load_gmp(void); #endif Index: openssl/crypto/engine/hw_pk11.c -diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 ---- /dev/null Tue Jun 19 16:21:25 2012 -+++ openssl/crypto/engine/hw_pk11.c Thu Jun 16 12:31:53 2011 -@@ -0,0 +1,4057 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 +--- /dev/null Thu May 16 07:44:28 2013 ++++ openssl/crypto/engine/hw_pk11.c Thu May 16 06:50:56 2013 +@@ -0,0 +1,3951 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -888,15 +888,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 +#undef SOLARIS_HW_SLOT_SELECTION +#endif + -+/* -+ * AES counter mode is not supported in the OpenSSL EVP API yet and neither -+ * there are official OIDs for mechanisms based on this mode. With our changes, -+ * an application can define its own EVP calls for AES counter mode and then -+ * it can make use of hardware acceleration through this engine. However, it's -+ * better if we keep AES CTR support code under ifdef's. -+ */ -+#define SOLARIS_AES_CTR -+ +#ifdef OPENSSL_SYS_WIN32 +#pragma pack(push, cryptoki, 1) +#include "cryptoki.h" @@ -909,16 +900,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 +#include "hw_pk11ca.h" +#include "hw_pk11_err.c" + -+#ifdef SOLARIS_AES_CTR -+/* -+ * NIDs for AES counter mode that will be defined during the engine -+ * initialization. -+ */ -+static int NID_aes_128_ctr = NID_undef; -+static int NID_aes_192_ctr = NID_undef; -+static int NID_aes_256_ctr = NID_undef; -+#endif /* SOLARIS_AES_CTR */ -+ +/* + * We use this lock to prevent multiple C_Login()s, guard getpassphrase(), + * uri_struct manipulation, and static token info. All of that is used by the @@ -1031,10 +1012,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + +/* Symmetric cipher and digest support functions */ +static int cipher_nid_to_pk11(int nid); -+#ifdef SOLARIS_AES_CTR -+static int pk11_add_NID(char *sn, char *ln); -+static int pk11_add_aes_ctr_NIDs(void); -+#endif /* SOLARIS_AES_CTR */ +static int pk11_usable_ciphers(const int **nids); +static int pk11_usable_digests(const int **nids); +static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, @@ -1099,12 +1076,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + PK11_AES_128_ECB, + PK11_AES_192_ECB, + PK11_AES_256_ECB, -+ PK11_BLOWFISH_CBC, -+#ifdef SOLARIS_AES_CTR + PK11_AES_128_CTR, + PK11_AES_192_CTR, + PK11_AES_256_CTR, -+#endif /* SOLARIS_AES_CTR */ ++ PK11_BLOWFISH_CBC, + PK11_CIPHER_MAX +}; + @@ -1177,17 +1152,14 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + CKK_AES, CKM_AES_ECB, }, + { PK11_AES_256_ECB, NID_aes_256_ecb, 0, 32, 32, + CKK_AES, CKM_AES_ECB, }, ++ { PK11_AES_128_CTR, NID_aes_128_ctr, 16, 16, 16, ++ CKK_AES, CKM_AES_CTR, }, ++ { PK11_AES_192_CTR, NID_aes_192_ctr, 16, 24, 24, ++ CKK_AES, CKM_AES_CTR, }, ++ { PK11_AES_256_CTR, NID_aes_256_ctr, 16, 32, 32, ++ CKK_AES, CKM_AES_CTR, }, + { PK11_BLOWFISH_CBC, NID_bf_cbc, 8, 16, 16, + CKK_BLOWFISH, CKM_BLOWFISH_CBC, }, -+#ifdef SOLARIS_AES_CTR -+ /* we don't know the correct NIDs until the engine is initialized */ -+ { PK11_AES_128_CTR, NID_undef, 16, 16, 16, -+ CKK_AES, CKM_AES_CTR, }, -+ { PK11_AES_192_CTR, NID_undef, 16, 24, 24, -+ CKK_AES, CKM_AES_CTR, }, -+ { PK11_AES_256_CTR, NID_undef, 16, 32, 32, -+ CKK_AES, CKM_AES_CTR, }, -+#endif /* SOLARIS_AES_CTR */ + }; + +typedef struct PK11_DIGEST_st @@ -1377,15 +1349,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + NULL + }; + -+#ifdef SOLARIS_AES_CTR -+/* -+ * NID_undef's will be changed to the AES counter mode NIDs as soon they are -+ * created in pk11_library_init(). Note that the need to change these structures -+ * is the reason why we don't define them with the const keyword. -+ */ -+static EVP_CIPHER pk11_aes_128_ctr = ++static const EVP_CIPHER pk11_aes_128_ctr = + { -+ NID_undef, ++ NID_aes_128_ctr, + 16, 16, 16, + EVP_CIPH_CBC_MODE, + pk11_cipher_init, @@ -1397,9 +1363,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + NULL + }; + -+static EVP_CIPHER pk11_aes_192_ctr = ++static const EVP_CIPHER pk11_aes_192_ctr = + { -+ NID_undef, ++ NID_aes_192_ctr, + 16, 24, 16, + EVP_CIPH_CBC_MODE, + pk11_cipher_init, @@ -1411,9 +1377,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + NULL + }; + -+static EVP_CIPHER pk11_aes_256_ctr = ++static const EVP_CIPHER pk11_aes_256_ctr = + { -+ NID_undef, ++ NID_aes_256_ctr, + 16, 32, 16, + EVP_CIPH_CBC_MODE, + pk11_cipher_init, @@ -1424,7 +1390,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + EVP_CIPHER_get_asn1_iv, + NULL + }; -+#endif /* SOLARIS_AES_CTR */ + +static const EVP_CIPHER pk11_bf_cbc = + { @@ -1612,8 +1577,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + */ +static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION; + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; +/* Needed in hw_pk11_pub.c as well so that's why it is not static. */ +CK_SLOT_ID pubkey_SLOTID = 0; +static CK_SLOT_ID rand_SLOTID = 0; @@ -2050,15 +2015,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + goto err; + } + -+#ifdef SOLARIS_AES_CTR -+ /* -+ * We must do this before we start working with slots since we need all -+ * NIDs there. -+ */ -+ if (pk11_add_aes_ctr_NIDs() == 0) -+ goto err; -+#endif /* SOLARIS_AES_CTR */ -+ +#ifdef SOLARIS_HW_SLOT_SELECTION + if (check_hw_mechanisms() == 0) + goto err; @@ -3255,9 +3211,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + PK11_SESSION *sp, CK_MECHANISM_PTR pmech) + { + CK_RV rv; -+#ifdef SOLARIS_AES_CTR + CK_AES_CTR_PARAMS ctr_params; -+#endif /* SOLARIS_AES_CTR */ + + /* + * We expect pmech->mechanism to be already set and @@ -3268,7 +3222,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + OPENSSL_assert(pmech->pParameter == NULL); + OPENSSL_assert(pmech->ulParameterLen == 0); + -+#ifdef SOLARIS_AES_CTR + if (ctx->cipher->nid == NID_aes_128_ctr || + ctx->cipher->nid == NID_aes_192_ctr || + ctx->cipher->nid == NID_aes_256_ctr) @@ -3288,7 +3241,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + (void) memcpy(ctr_params.cb, ctx->iv, AES_BLOCK_SIZE); + } + else -+#endif /* SOLARIS_AES_CTR */ + { + if (pcipher->iv_len > 0) + { @@ -3620,20 +3572,16 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + case NID_rc4: + *cipher = &pk11_rc4; + break; ++ case NID_aes_128_ctr: ++ *cipher = &pk11_aes_128_ctr; ++ break; ++ case NID_aes_192_ctr: ++ *cipher = &pk11_aes_192_ctr; ++ break; ++ case NID_aes_256_ctr: ++ *cipher = &pk11_aes_256_ctr; ++ break; + default: -+#ifdef SOLARIS_AES_CTR -+ /* -+ * These can't be in separated cases because the NIDs -+ * here are not constants. -+ */ -+ if (nid == NID_aes_128_ctr) -+ *cipher = &pk11_aes_128_ctr; -+ else if (nid == NID_aes_192_ctr) -+ *cipher = &pk11_aes_192_ctr; -+ else if (nid == NID_aes_256_ctr) -+ *cipher = &pk11_aes_256_ctr; -+ else -+#endif /* SOLARIS_AES_CTR */ + *cipher = NULL; + break; + } @@ -3689,9 +3637,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + { + {CKA_CLASS, (void*) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void*) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (false)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, + {CKA_VALUE, (void*) NULL, 0}, + }; + @@ -4470,60 +4418,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 + return; + } + -+#ifdef SOLARIS_AES_CTR -+/* create a new NID when we have no OID for that mechanism */ -+static int pk11_add_NID(char *sn, char *ln) -+ { -+ ASN1_OBJECT *o; -+ int nid; -+ -+ if ((o = ASN1_OBJECT_create(OBJ_new_nid(1), (unsigned char *)"", -+ 1, sn, ln)) == NULL) -+ { -+ return (0); -+ } -+ -+ /* will return NID_undef on error */ -+ nid = OBJ_add_object(o); -+ ASN1_OBJECT_free(o); -+ -+ return (nid); -+ } -+ -+/* -+ * Create new NIDs for AES counter mode. OpenSSL doesn't support them now so we -+ * have to help ourselves here. -+ */ -+static int pk11_add_aes_ctr_NIDs(void) -+ { -+ /* are we already set? */ -+ if (NID_aes_256_ctr != NID_undef) -+ return (1); -+ -+ /* -+ * There are no official names for AES counter modes yet so we just -+ * follow the format of those that exist. -+ */ -+ if ((NID_aes_128_ctr = pk11_add_NID("AES-128-CTR", "aes-128-ctr")) == -+ NID_undef) -+ goto err; -+ ciphers[PK11_AES_128_CTR].nid = pk11_aes_128_ctr.nid = NID_aes_128_ctr; -+ if ((NID_aes_192_ctr = pk11_add_NID("AES-192-CTR", "aes-192-ctr")) == -+ NID_undef) -+ goto err; -+ ciphers[PK11_AES_192_CTR].nid = pk11_aes_192_ctr.nid = NID_aes_192_ctr; -+ if ((NID_aes_256_ctr = pk11_add_NID("AES-256-CTR", "aes-256-ctr")) == -+ NID_undef) -+ goto err; -+ ciphers[PK11_AES_256_CTR].nid = pk11_aes_256_ctr.nid = NID_aes_256_ctr; -+ return (1); -+ -+err: -+ PK11err(PK11_F_ADD_AES_CTR_NIDS, PK11_R_ADD_NID_FAILED); -+ return (0); -+ } -+#endif /* SOLARIS_AES_CTR */ -+ +/* Find what symmetric ciphers this slot supports. */ +static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist, + CK_SLOT_ID current_slot, int *current_slot_n_cipher, int *local_cipher_nids) @@ -4812,7 +4706,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11_err.c diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 ---- /dev/null Tue Jun 19 16:21:25 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 00:43:26 2011 @@ -0,0 +1,288 @@ +/* @@ -5105,7 +4999,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 +} Index: openssl/crypto/engine/hw_pk11_err.h diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 ---- /dev/null Tue Jun 19 16:21:25 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:51:32 2011 @@ -0,0 +1,440 @@ +/* @@ -5550,7 +5444,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 +#endif /* HW_PK11_ERR_H */ Index: openssl/crypto/engine/hw_pk11_pub.c diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 ---- /dev/null Tue Jun 19 16:21:25 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012 @@ -0,0 +1,3530 @@ +/* @@ -9085,7 +8979,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11ca.h diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 ---- /dev/null Tue Jun 19 16:21:25 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ @@ -9122,7 +9016,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 +#define ENGINE_load_pk11 ENGINE_load_pk11ca Index: openssl/crypto/engine/hw_pk11so.c diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 ---- /dev/null Tue Jun 19 16:21:25 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:53 2011 @@ -0,0 +1,1745 @@ +/* @@ -10872,7 +10766,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11so.h diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 ---- /dev/null Tue Jun 19 16:21:26 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */ @@ -10909,7 +10803,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 +#define ENGINE_load_pk11 ENGINE_load_pk11so Index: openssl/crypto/engine/hw_pk11so_pub.c diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 ---- /dev/null Tue Jun 19 16:21:26 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:24 2012 @@ -0,0 +1,1622 @@ +/* @@ -12536,11 +12430,11 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/pkcs11.h diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Tue Jun 19 16:21:26 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,299 @@ +/* pkcs11.h include file for PKCS #11. */ -+/* $Revision: 1.1.1.1 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -12840,11 +12734,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11f.h diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Tue Jun 19 16:21:26 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ -+/* $Revision: 1.1.1.1 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -13757,11 +13651,11 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11t.h diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 ---- /dev/null Tue Jun 19 16:21:26 2012 +--- /dev/null Thu May 16 07:44:28 2013 +++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008 @@ -0,0 +1,1885 @@ +/* pkcs11t.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ ++/* $Revision$ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface @@ -15646,10 +15540,10 @@ diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 + +#endif Index: openssl/util/libeay.num -diff -u openssl/util/libeay.num:1.8.2.1.4.1 openssl/util/libeay.num:1.10 ---- openssl/util/libeay.num:1.8.2.1.4.1 Tue Jun 19 15:30:18 2012 -+++ openssl/util/libeay.num Tue Jun 19 16:18:10 2012 -@@ -4310,3 +4310,5 @@ +diff -u openssl/util/libeay.num:1.8.2.1.4.1.2.1 openssl/util/libeay.num:1.11 +--- openssl/util/libeay.num:1.8.2.1.4.1.2.1 Wed May 15 11:47:13 2013 ++++ openssl/util/libeay.num Wed May 15 11:57:43 2013 +@@ -4311,3 +4311,5 @@ BIO_s_datagram_sctp 4680 EXIST::FUNCTION:DGRAM,SCTP BIO_dgram_is_sctp 4681 EXIST::FUNCTION:SCTP BIO_dgram_sctp_notification_cb 4682 EXIST::FUNCTION:SCTP @@ -15736,9 +15630,9 @@ diff -u openssl/util/mkdef.pl:1.7.2.1.4.1 openssl/util/mkdef.pl:1.9 if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; } if ($keyword eq "GMP" && $no_gmp) { return 0; } Index: openssl/util/pl/VC-32.pl -diff -u openssl/util/pl/VC-32.pl:1.7.2.1.4.1 openssl/util/pl/VC-32.pl:1.8 ---- openssl/util/pl/VC-32.pl:1.7.2.1.4.1 Tue Jun 19 15:30:18 2012 -+++ openssl/util/pl/VC-32.pl Tue Jun 19 16:18:10 2012 +diff -u openssl/util/pl/VC-32.pl:1.7.2.1.4.1.2.1 openssl/util/pl/VC-32.pl:1.9 +--- openssl/util/pl/VC-32.pl:1.7.2.1.4.1.2.1 Wed May 15 11:47:13 2013 ++++ openssl/util/pl/VC-32.pl Wed May 15 11:57:43 2013 @@ -46,7 +46,7 @@ my $f = $shlib || $fips ?' /MD':' /MT'; $lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib diff --git a/doc/arm/pkcs11.xml b/doc/arm/pkcs11.xml index 8a0062f4ad..aa13c021c3 100644 --- a/doc/arm/pkcs11.xml +++ b/doc/arm/pkcs11.xml @@ -70,13 +70,14 @@ The modified OpenSSL code is included in the BIND 9 release, in the form of a context diff against the latest verions of - OpenSSL. OpenSSL 0.9.8 and 1.0.0 are both supported; there are + OpenSSL. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are supported; there are separate diffs for each version. In the examples to follow, - we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0. + we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0 + and 1.0.1. The latest OpenSSL versions at the time of the BIND release - are 0.9.8s and 1.0.0f. + are 0.9.8y, 1.0.0k and 1.0.1e. ISC will provide an updated patch as new versions of OpenSSL are released. The version number in the following examples is expected to change.