OBSOLETE Patch-ID# 151913-04
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security openssl 1.0.1
Synopsis: Obsoleted by: 151913-05 SunOS 5.10_x86: OpenSSL 1.0.1 patch
Date: Apr/18/2016
Install Requirements: NA
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 151912
Topic: SunOS 5.10_x86: OpenSSL 1.0.1 patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 22307591 22309690 22603686 22829389 22829403 22829425 22852190
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch: 148072-19 (or greater)
Obsoleted by:
Files included with this patch:
/etc/openssl/openssl.cnf
/usr/bin/CA.pl
/usr/bin/amd64/openssl
/usr/bin/openssl
/usr/include/openssl/aes.h
/usr/include/openssl/asn1.h
/usr/include/openssl/asn1_mac.h
/usr/include/openssl/asn1t.h
/usr/include/openssl/bio.h
/usr/include/openssl/blowfish.h
/usr/include/openssl/bn.h
/usr/include/openssl/buffer.h
/usr/include/openssl/camellia.h
/usr/include/openssl/cast.h
/usr/include/openssl/cmac.h
/usr/include/openssl/cms.h
/usr/include/openssl/comp.h
/usr/include/openssl/conf.h
/usr/include/openssl/conf_api.h
/usr/include/openssl/crypto.h
/usr/include/openssl/des.h
/usr/include/openssl/des_old.h
/usr/include/openssl/dh.h
/usr/include/openssl/dsa.h
/usr/include/openssl/dso.h
/usr/include/openssl/dtls1.h
/usr/include/openssl/e_os2.h
/usr/include/openssl/ebcdic.h
/usr/include/openssl/engine.h
/usr/include/openssl/err.h
/usr/include/openssl/evp.h
/usr/include/openssl/hmac.h
/usr/include/openssl/krb5_asn.h
/usr/include/openssl/kssl.h
/usr/include/openssl/lhash.h
/usr/include/openssl/md2.h
/usr/include/openssl/md4.h
/usr/include/openssl/md5.h
/usr/include/openssl/modes.h
/usr/include/openssl/obj_mac.h
/usr/include/openssl/objects.h
/usr/include/openssl/ocsp.h
/usr/include/openssl/opensslconf.h
/usr/include/openssl/opensslv.h
/usr/include/openssl/ossl_typ.h
/usr/include/openssl/pem.h
/usr/include/openssl/pem2.h
/usr/include/openssl/pkcs12.h
/usr/include/openssl/pkcs7.h
/usr/include/openssl/pqueue.h
/usr/include/openssl/rand.h
/usr/include/openssl/rc2.h
/usr/include/openssl/rc4.h
/usr/include/openssl/ripemd.h
/usr/include/openssl/rsa.h
/usr/include/openssl/safestack.h
/usr/include/openssl/sha.h
/usr/include/openssl/srp.h
/usr/include/openssl/srtp.h
/usr/include/openssl/ssl.h
/usr/include/openssl/ssl2.h
/usr/include/openssl/ssl23.h
/usr/include/openssl/ssl3.h
/usr/include/openssl/stack.h
/usr/include/openssl/symhacks.h
/usr/include/openssl/tls1.h
/usr/include/openssl/ts.h
/usr/include/openssl/txt_db.h
/usr/include/openssl/ui.h
/usr/include/openssl/ui_compat.h
/usr/include/openssl/x509.h
/usr/include/openssl/x509_vfy.h
/usr/include/openssl/x509v3.h
/usr/lib/amd64/libcrypto.so
/usr/lib/amd64/libcrypto.so.1.0.0
/usr/lib/amd64/libssl.so
/usr/lib/amd64/libssl.so.1.0.0
/usr/lib/amd64/llib-lcrypto.ln
/usr/lib/amd64/llib-lssl.ln
/usr/lib/amd64/pkgconfig/libcrypto.pc
/usr/lib/amd64/pkgconfig/libssl.pc
/usr/lib/amd64/pkgconfig/openssl.pc
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.1.0.0
/usr/lib/libssl.so
/usr/lib/libssl.so.1.0.0
/usr/lib/llib-lcrypto
/usr/lib/llib-lcrypto.ln
/usr/lib/llib-lssl
/usr/lib/llib-lssl.ln
/usr/lib/openssl/engines/64
/usr/lib/openssl/engines/amd64/libpk11.so
/usr/lib/openssl/engines/amd64/libpk11.so.1.0.0
/usr/lib/openssl/engines/libpk11.so
/usr/lib/openssl/engines/libpk11.so.1.0.0
/usr/lib/pkgconfig/libcrypto.pc
/usr/lib/pkgconfig/libssl.pc
/usr/lib/pkgconfig/openssl.pc
Problem Description:
22307591 problem with OpenSSL
22309690 upgrade OpenSSL version to 1.0.1q
22603686 upgrade OpenSSL version to 1.0.1r
22829389 problem with OpenSSL
22829403 problem with OpenSSL
22829425 problem with OpenSSL
22852190 upgrade OpenSSL version to 1.0.1s
(from 151913-03)
22121569 PKCS#11 engine library is missing a symlink to libpk11.so.1
22305087 lint library info is not generated and shipped for OpenSSL 1.0.1 in Solaris 10
(from 151913-02)
22278885 symlinks missing in OpenSSL 1.0.1 patches
(from 151913-01)
15569223 32-bit openssl x86 performance can be greatly improved by enabling hand-crafted asm
15711910 move OpenSSL from SFW to Userland gate
15780866 OpenSSL for wanboot should not be built in a separate directory
15824598 T4 AES should be embedded in the OpenSSL upstream source
15824599 T4 hash should be embedded in the OpenSSL upstream source
15824600 T4 montmul should be embedded in the OpenSSL upstream source
16921388 T4 DES should be embedded in the OpenSSL upstream source
16922032 need X509_V_FLAG_PARTIAL_CHAIN - ability to trust a leaf certificate
17193314 ssh dumps core when using aes128-cbc cipher on T4
17283726 memory leak with EVP_CipherInit_ex
17799549 libcrypto openssl incorrect size for libcrypto.so.1.0.0`_sparcv9_random
17822462 svc:/network/sendmail-client:default (sendmail SMTP client queue runner) dumped core
20231102 problem with OpenSSL
20826468 enable internal tests for OpenSSL in the Userland gate
20992215 warnings about sparcv8+ ABI violation found in OpenSSL build logs
21059433 Solaris 10 specific patches for integrating OpenSSL 1.0.1
21059453 OpenSSL consumers should be initially built with current OpenSSL version 0.9.7d
21149030 segfault when a cleanup callback is called before cipher initialization
21179246 passing incompatible argument in crypto/evp/e_aes.c:861
21416447 upgrade OpenSSL version to 1.0.1p
21492687 PIN caching policy "mlocked-memory" does not work in the PKCS#11 engine
21822200 warning about unused variables in ssl_asn1.c with "no-psk"
21829045 OpenSSL 1.0.1 integrated into Solaris 10 must support export source builds
22253902 OpenSSL engine needs to live under /usr directory hierarchy
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Release Notes for Solaris 10 OpenSSL 1.0.1 on x86
OpenSSL.org has announced end of support for OpenSSL 0.9.8 at the
end of 2015. This will impact the ability to backport security
fixes into Solaris 10's 0.9.7d-based OpenSSL and, as a result,
OpenSSL version 1.0.1 is being provided for Solaris 10.
1. Deliverables
To get OpenSSL 1.0.1p for Solaris 10 (SPARC), please apply the
following patch:
151913-02 (or greater) OpenSSL 1.0.1 patch (this patch)
When this patch is installed on a Solaris 10 system, existing
SUNWopenssl* packages are enhanced with new OpenSSL deliverables
in the following locations:
- binaries in /usr/bin and /usr/bin/64
- libraries in /usr/lib and /usr/lib/64
- header files in /usr/include
- pkg-config(1) files in /usr/lib/pkgconfig and /usr/lib/64/pkgconfig
- configuration in /etc/openssl
2. Impact on existing old OpenSSL
The new OpenSSL 1.0.1 deliverables do not interfere with the
existing OpenSSL 0.9.7d (+ security fixes) already present on
your system. This means you can still use your existing commands
and applications built against the old OpenSSL 0.9.7d.
There is one exception here: pkg-config(1) files. pkg-config(1)
files relevant to the old OpenSSL 0.9.7d were moved:
- /usr/lib/pkgconfig/openssl.pc -> /usr/sfw/lib/pkgconfig/openssl.pc
- /usr/lib/64/pkgconfig/openssl.pc -> /usr/sfw/lib/64/pkgconfig/openssl.pc
3. Usage
How do you use the new OpenSSL 1.0.1 after patch installation? The
openssl binary in /usr/bin works just as you would expect.
When building an application against new OpenSSL libraries, it
should just work out-of-the-box because header files and libraries
are installed in standard default locations searched by compilers.
If the application has a dependency on a header file or library
residing in /usr/sfw then use:
-I/usr/include -I/usr/sfw/include for search path of header files
-L/usr/lib -L/usr/sfw/lib for search path of libraries for linking
There is also one exception here: if you are building with gcc 3.4.3
shipped with Solaris 10 (package SUNWgcc), then there is a problem
with search order of header files and libraries for linking. That
is, gcc 3.4.3 hardcodes /usr/sfw/include at the beginning of its
search list of system header files. Similarly, gcc 3.4.3 hardcodes
/usr/sfw/lib at the beginning of its search list of libraries for
linking. This means that header files and libraries for linking
from the old OpenSSL 0.9.7d would be picked by default.
Unfortunately there is no single workaround for this problem. Here
is a list of recipes which you can try to work around this problem:
Recipe 1
Use special flags when running the configure script to reorder the
list of include paths to shift /usr/sfw/include to the end, and
specify the libraries directly when the configure script has a
means to do that. E.g. for the wget program the configure command
would be:
openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
CFLAGS="-nostdinc $openssl_includes" OPENSSL_LIBS="/usr/lib/libssl.so.1.0.0 /usr/lib/libcrypto.so.1.0.0" ./configure --with-ssl=openssl
Recipe 2
Use special flags when running the configure script to reorder the
list of include paths to shift /usr/sfw/include to the end, and do
so similarly with the list of library paths and /usr/sfw/lib. E.g.
for the curl program the configure command would be:
openssl_includes=`cpp -Wp,-v </dev/null 2>&1 | awk 'BEGIN {hold=""} $0 !~ /^ / {next}; $0 ~ /^ \/usr\/sfw\/include$/ {hold="-I/usr/sfw/include"; next}; {printf "-I%s ", $0}; END {printf "%s\n", hold}'`
openssl_libs=`/usr/sfw/bin/gld --verbose | grep ^SEARCH_DIR | sed -e 's/SEARCH_DIR("//g' -e 's/");//g' | tr ' ' '\n' | awk 'BEGIN {hold=""} $0 !~ /^\// {next}; $0 ~ /^\/usr\/sfw\/lib$/ {hold="-L/usr/sfw/lib"; next}; {printf "-L%s ", $0}; END {printf "%s\n", hold}'`
CPPFLAGS="-nostdinc $openssl_includes" LDFLAGS="-nodefaultlibs $openssl_libs" LIBS="-lc" ./configure
Recipe 3
If none of the previous recipes work, you can install the following
supplementary IDR for SPARC which removes OpenSSL 0.9.7d header files
and libraries for linking from your system:
IDR152033-03 Upgrade OpenSSL version to 1.0.1m
In particular, after this supplementary IDR is installed:
- The directory /usr/sfw/include/openssl is empty
- Symlinks for linking /usr/sfw/lib/lib{crypto,ssl}.so and
/usr/sfw/lib/64/lib{crypto,ssl}.so do not exist
This means the supplementary IDR will prevent compiling against
OpenSSL 0.9.7d. Existing programs linked against this version
will continue working.
When the IDR is backed out, the previous state is restored. It
is possible to install the supplementary IDR on top of the main
patch, but not vice versa.
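Added example (not part of Oracle's README): a check to run on ldd output after trying one of the recipes above, confirming that the built binary resolves libssl/libcrypto from /usr/lib and not from /usr/sfw/lib. The helper name check_openssl_link is hypothetical, and the sample ldd lines (including the 0.9.7 soname) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Real use after a build:
#   ldd /path/to/built/binary | check_openssl_link
# On Solaris 10, substitute nawk or /usr/xpg4/bin/awk if /usr/bin/awk
# rejects the program.

# Constructed ldd output: one binary linked against the new libraries,
# one that picked up the old OpenSSL under /usr/sfw (soname assumed).
SAMPLE_NEW=' libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0
 libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0
 libc.so.1 => /lib/libc.so.1'
SAMPLE_OLD=' libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
 libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
 libc.so.1 => /lib/libc.so.1'

# Reads ldd output on stdin and prints one verdict per OpenSSL library.
# Exit status: 0 = all resolved outside /usr/sfw,
#              1 = at least one resolved under /usr/sfw or not found,
#              2 = no dynamic libssl/libcrypto dependency at all
#                  (for example, configure silently disabled SSL).
check_openssl_link() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen = 1
            if ($3 == "(file") {                # "(file not found)"
                print "MISSING " $1; bad = 1
            } else if ($3 ~ /^\/usr\/sfw\//) {  # old OpenSSL location
                print "OLD " $1 " " $3; bad = 1
            } else {
                print "OK " $1 " " $3
            }
        }
        END {
            if (!seen) { print "NONE no libssl or libcrypto dependency"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Demo on the constructed samples.
for sample in "$SAMPLE_NEW" "$SAMPLE_OLD"; do
    printf '%s\n' "$sample" | check_openssl_link || echo "-> exit status $?"
done
```

A status of 1 after Recipe 1 or 2 means the gcc search order still placed /usr/sfw ahead of /usr/lib for that build.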
README -- Last modified date: Tuesday, May 31, 2016