path: root/usr/src/common/openssl/README.SUNW

#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

The version of OpenSSL found in this directory was created by taking the
stock version of OpenSSL 0.9.8a from www.openssl.org and modifying some of
the files to conform to Sun standards.  

This work is based on previous work done on stock version of OpenSSL 0.9.7d
shipped with Solaris 10.

===================
Configure options
===================

Below are the options and the targets given to the Configure script.

To build shared objects,

    ./Configure \
	no-ec \
	no-ecdh \
	no-ecdsa \
	no-rc3 \
	no-rc5 \
	no-mdc2 \
	no-idea \
	no-hw_cswift \
	no-hw_ncipher \
	no-hw_atalla \
	no-hw_nuron \
	no-hw_ubsec \
	no-hw_aep \
	no-hw_sureware \
	no-hw_4758-cca \
	no-hw_chil \
	no-hw_gmp \
	threads \
	shared \
	$TARGET

, where TARGET is one of the three, depending on the target architecture:

    solaris-sparcv8-cc (sparc)
    solaris64-sparcv9-cc (sparcv9)
    solaris-x86-cc (i386)


For libcrypto.a and libssl.a used by wanboot,

    ./Configure \
	no-aes \
	no-cast \
	no-dso \
	no-ec \
	no-ecdh \
	no-ecdsa \
	no-mdc2 \
	no-rc3 \
	no-rc4 \
	no-rc5 \
	no-ripemd \
	no-idea \
	no-hw \
	no-threads \
	solaris64-sparcv9-cc


===============================================
The files differ from the original distribution
===============================================

The following files are different from the OpenSSL 0.9.8a release.

1. This header file is generated by Configure.  We combined four versions of 
   this file generated by four runs of Configure.

	crypto/opensslconf.h

2. Solaris OpenSSL supports PKCS#11 engine.
   This code may go back to the open-source community in the future.

   The following files were created.

	crypto/engine/hw_pk11_err.h
	crypto/engine/hw_pk11.c
	crypto/engine/hw_pk11_err.c
	crypto/engine/hw_pk11_pub.c

   The following files were modified.

	crypto/engine/engine.h

3. These files were modified to load the PKCS#11 engine.
   Added code is surrounded by "#ifdef SOLARIS_OPENSSL".

	crypto/engine/eng_cnf.c
	crypto/engine/hw_pk11.c


4. We have a special case where OpenSSL is used by the "wanboot" binary
   program, that is run to boot the wanboot client.
   The following files are modified for this purpose.  Added code is 
   surrounded by "#ifdef _BOOT".

	crypto/opensslconf.h
	crypto/err/err_all.c
	crypto/evp/evp_key.c
	crypto/rand/rand_unix.c
	crypto/rand/randfile.c
	crypto/x509v3/v3_utl.c
	e_os.h


5. The configuration file was modified to ship with Solaris defaults.

	$SRC/cmd/openssl/openssl.cnf
	(Note: apps/openssl.cnf is unused.)


6. Two files were added for a clean ON build even though the majority
   if OpenSSL code itself is not subject to lint checks (with the exception
   of crypto/engine/hw_pk11*.[ch] files).

	crypto/llib-lcrypto
	ssl/llib-lssl

7. OpenSSL version string was modified. Due to the fact that we don't upgrade
   OpenSSL frequently we are forced to patch the currently shipped version. The
   problem with this aproach is that normally, every security vulnerability fix
   triggers a new release of OpenSSL so people can easily check whether their
   currently installed version is vulnerable or not. That is not possible with a
   patched older version. So, we decided to put the security bug tags into the
   version string, like this:

   OpenSSL 0.9.8a 11 Oct 2005 (+ security fixes for: CAN-2005-2969 CVE-2006-3738
   CVE-2006-4343 CVE-2007-3108 CVE-2007-5135 CVE-2008-5077)

   Note that actually it's all on the same line because we want to avoid
   problems with Configure scripts that might rely on the fact that the original
   OpenSSL version string consists of one line only.

   Be aware that the version string is not considered a stable interface and
   that all security vulnerability reports are available via SunAlert
   notifications.

8. And, finally, this file was added.

	README.SUNW