From 1e3c58d18dbbc867ce3fd44f1f32119fe04d5543 Mon Sep 17 00:00:00 2001 From: Cecil Hugh Watson Date: Sat, 4 Sep 2010 22:51:18 -0700 Subject: openssl:Bumped/Updated for LinHES 7. --- abs/core-testing/openssl/PKGBUILD | 52 +- abs/core-testing/openssl/ca-dir.patch | 33 + abs/core-testing/openssl/fix-manpages.patch | 1887 +++++++++++++++++++++++++++ abs/core-testing/openssl/no-rpath.patch | 11 + 4 files changed, 1971 insertions(+), 12 deletions(-) create mode 100644 abs/core-testing/openssl/ca-dir.patch create mode 100644 abs/core-testing/openssl/fix-manpages.patch create mode 100644 abs/core-testing/openssl/no-rpath.patch diff --git a/abs/core-testing/openssl/PKGBUILD b/abs/core-testing/openssl/PKGBUILD index 457c646..9853a57 100644 --- a/abs/core-testing/openssl/PKGBUILD +++ b/abs/core-testing/openssl/PKGBUILD @@ -1,28 +1,56 @@ -# $Id: PKGBUILD 23270 2009-01-07 15:42:29Z pierre $ +# $Id: PKGBUILD 81714 2010-06-02 11:00:36Z pierre $ # Maintainer: Pierre Schmitz pkgname=openssl -pkgver=0.9.8j -pkgrel=1 +_ver=1.0.0a +# use a pacman compatible version scheme +pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}} +pkgrel=2 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security' arch=('i686' 'x86_64') -url='http://www.openssl.org' +url='https://www.openssl.org' license=('custom:BSD') -depends=('zlib' 'perl') +depends=('perl') optdepends=('ca-certificates') options=('!makeflags') -source=("http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz" \ - 'http://www.linuxfromscratch.org/patches/blfs/svn/openssl-0.9.8j-fix_manpages-1.patch') +backup=('etc/ssl/openssl.cnf') +source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz" + 'fix-manpages.patch' + 'no-rpath.patch' + 'ca-dir.patch') +md5sums=('e3873edfffc783624cfbdb65e2249cbd' + 'f540cd9e0e3047d589d0581fe7a2d0f2' + 'dc78d3d06baffc16217519242ce92478' + '3bf51be3a1bbd262be46dc619f92aa90') + +# keep an upgrade path for older installations +PKGEXT='.pkg.tar.gz' build() { - cd $srcdir/$pkgname-$pkgver + cd $srcdir/$pkgname-$_ver - patch -p1 -i $srcdir/openssl-0.9.8j-fix_manpages-1.patch || return 1 - ./config --prefix=/usr --openssldir=/etc/ssl shared zlib -Wa,--noexecstack + # avoid conflicts with other man pages + # see http://www.linuxfromscratch.org/patches/downloads/openssl/ + patch -p0 -i $srcdir/fix-manpages.patch || return 1 + # remove rpath: http://bugs.archlinux.org/task/14367 + patch -p0 -i $srcdir/no-rpath.patch || return 1 + # set ca dir to /etc/ssl by default + patch -p0 -i $srcdir/ca-dir.patch || return 1 + # mark stack as non-executable: http://bugs.archlinux.org/task/12434 + ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib \ + shared zlib enable-md2 -Wa,--noexecstack || return 1 make || return 1 - make test || return 1 - make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man install + # the test fails due to missing write permissions in /etc/ssl + # revert this patch for make test + #patch -p0 -R -i $srcdir/ca-dir.patch + #make test || return 1 + #patch -p0 -i $srcdir/ca-dir.patch +} + +package() { + cd $srcdir/$pkgname-$_ver + make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man install install -D -m644 LICENSE $pkgdir/usr/share/licenses/$pkgname/LICENSE } diff --git a/abs/core-testing/openssl/ca-dir.patch b/abs/core-testing/openssl/ca-dir.patch new file mode 100644 index 0000000..41d1386 --- /dev/null +++ b/abs/core-testing/openssl/ca-dir.patch @@ -0,0 +1,33 @@ +--- apps/CA.pl.in 2006-04-28 02:30:49.000000000 +0200 ++++ apps/CA.pl.in 2010-04-01 00:35:02.600553509 +0200 +@@ -53,7 +53,7 @@ + $X509="$openssl x509"; + $PKCS12="$openssl pkcs12"; + +-$CATOP="./demoCA"; ++$CATOP="/etc/ssl"; + $CAKEY="cakey.pem"; + $CAREQ="careq.pem"; + $CACERT="cacert.pem"; +--- apps/CA.sh 2009-10-15 19:27:47.000000000 +0200 ++++ apps/CA.sh 2010-04-01 00:35:02.600553509 +0200 +@@ -68,7 +68,7 @@ + X509="$OPENSSL x509" + PKCS12="openssl pkcs12" + +-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi ++if [ -z "$CATOP" ] ; then CATOP=/etc/ssl ; fi + CAKEY=./cakey.pem + CAREQ=./careq.pem + CACERT=./cacert.pem +--- apps/openssl.cnf 2009-04-04 20:09:43.000000000 +0200 ++++ apps/openssl.cnf 2010-04-01 00:35:02.607220681 +0200 +@@ -39,7 +39,7 @@ + #################################################################### + [ CA_default ] + +-dir = ./demoCA # Where everything is kept ++dir = /etc/ssl # Where everything is kept + certs = $dir/certs # Where the issued certs are kept + crl_dir = $dir/crl # Where the issued crl are kept + database = $dir/index.txt # database index file. diff --git a/abs/core-testing/openssl/fix-manpages.patch b/abs/core-testing/openssl/fix-manpages.patch new file mode 100644 index 0000000..e043081 --- /dev/null +++ b/abs/core-testing/openssl/fix-manpages.patch @@ -0,0 +1,1887 @@ +--- crypto/rand/md_rand.c 2009-01-03 10:25:32.000000000 +0100 ++++ crypto/rand/md_rand.c 2010-04-01 00:45:00.746327192 +0200 +@@ -196,7 +196,7 @@ + int do_not_lock; + + /* +- * (Based on the rand(3) manpage) ++ * (Based on the openssl_rand(3) manpage) + * + * The input is chopped up into units of 20 bytes (or less for + * the last block). Each of these blocks is run through the hash +@@ -361,7 +361,7 @@ + num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2); + + /* +- * (Based on the rand(3) manpage:) ++ * (Based on the openssl_rand(3) manpage) + * + * For each group of 10 bytes (or less), we do the following: + * +--- doc/apps/openssl-passwd.pod 1970-01-01 01:00:00.000000000 +0100 ++++ doc/apps/openssl-passwd.pod 2010-04-01 00:45:00.796327220 +0200 +@@ -0,0 +1,82 @@ ++=pod ++ ++=head1 NAME ++ ++openssl-passwd - compute password hashes ++ ++=head1 SYNOPSIS ++ ++B ++[B<-crypt>] ++[B<-1>] ++[B<-apr1>] ++[B<-salt> I] ++[B<-in> I] ++[B<-stdin>] ++[B<-noverify>] ++[B<-quiet>] ++[B<-table>] ++{I} ++ ++=head1 DESCRIPTION ++ ++The B command computes the hash of a password typed at ++run-time or the hash of each password in a list. The password list is ++taken from the named file for option B<-in file>, from stdin for ++option B<-stdin>, or from the command line, or from the terminal otherwise. ++The Unix standard algorithm B and the MD5-based BSD password ++algorithm B<1> and its Apache variant B are available. ++ ++=head1 OPTIONS ++ ++=over 4 ++ ++=item B<-crypt> ++ ++Use the B algorithm (default). ++ ++=item B<-1> ++ ++Use the MD5 based BSD password algorithm B<1>. ++ ++=item B<-apr1> ++ ++Use the B algorithm (Apache variant of the BSD algorithm). ++ ++=item B<-salt> I ++ ++Use the specified salt. ++When reading a password from the terminal, this implies B<-noverify>. ++ ++=item B<-in> I ++ ++Read passwords from I. ++ ++=item B<-stdin> ++ ++Read passwords from B. ++ ++=item B<-noverify> ++ ++Don't verify when reading a password from the terminal. ++ ++=item B<-quiet> ++ ++Don't output warnings when passwords given at the command line are truncated. ++ ++=item B<-table> ++ ++In the output list, prepend the cleartext password and a TAB character ++to each password hash. ++ ++=back ++ ++=head1 EXAMPLES ++ ++B prints B. ++ ++B prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. ++ ++B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. ++ ++=cut +--- doc/apps/openssl.pod 2010-01-21 19:46:28.000000000 +0100 ++++ doc/apps/openssl.pod 2010-04-01 00:45:00.796327220 +0200 +@@ -163,7 +163,7 @@ + + Online Certificate Status Protocol utility. + +-=item L|passwd(1)> ++=item L|openssl-passwd(1)> + + Generation of hashed passwords. + +@@ -401,7 +401,7 @@ + L, L, L, + L, L, L, + L, L, L, +-L, ++L, + L, L, L, + L, L, L, + L, L, +--- doc/apps/passwd.pod 2002-10-04 14:59:00.000000000 +0200 ++++ doc/apps/passwd.pod 1970-01-01 01:00:00.000000000 +0100 +@@ -1,82 +0,0 @@ +-=pod +- +-=head1 NAME +- +-passwd - compute password hashes +- +-=head1 SYNOPSIS +- +-B +-[B<-crypt>] +-[B<-1>] +-[B<-apr1>] +-[B<-salt> I] +-[B<-in> I] +-[B<-stdin>] +-[B<-noverify>] +-[B<-quiet>] +-[B<-table>] +-{I} +- +-=head1 DESCRIPTION +- +-The B command computes the hash of a password typed at +-run-time or the hash of each password in a list. The password list is +-taken from the named file for option B<-in file>, from stdin for +-option B<-stdin>, or from the command line, or from the terminal otherwise. +-The Unix standard algorithm B and the MD5-based BSD password +-algorithm B<1> and its Apache variant B are available. +- +-=head1 OPTIONS +- +-=over 4 +- +-=item B<-crypt> +- +-Use the B algorithm (default). +- +-=item B<-1> +- +-Use the MD5 based BSD password algorithm B<1>. +- +-=item B<-apr1> +- +-Use the B algorithm (Apache variant of the BSD algorithm). +- +-=item B<-salt> I +- +-Use the specified salt. +-When reading a password from the terminal, this implies B<-noverify>. +- +-=item B<-in> I +- +-Read passwords from I. +- +-=item B<-stdin> +- +-Read passwords from B. +- +-=item B<-noverify> +- +-Don't verify when reading a password from the terminal. +- +-=item B<-quiet> +- +-Don't output warnings when passwords given at the command line are truncated. +- +-=item B<-table> +- +-In the output list, prepend the cleartext password and a TAB character +-to each password hash. +- +-=back +- +-=head1 EXAMPLES +- +-B prints B. +- +-B prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. +- +-B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. +- +-=cut +--- doc/crypto/BN_generate_prime.pod 2003-01-13 14:18:22.000000000 +0100 ++++ doc/crypto/BN_generate_prime.pod 2010-04-01 00:45:00.824035190 +0200 +@@ -90,7 +90,7 @@ + + =head1 SEE ALSO + +-L, L, L ++L, L, L + + =head1 HISTORY + +--- doc/crypto/bn.pod 2008-07-03 21:59:24.000000000 +0200 ++++ doc/crypto/bn.pod 2010-04-01 00:45:01.022993777 +0200 +@@ -167,7 +167,7 @@ + =head1 SEE ALSO + + L, +-L, L, L, L, ++L, L, L, L, + L, L, + L, L, L, + L, L, +--- doc/crypto/BN_rand.pod 2002-09-25 15:33:26.000000000 +0200 ++++ doc/crypto/BN_rand.pod 2010-04-01 00:45:00.824035190 +0200 +@@ -45,7 +45,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L, L + + =head1 HISTORY +--- doc/crypto/CONF_modules_free.pod 2006-12-21 22:13:27.000000000 +0100 ++++ doc/crypto/CONF_modules_free.pod 2010-04-01 00:45:00.827162198 +0200 +@@ -37,7 +37,7 @@ + =head1 SEE ALSO + + L, L, +-L ++L + + =head1 HISTORY + +--- doc/crypto/CONF_modules_load_file.pod 2004-03-02 14:31:32.000000000 +0100 ++++ doc/crypto/CONF_modules_load_file.pod 2010-04-01 00:45:00.833827289 +0200 +@@ -51,7 +51,7 @@ + =head1 SEE ALSO + + L, L, +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/crypto.pod 2002-10-06 14:59:25.000000000 +0200 ++++ doc/crypto/crypto.pod 2010-04-01 00:45:01.029660428 +0200 +@@ -46,7 +46,7 @@ + + =item AUXILIARY FUNCTIONS + +-L, L, L, ++L, L, L, + L + + =item INPUT/OUTPUT, DATA ENCODING +--- doc/crypto/des.pod 2003-10-01 17:02:45.000000000 +0200 ++++ doc/crypto/des.pod 2010-04-01 00:45:01.036327160 +0200 +@@ -115,7 +115,7 @@ + the key; it is used to speed the encryption process. + + DES_random_key() generates a random key. The PRNG must be seeded +-prior to using this function (see L). If the PRNG ++prior to using this function (see L). If the PRNG + could not generate a secure key, 0 is returned. + + Before a DES key can be used, it must be converted into the +@@ -317,7 +317,7 @@ + + =head1 SEE ALSO + +-crypt(3), L, L, L ++crypt(3), L, L, L + + =head1 HISTORY + +--- doc/crypto/DH_generate_key.pod 2002-09-25 15:33:27.000000000 +0200 ++++ doc/crypto/DH_generate_key.pod 2010-04-01 00:45:00.840494142 +0200 +@@ -40,7 +40,7 @@ + + =head1 SEE ALSO + +-L, L, L, L ++L, L, L, L + + =head1 HISTORY + +--- doc/crypto/DH_generate_parameters.pod 2002-09-25 15:33:27.000000000 +0200 ++++ doc/crypto/DH_generate_parameters.pod 2010-04-01 00:45:00.847161913 +0200 +@@ -59,7 +59,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L + + =head1 HISTORY +--- doc/crypto/dh.pod 2002-08-05 18:27:01.000000000 +0200 ++++ doc/crypto/dh.pod 2010-04-01 00:45:01.036327160 +0200 +@@ -67,8 +67,8 @@ + + =head1 SEE ALSO + +-L, L, L, L, +-L, L, L, ++L, L, L, L, ++L, L, L, + L, L, + L, + L, +--- doc/crypto/DSA_do_sign.pod 2002-09-25 15:33:27.000000000 +0200 ++++ doc/crypto/DSA_do_sign.pod 2010-04-01 00:45:00.847161913 +0200 +@@ -36,7 +36,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L, + L + +--- doc/crypto/DSA_generate_key.pod 2002-09-25 15:33:27.000000000 +0200 ++++ doc/crypto/DSA_generate_key.pod 2010-04-01 00:45:00.847161913 +0200 +@@ -24,7 +24,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L + + =head1 HISTORY +--- doc/crypto/DSA_generate_parameters.pod 2002-09-25 15:33:27.000000000 +0200 ++++ doc/crypto/DSA_generate_parameters.pod 2010-04-01 00:45:00.847161913 +0200 +@@ -90,7 +90,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L + + =head1 HISTORY +--- doc/crypto/dsa.pod 2002-08-05 18:27:01.000000000 +0200 ++++ doc/crypto/dsa.pod 2010-04-01 00:45:01.042994012 +0200 +@@ -100,7 +100,7 @@ + + =head1 SEE ALSO + +-L, L, L, L, ++L, L, L, L, + L, L, L, + L, + L, +--- doc/crypto/DSA_sign.pod 2002-09-25 15:33:27.000000000 +0200 ++++ doc/crypto/DSA_sign.pod 2010-04-01 00:45:00.847161913 +0200 +@@ -55,7 +55,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L + + =head1 HISTORY +--- doc/crypto/engine.pod 2007-11-19 10:18:03.000000000 +0100 ++++ doc/crypto/engine.pod 2010-04-01 00:45:01.049660583 +0200 +@@ -594,6 +594,6 @@ + + =head1 SEE ALSO + +-L, L, L, L ++L, L, L, L + + =cut +--- doc/crypto/ERR_clear_error.pod 2000-02-01 02:36:58.000000000 +0100 ++++ doc/crypto/ERR_clear_error.pod 2010-04-01 00:45:00.857161750 +0200 +@@ -20,7 +20,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/ERR_error_string.pod 2004-11-14 16:11:37.000000000 +0100 ++++ doc/crypto/ERR_error_string.pod 2010-04-01 00:45:00.863828202 +0200 +@@ -60,7 +60,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L, + L + L +--- doc/crypto/ERR_get_error.pod 2002-11-29 15:21:54.000000000 +0100 ++++ doc/crypto/ERR_get_error.pod 2010-04-01 00:45:00.870494614 +0200 +@@ -61,7 +61,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L + + =head1 HISTORY +--- doc/crypto/ERR_GET_LIB.pod 2000-02-01 02:36:58.000000000 +0100 ++++ doc/crypto/ERR_GET_LIB.pod 2010-04-01 00:45:00.850495218 +0200 +@@ -41,7 +41,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/ERR_load_crypto_strings.pod 2000-02-24 12:55:08.000000000 +0100 ++++ doc/crypto/ERR_load_crypto_strings.pod 2010-04-01 00:45:00.873827919 +0200 +@@ -35,7 +35,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/ERR_load_strings.pod 2000-02-24 12:55:08.000000000 +0100 ++++ doc/crypto/ERR_load_strings.pod 2010-04-01 00:45:00.876327759 +0200 +@@ -43,7 +43,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/err.pod 2002-07-10 21:35:46.000000000 +0200 ++++ doc/crypto/err.pod 1970-01-01 01:00:00.000000000 +0100 +@@ -1,187 +0,0 @@ +-=pod +- +-=head1 NAME +- +-err - error codes +- +-=head1 SYNOPSIS +- +- #include +- +- unsigned long ERR_get_error(void); +- unsigned long ERR_peek_error(void); +- unsigned long ERR_get_error_line(const char **file, int *line); +- unsigned long ERR_peek_error_line(const char **file, int *line); +- unsigned long ERR_get_error_line_data(const char **file, int *line, +- const char **data, int *flags); +- unsigned long ERR_peek_error_line_data(const char **file, int *line, +- const char **data, int *flags); +- +- int ERR_GET_LIB(unsigned long e); +- int ERR_GET_FUNC(unsigned long e); +- int ERR_GET_REASON(unsigned long e); +- +- void ERR_clear_error(void); +- +- char *ERR_error_string(unsigned long e, char *buf); +- const char *ERR_lib_error_string(unsigned long e); +- const char *ERR_func_error_string(unsigned long e); +- const char *ERR_reason_error_string(unsigned long e); +- +- void ERR_print_errors(BIO *bp); +- void ERR_print_errors_fp(FILE *fp); +- +- void ERR_load_crypto_strings(void); +- void ERR_free_strings(void); +- +- void ERR_remove_state(unsigned long pid); +- +- void ERR_put_error(int lib, int func, int reason, const char *file, +- int line); +- void ERR_add_error_data(int num, ...); +- +- void ERR_load_strings(int lib,ERR_STRING_DATA str[]); +- unsigned long ERR_PACK(int lib, int func, int reason); +- int ERR_get_next_error_library(void); +- +-=head1 DESCRIPTION +- +-When a call to the OpenSSL library fails, this is usually signalled +-by the return value, and an error code is stored in an error queue +-associated with the current thread. The B library provides +-functions to obtain these error codes and textual error messages. +- +-The L manpage describes how to +-access error codes. +- +-Error codes contain information about where the error occurred, and +-what went wrong. L describes how to +-extract this information. A method to obtain human-readable error +-messages is described in L. +- +-L can be used to clear the +-error queue. +- +-Note that L should be used to +-avoid memory leaks when threads are terminated. +- +-=head1 ADDING NEW ERROR CODES TO OPENSSL +- +-See L if you want to record error codes in the +-OpenSSL error system from within your application. +- +-The remainder of this section is of interest only if you want to add +-new error codes to OpenSSL or add error codes from external libraries. +- +-=head2 Reporting errors +- +-Each sub-library has a specific macro XXXerr() that is used to report +-errors. Its first argument is a function code B, the second +-argument is a reason code B. Function codes are derived +-from the function names; reason codes consist of textual error +-descriptions. For example, the function ssl23_read() reports a +-"handshake failure" as follows: +- +- SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE); +- +-Function and reason codes should consist of upper case characters, +-numbers and underscores only. The error file generation script translates +-function codes into function names by looking in the header files +-for an appropriate function name, if none is found it just uses +-the capitalized form such as "SSL23_READ" in the above example. +- +-The trailing section of a reason code (after the "_R_") is translated +-into lower case and underscores changed to spaces. +- +-When you are using new function or reason codes, run B. +-The necessary B<#define>s will then automatically be added to the +-sub-library's header file. +- +-Although a library will normally report errors using its own specific +-XXXerr macro, another library's macro can be used. This is normally +-only done when a library wants to include ASN1 code which must use +-the ASN1err() macro. +- +-=head2 Adding new libraries +- +-When adding a new sub-library to OpenSSL, assign it a library number +-B, define a macro XXXerr() (both in B), add its +-name to B (in B), and add +-C to the ERR_load_crypto_strings() function +-(in B). Finally, add an entry +- +- L XXX xxx.h xxx_err.c +- +-to B, and add B to the Makefile. +-Running B will then generate a file B, and +-add all error codes used in the library to B. +- +-Additionally the library include file must have a certain form. +-Typically it will initially look like this: +- +- #ifndef HEADER_XXX_H +- #define HEADER_XXX_H +- +- #ifdef __cplusplus +- extern "C" { +- #endif +- +- /* Include files */ +- +- #include +- #include +- +- /* Macros, structures and function prototypes */ +- +- +- /* BEGIN ERROR CODES */ +- +-The B sequence is used by the error code +-generation script as the point to place new error codes, any text +-after this point will be overwritten when B is run. +-The closing #endif etc will be automatically added by the script. +- +-The generated C error code file B will load the header +-files B, B and B so the +-header file must load any additional header files containing any +-definitions it uses. +- +-=head1 USING ERROR CODES IN EXTERNAL LIBRARIES +- +-It is also possible to use OpenSSL's error code scheme in external +-libraries. The library needs to load its own codes and call the OpenSSL +-error code insertion script B explicitly to add codes to +-the header file and generate the C error code file. This will normally +-be done if the external library needs to generate new ASN1 structures +-but it can also be used to add more general purpose error code handling. +- +-TBA more details +- +-=head1 INTERNALS +- +-The error queues are stored in a hash table with one B +-entry for each pid. ERR_get_state() returns the current thread's +-B. An B can hold up to B error +-codes. When more error codes are added, the old ones are overwritten, +-on the assumption that the most recent errors are most important. +- +-Error strings are also stored in hash table. The hash tables can +-be obtained by calling ERR_get_err_state_table(void) and +-ERR_get_string_table(void) respectively. +- +-=head1 SEE ALSO +- +-L, +-L, +-L, +-L, +-L, +-L, +-L, +-L, +-L, +-L, +-L, +-L +- +-=cut +--- doc/crypto/ERR_print_errors.pod 2000-02-01 02:36:59.000000000 +0100 ++++ doc/crypto/ERR_print_errors.pod 2010-04-01 00:45:00.879660945 +0200 +@@ -38,7 +38,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L, + L, + L +--- doc/crypto/ERR_put_error.pod 2000-02-24 12:55:08.000000000 +0100 ++++ doc/crypto/ERR_put_error.pod 2010-04-01 00:45:00.886327158 +0200 +@@ -34,7 +34,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/ERR_remove_state.pod 2000-05-19 09:54:42.000000000 +0200 ++++ doc/crypto/ERR_remove_state.pod 2010-04-01 00:45:00.892994288 +0200 +@@ -25,7 +25,7 @@ + + =head1 SEE ALSO + +-L ++L + + =head1 HISTORY + +--- doc/crypto/EVP_BytesToKey.pod 2004-11-25 18:47:30.000000000 +0100 ++++ doc/crypto/EVP_BytesToKey.pod 2010-04-01 00:45:00.899660540 +0200 +@@ -59,7 +59,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L + + =head1 HISTORY +--- doc/crypto/EVP_OpenInit.pod 2000-09-23 09:16:14.000000000 +0200 ++++ doc/crypto/EVP_OpenInit.pod 2010-04-01 00:45:00.906327633 +0200 +@@ -54,7 +54,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L, + L + +--- doc/crypto/EVP_SealInit.pod 2005-03-29 19:50:08.000000000 +0200 ++++ doc/crypto/EVP_SealInit.pod 2010-04-01 00:45:00.912995642 +0200 +@@ -74,7 +74,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L, + L + +--- doc/crypto/EVP_SignInit.pod 2006-07-12 14:31:29.000000000 +0200 ++++ doc/crypto/EVP_SignInit.pod 2010-04-01 00:45:00.919661935 +0200 +@@ -89,7 +89,7 @@ + =head1 SEE ALSO + + L, +-L, L, ++L, L, + L, L, L, + L, L, L, + L, L +--- doc/crypto/EVP_VerifyInit.pod 2006-07-12 14:31:30.000000000 +0200 ++++ doc/crypto/EVP_VerifyInit.pod 2010-04-01 00:45:00.926327388 +0200 +@@ -80,7 +80,7 @@ + + L, + L, +-L, L, ++L, L, + L, L, L, + L, L, L, + L, L +--- doc/crypto/OPENSSL_config.pod 2005-06-03 01:19:56.000000000 +0200 ++++ doc/crypto/OPENSSL_config.pod 2010-04-01 00:45:00.932995118 +0200 +@@ -73,7 +73,7 @@ + =head1 SEE ALSO + + L, L, +-L ++L + + =head1 HISTORY + +--- doc/crypto/openssl_err.pod 1970-01-01 01:00:00.000000000 +0100 ++++ doc/crypto/openssl_err.pod 2010-04-01 00:45:01.059660101 +0200 +@@ -0,0 +1,187 @@ ++=pod ++ ++=head1 NAME ++ ++openssl_err - error codes ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ unsigned long ERR_get_error(void); ++ unsigned long ERR_peek_error(void); ++ unsigned long ERR_get_error_line(const char **file, int *line); ++ unsigned long ERR_peek_error_line(const char **file, int *line); ++ unsigned long ERR_get_error_line_data(const char **file, int *line, ++ const char **data, int *flags); ++ unsigned long ERR_peek_error_line_data(const char **file, int *line, ++ const char **data, int *flags); ++ ++ int ERR_GET_LIB(unsigned long e); ++ int ERR_GET_FUNC(unsigned long e); ++ int ERR_GET_REASON(unsigned long e); ++ ++ void ERR_clear_error(void); ++ ++ char *ERR_error_string(unsigned long e, char *buf); ++ const char *ERR_lib_error_string(unsigned long e); ++ const char *ERR_func_error_string(unsigned long e); ++ const char *ERR_reason_error_string(unsigned long e); ++ ++ void ERR_print_errors(BIO *bp); ++ void ERR_print_errors_fp(FILE *fp); ++ ++ void ERR_load_crypto_strings(void); ++ void ERR_free_strings(void); ++ ++ void ERR_remove_state(unsigned long pid); ++ ++ void ERR_put_error(int lib, int func, int reason, const char *file, ++ int line); ++ void ERR_add_error_data(int num, ...); ++ ++ void ERR_load_strings(int lib,ERR_STRING_DATA str[]); ++ unsigned long ERR_PACK(int lib, int func, int reason); ++ int ERR_get_next_error_library(void); ++ ++=head1 DESCRIPTION ++ ++When a call to the OpenSSL library fails, this is usually signalled ++by the return value, and an error code is stored in an error queue ++associated with the current thread. The B library provides ++functions to obtain these error codes and textual error messages. ++ ++The L manpage describes how to ++access error codes. ++ ++Error codes contain information about where the error occurred, and ++what went wrong. L describes how to ++extract this information. A method to obtain human-readable error ++messages is described in L. ++ ++L can be used to clear the ++error queue. ++ ++Note that L should be used to ++avoid memory leaks when threads are terminated. ++ ++=head1 ADDING NEW ERROR CODES TO OPENSSL ++ ++See L if you want to record error codes in the ++OpenSSL error system from within your application. ++ ++The remainder of this section is of interest only if you want to add ++new error codes to OpenSSL or add error codes from external libraries. ++ ++=head2 Reporting errors ++ ++Each sub-library has a specific macro XXXerr() that is used to report ++errors. Its first argument is a function code B, the second ++argument is a reason code B. Function codes are derived ++from the function names; reason codes consist of textual error ++descriptions. For example, the function ssl23_read() reports a ++"handshake failure" as follows: ++ ++ SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE); ++ ++Function and reason codes should consist of upper case characters, ++numbers and underscores only. The error file generation script translates ++function codes into function names by looking in the header files ++for an appropriate function name, if none is found it just uses ++the capitalized form such as "SSL23_READ" in the above example. ++ ++The trailing section of a reason code (after the "_R_") is translated ++into lower case and underscores changed to spaces. ++ ++When you are using new function or reason codes, run B. ++The necessary B<#define>s will then automatically be added to the ++sub-library's header file. ++ ++Although a library will normally report errors using its own specific ++XXXerr macro, another library's macro can be used. This is normally ++only done when a library wants to include ASN1 code which must use ++the ASN1err() macro. ++ ++=head2 Adding new libraries ++ ++When adding a new sub-library to OpenSSL, assign it a library number ++B, define a macro XXXerr() (both in B), add its ++name to B (in B), and add ++C to the ERR_load_crypto_strings() function ++(in B). Finally, add an entry ++ ++ L XXX xxx.h xxx_err.c ++ ++to B, and add B to the Makefile. ++Running B will then generate a file B, and ++add all error codes used in the library to B. ++ ++Additionally the library include file must have a certain form. ++Typically it will initially look like this: ++ ++ #ifndef HEADER_XXX_H ++ #define HEADER_XXX_H ++ ++ #ifdef __cplusplus ++ extern "C" { ++ #endif ++ ++ /* Include files */ ++ ++ #include ++ #include ++ ++ /* Macros, structures and function prototypes */ ++ ++ ++ /* BEGIN ERROR CODES */ ++ ++The B sequence is used by the error code ++generation script as the point to place new error codes, any text ++after this point will be overwritten when B is run. ++The closing #endif etc will be automatically added by the script. ++ ++The generated C error code file B will load the header ++files B, B and B so the ++header file must load any additional header files containing any ++definitions it uses. ++ ++=head1 USING ERROR CODES IN EXTERNAL LIBRARIES ++ ++It is also possible to use OpenSSL's error code scheme in external ++libraries. The library needs to load its own codes and call the OpenSSL ++error code insertion script B explicitly to add codes to ++the header file and generate the C error code file. This will normally ++be done if the external library needs to generate new ASN1 structures ++but it can also be used to add more general purpose error code handling. ++ ++TBA more details ++ ++=head1 INTERNALS ++ ++The error queues are stored in a hash table with one B ++entry for each pid. ERR_get_state() returns the current thread's ++B. An B can hold up to B error ++codes. When more error codes are added, the old ones are overwritten, ++on the assumption that the most recent errors are most important. ++ ++Error strings are also stored in hash table. The hash tables can ++be obtained by calling ERR_get_err_state_table(void) and ++ERR_get_string_table(void) respectively. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=cut +--- doc/crypto/openssl_rand.pod 1970-01-01 01:00:00.000000000 +0100 ++++ doc/crypto/openssl_rand.pod 2010-04-01 00:45:01.059660101 +0200 +@@ -0,0 +1,175 @@ ++=pod ++ ++=head1 NAME ++ ++openssl_rand - pseudo-random number generator ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ int RAND_set_rand_engine(ENGINE *engine); ++ ++ int RAND_bytes(unsigned char *buf, int num); ++ int RAND_pseudo_bytes(unsigned char *buf, int num); ++ ++ void RAND_seed(const void *buf, int num); ++ void RAND_add(const void *buf, int num, int entropy); ++ int RAND_status(void); ++ ++ int RAND_load_file(const char *file, long max_bytes); ++ int RAND_write_file(const char *file); ++ const char *RAND_file_name(char *file, size_t num); ++ ++ int RAND_egd(const char *path); ++ ++ void RAND_set_rand_method(const RAND_METHOD *meth); ++ const RAND_METHOD *RAND_get_rand_method(void); ++ RAND_METHOD *RAND_SSLeay(void); ++ ++ void RAND_cleanup(void); ++ ++ /* For Win32 only */ ++ void RAND_screen(void); ++ int RAND_event(UINT, WPARAM, LPARAM); ++ ++=head1 DESCRIPTION ++ ++Since the introduction of the ENGINE API, the recommended way of controlling ++default implementations is by using the ENGINE API functions. The default ++B, as set by RAND_set_rand_method() and returned by ++RAND_get_rand_method(), is only used if no ENGINE has been set as the default ++"rand" implementation. Hence, these two functions are no longer the recommened ++way to control defaults. ++ ++If an alternative B implementation is being used (either set ++directly or as provided by an ENGINE module), then it is entirely responsible ++for the generation and management of a cryptographically secure PRNG stream. The ++mechanisms described below relate solely to the software PRNG implementation ++built in to OpenSSL and used by default. ++ ++These functions implement a cryptographically secure pseudo-random ++number generator (PRNG). It is used by other library functions for ++example to generate random keys, and applications can use it when they ++need randomness. ++ ++A cryptographic PRNG must be seeded with unpredictable data such as ++mouse movements or keys pressed at random by the user. This is ++described in L. Its state can be saved in a seed file ++(see L) to avoid having to go through the ++seeding process whenever the application is started. ++ ++L describes how to obtain random data from the ++PRNG. ++ ++=head1 INTERNALS ++ ++The RAND_SSLeay() method implements a PRNG based on a cryptographic ++hash function. ++ ++The following description of its design is based on the SSLeay ++documentation: ++ ++First up I will state the things I believe I need for a good RNG. ++ ++=over 4 ++ ++=item 1 ++ ++A good hashing algorithm to mix things up and to convert the RNG 'state' ++to random numbers. ++ ++=item 2 ++ ++An initial source of random 'state'. ++ ++=item 3 ++ ++The state should be very large. If the RNG is being used to generate ++4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum). ++If your RNG state only has 128 bits, you are obviously limiting the ++search space to 128 bits, not 2048. I'm probably getting a little ++carried away on this last point but it does indicate that it may not be ++a bad idea to keep quite a lot of RNG state. It should be easier to ++break a cipher than guess the RNG seed data. ++ ++=item 4 ++ ++Any RNG seed data should influence all subsequent random numbers ++generated. This implies that any random seed data entered will have ++an influence on all subsequent random numbers generated. ++ ++=item 5 ++ ++When using data to seed the RNG state, the data used should not be ++extractable from the RNG state. I believe this should be a ++requirement because one possible source of 'secret' semi random ++data would be a private key or a password. This data must ++not be disclosed by either subsequent random numbers or a ++'core' dump left by a program crash. ++ ++=item 6 ++ ++Given the same initial 'state', 2 systems should deviate in their RNG state ++(and hence the random numbers generated) over time if at all possible. ++ ++=item 7 ++ ++Given the random number output stream, it should not be possible to determine ++the RNG state or the next random number. ++ ++=back ++ ++The algorithm is as follows. ++ ++There is global state made up of a 1023 byte buffer (the 'state'), a ++working hash value ('md'), and a counter ('count'). ++ ++Whenever seed data is added, it is inserted into the 'state' as ++follows. ++ ++The input is chopped up into units of 20 bytes (or less for ++the last block). Each of these blocks is run through the hash ++function as follows: The data passed to the hash function ++is the current 'md', the same number of bytes from the 'state' ++(the location determined by in incremented looping index) as ++the current 'block', the new key data 'block', and 'count' ++(which is incremented after each use). ++The result of this is kept in 'md' and also xored into the ++'state' at the same locations that were used as input into the ++hash function. I ++believe this system addresses points 1 (hash function; currently ++SHA-1), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash ++function and xor). ++ ++When bytes are extracted from the RNG, the following process is used. ++For each group of 10 bytes (or less), we do the following: ++ ++Input into the hash function the local 'md' (which is initialized from ++the global 'md' before any bytes are generated), the bytes that are to ++be overwritten by the random bytes, and bytes from the 'state' ++(incrementing looping index). From this digest output (which is kept ++in 'md'), the top (up to) 10 bytes are returned to the caller and the ++bottom 10 bytes are xored into the 'state'. ++ ++Finally, after we have finished 'num' random bytes for the caller, ++'count' (which is incremented) and the local and global 'md' are fed ++into the hash function and the results are kept in the global 'md'. ++ ++I believe the above addressed points 1 (use of SHA-1), 6 (by hashing ++into the 'state' the 'old' data from the caller that is about to be ++overwritten) and 7 (by not using the 10 bytes given to the caller to ++update the 'state', but they are used to update 'md'). ++ ++So of the points raised, only 2 is not addressed (but see ++L). ++ ++=head1 SEE ALSO ++ ++L, L, ++L, L, ++L, ++L, ++L ++ ++=cut +--- doc/crypto/openssl_threads.pod 1970-01-01 01:00:00.000000000 +0100 ++++ doc/crypto/openssl_threads.pod 2009-10-01 01:40:52.000000000 +0200 +@@ -0,0 +1,210 @@ ++=pod ++ ++=head1 NAME ++ ++CRYPTO_THREADID_set_callback, CRYPTO_THREADID_get_callback, ++CRYPTO_THREADID_current, CRYPTO_THREADID_cmp, CRYPTO_THREADID_cpy, ++CRYPTO_THREADID_hash, CRYPTO_set_locking_callback, CRYPTO_num_locks, ++CRYPTO_set_dynlock_create_callback, CRYPTO_set_dynlock_lock_callback, ++CRYPTO_set_dynlock_destroy_callback, CRYPTO_get_new_dynlockid, ++CRYPTO_destroy_dynlockid, CRYPTO_lock - OpenSSL thread support ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ /* Don't use this structure directly. */ ++ typedef struct crypto_threadid_st ++ { ++ void *ptr; ++ unsigned long val; ++ } CRYPTO_THREADID; ++ /* Only use CRYPTO_THREADID_set_[numeric|pointer]() within callbacks */ ++ void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val); ++ void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr); ++ int CRYPTO_THREADID_set_callback(void (*threadid_func)(CRYPTO_THREADID *)); ++ void (*CRYPTO_THREADID_get_callback(void))(CRYPTO_THREADID *); ++ void CRYPTO_THREADID_current(CRYPTO_THREADID *id); ++ int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, ++ const CRYPTO_THREADID *b); ++ void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, ++ const CRYPTO_THREADID *src); ++ unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id); ++ ++ int CRYPTO_num_locks(void); ++ ++ /* struct CRYPTO_dynlock_value needs to be defined by the user */ ++ struct CRYPTO_dynlock_value; ++ ++ void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value * ++ (*dyn_create_function)(char *file, int line)); ++ void CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function) ++ (int mode, struct CRYPTO_dynlock_value *l, ++ const char *file, int line)); ++ void CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function) ++ (struct CRYPTO_dynlock_value *l, const char *file, int line)); ++ ++ int CRYPTO_get_new_dynlockid(void); ++ ++ void CRYPTO_destroy_dynlockid(int i); ++ ++ void CRYPTO_lock(int mode, int n, const char *file, int line); ++ ++ #define CRYPTO_w_lock(type) \ ++ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ++ #define CRYPTO_w_unlock(type) \ ++ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ++ #define CRYPTO_r_lock(type) \ ++ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__) ++ #define CRYPTO_r_unlock(type) \ ++ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__) ++ #define CRYPTO_add(addr,amount,type) \ ++ CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__) ++ ++=head1 DESCRIPTION ++ ++OpenSSL can safely be used in multi-threaded applications provided ++that at least two callback functions are set, locking_function and ++threadid_func. ++ ++locking_function(int mode, int n, const char *file, int line) is ++needed to perform locking on shared data structures. ++(Note that OpenSSL uses a number of global data structures that ++will be implicitly shared whenever multiple threads use OpenSSL.) ++Multi-threaded applications will crash at random if it is not set. ++ ++locking_function() must be able to handle up to CRYPTO_num_locks() ++different mutex locks. It sets the B-th lock if B & ++B, and releases it otherwise. ++ ++B and B are the file number of the function setting the ++lock. They can be useful for debugging. ++ ++threadid_func(CRYPTO_THREADID *id) is needed to record the currently-executing ++thread's identifier into B. The implementation of this callback should not ++fill in B directly, but should use CRYPTO_THREADID_set_numeric() if thread ++IDs are numeric, or CRYPTO_THREADID_set_pointer() if they are pointer-based. ++If the application does not register such a callback using ++CRYPTO_THREADID_set_callback(), then a default implementation is used - on ++Windows and BeOS this uses the system's default thread identifying APIs, and on ++all other platforms it uses the address of B. The latter is satisfactory ++for thread-safety if and only if the platform has a thread-local error number ++facility. ++ ++Once threadid_func() is registered, or if the built-in default implementation is ++to be used; ++ ++=over 4 ++ ++=item * ++CRYPTO_THREADID_current() records the currently-executing thread ID into the ++given B object. ++ ++=item * ++CRYPTO_THREADID_cmp() compares two thread IDs (returning zero for equality, ie. ++the same semantics as memcmp()). ++ ++=item * ++CRYPTO_THREADID_cpy() duplicates a thread ID value, ++ ++=item * ++CRYPTO_THREADID_hash() returns a numeric value usable as a hash-table key. This ++is usually the exact numeric or pointer-based thread ID used internally, however ++this also handles the unusual case where pointers are larger than 'long' ++variables and the platform's thread IDs are pointer-based - in this case, mixing ++is done to attempt to produce a unique numeric value even though it is not as ++wide as the platform's true thread IDs. ++ ++=back ++ ++Additionally, OpenSSL supports dynamic locks, and sometimes, some parts ++of OpenSSL need it for better performance. To enable this, the following ++is required: ++ ++=over 4 ++ ++=item * ++Three additional callback function, dyn_create_function, dyn_lock_function ++and dyn_destroy_function. ++ ++=item * ++A structure defined with the data that each lock needs to handle. ++ ++=back ++ ++struct CRYPTO_dynlock_value has to be defined to contain whatever structure ++is needed to handle locks. ++ ++dyn_create_function(const char *file, int line) is needed to create a ++lock. Multi-threaded applications might crash at random if it is not set. ++ ++dyn_lock_function(int mode, CRYPTO_dynlock *l, const char *file, int line) ++is needed to perform locking off dynamic lock numbered n. Multi-threaded ++applications might crash at random if it is not set. ++ ++dyn_destroy_function(CRYPTO_dynlock *l, const char *file, int line) is ++needed to destroy the lock l. Multi-threaded applications might crash at ++random if it is not set. ++ ++CRYPTO_get_new_dynlockid() is used to create locks. It will call ++dyn_create_function for the actual creation. ++ ++CRYPTO_destroy_dynlockid() is used to destroy locks. It will call ++dyn_destroy_function for the actual destruction. ++ ++CRYPTO_lock() is used to lock and unlock the locks. mode is a bitfield ++describing what should be done with the lock. n is the number of the ++lock as returned from CRYPTO_get_new_dynlockid(). mode can be combined ++from the following values. These values are pairwise exclusive, with ++undefined behaviour if misused (for example, CRYPTO_READ and CRYPTO_WRITE ++should not be used together): ++ ++ CRYPTO_LOCK 0x01 ++ CRYPTO_UNLOCK 0x02 ++ CRYPTO_READ 0x04 ++ CRYPTO_WRITE 0x08 ++ ++=head1 RETURN VALUES ++ ++CRYPTO_num_locks() returns the required number of locks. ++ ++CRYPTO_get_new_dynlockid() returns the index to the newly created lock. ++ ++The other functions return no values. ++ ++=head1 NOTES ++ ++You can find out if OpenSSL was configured with thread support: ++ ++ #define OPENSSL_THREAD_DEFINES ++ #include ++ #if defined(OPENSSL_THREADS) ++ // thread support enabled ++ #else ++ // no thread support ++ #endif ++ ++Also, dynamic locks are currently not used internally by OpenSSL, but ++may do so in the future. ++ ++=head1 EXAMPLES ++ ++B shows examples of the callback functions on ++Solaris, Irix and Win32. ++ ++=head1 HISTORY ++ ++CRYPTO_set_locking_callback() is ++available in all versions of SSLeay and OpenSSL. ++CRYPTO_num_locks() was added in OpenSSL 0.9.4. ++All functions dealing with dynamic locks were added in OpenSSL 0.9.5b-dev. ++B and associated functions were introduced in OpenSSL 1.0.0 ++to replace (actually, deprecate) the previous CRYPTO_set_id_callback(), ++CRYPTO_get_id_callback(), and CRYPTO_thread_id() functions which assumed ++thread IDs to always be represented by 'unsigned long'. ++ ++=head1 SEE ALSO ++ ++L ++ ++=cut +--- doc/crypto/RAND_add.pod 2000-03-22 16:30:03.000000000 +0100 ++++ doc/crypto/RAND_add.pod 2010-04-01 00:45:00.939660251 +0200 +@@ -65,7 +65,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L, L + + =head1 HISTORY +--- doc/crypto/RAND_bytes.pod 2007-09-24 13:01:18.000000000 +0200 ++++ doc/crypto/RAND_bytes.pod 2010-04-01 00:45:00.946326823 +0200 +@@ -38,7 +38,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L + + =head1 HISTORY +--- doc/crypto/RAND_cleanup.pod 2000-01-27 02:25:06.000000000 +0100 ++++ doc/crypto/RAND_cleanup.pod 2010-04-01 00:45:00.952993593 +0200 +@@ -20,7 +20,7 @@ + + =head1 SEE ALSO + +-L ++L + + =head1 HISTORY + +--- doc/crypto/RAND_egd.pod 2008-11-10 12:26:44.000000000 +0100 ++++ doc/crypto/RAND_egd.pod 2010-04-01 00:45:00.959660646 +0200 +@@ -72,7 +72,7 @@ + + =head1 SEE ALSO + +-L, L, ++L, L, + L + + =head1 HISTORY +--- doc/crypto/RAND_load_file.pod 2001-03-21 16:25:56.000000000 +0100 ++++ doc/crypto/RAND_load_file.pod 2010-04-01 00:45:00.976327494 +0200 +@@ -43,7 +43,7 @@ + + =head1 SEE ALSO + +-L, L, L ++L, L, L + + =head1 HISTORY + +--- doc/crypto/rand.pod 2002-08-05 18:27:01.000000000 +0200 ++++ doc/crypto/rand.pod 1970-01-01 01:00:00.000000000 +0100 +@@ -1,175 +0,0 @@ +-=pod +- +-=head1 NAME +- +-rand - pseudo-random number generator +- +-=head1 SYNOPSIS +- +- #include +- +- int RAND_set_rand_engine(ENGINE *engine); +- +- int RAND_bytes(unsigned char *buf, int num); +- int RAND_pseudo_bytes(unsigned char *buf, int num); +- +- void RAND_seed(const void *buf, int num); +- void RAND_add(const void *buf, int num, int entropy); +- int RAND_status(void); +- +- int RAND_load_file(const char *file, long max_bytes); +- int RAND_write_file(const char *file); +- const char *RAND_file_name(char *file, size_t num); +- +- int RAND_egd(const char *path); +- +- void RAND_set_rand_method(const RAND_METHOD *meth); +- const RAND_METHOD *RAND_get_rand_method(void); +- RAND_METHOD *RAND_SSLeay(void); +- +- void RAND_cleanup(void); +- +- /* For Win32 only */ +- void RAND_screen(void); +- int RAND_event(UINT, WPARAM, LPARAM); +- +-=head1 DESCRIPTION +- +-Since the introduction of the ENGINE API, the recommended way of controlling +-default implementations is by using the ENGINE API functions. The default +-B, as set by RAND_set_rand_method() and returned by +-RAND_get_rand_method(), is only used if no ENGINE has been set as the default +-"rand" implementation. Hence, these two functions are no longer the recommened +-way to control defaults. +- +-If an alternative B implementation is being used (either set +-directly or as provided by an ENGINE module), then it is entirely responsible +-for the generation and management of a cryptographically secure PRNG stream. The +-mechanisms described below relate solely to the software PRNG implementation +-built in to OpenSSL and used by default. +- +-These functions implement a cryptographically secure pseudo-random +-number generator (PRNG). It is used by other library functions for +-example to generate random keys, and applications can use it when they +-need randomness. +- +-A cryptographic PRNG must be seeded with unpredictable data such as +-mouse movements or keys pressed at random by the user. This is +-described in L. Its state can be saved in a seed file +-(see L) to avoid having to go through the +-seeding process whenever the application is started. +- +-L describes how to obtain random data from the +-PRNG. +- +-=head1 INTERNALS +- +-The RAND_SSLeay() method implements a PRNG based on a cryptographic +-hash function. +- +-The following description of its design is based on the SSLeay +-documentation: +- +-First up I will state the things I believe I need for a good RNG. +- +-=over 4 +- +-=item 1 +- +-A good hashing algorithm to mix things up and to convert the RNG 'state' +-to random numbers. +- +-=item 2 +- +-An initial source of random 'state'. +- +-=item 3 +- +-The state should be very large. If the RNG is being used to generate +-4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum). +-If your RNG state only has 128 bits, you are obviously limiting the +-search space to 128 bits, not 2048. I'm probably getting a little +-carried away on this last point but it does indicate that it may not be +-a bad idea to keep quite a lot of RNG state. It should be easier to +-break a cipher than guess the RNG seed data. +- +-=item 4 +- +-Any RNG seed data should influence all subsequent random numbers +-generated. This implies that any random seed data entered will have +-an influence on all subsequent random numbers generated. +- +-=item 5 +- +-When using data to seed the RNG state, the data used should not be +-extractable from the RNG state. I believe this should be a +-requirement because one possible source of 'secret' semi random +-data would be a private key or a password. This data must +-not be disclosed by either subsequent random numbers or a +-'core' dump left by a program crash. +- +-=item 6 +- +-Given the same initial 'state', 2 systems should deviate in their RNG state +-(and hence the random numbers generated) over time if at all possible. +- +-=item 7 +- +-Given the random number output stream, it should not be possible to determine +-the RNG state or the next random number. +- +-=back +- +-The algorithm is as follows. +- +-There is global state made up of a 1023 byte buffer (the 'state'), a +-working hash value ('md'), and a counter ('count'). +- +-Whenever seed data is added, it is inserted into the 'state' as +-follows. +- +-The input is chopped up into units of 20 bytes (or less for +-the last block). Each of these blocks is run through the hash +-function as follows: The data passed to the hash function +-is the current 'md', the same number of bytes from the 'state' +-(the location determined by in incremented looping index) as +-the current 'block', the new key data 'block', and 'count' +-(which is incremented after each use). +-The result of this is kept in 'md' and also xored into the +-'state' at the same locations that were used as input into the +-hash function. I +-believe this system addresses points 1 (hash function; currently +-SHA-1), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash +-function and xor). +- +-When bytes are extracted from the RNG, the following process is used. +-For each group of 10 bytes (or less), we do the following: +- +-Input into the hash function the local 'md' (which is initialized from +-the global 'md' before any bytes are generated), the bytes that are to +-be overwritten by the random bytes, and bytes from the 'state' +-(incrementing looping index). From this digest output (which is kept +-in 'md'), the top (up to) 10 bytes are returned to the caller and the +-bottom 10 bytes are xored into the 'state'. +- +-Finally, after we have finished 'num' random bytes for the caller, +-'count' (which is incremented) and the local and global 'md' are fed +-into the hash function and the results are kept in the global 'md'. +- +-I believe the above addressed points 1 (use of SHA-1), 6 (by hashing +-into the 'state' the 'old' data from the caller that is about to be +-overwritten) and 7 (by not using the 10 bytes given to the caller to +-update the 'state', but they are used to update 'md'). +- +-So of the points raised, only 2 is not addressed (but see +-L). +- +-=head1 SEE ALSO +- +-L, L, +-L, L, +-L, +-L, +-L +- +-=cut +--- doc/crypto/RAND_set_rand_method.pod 2007-11-19 10:18:03.000000000 +0100 ++++ doc/crypto/RAND_set_rand_method.pod 2010-04-01 00:45:00.982994946 +0200 +@@ -67,7 +67,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/RSA_blinding_on.pod 2000-02-24 12:55:10.000000000 +0100 ++++ doc/crypto/RSA_blinding_on.pod 2010-04-01 00:45:00.989661318 +0200 +@@ -34,7 +34,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/crypto/RSA_generate_key.pod 2002-09-25 15:33:27.000000000 +0200 ++++ doc/crypto/RSA_generate_key.pod 2010-04-01 00:45:00.996327969 +0200 +@@ -59,7 +59,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L + + =head1 HISTORY +--- doc/crypto/rsa.pod 2002-08-04 23:08:36.000000000 +0200 ++++ doc/crypto/rsa.pod 2010-04-01 00:45:01.062995006 +0200 +@@ -108,7 +108,7 @@ + =head1 SEE ALSO + + L, L, L, L, +-L, L, L, ++L, L, L, + L, + L, L, + L, +--- doc/crypto/RSA_public_encrypt.pod 2004-03-23 22:01:34.000000000 +0100 ++++ doc/crypto/RSA_public_encrypt.pod 2010-04-01 00:45:01.002994781 +0200 +@@ -73,7 +73,7 @@ + + =head1 SEE ALSO + +-L, L, L, ++L, L, L, + L + + =head1 HISTORY +--- doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod 2002-09-25 15:33:28.000000000 +0200 ++++ doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod 2010-04-01 00:45:01.009660553 +0200 +@@ -48,7 +48,7 @@ + =head1 SEE ALSO + + L, L, +-L, L, L, ++L, L, L, + L + + =head1 HISTORY +--- doc/crypto/threads.pod 2009-10-01 01:40:52.000000000 +0200 ++++ doc/crypto/threads.pod 1970-01-01 01:00:00.000000000 +0100 +@@ -1,210 +0,0 @@ +-=pod +- +-=head1 NAME +- +-CRYPTO_THREADID_set_callback, CRYPTO_THREADID_get_callback, +-CRYPTO_THREADID_current, CRYPTO_THREADID_cmp, CRYPTO_THREADID_cpy, +-CRYPTO_THREADID_hash, CRYPTO_set_locking_callback, CRYPTO_num_locks, +-CRYPTO_set_dynlock_create_callback, CRYPTO_set_dynlock_lock_callback, +-CRYPTO_set_dynlock_destroy_callback, CRYPTO_get_new_dynlockid, +-CRYPTO_destroy_dynlockid, CRYPTO_lock - OpenSSL thread support +- +-=head1 SYNOPSIS +- +- #include +- +- /* Don't use this structure directly. */ +- typedef struct crypto_threadid_st +- { +- void *ptr; +- unsigned long val; +- } CRYPTO_THREADID; +- /* Only use CRYPTO_THREADID_set_[numeric|pointer]() within callbacks */ +- void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val); +- void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr); +- int CRYPTO_THREADID_set_callback(void (*threadid_func)(CRYPTO_THREADID *)); +- void (*CRYPTO_THREADID_get_callback(void))(CRYPTO_THREADID *); +- void CRYPTO_THREADID_current(CRYPTO_THREADID *id); +- int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, +- const CRYPTO_THREADID *b); +- void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, +- const CRYPTO_THREADID *src); +- unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id); +- +- int CRYPTO_num_locks(void); +- +- /* struct CRYPTO_dynlock_value needs to be defined by the user */ +- struct CRYPTO_dynlock_value; +- +- void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value * +- (*dyn_create_function)(char *file, int line)); +- void CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function) +- (int mode, struct CRYPTO_dynlock_value *l, +- const char *file, int line)); +- void CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function) +- (struct CRYPTO_dynlock_value *l, const char *file, int line)); +- +- int CRYPTO_get_new_dynlockid(void); +- +- void CRYPTO_destroy_dynlockid(int i); +- +- void CRYPTO_lock(int mode, int n, const char *file, int line); +- +- #define CRYPTO_w_lock(type) \ +- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) +- #define CRYPTO_w_unlock(type) \ +- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) +- #define CRYPTO_r_lock(type) \ +- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__) +- #define CRYPTO_r_unlock(type) \ +- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__) +- #define CRYPTO_add(addr,amount,type) \ +- CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__) +- +-=head1 DESCRIPTION +- +-OpenSSL can safely be used in multi-threaded applications provided +-that at least two callback functions are set, locking_function and +-threadid_func. +- +-locking_function(int mode, int n, const char *file, int line) is +-needed to perform locking on shared data structures. +-(Note that OpenSSL uses a number of global data structures that +-will be implicitly shared whenever multiple threads use OpenSSL.) +-Multi-threaded applications will crash at random if it is not set. +- +-locking_function() must be able to handle up to CRYPTO_num_locks() +-different mutex locks. It sets the B-th lock if B & +-B, and releases it otherwise. +- +-B and B are the file number of the function setting the +-lock. They can be useful for debugging. +- +-threadid_func(CRYPTO_THREADID *id) is needed to record the currently-executing +-thread's identifier into B. The implementation of this callback should not +-fill in B directly, but should use CRYPTO_THREADID_set_numeric() if thread +-IDs are numeric, or CRYPTO_THREADID_set_pointer() if they are pointer-based. +-If the application does not register such a callback using +-CRYPTO_THREADID_set_callback(), then a default implementation is used - on +-Windows and BeOS this uses the system's default thread identifying APIs, and on +-all other platforms it uses the address of B. The latter is satisfactory +-for thread-safety if and only if the platform has a thread-local error number +-facility. +- +-Once threadid_func() is registered, or if the built-in default implementation is +-to be used; +- +-=over 4 +- +-=item * +-CRYPTO_THREADID_current() records the currently-executing thread ID into the +-given B object. +- +-=item * +-CRYPTO_THREADID_cmp() compares two thread IDs (returning zero for equality, ie. +-the same semantics as memcmp()). +- +-=item * +-CRYPTO_THREADID_cpy() duplicates a thread ID value, +- +-=item * +-CRYPTO_THREADID_hash() returns a numeric value usable as a hash-table key. This +-is usually the exact numeric or pointer-based thread ID used internally, however +-this also handles the unusual case where pointers are larger than 'long' +-variables and the platform's thread IDs are pointer-based - in this case, mixing +-is done to attempt to produce a unique numeric value even though it is not as +-wide as the platform's true thread IDs. +- +-=back +- +-Additionally, OpenSSL supports dynamic locks, and sometimes, some parts +-of OpenSSL need it for better performance. To enable this, the following +-is required: +- +-=over 4 +- +-=item * +-Three additional callback function, dyn_create_function, dyn_lock_function +-and dyn_destroy_function. +- +-=item * +-A structure defined with the data that each lock needs to handle. +- +-=back +- +-struct CRYPTO_dynlock_value has to be defined to contain whatever structure +-is needed to handle locks. +- +-dyn_create_function(const char *file, int line) is needed to create a +-lock. Multi-threaded applications might crash at random if it is not set. +- +-dyn_lock_function(int mode, CRYPTO_dynlock *l, const char *file, int line) +-is needed to perform locking off dynamic lock numbered n. Multi-threaded +-applications might crash at random if it is not set. +- +-dyn_destroy_function(CRYPTO_dynlock *l, const char *file, int line) is +-needed to destroy the lock l. Multi-threaded applications might crash at +-random if it is not set. +- +-CRYPTO_get_new_dynlockid() is used to create locks. It will call +-dyn_create_function for the actual creation. +- +-CRYPTO_destroy_dynlockid() is used to destroy locks. It will call +-dyn_destroy_function for the actual destruction. +- +-CRYPTO_lock() is used to lock and unlock the locks. mode is a bitfield +-describing what should be done with the lock. n is the number of the +-lock as returned from CRYPTO_get_new_dynlockid(). mode can be combined +-from the following values. These values are pairwise exclusive, with +-undefined behaviour if misused (for example, CRYPTO_READ and CRYPTO_WRITE +-should not be used together): +- +- CRYPTO_LOCK 0x01 +- CRYPTO_UNLOCK 0x02 +- CRYPTO_READ 0x04 +- CRYPTO_WRITE 0x08 +- +-=head1 RETURN VALUES +- +-CRYPTO_num_locks() returns the required number of locks. +- +-CRYPTO_get_new_dynlockid() returns the index to the newly created lock. +- +-The other functions return no values. +- +-=head1 NOTES +- +-You can find out if OpenSSL was configured with thread support: +- +- #define OPENSSL_THREAD_DEFINES +- #include +- #if defined(OPENSSL_THREADS) +- // thread support enabled +- #else +- // no thread support +- #endif +- +-Also, dynamic locks are currently not used internally by OpenSSL, but +-may do so in the future. +- +-=head1 EXAMPLES +- +-B shows examples of the callback functions on +-Solaris, Irix and Win32. +- +-=head1 HISTORY +- +-CRYPTO_set_locking_callback() is +-available in all versions of SSLeay and OpenSSL. +-CRYPTO_num_locks() was added in OpenSSL 0.9.4. +-All functions dealing with dynamic locks were added in OpenSSL 0.9.5b-dev. +-B and associated functions were introduced in OpenSSL 1.0.0 +-to replace (actually, deprecate) the previous CRYPTO_set_id_callback(), +-CRYPTO_get_id_callback(), and CRYPTO_thread_id() functions which assumed +-thread IDs to always be represented by 'unsigned long'. +- +-=head1 SEE ALSO +- +-L +- +-=cut +--- doc/crypto/X509_NAME_ENTRY_get_object.pod 2006-05-14 13:27:59.000000000 +0200 ++++ doc/crypto/X509_NAME_ENTRY_get_object.pod 2010-04-01 00:45:01.016327524 +0200 +@@ -65,7 +65,7 @@ + =head1 SEE ALSO + + L, L, +-L ++L + + =head1 HISTORY + +--- doc/ssl/SSL_get_error.pod 2005-03-30 13:50:14.000000000 +0200 ++++ doc/ssl/SSL_get_error.pod 2010-04-01 00:45:03.069662282 +0200 +@@ -105,7 +105,7 @@ + + =head1 SEE ALSO + +-L, L ++L, L + + =head1 HISTORY + +--- doc/ssl/SSL_want.pod 2005-03-30 13:50:14.000000000 +0200 ++++ doc/ssl/SSL_want.pod 2010-04-01 00:45:03.082993225 +0200 +@@ -72,6 +72,6 @@ + + =head1 SEE ALSO + +-L, L, L ++L, L, L + + =cut +--- FAQ 2010-03-29 15:11:53.000000000 +0200 ++++ FAQ 2010-04-01 00:46:00.593821225 +0200 +@@ -724,7 +724,7 @@ + CRYPTO_set_id_callback(), for all versions of OpenSSL up to and + including 0.9.8[abc...]. As of version 0.9.9, CRYPTO_set_id_callback() + and associated APIs are deprecated by CRYPTO_THREADID_set_callback() +-and friends. This is described in the threads(3) manpage. ++and friends. This is described in the openssl_threads(3) manpage. + + * I've compiled a program under Windows and it crashes: why? + diff --git a/abs/core-testing/openssl/no-rpath.patch b/abs/core-testing/openssl/no-rpath.patch new file mode 100644 index 0000000..ebd95e2 --- /dev/null +++ b/abs/core-testing/openssl/no-rpath.patch @@ -0,0 +1,11 @@ +--- Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200 ++++ Makefile.shared 2005-11-16 22:35:37.000000000 +0100 +@@ -153,7 +153,7 @@ + NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ + SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" + +-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" ++DO_GNU_APP=LDFLAGS="$(CFLAGS)" + + #This is rather special. It's a special target with which one can link + #applications without bothering with any features that have anything to -- cgit v0.12