# # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # The version of OpenSSL found in this directory was created by taking the stock version of OpenSSL 0.9.8a from www.openssl.org and modifying some of the files to conform to Sun standards. This work is based on previous work done on stock version of OpenSSL 0.9.7d shipped with Solaris 10. =================== Configure options =================== Below are the options and the targets given to the Configure script. To build shared objects, ./Configure \ no-ec \ no-ecdh \ no-ecdsa \ no-rc3 \ no-rc5 \ no-mdc2 \ no-idea \ no-hw_cswift \ no-hw_ncipher \ no-hw_atalla \ no-hw_nuron \ no-hw_ubsec \ no-hw_aep \ no-hw_sureware \ no-hw_4758-cca \ no-hw_chil \ no-hw_gmp \ threads \ shared \ $TARGET , where TARGET is one of the three, depending on the target architecture: solaris-sparcv8-cc (sparc) solaris64-sparcv9-cc (sparcv9) solaris-x86-cc (i386) For libcrypto.a and libssl.a used by wanboot, ./Configure \ no-aes \ no-cast \ no-dso \ no-ec \ no-ecdh \ no-ecdsa \ no-mdc2 \ no-rc3 \ no-rc4 \ no-rc5 \ no-ripemd \ no-idea \ no-hw \ no-threads \ solaris64-sparcv9-cc =============================================== The files differ from the original distribution =============================================== The following files are different from the OpenSSL 0.9.8a release. 1. This header file is generated by Configure. We combined four versions of this file generated by four runs of Configure. crypto/opensslconf.h 2. Solaris OpenSSL supports PKCS#11 engine. This code may go back to the open-source community in the future. The following files were created. crypto/engine/hw_pk11_err.h crypto/engine/hw_pk11.c crypto/engine/hw_pk11_err.c crypto/engine/hw_pk11_pub.c The following files were modified. crypto/engine/engine.h 3. These files were modified to load the PKCS#11 engine. Added code is surrounded by "#ifdef SOLARIS_OPENSSL". crypto/engine/eng_cnf.c crypto/engine/hw_pk11.c 4. We have a special case where OpenSSL is used by the "wanboot" binary program, that is run to boot the wanboot client. The following files are modified for this purpose. Added code is surrounded by "#ifdef _BOOT". crypto/opensslconf.h crypto/err/err_all.c crypto/evp/evp_key.c crypto/rand/rand_unix.c crypto/rand/randfile.c crypto/x509v3/v3_utl.c e_os.h 5. The configuration file was modified to ship with Solaris defaults. $SRC/cmd/openssl/openssl.cnf (Note: apps/openssl.cnf is unused.) 6. Two files were added for a clean ON build even though the majority if OpenSSL code itself is not subject to lint checks (with the exception of crypto/engine/hw_pk11*.[ch] files). crypto/llib-lcrypto ssl/llib-lssl 7. OpenSSL version string was modified. Due to the fact that we don't upgrade OpenSSL frequently we are forced to patch the currently shipped version. The problem with this aproach is that normally, every security vulnerability fix triggers a new release of OpenSSL so people can easily check whether their currently installed version is vulnerable or not. That is not possible with a patched older version. So, we decided to put the security bug tags into the version string, like this: OpenSSL 0.9.8a 11 Oct 2005 (+ security fixes for: CAN-2005-2969 CVE-2006-3738 CVE-2006-4343 CVE-2007-3108 CVE-2007-5135 CVE-2008-5077) Note that actually it's all on the same line because we want to avoid problems with Configure scripts that might rely on the fact that the original OpenSSL version string consists of one line only. Be aware that the version string is not considered a stable interface and that all security vulnerability reports are available via SunAlert notifications. 8. And, finally, this file was added. README.SUNW