summaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2014-08-07 07:59:05 +0300
committerTimo Teräs <timo.teras@iki.fi>2014-08-07 07:59:05 +0300
commit9b2d3aa0289fc6e6f5fddca823337631d49cadf5 (patch)
tree7d95f07a3aeb2087d4d6c2a9f2811ea5c5aaa7b9 /main
parentc0b217d037a9d092b864cf1125bf2d29e008c907 (diff)
downloadaports-9b2d3aa0289fc6e6f5fddca823337631d49cadf5.tar.bz2
aports-9b2d3aa0289fc6e6f5fddca823337631d49cadf5.tar.xz
main/openssl: security ugprade to 1.0.1i (multiple CVE)
CVE-2014-3508 Information leak in pretty printing functions CVE-2014-5139 Crash with SRP ciphersuite in Server Hello message CVE-2014-3509 Race condition in ssl_parse_serverhello_tlsext CVE-2014-3505 Double Free when processing DTLS packets CVE-2014-3506 DTLS memory exhaustion CVE-2014-3507 DTLS memory leak from zero-length fragments CVE-2014-3510 OpenSSL DTLS anonymous EC(DH) denial of service CVE-2014-3511 OpenSSL TLS protocol downgrade attack CVE-2014-3512 SRP buffer overrun
Diffstat (limited to 'main')
-rw-r--r--main/openssl/APKBUILD14
-rw-r--r--main/openssl/fix-manpages.patch628
2 files changed, 7 insertions, 635 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index a632e1179..601e735d3 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.0.1h
+pkgver=1.0.1i
pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url="http://openssl.org"
@@ -120,8 +120,8 @@ libssl() {
done
}
-md5sums="8d6d684a9430d5cc98a62a5d8fbda8cf openssl-1.0.1h.tar.gz
-c804de28dcf4cc64275e7df8828750c8 fix-manpages.patch
+md5sums="c8dc151a671b9b92ff3e4c118b174972 openssl-1.0.1i.tar.gz
+c5896bc17b3e95ba6329a3d6c2a6fd84 fix-manpages.patch
c6a9857a5dbd30cead0404aa7dd73977 openssl-bb-basename.patch
ddb5fc155145d5b852425adaec32234d 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
4a7b9e20beb33a5e262ab64c2b8e5b48 0002-engines-e_padlock-backport-cvs-head-changes.patch
@@ -134,8 +134,8 @@ efec1bce615256961b1756e575ee1d0a fix-default-apps-capath.patch
05ad806219cef6fa5692ac727af7fab6 c_rehash.c
60ca340e32944e4825747e3681ccd553 openssl-1.0.1-parallel-build.patch
b7f2421187ae2b4c7e424cda2022d41d abi-compat-no-freelists.patch"
-sha256sums="9d1c8a9836aa63e2c6adb684186cbd4371c9e9dcc01d6e3bb447abf2d4d3d093 openssl-1.0.1h.tar.gz
-e3a33c676f8fbe113a780c6b33b28dbf79eb410aac4b989af2dd7a4f64cddea8 fix-manpages.patch
+sha256sums="3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7 openssl-1.0.1i.tar.gz
+99595db76e85785e265b69778e84f75f29a4e29945fb051f12fbb7c84667f453 fix-manpages.patch
82863c2fed659a7186c7f3905a1853b8bd8060350ad101ce159fa7e7d2ba27e8 openssl-bb-basename.patch
18dd81fefb39b3328a444774ed10871ed50348ca171d2da9f826f916127b2dae 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
39c31c2e33cded09543a2d1fd2e3238e9d11c672ba71a14d13095baad3ec9696 0002-engines-e_padlock-backport-cvs-head-changes.patch
@@ -148,8 +148,8 @@ cbb2493ec9157e78035e9cc02be17655996ee9cd0a71b79507fc19f3862f452b 0003-engines-e
7b0947fd09ad1e8d9cea360b883090025b40193d0fc8a631f2e3bb42db28d76b c_rehash.c
bd56e5fe1b6fe594ab93f34d25fef0b7372633bad8532f81da998f3e6655d221 openssl-1.0.1-parallel-build.patch
41c7c1e5bea7f7e0ccc59203a48f097948627d72fcf87f943fcfe8c14b4069a2 abi-compat-no-freelists.patch"
-sha512sums="687d12ae13e364b15622f68933894050d577a4f8647bd68c7e9e86eb9d9f49cd2ebb0da3c5d3ded0a8746cf7b87e23b167b536116aa9a0402d7e7cc2ee401a92 openssl-1.0.1h.tar.gz
-b8f18d0bddb943346e383904bfe8463f3b5bd3e10d53f5210ae26ad285893f17ebd7a84cf55bb4219a85dc15e61afc08dfbd91a4e6ed9a14f3168618775c1a0d fix-manpages.patch
+sha512sums="6cbcdcec8568236e8f20f0461f93df8a193a0ad88102ff548443e6ec87e2a7f649e314beee1e6bafda693934b4fb142244b61d14bf736828dda09e277b941d93 openssl-1.0.1i.tar.gz
+6d7770a63e721295d048641492e13fb09d292de1e9acd5e61ea0dd897e041d1627c7a7733ed2e5be86e26f0e8894edc123227808306b97cb6a2c6f5e941c9c33 fix-manpages.patch
6c4f4b0c1b606b3e5a8175618c4398923392f9c25ad8d3f5b65b0424fe51e104c4f456d2da590d9f572382225ab320278e88db1585790092450cad60a02819a5 openssl-bb-basename.patch
ea282b09d4692a29e5a554e19b0798fa921717d4892decc68cba92cad11e85e4064d8ac78d98f6fa8bb45c65fdd1a5d1a6f6755e53102d520e9d8b807c3a7822 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
96cdd28d1ad5efd3f5836b4c57c9c6ea8e790fbf919e32a8c4acd3883a3531b8d295053a4aa20e6165600153b141ce7b0a3d1d736fdfc325d59862b845aa4d98 0002-engines-e_padlock-backport-cvs-head-changes.patch
diff --git a/main/openssl/fix-manpages.patch b/main/openssl/fix-manpages.patch
index 92b092fff..857414842 100644
--- a/main/openssl/fix-manpages.patch
+++ b/main/openssl/fix-manpages.patch
@@ -647,631 +647,3 @@ index f5ab1c3..63f7ebc 100644
+L<rsa(3)|rsa(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<openssl_rand(3)|openssl_rand(3)>
=cut
-diff --git a/doc/crypto/err.pod b/doc/crypto/err.pod
-deleted file mode 100644
-index 6f72955..0000000
---- a/doc/crypto/err.pod
-+++ /dev/null
-@@ -1,187 +0,0 @@
--=pod
--
--=head1 NAME
--
--err - error codes
--
--=head1 SYNOPSIS
--
-- #include <openssl/err.h>
--
-- unsigned long ERR_get_error(void);
-- unsigned long ERR_peek_error(void);
-- unsigned long ERR_get_error_line(const char **file, int *line);
-- unsigned long ERR_peek_error_line(const char **file, int *line);
-- unsigned long ERR_get_error_line_data(const char **file, int *line,
-- const char **data, int *flags);
-- unsigned long ERR_peek_error_line_data(const char **file, int *line,
-- const char **data, int *flags);
--
-- int ERR_GET_LIB(unsigned long e);
-- int ERR_GET_FUNC(unsigned long e);
-- int ERR_GET_REASON(unsigned long e);
--
-- void ERR_clear_error(void);
--
-- char *ERR_error_string(unsigned long e, char *buf);
-- const char *ERR_lib_error_string(unsigned long e);
-- const char *ERR_func_error_string(unsigned long e);
-- const char *ERR_reason_error_string(unsigned long e);
--
-- void ERR_print_errors(BIO *bp);
-- void ERR_print_errors_fp(FILE *fp);
--
-- void ERR_load_crypto_strings(void);
-- void ERR_free_strings(void);
--
-- void ERR_remove_state(unsigned long pid);
--
-- void ERR_put_error(int lib, int func, int reason, const char *file,
-- int line);
-- void ERR_add_error_data(int num, ...);
--
-- void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
-- unsigned long ERR_PACK(int lib, int func, int reason);
-- int ERR_get_next_error_library(void);
--
--=head1 DESCRIPTION
--
--When a call to the OpenSSL library fails, this is usually signalled
--by the return value, and an error code is stored in an error queue
--associated with the current thread. The B<err> library provides
--functions to obtain these error codes and textual error messages.
--
--The L<ERR_get_error(3)|ERR_get_error(3)> manpage describes how to
--access error codes.
--
--Error codes contain information about where the error occurred, and
--what went wrong. L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> describes how to
--extract this information. A method to obtain human-readable error
--messages is described in L<ERR_error_string(3)|ERR_error_string(3)>.
--
--L<ERR_clear_error(3)|ERR_clear_error(3)> can be used to clear the
--error queue.
--
--Note that L<ERR_remove_state(3)|ERR_remove_state(3)> should be used to
--avoid memory leaks when threads are terminated.
--
--=head1 ADDING NEW ERROR CODES TO OPENSSL
--
--See L<ERR_put_error(3)> if you want to record error codes in the
--OpenSSL error system from within your application.
--
--The remainder of this section is of interest only if you want to add
--new error codes to OpenSSL or add error codes from external libraries.
--
--=head2 Reporting errors
--
--Each sub-library has a specific macro XXXerr() that is used to report
--errors. Its first argument is a function code B<XXX_F_...>, the second
--argument is a reason code B<XXX_R_...>. Function codes are derived
--from the function names; reason codes consist of textual error
--descriptions. For example, the function ssl23_read() reports a
--"handshake failure" as follows:
--
-- SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
--
--Function and reason codes should consist of upper case characters,
--numbers and underscores only. The error file generation script translates
--function codes into function names by looking in the header files
--for an appropriate function name, if none is found it just uses
--the capitalized form such as "SSL23_READ" in the above example.
--
--The trailing section of a reason code (after the "_R_") is translated
--into lower case and underscores changed to spaces.
--
--When you are using new function or reason codes, run B<make errors>.
--The necessary B<#define>s will then automatically be added to the
--sub-library's header file.
--
--Although a library will normally report errors using its own specific
--XXXerr macro, another library's macro can be used. This is normally
--only done when a library wants to include ASN1 code which must use
--the ASN1err() macro.
--
--=head2 Adding new libraries
--
--When adding a new sub-library to OpenSSL, assign it a library number
--B<ERR_LIB_XXX>, define a macro XXXerr() (both in B<err.h>), add its
--name to B<ERR_str_libraries[]> (in B<crypto/err/err.c>), and add
--C<ERR_load_XXX_strings()> to the ERR_load_crypto_strings() function
--(in B<crypto/err/err_all.c>). Finally, add an entry
--
-- L XXX xxx.h xxx_err.c
--
--to B<crypto/err/openssl.ec>, and add B<xxx_err.c> to the Makefile.
--Running B<make errors> will then generate a file B<xxx_err.c>, and
--add all error codes used in the library to B<xxx.h>.
--
--Additionally the library include file must have a certain form.
--Typically it will initially look like this:
--
-- #ifndef HEADER_XXX_H
-- #define HEADER_XXX_H
--
-- #ifdef __cplusplus
-- extern "C" {
-- #endif
--
-- /* Include files */
--
-- #include <openssl/bio.h>
-- #include <openssl/x509.h>
--
-- /* Macros, structures and function prototypes */
--
--
-- /* BEGIN ERROR CODES */
--
--The B<BEGIN ERROR CODES> sequence is used by the error code
--generation script as the point to place new error codes, any text
--after this point will be overwritten when B<make errors> is run.
--The closing #endif etc will be automatically added by the script.
--
--The generated C error code file B<xxx_err.c> will load the header
--files B<stdio.h>, B<openssl/err.h> and B<openssl/xxx.h> so the
--header file must load any additional header files containing any
--definitions it uses.
--
--=head1 USING ERROR CODES IN EXTERNAL LIBRARIES
--
--It is also possible to use OpenSSL's error code scheme in external
--libraries. The library needs to load its own codes and call the OpenSSL
--error code insertion script B<mkerr.pl> explicitly to add codes to
--the header file and generate the C error code file. This will normally
--be done if the external library needs to generate new ASN1 structures
--but it can also be used to add more general purpose error code handling.
--
--TBA more details
--
--=head1 INTERNALS
--
--The error queues are stored in a hash table with one B<ERR_STATE>
--entry for each pid. ERR_get_state() returns the current thread's
--B<ERR_STATE>. An B<ERR_STATE> can hold up to B<ERR_NUM_ERRORS> error
--codes. When more error codes are added, the old ones are overwritten,
--on the assumption that the most recent errors are most important.
--
--Error strings are also stored in hash table. The hash tables can
--be obtained by calling ERR_get_err_state_table(void) and
--ERR_get_string_table(void) respectively.
--
--=head1 SEE ALSO
--
--L<CRYPTO_set_id_callback(3)|CRYPTO_set_id_callback(3)>,
--L<CRYPTO_set_locking_callback(3)|CRYPTO_set_locking_callback(3)>,
--L<ERR_get_error(3)|ERR_get_error(3)>,
--L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>,
--L<ERR_clear_error(3)|ERR_clear_error(3)>,
--L<ERR_error_string(3)|ERR_error_string(3)>,
--L<ERR_print_errors(3)|ERR_print_errors(3)>,
--L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
--L<ERR_remove_state(3)|ERR_remove_state(3)>,
--L<ERR_put_error(3)|ERR_put_error(3)>,
--L<ERR_load_strings(3)|ERR_load_strings(3)>,
--L<SSL_get_error(3)|SSL_get_error(3)>
--
--=cut
-diff --git a/doc/crypto/rand.pod b/doc/crypto/rand.pod
-deleted file mode 100644
-index 1c068c8..0000000
---- a/doc/crypto/rand.pod
-+++ /dev/null
-@@ -1,175 +0,0 @@
--=pod
--
--=head1 NAME
--
--rand - pseudo-random number generator
--
--=head1 SYNOPSIS
--
-- #include <openssl/rand.h>
--
-- int RAND_set_rand_engine(ENGINE *engine);
--
-- int RAND_bytes(unsigned char *buf, int num);
-- int RAND_pseudo_bytes(unsigned char *buf, int num);
--
-- void RAND_seed(const void *buf, int num);
-- void RAND_add(const void *buf, int num, int entropy);
-- int RAND_status(void);
--
-- int RAND_load_file(const char *file, long max_bytes);
-- int RAND_write_file(const char *file);
-- const char *RAND_file_name(char *file, size_t num);
--
-- int RAND_egd(const char *path);
--
-- void RAND_set_rand_method(const RAND_METHOD *meth);
-- const RAND_METHOD *RAND_get_rand_method(void);
-- RAND_METHOD *RAND_SSLeay(void);
--
-- void RAND_cleanup(void);
--
-- /* For Win32 only */
-- void RAND_screen(void);
-- int RAND_event(UINT, WPARAM, LPARAM);
--
--=head1 DESCRIPTION
--
--Since the introduction of the ENGINE API, the recommended way of controlling
--default implementations is by using the ENGINE API functions. The default
--B<RAND_METHOD>, as set by RAND_set_rand_method() and returned by
--RAND_get_rand_method(), is only used if no ENGINE has been set as the default
--"rand" implementation. Hence, these two functions are no longer the recommened
--way to control defaults.
--
--If an alternative B<RAND_METHOD> implementation is being used (either set
--directly or as provided by an ENGINE module), then it is entirely responsible
--for the generation and management of a cryptographically secure PRNG stream. The
--mechanisms described below relate solely to the software PRNG implementation
--built in to OpenSSL and used by default.
--
--These functions implement a cryptographically secure pseudo-random
--number generator (PRNG). It is used by other library functions for
--example to generate random keys, and applications can use it when they
--need randomness.
--
--A cryptographic PRNG must be seeded with unpredictable data such as
--mouse movements or keys pressed at random by the user. This is
--described in L<RAND_add(3)|RAND_add(3)>. Its state can be saved in a seed file
--(see L<RAND_load_file(3)|RAND_load_file(3)>) to avoid having to go through the
--seeding process whenever the application is started.
--
--L<RAND_bytes(3)|RAND_bytes(3)> describes how to obtain random data from the
--PRNG.
--
--=head1 INTERNALS
--
--The RAND_SSLeay() method implements a PRNG based on a cryptographic
--hash function.
--
--The following description of its design is based on the SSLeay
--documentation:
--
--First up I will state the things I believe I need for a good RNG.
--
--=over 4
--
--=item 1
--
--A good hashing algorithm to mix things up and to convert the RNG 'state'
--to random numbers.
--
--=item 2
--
--An initial source of random 'state'.
--
--=item 3
--
--The state should be very large. If the RNG is being used to generate
--4096 bit RSA keys, 2 2048 bit random strings are required (at a minimum).
--If your RNG state only has 128 bits, you are obviously limiting the
--search space to 128 bits, not 2048. I'm probably getting a little
--carried away on this last point but it does indicate that it may not be
--a bad idea to keep quite a lot of RNG state. It should be easier to
--break a cipher than guess the RNG seed data.
--
--=item 4
--
--Any RNG seed data should influence all subsequent random numbers
--generated. This implies that any random seed data entered will have
--an influence on all subsequent random numbers generated.
--
--=item 5
--
--When using data to seed the RNG state, the data used should not be
--extractable from the RNG state. I believe this should be a
--requirement because one possible source of 'secret' semi random
--data would be a private key or a password. This data must
--not be disclosed by either subsequent random numbers or a
--'core' dump left by a program crash.
--
--=item 6
--
--Given the same initial 'state', 2 systems should deviate in their RNG state
--(and hence the random numbers generated) over time if at all possible.
--
--=item 7
--
--Given the random number output stream, it should not be possible to determine
--the RNG state or the next random number.
--
--=back
--
--The algorithm is as follows.
--
--There is global state made up of a 1023 byte buffer (the 'state'), a
--working hash value ('md'), and a counter ('count').
--
--Whenever seed data is added, it is inserted into the 'state' as
--follows.
--
--The input is chopped up into units of 20 bytes (or less for
--the last block). Each of these blocks is run through the hash
--function as follows: The data passed to the hash function
--is the current 'md', the same number of bytes from the 'state'
--(the location determined by in incremented looping index) as
--the current 'block', the new key data 'block', and 'count'
--(which is incremented after each use).
--The result of this is kept in 'md' and also xored into the
--'state' at the same locations that were used as input into the
--hash function. I
--believe this system addresses points 1 (hash function; currently
--SHA-1), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash
--function and xor).
--
--When bytes are extracted from the RNG, the following process is used.
--For each group of 10 bytes (or less), we do the following:
--
--Input into the hash function the local 'md' (which is initialized from
--the global 'md' before any bytes are generated), the bytes that are to
--be overwritten by the random bytes, and bytes from the 'state'
--(incrementing looping index). From this digest output (which is kept
--in 'md'), the top (up to) 10 bytes are returned to the caller and the
--bottom 10 bytes are xored into the 'state'.
--
--Finally, after we have finished 'num' random bytes for the caller,
--'count' (which is incremented) and the local and global 'md' are fed
--into the hash function and the results are kept in the global 'md'.
--
--I believe the above addressed points 1 (use of SHA-1), 6 (by hashing
--into the 'state' the 'old' data from the caller that is about to be
--overwritten) and 7 (by not using the 10 bytes given to the caller to
--update the 'state', but they are used to update 'md').
--
--So of the points raised, only 2 is not addressed (but see
--L<RAND_add(3)|RAND_add(3)>).
--
--=head1 SEE ALSO
--
--L<BN_rand(3)|BN_rand(3)>, L<RAND_add(3)|RAND_add(3)>,
--L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_egd(3)|RAND_egd(3)>,
--L<RAND_bytes(3)|RAND_bytes(3)>,
--L<RAND_set_rand_method(3)|RAND_set_rand_method(3)>,
--L<RAND_cleanup(3)|RAND_cleanup(3)>
--
--=cut
-diff --git a/doc/crypto/rsa.pod b/doc/crypto/rsa.pod
-index 45ac53f..5fa0dcc 100644
---- a/doc/crypto/rsa.pod
-+++ b/doc/crypto/rsa.pod
-@@ -108,7 +108,7 @@ RSA was covered by a US patent which expired in September 2000.
- =head1 SEE ALSO
-
- L<rsa(1)|rsa(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>,
--L<rand(3)|rand(3)>, L<engine(3)|engine(3)>, L<RSA_new(3)|RSA_new(3)>,
-+L<openssl_rand(3)|openssl_rand(3)>, L<engine(3)|engine(3)>, L<RSA_new(3)|RSA_new(3)>,
- L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
- L<RSA_sign(3)|RSA_sign(3)>, L<RSA_size(3)|RSA_size(3)>,
- L<RSA_generate_key(3)|RSA_generate_key(3)>,
-diff --git a/doc/crypto/threads.pod b/doc/crypto/threads.pod
-deleted file mode 100644
-index dc0e939..0000000
---- a/doc/crypto/threads.pod
-+++ /dev/null
-@@ -1,210 +0,0 @@
--=pod
--
--=head1 NAME
--
--CRYPTO_THREADID_set_callback, CRYPTO_THREADID_get_callback,
--CRYPTO_THREADID_current, CRYPTO_THREADID_cmp, CRYPTO_THREADID_cpy,
--CRYPTO_THREADID_hash, CRYPTO_set_locking_callback, CRYPTO_num_locks,
--CRYPTO_set_dynlock_create_callback, CRYPTO_set_dynlock_lock_callback,
--CRYPTO_set_dynlock_destroy_callback, CRYPTO_get_new_dynlockid,
--CRYPTO_destroy_dynlockid, CRYPTO_lock - OpenSSL thread support
--
--=head1 SYNOPSIS
--
-- #include <openssl/crypto.h>
--
-- /* Don't use this structure directly. */
-- typedef struct crypto_threadid_st
-- {
-- void *ptr;
-- unsigned long val;
-- } CRYPTO_THREADID;
-- /* Only use CRYPTO_THREADID_set_[numeric|pointer]() within callbacks */
-- void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val);
-- void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr);
-- int CRYPTO_THREADID_set_callback(void (*threadid_func)(CRYPTO_THREADID *));
-- void (*CRYPTO_THREADID_get_callback(void))(CRYPTO_THREADID *);
-- void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
-- int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a,
-- const CRYPTO_THREADID *b);
-- void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest,
-- const CRYPTO_THREADID *src);
-- unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
--
-- int CRYPTO_num_locks(void);
--
-- /* struct CRYPTO_dynlock_value needs to be defined by the user */
-- struct CRYPTO_dynlock_value;
--
-- void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *
-- (*dyn_create_function)(char *file, int line));
-- void CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function)
-- (int mode, struct CRYPTO_dynlock_value *l,
-- const char *file, int line));
-- void CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)
-- (struct CRYPTO_dynlock_value *l, const char *file, int line));
--
-- int CRYPTO_get_new_dynlockid(void);
--
-- void CRYPTO_destroy_dynlockid(int i);
--
-- void CRYPTO_lock(int mode, int n, const char *file, int line);
--
-- #define CRYPTO_w_lock(type) \
-- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-- #define CRYPTO_w_unlock(type) \
-- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-- #define CRYPTO_r_lock(type) \
-- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
-- #define CRYPTO_r_unlock(type) \
-- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
-- #define CRYPTO_add(addr,amount,type) \
-- CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
--
--=head1 DESCRIPTION
--
--OpenSSL can safely be used in multi-threaded applications provided
--that at least two callback functions are set, locking_function and
--threadid_func.
--
--locking_function(int mode, int n, const char *file, int line) is
--needed to perform locking on shared data structures.
--(Note that OpenSSL uses a number of global data structures that
--will be implicitly shared whenever multiple threads use OpenSSL.)
--Multi-threaded applications will crash at random if it is not set.
--
--locking_function() must be able to handle up to CRYPTO_num_locks()
--different mutex locks. It sets the B<n>-th lock if B<mode> &
--B<CRYPTO_LOCK>, and releases it otherwise.
--
--B<file> and B<line> are the file number of the function setting the
--lock. They can be useful for debugging.
--
--threadid_func(CRYPTO_THREADID *id) is needed to record the currently-executing
--thread's identifier into B<id>. The implementation of this callback should not
--fill in B<id> directly, but should use CRYPTO_THREADID_set_numeric() if thread
--IDs are numeric, or CRYPTO_THREADID_set_pointer() if they are pointer-based.
--If the application does not register such a callback using
--CRYPTO_THREADID_set_callback(), then a default implementation is used - on
--Windows and BeOS this uses the system's default thread identifying APIs, and on
--all other platforms it uses the address of B<errno>. The latter is satisfactory
--for thread-safety if and only if the platform has a thread-local error number
--facility.
--
--Once threadid_func() is registered, or if the built-in default implementation is
--to be used;
--
--=over 4
--
--=item *
--CRYPTO_THREADID_current() records the currently-executing thread ID into the
--given B<id> object.
--
--=item *
--CRYPTO_THREADID_cmp() compares two thread IDs (returning zero for equality, ie.
--the same semantics as memcmp()).
--
--=item *
--CRYPTO_THREADID_cpy() duplicates a thread ID value,
--
--=item *
--CRYPTO_THREADID_hash() returns a numeric value usable as a hash-table key. This
--is usually the exact numeric or pointer-based thread ID used internally, however
--this also handles the unusual case where pointers are larger than 'long'
--variables and the platform's thread IDs are pointer-based - in this case, mixing
--is done to attempt to produce a unique numeric value even though it is not as
--wide as the platform's true thread IDs.
--
--=back
--
--Additionally, OpenSSL supports dynamic locks, and sometimes, some parts
--of OpenSSL need it for better performance. To enable this, the following
--is required:
--
--=over 4
--
--=item *
--Three additional callback function, dyn_create_function, dyn_lock_function
--and dyn_destroy_function.
--
--=item *
--A structure defined with the data that each lock needs to handle.
--
--=back
--
--struct CRYPTO_dynlock_value has to be defined to contain whatever structure
--is needed to handle locks.
--
--dyn_create_function(const char *file, int line) is needed to create a
--lock. Multi-threaded applications might crash at random if it is not set.
--
--dyn_lock_function(int mode, CRYPTO_dynlock *l, const char *file, int line)
--is needed to perform locking off dynamic lock numbered n. Multi-threaded
--applications might crash at random if it is not set.
--
--dyn_destroy_function(CRYPTO_dynlock *l, const char *file, int line) is
--needed to destroy the lock l. Multi-threaded applications might crash at
--random if it is not set.
--
--CRYPTO_get_new_dynlockid() is used to create locks. It will call
--dyn_create_function for the actual creation.
--
--CRYPTO_destroy_dynlockid() is used to destroy locks. It will call
--dyn_destroy_function for the actual destruction.
--
--CRYPTO_lock() is used to lock and unlock the locks. mode is a bitfield
--describing what should be done with the lock. n is the number of the
--lock as returned from CRYPTO_get_new_dynlockid(). mode can be combined
--from the following values. These values are pairwise exclusive, with
--undefined behaviour if misused (for example, CRYPTO_READ and CRYPTO_WRITE
--should not be used together):
--
-- CRYPTO_LOCK 0x01
-- CRYPTO_UNLOCK 0x02
-- CRYPTO_READ 0x04
-- CRYPTO_WRITE 0x08
--
--=head1 RETURN VALUES
--
--CRYPTO_num_locks() returns the required number of locks.
--
--CRYPTO_get_new_dynlockid() returns the index to the newly created lock.
--
--The other functions return no values.
--
--=head1 NOTES
--
--You can find out if OpenSSL was configured with thread support:
--
-- #define OPENSSL_THREAD_DEFINES
-- #include <openssl/opensslconf.h>
-- #if defined(OPENSSL_THREADS)
-- // thread support enabled
-- #else
-- // no thread support
-- #endif
--
--Also, dynamic locks are currently not used internally by OpenSSL, but
--may do so in the future.
--
--=head1 EXAMPLES
--
--B<crypto/threads/mttest.c> shows examples of the callback functions on
--Solaris, Irix and Win32.
--
--=head1 HISTORY
--
--CRYPTO_set_locking_callback() is
--available in all versions of SSLeay and OpenSSL.
--CRYPTO_num_locks() was added in OpenSSL 0.9.4.
--All functions dealing with dynamic locks were added in OpenSSL 0.9.5b-dev.
--B<CRYPTO_THREADID> and associated functions were introduced in OpenSSL 1.0.0
--to replace (actually, deprecate) the previous CRYPTO_set_id_callback(),
--CRYPTO_get_id_callback(), and CRYPTO_thread_id() functions which assumed
--thread IDs to always be represented by 'unsigned long'.
--
--=head1 SEE ALSO
--
--L<crypto(3)|crypto(3)>
--
--=cut
-diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod
-index 48c6b15..5432293 100644
---- a/doc/ssl/SSL_get_error.pod
-+++ b/doc/ssl/SSL_get_error.pod
-@@ -105,7 +105,7 @@ OpenSSL error queue contains more information on the error.
-
- =head1 SEE ALSO
-
--L<ssl(3)|ssl(3)>, L<err(3)|err(3)>
-+L<ssl(3)|ssl(3)>, L<openssl_err(3)|openssl_err(3)>
-
- =head1 HISTORY
-
-diff --git a/doc/ssl/SSL_want.pod b/doc/ssl/SSL_want.pod
-index c0059c0..2e51a75 100644
---- a/doc/ssl/SSL_want.pod
-+++ b/doc/ssl/SSL_want.pod
-@@ -72,6 +72,6 @@ return 1, when the corresponding condition is true or 0 otherwise.
-
- =head1 SEE ALSO
-
--L<ssl(3)|ssl(3)>, L<err(3)|err(3)>, L<SSL_get_error(3)|SSL_get_error(3)>
-+L<ssl(3)|ssl(3)>, L<openssl_err(3)|openssl_err(3)>, L<SSL_get_error(3)|SSL_get_error(3)>
-
- =cut