The entry point needs the option 'binitfini', but it was not being
added since the perl code to detect the match did not work.
The entry point for AIX is no longer static - so a wrapper has been
added to call the static version.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15636)
The mechanism had special cases to guess when something was generated
from a .in file. It's better, though, to use the knowledge in
configdata.pm, especially when the generated file is in a different
location than its source.
Cleanups are added, and we change the use of sed to a use of perl
when cleaning up paths with 'something/../' in them, since perl has
more powerful tools for this sort of thing.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15514)
For some types of targets, we pretty much know what kinds of files all
the dependencies are. For some, however, we can't assume anything,
and are faced with dependencies in platform agnostic form. We need to
find those in diverse places in %unified_info, and deduce from there
how they should be converted to a platform specific form.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.
Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right. What we really want is
to generate it as soon as a new providers/fips.so is produced. That
required a small bit of fiddling with how diverse dependencies are
made.
Fixes#15166
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
In 1.1.1 when installing the man pages we created symlinks to the base
page for all functions described on the page. We need to continue doing
this.
Fixes#14846
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15312)
quotify1() and quotify_l() were in OpenSSL::Template, but should be
more widely usable.
configdata.pm.in's out_item() is also more widely useful and is
therefore moved to OpenSSL::Util as well, and renamed to dump_data().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15310)
Use it in the automated workflows.
Fixes: #15247
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15248)
Add also update-fips-checksums to update the checksums in the
$(SRCDIR) if the $(SRCDIR) and $(BLDDIR) is different.
The fips-checksums and generate_fips_sources targets are always
produced (regardless of enable-fips) as nothing else depends on them
and they are developer targets.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15167)
This adds the following scripts:
util/lang-compress.pl:
Compress source code, which language is determined by the first argument.
For the moment, we know 'perl' (perlasm source code), 'C' (C source code)
and 'S' (Assembler with C preprocessor directives).
This removes comments and empty lines, and compresses series of horizontal
spaces to one single space in the languages where that's appropriate.
util/fips-checksums.sh:
Takes source file names as arguments, pushes them through
util/lang-compress.pl and unifdef with FIPS_MODE defined, and calculates
the checksum on the result.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8871)
To follow the principle "what you configure is what you install",
the `make install` target now includes the installation of the
fips provider (`make install_fips`) if (and only if) OpenSSL was
configured with fips support (`enable-fips`).
The `make install_fips` target exists as well and can be used
to install just the fips provider. It requires `enable-fips`
and issues an error message if `no-fips` was configured.
The anologue holds for the 'uninstall_fips' target.
Fixes#13693
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
There is already a `providers/fipsmodule.cnf` target which is required by
the tests. Instead of creating another fipsmodule.cnf, the `install_fips`
target simply copies that configuration file to its final destination.
This commit also restores the minimal dependencies to build the `install_fips`
target immediately after configuring, which was broken after the removal
of the `install_sw` dependency.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
According to the OpenSSL 3.0 Wiki, the file should be located at
$(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf
next to the openssl.cnf file.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
The `openssl` app was previously called without a path, which
would generally invoke the system's copy of the openssl application.
Currently, that's most likely an openssl version 1.1.1 application,
which does not recognize the `fipsinstall` command and terminates
with an error message.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
The FIPS hmac key is provided as a hexadezimal string, which needs to
be be prefixed with `hexkey:`, not `key:`.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)
Previously, we had dependency making pretty much hard coded in the
build file templates, with a bit of an exception for Unix family
platforms, where we had different cases depending on what dependency
making program was found.
With the Embarcadero C++ builder, a separate scheme appeared, with a
different logic.
This change merges the two, and introduces two config target
attributes:
makedepcmd The program to use, where this is relevant.
This replaces the earlier configuration
attribute 'makedepprog'.
makedep_scheme This is a keyword that can be used by build
files templates to produce different sorts of
commands, but most importantly, to pass as
argument to util/add-depend.pl, which uses
this keyword as a "producer" for the
dependency lines.
If the config target doesn't define the 'makedep_scheme' attribute,
Configure tries to figure it out by looking for GCC compatible
compilers or for the 'makedepend' command.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15006)
This file is outside the source tree, so we have no business removing
it. This is especially concerning if that was the tarball the user
had to create the source tree.
Fixes#14981
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14985)
We remove a TODO(3.0) from the unix Makefile template. The current
approach works. It can be improved later.
Fixes#14403
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14887)
We now use the MANSUFFIX "ossl" by default.
Fixes#14318
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14847)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14806)
The `make install_fips` target failed
msp@debian:~/src/openssl$ make install_fips
*** Installing FIPS module
install providers/fips.so -> /opt/openssl-dev/lib/ossl-modules/fips.so
*** Installing FIPS module configuration
fipsinstall /opt/openssl-dev/ssl/fipsmodule.cnf
FATAL: Startup failure (dev note: apps_startup()) for ./apps/openssl
... No such file or directory:crypto/conf/conf_def.c:771:calling stat(fipsmodule.cnf)
...
make: *** [Makefile:3341: install_fips] Error 1
because the `openssl fipsinstall` command was loading a previously installed
configuration file instead of the copy shipped with the source tree.
msp@debian:~/src/openssl$ strace -f make install_fips |& grep openssl.cnf
[pid 128683] openat(AT_FDCWD, "/opt/openssl-dev/ssl/openssl.cnf", O_RDONLY) = 3
This issue reveiled a more general problem, which applies to the tests as well:
unless openssl is installed, the openssl app must not use any preinstalled
configuration file. This holds in particular when the preinstalled configuration
file load providers, which caused the above failure.
The most consistent way to achieve this behaviour is to set the OPENSSL_CONF
environment variable to the correct location in the util/wrap.pl perl wrapper.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14136)
This is needed for less capable platforms with limits on the size of
command line argument lists.
Fixes#14732
CLA: The author has the permission to grant the OpenSSL Team the right to use this change.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14735)
On Unix-like platforms where the shared library comes in a form with
and a form without SO version number, the one without is symbolically
linked to the one with.
However, we have Unix-like platforms where we don't deal with SO
version numbers, and where the "simple" shlib thereby ends up being
symbolically linked to itself. A simple check of the two shlib file
names is enough to ensure that we only do the symbolic link when
actually necessary.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14726)
Using /usr/bin/env on the NonStop ia64 and x86 platforms
causes a translation of - to -i as part of the implicit interpretation
by env of its arguments prior to handing off the arguments to perl.
This causes the FIPS module configuration to be written to a file
named -i instead of going to stdout.
CLA: Trivial
Fixes: #14612
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14613)
Our goal is to be able to produce fipsmodule.cnf with the help of
'openssl fipsinstall', using the openssl program that we build.
This refactors the generatesrc code in all the build file templates to
replace $generator and $generator_incs with $gen0, $gen_args and $gen_incs,
which makes it easier and more consistent to manipulate different bits
of the generator command, and also keeps the variable names consistent
while not overly long.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
We need to add something for the 'tests' target to depend on, so a
special syntax for those is introduced:
DEPEND[|tests|]=fipsmodule.cnf
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
doc/build.info was essentially generated on the fly while running
Configure, something that takes a huge amount of time on slower file
systems (such as Windows).
Instead, we generate it with 'make update', saving the user from
having to wait for too long, at the small price for developers to have
to run 'make update' whenever they write a new manual file.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14269)
Some of the notes and readme files have been converted to markdown
format recently and renamed during this process. While adding the
.md extension was a natural step, switching to mixed cases was not
a change to the better, it gives them a ragged appearance:
NOTES.ANDROID => NOTES-Android.md
NOTES.DJGPP => NOTES-DJGPP.md
NOTES.PERL => NOTES-Perl.md
NOTES.UNIX => NOTES-Unix.md
NOTES.VMS => NOTES-VMS.md
NOTES.VALGRIND => NOTES-Valgrind.md
NOTES.WIN => NOTES-Windows.txt
README.ENGINE => README-Engine.md
README.FIPS => README-FIPS.md
Moreover, the NOTES-Windows.txt file is the only file which has been
converted to markdown but has received a .txt file extension.
This doesn't make sense, because the OpenSSL users on Windows will
need to read the other markdown documents as well. Since they are
developers, we can trust them to be able to associate their favorite
editor with the .md extension.
In fact, having a comment at the beginning of the file saying that it
is in markdown format but we didn't dare to add the correct extension
in order not to overwhelm our Windows users can be interpreted either
as unintentionally funny or disrespectful ;-)
This commit suggests the following more consistent renaming:
NOTES.ANDROID => NOTES-ANDROID.md
NOTES.DJGPP => NOTES-DJGPP.md
NOTES.PERL => NOTES-PERL.md
NOTES.UNIX => NOTES-UNIX.md
NOTES.VMS => NOTES-VMS.md
NOTES.VALGRIND => NOTES-VALGRIND.md
NOTES.WIN => NOTES-WINDOWS.md
README.ENGINE => README-ENGINES.md
README.FIPS => README-FIPS.md
(note the plural in README-ENGINES, anticipating a README-PROVIDERS)
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14042)
We do this by adding the attribute 'pod' to all .pod.in -> .pod
generations, like this:
DEPEND[NAME.pod]{pod}=NAME.pod.in,
... and selecting out the target files for those dependencies into a
dedicated target 'build_generated_pods', which the 'doc-nits' and
'cmd-nits' make targets are made to depend on.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14067)
For Unix like environments, we may have so called "simple" shared
library names (libfoo.so as opposed to libfoo.so.1.2), or we may have
"import" library names associated with a DLL (libfoo.dll.a for
libfoo.dll on Mingw and derivatives).
So far, "import" library names were treated the same as "simple"
shared library names, as some kind of normalization for the Unix way
of doing things.
We now shift to treat them separately, to make it clearer what is
what.
Fixes#13414, incidently
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13875)
This deprecates all the ERR_load_ functions, and moves their definition to
separate C source files that can easily be removed when those functions are
finally removed.
This also reduces include/openssl/kdferr.h to include cryptoerr_legacy.h,
moves the declaration of ERR_load_ERR_strings() from include/openssl/err.h
to include/openssl/cryptoerr_legacy.h, and finally removes the declaration
of ERR_load_DSO_strings(), which was entirely internal anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13390)
