Commit Graph

1449 Commits

Author SHA1 Message Date
Richard Levitte
4333b89f50 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)
2021-01-28 13:54:57 +01:00
Richard Levitte
2497e2e7db Configure: warn about duplicate GENERATE declarations in build.info files
This sort of duplication is permitted, as the end result will be a single
item anyway, but we might as well warn to avoid future confusion.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)
2021-01-12 11:25:54 +01:00
Richard Levitte
5e16ac142e Configure: clean away perl syntax faults
The faults aren't fatal (i.e. perl just shrugs), but are curious.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)
2021-01-12 11:25:54 +01:00
Richard Levitte
507f83800f Configure: Check all SOURCE declarations, to ensure consistency
If the given sources are GENERATEd, we check those generators as well.

This ensures that the declarations in the diverse build.info files are
consistent with existing files.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)
2021-01-12 11:25:54 +01:00
Richard Levitte
3a1ee3c199 Drop OPENSSL_NO_RSA everywhere
The configuration option 'no-rsa' was dropped with OpenSSL 1.1.0, so
this is simply a cleanup of the remains.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13700)
2020-12-20 12:19:42 +01:00
Richard Levitte
e3577adddf GitHub CI: Separate no-deprecated job from minimal job
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13706)
2020-12-19 17:02:12 +01:00
Dr. David von Oheimb
06f81af8fc {.travis,ci,appveyor}.yml: Make minimal config consistent, add no-deprecated no-ec no-ktls no-siv
This works nicely by addin a new no-bulk option to Configure.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13110)
2020-12-04 16:20:53 +01:00
Matt Caswell
b8fa02e8a4 Fix no-engine
If we specify no-engine then this should cascade to also mean
no-dynamic-engine. The store test was only checking whether
dynamic-engine was disabled, meaning that some tests were failing
in a no-engine build.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13502)
2020-11-27 17:32:03 +00:00
Richard Levitte
e1f5a92df4 Configure: handle undefined shared_target.
Some very basic config targets don't defined the 'shared_target'
attribute at all.  This wasn't handled well enough in Configure.
This also cleans away an explicit reference to the ossltest engine in
Configurations/unix-Makefile.tmpl, which isn't necessary since the
build.info attributes were added.

Fixes openssl/web#197

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13031)
2020-09-29 16:08:04 +02:00
Richard Levitte
37fe90ad17 Configure: Show 'enable' and 'disable' config attributes
This makes a difference for './Configure HASH' and './Configure TABLE'

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)
2020-09-24 08:06:50 +02:00
Shane Lontis
7a810fac86 Add 'fips-securitychecks' option and plumb this into the actual fips checks
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)
2020-09-18 14:20:39 +01:00
Pauli
910b71cf47 deprecate engines in 3.0
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)
2020-07-16 09:12:26 +02:00
Daniel Bevenius
55affcadbe Configure: fix minor typo in apitable comment
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12398)
2020-07-15 23:22:24 +02:00
Dr. David von Oheimb
1dc1ea182b Fix many MarkDown issues in {NOTES*,README*,HACKING,LICENSE}.md files
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12109)
2020-07-05 11:29:43 +02:00
Dr. David von Oheimb
036cbb6bbf Rename NOTES*, README*, VERSION, HACKING, LICENSE to .md or .txt
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12109)
2020-07-05 11:29:43 +02:00
Richard Levitte
ea4ee152a7 Configure: fix handling of build.info attributes with value
This line wasn't properly handled:

    SCRIPTS{misc,linkname=tsget}=tsget.pl

It generated an attribute "linkname=tsget" with the value 1, instead of
what it should have, an attribute "linkname" with the value "tsget".

Fixes #12341

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12344)
2020-07-03 09:12:07 +02:00
Richard Levitte
610e2b3b70 Configure: Check source and build dir equality a little more thoroughly
'absolutedir' does a thorough job ensuring that we have a "real" path
to both source and build directory, unencumbered by symbolic links.
However, that isn't enough on case insensitive file systems on Unix
flavored platforms, where it's possible to stand in, for example,
/PATH/TO/Work/openssl, and then do this:

    perl ../../work/openssl/Configure

... and thereby having it look like the source directory and the build
directory aren't the same.

We solve this by having a closer look at the computed source and build
directories, and making sure they are exactly the same strings if they
are in fact the same directory.

This is especially important when making symbolic links based on this
directories, but may have other ramifications as well.

Fixes #12323

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12337)
2020-07-02 18:53:25 +02:00
Rich Salz
3121425830 Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)
2020-06-29 12:20:41 +10:00
Richard Levitte
16b0e0fcb3 DOC: Mention Configure consistently
'config' is now a mere wrapper for backward compatibility.
All documentation is changed accordingly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:43:04 +02:00
Richard Levitte
180626159e Configure: pick up options from older 'config'
These options were coded in util/perl/OpenSSL/config.pm, but that got
removed when the OpenSSL::config::main() function was removed.  We're
not putting them back, but in 'Configure'.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:35:34 +02:00
Richard Levitte
e39795af0a util/perl/OpenSSL/config.pm: refactor map_guess()
map_guess() is now table driven, just like get_system().
Additionally, it now takes a config hash table and returns one of its
own.  This way, 'Configure' can pass whatever it has already found to
OpenSSL::config::get_platform(), and easily merge the returned hash
table into its %config.

This also gets rid of variables that we no longer need.  That includes
$PERL and all the $__CNF_ environment variables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Richard Levitte
081436bf73 util/perl/OpenSSL/config.pm, Configure: move check of target with compiler
Previously, ./config would check if "$target-$CC", then "$target"
exists and choose the one that does.  This is now moved to Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)
2020-06-28 18:34:35 +02:00
Shane Lontis
4f2271d58a Add ACVP fips module tests
For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be
performed. (See https://github.com/usnistgov/ACVP). These tests are very similiar to the old CAVS tests.

This PR uses a hardwired subset of these test vectors to perform similiar operations,
to show the usage and prove that the API's are able to perform the required operations.
It may also help with communication with the lab (i.e- The lab could add a test here to show
a unworking use case - which we can then address).

The EVP layer performs these tests instead of calling lower level API's
as was done in the old FOM.
Some of these tests require access to internals that are not normally allowed/required.

The config option 'acvp_tests' (enabled by default) has been added so that this
access may be removed.

The mechanism has been implemented as additional OSSL_PARAM values that can be set and get.
A callback mechanism did not seem to add any additional benefit.
These params will not be added to the gettables lists.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11572)
2020-06-17 11:33:16 +10:00
Bernd Edlinger
ddec332f32 Fix egd and devrandom source configs
./config --with-rand-seed=egd

need to defines OPENSSL_RAND_SEED_EGD and OPENSSL_NO_EGD
so get rid of OPENSSL_NO_EGD (compiles but I did not really test EGD)

./config --with-rand-seed=devrandom

does not work since wait_random_seeded works under the assumption
that OPENSSL_RAND_SEED_GETRANDOM is supposed to be enabled as well,
that is usually the case, but not when only devrandom is enabled.
Skip the wait code in this special case.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11848)
2020-05-20 14:48:16 +02:00
Richard Levitte
4975e8b4d2 Configure: avoid perl regexp bugs
It seems that in older perl versions '(?P' doesn't interact very well
with '(?|' or '(?:'.

Since we make extensive use of '(?P' in build.info parsing, we avoid
combining that with '(?|' and '(?:' when parsing build.info variables,
and end up parsing variable modifier twice (first generally, and then
parse that result into the modifier components).

Fixes #11694

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11737)
2020-05-06 20:16:25 +02:00
Richard Levitte
f828ba0363 Configure: change all references to INSTALL to INSTALL.md
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11657)
2020-04-28 10:03:40 +02:00
Richard Levitte
6a960a94cc Configure: Allow quoted values in VERSION
Fixes #11618

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11624)
2020-04-25 04:05:27 +02:00
Matt Caswell
33388b44b6 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
2020-04-23 13:55:52 +01:00
Nikolay Morozov
fa555aa897 GOST2012 TLS Supported Groups Identifiers Support
For GOST2012-GOST8912-GOST8912 IANA introduce TLS Supported Groups Identifiers
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11568)
2020-04-22 11:22:00 +03:00
Richard Levitte
b16654a281 config, Configure: move the check of removed crypto/ sub-systems
The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

We move it to 'Configure' in an effort to simplify 'config' for
further work.

Note: this is pretty much a historical thing.  In modern OpenSSL, it's
much simpler to edit the SUBDIRS statement in crypto/build.info.
However, it's been claimed the there are those who still remove some
of these sub-system sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11217)
2020-03-04 17:12:52 +01:00
Richard Levitte
19cf4404d5 Configure: Diverse cleanups
There were some remaining old code and comments that don't serve a
purpose any longer.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)
2020-03-02 03:34:30 +01:00
Richard Levitte
e429217902 build.info: Implement simply substitutions in variable values
Use case: having a variable with multiple source files in its value,
and wanting to refer to the corresponding object file.

    $SRCS=foo.c bar.c
    SOURCE[program]=$SRCS
    DEPEND[${SRCS/.c/.o}]=prog.h

    GENERATE[prog.h]=...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)
2020-03-02 03:34:30 +01:00
Richard Levitte
ad5be194c6 build.info: Make it possible to have more than one item in KEYWORD[]
So far, the "index" part of KEYWORD[whatever] could only handle one
item.  There are cases, however, where we want to add the exact same
value to multiple items.  This is especially helpful if a variable
that may have multi-item values are used in the "index" part.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)
2020-03-02 03:34:29 +01:00
Rich Salz
6943335e3e Make secure-memory be a config option
Adding support for "no-secure-memory" was simple, a one-liner.
Fixing all the "ifdef OPENSSL_SECURE_MEMORY" to be "ifndef NO_xxx"
was a bit more work.  My original goof, for not following the OpenSSL
pattern "ifndef NO_" used everywhere else.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11023)
2020-02-14 15:18:27 +01:00
Richard Levitte
b05d632732 Configure: Add easy to use disabled deprecated functionality indicators
In C, we have macros like OPENSSL_NO_DEPRECATED_3_0 to check if some
section of code should be disabled to simulate a removal of things
deprecated in the version.

In perl, we had to check $disabled{deprecated} and compare
$config{api} with the proper version code, which is doable but tedious
and error prone.

This change adds $disabled{'deprecated-x.y'} (x.y being a version
number) which directly corresponds to OPENSSL_NO_DEPRECATED_x_y, for
use in build.info conditions, test recipes and other perl stuff.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11027)
2020-02-07 14:54:36 +01:00
Richard Levitte
cf0843c091 Configure: Better detection of '-static' in @{$config{LDFLAGS}}
@{$config{LDFLAGS}} isn't necessarily split up in pieces, so we need
to check for '-static' with a regexp rather than with an exact string
match.

Fixes #10867

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10878)
2020-01-23 18:01:50 +01:00
Richard Levitte
bbe486cf61 Configure: use $list_separator_re only for defines and includes
This regexp was used a bit too uncontrolled, which had it split flag
values where it should not have.

Fixes #10792

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10793)
2020-01-13 09:02:16 +01:00
Matt Caswell
c72fa2554f Deprecate the low level AES functions
Use of the low level AES functions has been informally discouraged for a
long time. We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10580)
2020-01-06 15:09:57 +00:00
Rich Salz
1461138271 Deprecated crypto-mdebug-backtrace
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10572)
2019-12-14 20:57:35 +01:00
Rich Salz
742ccab318 Deprecate most of debug-memory
Fixes #8322

The leak-checking (and backtrace option, on some platforms) provided
by crypto-mdebug and crypto-mdebug-backtrace have been mostly neutered;
only the "make malloc fail" capability remains.  OpenSSL recommends using
the compiler's leak-detection instead.

The OPENSSL_DEBUG_MEMORY environment variable is no longer used.
CRYPTO_mem_ctrl(), CRYPTO_set_mem_debug(), CRYPTO_mem_leaks(),
CRYPTO_mem_leaks_fp() and CRYPTO_mem_leaks_cb() return a failure code.
CRYPTO_mem_debug_{malloc,realloc,free}() have been removed.  All of the
above are now deprecated.

Merge (now really small) mem_dbg.c into mem.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10572)
2019-12-14 20:57:35 +01:00
Andy Polyakov
0984041283 Configure: use ELFv2 ABI on some ppc64 big endian systems
If _CALL_ELF is defined to be 2, it's an ELFv2 system.
Conditionally switch to the v2 perlasm scheme.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)
2019-12-11 18:31:33 +01:00
Richard Levitte
8c06d7199e Configuration: compute openssl_other_defines and related info later
The computation of macros and configdata.pm related data from %disabled
was done much too early, leaving later disablings without real support.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10566)
2019-12-10 14:20:34 +01:00
Richard Levitte
76d0a74b8e Disable devcryptoeng on newer OpenBSD versions
It's reported that /dev/crypto support has been dropped in OpenBSD 5.7.

Fixes #10552

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10566)
2019-12-10 14:20:34 +01:00
Richard Levitte
cff64af553 Configure: make it possible to have generated generators
This makes it possible to chain GENERATOR statements, which allows
constructs like this:

    GENERATE[something.html]=something.pod
    GENERATE[something.pod]=something.pod.in

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)
2019-11-29 09:51:17 +01:00
Richard Levitte
829f86bb7b Add the possibility to generate documentation at build time
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)
2019-11-29 09:51:16 +01:00
Richard Levitte
a6a4d0acd2 Change the logic and behaviour surrounding '--api' and 'no-deprecated'
At some point in time, there was a 'no-deprecated' configuration
option, which had the effect of hiding all declarations of deprecated
stuff, i.e. make the public API look like they were all removed.

At some point in time, there was a '--api' configuration option, which
had the effect of having the public API look like it did in the version
given as value, on a best effort basis.  In practice, this was used to
get different implementations of BN_zero(), depending on the desired
API compatibility level.

At some later point in time, '--api' was changed to mean the same as
'no-deprecated', but only for the deprecations up to and including the
desired API compatibility level.  BN_zero() has been set to the
pre-1.0.0 implementation ever since, unless 'no-deprecation' has been
given.

This change turns these options back to their original meaning, but
with the slight twist that when combined, i.e. both '--api' and
'no-deprecated' is given, the declarations that are marked deprecated
up to an including the desired API compatibility level are hidden,
simulating that they have been removed.

If no desired API compatibility level has been given, then
configuration sets the current OpenSSL version by default.

Furthermore, the macro OPENSSL_API_LEVEL is now used exclusively to
check what API compatibility level is desired.  For checking in code
if `no-deprecated` has been configured for the desired API
compatibility level, macros for each supported level is generated,
such as OPENSSL_NO_DEPRECATED_1_1_1, corresponding to the use of
DEPRECATEDIN_ macros, such as DEPRECATEDIN_1_1_1().

Just like before, to set an API compatibility level when building an
application, define OPENSSL_API_COMPAT with an appropriate value.  If
it's desirable to hide deprecated functions up to and including that
level, additionally define OPENSSL_NO_DEPRECATED (the value is
ignored).

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10364)
2019-11-07 11:37:25 +01:00
Richard Levitte
b4a7b4ec4a Configure: Make --strict-warnings meaningful with MSVC cl
We also add this to our x86_64 builds on appveyor

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10287)
2019-11-02 11:00:13 +01:00
Andrew Gallatin
2111f5c283 Add support for in-kernel TLS (KTLS) on FreeBSD.
- Check for the <sys/ktls.h> header to determine if KTLS support
  is available.
- Populate a tls_enable structure with session key material for
  supported algorithms.  At present, AES-GCM128/256 and AES-CBC128/256
  with SHA1 and SHA2-256 HMACs are supported.  For AES-CBC, only MtE
  is supported.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10045)
2019-10-31 10:24:32 +00:00
agnosticdev
f62d67b6ab Update dgst.c to show a list of message digests
Fixes #9893

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9912)
2019-10-18 22:14:41 +02:00
Richard Levitte
20551b2e62 Configure: get version from the file 'VERSION' instead of 'opensslv.h'
'VERSION' is a very easy file to parse, as opposed to a header file.
We also have the benefit of holding the version information in one
very well known place and can then generate all other version texts
as we see fit, for example opensslv.h.

Fixes #10203

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10205)
2019-10-18 12:22:00 +02:00