We put almost everything in these internal static libraries:
libcommon Block building code that can be used by all
our implementations, legacy and non-legacy
alike.
libimplementations All non-legacy algorithm implementations and
only them. All the code that ends up here is
agnostic to the definitions of FIPS_MODE.
liblegacy All legacy implementations.
libnonfips Support code for the algorithm implementations.
Built with FIPS_MODE undefined. Any code that
checks that FIPS_MODE isn't defined must end
up in this library.
libfips Support code for the algorithm implementations.
Built with FIPS_MODE defined. Any code that
checks that FIPS_MODE is defined must end up
in this library.
The FIPS provider module is built from providers/fips/*.c and linked
with libimplementations, libcommon and libfips.
The Legacy provider module is built from providers/legacy/*.c and
linked with liblegacy, libcommon and libcrypto.
If module building is disabled, the object files from liblegacy and
libcommon are added to libcrypto and the Legacy provider becomes a
built-in provider.
The Default provider module is built-in, so it ends up being linked
with libimplementations, libcommon and libnonfips. For libcrypto in
form of static library, the object files from those other libraries
are simply being added to libcrypto.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)
Added functionality to use static libraries as source for other
libraries. When done this way, the target library will use the object
files from the sourced static libraries, making the sourced libraries
work as "containers" for object files.
We also need to make sure that the Unix Makefile template knows how to
deal with shared libraries and modules that depend on static libraries.
That's new situation we haven't had before.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)
The dependency resolution is made uniquely to resolve proper library
order when linking a program, a module or a shared library.
resolvedepends() did a little too much at once, so it's now reduced to
only collect dependencies (and is renamed to collectdepends()), while
a new function, expanddepends(), expands a list of dependency to
insure that dependent libraries are present after depending libraries,
and finally there is reducedepends() which removes unnecessary
duplicates, leaving only the last one.
resolvedepends() is now a simple utility routine that calls the three
mentioned above in correct order.
As part of this, we implement weak dependencies through the 'weak'
build.info attribute. This is meant to cause a specific order between
libraries without requiring that they are all present.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)
The build.info grammar's regular expressions were a horrible read.
By assigning certain sub-expressions to variables, we hope to make
it a little more readable.
Also, the handling of build.info attributes is reworked to use a
common function instead of having copies of the same code.
Finally, the attributes are reorganized to specify if they belong with
programs, libraries, modules or scripts. This will enable more
intricate attribute assignment in changes to come.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)
Also added blanks lines after declarations in a couple of places.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9916)
Always refer to openssl.pod instead of repeating the same description
everywhere.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10126)
Better synopsis for 'openssl dgst' and 'openssl enc', correct names
for 'openssl rehash' ('c_rehash' is mentioned there too), correct
option end marker for 'openssl verify', and finally, refer to
sub-commands as sub-commands.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
"gost" was called "ccgost".
"rsax" was treated like literal input rather than an engine name.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
Almost all OpenSSL commands are in reality 'openssl cmd', so make sure
they are refered to like that and not just as the sub-command.
Self-references are avoided as much as is possible, and replaced with
"this command". In some cases, we even avoid that with a slight
rewrite of the sentence or paragrah they were in. However, in the few
cases where a self-reference is still admissible, they are done in
bold, i.e. openssl-speed.pod references itself like this:
B<openssl speed>
References to other commands are done as manual links, i.e. CA.pl.pod
references 'openssl req' like this: L<openssl-req(1)>
Some commands are examples rather than references; we enclose those in
C<>.
While we are it, we abolish "utility", replacing it with "command", or
remove it entirely in some cases.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
Quite a lot of replacables were still bold, and some options were
mentioned without a beginning dash.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
Ellipses were used to express that the '-rand' value can specify
multiple files, like this:
B<-rand> I<file...>
Because there are conventions around ellipses, this becomes confusing,
because '-rand file...' is normally intepreted to mean that
'-rand file1 file2 file3' would be processed as three randomness
files, which makes no sense.
Rather than making things complicated with more elaborate syntax, we
change it to:
B<-rand> I<files>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10065)
Don't run the test_CTX_print_errors test test in test_cmp_ctx if
no-autoerrinit has been configured.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10091)
The decryption failed alert was deprecated a long time ago. It can
provide an attacker too much information to be able to distinguish between
MAC failures and decryption failures and can lead to oracle attacks.
Instead we should always use the bad_record_mac alert for these issues.
This fixes one instance that still exists. It does not represent a
security issue in this case because it is only ever sent if the record is
publicly invalid, i.e. we have detected it is invalid without using any
secret material.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10093)
Even thought the underlying calls might return something other than 0
or 1, EVP_CIPHER_CTX_ctrl() and EVP_MD_CTX_ctrl() were made to only
return those values regardless. That behaviour was recently lost, so
we need to restore it.
Fixes#10106
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10108)
Extensive documentation added in HISTORY section in doc/man5/config.pod
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9578)
RC4 is a stream cipher therefore EVP_CIPHER_CTX_block_size() should
return 1.
This fixes a test failure in ssl_test_old when enable-weak-ssl-ciphers
has been configured.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10090)
This leaves minimal implementations of EVP_md5_sha1, which is now only
there to provide a name for implicit fetches.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9076)
The random bit caching was a residue of earlier code and isn't used any more.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10089)
This leaves minimal implementations of EVP_sha* and EVP_shake*, which
is now only there to provide a name for implicit fetches.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10059)
Use err() for find-doc-nits -e output
Doing this meant we could remove the -s flag, so we do so; move
option/help stuff to top of script.
Add a CHANGES entry.
Rename missing to other.syms
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10039)
This modifies the treatment of algorithm name strings to allow
multiple names separated with colons.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8985)
EVP_DigestInit_ex forced following of the legacy path if ctx->pctx is
set (meaning we've actually been called via EVP_DigestSignInit_ex).
There is some code in the legacy path that calls the
EVP_PKEY_CTRL_DIGESTINIT ctrl on the pctx. Not going down the legacy path
if ctx->pctx is set means that ctrl message will neve get sent. However,
it turns out that all algs that understand that ctrl also set the
EVP_MD_CTX_FLAG_NO_INIT flag which forces legacy anyway. Therefore the
ctx->pctx check is not required and can be removed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10082)
Skip the test_CTX_print_errors in cmp_ctx_test if no-err has been
configured.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10071)
Otherwise a mem leak can occur since EVP_MD_free() calls
EVP_MD_CTX_reset() which then clears the contents of the ctx.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
This resets the fields of the EVP_MD_CTX and means we can no longer
make calls using the EVP_MD_CTX, such as to query parameters.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
Previous commits added code for routing md related parameters via and
EVP_SIGNATURE implementation during a DigestSign operation. This adds a
test to make sure this works as expected.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10013)
