Description
-----------
Upon `EC_GROUP_new_from_ecparameters()` check if the parameters match any
of the built-in curves. If that is the case, return a new
`EC_GROUP_new_by_curve_name()` object instead of the explicit parameters
`EC_GROUP`.
This affects all users of `EC_GROUP_new_from_ecparameters()`:
- direct calls to `EC_GROUP_new_from_ecparameters()`
- direct calls to `EC_GROUP_new_from_ecpkparameters()` with an explicit
parameters argument
- ASN.1 parsing of explicit parameters keys (as it eventually
ends up calling `EC_GROUP_new_from_ecpkparameters()`)
A parsed explicit parameter key will still be marked with the
`OPENSSL_EC_EXPLICIT_CURVE` ASN.1 flag on load, so, unless
programmatically forced otherwise, if the key is eventually serialized
the output will still be encoded with explicit parameters, even if
internally it is treated as a named curve `EC_GROUP`.
Before this change, creating any `EC_GROUP` object using
`EC_GROUP_new_from_ecparameters()`, yielded an object associated with
the default generic `EC_METHOD`, but this was never guaranteed in the
documentation.
After this commit, users of the library that intentionally want to
create an `EC_GROUP` object using a specific `EC_METHOD` can still
explicitly call `EC_GROUP_new(foo_method)` and then manually set the
curve parameters using `EC_GROUP_set_*()`.
Motivation
----------
This has obvious performance benefits for the built-in curves with
specialized `EC_METHOD`s and subtle but important security benefits:
- the specialized methods have better security hardening than the
generic implementations
- optional fields in the parameter encoding, like the `cofactor`, cannot
be leveraged by an attacker to force execution of the less secure
code-paths for single point scalar multiplication
- in general, this leads to reducing the attack surface
Check the manuscript at https://arxiv.org/abs/1909.01785 for an in depth
analysis of the issues related to this commit.
It should be noted that `libssl` does not allow to negotiate explicit
parameters (as per RFC 8422), so it is not directly affected by the
consequences of using explicit parameters that this commit fixes.
On the other hand, we detected external applications and users in the
wild that use explicit parameters by default (and sometimes using 0 as
the cofactor value, which is technically not a valid value per the
specification, but is tolerated by parsers for wider compatibility given
that the field is optional).
These external users of `libcrypto` are exposed to these vulnerabilities
and their security will benefit from this commit.
Related commits
---------------
While this commit is beneficial for users using built-in curves and
explicit parameters encoding for serialized keys, commit
b783beeadf (and its equivalents for the
1.0.2, 1.1.0 and 1.1.1 stable branches) fixes the consequences of the
invalid cofactor values more in general also for other curves
(CVE-2019-1547).
The following list covers commits in `master` that are related to the
vulnerabilities presented in the manuscript motivating this commit:
- d2baf88c43 [crypto/rsa] Set the constant-time flag in multi-prime RSA too
- 311e903d84 [crypto/asn1] Fix multiple SCA vulnerabilities during RSA key validation.
- b783beeadf [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
- 724339ff44 Fix SCA vulnerability when using PVK and MSBLOB key formats
Note that the PRs that contributed the listed commits also include other
commits providing related testing and documentation, in addition to
links to PRs and commits backporting the fixes to the 1.0.2, 1.1.0 and
1.1.1 branches.
Responsible Disclosure
----------------------
This and the other issues presented in https://arxiv.org/abs/1909.01785
were reported by Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri,
Iaroslav Gridin, Alejandro Cabrera Aldaya and Billy Bob Brumley from the
NISEC group at Tampere University, FINLAND.
The OpenSSL Security Team evaluated the security risk for this
vulnerability as low, and encouraged to propose fixes using public Pull
Requests.
_______________________________________________________________________________
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9808)
The EVP_KDF_ definitions are no longer needed, and neither is
EVP_get_kdfbyname()
test/evp_kdf_test.c tried to use a EVP_get_kdfbyname() that was rewritten
to use EVP_KDF_fetch() without ever freeing the resulting KDF method.
It's better to refactor the test to use EVP_KDF_fetch directly.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9662)
We also use this in test_tls13messages to check that the extensions we
expect to see in a CertificateRequest are there.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)
This makes it clearer what's what. The 'openssl' application and its
sub-commands remain in apps/
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9723)
If the passed string length is zero, the function computes the string length
from the passed string.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9760)
This function re-implements EVP_CIPHER_meth_free(), but has a name that
isn't encumbered by legacy EVP_CIPHER construction functionality.
We also refactor most of EVP_CIPHER_meth_new() into an internal
evp_cipher_new() that's used when creating fetched methods.
EVP_CIPHER_meth_new() and EVP_CIPHER_meth_free() are rewritten in terms of
evp_cipher_new() and EVP_CIPHER_free(). This means that at any time, we can
deprecate all the EVP_CIPHER_meth_ functions with no harmful consequence.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9758)
This function re-implements EVP_MD_meth_free(), but has a name that
isn't encumbered by legacy EVP_MD construction functionality.
We also refactor most of EVP_MD_meth_new() into an internal
evp_md_new() that's used when creating fetched methods.
EVP_MD_meth_new() and EVP_MD_meth_free() are rewritten in terms of
evp_md_new() and EVP_MD_free(). This means that at any time, we can
deprecate all the EVP_MD_meth_ functions with no harmful consequence.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9758)
When at least one of OPENSSL_NO_ERR or OPENSSL_NO_FILENAMES is
defined, __FILE__ and __LINE__ are not saved with the error record.
This test only checked OPENSSL_NO_FILENAMES. Now fixed.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9755)
Use the header file internal/cryptlib.h instead.
Remove checks for OPENSSL_NO_ASM and I386_ONLY
in cryptlib.c, to match the checks in other
places where OPENSSL_ia32cap_P is used and
assumed to be initialized.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9688)
A test in sslapitest.c was failing in a no-ec build because we were using
an EC based ciphersuite. That particular test doesn't require EC
specifically, so we swap to a non EC based ciphersuite.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9716)
This command is somewhat similar to 'openssl engine', but displays
what it can about the given providers.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9697)
Moved the relevant ciphers into default and restructed headers to allow the move.
This removed most of the cases of #ifdef NO_XXX (which are now specified in build.info)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9482)
The EVP_PKEY MAC implementations had a diversity of controls that were
really the same thing. We did reproduce that for the provider based
MACs, but are changing our minds on this. Instead of that, we now use
one parameter name for passing the name of the underlying ciphers or
digests to a MAC implementation, "cipher" and "digest", and one
parameter name for passing the output size of the MAC, "size".
Then we leave it to the EVP_PKEY->EVP_MAC bridge to translate "md"
to "digest", and "digestsize" to "size".
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9667)
Parsing functions are at liberty to return:
1: when parsing on processing of the parsed value succeeded
0: when the parsed keyword is unknown
-1: when the parsed value processing failed
Some parsing functions didn't do this quite right, they returned 0
when they should have returned -1, causing a message like this:
Line 123: unknown keyword PeerKey
When this message (which is displayed when the parsing function
returns -1) would have been more appropriate:
Line 123: error processing keyword PeerKey = ffdhe2048-2-pub
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9682)
The current EVP_PEKY_ctrl for SM2 has no capability of parsing an ID
input in hexdecimal.
The newly added ctrl string is called: sm2_hex_id
Test cases and documentation are updated.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9584)
The aes code has been refactored into generic and algorithn specific parts,
so that most of the code can be shared.
The cipher related files have been broken up into smaller parts.
Add chunked variant of mode ciphers - aria uses this (many other ciphers will use this new code instead of the
generic code used by aes).
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9451)
If ossl_method_store_add() gets called with a method that already exists
(i.e. the store has one with matching provider, nid and properties), that
method should not be stored. We do this check inside ossl_method_store_add()
because it has all the locking required to do so safely.
Fixes#9561
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9650)
Because this function affects the reference count on failure (the call
to impl_free() does this), it may as well handle incrementing it as
well to indicate the extra reference in the method store.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9650)
Add Cleanups for gcm - based on the changes to ccm.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/9280)
The macros are defined in include/openssl/core_names.h and follow the
naming standard OSSL_{OPNAME}_NAME_{ALGONAME}, where {OPNAME} is the
name of the operation (such as MAC) and {ALGONAME} is the name of the
algorithm. Example: OSSL_MAC_NAME_HMAC
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9635)
Add test to evp_test_extra for ciphers (that is similiar to the digest_fetch).
Move some of the aes and gcm methods that can be shared with other ciphers into ciphers_common.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9580)
Appease -Wstring-plus-int.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9608)
It was argued that names like SOMETHING_set_param_types were confusing,
and a rename has been proposed to SOMETHING_settable_params, and by
consequence, SOMETHING_get_param_types is renamed
SOMETHING_gettable_params.
This changes implements this change for the dispatched provider and
core functions.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9591)
Actually supply a chain and then test:
1) A successful check of both the ee and chain certs
2) A failure to check the ee cert
3) A failure to check a chain cert
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9442)
Make sure we only test TLSv1.2 things if TLSv1.2 is actually available.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9442)
If built with no-filenames then we shouldn't test this functionality in
the test suite.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9544)
We run the cipher and digest evp_test test files in FIPS mode. Some
ciphers/digests aren't available in FIPS mode so we mark those as
only being available in the default provider.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9531)
The krb5 external test relies on legacy algorithms. Therefore we make
use of the capability to load a config file by default, and ensure that
the config file in use by the krb5 tests loads both the legacy and default
providers.
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
Previously we only loaded the config file by default for libssl. Now we do
it for libcrypto too.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
Running evp_test with the FIPS module has never worked because the
config file was never loaded by default. Actually loading the FIPS module
reveals lots of failures in evp_test. The following commits will enable
loading the config file by default and so we temporarily disable running
the evp_test with the FIPS module until the tests can be fixed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
The "Availablein" keyword is supposed to indicate which providers are
required in evp_test in order for a particular test to pass. Unfortunately
this didn't work. If the provider was available then the test failed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)
[extended tests]
This is a temporary workaround for issue #9251, which contains a full
discussion of the real problem.
As a temporary workaround, we test `EC_GROUP_new_from_ecparameters()`
against a curve that does not currently have alternative
implementations.
The proper fix is dependant on resolution of issue #8615
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9474)
Implement the GNU C library's random(3) pseudorandom number generator.
The algorithm is described: https://www.mscs.dal.ca/~selinger/random/
The rationale is to make the tests repeatable across differing platforms with
different underlying implementations of the random(3) library call.
More specifically: when executing tests with random ordering.
[extended tests]
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9463)
Different providers will give different results, and we need to test
them all.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9398)
This changes the stanza format used so far. Some test stanza had the
following line, only possible for digests:
Legacy = 1
These have been traded for the following:
Availablein = legacy
That line is globally available in all test stanza and can be used to
tell what providers a certain algorithm may be available in. Only one
provider needs to match, so one might have something like this for
some tests:
Availablein = default fips
This means that one of those providers must be available for the test
stanza to be performed.
If the providers mentioned for a stanza aren't available, the test is
skipped.
If this line isn't used in a stanza, the algorithm is assumed to be
available unconditionally (either by fallback providers, or providers
loaded by the config file).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9398)
This avoids leaking bit 0 of the private key.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9363)
Change SYSerr to have the function name; remove SYS_F_xxx defines
Add a test and documentation.
Use get_last_socket_err, which removes some ifdef's in OpenSSL code.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9072)
This means include deallocation information in the return from
the ossl_param_bld_to_param function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9404)
A fuller implementation of PARAMS_TEMPLATE as per #9266 but renamed.
This introduces a statis data type which can be used to constructor a
description of a parameter array. It can then be converted into a OSSL_PARAM
array and the allocated storage freed by a single call to OPENSSL_free.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9305)
Deprecate all xxx_F_ defines.
Removed some places that tested for a specific function.
Use empty field for the function names in output.
Update documentation.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9058)
Custom aes ciphers will be placed into multiple new files
(instead of the monolithic setup used in the e_aes.c legacy code)
so it makes sense to have a header for the platform specific
code that needs to be shared between files.
modes_lcl.h has also moved to modes_int.h to allow sharing with the
provider source.
Code that will be common to AEAD ciphers has also been added. These
will be used by seperate PR's for GCM, CCM & OCB.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9301)
Adds simple utility functions to allow both the default and fips providers to
encode and decode DSA-Sig-Value and ECDSA-Sig-Value (DSA_SIG and ECDSA_SIG
structures) to/from ASN.1 DER without requiring those providers to have a
dependency on the asn1 module.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9111)
Move the KDF code for CMS DH key agreement into an EVP_KDF object.
There are 2 specifications for X9.42 KDF. This implementation uses DER for
otherinfo which embeds the KDF loop counter inside the DER object.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8898)
Happens when trying to generate 4 or 5 bit safe primes.
[extended tests]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9311)
Change it to split the error string returned by `openssl errstr` in a
more robust manner, and ensure it's the reason code we look at.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9304)
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
Because of that we can remove OPENSSL_UNISTD and some other
macros from e_os2.h and opensslconf.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9204)
If evp_test fails to load the legacy provider then it leaks a reference
to the default provider.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9270)
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.
Documentation and test cases are added.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
All the other upref functions are spelled as "up_ref". These new functions
should be consistent.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
Augment the cert_cb sslapitest to include a run that uses
SSL_check_chain() to inspect the certificate prior to installing
it on the SSL object. If the check shows the certificate as not
valid in that context, we do not install a certificate at all, so
the handshake will fail later on in processing (tls_choose_sigalg()),
exposing the indicated regression.
Currently it fails, since we have not yet set the shared sigalgs
by the time the cert_cb runs.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)
Before the return size was included in the OSSL_PARAM structure, the size
global was updated via a pointer. The size global variable has been removed
and the in structure return size used instead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9248)
Once there are buildable fips tests, some tests that are data driven
from files will need to be modified to exclude non approved curves in
fips mode.
These changes were tested by temporarily adding #define FIPS_MODE 1 to
all the modified source files.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9081)
This feature is enabled by default outside of FIPS builds
which ban such actions completely.
Encryption is always disallowed and will generate an error.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9112)
Instead of referencing the return size from the OSSL_PARAM structure, make the
size a field within the structure.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9135)
Remove the union that effectively cast thread IDs to long integers before
display and instead print a hex dump of the entire object.
Refer #9191
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9194)
It turned out that the internal trace cleanup handler was added too
late, so it would be executed before OPENSSL_cleanup().
This results in address errors, as the trace code that's executed in
OPENSSL_cleanup() itself tries to reach for data that's been freed at
that point.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9196)
Changed a bad reference: test/Makefile -> test/build.info
Add ../apps/include as include path to include opt.h used by test/testutil.h.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9154)
The BIO_FLAGS_NONCLEAR_RST flag behavior was not properly documented
and it also caused the length to be incorrectly set after the reset
operation.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9179)
If a test program goes wrong, it's sometimes helpful to be able to
trace what goes on in libcrypto and libssl.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9191)
The "add error data" functions now append to the current error.
Add a test for this.
Cleanup some of the ERR_put functions.
In the FIPS module, always append "(in the FIPS module)" to any errors.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9181)
This adds the ability to clean up a thread on a per OPENSSL_CTX basis.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9040)
This file information was hidden in config target files, when they
should really be part of build.info like any other file we build
from. With build.info variables, the task became much easier.
We take the opportunity to move apps_init_src and apps_aux_src to
apps/build.info as well, and to clean up apps/build.info.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9166)
