RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The proper logic is that both zlib and zlib-dynamic are disabled by
default and that enabling zlib-dynamic would enable zlib. Somewhere
along the way, the logic got changed, zlib-dynamic was enabled by
default and zlib didn't get automatically enabled.
This change restores the original logic.
Reviewed-by: Rich Salz <rsalz@openssl.org>
We copied $target{cflags}, $target{defines} and a few more to %config,
just to add to the entries. Avoid doing so, and let the build templates
deal with combining the two.
There are a few cases where we still fiddle with %target, but that's
acceptable.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The thread_cflag setting filled a double role, as kinda sorta an
indicator of thread scheme, and as cflags. Some configs also added
lflags and ex_libs for multithreading regardless of if threading would
be enabled or not.
Instead of this, add threading cflags among in the cflag setting,
threading lflags in the lflag setting and so on if and only if threads
are enabled (which they are by default).
Also, for configs where there are no special cflags for threading (the
VMS configs are of that kind), this makes it possible to still clearly
mention what thread scheme is used.
The exact value of thread scheme is currently ignored except when it's
"(unknown)", and thereby only serves as a flag to tell if we know how
to build for multi-threading in a particular config. Yet, the
currently used values are "(unknown)", "pthreads", "uithreads" (a.k.a
solaris threads) and "winthreads".
Reviewed-by: Andy Polyakov <appro@openssl.org>
Instead, make the build type ("debug" or "release") available through
$config{build_type} and let the configs themselves figure out what the
usual settings (such as "cflags", "lflags" and so on) should be
accordingly.
The benefit with this is that we can now have debug and release
variants of any setting, not just those Configure supports, and may
also involve other factors (the MSVC flags /MD[d] and /MT[d] involve
both build type and whether threading is enabled or not)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Configure had the Unix centric addition of -lz when linking with zlib
is enabled, which doesn't work on other platforms. Therefore, we move
it to the BASE_unix config template and add corresponding ones in the
other BASE_* config templates. The Windows one is probably incomplete,
but that doesn't matter for the moment, as mk1mf does it's own thing
anyway.
This required making the %withargs table global, so perl snippets in
the configs can use it.
Reviewed-by: Andy Polyakov <appro@openssl.org>
These BASE templates are intended to hold values that are common for
all configuration variants for whole families of configurations.
So far, three "families" are identified: Unix, Windows and VMS, mostly
characterised by the build system they currently use.
Reviewed-by: Andy Polyakov <appro@openssl.org>
This provides for more powerful lazy evaluation and buildup of the
setting contents. For example, something like this becomes possible:
defines => [ sub { $config{thisorthat} ? "FOO" : () } ]
Any undefined result of such functions (such as 'undef' or the empty
list) will be ignored.
Reviewed-by: Andy Polyakov <appro@openssl.org>
There are cases, for example when configuring no-asm, that the added
uplink source files got in the way of the cpuid ones. The best way to
solve this is to separate the two.
Reviewed-by: Andy Polyakov <appro@openssl.org>
They now default to " " as separator, but that can be overridden by
having a hash with parameters as last argument. The only currently
recognised parameter is `separator'.
The special separator `undef' will force the result to become a list
rather than a concatenated string.
Reviewed-by: Andy Polyakov <appro@openssl.org>
In the earlier change, where static libraries get built with position
independent code, OPENSSL_PIC was removed by mistake. This adds it
back.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The commit 1288f26 says that it fixes no-async, but instead seems to break
it. Therefore revert that change and fix no-async.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This way, we can use them as conditions instead of relying to more or
less obscure aliases in %config or variables directly in Configure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Preserved for now for those who have scripts with the option
"no-ssl2". We warn that it's deprecated, and ignore it otherwise.
In response to RT#4330
Reviewed-by: Rich Salz <rsalz@openssl.org>
Building shared libraries or not is not the same as building position
independent code or not. It's true that if you don't build PIC, you
can't build shared libraries. However, you may very well want to
build only static libraries but still want PIC code.
Therefore, we introduce a new configuration option "pic", which is
enabled by default or explicitely with "enable-pic", or disabled with
"no-pic" or "disable-pic". Of course, if "pic" is disabled, "shared"
and "dynamic-engine" are automatically disabled as well.
Reviewed-by: Rich Salz <rsalz@openssl.org>
We were kinda sorta using a mix of $disabled{"static-engine" and
$disabled{"dynamic-engine"} in Configure. Let's avoid confusion,
choose one of them and stick to it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Until now, the engines in engines/ were only built as dynamicaly
loadable ones if shared libraries were built.
We not dissociate the two and can build dynamicaly loadable engines
even if we only build static libcrypto and libssl. This is controlled
with the option (enable|disable|no)-static-engine, defaulting to
no-static-engine.
Note that the engines in crypto/engine/ (dynamic and cryptodev) will
always be built into libcrypto.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This takes us away from the idea that we know exactly how our static
libraries are going to get used. Instead, we make them available to
build shareable things with, be it other shared libraries or DSOs.
On the other hand, we also have greater control of when the shared
library cflags. They will never be used with object files meant got
binaries, such as apps/openssl or test/test*.
With unified, we take this a bit further and prepare for having to
deal with extra cflags specifically to be used with DSOs (dynamic
engines), libraries and binaries (applications).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Better libclean that removes the exact files that have been built,
nothing more and nothing less.
Corrected typo
A couple of editorial changes.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Then it can pass around the information where it belongs. The
Makefile templates pick it up along with other target data, the
DSO module gets to pick up the information through
crypto/include/internal/dso_conf.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
Adding uplink and applink to some builds was done by "magic", the
configuration for "mingw" only had a macro definition, the Configure
would react to its presence by adding the uplink source files to
cpuid_asm_src, and crypto/build.info inherited dance to get it
compiled, and Makefile.shared made sure applink.o would be
appropriately linked in. That was a lot under the hood.
To replace this, we create a few template configurations in
Configurations/00-base-templates.conf, inherit one of them in the
"mingw" configuration, the rest is just about refering to the
$target{apps_aux_src} / $target{apps_obj} in the right places.
Reviewed-by: Andy Polyakov <appro@openssl.org>
All those flags existed because we had all the dependencies versioned
in the repository, and wanted to have it be consistent, no matter what
the local configuration was. Now that the dependencies are gone from
the versioned Makefile.ins, it makes much more sense to use the exact
same flags as when compiling the object files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Although I explicitly don't care about the tinfoil-hat reason given in
the initial opening of RT#3628, that "paths usually contain private
information", there *are* situations where it's useful to eliminate the
filenames from the compiled binary.
The two reasons we do care about in the context of firmware such as EDK2
are that it allows for a smaller footprint, and it is also a necessary
component of a binary-reproducible build.
To that end, introduce OPENSSL_FILE and OPENSSL_LINE macros, defining
them to __FILE__ and __LINE__ respectively in the normal case, but to
"" and 0 when OPENSSL_NO_FILENAMES is set.
This is mostly a naïve invocation of
$ sed 's/__\([FL]I[NL]E\)__/OPENSSL_\1/g' -i `git grep -l __LINE__`
but with a few instances change to just print the function name instead
(although those probably need to die anyway) and test cases left untouched.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
For example, this works instead of giving a big error message (note
the lack of '--unified'):
mkdir ../_build
(cd ../_build/; ../openssl-src/config; make)
Reviewed-by: Andy Polyakov <appro@openssl.org>
The previous fix wasn't right.
Also, change all (^|\s) and (\s|$) constructs to (?:^|\s) and (?:\s|$).
Perl seems to like that better.
Reviewed-by: Andy Polyakov <appro@openssl.org>
When OPENSSL_NO_ASYNC is set, make ASYNC_{un,}block_pause() do nothing.
This prevents md_rand.c from failing to build. Probably better to do it
this way than to wrap every instance in an explicit #ifdef.
A bunch of new socket code got added to a new file crypto/bio/b_addr.c.
Make it all go away if OPENSSL_NO_SOCK is defined.
Allow configuration with no-ripemd, no-ts, no-ui
We use these for the UEFI build.
Also remove the 'Really???' comment from no-err and no-locking. We use
those too.
We need to drop the crypto/engine directory from the build too, and also
set OPENSSL_NO_ENGINE
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Macro definitions "should" be found in $config{defines}, but some
configs haven't transfered macro definitions from their 'cflags'
settings (which isn't mandatory anyway), so check both places.
Reviewed-by: Andy Polyakov <appro@openssl.org>
This check is meaningless on VMS and only produce an error because the
underlying shell (DCL) doesn't understand sh syntax such as '2>&1'.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Depending on user preferences, Configure might get something like
--PREFIX=blah just as well as --prefix=blah, or "SHARED" just as well
as "shared". On VMS, let's therefore lowercase at least the portion
of the argument before a possible equal sign.
For good measure, we lowercase the arguments to be checked in
config.com as well. The original argument is sent on to Configure,
however.
Reviewed-by: Andy Polyakov <appro@openssl.org>
To force it on anyone using --strict-warnings was the wrong move, as
this is an option best left to those who know what they're doing.
Use with care!
Reviewed-by: Andy Polyakov <appro@openssl.org>
The previous method had some unfortunate consequences with
--strict-warnings. To counteract, revert part of the previous change
and move down the block of code that adds the user cflags and defines.
Reviewed-by: Rich Salz <rsalz@openssl.org>
INSTALL_PREFIX is a confusing name, as there's also --prefix.
Instead, tag along with the rest of the open source world and adopt
the Makefile variable DESTDIR to designate the desired staging
directory.
The Configure option --install_prefix is removed, the only way to
designate a staging directory is with the Makefile variable (this is
also implemented for VMS' descrip.mms et al).
Reviewed-by: Rich Salz <rsalz@openssl.org>
In the previous commit to change all chomp to a more flexible regexp,
Configure was forgotten. This completes the change.
Reviewed-by: Andy Polyakov <appro@openssl.org>
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.
This addresses RT 3647
Reviewed-by: Richard Levitte <levitte@openssl.org>
If someone runs a mixed unixmake / unified environment (the unified
build tree would obviously be out of the source tree), the unified
build will pick up on the unixmake crypto/buildinf.h because of
assumptions made around this sort of declaration (found in
crypto/build.info):
DEPENDS[cversion.o]=buildinf.h
The assumption was that if such a header could be found in the source
tree, that was the one to depend on, otherwise it would assume it
should be in the build tree.
This change makes sure that sort of mix-up won't happen again.
Reviewed-by: Rich Salz <rsalz@openssl.org>
It's not necessary for a pristine source, and a developer that makes
changes usually knows what to do.
Also, there was this mechanism that would do a "make depend"
automatically which hasn't been used for so many years. Removed as
well.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The logic to figure out the combinations of --prefix and --openssldir
has stayed in Configure so far, with Unix paths as defaults.
However, since we're making Configure increasingly platform agnostic,
these defaults need to change and adapt to the platform, along with
the logic to combine them.
The easiest to provide for this is to move the logic and the defaults
away from Configure and into the build files.
This also means that the definition of the macros ENGINESDIR and
OPENSSLDIR move away from include/openssl/opensslconf.h and into the
build files.
Makefile.in is adapted accordingly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
With some compilers, C macros are defined differently on the command
line than on Unix. It could be that the flad to define them isn't -D,
it could also be that they need to be grouped together and not be mixed
in with the other compiler flags (that's how it's done on VMS, for
example).
On Unix family platform configurations, we can continue to have macro
definitions mixed in with the rest of the flags, so the changes in
Configurations/*.conf are kept to an absolute minimum.
Reviewed-by: Rich Salz <rsalz@openssl.org>
There were cases where some input was absolute, and concatenating it
to the diretory to the source or build top could fail spectacularly.
Let's check the input first to see if it's absolute.
And while we're on the subject of checking if a file or dir spec is
absolute using file_name_is_absolute() has its own quirks on VMS,
where a logical name is considered absolute under most circumstances.
This is perfectly correct from a VMS point of view, but when parsing
the build.info files, we want single word file or directory names to
only be checked syntactically. A function isabsolute() that does the
right thing is the solution.
Reviewed-by: Rich Salz <rsalz@openssl.org>
version32.rc was not created on Windows. The if condition has been corrected.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
This option disables automatic loading of the crypto/ssl error strings in
order to keep statically linked executable file size down
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit provides the basis and core code for an auto initialisation
and deinitialisation framework for libcrypto and libssl. The intention is
to remove the need (in many circumstances) to call explicit initialise and
deinitialise functions. Explicit initialisation will still be an option,
and if non-default initialisation is needed then it will be required.
Similarly for de-initialisation (although this will be a lot easier since
it will bring all de-initialisation into a single function).
Reviewed-by: Richard Levitte <levitte@openssl.org>
It seems realpath() is quite buggy on VMS, or will at least give quite
surprising results. On the other hand, realpath() is the better on
Unix to clean out clutter like foo/../bar on Unix.
So we make out own function to get the absolute directory for a given
input, and use rel2abs() or realpath() depending on the platform
Configure runs on.
Issue reported by Steven M. Schweda <sms@antinode.info>
Reviewed-by: Andy Polyakov <appro@openssl.org>
common.tmpl will be used together with the template build file, and is
the engine that connects the information gathered from all the
build.info files with making the build file itself.
This file expects there to be a template section in the build file
template that defines a number perl functions designed to return
strings with appropriate lines for the build system at hand. The
exact functions, what they can expect as arguments and what output
they're expected to produce is documented in Configurations/README.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
File::Path::make_path didn't show up before File::Path 2.06 / perl v5.10.1.
Because we're trying to stay compatible with perl v5.10.0 and up,
it's better to use the legacy interface.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Some time ago, we had a ex_libs configuration setting that could be
divided into lflags and ex_libs. These got divided in two settings,
lflags and ex_libs, and the former was interpreted to be general
linking flags.
Unfortunately, that conclusion wasn't entirely accurate. Most of
those linking were meant to end up in a very precise position on the
linking command line, just before the spec of libraries the linking
depends on.
Back to the drawing board, we're diving things further, now having
lflags, which are linking flags that aren't depending on command line
position, plib_lflags, which are linking flags that should show up just
before the spec of libraries to depend on, and finally ex_libs, which
is the spec of extra libraries to depend on.
Also, documentation is changed in Configurations/README. This was
previously forgotten.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Add no-async option to Configure that forces ASYNC_NULL.
Related to RT1979
An embedded system or replacement C library (e.g. musl or uClibc)
may not support the *context APIs that are needed for async operation.
Compiles with musl. Ran unit tests, async tests skipped as expected.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
It turns out that the combination splitpath() could return an empty
string for the directory part. This doesn't play well with catdir().
Reviewed-by: Rich Salz <rsalz@openssl.org>
The "unified" build scheme revolves around small information files,
build.info, which each describe their own bit of everything that needs
to be built, using a mini-language described in Configurations/README.
The information in build.info file contain references to source files
and final result. Object files are not mentioned at all, they are
simply from source files. Because of this, all the *_obj items in
Configurations/*.conf are renamed to *_asm_src and the files listed
in the values are change from object files to their corresponding
source files. For the sake of the other build schemes, Configure
generates corresponding *_obj entries in %target.
Furthermore, the "unified" build scheme supports having a build
directory tree separate from the source directry tree.
All paths in a build.info file is assumed to be relative to its
location, either within the source tree or within the build tree.
Reviewed-by: Andy Polyakov <appro@openssl.org>
When the target is {something}-icc, we're doing some extra checks of
the icc compiler. However, all such targets were cleaned away in
March 2015, so this Configure section is dead code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
There was an unused macro in ssl_locl.h that used an internal
type, so I removed it.
Move bio_st from bio.h to ossl_type.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
The lflags configuration had a weird syntax with a % as separator. If
it was present, whatever came before ended up as PEX_LIBS in Makefile
(usually, this is LDFLAGS), while whatever came after ended up as
EX_LIBS.
This change splits that item into lflags and ex_libs, making their use
more explicit.
Also, PEX_LIBS in all the Makefiles are renamed to LDFLAGS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Many options for supporting optimizations for legacy crypto on legacy
platforms have been removed. This simplifies the source code and
does not really penalize anyone.
DES_PTR (always on)
DES_RISC1, DES_RISC2 (always off)
DES_INT (always 'unsigned int')
DES_UNROLL (always on)
BF_PTR (always on) BF_PTR2 (removed)
MD2_CHAR, MD2_LONG (always 'unsigned char')
IDEA_SHORT, IDEA_LONG (always 'unsigned int')
RC2_SHORT, RC2_LONG (always 'unsigned int')
RC4_LONG (only int and char (for assembler) are supported)
RC4_CHUNK (always long), RC_CHUNK_LL (removed)
RC4_INDEX (always on)
And also make D_ENCRYPT macro more clear (@appro)
This is done in consultation with Andy.
Reviewed-by: Andy Polyakov <appro@openssl.org>
A mistake was made and the setting of this config variable got
reverted to an older behavior. This restores the latest.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Enhances the routines in OpenSSL::Test::Utils for checking disabled
stuff to get their information directly from Configure instead of
'openssl list -disabled'.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
- Small rearrangement of the TABLE and HASH printouts, and adding
printout of the "build_scheme" item
- Renamed "engines_obj" to "padlock_obj"
- Moved the runs of dofile down... it didn't quite make sense to have
that in the middle of a printout
Reviewed-by: Rich Salz <rsalz@openssl.org>
Now that we're using templates, we should warn people not to edit the
resulting file. We do it through util/dofile.pl, which is enhanced
with an option to tell what file it was called from. We also change
the calls so the template files are on the command line instead of
being redirected through standard input. That way, we can display
something like this (example taken from include/openssl/opensslconf.h):
/* WARNING: do not edit! */
/* Generated by Configure from include/openssl/opensslconf.h.in */
Reviewed-by: Rich Salz <rsalz@openssl.org>
It is time for Makefile.org to fold into the new regime and have a run
through util/dofile.pl. This forces some information out of there and
into Configure, which isn't a bad thing, it makes Configure
increasingly the center of build information, which is as it should
be.
A few extra defaults were needed in the BASE template to get rid of
warnings about missing values.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Move opensslconf.h.in to include/openssl.
Split off DES,BN,RC4 stuff into separate header file
templates in crypto/include/internal/*_conf.h.in
Reviewed-by: Richard Levitte <levitte@openssl.org>
Now that configdata.pm is the centre of information, use that instead
of Makefile to figure out reconfiguration parameters. This will help
future development with different Makefile file names.
The code to read necessary configuration data from Makefile is retained
for an easy transition to configdata.pm based information gathering. It
will be removed later on.
This change includes moving the variable $cross_compile_prefix to %config.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
The turn has come to have crypto/opensslconf.h.in get run through
util/dofile.pl. The consequence is that a large number of variables
get moved to the %config table.
Also, the string variables $openssl_*, which were populated with cpp
lines, all being of the form "#define SOMETHING", were converted into
ARRAY refs in %config values, containing just the list of macros to be
defined.
Reviewed-by: Rich Salz <rsalz@openssl.org>
For this adaptation, the variables $options and $version needed to
move to %config in Configure, and why not move all other variables
holding diverse version numbers at the same time?
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
apps/CA.pl and tools/c_rehash are built from template files. So far,
this was done by Configure, which created its own problems as it
forced everyone to reconfigure just because one of the template files
had changed.
Instead, have those files created as part of the normal build in apps/
and in tools/.
Furthermore, this prepares for a future where Configure may produce
entirely other build files than Makefile, and the latter can't be
guaranteed to be the holder of all information for other scripts.
Instead, configdata.pm (described below) becomes the center of
configuration information.
This introduces a few new things:
%config a hash table to hold all kinds of configuration data
that can be used by any other script.
configdata.pm a perl module that Configure writes. It currently
holds the hash tables %config and %target.
util/dofile.pl a script that takes a template on STDIN and outputs
the result after applying configuration data on it.
It's supposed to be called like this:
perl -I$(TOP) -Mconfigdata < template > result
or
perl -I$(TOP) -Mconfigdata templ1 templ2 ... > result
Note: util/dofile.pl requires Text::Template.
As part of this changed, remove a number of variables that are really
just copies of entries in %target, and use %target directly. The
exceptions are $target{cflags} and $target{lflags}, they do get copied
to $cflags and $lflags. The reason for this is that those variable
potentially go through a lot of changes and would rather deserve a
place in %config. That, however, is for another commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
It's time for print_table_entry to get a bit of refreshment. The way it
was put together, we needed to maintain the list of known configuration
keys of interest twice, in different shapes. This is error prone, so
move the list of strings to a common list for all printing cases, and
use simple formatting of lines to do the actual printout based on that
list.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Time to get rid of @MK1MF_Builds and introduce a more flexible
'build_scheme' configuration key. Its value may be a string or an
array of strings, meaning we need to teach resolve_config how to
handle ARRAY referenses.
The build scheme is a word that selects a function to create the
appropriate result files for a certain configuration. Currently valid
build schemes aer "mk1mf" and "unixmake", the plan is however to add
at least one other for a more universal build scheme.
Incidently, this also adds the functions 'add' and 'add_before', which
can be used in a configuration, so instead of having to repeatedly
write a sub like this:
key1 => sub { join(" ", @_, "myvalues"); },
key2 => sub { join(" ", "myvalues", @_); },
one could write this:
key1 => add(" ", "myvalues"),
key2 => add_before(" ", "myvalues"),
The good point with 'add' and 'add_before' is that they handle
inheritances where the values are a misture of scalars and ARRAYs. If
there are any ARRAY to be found, the resulting value will be an ARRAY,
otherwise it will be a scalar with all the incoming valued joined
together with the separator given as first argument to add/add_before.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Move the documentation of the target configuration form to
Configurations/README.
Move initial assembler object templates to
Configurations/00-BASE-templates.conf.
Furthermore, remove all variables containing the names of the
non-assembler object files and make a BASE template of them instead.
The values from this templates are used as defaults as is. The
remaining manipulation of data when assembler modules are used is done
only when $no_asm is false.
While doing this, clean out some other related variables that aren't
used anywhere.
Also, we had to move the resolution of the chosen target a bit, or the
function 'asm' would never catch a true $no_asm... this hasn't
mattered before we've moved it all to the BASE template, but now it
does.
At the same time, add the default for the 'unistd' key to the BASE
template.
Reviewed-by: Rich Salz <rsalz@openssl.org>
--prefix is now exclusively used for software and manual installation.
--openssldir is not exclusively used as a default location for certs,
keys and the default openssl.cnf.
This change is made to bring clarity, to have the two less
intertwined, and to be more compatible with the usual ways of software
installation.
Please change your habits and scripts to use --prefix rather than
--openssldir for installation location now.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
It's time to refactor the handling of %disabled so that all
information of value is in the same place. We have so far had a few
cascading disable rules in form of code, far away from %disabled.
Instead, bring that information to the array @disable_cascade, which
is a list of pairs of the form 'test => descendents'. The test part
can be a string, and it's simply checked if that string is a key in
%disabled, or it can be a CODEref to do a more complex test. If the
test comes true, then all descendents are disabled. This check is
performed until there are no more things that need to be disabled.
Also, $default_depflags is constructed from the information in
%disabled instead of being a separate string. While a string of its
own is visually appealing, it's much too easy to forget to update it
when something is changed in %disabled.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
The way the "reconf"/"reconfigure" argument is handled is overly
complicated. Just grep for it first, and if it is there in the
current arguments, get the old command line arguments from Makefile.
While we're at it, make the Makefile variable CONFIGURE_ARGS hold the
value as a perl list of strings. This makes things much safer in case
one of the arguments would contain a space. Since CONFIGURE_ARGS is
used for nothing else, there's no harm in this.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Split the read_config function into read_config that ONLY reads the
configuration files but doesn't try to resolve any of the
inheritances, and resolve_config which resolves the inheritance chain
of a given target. Move them to the bottom of Configure, with the
rest of the helpers.
Have a new small hash table, %target, which will hold the values for
the target the user requested. This also means that all access to the
current target data can be reduced from '$table{$target}->{key}' to a
mere '$target{key}'.
While we're at it, the old string formatted configurations are getting
obsolete, so they may as well get deprecated entirely.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Get rid of the --test-sanity option. Since we no longer have string
based configurations, we don't have the problem with miscounting
colons any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Start simple, removed some unused variables and change all '<<EOF' to
'<<"EOF"'. The latter is because some code colorizers (notably, in
emacs) cannot recognise the here document end marker unless it's
quoted and therefore assume the rest of the file is part of the here
document.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The GOST engine is now out of date and is removed by this commit. An up
to date GOST engine is now being maintained in an external repository.
See:
https://wiki.openssl.org/index.php/Binaries
Reviewed-by: Richard Levitte <levitte@openssl.org>
For BSD systems, Configure adds a shared_ldflags including a reference
to the Makefile variable LIBRPATH, but since it must be passed down to
Makefile.shared, care must be taken so the value of LIBRPATH doesn't
get expanded too early, or it ends up giving an empty string.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
The previous 'Relax the requirements for a debug build' commit had
an extra line of code that shouldn't have been there. This fixes it.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
The entropy-gathering daemon is used only on a small number of machines.
Provide a configure knob so that EGD support can be disabled by default
but re-enabled on those systems that do need it.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
We required that a target be named 'debug-something' or to have at
least one of the configuration items debug_cflags and debug_lflags for
--debug to be accepted.
However, there are targets with no such markings but that will still
have debugging capabilities. This is particularly true for mk1mf
builds, where the extra flags for debugging are figured out later on
by util/mk1mf.pl.
Reviewed-by: Rich Salz <rsalz@openssl.org>
For some strange reason opensslconf.h was only defining DES_LONG
when included via des.h, but that's exceedingly fragile (as a
result of include guards the include via des.h might not actually
process the content again).
Ripped out the nesting constraint, now always define OSSL_DES_LONG
if not already defined. Note, this could just be DES_LONG, but
trying to avoid exposing DES_LONG in places where it has never been
seen before, so it is up to des.h to actually define DES_LONG as
OSSL_DES_LONG.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Create Makefile's from Makefile.in
Rename Makefile.org to Makefile.in
Rename Makefiles to Makefile.in
Address review feedback from Viktor and Richard
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
We use $default_depflags to check if a 'make depend' is needed after
configuring, so it needs to be kept up to date.
Reviewed-by: Matt Caswell <matt@openssl.org>
Provide backwards-compatiblity for functions, macros and include
files if OPENSSL_API_COMPAT is either not defined or defined less
than the version number of the release in which the feature was
deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
(Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.
Reviewed-by: Richard Levitte <levitte@openssl.org>
'./Configure reconf' hasn't been working for a while, because a perl
lable needs to be immediately followed by a block.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The contents of this variable ($memleak_devteam_backtrace) is added to
$cflags unless we build for a platform we know doesn't support gcc's
-rdynamic och backtrace() and friends.
Reviewed-by: Andy Polyakov <appro@openssl.org>
./Configure [target] --strict-warnings -Wno-pedantic-ms-format
would not add '-pedantic' because it matches '-Wno-pedantic-ms-format',
which was added first.
Reviewed-by: Matt Caswell <matt@openssl.org>
Configure has, so far, had no control at all of which 'no-' options it
can be given. This means that, for example, someone could configure
with something absurd like 'no-stack' and then watch the build crumble
to dust... or file a bug report.
This introduces some sanity into the possible choices.
The added list comes from looking for the explicit ones used in
Configure, and from grepping after OPENSSL_NO_ in all source files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Much related/similar work also done by
Ivan Nestlerode <ivan.nestlerode@sonos.com>
+Replace FILE BIO's with dummy ops that fail.
+Include <stdio.h> for sscanf() even with no-stdio (since the declaration
is there). We rely on sscanf() to parse the OPENSSL_ia32cap environment
variable, since it can be larger than a 'long'. And we don't rely on the
availability of strtoull().
+Remove OPENSSL_stderr(); not used.
+Make OPENSSL_showfatal() do nothing (currently without stdio there's
nothing we can do).
+Remove file-based functionality from ssl/. The function
prototypes were already gone, but not the functions themselves.
+Remove unviable conf functionality via SYS_UEFI
+Add fallback definition of BUFSIZ.
+Remove functions taking FILE * from header files.
+Add missing DECLARE_PEM_write_fp_const
+Disable X509_LOOKUP_hash_dir(). X509_LOOKUP_file() was already compiled out,
so remove its prototype.
+Use OPENSSL_showfatal() in CRYPTO_destroy_dynlockid().
+Eliminate SRP_VBASE_init() and supporting functions. Users will need to
build the verifier manually instead.
+Eliminate compiler warning for unused do_pk8pkey_fp().
+Disable TEST_ENG_OPENSSL_PKEY.
+Disable GOST engine as is uses [f]printf all over the place.
+Eliminate compiler warning for unused send_fp_chars().
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
With the new testing framework, building a test target with mk1mf.pl
becomes a very simple thing. And especially, no more need to do the
amount of hackery in unix.pl we did.
Also, some tests need a working apps/CA.pl as well as rehashed certs
in certs/demo. So, move the code creating those files so it gets done
regardless, not just in non-mk1mf environments.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This reverts the non-cleanup parts of commit c73ad69017. We do actually
have a reasonable use case for OPENSSL_NO_RFC3779 in the EDK2 UEFI
build, since we don't have a strspn() function in our runtime environment
and we don't want the RFC3779 functionality anyway.
In addition, it changes the default behaviour of the Configure script so
that RFC3779 support isn't disabled by default. It was always disabled
from when it was first added in 2006, right up until the point where
OPENSSL_NO_RFC3779 was turned into a no-op, and the code in the
Configure script was left *trying* to disable it, but not actually
working.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Following on from the removal of libcrypto and libssl support for Kerberos
this commit removes all remaining references to Kerberos.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The disabled set of -Weverything is hard to maintain across versions.
Use -Wall -Wextra but also document other useful warnings that currently trigger.
Reviewed-by: Rich Salz <rsalz@openssl.org>
We use GNU statement expressions in crypto/md32_common.h, surrounded
by checks that GNU C is indeed used to compile. It seems that clang,
at least on Linux, pretends to be GNU C, therefore finds the statement
expressions and then warns about them.
The solution is to have clang be quiet about it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rather than making include/openssl/foo.h a symlink to
crypto/foo/foo.h, this change moves the file to include/openssl/foo.h
once and for all.
Likewise, move crypto/foo/footest.c to test/footest.c, instead of
symlinking it there.
Originally-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
In order to receive warnings on unused function return values the flag
-DDEBUG_UNUSED must be passed to the compiler. This change adds that for the
--strict-warnings Configure option.
Reviewed-by: Richard Levitte <levitte@openssl.org>
./config would translate -d into having the target get a 'debug-'
prefix, and then run './Configure LIST' to find out if such a
debugging target exists or not.
With the recent changes, the separate 'debug-foo' targets are
disappearing, and we're giving the normal targets debugging
capabilities instead. Unfortunately, './config' wasn't changed to
match this new behavior.
This change introduces the arguments '--debug' and '--release' - the
latter just for orthogonality - to ./Configure, and ./config now
treats -d by adding '--debug' to the options for ./Configure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Because base templates express inheritance of values, the attribute is
renamed to 'inherit_from', and texts about this talk about 'inheritance(s)'
rather than base templates.
As they were previously implemented, base templates that were listed
together would override one another, the first one acting as defaults for
the next and so on.
However, it was pointed out that a strength of inheritance would be to
base configurations on several templates - for example one for CPU, one
for operating system and one for compiler - and that requires a different
way of combining those templates. With this change, inherited values
from several inheritances are concatenated by default (keep on reading).
Also, in-string templates with the double-curly syntax are removed,
replaced with the possibility to have a configuration value be a coderef
(i.e. a 'sub { /* your code goes here */ }') that gets the list of values
from all inheritances as the list @_. The result of executing such a
coderef on a list of values is assumed to become a string. ANY OTHER
FORM OF VALUE WILL CURRENTLY BREAK.
As a matter of fact, an attribute in the current config with no value is
assumed to have this coderef as value:
sub { join(' ', @_) }
While we're at it, rename debug-[cl]flags to debug_[cl]flags and
nodebug-[cl]flags to release_[cl]flags.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Base templates are templates that are used to inherit from. They can
loosely be compared with parent class inheritance in object orientation.
They can be used for the same purpose as the variables with multi-field
strings are used in old-style string configurations.
Base templates are declared with the base_templates configuration
attribute, like so:
"example_target" => {
base_templates => [ "x86_asm", ... ]
...
}
Note: The value of base_templates MUST be an array reference (an array
enclosed in square brackets).
Any configuration target can be used as a base template by another. It
is also possible to have a target that's a pure template and not meant to
be used directly as a configuration target. Such a target is marked with
the template configuration attribute, like so:
"example_template" => {
template => 1,
cc => "mycc",
...
},
As part of this commit, all variables with multi-field strings have been
translated to pure templates. The variables currently remain since we
can't expect people to shift to hash table configurations immediately.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Template references are words with double brackets, and refer to the
same field in the target pointed at the the double bracketed word.
For example, if a target's configuration has the following entry:
'cflags' => '-DFOO {{x86_debug}}'
... then {{x86_debug}} will be replaced with the 'cflags' value from
target 'x86_debug'.
Note: template references are resolved recursively, and circular
references are not allowed
Reviewed-by: Andy Polyakov <appro@openssl.org>
The reasoning is that configuration strings are hard to read and error
prone, and that a better way would be for them to be key => value hashes.
Configure is made to be able to handle target configuration values as a
string as well as a hash. It also does the best it can to combine a
"debug-foo" target with a "foo" target, given that they are similar
except for the cflags and lflags values. The latter are spliced into
options that are common for "debug-foo" and "foo", options that exist
only with "debug-foo" and options that exist only with "foo", and make
them into combinable attributes that holds common cflags, extra cflags
for debuggin and extra cflags for non-debugging configurations.
The next step is to make it possible to have template configurations.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Configure would load the glob "Configurations*". The problem with
this is that it also loads all kinds of backups of those
configurations that some editors do, like emacs' classic
'Configurations~'. The solution is to give them an extension, such as
'.conf', and make sure to end the glob with that.
Also, because 'Configurations.conf' makes for a silly name, and
because a possibly large number of configurations will become clutter,
move them to a subdirectory 'Configurations/', and rename them to
something more expressive, as well as something that sets up some form
of sorting order. Thus:
Configurations -> Configurations/10-main.conf
Configurations.team -> Configurations/90-team.conf
Finally, make sure that Configure sorts the list of files that 'glob'
produces, and adapt Makefile.org.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Move the build configuration table into separate files. The Configurations
file is standard configs, and Configurations.team is for openssl-team
members. Any other file, Configurations*, found in the same directory
as the Configure script, is loaded.
To add another file, use --config=FILE flags (which should probably be
an absolute path).
Written by Stefen Eissing <stefan.eissing@greenbytes.de> and Rich Salz
<rsalz@openssl.org>, contributed by Akamai Technologies.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The previous defaulting to TERMIOS took away -DTERMIOS / -DTERMIO a
bit too enthusiastically. Windows/DOSish platforms of all sorts get
identified as OPENSSL_SYS_MSDOS, and they get a different treatment
altogether UNLESS -DTERMIO or -DTERMIOS is explicitely given with the
configuration. The answer is to restore those macro definitions for
the affected configuration targets.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The rationale for this move is that TERMIOS is default, supported by
POSIX-1.2001, and most definitely on Linux. For a few other systems,
TERMIO may still be the termnial interface of preference, so we keep
-DTERMIO on those in Configure.
crypto/ui/ui_openssl.c is simplified in this regard, and will define
TERMIOS for all systems except a select few exceptions.
Reviewed-by: Matt Caswell <matt@openssl.org>
In master OPENSSL_NO_DEPRECATED is the default anyway. By including it in
--strict-warnings as well this means you cannot combine enable-deprecated
with --strict-warnings.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
Remove MS_STATIC; it's a relic from platforms <32 bits.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit removes NCR, Tandem, Cray.
Regenerates TABLE.
Removes another missing BEOS fluff.
The last platform remaining on this ticket is WIN16.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This change documents the world as-is, by turning all warnings on,
and then turning warnings that trigger off again.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
This facilitates "universal" builds, ones that target multiple
architectures, e.g. ARMv5 through ARMv7. See commentary in
Configure for details.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
This commit removes DG-UX.
It also flushes out some left-behinds in config.
And regenerates TABLE from Configure (hadn't been done in awhile).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Also introduce OPENSSL_USE_DEPRECATED. If OPENSSL_NO_DEPRECATED is
defined at config stage then OPENSSL_USE_DEPRECATED has no effect -
deprecated functions are not available.
If OPENSSL_NO_DEPRECATED is not defined at config stage then
applications must define OPENSSL_USE_DEPRECATED in order to access
deprecated functions.
Also introduce compiler warnings for gcc for applications using
deprecated functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.
When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.
We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
These are based on debug-ben-debug-64-clang and is intended to produce
consistent settings for folks involved in the unit testing effort detailed at:
http://wiki.openssl.org/index.php/Unit_Testing
-fsanitize has been removed from the set of clang flags for now. Apparently
clang 3.1, which ships with FreeBSD 9.1, completely ignores -fsanitize. Clang
3.3, which ships with FreeBSD 9.2, compiles with it, but fails to link due to
the absence of libasan:
http://lists.freebsd.org/pipermail/freebsd-hackers/2013-December/043995.htmlhttps://www.mail-archive.com/cfe-commits@cs.uiuc.edu/msg92260.htmlhttp://reviews.llvm.org/D2644
We need -Wno-error=unused-const-variable because of this error:
.../crypto/ec/ec_lib.c:74:19: error: unused variable 'EC_version' [-Werror,-Wunused-const-variable]
static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
Change-Id: I2cba53537137186114c083049ea1233550a741f9
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
The following #ifdef tests were all removed:
__MWERKS__
MAC_OS_pre_X
MAC_OS_GUSI_SOURCE
MAC_OS_pre_X
OPENSSL_SYS_MACINTOSH_CLASSIC
OPENSSL_SYS_MACOSX_RHAPSODY
Reviewed-by: Andy Polyakov <appro@openssl.org>
Add the wrapper to all public header files (Configure
generates one). Don't bother for those that are just
lists of #define's that do renaming.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.
By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
- EC_GROUP_cmp shouldn't consider curves equal just because
the curve name is the same. (They really *should* be the same
in this case, but there's an EC_GROUP_set_curve_name API,
which could be misused.)
- EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
equality (not an error).
Reported by: king cope
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
following reasons:
- it's not the way to engage XPG4v2 mode, defining _XOPEN_SOURCE to
value less than 500 is (see standards(5));
- we need to work out strategy to handle _XOPEN_SOURCE, current state
when we define e.g. _XOPEN_SOURCE to 500 in some files is inappropriate;
- sctp implementation on Solaris is incomplete, in sense that bss_dgram.c
doesn't compile, because not all structures are defined, so that
enabling sctp doesn't work anyway;
