Make secure-memory be a config option

Adding support for "no-secure-memory" was simple, a one-liner.
Fixing all the "ifdef OPENSSL_SECURE_MEMORY" to be "ifndef NO_xxx"
was a bit more

Make secure-memory be a config option

Adding support for "no-secure-memory" was simple, a one-liner.
Fixing all the "ifdef OPENSSL_SECURE_MEMORY" to be "ifndef NO_xxx"
was a bit more work. My original goof, for not following the OpenSSL
pattern "ifndef NO_" used everywhere else.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11023)

show more ...

Configure: Add easy to use disabled deprecated functionality indicators

In C, we have macros like OPENSSL_NO_DEPRECATED_3_0 to check if some
section of code should be disabled to simulat

Configure: Add easy to use disabled deprecated functionality indicators

In C, we have macros like OPENSSL_NO_DEPRECATED_3_0 to check if some
section of code should be disabled to simulate a removal of things
deprecated in the version.

In perl, we had to check $disabled{deprecated} and compare
$config{api} with the proper version code, which is doable but tedious
and error prone.

This change adds $disabled{'deprecated-x.y'} (x.y being a version
number) which directly corresponds to OPENSSL_NO_DEPRECATED_x_y, for
use in build.info conditions, test recipes and other perl stuff.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11027)

show more ...

Configure: Better detection of '-static' in @{$config{LDFLAGS}}

@{$config{LDFLAGS}} isn't necessarily split up in pieces, so we need
to check for '-static' with a regexp rather than with

Configure: Better detection of '-static' in @{$config{LDFLAGS}}

@{$config{LDFLAGS}} isn't necessarily split up in pieces, so we need
to check for '-static' with a regexp rather than with an exact string
match.

Fixes #10867

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10878)

show more ...

Configure: use $list_separator_re only for defines and includes

This regexp was used a bit too uncontrolled, which had it split flag
values where it should not have.

Fixes #1079

Configure: use $list_separator_re only for defines and includes

This regexp was used a bit too uncontrolled, which had it split flag
values where it should not have.

Fixes #10792

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10793)

show more ...

Deprecate the low level AES functions

Use of the low level AES functions has been informally discouraged for a
long time. We now formally deprecate them.

Applications should ins

Deprecate the low level AES functions

Use of the low level AES functions has been informally discouraged for a
long time. We now formally deprecate them.

Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
functions.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10580)

show more ...

Deprecated crypto-mdebug-backtrace

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pu

Deprecated crypto-mdebug-backtrace

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10572)

show more ...

Deprecate most of debug-memory

Fixes #8322

The leak-checking (and backtrace option, on some platforms) provided
by crypto-mdebug and crypto-mdebug-backtrace have been mostly neu

Deprecate most of debug-memory

Fixes #8322

The leak-checking (and backtrace option, on some platforms) provided
by crypto-mdebug and crypto-mdebug-backtrace have been mostly neutered;
only the "make malloc fail" capability remains. OpenSSL recommends using
the compiler's leak-detection instead.

The OPENSSL_DEBUG_MEMORY environment variable is no longer used.
CRYPTO_mem_ctrl(), CRYPTO_set_mem_debug(), CRYPTO_mem_leaks(),
CRYPTO_mem_leaks_fp() and CRYPTO_mem_leaks_cb() return a failure code.
CRYPTO_mem_debug_{malloc,realloc,free}() have been removed. All of the
above are now deprecated.

Merge (now really small) mem_dbg.c into mem.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10572)

show more ...

Configure: use ELFv2 ABI on some ppc64 big endian systems

If _CALL_ELF is defined to be 2, it's an ELFv2 system.
Conditionally switch to the v2 perlasm scheme.

Reviewed-by: Paul

Configure: use ELFv2 ABI on some ppc64 big endian systems

If _CALL_ELF is defined to be 2, it's an ELFv2 system.
Conditionally switch to the v2 perlasm scheme.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)

show more ...

Configuration: compute openssl_other_defines and related info later

The computation of macros and configdata.pm related data from %disabled
was done much too early, leaving later disabli

Configuration: compute openssl_other_defines and related info later

The computation of macros and configdata.pm related data from %disabled
was done much too early, leaving later disablings without real support.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10566)

show more ...

Disable devcryptoeng on newer OpenBSD versions

It's reported that /dev/crypto support has been dropped in OpenBSD 5.7.

Fixes #10552

Reviewed-by: Tim Hudson <tjh@openssl.org

Disable devcryptoeng on newer OpenBSD versions

It's reported that /dev/crypto support has been dropped in OpenBSD 5.7.

Fixes #10552

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10566)

show more ...

Configure: make it possible to have generated generators

This makes it possible to chain GENERATOR statements, which allows
constructs like this:

GENERATE[something.html]=so

Configure: make it possible to have generated generators

This makes it possible to chain GENERATOR statements, which allows
constructs like this:

GENERATE[something.html]=something.pod
GENERATE[something.pod]=something.pod.in

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)

show more ...

Add the possibility to generate documentation at build time

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6236)

Change the logic and behaviour surrounding '--api' and 'no-deprecated'

At some point in time, there was a 'no-deprecated' configuration
option, which had the effect of hiding all declara

Change the logic and behaviour surrounding '--api' and 'no-deprecated'

At some point in time, there was a 'no-deprecated' configuration
option, which had the effect of hiding all declarations of deprecated
stuff, i.e. make the public API look like they were all removed.

At some point in time, there was a '--api' configuration option, which
had the effect of having the public API look like it did in the version
given as value, on a best effort basis. In practice, this was used to
get different implementations of BN_zero(), depending on the desired
API compatibility level.

At some later point in time, '--api' was changed to mean the same as
'no-deprecated', but only for the deprecations up to and including the
desired API compatibility level. BN_zero() has been set to the
pre-1.0.0 implementation ever since, unless 'no-deprecation' has been
given.

This change turns these options back to their original meaning, but
with the slight twist that when combined, i.e. both '--api' and
'no-deprecated' is given, the declarations that are marked deprecated
up to an including the desired API compatibility level are hidden,
simulating that they have been removed.

If no desired API compatibility level has been given, then
configuration sets the current OpenSSL version by default.

Furthermore, the macro OPENSSL_API_LEVEL is now used exclusively to
check what API compatibility level is desired. For checking in code
if `no-deprecated` has been configured for the desired API
compatibility level, macros for each supported level is generated,
such as OPENSSL_NO_DEPRECATED_1_1_1, corresponding to the use of
DEPRECATEDIN_ macros, such as DEPRECATEDIN_1_1_1().

Just like before, to set an API compatibility level when building an
application, define OPENSSL_API_COMPAT with an appropriate value. If
it's desirable to hide deprecated functions up to and including that
level, additionally define OPENSSL_NO_DEPRECATED (the value is
ignored).

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10364)

show more ...

Configure: Make --strict-warnings meaningful with MSVC cl

We also add this to our x86_64 builds on appveyor

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://git

Configure: Make --strict-warnings meaningful with MSVC cl

We also add this to our x86_64 builds on appveyor

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10287)

show more ...

Add support for in-kernel TLS (KTLS) on FreeBSD.

- Check for the <sys/ktls.h> header to determine if KTLS support
is available.
- Populate a tls_enable structure with session key m

Add support for in-kernel TLS (KTLS) on FreeBSD.

- Check for the <sys/ktls.h> header to determine if KTLS support
is available.
- Populate a tls_enable structure with session key material for
supported algorithms. At present, AES-GCM128/256 and AES-CBC128/256
with SHA1 and SHA2-256 HMACs are supported. For AES-CBC, only MtE
is supported.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10045)

show more ...

Update dgst.c to show a list of message digests

Fixes #9893

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Me

Update dgst.c to show a list of message digests

Fixes #9893

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9912)

show more ...

Configure: get version from the file 'VERSION' instead of 'opensslv.h'

'VERSION' is a very easy file to parse, as opposed to a header file.
We also have the benefit of holding the versio

Configure: get version from the file 'VERSION' instead of 'opensslv.h'

'VERSION' is a very easy file to parse, as opposed to a header file.
We also have the benefit of holding the version information in one
very well known place and can then generate all other version texts
as we see fit, for example opensslv.h.

Fixes #10203

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10205)

show more ...

Configure: accept Windows style compiler options

Currently the Configure command only supports passing UNIX style
options (`-opt`) to the compiler. Passing Windows style options
(`/o

Configure: accept Windows style compiler options

Currently the Configure command only supports passing UNIX style
options (`-opt`) to the compiler. Passing Windows style options
(`/opt`) yields an error. Fortunately, the compiler accepts both
types of options, nevertheless this commit fixes that discrimination
of Windows users.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9961)

show more ...

Configure: Implement attributes for DEPEND[xxx]

We want to attach attributes on dependencies.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openss

Configure: Implement attributes for DEPEND[xxx]

We want to attach attributes on dependencies.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

show more ...

Configure: rework build.info grammar and attributes

The build.info grammar's regular expressions were a horrible read.
By assigning certain sub-expressions to variables, we hope to make

Configure: rework build.info grammar and attributes

The build.info grammar's regular expressions were a horrible read.
By assigning certain sub-expressions to variables, we hope to make
it a little more readable.

Also, the handling of build.info attributes is reworked to use a
common function instead of having copies of the same code.

Finally, the attributes are reorganized to specify if they belong with
programs, libraries, modules or scripts. This will enable more
intricate attribute assignment in changes to come.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

show more ...

When building of modules is disabled, build the legacy provider into libcrypto

This makes the legacy provider available regardless of building conditions.

Reviewed-by: Matt Caswell

When building of modules is disabled, build the legacy provider into libcrypto

This makes the legacy provider available regardless of building conditions.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9637)

show more ...

Configure, build.info: make it possible to use variables in indexes

That will make it possible to assign different goals for translation
units depending on need.

Reviewed-by: Ma

Configure, build.info: make it possible to use variables in indexes

That will make it possible to assign different goals for translation
units depending on need.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9637)

show more ...

Fix building statically without any dso support

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9895)

confdata.pm.in: New template for configdata.pm

To have the configdata.pm text embedded in Configure was kind of ugly,
and becomes clearer if put into a template file, configdata.pm.in.

confdata.pm.in: New template for configdata.pm

To have the configdata.pm text embedded in Configure was kind of ugly,
and becomes clearer if put into a template file, configdata.pm.in. We
can then use OpenSSL::Template to generate it.

We also modify configdata.pm to be the build file generator, and run
it from Configure. The benefit with that is that developers who
tinker and play with the build file can do a "factory reset" without
having to go through the configuration process, i.e. they can re-use
the config data the already have.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9693)

show more ...

Rework the perl fallback functionality

The module with_fallback.pm was kind of clunky and required a transfer
module. This change replaces if with a much more generic pragma type
mo

Rework the perl fallback functionality

The module with_fallback.pm was kind of clunky and required a transfer
module. This change replaces if with a much more generic pragma type
module, which simply appends given directories to @INC (as opposed to
the 'lib' pragma, which prepends the directories to @INC).

This also supports having a file MODULES.txt with sub-directories to
modules. This ensures that we don't have to spray individual module
paths throughout our perl code, but can have them collected in one
place.

(do note that there is a 'fallback' module on CPAN. However, it isn't
part of the core perl, and it has no support the any MODULES.txt kind
of construct)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9826)

show more ...