Configure: Show 'enable' and 'disable' config attributes

This makes a difference for './Configure HASH' and './Configure TABLE'

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged

Configure: Show 'enable' and 'disable' config attributes

This makes a difference for './Configure HASH' and './Configure TABLE'

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)

show more ...

Add 'fips-securitychecks' option and plumb this into the actual fips checks

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)

deprecate engines in 3.0

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12226)

Configure: fix minor typo in apitable comment

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl

Configure: fix minor typo in apitable comment

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12398)

show more ...

Fix many MarkDown issues in {NOTES*,README*,HACKING,LICENSE}.md files

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12109)

Rename NOTES*, README*, VERSION, HACKING, LICENSE to .md or .txt

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12109)

Configure: fix handling of build.info attributes with value

This line wasn't properly handled:

SCRIPTS{misc,linkname=tsget}=tsget.pl

It generated an attribute "linkname

Configure: fix handling of build.info attributes with value

This line wasn't properly handled:

SCRIPTS{misc,linkname=tsget}=tsget.pl

It generated an attribute "linkname=tsget" with the value 1, instead of
what it should have, an attribute "linkname" with the value "tsget".

Fixes #12341

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12344)

show more ...

Configure: Check source and build dir equality a little more thoroughly

'absolutedir' does a thorough job ensuring that we have a "real" path
to both source and build directory, unencumb

Configure: Check source and build dir equality a little more thoroughly

'absolutedir' does a thorough job ensuring that we have a "real" path
to both source and build directory, unencumbered by symbolic links.
However, that isn't enough on case insensitive file systems on Unix
flavored platforms, where it's possible to stand in, for example,
/PATH/TO/Work/openssl, and then do this:

perl ../../work/openssl/Configure

... and thereby having it look like the source directory and the build
directory aren't the same.

We solve this by having a closer look at the computed source and build
directories, and making sure they are exactly the same strings if they
are in fact the same directory.

This is especially important when making symbolic links based on this
directories, but may have other ramifications as well.

Fixes #12323

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12337)

show more ...

Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in

Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)

show more ...

DOC: Mention Configure consistently

'config' is now a mere wrapper for backward compatibility.
All documentation is changed accordingly.

Reviewed-by: Tim Hudson <tjh@openssl.org

DOC: Mention Configure consistently

'config' is now a mere wrapper for backward compatibility.
All documentation is changed accordingly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

show more ...

Configure: pick up options from older 'config'

These options were coded in util/perl/OpenSSL/config.pm, but that got
removed when the OpenSSL::config::main() function was removed. We're

Configure: pick up options from older 'config'

These options were coded in util/perl/OpenSSL/config.pm, but that got
removed when the OpenSSL::config::main() function was removed. We're
not putting them back, but in 'Configure'.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

show more ...

util/perl/OpenSSL/config.pm: refactor map_guess()

map_guess() is now table driven, just like get_system().
Additionally, it now takes a config hash table and returns one of its
own.

util/perl/OpenSSL/config.pm: refactor map_guess()

map_guess() is now table driven, just like get_system().
Additionally, it now takes a config hash table and returns one of its
own. This way, 'Configure' can pass whatever it has already found to
OpenSSL::config::get_platform(), and easily merge the returned hash
table into its %config.

This also gets rid of variables that we no longer need. That includes
$PERL and all the $__CNF_ environment variables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

show more ...

util/perl/OpenSSL/config.pm, Configure: move check of target with compiler

Previously, ./config would check if "$target-$CC", then "$target"
exists and choose the one that does. This is

util/perl/OpenSSL/config.pm, Configure: move check of target with compiler

Previously, ./config would check if "$target-$CC", then "$target"
exists and choose the one that does. This is now moved to Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

show more ...

Add ACVP fips module tests

For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be
performed. (See https://github.com/usnistgov/ACVP). These te

Add ACVP fips module tests

For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be
performed. (See https://github.com/usnistgov/ACVP). These tests are very similiar to the old CAVS tests.

This PR uses a hardwired subset of these test vectors to perform similiar operations,
to show the usage and prove that the API's are able to perform the required operations.
It may also help with communication with the lab (i.e- The lab could add a test here to show
a unworking use case - which we can then address).

The EVP layer performs these tests instead of calling lower level API's
as was done in the old FOM.
Some of these tests require access to internals that are not normally allowed/required.

The config option 'acvp_tests' (enabled by default) has been added so that this
access may be removed.

The mechanism has been implemented as additional OSSL_PARAM values that can be set and get.
A callback mechanism did not seem to add any additional benefit.
These params will not be added to the gettables lists.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11572)

show more ...

Fix egd and devrandom source configs

./config --with-rand-seed=egd

need to defines OPENSSL_RAND_SEED_EGD and OPENSSL_NO_EGD
so get rid of OPENSSL_NO_EGD (compiles but I did not

Fix egd and devrandom source configs

./config --with-rand-seed=egd

need to defines OPENSSL_RAND_SEED_EGD and OPENSSL_NO_EGD
so get rid of OPENSSL_NO_EGD (compiles but I did not really test EGD)

./config --with-rand-seed=devrandom

does not work since wait_random_seeded works under the assumption
that OPENSSL_RAND_SEED_GETRANDOM is supposed to be enabled as well,
that is usually the case, but not when only devrandom is enabled.
Skip the wait code in this special case.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11848)

show more ...

Configure: avoid perl regexp bugs

It seems that in older perl versions '(?P' doesn't interact very well
with '(?|' or '(?:'.

Since we make extensive use of '(?P' in build.info p

Configure: avoid perl regexp bugs

It seems that in older perl versions '(?P' doesn't interact very well
with '(?|' or '(?:'.

Since we make extensive use of '(?P' in build.info parsing, we avoid
combining that with '(?|' and '(?:' when parsing build.info variables,
and end up parsing variable modifier twice (first generally, and then
parse that result into the modifier components).

Fixes #11694

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11737)

show more ...

Configure: change all references to INSTALL to INSTALL.md

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11657)

Configure: Allow quoted values in VERSION

Fixes #11618

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://gi

Configure: Allow quoted values in VERSION

Fixes #11618

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11624)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)

GOST2012 TLS Supported Groups Identifiers Support

For GOST2012-GOST8912-GOST8912 IANA introduce TLS Supported Groups Identifiers
https://www.iana.org/assignments/tls-parameters/tls-param

GOST2012 TLS Supported Groups Identifiers Support

For GOST2012-GOST8912-GOST8912 IANA introduce TLS Supported Groups Identifiers
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11568)

show more ...

config, Configure: move the check of removed crypto/ sub-systems

The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

config, Configure: move the check of removed crypto/ sub-systems

The 'config' script checked for a bunch of crypto/ sub-system
directories, and added 'no-' options if they weren't there.

We move it to 'Configure' in an effort to simplify 'config' for
further work.

Note: this is pretty much a historical thing. In modern OpenSSL, it's
much simpler to edit the SUBDIRS statement in crypto/build.info.
However, it's been claimed the there are those who still remove some
of these sub-system sources.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11217)

show more ...

Configure: Diverse cleanups

There were some remaining old code and comments that don't serve a
purpose any longer.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged

Configure: Diverse cleanups

There were some remaining old code and comments that don't serve a
purpose any longer.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

show more ...

build.info: Implement simply substitutions in variable values

Use case: having a variable with multiple source files in its value,
and wanting to refer to the corresponding object file.

build.info: Implement simply substitutions in variable values

Use case: having a variable with multiple source files in its value,
and wanting to refer to the corresponding object file.

$SRCS=foo.c bar.c
SOURCE[program]=$SRCS
DEPEND[${SRCS/.c/.o}]=prog.h

GENERATE[prog.h]=...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

show more ...

build.info: Make it possible to have more than one item in KEYWORD[]

So far, the "index" part of KEYWORD[whatever] could only handle one
item. There are cases, however, where we want to

build.info: Make it possible to have more than one item in KEYWORD[]

So far, the "index" part of KEYWORD[whatever] could only handle one
item. There are cases, however, where we want to add the exact same
value to multiple items. This is especially helpful if a variable
that may have multi-item values are used in the "index" part.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11185)

show more ...

Make secure-memory be a config option

Adding support for "no-secure-memory" was simple, a one-liner.
Fixing all the "ifdef OPENSSL_SECURE_MEMORY" to be "ifndef NO_xxx"
was a bit more

Make secure-memory be a config option

Adding support for "no-secure-memory" was simple, a one-liner.
Fixing all the "ifdef OPENSSL_SECURE_MEMORY" to be "ifndef NO_xxx"
was a bit more work. My original goof, for not following the OpenSSL
pattern "ifndef NO_" used everywhere else.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11023)

show more ...