acvp-test: disable the ACVP testing code by default

It's only useful for the FIPS lab and shouldn't be in production.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged

acvp-test: disable the ACVP testing code by default

It's only useful for the FIPS lab and shouldn't be in production.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15092)

show more ...

acvp: fix the no-acvp_test build

A pair of the disabled string checks were incorrect.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.

acvp: fix the no-acvp_test build

A pair of the disabled string checks were incorrect.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15082)

show more ...

Configure: disable fips mode by default

Building the fips provider in addition to the default provider
effectively doubles the build time. Since many users will not
need fips support

Configure: disable fips mode by default

Building the fips provider in addition to the default provider
effectively doubles the build time. Since many users will not
need fips support, it is now disabled by default.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)

show more ...

Configure: sort the disablables alphabetically

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13684)

Configuration: rework how dependency making is handled

Previously, we had dependency making pretty much hard coded in the
build file templates, with a bit of an exception for Unix family

Configuration: rework how dependency making is handled

Previously, we had dependency making pretty much hard coded in the
build file templates, with a bit of an exception for Unix family
platforms, where we had different cases depending on what dependency
making program was found.

With the Embarcadero C++ builder, a separate scheme appeared, with a
different logic.

This change merges the two, and introduces two config target
attributes:

makedepcmd The program to use, where this is relevant.
This replaces the earlier configuration
attribute 'makedepprog'.
makedep_scheme This is a keyword that can be used by build
files templates to produce different sorts of
commands, but most importantly, to pass as
argument to util/add-depend.pl, which uses
this keyword as a "producer" for the
dependency lines.

If the config target doesn't define the 'makedep_scheme' attribute,
Configure tries to figure it out by looking for GCC compatible
compilers or for the 'makedepend' command.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/15006)

show more ...

Runchecker: fix failure with no-autoalginit option by disabling FIPS

With this option, the openssl command line tool is not created. Without that
it is impossible to create the fipsmodu

Runchecker: fix failure with no-autoalginit option by disabling FIPS

With this option, the openssl command line tool is not created. Without that
it is impossible to create the fipsmodule.cnf file that the tests would
otherwise depend upon.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14979)

show more ...

Avoid the need for Configure time 128-bit int detection

We just detect this at compile time instead.

This avoids cross-compilation problems where the host platform supports
128-

Avoid the need for Configure time 128-bit int detection

We just detect this at compile time instead.

This avoids cross-compilation problems where the host platform supports
128-bit ints, but the target platform does not (or vice versa). This was
causing a problem on some platforms where, dependent on the CFLAGS, 128 bit
ints were either supported or not.

Fixes #14804

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14941)

show more ...

Generate dependency information

The Clang-based `bcc32c.exe` doesn't implement the `-Hp` option, so we
have to use [`cpp32.exe`][1] instead. Therefore, change the dependency-
emitti

Generate dependency information

The Clang-based `bcc32c.exe` doesn't implement the `-Hp` option, so we
have to use [`cpp32.exe`][1] instead. Therefore, change the dependency-
emitting command to use `$(CPP)` instead of `$(CC)`, which which also
uncovered the [existing bug of `2>&1` before `> $dep`][2]. Also
C++Builder's `make.exe` doesn't implement `2>&1` in its command runner,
so wrap the whole line in a `cmd /C`.

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/CPP32.EXE,_the_C_Compiler_Preprocessor
[2]: https://ss64.com/nt/syntax-redirection.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

show more ...

Configure: Check if 128-bit integers are supported by compiler

Add a config variable "use_int128" to indicate if 128-bit integers are
supported or not at the configure time. This makes

Configure: Check if 128-bit integers are supported by compiler

Add a config variable "use_int128" to indicate if 128-bit integers are
supported or not at the configure time. This makes it easier to
automatically select 64-bit versus 32-bit implementation for curve448.

Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)

show more ...

Disable fips-securitychecks if no-fips is configured.

Fixes: #14629

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>

Disable fips-securitychecks if no-fips is configured.

Fixes: #14629

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14634)

show more ...

Configure: check all DEPEND values against GENERATE, not just .h files

All files that are given to DEPEND statements in build.info files are
being checked against GENERATE statements, to

Configure: check all DEPEND values against GENERATE, not just .h files

All files that are given to DEPEND statements in build.info files are
being checked against GENERATE statements, to see if it's reasonable
to look for them in the source tree or not. This was only done for .h
files, for reasons that are lost in history. We now change that check
to look at all files instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14598)

show more ...

build.info: Make it possible to use compiled programs as generators

Our goal is to be able to produce fipsmodule.cnf with the help of
'openssl fipsinstall', using the openssl program tha

build.info: Make it possible to use compiled programs as generators

Our goal is to be able to produce fipsmodule.cnf with the help of
'openssl fipsinstall', using the openssl program that we build.

This refactors the generatesrc code in all the build file templates to
replace $generator and $generator_incs with $gen0, $gen_args and $gen_incs,
which makes it easier and more consistent to manipulate different bits
of the generator command, and also keeps the variable names consistent
while not overly long.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)

show more ...

build.info: Add the possibility to add dependencies on raw targets

We need to add something for the 'tests' target to depend on, so a
special syntax for those is introduced:

build.info: Add the possibility to add dependencies on raw targets

We need to add something for the 'tests' target to depend on, so a
special syntax for those is introduced:

DEPEND[|tests|]=fipsmodule.cnf

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)

show more ...

Deprecate the low level SRP APIs

The OTC decided that all low level APIs should be deprecated. This extends
to SRP, even though at the current time there is no "EVP" interface to it.

Deprecate the low level SRP APIs

The OTC decided that all low level APIs should be deprecated. This extends
to SRP, even though at the current time there is no "EVP" interface to it.
This could be added in a future release.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14132)

show more ...

Add a configure time option to disable the fetch cache.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.co

Add a configure time option to disable the fetch cache.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

show more ...

Stop disabling TLSv1.3 if ec and dh are disabled

Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provid

Stop disabling TLSv1.3 if ec and dh are disabled

Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provider.

Fixes #13767

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

show more ...

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)

Configure: warn about duplicate GENERATE declarations in build.info files

This sort of duplication is permitted, as the end result will be a single
item anyway, but we might as well warn

Configure: warn about duplicate GENERATE declarations in build.info files

This sort of duplication is permitted, as the end result will be a single
item anyway, but we might as well warn to avoid future confusion.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)

show more ...

Configure: clean away perl syntax faults

The faults aren't fatal (i.e. perl just shrugs), but are curious.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https:/

Configure: clean away perl syntax faults

The faults aren't fatal (i.e. perl just shrugs), but are curious.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)

show more ...

Configure: Check all SOURCE declarations, to ensure consistency

If the given sources are GENERATEd, we check those generators as well.

This ensures that the declarations in the dive

Configure: Check all SOURCE declarations, to ensure consistency

If the given sources are GENERATEd, we check those generators as well.

This ensures that the declarations in the diverse build.info files are
consistent with existing files.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13824)

show more ...

Drop OPENSSL_NO_RSA everywhere

The configuration option 'no-rsa' was dropped with OpenSSL 1.1.0, so
this is simply a cleanup of the remains.

Reviewed-by: Tomas Mraz <tmraz@fedor

Drop OPENSSL_NO_RSA everywhere

The configuration option 'no-rsa' was dropped with OpenSSL 1.1.0, so
this is simply a cleanup of the remains.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13700)

show more ...

GitHub CI: Separate no-deprecated job from minimal job

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13706)

{.travis,ci,appveyor}.yml: Make minimal config consistent, add no-deprecated no-ec no-ktls no-siv

This works nicely by addin a new no-bulk option to Configure.

Reviewed-by: Matt Cas

{.travis,ci,appveyor}.yml: Make minimal config consistent, add no-deprecated no-ec no-ktls no-siv

This works nicely by addin a new no-bulk option to Configure.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13110)

show more ...

Fix no-engine

If we specify no-engine then this should cascade to also mean
no-dynamic-engine. The store test was only checking whether
dynamic-engine was disabled, meaning that some

Fix no-engine

If we specify no-engine then this should cascade to also mean
no-dynamic-engine. The store test was only checking whether
dynamic-engine was disabled, meaning that some tests were failing
in a no-engine build.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13502)

show more ...

Configure: handle undefined shared_target.

Some very basic config targets don't defined the 'shared_target'
attribute at all. This wasn't handled well enough in Configure.
This also

Configure: handle undefined shared_target.

Some very basic config targets don't defined the 'shared_target'
attribute at all. This wasn't handled well enough in Configure.
This also cleans away an explicit reference to the ossltest engine in
Configurations/unix-Makefile.tmpl, which isn't necessary since the
build.info attributes were added.

Fixes openssl/web#197

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13031)

show more ...