openssl.git
21 months ago crypto/engine/eng_list.c: compare getenv rv to NULL instead of 0
Patrick Steuer [Mon, 18 Dec 2017 21:47:01 +0000 (22:47 +0100)]
crypto/engine/eng_list.c: compare getenv rv to NULL instead of 0

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4958)

21 months ago Clarify error for unrecognized arguments.
Jacob Hoffman-Andrews [Sat, 23 Dec 2017 00:18:22 +0000 (16:18 -0800)]
Clarify error for unrecognized arguments.

Many of the sub-commands under apps/ accept cipher or digest arguments like
"-sha256". These are implemented using a catchall flag that runs the result
through opt_md() or opt_cipher(). That means any unrecognized flag, including
typos, gets sent to those two functions, producing confusing error messages like
below:

    $ ./apps/openssl req -x590
    req: Unrecognized digest x590
    req: Use -help for summary.

This change switches these two functions to say "Unrecognized flag X" instead.
The new message deliberately leaves off the "-" from the flag name, because
there are some cases where opt_md() and opt_cipher() are passed a flag value
instead (for instance, openssl ca -md). I think the new message is generic
enough that it can serve both cases with improved clarity.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4972)

21 months ago fix compile error 'intrinsic function not declared'
EasySec [Sat, 30 Dec 2017 17:48:23 +0000 (18:48 +0100)]
fix compile error 'intrinsic function not declared'

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5000)

21 months ago Fix spelling: adroideabi -> androideabi
pass86 [Sun, 7 Jan 2018 13:57:25 +0000 (21:57 +0800)]
Fix spelling: adroideabi -> androideabi

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5029)

21 months ago Use the index that matches the key type (either SSL_PKEY_RSA_PSS_SIGN or SSL_PKEY_RSA).
Noah Robbin [Wed, 29 Nov 2017 21:58:25 +0000 (16:58 -0500)]
Use the index that matches the key type (either SSL_PKEY_RSA_PSS_SIGN or SSL_PKEY_RSA).

Extract the RSA key using EVP_PKEY_get0.  Type is checked externally to be either EVP_PKEY_RSA_PSS or EVP_PKEY_RSA.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4389)

21 months ago Use size of server key when selecting signature algorithm.
Noah Robbin [Tue, 19 Sep 2017 16:15:42 +0000 (12:15 -0400)]
Use size of server key when selecting signature algorithm.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4389)

21 months ago NUMERICSTRING support
Dmitry Belyavskiy [Mon, 8 Jan 2018 12:32:47 +0000 (15:32 +0300)]
NUMERICSTRING support

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5036)

21 months ago Add util/openssl-update-copyright shell script
Dr. Matthias St. Pierre [Sun, 7 Jan 2018 01:29:01 +0000 (02:29 +0100)]
Add util/openssl-update-copyright shell script

usage: openssl-update-copyright [-h|--help] [file|directory] ...

Updates the year ranges of all OpenSSL copyright statements in the given
files or directories. (Directories are traversed recursively.)

Only copyright statements containing the string 'The OpenSSL Project' are
affected. The copyright time range is adjusted to include the current year.
If only a single year was specified, it is replaced by a time range starting
at that year and ending at the current year. All '(c)' and '(C)' signs are
preserved.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5027)

21 months ago Separate general linking flags from extra libraries
Richard Levitte [Mon, 8 Jan 2018 11:28:08 +0000 (12:28 +0100)]
Separate general linking flags from extra libraries

So far, we've placed all extra library related flags together, ending
up in the make variable EX_LIBS.  This turns out to be problematic, as
for example, some compilers don't quite agree with something like
this:

    cc -o foo foo.o -L/whatever -lsomething

They prefer this:

    cc -L/whatever -o foo foo.o -lsomething

IBM's compiler on OS/390 is such a compiler that we know of, and we
have previously handled that as a previous case.

The answer here is to make a more general solution, where linking
options are divided in two parts, where one ends up in LDFLAGS and
the other in EX_LIBS (they correspond to what is called LDFLAGS and
LDLIBS in the GNU world)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5033)

21 months ago Clean up uClinux targets
Richard Levitte [Mon, 8 Jan 2018 11:40:06 +0000 (12:40 +0100)]
Clean up uClinux targets

The uClinux targets included some attributes that would result in
circular references of CFLAGS and LDFLAGS.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5034)

21 months ago Fix IPv6 define
Rich Salz [Sun, 7 Jan 2018 20:58:52 +0000 (15:58 -0500)]
Fix IPv6 define

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5030)

21 months ago CHANGES: Document the removal of OS390-Unix
Richard Levitte [Sun, 7 Jan 2018 21:36:12 +0000 (22:36 +0100)]
CHANGES: Document the removal of OS390-Unix

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5031)

21 months ago s390x assembly pack: add KMA code path for aes-gcm.
Patrick Steuer [Mon, 2 Oct 2017 13:53:00 +0000 (15:53 +0200)]
s390x assembly pack: add KMA code path for aes-gcm.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)

21 months ago crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.
Patrick Steuer [Tue, 24 Oct 2017 11:29:40 +0000 (13:29 +0200)]
crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)

21 months ago s390x assembly pack: add KMA code path for aes-ctr.
Patrick Steuer [Tue, 14 Feb 2017 01:07:37 +0000 (02:07 +0100)]
s390x assembly pack: add KMA code path for aes-ctr.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)

21 months ago ec/curve25519.c: avoid 2^51 radix on SPARC.
Andy Polyakov [Sun, 31 Dec 2017 12:23:08 +0000 (13:23 +0100)]
ec/curve25519.c: avoid 2^51 radix on SPARC.

SPARC ISA doesn't have provisions to back up 128-bit multiplications
and additions. And so multiplications are done with library calls
and carries with comparisons and conditional moves. As result base
2^51 code is >40% slower...

Reviewed-by: Tim Hudson <tjh@openssl.org>

21 months ago ec/ecp_nistz256.c: switch to faster addition chain in scalar inversion.
Andy Polyakov [Sat, 30 Dec 2017 19:15:44 +0000 (20:15 +0100)]
ec/ecp_nistz256.c: switch to faster addition chain in scalar inversion.

[and improve formatting]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

21 months ago ec/asm/ecp_nistz256-armv8.pl: add optimized inversion.
Andy Polyakov [Sat, 30 Dec 2017 14:11:25 +0000 (15:11 +0100)]
ec/asm/ecp_nistz256-armv8.pl: add optimized inversion.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

21 months ago ec/asm/ecp_nistz256-x86_64.pl: add .cfi and SEH handlers to new functions.
Andy Polyakov [Sat, 30 Dec 2017 14:51:55 +0000 (15:51 +0100)]
ec/asm/ecp_nistz256-x86_64.pl: add .cfi and SEH handlers to new functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

21 months ago ec/ecp_nistz256.c: improve ECDSA sign by 30-40%.
Andy Polyakov [Sat, 30 Dec 2017 14:08:31 +0000 (15:08 +0100)]
ec/ecp_nistz256.c: improve ECDSA sign by 30-40%.

This is based on RT#3810, which added dedicated modular inversion.
ECDSA verify results improve as well, but not as much.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

21 months ago Remove remaining NETWARE ifdef's
Rich Salz [Sat, 6 Jan 2018 16:49:53 +0000 (11:49 -0500)]
Remove remaining NETWARE ifdef's

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5028)

21 months ago Add fingerprint text, remove MD5
Rich Salz [Sat, 4 Nov 2017 14:40:49 +0000 (10:40 -0400)]
Add fingerprint text, remove MD5

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4906)

21 months ago Add the possibility to do 'openssl help [command]'
Richard Levitte [Sun, 31 Dec 2017 07:44:26 +0000 (08:44 +0100)]
Add the possibility to do 'openssl help [command]'

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5002)

21 months ago apps: make sure prog_init only calculates once
Richard Levitte [Sun, 31 Dec 2017 07:44:12 +0000 (08:44 +0100)]
apps: make sure prog_init only calculates once

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5002)

21 months ago Corrected 'cms' exit status when key or certificate cannot be opened
Konstantin Shemyak [Thu, 28 Dec 2017 21:12:59 +0000 (23:12 +0200)]
Corrected 'cms' exit status when key or certificate cannot be opened

Fixes #4996.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4997)

21 months ago Fix error handling in X509_REQ_print_ex
Bernd Edlinger [Sat, 6 Jan 2018 14:21:46 +0000 (15:21 +0100)]
Fix error handling in X509_REQ_print_ex

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5025)

21 months ago Stop using unimplemented cipher classes.
Bernd Edlinger [Fri, 5 Jan 2018 17:50:09 +0000 (18:50 +0100)]
Stop using unimplemented cipher classes.
Add comments to no longer usable ciphers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5023)

21 months ago Add x509(1) reference
Viktor Dukhovni [Wed, 13 Dec 2017 15:55:38 +0000 (10:55 -0500)]
Add x509(1) reference

Reviewed-by: Ben Kaduk <kaduk@mit.edu>

21 months ago Remove old config that used non-existent util script
Rich Salz [Thu, 4 Jan 2018 18:02:37 +0000 (13:02 -0500)]
Remove old config that used non-existent util script

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5016)

21 months ago Rewrite RT3513.
Rich Salz [Wed, 3 Jan 2018 18:12:20 +0000 (13:12 -0500)]
Rewrite RT3513.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5011)

21 months ago Improve readability of evp.pod
Dr. Matthias St. Pierre [Wed, 3 Jan 2018 21:14:02 +0000 (22:14 +0100)]
Improve readability of evp.pod

The changes are analogous to the ones made in commit 0bf340e1350e
to x509.pod, see PR #4924.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5012)

21 months ago crypto/rand: restore the generic DRBG implementation
Dr. Matthias St. Pierre [Thu, 28 Dec 2017 20:42:14 +0000 (21:42 +0100)]
crypto/rand: restore the generic DRBG implementation

The DRBG concept described in NIST SP 800-90A provides for having different
algorithms to generate random output. In fact, the FIPS object module used to
implement three of them, CTR DRBG, HASH DRBG and HMAC DRBG.

When the FIPS code was ported to master in #4019, two of the three algorithms
were dropped, and together with those the entire code that made RAND_DRBG
generic was removed, since only one concrete implementation was left.

This commit restores the original generic implementation of the DRBG, making it
possible again to add additional implementations using different algorithms
(like RAND_DRBG_CHACHA20) in the future.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4998)

21 months ago crypto/rand: rename drbg_rand.c to drbg_ctr.c
Dr. Matthias St. Pierre [Thu, 28 Dec 2017 01:18:21 +0000 (02:18 +0100)]
crypto/rand: rename drbg_rand.c to drbg_ctr.c

The generic part of the FIPS DRBG was implemented in fips_drbg_lib.c and the
algorithm specific parts in fips_drbg_<alg>.c for <alg> in {ctr, hash, hmac}.
Additionally, there was the module fips_drbg_rand.c which contained 'gluing'
code between the RAND_METHOD api and the FIPS DRBG.

When the FIPS code was ported to master in #4019, for some reason the ctr-drbg
implementation from fips_drbg_ctr.c ended up in drbg_rand.c instead of drbg_ctr.c.

This commit renames the module drbg_rand.c back to drbg_ctr.c, thereby restoring
a simple relationship between the original fips modules and the drbg modules
in master:

 fips_drbg_lib.c    =>  drbg_lib.c    /* generic part of implementation */
 fips_drbg_<alg>.c  =>  drbg_<alg>.c  /* algorithm specific implementations */

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4998)

21 months ago Test that supported_groups is permitted in ServerHello
Benjamin Kaduk [Wed, 4 Oct 2017 17:09:16 +0000 (12:09 -0500)]
Test that supported_groups is permitted in ServerHello

Add a regression test for the functionality enabled in the
previous commit.

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4463)

21 months ago Permit the "supported_groups" extension in ServerHellos
Benjamin Kaduk [Wed, 4 Oct 2017 16:02:23 +0000 (11:02 -0500)]
Permit the "supported_groups" extension in ServerHellos

Although this is forbidden by all three(!) relevant specifications,
there seem to be multiple server implementations in the wild that
send it.  Since we didn't check for unexpected extensions in any
given message type until TLS 1.3 support was added, our previous
behavior was to silently accept these extensions and pass them over
to the custom extension callback (if any).  In order to avoid
regression of functionality, relax the check for "extension in
unexpected context" for this specific case, but leave the protocol
enforcement mechanism unchanged for other extensions and in other
extension contexts.

Leave a detailed comment to indicate what is going on.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4463)

21 months ago Fix trace of TLSv1.3 Certificate Request message
Matt Caswell [Tue, 2 Jan 2018 15:51:23 +0000 (15:51 +0000)]
Fix trace of TLSv1.3 Certificate Request message

A TLSv1.3 Certificate Request message was issuing a "Message length parse
error" using the -trace option to s_server/s_client.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5008)

21 months ago Fix minor 'the the' typos
Daniel Bevenius [Fri, 29 Dec 2017 06:07:15 +0000 (07:07 +0100)]
Fix minor 'the the' typos

Similar to commit 17b602802114d53017ff7894319498934a580b17 (
"Remove extra `the` in SSL_SESSION_set1_id.pod"), this commit removes
typos where additional 'the' have been added.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4999)

21 months ago Ignore ORDINALS in build.info files, and remove its documentation
Richard Levitte [Thu, 28 Dec 2017 15:03:17 +0000 (16:03 +0100)]
Ignore ORDINALS in build.info files, and remove its documentation

Following the changes that removed Makefile.shared, we also changed
the generation of .def / .map / .opt files from ordinals to be more
explicit, removing the need for the "magic" ORDINALS declaration.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4993)

21 months ago ec/curve25519.c: "double" ecdhx25519 performance on 64-bit platforms.
Andy Polyakov [Wed, 27 Dec 2017 10:55:34 +0000 (11:55 +0100)]
ec/curve25519.c: "double" ecdhx25519 performance on 64-bit platforms.

"Double" is in quotes because improvement coefficient varies
significantly depending on platform and compiler. You're likely
to measure ~2x improvement on popular desktop and server processors,
but not so much on mobile ones, even minor regression on ARM
Cortex series. Latter is because they have rather "weak" umulh
instruction. On low-end x86_64 problem is that contemporary gcc
and clang tend to opt for double-precision shift for >>51, which
can be devastatingly slow on some processors.

Just in case for reference, trick is to use 2^51 radix [currently
only for DH].

Reviewed-by: Rich Salz <rsalz@openssl.org>

21 months ago Update the documentation for SSL_write_early_data()
Matt Caswell [Wed, 27 Dec 2017 13:55:03 +0000 (13:55 +0000)]
Update the documentation for SSL_write_early_data()

Now that we attempt to send early data in the first TCP packet along with
the ClientHello, the documentation for SSL_write_early_data() needed a
tweak.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)

21 months ago Disable partial writes for early data
Matt Caswell [Wed, 27 Dec 2017 13:36:45 +0000 (13:36 +0000)]
Disable partial writes for early data

We don't keep track of the number of bytes written between the
SSL_write_ex() call and the subsequent flush. If the flush needs to be
retried then we will have forgotten how many bytes actually got written.
The simplest solution is to just disable it for this scenario.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)

21 months ago Don't flush the ClientHello if we're going to send early data
Matt Caswell [Mon, 27 Nov 2017 15:20:06 +0000 (15:20 +0000)]
Don't flush the ClientHello if we're going to send early data

We'd like the first bit of early_data and the ClientHello to go in the
same TCP packet if at all possible to enable things like TCP Fast Open.
Also, if you're only going to send one block of early data then you also
don't need to worry about TCP_NODELAY.

Fixes #4783

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)

21 months ago Add 'openssl req' option to specify extension values on command line
Richard Levitte [Wed, 27 Dec 2017 17:29:36 +0000 (18:29 +0100)]
Add 'openssl req' option to specify extension values on command line

The idea is to be able to add extension value lines directly on the
command line instead of through the config file, for example:

    openssl req -new -extension 'subjectAltName = DNS:dom.ain, DNS:oth.er' \
                     -extension 'certificatePolicies = 1.2.3.4'

Fixes #3311

Thank you Jacob Hoffman-Andrews for the inspiration

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4986)

21 months ago Alternate fix for ../test/recipes/80-test_ssl_old.t with no-ec
Bernd Edlinger [Wed, 27 Dec 2017 15:37:22 +0000 (16:37 +0100)]
Alternate fix for ../test/recipes/80-test_ssl_old.t with no-ec

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4981)

21 months ago ec/ecp_nistp*.c: sanitize for undefined/implementation-specific behaviour.
Andy Polyakov [Sat, 23 Dec 2017 14:15:30 +0000 (15:15 +0100)]
ec/ecp_nistp*.c: sanitize for undefined/implementation-specific behaviour.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4974)

21 months ago VMS fix: link shared libs from objects files instead of from static libs
Richard Levitte [Wed, 20 Dec 2017 10:02:39 +0000 (11:02 +0100)]
VMS fix: link shared libs from objects files instead of from static libs

The simplifications that were made when Makefile.shared was removed
didn't work quite right.  Also, this is what we do on Unix and Windows
anyway, so this makes us more consistent across all platforms.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4982)

21 months ago Remove outdated comments
Paul Yang [Sun, 10 Dec 2017 15:48:23 +0000 (23:48 +0800)]
Remove outdated comments

Variables n, d, p are no longer there.

[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4894)

21 months ago Suggestion for improvements to x509.pod
Daniel Bevenius [Wed, 13 Dec 2017 14:41:02 +0000 (15:41 +0100)]
Suggestion for improvements to x509.pod

This commit is a suggestion to hopefully improve x509.pod. I had to
re-read it the first time through and with these changes it reads a
little easier, and wondering if others agree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4924)

21 months ago Fix comment about undefined behavior of constant_time_msb
Kurt Roeckx [Sat, 23 Dec 2017 22:32:11 +0000 (23:32 +0100)]
Fix comment about undefined behavior of constant_time_msb

This comment was correct for the original commit introducing this
function (5a3d21c0585064292bde5cd34089e120487ab687), but was fixed
in commit d2fa182988afa33d9e950358de406cc9fb36d000 (and
67b8bcee95f225a07216700786b538bb98d63cfe)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
GH: #4975

21 months ago poly1305/asm/poly1305-x86_64.pl: add Knights Landing AVX512 result.
Andy Polyakov [Wed, 6 Dec 2017 14:51:32 +0000 (15:51 +0100)]
poly1305/asm/poly1305-x86_64.pl: add Knights Landing AVX512 result.

Hardware used for benchmarking courtesy of Atos, experiments run by
Romain Dolbeau <romain.dolbeau@atos.net>. Kudos!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4855)

21 months ago Add sha/asm/keccak1600-avx512vl.pl.
Andy Polyakov [Sun, 17 Dec 2017 20:32:38 +0000 (21:32 +0100)]
Add sha/asm/keccak1600-avx512vl.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4948)

21 months ago Remove extra `the` in SSL_SESSION_set1_id.pod
Daniel Bevenius [Thu, 21 Dec 2017 08:08:25 +0000 (09:08 +0100)]
Remove extra `the` in SSL_SESSION_set1_id.pod

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4969)

22 months ago Fix a typo in comment
Bernd Edlinger [Sun, 17 Dec 2017 21:15:15 +0000 (22:15 +0100)]
Fix a typo in comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4949)

22 months ago VMS build.info: uppercase args to perl modules must be quoted
Richard Levitte [Sun, 17 Dec 2017 08:47:04 +0000 (09:47 +0100)]
VMS build.info: uppercase args to perl modules must be quoted

This is because VMS perl will otherwise lowercase them

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4946)

22 months ago Restore the use of LDCMD when linking applications
Richard Levitte [Sun, 17 Dec 2017 11:56:24 +0000 (12:56 +0100)]
Restore the use of LDCMD when linking applications

It is a hack, but it existed in the recently removed Makefile.shared,
and its use is documented in fuzz/README.md, so we cannot drop it now.

Fixes https://github.com/google/oss-fuzz/issues/1037

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4947)

22 months ago Enable the ARIA ciphers by default.
Pauli [Sun, 17 Dec 2017 21:42:19 +0000 (07:42 +1000)]
Enable the ARIA ciphers by default.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4950)

22 months ago Make DRBG uninstantiate() and instantiate() methods inverse to each other
Dr. Matthias St. Pierre [Mon, 20 Nov 2017 22:27:23 +0000 (23:27 +0100)]
Make DRBG uninstantiate() and instantiate() methods inverse to each other

Previously, the RAND_DRBG_uninstantiate() call was not exactly inverse to
RAND_DRBG_instantiate(), because some important member values of the
drbg->ctr member were cleared. Now these values are restored internally.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

22 months ago Allocate the three shared DRBGs on the secure heap
Dr. Matthias St. Pierre [Mon, 6 Nov 2017 01:29:15 +0000 (02:29 +0100)]
Allocate the three shared DRBGs on the secure heap

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

22 months ago Implement automatic reseeding of DRBG after a specified time interval
Dr. Matthias St. Pierre [Fri, 24 Nov 2017 14:24:51 +0000 (15:24 +0100)]
Implement automatic reseeding of DRBG after a specified time interval

Every DRBG now supports automatic reseeding not only after a given
number of generate requests, but also after a specified time interval.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

22 months ago Add master DRBG for reseeding
Dr. Matthias St. Pierre [Fri, 24 Nov 2017 13:59:58 +0000 (14:59 +0100)]
Add master DRBG for reseeding

A third shared DRBG is added, the so called master DRBG. Its sole purpose
is to reseed the two other shared DRBGs, the public and the private DRBG.
The randomness for the master DRBG is either pulled from the os entropy
sources, or added by the application using the RAND_add() call.

The master DRBG reseeds itself automatically after a given number of generate
requests, but can also be reseeded using RAND_seed() or RAND_add().
A reseeding of the master DRBG is automatically propagated to the public
and private DRBG. This construction fixes the problem, that up to now
the randomness provided by RAND_add() was added only to the public and
not to the private DRBG.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

22 months ago Remove spaces at end of line in ssl/statem
Paul Yang [Fri, 15 Dec 2017 07:01:20 +0000 (15:01 +0800)]
Remove spaces at end of line in ssl/statem

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #4934

22 months ago Add comments to NULL func ptrs in bio_method_st
Daniel Bevenius [Sun, 17 Dec 2017 21:04:48 +0000 (07:04 +1000)]
Add comments to NULL func ptrs in bio_method_st

This commit adds comments to bio_method_st definitions where the
function pointers are defined as NULL. Most of the structs have comments
but some were missing and not all consistent.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4881)

22 months ago Fix invalid function type casts.
Bernd Edlinger [Fri, 15 Dec 2017 18:33:48 +0000 (19:33 +0100)]
Fix invalid function type casts.
Rename bio_info_cb to BIO_info_cb.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4493)

22 months ago Remove test-runs dir, adjust .gitignore
Bernd Edlinger [Thu, 14 Dec 2017 20:16:41 +0000 (21:16 +0100)]
Remove test-runs dir, adjust .gitignore

Ignore libssl.map/libcrypto.map instead of ssl.map/crypto.map

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4932)

22 months ago Fix 'make update'
Todd Short [Thu, 14 Dec 2017 19:38:24 +0000 (14:38 -0500)]
Fix 'make update'

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4931)

22 months ago Fix some clang compilation errors
Matt Caswell [Thu, 30 Nov 2017 17:55:34 +0000 (17:55 +0000)]
Fix some clang compilation errors

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Don't run the TLSv1.3 CCS tests if TLSv1.3 is not enabled
Matt Caswell [Thu, 30 Nov 2017 17:55:06 +0000 (17:55 +0000)]
Don't run the TLSv1.3 CCS tests if TLSv1.3 is not enabled

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Add some TLSv1.3 CCS tests
Matt Caswell [Thu, 30 Nov 2017 10:13:13 +0000 (10:13 +0000)]
Add some TLSv1.3 CCS tests

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Make sure we treat records written after HRR as TLSv1.3
Matt Caswell [Thu, 30 Nov 2017 15:49:08 +0000 (15:49 +0000)]
Make sure we treat records written after HRR as TLSv1.3

This fixes a bug where some CCS records were written with the wrong TLS
record version.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Issue a CCS from the client if we received an HRR
Matt Caswell [Thu, 30 Nov 2017 14:33:22 +0000 (14:33 +0000)]
Issue a CCS from the client if we received an HRR

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Fix server side HRR flushing
Matt Caswell [Thu, 30 Nov 2017 14:29:28 +0000 (14:29 +0000)]
Fix server side HRR flushing

Flush following the CCS after an HRR. Only flush the HRR if middlebox
compat is turned off.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Delay flush until after CCS with early_data
Matt Caswell [Thu, 30 Nov 2017 11:28:26 +0000 (11:28 +0000)]
Delay flush until after CCS with early_data

Normally we flush immediately after writing the ClientHello. However if
we are going to write a CCS immediately because we've got early_data to
come, then we should move the flush until after the CCS.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Ensure CCS sent before early_data has the correct record version
Matt Caswell [Mon, 13 Nov 2017 16:12:35 +0000 (16:12 +0000)]
Ensure CCS sent before early_data has the correct record version

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Send supported_versions in an HRR
Matt Caswell [Tue, 5 Dec 2017 10:16:25 +0000 (10:16 +0000)]
Send supported_versions in an HRR

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Make sure supported_versions appears in an HRR too
Matt Caswell [Mon, 13 Nov 2017 15:01:07 +0000 (15:01 +0000)]
Make sure supported_versions appears in an HRR too

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Update TLSProxy to know about new HRR style
Matt Caswell [Mon, 13 Nov 2017 14:40:46 +0000 (14:40 +0000)]
Update TLSProxy to know about new HRR style

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Update state machine to send CCS based on whether we did an HRR
Matt Caswell [Mon, 13 Nov 2017 11:24:51 +0000 (11:24 +0000)]
Update state machine to send CCS based on whether we did an HRR

The CCS may be sent at different times based on whether or not we
sent an HRR earlier. In order to make that decision this commit
also updates things to make sure we remember whether an HRR was
used or not.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Fix an HRR bug
Matt Caswell [Thu, 9 Nov 2017 16:03:40 +0000 (16:03 +0000)]
Fix an HRR bug

Ensure that after an HRR we can only negotiate TLSv1.3

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Merge HRR into ServerHello
Matt Caswell [Tue, 5 Dec 2017 10:14:35 +0000 (10:14 +0000)]
Merge HRR into ServerHello

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Send a CCS after ServerHello in TLSv1.3 if using middlebox compat mode
Matt Caswell [Wed, 8 Nov 2017 15:00:48 +0000 (15:00 +0000)]
Send a CCS after ServerHello in TLSv1.3 if using middlebox compat mode

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Send a CCS from a client in an early_data handshake
Matt Caswell [Wed, 8 Nov 2017 14:26:48 +0000 (14:26 +0000)]
Send a CCS from a client in an early_data handshake

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Send a CCS from the client in a non-early_data handshake
Matt Caswell [Wed, 8 Nov 2017 11:37:12 +0000 (11:37 +0000)]
Send a CCS from the client in a non-early_data handshake

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Remove TLSv1.3 specific write transition for ClientHello
Matt Caswell [Wed, 8 Nov 2017 11:18:00 +0000 (11:18 +0000)]
Remove TLSv1.3 specific write transition for ClientHello

Since we no longer do version negotiation during the processing of an HRR
we do not need the TLSv1.3 specific write transition for ClientHello.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Drop CCS messages received in the TLSv1.3 handshake
Matt Caswell [Tue, 7 Nov 2017 16:36:51 +0000 (16:36 +0000)]
Drop CCS messages received in the TLSv1.3 handshake

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Send TLSv1.2 as the record version when using TLSv1.3
Matt Caswell [Tue, 7 Nov 2017 16:04:35 +0000 (16:04 +0000)]
Send TLSv1.2 as the record version when using TLSv1.3

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Implement session id TLSv1.3 middlebox compatibility mode
Matt Caswell [Tue, 7 Nov 2017 10:45:43 +0000 (10:45 +0000)]
Implement session id TLSv1.3 middlebox compatibility mode

Clients will send a "fake" session id and servers must echo it back.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Update ServerHello to new draft-22 format
Matt Caswell [Fri, 3 Nov 2017 16:38:48 +0000 (16:38 +0000)]
Update ServerHello to new draft-22 format

The new ServerHello format is essentially now the same as the old TLSv1.2
one, but it must additionally include supported_versions. The version
field is fixed at TLSv1.2, and the version negotiation happens solely via
supported_versions.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
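
The two commits above describe a ServerHello whose version field is fixed at TLSv1.2, whose real version travels in supported_versions, and which must echo the client's session id. The following is an added example of a client-side check for that format, not OpenSSL's code; the function name, the constructed sample bytes, extension type 43 and the 0x7f16 draft-22 version value are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

#define EXT_SUPPORTED_VERSIONS 43   /* supported_versions extension type */

/* Constructed sample ServerHello body: zero random, 4-byte session id. */
static const uint8_t SAMPLE_SID[4] = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t SAMPLE_SH[] = {
    0x03, 0x03,                          /* version field, fixed at TLSv1.2 */
    [34] = 4, 0xde, 0xad, 0xbe, 0xef,    /* echoed session id */
    0x13, 0x01, 0x00,                    /* cipher suite, compression */
    0x00, 0x06, 0x00, 0x2b, 0x00, 0x02, 0x7f, 0x16  /* supported_versions */
};

/* Returns the version selected in supported_versions, 0 if the extension is
 * absent (TLSv1.2 ServerHello), or -1 if the message is malformed, the version
 * field is not TLSv1.2, or a TLSv1.3 reply does not echo the session id. */
int sh_selected_version(const uint8_t *p, size_t len,
                        const uint8_t *sid, size_t sid_len)
{
    size_t off = 34, n;                  /* skip version (2) + random (32) */
    int echoed, selected = 0;
    if (len < 38 || p[0] != 0x03 || p[1] != 0x03)
        return -1;
    n = p[off++];                        /* session id length */
    if (n > 32 || len - off < n + 3)
        return -1;
    echoed = n == sid_len && (n == 0 || memcmp(p + off, sid, n) == 0);
    off += n + 3;                        /* id, cipher suite, compression */
    if (off == len)
        return 0;                        /* no extensions block at all */
    if (len - off < 2 || (size_t)(p[off] << 8 | p[off + 1]) != len - off - 2)
        return -1;
    for (off += 2; len - off >= 4; off += n) {
        unsigned type = p[off] << 8 | p[off + 1];
        n = (size_t)(p[off + 2] << 8 | p[off + 3]);
        off += 4;
        if (n > len - off || (type == EXT_SUPPORTED_VERSIONS
                && (n != 2 || selected != 0 || (p[off] | p[off + 1]) == 0)))
            return -1;
        if (type == EXT_SUPPORTED_VERSIONS)
            selected = p[off] << 8 | p[off + 1];
    }
    return (off != len || (selected != 0 && !echoed)) ? -1 : selected;
}

int main(void)
{
    return sh_selected_version(SAMPLE_SH, sizeof(SAMPLE_SH), SAMPLE_SID, 4) != 0x7f16;
}
```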

22 months ago Update the TLSv1.3 draft version indicators to draft 22
Matt Caswell [Fri, 3 Nov 2017 11:26:29 +0000 (11:26 +0000)]
Update the TLSv1.3 draft version indicators to draft 22

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

22 months ago Minor cleanup of the rsa mp limits code
Bernd Edlinger [Mon, 11 Dec 2017 15:10:36 +0000 (16:10 +0100)]
Minor cleanup of the rsa mp limits code

Reduce RSA_MAX_PRIME_NUM to 5.
Remove no longer used RSA_MIN_PRIME_SIZE.
Make rsa_multip_cap honor RSA_MAX_PRIME_NUM.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4905)

22 months ago Fix VMS use of util/mkdef.pl in top build.info
Richard Levitte [Wed, 13 Dec 2017 09:49:14 +0000 (10:49 +0100)]
Fix VMS use of util/mkdef.pl in top build.info

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4921)

22 months ago Document the X509_V_FLAG_PARTIAL_CHAIN flag
Viktor Dukhovni [Mon, 11 Dec 2017 23:33:59 +0000 (18:33 -0500)]
Document the X509_V_FLAG_PARTIAL_CHAIN flag

Also improved documentation of TRUSTED_FIRST

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

22 months ago Fix more OCSP_resp_get0_signer() nits
Ben Kaduk [Tue, 12 Dec 2017 17:41:26 +0000 (11:41 -0600)]
Fix more OCSP_resp_get0_signer() nits

Fix a typo for "retrieve" and some indentation.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4919)

22 months ago Fix minor typo in bio.pod
Daniel Bevenius [Tue, 12 Dec 2017 15:56:50 +0000 (16:56 +0100)]
Fix minor typo in bio.pod

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4917)

22 months ago crypto/bio/bss_dgram.c: annotate fallthrough (-Wimplicit-fallthrough)
Patrick Steuer [Tue, 12 Dec 2017 13:49:21 +0000 (14:49 +0100)]
crypto/bio/bss_dgram.c: annotate fallthrough (-Wimplicit-fallthrough)

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4916)

22 months ago Fix leak in ERR_get_state() when OPENSSL_init_crypto() isn't called yet
Richard Levitte [Tue, 12 Dec 2017 01:05:38 +0000 (02:05 +0100)]
Fix leak in ERR_get_state() when OPENSSL_init_crypto() isn't called yet

If OPENSSL_init_crypto() hasn't been called yet when ERR_get_state()
is called, it needs to be called early, so the base initialization is
done.  On some platforms (those that support DSO functionality and
don't define OPENSSL_USE_NODELETE), that includes a call of
ERR_set_mark(), which calls this function again.
Furthermore, we know that ossl_init_thread_start(), which is called
later in ERR_get_state(), calls OPENSSL_init_crypto(0, NULL), except
that's too late.
Here's what happens without an early call of OPENSSL_init_crypto():

    => ERR_get_state():
         => CRYPTO_THREAD_get_local():
         <= NULL;
         # no state is found, so it gets allocated.
         => ossl_init_thread_start():
              => OPENSSL_init_crypto():
                   # Here, base_inited is set to 1
                   # before ERR_set_mark() call
                   => ERR_set_mark():
                        => ERR_get_state():
                             => CRYPTO_THREAD_get_local():
                             <= NULL;
                             # no state is found, so it gets allocated!!!!!
                             => ossl_init_thread_start():
                                  => OPENSSL_init_crypto():
                                       # base_inited is 1,
                                       # so no more init to be done
                                  <= 1
                             <=
                             => CRYPTO_thread_set_local():
                             <=
                        <=
                   <=
              <= 1
         <=
         => CRYPTO_thread_set_local()      # previous value removed!
    <=

Result: double allocation, and we have a leak.

By calling the base OPENSSL_init_crypto() early, we get this instead:

    => ERR_get_state():
         => OPENSSL_init_crypto():
              # Here, base_inited is set to 1
              # before ERR_set_mark() call
              => ERR_set_mark():
                   => ERR_get_state():
                        => OPENSSL_init_crypto():
                             # base_inited is 1,
                             # so no more init to be done
                        <= 1
                        => CRYPTO_THREAD_get_local():
                        <= NULL;
                        # no state is found, so it gets allocated
                        # let's assume we got 0xDEADBEEF
                        => ossl_init_thread_start():
                             => OPENSSL_init_crypto():
                                  # base_inited is 1,
                                  # so no more init to be done
                             <= 1
                        <= 1
                        => CRYPTO_thread_set_local():
                        <=
                   <=
              <=
         <= 1
         => CRYPTO_THREAD_get_local():
         <= 0xDEADBEEF
    <= 0xDEADBEEF

Result: no leak.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4913)
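
The re-entrancy traced in the commit message above can be reproduced with a small model. This is an added example, not OpenSSL's code: all names are hypothetical stand-ins, and a static pool replaces the real allocator so the number of allocated states can be counted.

```c
#include <stdio.h>
/* Toy model of the call pattern traced above; every name is hypothetical. */
static char pool[4][16];    /* stand-in allocator, so the demo is leak-free */
static char *tls_slot;      /* models the thread-local slot holding the state */
static int base_inited, allocs, early_init;

static char *get_state(void);

/* Models the base init: sets its flag, then re-enters get_state() the way
 * the ERR_set_mark() call does on the affected platforms. */
static int init_crypto(void)
{
    if (!base_inited) {
        base_inited = 1;
        (void)get_state();
    }
    return 1;
}

static char *get_state(void)
{
    char *st;
    if (early_init)
        init_crypto();          /* fixed order: init before reading the slot */
    st = tls_slot;
    if (st == NULL) {
        st = pool[allocs++];    /* "allocate" a new state */
        init_crypto();          /* old order: first init happens only here */
        tls_slot = st;          /* overwrites what a nested call stored */
    }
    return st;
}

/* One first use of get_state(); returns states allocated but not in the slot. */
int leaked_states(int fixed)
{
    tls_slot = NULL;
    base_inited = allocs = 0;
    early_init = fixed;
    get_state();
    return allocs - 1;          /* thread cleanup frees only the slot's state */
}

int main(void)
{
    printf("old order: %d leaked, early init: %d leaked\n",
           leaked_states(0), leaked_states(1));
    return 0;
}
```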

22 months ago VMS build file template: adapt for when someone disabled 'makedepend'
Richard Levitte [Mon, 11 Dec 2017 20:01:18 +0000 (21:01 +0100)]
VMS build file template: adapt for when someone disabled 'makedepend'

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4907)

22 months ago Restore makedepend capabilities for Windows and VMS
Richard Levitte [Mon, 11 Dec 2017 19:54:07 +0000 (20:54 +0100)]
Restore makedepend capabilities for Windows and VMS

This got lost somehow.  The methods to do makedepend on Windows and
VMS are hard coded for cl (Windows) and CC/DECC (VMS), because that's
what we currently support natively.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4907)

22 months ago Note the removal of Makefile.shared in CHANGES
Richard Levitte [Mon, 4 Dec 2017 15:57:36 +0000 (16:57 +0100)]
Note the removal of Makefile.shared in CHANGES

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

22 months ago Remove Makefile.shared, as it's now entirely unused
Richard Levitte [Mon, 4 Dec 2017 15:33:59 +0000 (16:33 +0100)]
Remove Makefile.shared, as it's now entirely unused

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

22 months ago Configure et al: cleanups
Richard Levitte [Mon, 4 Dec 2017 15:31:26 +0000 (16:31 +0100)]
Configure et al: cleanups

Remove some config attributes that just duplicate values that are
already there in other attributes.

Remove the special runs of mkdef.pl and mkrc.pl from build file
templates, as these are now done via GENERATE statements in
build.info.

Remove all references to ordinal files from build file templates, as
these are now treated via the GENERATE statements in build.info.

Also remove -shared flags and similar that are there in shared-info.pl
anyway.  (in the case of darwin, it's mandatory, as -bundle and
-dynamiclib don't mix)

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)