openbsd/src/lib/libcrypto/Makefile, branch OPENBSD_6

openbsd/src/lib/libcrypto/Makefile, branch OPENBSD_6_2 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_6_2 2017-08-28T17:41:59+00:00 Remove RSA_padding_add_SSLv23()/RSA_padding_check_SSLv23() and related 2017-08-28T17:41:59+00:00 jsing 2017-08-28T17:41:59+00:00 urn:sha1:0382c9253ad062352e3b0e86758368e59d99d3ba code. We removed SSLv2/SSLv3 a long time ago... Discussed with doug@ sprinkle a few missing dependencies on perl scripts internal bits. 2017-08-20T17:53:13+00:00 espie 2017-08-20T17:53:13+00:00 urn:sha1:39e376c267c3aa3e7cc588facfbbba9d81cb593b 'it works' deraadt@ Switch to -Werror with clang for libressl. 2017-08-13T19:42:33+00:00 doug 2017-08-13T19:42:33+00:00 urn:sha1:e0d9b6877814aabc7aa1b8a33ad302bf782d8ce3 Discussed with beck@ and jsing@ ok beck@ remove misc. depend and yacc nits that no longer matter. 2017-07-10T21:30:37+00:00 espie 2017-07-10T21:30:37+00:00 urn:sha1:ecf4ad9e94dd924bbce561ab5f2f1e2dcc9d3314 okay millert@ mark files as BUILDFIRST, or write explicit dependencies, so that most 2017-06-16T10:25:54+00:00 espie 2017-06-16T10:25:54+00:00 urn:sha1:8216c8f121c197a76840fb3260e5a44335efefd9 programs will build even without a make depend first. okay tb@ millert@ Randomize link-order of libcrypto as we do with libc. This library 2017-05-29T09:44:01+00:00 deraadt 2017-05-29T09:44:01+00:00 urn:sha1:b4ca6599527e8767077c39409965f099aa3d3769 has many small functions without significant local storage, therefore less tail protection from -fstack-protector-strong to prevent their use as ROP gadgets. It is used in security contexts. Also many functions dribble pointers onto the stack, allowing discovery of gadgets via the fixed relative addresses, so let's randomly bias those. ok tedu jsing The rc script will soon need a strategy for skipping this step on machines with poor IO performance. Or maybe do it less often? However, I don't see many more libraries we'll do this with, these are the two most important ones. Bring in HKDF, from BoringSSL, with regress tests modified to be 2017-05-06T20:42:57+00:00 beck 2017-05-06T20:42:57+00:00 urn:sha1:7f30b538d9c825a59a9a9028931e2f2094cf5a2a in C. Ride previous minor bump ok tom@ inoguchi@ jsing@ Only enable -Werror on libcrypto/libssl/libtls if we are building with 2017-04-30T04:44:58+00:00 jsing 2017-04-30T04:44:58+00:00 urn:sha1:d6384322b936d181e80c1948d8ee20a647f0408e gcc4. This should avoid failed builds while transitioning compilers. While here also make the CFLAGS blocks consistent across makefiles. Discussed with deraadt@, ok beck@ Add an EVP interface that provides concatenated MD5+SHA1 hashes, which are 2017-02-28T14:15:37+00:00 jsing 2017-02-28T14:15:37+00:00 urn:sha1:f96f1c1c67ea18091fd9c2931b6544d268dc00c5 used in various parts of TLS 1.0/1.1. This will allow for code simplification in libssl. The same interface exists in OpenSSL 1.1. ok beck@ deraadt@ inoguchi@ millert@ Make explicit _ct and _nonct versions of bn_mod_exp funcitons that 2017-01-21T09:38:59+00:00 beck 2017-01-21T09:38:59+00:00 urn:sha1:a0a595cda97de2b217b0582cfa601ee4c746bfce matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@