572e6df7 | 16-Nov-2020 |
Pauli |
rename md5_block_asm_data_order to ossl_md5_block_asm_data_order Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13417) |
627b73cc | 16-Nov-2020 |
Pauli |
Rename md5_sha1_* ossl_md5_sha1_* md5_sha1_init(), md5_sha1_update(), md5_sha1_final() and md5_sha1_ctrl(). Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13417)
|
3800cc6f | 17-Nov-2020 |
Richard Levitte |
DOC: Fix example in OSSL_PARAM_int.pod This fixes an incorrect NULL check. Fixes #11162 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13426)
|
f1d66708 | 23-Oct-2020 |
Matt Caswell |
Swap to FIPS186-2 DSA generation outside of the FIPS module Inside the FIPS module we continue to use FIPS186-4. We prefer FIPS186-2 in the default provider for backwards compatibility reasons. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13228)
|
c2bd8d27 | 22-Oct-2020 |
Matt Caswell |
Swap to DH_PARAMGEN_TYPE_GENERATOR as the default outside of the FIPS module The documentation claimed this was already the default but it wasn't. This was causing the dhparam application to change behaviour when compared to 1.1.1 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13228)
|
d3d2c0dc | 02-Nov-2020 |
Matt Caswell |
Adapt ssltest_old to not use deprecated DH APIs There are non-deprecated replacements so we should use those instead. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
3105d846 | 29-Oct-2020 |
Matt Caswell |
Extend the auto DH testing to check DH sizes Check that the size of the DH parameters we select changes according to the size of the certificate key or symmetric cipher (if no certificate). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
b6ae56fd | 29-Oct-2020 |
Matt Caswell |
Add some additional test certificates/keys Add certs with 1024, 3072, 4096 and 8192 bit RSA keys Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
1b2a55ff | 23-Oct-2020 |
Matt Caswell |
Add a CHANGES.md entry for the "tmp_dh" functions/macros Describe the tmp_dh deprecations, and what applications should do instead. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
33c39a06 | 21-Oct-2020 |
Matt Caswell |
Add a test for the various ways of setting temporary DH params We support a number of different ways of setting temporary DH params. We should test that they all work correctly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
0437309f | 21-Oct-2020 |
Matt Caswell |
Document some SSL DH related functions/macros Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368) |
1072041b | 21-Oct-2020 |
Matt Caswell |
Return sensible values for some SSL ctrls Some ctrls were always returning 0 even if they were successful. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
13c45372 | 16-Oct-2020 |
Matt Caswell |
Only disabled what we need to in a no-dh build no-dh disables the low level API for DH. However, since we're now using the high level EVP API in most places we don't need to disable quite so much. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
163f6dc1 | 15-Oct-2020 |
Matt Caswell |
Implement a replacement for SSL_set_tmp_dh() The old function took a DH as a parameter. In the new version we pass an EVP_PKEY instead. Similarly for the SSL_CTX version of this function. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
9912be1b | 14-Oct-2020 |
Matt Caswell |
Remove deprecated functionality from s_server This will be added back in by a later commit Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
8b7df247 | 14-Oct-2020 |
Matt Caswell |
Disable the DHParameters config option in a no-deprecated build This option calls SSL_set_tmp_dh() which does not exist in a no-deprecated build. We need to implement an alternative. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
936d5657 | 14-Oct-2020 |
Matt Caswell |
Remove DH usage from tls_process_cke_dhe We instead set the encoded public key directly in the EVP_PKEY object. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
18428097 | 14-Oct-2020 |
Matt Caswell |
Remove DH usage in tls_construct_server_key_exchange() We get DH related parameters directly from the EVP_PKEY instead of downgrading to a DH object first. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
cb5a427a | 14-Oct-2020 |
Matt Caswell |
Avoid the use of a DH object in tls_construct_cke_dhe() There is no need for us to downgrade the EVP_PKEY into a DH object for this function so we rewrite things to avoid it. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
1b2b4755 | 14-Oct-2020 |
Matt Caswell |
Deprecate SSL_CTRL_SET_TMP_DH and other related ctrls These ctrls pass around a DH object which is now deprecated, so we deprecate the ctrls themselves. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
1ee22dc2 | 14-Oct-2020 |
Matt Caswell |
Convert TLS ServerKeyExchange processing to use an EVP_PKEY Previously we were constructing a DH object and then assigning it to an EVP_PKEY. Instead we construct an EVP_PKEY directly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
091f6074 | 14-Oct-2020 |
Matt Caswell |
Convert TLS auto DH parameters to use EVP_PKEY Previously a DH object was constructed and then assigned to an EVP_PKEY. Instead we now construct the EVP_PKEY directly instead. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
|
2b93900e | 14-Nov-2020 |
Richard Levitte |
DOC: Rewrite the section on reporting errors in doc/man3/ERR_put_error.pod Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13320) |
e19c5a10 | 14-Nov-2020 |
Richard Levitte |
CONF: Convert one last CONFerr() to ERR_raise() Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13320) |
01fe5157 | 04-Nov-2020 |
Richard Levitte |
Simplify util/err-to-raise There's no need to enumerate the possible {NAME}err, as they have a consistent pattern. Also, this script should not be used on the engines, as they have already converted appropriately. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13320)
|