diff --git a/libgcrypt-1.10.0-fips-disable-oaep.patch b/libgcrypt-1.10.0-fips-disable-oaep.patch
new file mode 100644
index 0000000..3de63c8
--- /dev/null
+++ b/libgcrypt-1.10.0-fips-disable-oaep.patch
@@ -0,0 +1,151 @@
+From 34d8fc576b3a06dd205f45327a971eb6771e808c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Wed, 17 Aug 2022 09:01:44 +0200
+Subject: [PATCH 1/2] Disable RSA-OAEP padding in FIPS mode
+
+* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block OAEP padding
+ in FIPS mode for encryption
+* cipher/rsa.c (rsa_decrypt): Block OAEP padding in FIPS mode for
+ decryption
+---
+
+Signed-off-by: Jakub Jelen
+---
+ cipher/pubkey-util.c | 5 ++++-
+ cipher/rsa.c | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
+index 4953caf3..244dd5d4 100644
+--- a/cipher/pubkey-util.c
++++ b/cipher/pubkey-util.c
+@@ -1092,7 +1092,10 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
+ const void * value;
+ size_t valuelen;
+
+- if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
++ /* The RSA OAEP encryption requires some more assurances in FIPS */
++ if (fips_mode ())
++ rc = GPG_ERR_INV_FLAG;
++ else if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
+ rc = GPG_ERR_INV_OBJ;
+ else
+ {
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 96dba090..87f57b55 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -1457,7 +1457,8 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
+ rc = GPG_ERR_INV_DATA;
+ goto leave;
+ }
+- if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1))
++ if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1 ||
++ ctx.encoding == PUBKEY_ENC_OAEP))
+ {
+ rc = GPG_ERR_INV_FLAG;
+ goto leave;
+--
+2.37.1
+
+
+From c6d64e697c2748a49e875060aa753fc568c5f772 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Wed, 17 Aug 2022 10:31:19 +0200
+Subject: [PATCH 2/2] tests: Expect the OEAP tests to fail in FIPS mode
+
+* tests/basic.c (check_pubkey_crypt): Expect the OAEP padding encryption
+ to fail in FIPS mode
+* tests/pkcs1v2.c (check_oaep): Expect the OAEP tests to fail in FIPS
+ mode
+---
+
+Signed-off-by: Jakub Jelen
+---
+ tests/basic.c | 14 +++++++++-----
+ tests/pkcs1v2.c | 13 +++++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/tests/basic.c b/tests/basic.c
+index 26980e15..b4102c9f 100644
+--- a/tests/basic.c
++++ b/tests/basic.c
+@@ -16892,21 +16892,24 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ "(flags oaep)",
+ 1,
+ 0,
+- 0 },
++ 0,
++ FLAG_NOFIPS },
+ { GCRY_PK_RSA,
+ "(data\n (flags oaep)\n (hash-algo sha1)\n"
+ " (value #11223344556677889900AA#))\n",
+ "(flags oaep)(hash-algo sha1)",
+ 1,
+ 0,
+- 0 },
++ 0,
++ FLAG_NOFIPS },
+ { GCRY_PK_RSA,
+ "(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n"
+ " (value #11223344556677889900AA#))\n",
+ "(flags oaep)(hash-algo sha1)(label \"test\")",
+ 1,
+ 0,
+- 0 },
++ 0,
++ FLAG_NOFIPS },
+ { GCRY_PK_RSA,
+ "(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n"
+ " (value #11223344556677889900AA#)\n"
+@@ -16914,7 +16917,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ "(flags oaep)(hash-algo sha1)(label \"test\")",
+ 1,
+ 0,
+- 0 },
++ 0,
++ FLAG_NOFIPS },
+ { 0,
+ "(data\n (flags )\n" " (value #11223344556677889900AA#))\n",
+ NULL,
+@@ -16960,7 +16964,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ "(flags pkcs1)",
+ 1,
+ 0,
+- GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL },
++ GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL | FLAG_NOFIPS },
+ { 0,
+ "(data\n (flags pss)\n"
+ " (value #11223344556677889900AA#))\n",
+diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c
+index 6c7f3d81..2fd495d5 100644
+--- a/tests/pkcs1v2.c
++++ b/tests/pkcs1v2.c
+@@ -186,11 +186,24 @@ check_oaep (void)
+ err = gcry_pk_encrypt (&ciph, plain, pub_key);
+ if (err)
+ {
++ if (in_fips_mode)
++ {
++ gcry_sexp_release (plain);
++ plain = NULL;
++ continue;
++ }
+ show_sexp ("plain:\n", ciph);
+ fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));
+ }
+ else
+ {
++ if (in_fips_mode)
++ {
++ fail ("The OAEP encryption unexpectedly worked in FIPS mode\n");
++ gcry_sexp_release (plain);
++ plain = NULL;
++ continue;
++ }
+ if (extract_cmp_data (ciph, "a", tbl[tno].m[mno].encr,
+ tbl[tno].m[mno].desc))
+ {
+--
+2.37.1
+
diff --git a/libgcrypt.spec b/libgcrypt.spec
index f842598..e83ea22 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -28,6 +28,7 @@ Patch4: libgcrypt-1.10.0-allow-small-RSA-verify.patch
 Patch5: libgcrypt-1.10.0-allow-short-salt.patch
 Patch6: libgcrypt-1.10.0-fips-getrandom.patch
 Patch7: libgcrypt-1.10.0-fips-selftest.patch
+Patch8: libgcrypt-1.10.0-fips-disable-oaep.patch
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -70,6 +71,7 @@ applications using libgcrypt.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %build
 # This package has a configure test which uses ASMs, but does not link the
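Review bot: In the tests/pkcs1v2.c part of the new patch file, the `if (in_fips_mode)` branch placed under `if (err)` accepts any gcry_pk_encrypt failure as the expected FIPS rejection, so a regression that makes OAEP fail for some other reason would go unnoticed; pin the code the cipher/pubkey-util.c and cipher/rsa.c changes actually return, e.g. `if (in_fips_mode && gpg_err_code (err) == GPG_ERR_INV_FLAG)`, and let any other error fall through to the existing `fail (...)`. In the matching `else` branch, `continue` after `fail (...)` skips whatever releases `ciph` later in the loop, so the s-expression gcry_pk_encrypt just produced appears to leak unless the loop frees it at the top of the next iteration; adding `gcry_sexp_release (ciph); ciph = NULL;` next to the release of `plain` would close that. The comment added in `_gcry_pk_util_data_to_mpi` ("requires some more assurances in FIPS") states a motive rather than the behaviour; `/* Reject RSA-OAEP encryption in FIPS mode with GPG_ERR_INV_FLAG, mirroring the decryption-side check in rsa_decrypt.  */` would tell a reader where the paired check lives. The check_oaep loop and _gcry_pk_util_data_to_mpi both continue outside the hunk.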